Quote:
I will repeat that I wouldn't object to a firewall script being included, but pretending that it is a simple matter of shipping a do-everything script is not helping. Enabling a good, secure firewall *will* flood Pat with support requests asking why network services aren't working (why can't I ssh to my box???). Since the way to prevent those support requests is to get users to understand what they're doing, allowing users to implement their own firewalls via rc.firewall puts the responsibility on the user instead of the maintainer. I would much rather Pat spend his time juggling package versions and patches to try and get a good, stable, functional Slackware than worrying about writing firewall scripts and responding to e-mails from uninformed users, especially when there's a very good chance that I and anyone else looking for more than the bare minimum firewall will end up rewriting it anyway. Pumping out a stable distro and knowing which versions of software to include (for ~1000 packages) so that everything works well is beyond my capability and time constraints, but creating a firewall is well within my abilities. I would rather more time be spent on the former than the latter. The EFG already exists (and is hosted on slackware.com) and is a noob-friendly way to create a firewall without any additional support required from Pat. I think it's sufficient. Of course that is just one man's opinion. Also see this from rc.inet2:
Code:
# If there is a firewall script, run it before enabling packet forwarding.
Quote:
Code:
If you need to set up your Linux machine as a router for other systems,
Going off what Eric said, the HOWTO documentation could be expanded to include more information on this, perhaps. That being said, couldn't a sample firewall script be provided, like the sample Samba script?
Just for a jape, I followed the documentation trail. The initial email to root says 'man iptables' for lots of information. Then the manual page for iptables gives a link to http://www.netfilter.org. At that site you can click on Documentation-HOWTOs with a collection of links in a section Tutorials. One of these links, titled 'Comparison of iptables automation tools' has this quote. I have added the emphasis.
Quote:
The httpd service is "preconfigured" and is not required to get the system to boot. Same with sshd. They have "sane" defaults, and that is all that is being asked for a firewall config. As mentioned earlier, the admin is totally responsible for enabling sshd AND the firewall, as they should be disabled by default and are not needed for the system to function... so I don't see why the flood of "why can't I ssh into my box???" would happen. Even if it did, it would happen because of something YOU did, not the system.
Yeah, I don't know about that...
I've installed *Firestarter* and *FW Builder* too. FW Builder is nice, and simple, and about as complex as you need it to be too.
Firestarter isn't updated that much, took quite a bit of work to install on one machine, and is sorely lacking in the documentation department - not to mention the fact that you have to install well over a dozen deps, leaving you with an almost GNOME-ready box.

Patrick gave his two cents when he said that following new installations he echoes ALL: ALL into hosts.deny as a starting point on a new box. There's also the welcome email to root, and the rather unintuitively located /etc/ppp/firewall-standalone, which doesn't work if simply copied to /etc/rc.d/rc.firewall and then chmod'd - at the very least one would need to know that they have to change $EXTIF to something along the lines of 'eth0' or 'wlan0'. There was another thread with a different sort of firewall about a year ago here: http://www.linuxquestions.org/questi...script-884878/

Okay, there's a lot of options. But then again, what kind of options are we really thinking about giving out? A seasoned admin has his firewall scripts and mods them accordingly, experiments with new incarnations on sandboxes, and simply does a quick scp to /etc/rc.firewall and chmod's it 700. A noob doesn't even know what an ICMP message is - it could take weeks for them to read through the instructions for what each port is for and, for that matter, what a port is! They might know what World of Warcraft is (I know I don't), or Minecraft (I don't know what that is either, but I've built a couple of Minecraft servers for my subscribers and it seems I'm hosting about 50 of them). Heck, even asking a noob if they're going to be using eth0 or wlan0 is probably enough TMI to help them brick their machine - that they have to be asked whether they want sshd to start on boot is almost too much for many (as necessary a question as it is, it's not at all obvious to us that this is a difficult question for most n00bs).

No. No firewall config included during installation - especially not dialogs for a Bash clone of Eric's EFG.
It's been pointed out in the threads above that we have FW Builder as an SBo, and that is good enough IMO as far as any sort of app is concerned. We certainly don't want people asking themselves, "Gee. Firewall... I think I'm supposed to have one of those. I'll answer yes to that.", and then be presented in the middle of an install with a seemingly endless list of frightful questions that resemble a kernel makefile. I do (Pat, if you're listening) think that the EFG should be mentioned in the welcome email with a link to it... Why?
A mention of FW Builder at SBo, SBo in general, and sbopkg are probably also good things to cover in the welcome email, continuing in this same philosophy - Slackware gives you UNIX while you, the SA, make it what you want and need, and here are some kewl places to look for those tools. All in all, a firewall is just one of the first things that you *might* need/want to do w/your system. Installing an IDS is just as important in a forward-facing box, and talk of including a question during the installation dialog as to whether you want to configure one of those is just as problematic a proposal. That having been said, I think it's a great idea to clone Eric's EFG as a Bash script which has an SBo at Slackbuilds.org. Now, as far as truly important things are concerned, I think the automatic coffee maker script really should be included as part of the standard Slackware installation process IMNSHO ;) I hope that helps! Kindest regards.
But I really do like the idea of setting up everything by hand. I'm sure Slackware is not the kind of Linux distribution that must have tools like ufw. The beauty of Slackware is being Unix-like, oldschool and so on.
In Slackware I advise you to use this script:
Code:
#!/bin/bash
It will start with the system automatically*. And you will be able to use these commands:
Code:
/etc/rc.d/rc.firewall start
/etc/rc.d/rc.firewall stop
/etc/rc.d/rc.firewall restart
*If you look through /etc/rc.d/rc.inet2, you will find there:
Code:
# If there is a firewall script, run it before enabling packet forwarding.
Quote:
Again, Pat/Slackware is not the creator of most 'sane' defaults -- it ships upstream defaults and modifies them only if they will cause trouble (if they won't start, or if they will spam the root directory). Since there is no upstream firewall script, and rc.firewall is already set to start if available, there is no need for modification.
The one thing we do have as a problem, as stated, is that the firewall script provided at /etc/ppp/firewall-standalone is not readily deployable even as a sample script. Having a sample script that can be universal to everyone out of the box, even at the minimum, can be a great learning tool for those wanting to learn; for the rest of us who already have our pre-built scripts, do we need it? No. Can we edit the default out? Yes we can.
1. Are we asking to consider a prebuilt firewall to be included with Slackware, ready to go out of the box? No, we are asking for a sample script that can be edited, copied, and then made executable, with universal defaults that anyone, regardless of skill level, can work with.
2. Are we asking to consider an ncurses tool to be added to Slackware's setup? ONLY if it can be skipped during installation if we so choose.
3. Are we asking to consider more bloatware packages for the system? No we aren't. In fact we are asking to AVOID having to add extra packages to the system like FWBuilder, FireStarter, etc. With sample scripts we don't need extra packages.
4. Are we asking to consider some extra documentation like a Firewall-HOWTO? While a lot of information exists online, getting that information if you are offline is rather problematic, especially when most of it is written in tech jargon and not English when you aren't a tech-speaking person new to Linux. Newbies (not nOObs) often need an easy-to-follow guide so they can learn. Slackware's already included HOWTOs are easy to follow, written in English, and are simple enough for anyone. Besides, Slackware already teaches the best fundamentals of Linux compared to any other distribution outside of Linux From Scratch, so why not teach those willing to learn for themselves how to properly set up a basic universal firewall, and provide a proper sample thereof for beginners to start with and expand from?
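As an added illustration of what the two posts above are asking for (a start/stop/restart /etc/rc.d/rc.firewall that rc.inet2 will pick up, and a sample with "universal defaults" that does not need /etc/ppp/firewall-standalone's hand-edits), here is example code written for this edit. It is not the script from the thread, not Slackware's own firewall-standalone, and not the EFG output. Assumptions: the outside interface is named by EXTIF (default eth0, so a wlan0 box must set it), iptables lives at /usr/sbin/iptables with the conntrack and limit matches available, and sshd listens on 22. Setting DRYRUN=1 prints the iptables commands instead of running them, so the rule set can be inspected before it is made executable (chmod 755) and run at boot.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall  (example written for this thread, not the original poster's script)
# Stateful host firewall: default-deny inbound, allow loopback, established/related
# traffic, rate-limited ping, and ssh on the outside interface. Everything else is
# logged (rate-limited) and dropped. Outbound is left open.
# DRYRUN=1 prints the iptables commands instead of executing them.

EXTIF="${EXTIF:-eth0}"              # assumption: outside interface; set wlan0 etc. as needed
SSH_PORT="${SSH_PORT:-22}"          # assumption: sshd on the default port
TCP_OPEN="${TCP_OPEN:-}"            # extra TCP ports to accept, e.g. TCP_OPEN="80 443"
IPT="${IPT:-/usr/sbin/iptables}"    # assumption: iptables path

# Run an iptables command, or just print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Remove all rules and user chains from every table.
fw_flush() {
    for t in filter nat mangle; do
        run -t "$t" -F
        run -t "$t" -X
    done
}

# Policies that accept everything (the "no firewall" state used by stop).
fw_open() {
    run -P INPUT ACCEPT
    run -P FORWARD ACCEPT
    run -P OUTPUT ACCEPT
}

fw_start() {
    fw_flush
    run -P INPUT DROP
    run -P FORWARD DROP                       # not a router: never forward by default
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Answer ping, but not a flood; ICMP errors for our own flows arrive as RELATED above.
    run -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    run -A INPUT -i "$EXTIF" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    for p in $TCP_OPEN; do
        run -A INPUT -i "$EXTIF" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log what hits the default-deny so "why can't I reach my box" has an answer in the syslog.
    run -A INPUT -m limit --limit 3/min -j LOG --log-prefix "rc.firewall drop: "
    run -A INPUT -j DROP
}

fw_stop() {
    fw_flush
    fw_open
}

fw_status() {
    "$IPT" -L -v -n
}

# Number of -A rules fw_start would install; a quick sanity check for DRYRUN output.
fw_rule_count() {
    (DRYRUN=1; fw_start) | grep -c -- ' -A '
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    status)  fw_status ;;
    "")      ;;   # sourced or run without an argument: only define the functions
    *)       echo "usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Note what rc.inet2 does with it: the comment quoted twice in this thread means the script is run, if executable, before packet forwarding is enabled, so FORWARD being DROP here is the safe default on a non-router. To open a service, add its port to TCP_OPEN rather than editing the rules, and check `DRYRUN=1 /etc/rc.d/rc.firewall start` first.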
When I installed Slackware, the first time and every subsequent time, I used the Slackbook. I would recommend everyone do so. It's needed if you intend to use Slackware; that's what it's about, thorough reading. There's a good chapter about iptables in the Slackbook. Maybe a reference to Alien Bob's generator will do. It's not a Slackware-installation matter, it's a Slackbook matter.
Besides, this teaching thing is a slippery slope. You ask that Pat include a basic firewall to teach people some fundamentals. Is he supposed to teach them about NAT or port forwarding? Where does it end? As stated by others far more eloquently than I, I would prefer Pat spend his limited time on creating this solid building block -- i.e. packaging, making sure all the nuts and bolts fit together, etc. -- than spending his time teaching people iptables. But that's just me.