Hi,
I've tried to install Mandrake a number of times now, and it seems to be the same whatever I do: During installation, I'm asked what (local) services I want the Internet to be able to connect to. This is a local machine, so I choose "Nothing (firewall)". This should install some standard firewall. Sadly, the result is that I don't get as much as an IP address from my router (which is my LAN gateway for my home ADSL).
In order to get basic LAN functionality to work, I have to go to "Configure Computer" and deselect the firewall (opening up my computer?).
That can't be right.
This is a home computer, so I do want to connect to the Internet, but without exposing myself too much to crackers. With Mandrake, what is the suggested approach, given that the default installation options apparently are misleading?
I've tried searching for 'firewall', but I can't find any good answers (and the search seems not to restrict itself to the Mandrake subforum, what's up with that?).
the built in firewall for Mandrake is Shorewall, which is basically a front end to IP Tables. (as are all Linux firewalls). to get it started shut down your internet connection first (that's important!), go to Mandrake Control Center->system->services & see if it's in there as a startup service. if it is & it's running, turn it off. if it's not there, then it isn't installed. if that's the case, go to the MCC software installer & install shorewall. once it's installed & turned off, go to system->security (or just security, at work right now & forget where it's at) & go to the firewall module. most times you can just select (or deselect) the various boxes, apply the settings, restart your internet & you'll be safe & good to go. if that's not the case, then you might need to edit some shorewall config files. they are located in /etc/shorewall. the ones you need to be concerned with are...........interfaces, policy, rules & zones. it's tough for me to say what the settings should look like for you. it all depends on your needs. here's some basic configs for a stand alone computer, with an eth0 card & DSL modem connection.......
interfaces..........
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp+        detect
loc     eth0        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
policy............
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
fw        net    ACCEPT
loc       net    ACCEPT
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
rules...............
#ACTION   SOURCE   DEST   PROTO   DEST   SOURCE    ORIGINAL   RATE    USER
#                                 PORT   PORT(S)   DEST       LIMIT   SET
ACCEPT    net      fw     icmp    8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
zones................
#ZONE   DISPLAY   COMMENTS
net     Net       Internet zone
loc     Local     Local
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
again, these are just generic settings & may need to be modified to suit your particular needs. get all the info here......... http://www.shorewall.net . there's even some config templates you can download there to get you started. once you get it working, go back to MCC->system->services & make sure shorewall is checked to start at boot. to manually stop & start it, you can type in terminal as root.......... service shorewall start .............or.................. service shorewall stop. to see status, it would be............ service shorewall status.
finally, to test your firewall, here's 2 good places............. the Shields Up link at GRC.com. or the Port Scan link at DSLReports.com.
otis
Last edited by otish1000c; 10-19-2004 at 04:07 PM.
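Added example (not part of otis's post and not Shorewall's own code): a small Python checker for a policy file like the one quoted above, showing which policy a new connection between two zones actually receives. It assumes a simplified model in which the first matching line wins and `all` matches any zone; the function names are hypothetical and the sample input is the policy file from the post.

```python
# Added example: first-match evaluation of a Shorewall policy file.
# Simplified model (assumption): the first line whose SOURCE and DEST
# match wins, and "all" matches any zone. Function names are hypothetical.

# The policy file as posted in the thread above.
SAMPLE_POLICY = """\
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
loc net ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

def parse_policy(text):
    """Return (lineno, source, dest, policy) for every non-comment entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            entries.append((lineno, fields[0], fields[1], fields[2].upper()))
    return entries

def covers(entry, src, dst):
    """True if a policy entry applies to traffic from src to dst."""
    return entry[1] in (src, "all") and entry[2] in (dst, "all")

def effective_policy(entries, src, dst):
    """Policy applied to new connections from zone src to zone dst."""
    for entry in entries:
        if covers(entry, src, dst):
            return entry[3]
    return None  # no entry matched at all

def audit(text, zones=("fw", "loc", "net")):
    """List unreachable entries and any zone the Internet can reach by default."""
    entries = parse_policy(text)
    findings = []
    for i, entry in enumerate(entries):
        for earlier in entries[:i]:
            if covers(earlier, entry[1], entry[2]):
                findings.append(f"line {entry[0]} never applies: line {earlier[0]} matches first")
                break
    for dst in zones:
        if dst != "net" and effective_policy(entries, "net", dst) not in ("DROP", "REJECT"):
            findings.append(f"net -> {dst} is not blocked by default")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_POLICY)) or "no findings")
```

Run against the posted file it reports the second `fw net ACCEPT` as redundant, and `effective_policy(parse_policy(SAMPLE_POLICY), "loc", "fw")` shows that traffic from the local zone to the firewall falls through to the final REJECT.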
Thanks for the fast reply. I will have to test this once I get home.
*looks at watch, waiting for 5pm* comeon, comeon, comeon...
If that is your "rough guide" because you're not at a Linux pc, well, it looks quite excellent already, so no sweat. I'm sure I can make something useful of it.
BTW, GRC's "Shields Up" has been criticized for being rather too simple and consequently not reporting the actual situation, but I'll give that DSLreports site a go. (This is not the place to argue about the correctness of that statement. More info at http://grcsucks.com/ if you're interested. But don't flame ME, I'm just the messenger.)
Good to see that Mandrake have improved this on 10.1 - during Firewall setup you can explicitly specify an interface to be accommodated, for example eth0 - you get your firewall and internet access accordingly - from what I remember with defaults, "Sygate" showed complete stealth on all tests. (fwiw)
While not specifically limited to this, the Shorewall install assumes that you will be using Linux as a multi-homed (multiple network interfaces) network router/firewall.
This is NOT the same as Winblows built in firewall.
If you are worried about security, just crank up the security settings and DO NOT tell Linux that this is a "local" only machine.
The Shorewall install runs as a service (as posted by otish1000c) but it immediately turns off all Internet Access, so that YOU are tasked with enabling only those things that you want running from one interface to another.
In other words Shorewall sets itself up as a NAT router with filtering.
You haven't specified your configuration, but this may not be what you are looking for.
Does your machine have two NICs in it?
Will you be using it as an internet router & firewall?
When I first installed Mandrake, I asked for the firewall to block "everything", which it most certainly did. Then, after the installation had completed and I was up and running, I had to disable the firewall in order to get an IP from my router, and gain Internet access.
I went home yesterday and checked things out. To my surprise, it seems that even though MCC says the firewall is now disabled, my computer does not have any open ports to the network.
This situation is good enough for my needs, so the thread may stop here if it's okay with you.
But since you asked, I'm going to fill in the blanks nonetheless:
My setup is as follows:
[ADSL] - I've got an ADSL modem coming out of the phone socket. My ISP allows only one local client, but I have (at least) two computers.
[Router] - I've got a router that acts as the single ISP client, and acts as a HUB and NAT/DHCP server for my LAN.
[PC1] - My primary computer has a RTL3189-type (or somesuch) NIC. In fact it's a four-port PCI hub, but it works as a normal NIC in any regard. This one runs Linux (and FreeDOS). No MS sw here.
[PC2] - My wife's mostly-stationary laptop runs Windows XP. This computer is not really protected, and she knows the risks. I'm not messing with it more than I have to, so that's that.
As you can see, the computer in question is a regular LAN client, ie. it needs no gateway/NAT capabilities.
When I used Windows, GRC and others would report open ports, as my wife's computer still does. But now, with Linux, and using the same test tools, it seems my ports are more secure (at least, when probed with those tools).
As I said this is good enough for my needs. Thanks all!