LinuxQuestions.org - Slackware - Idea for Slackware 14.0 - Easy Firewall Generator (clone of AlienBob's) (https://www.linuxquestions.org/questions/slackware-14/idea-for-slackware-14-0-easy-firewall-generator-clone-of-alienbobs-4175413748/)

T3slider 07-05-2012 05:40 PM

Quote:

Originally Posted by ReaperX7 (Post 4720307)
That being said couldn't a sample firewall script be provided like the sample Samba script?

The sample Samba configuration file is included with Samba; it's just modified slightly in Slackware (adjusting the log/spool file locations).

hitest 07-05-2012 08:31 PM

Quote:

Originally Posted by chess (Post 4720182)
I agree and this is why a firewall script should not be included IMHO.

I like the idea of a firewall included at set-up, but, I am fine with the way things are now. It is an interesting suggestion.

allend 07-05-2012 09:25 PM

Just for a jape, I followed the documentation trail. The initial email to root says 'man iptables' for lots of information. Then the manual page for iptables gives a link to http://www.netfilter.org. At that site you can click on Documentation-HOWTOs with a collection of links in a section Tutorials. One of these links, titled 'Comparison of iptables automation tools' has this quote. I have added the emphasis.
Quote:

iptables Configuration Tools

Now let's consider the tools that are supposed to help configure Linux iptables firewall. I will take a look at each tool, its features, flexibility and ease of use. Also I will comment on whether it does anything useful right out of the box (knowing that some unfortunate users will choose to just download it, run it and hope for the best, which, needless to say, is a completely wrong approach to applying security measures).
I agree that a firewall is a necessary component of securing network services, but where do you draw a line with automation tools? Do you also want to introduce tools to automate setting up services like SSH, NFS, Samba? I do not think that any competent system administrator would contemplate this.

Slax-Dude 07-06-2012 04:32 AM

Quote:

Originally Posted by T3slider (Post 4720132)
Creating a lilo.conf and an initrd are both required just to get the system to boot. They are not the same thing as a firewall. The other scripts included in the installer/pkgtool are simple configuration tools that unambiguously select one option out of a finite number of options. A firewall cannot be represented by such a simple script/configuration and is a fundamentally different concept. For example, timeconfig allows you to set your timezone. There is really only one 'correct' answer to select. This is *not* the case with a firewall.

OK, let me rephrase that:
httpd service is "preconfigured" and is not required to get the system to boot.
same with sshd.

They have "sane" defaults and that is all that is being asked for a firewall config.

As mentioned earlier, the admin is totally responsible for enabling sshd AND firewall, as they should be disabled by default and are not needed for the system to function... so I don't see why the flood of "why can't I ssh into my box???" would happen.
Even if it did, it would happen because something YOU did, not the system.

tallship 07-06-2012 05:00 AM

Yeah I don't know about that...
 
I've installed *Firestarter* and *FW Builder* too. FW Builder is nice, and simple, and about as complex as you need it to be too.

Firestarter isn't updated that much, took quite a bit of work to install on one machine and is sorely lacking in the documentation department - not to mention the fact that you have to install well over a dozen deps leaving you with an almost GNOME ready box.

Patrick gave his two cents when he said that following new installations he echoes ALL: ALL into hosts.deny as a starting point on a new box.

There's also the welcome email to root, and the rather unintuitively located /etc/ppp/firewall-standalone which doesn't work if simply copied to /etc/rc.d/rc.firewall and then chmod'd - At the very least one would need to know that they have to change $EXTIF to something along the lines of 'eth0' or 'wlan0'.

There was another thread with a different sort of firewall about a year ago here: http://www.linuxquestions.org/questi...script-884878/

Okay there's a lot of options. But then again, what kind of options are we really thinking about giving out?

A seasoned admin has his firewall scripts and mods them accordingly, experiments with new incarnations on sandboxes, and simply does a quick scp to /etc/rc.firewall and chmod's it 700.

A noob doesn't even know what an ICMP message is - it could take weeks for them to read through the instructions for what each port is for and for that matter, what a port is!

They might know what world of warcraft is (I know I don't), or minecraft (I don't know what that is either but I've built a couple of minecraft servers for my subscribers and it seems I'm hosting about 50 of them).

Heck, even asking a noob if they're going to be using eth0 or wlan0 is probably enough TMI to help them brick their machine - that they have to be asked whether they want sshd to start on boot is almost too much for many (as necessary a question as it is, it's not at all that obvious to us that this is a difficult question for most n00bs).

No. No firewall config included during installation - especially not dialogs for a Bash clone of Eric's EFG.

It's been pointed out in the threads above that we have FW Builder as an SBo, and that is good enough IMO as far as any sort of app is concerned.

We certainly don't want people asking themselves, "Gee. Firewall... I think I'm supposed to have one of those. I'll answer yes to that.", and then be presented in the middle of an install with a seemingly endless list of frightful questions that resemble a kernel makefile.

I do (Pat, if you're listening) think that the EFG should be mentioned in the welcome email with a link to it... Why?

  • Because it's safe - in order to fsck things up you have to be able to gen the script and actually install it as rc.firewall
  • Because it is an additional learning tool that they can work with, read, glean wisdom from, and have something functional once they understand how to make it run.
  • Because including a firewall generator as part of the standard Slackware install is inviting n00bs to fire off bug reports to LQ saying that their slackboxware macheen is broaken.

A mention of FW Builder at SBo, SBo in general, and sbopkg are probably also good things to cover as well in the welcome email, continuing in this same philosophy - Slackware gives you UNIX while you, the SA, make it what you want and need, and here's some kewl places to look for those tools.

All in all a firewall is just one of the first things that you *might* need/want to do w/your system. Installing an IDS is just as important in a forward facing box, and talk of including a question during the installation dialog as to whether you want to configure one of those is just as problematic a proposal.

That having been said, I think it's a great idea to clone Eric's EFG as a Bash script which has an SBo at Slackbuilds.org

Now, as far as truly important things are concerned, I think the automatic coffee maker script really should be included as part of the standard Slackware installation process IMNSHO ;)

I hope that helps!

Kindest regards,


Lexus45 07-06-2012 05:37 AM

But I really do like the idea of setting up everything by hand. I'm sure Slackware is not that kind of Linux distribution which must have tools like ufw. The beauty of Slackware is being Unix-like, oldschool and so on.
In Slackware I advise you to use this script:
Code:

#!/bin/bash
firewall_start() {
    # Start from a clean slate: flush every table and delete user-defined chains
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X

    # Setting default policies
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    # All your iptables rules go here! Yes, right here.

}

firewall_stop() {
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    # Put the policies back to ACCEPT: flushing alone would leave INPUT at DROP
    # with no accept rules, which blocks everything instead of opening the box
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
}

firewall_restart() {
    firewall_stop
    sleep 1
    firewall_start
}

case "$1" in
'start')
  firewall_start
  ;;
'stop')
  firewall_stop
  ;;
'restart')
  firewall_restart
  ;;
*)
  echo "usage: $0 start|stop|restart"
  exit 1
  ;;
esac

Name it rc.firewall and put it in the /etc/rc.d/ directory. Then make it executable (chmod +x /etc/rc.d/rc.firewall).
It will start with the system automatically*. And you will be able to use these commands:
Code:

/etc/rc.d/rc.firewall start
Code:

/etc/rc.d/rc.firewall stop
Code:

/etc/rc.d/rc.firewall restart
... to start / stop / restart your firewall rules set manually.

*If you look through /etc/rc.d/rc.inet2, you will find there:
Code:

# If there is a firewall script, run it before enabling packet forwarding.
# See the HOWTOs on http://www.netfilter.org/ for documentation on
# setting up a firewall or NAT on Linux.  In some cases this might need to
# be moved past the section below dealing with IP packet forwarding.
if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall start
fi

This is how the work is done :-)
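
The skeleton above leaves the rule section empty. As an added example in the same start/stop/restart shape (this is not Lexus45's script and not the output of AlienBob's generator), here is a complete rc.firewall carrying a constructed default-deny baseline: loopback and established traffic allowed, ICMP echo rate-limited, SSH accepted only from an assumed LAN range, everything else dropped and logged. EXTIF, SSH_FROM, the IPT override and the `check` action are assumptions of this example. Its stop action also resets the default policies to ACCEPT, because flushing rules while INPUT stays at DROP cuts the box off the network rather than opening it up, which is exactly the lock-out people in this thread worry about.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall - added example in the start/stop/restart shape used
# above. Not Lexus45's script and not AlienBob's generator output; the
# ruleset is a constructed default-deny baseline for a single-homed box.

EXTIF="${EXTIF:-eth0}"                  # assumption: the outside interface
SSH_FROM="${SSH_FROM:-192.168.1.0/24}"  # assumption: only this LAN reaches sshd
IPT="${IPT:-iptables}"                  # IPT=echo prints rules instead of applying them

# Emit the baseline as one iptables argument list per line. Keeping it
# separate from firewall_start lets you review it before touching the kernel.
build_rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -i $EXTIF -p tcp --dport 22 -s $SSH_FROM -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix FW-DROP:
EOF
}

# Flush rules and delete user-defined chains in every table.
flush_all() {
    for table in filter nat mangle; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
    done
}

firewall_start() {
    flush_all
    build_rules | while IFS= read -r rule; do
        # Word splitting of $rule into separate arguments is intended here.
        $IPT $rule || { echo "rc.firewall: failed on: $rule" >&2; exit 1; }
    done || return 1
    echo "rc.firewall: baseline applied, external interface $EXTIF"
}

firewall_stop() {
    flush_all
    # Policies must go back to ACCEPT: flushing alone leaves INPUT at DROP with
    # no accept rules, which cuts the box off instead of opening it up.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -P "$chain" ACCEPT
    done
}

firewall_restart() {
    firewall_stop
    sleep 1
    firewall_start
}

case "$1" in
'start')   firewall_start ;;
'stop')    firewall_stop ;;
'restart') firewall_restart ;;
'status')  $IPT -L -v -n --line-numbers ;;
'check')   build_rules ;;   # print the rules without applying them
*)         echo "usage: $0 start|stop|restart|status|check" >&2 ;;
esac
```

Run `rc.firewall check` first and read the rule list; if the SSH line does not match the network you are actually connecting from, fix SSH_FROM before `start`, and keep a console or out-of-band session open the first time you apply it.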

T3slider 07-06-2012 03:41 PM

Quote:

Originally Posted by Slax-Dude (Post 4720644)
OK, let me rephrase that:
httpd service is "preconfigured" and is not required to get the system to boot.
same with sshd.

They have "sane" defaults and that is all that is being asked for a firewall config.

As mentioned earlier, the admin is totally responsible for enabling sshd AND firewall, as they should be disabled by default and are not needed for the system to function... so I don't see why the flood of "why can't I ssh into my box???" would happen.
Even if it did, it would happen because something YOU did, not the system.

httpd.conf is shipped with apache. It is slightly modified to make it obey Slackware's directory setup and adds a few commented lines to make it easier to enable PHP support for noobs. The file itself, however, comes from apache. openssh's ssh_config and sshd_config files are shipped by default with ssh and are not Slackware-specific (and shipping with root logins enabled is hardly a sane default). In both httpd and ssh the only real modification is the inclusion of an rc.httpd and rc.sshd script to get them to start in Slackware's BSD-style SysV init system. Obviously rc.firewall is already set up for this. It is easy to warp facts to support your own ideas but once again, rc.firewall is showing remarkable consistency with regards to the rest of Slackware's settings. Perhaps if you could get upstream iptables to produce a default firewall configuration all would be fine. :rolleyes:

Again, Pat/Slackware is not the creator of most 'sane' defaults -- it ships upstream defaults and modifies them only if they will cause trouble (if they won't start, or if they will spam the root directory). Since there is no upstream firewall script, and rc.firewall is already set to start if available, there is no need for modification.

ReaperX7 07-06-2012 04:04 PM

The one thing we do have as a problem, as stated, is that the firewall script provided at /etc/ppp/firewall-standalone is not readily deployable even as a sample script. Having a sample script provided that can be universal to everyone out-of-the-box, even at a minimum, can be a great learning tool for those wanting to learn; for the rest of us who already have our pre-built scripts, do we need it? No. Can we edit the default out? Yes we can.

1. Are we asking to consider for a prebuilt Firewall to be included with Slackware ready to go out of the box?

No, we are asking for a sample script that can be edited, copied, and then made executable, with universal defaults that anyone, regardless of skill level, can work with.

2. Are we asking to consider for an nCurses tool to be added into Slackware's setup?

ONLY if it can be skipped during installation if we so choose to.

3. Are we asking to consider for more packages for bloatware to the system?

No we aren't. In fact we are asking to AVOID having to add extra packages to the system like FWBuilder, FireStarter, etc. With sample scripts we don't need extra packages.

4. Are we asking to consider for some extra documentation like a Firewall-HOWTO?

While a lot of information exists online, getting that information if you are offline is rather problematic especially when most of it is written in tech jargon, and not English when you aren't a tech speaking person new to Linux. Newbies (not nOObs) often need an easy to follow guide so they can learn. Slackware's already included HOWTOs are easy to follow, written in English, and are simple enough for anyone.

Besides, Slackware already teaches the best fundamentals of Linux compared to any other distribution outside of Linux From Scratch, so why not teach those willing to learn for themselves how to properly set up a basic universal firewall and provide a proper sample thereof for beginners to start with and expand from?

Hannes Worst 07-06-2012 04:30 PM

When I installed Slackware, the first time and every consecutive time, I used Slackbook. I would recommend everyone to do so. It's needed if you intend to use Slackware, that's what it's about, thorough reading. There's a good chapter about Iptables in the Slackbook. Maybe a reference to Alien Bob's generator will do. It's not a Slackware-installation matter, it's a Slackbook matter.

chess 07-07-2012 12:25 AM

Quote:

Originally Posted by ReaperX7 (Post 4721153)
1. Are we asking to consider for a prebuilt Firewall to be included with Slackware ready to go out of the box?

No, we are asking for a sample script that can be edited, copied, and then made executable, with universal defaults that anyone, regardless of skill level, can work with.

It seems to me that firewalls are very unique and particular to each network. I don't know if there are "universal defaults" besides a deny-all type of script. I still think any sample script is going to cause headaches for Pat because once people start uncommenting lines or modifying their setup, and then locking themselves out of their box, they're going to complain to Pat and take up valuable time.

Quote:

Originally Posted by ReaperX7 (Post 4721153)
While a lot of information exists online, getting that information if you are offline is rather problematic especially when most of it is written in tech jargon, and not English when you aren't a tech speaking person new to Linux. Newbies (not nOObs) often need an easy to follow guide so they can learn. Slackware's already included HOWTOs are easy to follow, written in English, and are simple enough for anyone.

Besides, Slackware already teaches the best fundamentals of Linux compared to any other distribution outside of Linux From Scratch, so why not teach those willing to learn for themselves how to properly set up a basic universal firewall and provide a proper sample thereof for beginners to start with and expand from?

Teaching people the fundamentals of Linux is very different from teaching people the fundamentals of iptables. I see Slackware as a building block -- a distribution intended to give people a solid foundation on which to learn themselves. Emphasis on the "themselves." The whole teaching a man to fish kind of thing.

Besides, this teaching thing is a slippery slope. You ask that Pat include a basic firewall to teach people some fundamentals. Is he supposed to teach them about NAT or port forwarding? Where does it end?

As stated by others far more eloquently than I, I would prefer Pat spend his limited time on creating this solid building block -- i.e. packaging, making sure all the nuts and bolts fit together, etc. -- than spending his time teaching people iptables.

But that's just me.

ReaperX7 07-07-2012 01:58 AM

You make a good point about where to start stuff from, but there's always the argument that could be made, "Even a foundation needs a first stone to be placed."

Providing a basic entry level to a system such as a sample, documentation, a generalized HOWTO, and links to advanced documents is better than nothing at all. As far as what is Universal, yes, for advanced users universal does not apply. Universal is more or less basically what are the standard network applications, ports, and routing tables that would apply to a standard average user PC... more or less something like AlienBOB's EFG default configuration, give or take.

In my case, I use NAT tables, some custom port forwarding configurations, block off everything else inbound that isn't from applications installed or in use, redirect some outbound stuff to a loopback, and fairly much keep a log of activities that attempt to circumvent the security I have in place. Is it optimal for me? Yes. For anyone else would it work? Maybe not.

As far as documentation, the basics should cover just that, the basics. If you need advanced stuff, then you have to go online, and you're on your own from there.

The other option is... include an offline HTML webpage of AlienBOB's EFG on the disk under /extras or even /unsupported that anyone can access, run, and set up if they so choose to.

Again remember this topic is just a discussion and nothing concrete. But ideas always are good to toss around about things and such.

wildwizard 07-07-2012 05:30 AM

Some things that should be added to Slackware-14 are the following HOWTOs which are not included currently due to them not being on tldp :-

http://www.netfilter.org/documentati...ring-HOWTO.txt
http://www.netfilter.org/documentati.../NAT-HOWTO.txt

The following HOWTOs which are included describe the old and no longer functional ways :-

Bridge+Firewall (replaced already by Ethernet-Bridge-netfilter-HOWTO)
Firewall-HOWTO
IP-Masquerade-HOWTO
IPCHAINS-HOWTO
IPMasquerading+Napster
Masquerading-Simple-HOWTO

Currently if a new user goes reading /usr/doc/Linux-HOWTOs they will not be able to learn how to use the firewall features that Slackware currently offers (iptables) but will learn about ipchains and ipfwadm (gasp)

So if we really want to help new users then how about we get the documentation up to date first?

H_TeXMeX_H 07-07-2012 06:14 AM

Quote:

Originally Posted by wildwizard (Post 4721442)
Currently if a new user goes reading /usr/doc/Linux-HOWTOs they will not be able to learn how to use the firewall features that Slackware currently offers (iptables) but will learn about ipchains and ipfwadm (gasp)

So if we really want to help new users then how about we get the documentation up to date first?

Yes, that would definitely help.

However, I think using iptables on the command line is a bit too complicated for new users, and is unnecessary in most cases. You either start with a script like EFG and comment out or in stuff, or you use firewall builder. Does anyone here actually build a firewall script from scratch by writing out iptables commands ? If you do, then you are a hardcore user, cuz I don't. I just use the EFG and comment stuff in or out. I will probably switch to firewall builder sometime ... or maybe not because the EFG works well. One benefit of firewall builder is that you can push iptables rules to your router as well.

Kallaste 07-07-2012 07:32 AM

Quote:

Originally Posted by tallship (Post 4720656)
  • Because including a firewall generator as part of the standard Slackware install is inviting n00bs to fire off bug reports to LQ saying that their slackboxware macheen is broaken.

Well, I was with you until this unbelievably condescending statement. So noobs are illiterate idiots, is that it? Perhaps you would be interested to learn that I have an IQ in the 150s, hold more than one advanced degree, am a pretty darn good speller, AND I just started using Slackware.

Everyone in this forum was once a new user at some point. Please do not be a jerk about it.

H_TeXMeX_H 07-07-2012 10:28 AM

Quote:

Originally Posted by BloomingNutria (Post 4721492)
Well, I was with you until this unbelievably condescending statement. So noobs are illiterate idiots, is that it? Perhaps you would be interested to learn that I have an IQ in the 150s, hold more than one advanced degree, am a pretty darn good speller, AND I just started using Slackware.

Everyone in this forum was once a new user at some point. Please do not be a jerk about it.

I agree, especially using the word n00b.

For sure it is unlikely that any firewall script will be included in the installer for fear of mass upheaval. However, as I said before, maybe the EFG should be included somewhere, but disabled by default, or firewall builder (it's already a slackbuild).

hitest 07-07-2012 10:50 AM

Quote:

Originally Posted by BloomingNutria (Post 4721492)
Well, I was with you until this unbelievably condescending statement. So noobs are illiterate idiots, is that it? Perhaps you would be interested to learn that I have an IQ in the 150s, hold more than one advanced degree, am a pretty darn good speller, AND I just started using Slackware.

Everyone in this forum was once a new user at some point. Please do not be a jerk about it.

Agreed. That is unnecessarily harsh. We like to welcome new Slackware users to the official Slackware forum. Glad to hear you're enjoying Slackware. :)

Kallaste 07-07-2012 11:23 AM

Quote:

Agreed. That is unnecessarily harsh. We like to welcome new Slackware users to the official Slackware forum. Glad to hear you're enjoying Slackware. :)
Thank you. I love this forum, and have always been encouraged by the number of people here who are willing to help. As for Slackware, I took it on as a learning exercise and it has not let me down. I'm sure I'll have fun using it for years to come!

ReaperX7 07-07-2012 06:42 PM

Noob = useless idiot trash, trollish idiot moron, and scum of the internet.

Newbie (Newb) = Novice, beginner, apprentice, and someone without knowledge of advanced topics, methods, and procedures.

Yes calling new Slackware users "nOObs" is one thing that is very condescending not just to Slackware, but to the community, and the new people who need help. This topic was a topic designed to bring about talks of change to help new users, not hinder them, belittle them, or think they can't learn.

solarfields 07-08-2012 04:27 AM

I do not see what the big fuss is all about. Could a rc.firewall generator, similar to AlienBob's be added to Slackware? If "yes" -- great, it will make things easier for some people, if "no" -- the Easy Firewall Generator is still there, so no big deal.

That's it.


May I share my humble opinion?
I use my Slackware boxes as desktop computers -- one at home is for multimedia, the other is mainly for testing my slackbuild scripts and the machine at work is for.. eh.. work, which often includes bioinformatics. Please, don't shred me to pieces for saying this, but learning iptables is something that I simply do not want to do. I am neither a computer specialist nor a computer geek. Therefore, a user like me will be happy if provided with a basic firewall script out of the box.

AlleyTrotter 07-08-2012 07:04 AM

Quote:

Originally Posted by ReaperX7 (Post 4721868)
Noob = useless idiot trash, trollish idiot moron, and scum of the internet.

Newbie (Newb) = Novice, beginner, apprentice, and someone without knowledge of advanced topics, methods, and procedures.

Actually the term newbie (and its many derivatives) originated with the American GI in Vietnam. It was used to refer to a soldier who had just arrived in country and needed everyone's help just to survive. It was not derogatory in any way.

Just saying
John
