LinuxQuestions.org
Old 10-19-2004, 04:59 AM   #1
KlaymenDK
Member
 
Registered: Sep 2003
Location: Denmark
Distribution: FreeBSD v6.0
Posts: 123

Rep: Reputation: 15
Mandrake 10.0 and firewall?


Hi,
I've tried to install Mandrake a number of times now, and it seems to be the same whatever I do: During installation, I'm asked what (local) services I want the Internet to be able to connect to. This is a local machine, so I choose "Nothing (firewall)". This should install some standard firewall. Sadly, the result is that I don't get as much as an IP address from my router (which is my LAN gateway for my home ADSL).

In order to get basic LAN functionality to work, I have to go to "Configure Computer" and deselect the firewall (opening up my computer?).
That can't be right.



This is a home computer, so I do want to connect to the Internet, but without exposing myself too much to crackers. With Mandrake, what is the suggested approach, given that the default installation options apparently are misleading?

I've tried searching for 'firewall', but I can't find any good answers (and the search seems not to restrict itself to the Mandrake subforum, what's up with that?).

Help!
 
Old 10-19-2004, 06:59 AM   #2
otish1000c
Member
 
Registered: May 2004
Location: Pennsylvania, USA
Distribution: dual boot.... Mandrake 10.0OE/10.xcooker
Posts: 611

Rep: Reputation: 30
the built in firewall for Mandrake is Shorewall, which is basically a front end to IP Tables. (as are all Linux firewalls). to get it started shut down your internet connection first (that's important!), go to Mandrake Control Center->system->services & see if it's in there as a startup service. if it is & it's running, turn it off. if it's not there, then it isn't installed. if that's the case, go to the MCC software installer & install shorewall. once it's installed & turned off, go to system->security (or just security, at work right now & forget where it's at) & go to the firewall module. most times you can just select (or deselect) the various boxes, apply the settings, restart your internet & you'll be safe & good to go. if that's not the case, then you might need to edit some shorewall config files. they are located in /etc/shorewall. the ones you need to be concerned with are...........interfaces, policy, rules & zones. it's tough for me to say what the settings should look like for you. it all depends on your needs. here's some basic configs for a stand alone computer, with an eth0 card & DSL modem connection.......

interfaces..........
#ZONE INTERFACE BROADCAST OPTIONS
net ppp+ detect
loc eth0 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

policy............
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
loc net ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

rules...............
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT SET
ACCEPT net fw icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

zones................
#ZONE DISPLAY COMMENTS
net Net Internet zone
loc Local Local
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


again, these are just generic settings & may need to be modified to suit your particular needs. get all the info here......... http://www.shorewall.net . there's even some config templates you can download there to get you started. once you get it working, go back to MCC->system->services & make sure shorewall is checked to start at boot. to manually stop & start it, you can type in terminal as root.......... service shorewall start .............or.................. service shorewall stop. to see status, it would be............ service shorewall status.

finally, to test your firewall, here's 2 good places............. the Shields Up link at GRC.com. or the Port Scan link at DSLReports.com.

otis

Last edited by otish1000c; 10-19-2004 at 04:07 PM.
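
Added example, not part of otish1000c's post and not Shorewall's own code: a small shell/awk check that resolves which entry of the posted policy file decides a given zone pair, using Shorewall's first-match ordering, and flags entries that can never match. The function names `policy_for` and `shadowed_policies` are hypothetical; the policy text is copied from the post above.

```shell
#!/bin/sh
# Policy file as posted above, embedded inline so the check runs offline.
POLICY_TEXT='#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
loc net ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'

# policy_for SRC DST: print "POLICY LOGLEVEL ENTRY" for the first entry that
# matches ("all" matches any zone). Shorewall consults the rules file first,
# so this is the outcome only for traffic that no rule (e.g. icmp 8) matched.
policy_for() {
    printf '%s\n' "$POLICY_TEXT" | awk -v src="$1" -v dst="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank and comment lines
        {
            n++
            if (($1 == src || $1 == "all") && ($2 == dst || $2 == "all")) {
                print $3, ($4 == "" ? "-" : $4), n
                found = 1; exit
            }
        }
        END { if (!found) print "NONE" }'
}

# shadowed_policies: print the numbers of entries that can never be reached
# because an earlier entry already covers the same source/destination pair.
shadowed_policies() {
    printf '%s\n' "$POLICY_TEXT" | awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            n++
            for (i = 1; i < n; i++)
                if ((s[i] == $1 || s[i] == "all") && (d[i] == $2 || d[i] == "all")) {
                    printf "%s%d", (out++ ? " " : ""), n
                    break
                }
            s[n] = $1; d[n] = $2
        }
        END { if (out) print "" }'
}

# Walk the zone pairs that matter for a desktop machine.
for pair in "net fw" "loc fw" "fw net" "fw loc"; do
    set -- $pair
    echo "$1 -> $2: $(policy_for "$1" "$2")"
done
echo "shadowed entries: $(shadowed_policies)"
```

The output shows that inbound traffic from `net` is dropped and logged, that connections from the `loc` zone to the machine itself fall through to the final `all all REJECT`, and that the third entry (the repeated `fw net ACCEPT`) is redundant.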
 
Old 10-19-2004, 08:48 AM   #3
KlaymenDK
Member
 
Registered: Sep 2003
Location: Denmark
Distribution: FreeBSD v6.0
Posts: 123

Original Poster
Rep: Reputation: 15
Thanks for the fast reply. I will have to test this once I get home.
*looks at watch, waiting for 5pm* comeon, comeon, comeon...

If that is your "rough guide" because you're not at a Linux pc, well, it looks quite excellent already, so no sweat. I'm sure I can make something useful of it.

BTW, GRC's "Shields Up" has been criticized for being rather too simple and consequently not reporting the actual situation, but I'll give that DSLreports site a go. (This is not the place to argue about the correctness of that statement. More info at http://grcsucks.com/ if you're interested. But don't flame ME, I'm just the messenger.)

Thanks though!
 
Old 10-19-2004, 10:50 AM   #4
Skyline
Senior Member
 
Registered: Jun 2003
Distribution: Debian/other
Posts: 2,104

Rep: Reputation: 45
Good to see that Mandrake have improved this on 10.1 - during Firewall setup you can explicitly specify an interface to be accommodated, for example eth0 - you get your firewall and internet access accordingly - from what I remember with defaults, "Sygate" showed complete stealth on all tests. (fwiw)
 
Old 10-19-2004, 04:49 PM   #5
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
While not specifically limited to this, the Shorewall install assumes that you will be using Linux as a multi-homed (multiple network interfaces) network router/firewall.

This is NOT the same as Winblows built in firewall.

If you are worried about security, just crank up the security settings and DO NOT tell Linux that this is a "local" only machine.

The Shorewall install runs as a service (as posted by otish1000c) but it immediately turns off all Internet Access, so that YOU are tasked with enabling only those things that you want running from one interface to another.

In other words Shorewall sets itself up as a NAT router with filtering.

You haven't specified your configuration, but this may not be what you are looking for.

Does your machine have two NICs in it?

Will you be using it as an internet router & firewall?
 
Old 10-20-2004, 04:57 AM   #6
KlaymenDK
Member
 
Registered: Sep 2003
Location: Denmark
Distribution: FreeBSD v6.0
Posts: 123

Original Poster
Rep: Reputation: 15
When I first installed Mandrake, I asked for the firewall to block "everything", which it most certainly did. Then, after the installation had completed and I was up and running, I had to disable the firewall in order to get an IP from my router, and gain Internet access.

I went home yesterday and checked things out. To my surprise, it seems that even though MCC says the firewall is now disabled, my computer does not have any open ports to the network.

This situation is good enough for my needs, so the thread may stop here if it's okay with you.

But since you asked, I'm going to fill in the blanks nonetheless:
My setup is as follows:
[ADSL] - I've got an ADSL modem coming out of the phone socket. My ISP allows only one local client, but I have (at least) two computers.
[Router] - I've got a router that acts as the single ISP client, and acts as a HUB and NAT/DHCP server for my LAN.
[PC1] - My primary computer has a RTL3189-type (or somesuch) NIC. In fact it's a four-port PCI hub, but it works as a normal NIC in any regard. This one runs Linux (and FreeDOS). No MS sw here.
[PC2] - My wife's mostly-stationary laptop runs Windows XP. This computer is not really protected, and she knows the risks. I'm not messing with it more than I have to, so that's that.

As you can see, the computer in question is a regular LAN client, ie. it needs no gateway/NAT capabilities.

When I used Windows, GRC and others would report open ports, as my wife's computer still does. But now, with Linux, and using the same test tools, it seems my ports are more secure (at least, when probed with those tools).

As I said this is good enough for my needs. Thanks all!
 
Old 10-20-2004, 05:58 AM   #7
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
Great!

Make sure she gets SP2 for XP though, at least that way there is some semblance of security.
 
  


All times are GMT -5.