Just for a jape, I followed the documentation trail. The initial email to root says 'man iptables' for lots of information. Then the manual page for iptables gives a link to http://www.netfilter.org. At that site you can click on Documentation-HOWTOs with a collection of links in a section Tutorials. One of these links, titled 'Comparison of iptables automation tools' has this quote. I have added the emphasis.
Quote:
httpd service is "preconfigured" and is not required to get the system to boot. same with sshd. They have "sane" defaults and that is all that is being asked for a firewall config. As mentioned earlier, the admin is totally responsible for enabling sshd AND firewall, as they should be disabled by default and are not needed for the system to function... so I don't see why the flood of "why can't I ssh into my box???" would happen. Even if it did, it would happen because something YOU did, not the system. |
Yeah I don't know about that...
I've installed *Firestarter* and *FW Builder* too. FW Builder is nice, and simple, and about as complex as you need it to be too.
Firestarter isn't updated that much, took quite a bit of work to install on one machine, and is sorely lacking in the documentation department - not to mention the fact that you have to install well over a dozen deps, leaving you with an almost GNOME-ready box.

Patrick gave his two cents when he said that following new installations he echoes ALL: ALL into hosts.deny as a starting point on a new box. There's also the welcome email to root, and the rather unintuitively located /etc/ppp/firewall-standalone, which doesn't work if simply copied to /etc/rc.d/rc.firewall and then chmod'd - at the very least one would need to know that they have to change $EXTIF to something along the lines of 'eth0' or 'wlan0'. There was another thread with a different sort of firewall about a year ago here: http://www.linuxquestions.org/questi...script-884878/

Okay, there's a lot of options. But then again, what kind of options are we really thinking about giving out? A seasoned admin has his firewall scripts and mods them accordingly, experiments with new incarnations on sandboxes, and simply does a quick scp to /etc/rc.firewall and chmods it 700. A noob doesn't even know what an ICMP message is - it could take weeks for them to read through the instructions for what each port is for and, for that matter, what a port is! They might know what World of Warcraft is (I know I don't), or Minecraft (I don't know what that is either, but I've built a couple of Minecraft servers for my subscribers and it seems I'm hosting about 50 of them). Heck, even asking a noob if they're going to be using eth0 or wlan0 is probably enough TMI to help them brick their machine - that they have to be asked whether they want sshd to start on boot is almost too much for many (as necessary a question as it is, it's not at all obvious to us that this is a difficult question for most n00bs). No. No firewall config included during installation - especially not dialogs for a Bash clone of Eric's EFG.

It's been pointed out in the threads above that we have FW Builder as an SBo, and that is good enough IMO as far as any sort of app is concerned. We certainly don't want people asking themselves, "Gee. Firewall... I think I'm supposed to have one of those. I'll answer yes to that.", and then be presented in the middle of an install with a seemingly endless list of frightful questions that resemble a kernel makefile. I do (Pat, if you're listening) think that the EFG should be mentioned in the welcome email with a link to it... Why?

A mention of FW Builder at SBo, SBo in general, and sbopkg are probably also good things to cover in the welcome email, continuing in this same philosophy - Slackware gives you UNIX while you, the SA, make it what you want and need, and here's some kewl places to look for those tools. All in all, a firewall is just one of the first things that you *might* need/want to do with your system. Installing an IDS is just as important on a forward-facing box, and talk of including a question during the installation dialog as to whether you want to configure one of those is just as problematic a proposal. That having been said, I think it's a great idea to clone Eric's EFG as a Bash script which has an SBo at Slackbuilds.org.

Now, as far as truly important things are concerned, I think the automatic coffee maker script really should be included as part of the standard Slackware installation process IMNSHO ;)

I hope that helps! Kindest regards,
But I really do like the idea of setting up everything by hand. I'm sure Slackware is not the kind of Linux distribution that must have tools like ufw. The beauty of Slackware is being Unix-like, old-school and so on.
In Slackware I advise you to use this script:
Code:
#!/bin/bash
It will start with the system automatically*. And you will be able to use these commands:
Code:
/etc/rc.d/rc.firewall start
/etc/rc.d/rc.firewall stop
/etc/rc.d/rc.firewall restart
*If you look through /etc/rc.d/rc.inet2, you will find there:
Code:
# If there is a firewall script, run it before enabling packet forwarding.
Quote:
Again, Pat/Slackware is not the creator of most 'sane' defaults -- it ships upstream defaults and modifies them only if they will cause trouble (if they won't start, or if they will spam the root directory). Since there is no upstream firewall script, and rc.firewall is already set to start if available, there is no need for modification. |
The one problem we do have, as stated, is that the firewall script provided at /etc/ppp/firewall-standalone is not readily deployable, even as a sample script. Having a sample script provided that can be universal to everyone out of the box, even at a minimum, can be a great learning tool for those wanting to learn. For the rest of us who already have our pre-built scripts, do we need it? No. Can we edit the default out? Yes we can.
1. Are we asking for a prebuilt firewall to be included with Slackware, ready to go out of the box? No, we are asking for a sample script that can be edited, copied, and then made executable, with universal defaults that anyone, regardless of skill level, can work with.
2. Are we asking for an nCurses tool to be added to Slackware's setup? ONLY if it can be skipped during installation if we so choose.
3. Are we asking for more bloatware packages on the system? No we aren't. In fact, we are asking to AVOID having to add extra packages to the system like FWBuilder, FireStarter, etc. With sample scripts we don't need extra packages.
4. Are we asking for some extra documentation like a Firewall-HOWTO? While a lot of information exists online, getting that information when you are offline is rather problematic, especially when most of it is written in tech jargon and not English when you aren't a tech-speaking person new to Linux. Newbies (not n00bs) often need an easy-to-follow guide so they can learn. Slackware's already-included HOWTOs are easy to follow, written in English, and are simple enough for anyone.
Besides, Slackware already teaches the best fundamentals of Linux compared to any other distribution outside of Linux From Scratch, so why not teach those willing to learn for themselves how to properly set up a basic universal firewall, and provide a proper sample thereof for beginners to start with and expand from?
When I installed Slackware, the first time and every consecutive time, I used Slackbook. I would recommend everyone to do so. It's needed if you intend to use Slackware, that's what it's about, thorough reading. There's a good chapter about Iptables in the Slackbook. Maybe a reference to Alien Bob's generator will do. It's not a Slackware-installation matter, it's a Slackbook matter.
Quote:
Besides, this teaching thing is a slippery slope. You ask that Pat include a basic firewall to teach people some fundamentals. Is he supposed to teach them about NAT or port forwarding? Where does it end? As stated by others far more eloquently than I, I would prefer Pat spend his limited time on creating this solid building block -- i.e. packaging, making sure all the nuts and bolts fit together, etc. -- than spending his time teaching people iptables. But that's just me. |
You make a good point about where to start stuff from, but there's always the argument that could be made, "Even a foundation needs a first stone to be placed."
Providing a basic entry level to a system, such as a sample, documentation, a generalized HOWTO, and links to advanced documents, is better than nothing at all. As far as what is universal: yes, for advanced users "universal" does not apply. Universal is more or less the standard network applications, ports, and routing tables that would apply to a standard average user PC... more or less something like AlienBOB's EFG default configuration, give or take.
In my case, I use NAT tables, some custom port forwarding configurations, block off everything else inbound that isn't from applications installed or in use, redirect some outbound stuff to a loopback, and fairly much keep a log of activities that attempt to circumvent the security I have in place. Is it optimal for me? Yes. For anyone else would it work? Maybe not.
As far as documentation, the basics should cover just that, the basics. If you need advanced stuff, then you have to go online, and you're on your own from there. The other option is to include an offline HTML webpage of AlienBOB's EFG on the disk under /extras or even /unsupported that anyone can access, run, and set up if they so choose to. Again, remember this topic is just a discussion and nothing concrete. But ideas are always good to toss around about things and such.
Some things that should be added to Slackware-14 are the following HOWTOs, which are not included currently because they are not on tldp:
http://www.netfilter.org/documentati...ring-HOWTO.txt
http://www.netfilter.org/documentati.../NAT-HOWTO.txt
The following HOWTOs, which are included, describe the old and no longer functional ways:
Bridge+Firewall (replaced already by Ethernet-Bridge-netfilter-HOWTO)
Firewall-HOWTO
IP-Masquerade-HOWTO
IPCHAINS-HOWTO
IPMasquerading+Napster
Masquerading-Simple-HOWTO
Currently, if a new user goes reading /usr/doc/Linux-HOWTOs they will not be able to learn how to use the firewall features that Slackware currently offers (iptables) but will learn about ipchains and ipfwadm (gasp). So if we really want to help new users, then how about we get the documentation up to date first?
Quote:
However, I think using iptables on the command line is a bit too complicated for new users, and is unnecessary in most cases. You either start with a script like EFG and comment out or in stuff, or you use firewall builder. Does anyone here actually build a firewall script from scratch by writing out iptables commands ? If you do, then you are a hardcore user, cuz I don't. I just use the EFG and comment stuff in or out. I will probably switch to firewall builder sometime ... or maybe not because the EFG works well. One benefit of firewall builder is that you can push iptables rules to your router as well. |
Quote:
Everyone in this forum was once a new user at some point. Please do not be a jerk about it. |
Quote:
For sure it is unlikely that any firewall script will be included in the installer for fear of mass upheaval. However, as I said before, maybe the EFG should be included somewhere, but disabled by default, or firewall builder (it's already a slackbuild). |
Noob = useless idiot trash, trollish idiot moron, and scum of the internet.
Newbie (Newb) = Novice, beginner, apprentice, and someone without knowledge of advanced topics, methods, and procedures. Yes calling new Slackware users "nOObs" is one thing that is very condescending not just to Slackware, but to the community, and the new people who need help. This topic was a topic designed to bring about talks of change to help new users, not hinder them, belittle them, or think they can't learn. |
I do not see what the big fuss is all about. Could a rc.firewall generator, similar to AlienBob's be added to Slackware? If "yes" -- great, it will make things easier for some people, if "no" -- the Easy Firewall Generator is still there, so no big deal.
That's it. May I share my humble opinion? I use my Slackware boxes as desktop computers -- one at home is for multimedia, the other is mainly for testing my slackbuild scripts, and the machine at work is for... eh... work, which often includes bioinformatics. Please, don't shred me to pieces for saying this, but learning iptables is something that I simply do not want to do. I am neither a computer specialist nor a computer geek. Therefore, a user like me will be happy if provided with a basic firewall script out of the box.
Just saying John |