Shorewall Documentation


Counterspy
At present I am using Guarddog as a firewall, not wanting to take up the challenge of Shorewall. I was disappointed at the disappearance of InteractiveBastille from version 9 because it "felt" so configurable. Since Shorewall kept making its presence felt on my machine, I decided to go back to the web site ( http://www.shorewall.net ) and check out whether I had missed something in the docs I had already downloaded. I came away truly impressed with the power and scope of this program, thoroughly documented at every stage to the point of being almost overwhelming. For those setting up home or larger networks, its coloured diagrams and the accompanying descriptions make it a primer on networking. The docs can be downloaded as a PDF for easier access than the HTML on the site. There is an excellent Quick Start Guide and a more comprehensive Setup Guide, FAQ and Reference section on the site if you don't want the whole doc package in the PDF. There are numerous references to other sites providing additional information on specific issues. Of particular interest is the list of port references at http://www.iss.net/security_issues/advice/...Exploits/Ports/ .

 

I have decided that I will now begin to build a Shorewall firewall and suggest that, if you have overlooked it, you give it a second look with an open mind. My only regret is that Mandrakesoft didn't include the PDF in the docs in the distro. To lock a system down and relax as much as possible about the world out there, it is, in my opinion, among the best I've seen despite its learning curve.

 

Counterspy

Shorewall definitely rocks!

 

I've been using Shorewall on my server since September 2002 without a glitch. The problems people have aren't related to Shorewall but to the MCC. The Shorewall GUI over there (Security->Firewall) does not reflect all the possibilities Shorewall offers. For instance, when you open a port from the MCC (you click the SSH box, for example), the port is opened on your LAN and the NET. This is probably not what an IT admin would want. There is no way of doing otherwise even if you click the 'Advanced' button and enter ports manually. Those ports will be opened on all interfaces. That can cause headaches for newbies and they may think that Shorewall sucks, while this isn't Shorewall's fault. However, when one takes the time to read the config files in /etc/shorewall, he can come up with the right solution very rapidly.

 

I really suggest everyone interested in using Shorewall read the files in /etc/shorewall. They are really short, with lots of good examples. Take special care with 'policy' and 'rules'.

 

Counterspy, your link doesn't work :-( . But you are probably talking about /etc/services

 

ciao

 

MOttS

I agree entirely.

 

I've had a Shorewall firewall since December, and have never quite figured out why so many people complain about it.

 

The docs are fantastic, and written for people that have never built a firewall before.

I guess MottS is right:

"The problems people have aren't related to Shorewall but to the MCC"
I thought MCC was manipulating msec, not Shorewall. It sure looks that way from the msec docs. Thanks MottS, link fixed.

 

Counterspy.

 

I'm pretty sure the MCC modifies the Shorewall config files in /etc/shorewall. Take ssh for example. Look at /etc/shorewall/rules and then check the ssh box in the MCC. Now go back to see /etc/shorewall/rules. You'll see that port 22 has been added to every interface. In fact, when you click a box or enter ports manually with the 'Advanced' button, the MCC writes that stuff in /etc/shorewall/rules (it doesn't play with any other files) and restarts Shorewall. This is why the config files (/etc/shorewall/rules) get screwed up when you modify them by hand and then play with the Firewall config in the MCC.

 

I realized that when I added a DNAT rule (DNAT net masq:192.168.1.100 tcp 6891:6900 .. or something like that .. I'm not at home right now) to /etc/shorewall/rules to transfer files with msn and played with the Firewall setting in the MCC. The DNAT line was removed and some weird stuff appeared. Needless to say, it wasn't working at all after that. So the moral is: don't play with the MCC after modifying your config files by hand! ;-) .. even better -> don't use the MCC for your Firewall.

 

MOttS
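Both observations in this thread, the SSH box adding port 22 for every zone and a hand-written DNAT line vanishing after the MCC rewrote the file, come down to what actually ends up in /etc/shorewall/rules. The following is an added Python example, not code from the thread or from the Shorewall project: it parses a constructed copy of a rules file in the ACTION / SOURCE / DEST / PROTO / DEST PORT(S) column layout, lists which rules admit traffic originating in the net zone, and compares a hand-edited copy against a rewritten one to find lines that were silently dropped. The zone names net, loc and fw, and both file contents, are constructed assumptions chosen to match the thread's description.

```python
from typing import List, NamedTuple

# Constructed sample of /etc/shorewall/rules as it might look after hand
# edits: SSH accepted only from the LAN zone, plus a DNAT for a LAN host.
# Zone names (net, loc, fw) are assumptions, not copied from the thread.
RULES_HAND_EDITED = """\
# ACTION  SOURCE  DEST               PROTO  DEST PORT(S)
ACCEPT    loc     fw                 tcp    22
DNAT      net     loc:192.168.1.100  tcp    6891:6900
"""

# Constructed sample of the same file after a GUI rewrote it: SSH is now
# accepted from every zone and the hand-added DNAT line is gone.
RULES_AFTER_GUI = """\
# ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT    net     fw    tcp    22
ACCEPT    loc     fw    tcp    22
"""


class Rule(NamedTuple):
    action: str
    source: str
    dest: str
    proto: str
    ports: str


def parse_rules(text: str) -> List[Rule]:
    """Parse the whitespace-separated columns of a Shorewall rules file.

    Comments, blank lines and SECTION headers are skipped; only the first
    five columns (ACTION SOURCE DEST PROTO DEST PORT(S)) are kept.
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.upper().startswith("SECTION"):
            continue
        cols = line.split()
        # Pad short lines so rules without a port column still parse.
        cols += ["-"] * (5 - len(cols))
        rules.append(Rule(*cols[:5]))
    return rules


def exposed_to_net(rules: List[Rule]) -> List[Rule]:
    """Rules that admit traffic originating in the 'net' zone.

    A source of 'net:1.2.3.4' still counts as the net zone, so only the
    part before the colon is compared.
    """
    return [
        r for r in rules
        if r.source.split(":")[0] == "net"
        and r.action.upper() in ("ACCEPT", "DNAT", "REDIRECT")
    ]


def lost_rules(before: List[Rule], after: List[Rule]) -> List[Rule]:
    """Rules present in 'before' but missing from 'after', i.e. hand edits
    discarded by a tool that rewrote the file."""
    after_set = set(after)
    return [r for r in before if r not in after_set]


if __name__ == "__main__":
    before = parse_rules(RULES_HAND_EDITED)
    after = parse_rules(RULES_AFTER_GUI)
    print("Admitted from net after GUI rewrite:")
    for r in exposed_to_net(after):
        print(f"  {r.action} {r.source} -> {r.dest} {r.proto}/{r.ports}")
    print("Hand-edited rules dropped by the rewrite:")
    for r in lost_rules(before, after):
        print(f"  {r.action} {r.source} -> {r.dest} {r.proto}/{r.ports}")
```

Running the two functions over a copy of the file saved before touching the GUI and the live file afterwards shows exactly what MOttS describes: port 22 gains a net-zone ACCEPT, and the DNAT line is reported as lost. Keeping a saved copy of /etc/shorewall/rules and /etc/shorewall/policy and diffing them this way before restarting the firewall is a cheap way to catch such rewrites.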

Yet another example of Mandrake failing to document adequately. The Shorewall docs take up as much space in a 2" ring binder as four of the five Mandrake docs.

 

Counterspy

I got them printed out too
