Old 05-10-2003, 02:21 PM   #1
yocompia
mdk internet config problems


i recently obtained a copy of mdk linux, and i've been having a hell of a time getting it to configure internet connections, set up a firewall, etc. it seems as though mdk just "fritzes out" when i try to set up internet connections, and i'll soon explain what is meant by "fritzing out."

def'n of "fritzing out":
if i set the security setting to anything above (High) or set up the firewall to try to regulate any internet services i cannot connect to the internet, even though mdk control center acknowledges that i have an ethernet card that is (up). when it tries to connect to the internet the control center gets all buggy (windows won't close, etc.) and dictates that the connection setup failed and that an error occurred during configuration and to check my settings.

my suspicions are (1) that my internet connection which is (ADSL) is somehow incompatible with the firewall or (2) that i require more knowledge to properly configure around these issues.
 
Old 05-11-2003, 09:32 AM   #2
Mara
I don't recommend you to use 'High' security mode if the machine's not a server. The connection may be up, but the firewall may be blocking everything (plus 'High' mode changes permissions and other things - then it's hard to use it for a desktop machine). Play with the firewall. If you find a situation when you can't connect, open a terminal, use su to become root ('su' and then root password when asked) and run 'iptables -L'. It lists your current firewalling rules - your set of rules will allow someone, when you post them, to find out what's wrong.
 
Old 05-13-2003, 02:55 PM   #3
yocompia
I have determined the conditions under which a connection can be established.

When security settings are set to standard and the firewall is disabled (under Mandrake's control center) and the machine is rebooted, I am consistently able to connect to the internet via DSL.

However, as soon as I fiddle with the Firewall settings, the internet connection ceases to work (my logs spit out lots of "Shorewall:OUTPUT:REJECT" messages) and the connection will not revive until the machine is rebooted with the Firewall disabled.

I have iptabled the system in both (connected & unfirewalled) and (unconnected & firewalled) states.

I guess I have to manually configure the ip table if I want to use Mandrake's firewall?

-----------------

ABLE TO CONNECT, NOT FIREWALLED:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

-----------------

UNABLE TO CONNECT, FIREWALLED:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
eth0_in all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
fw2net all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere

Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere

Chain common (5 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
icmpdef icmp -- anywhere anywhere
DROP tcp -- anywhere anywhere state INVALID
REJECT udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:microsoft-ds reject-with icmp-port-unreachable
reject tcp -- anywhere anywhere tcp dpt:135
DROP udp -- anywhere anywhere udp dpt:1900
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere 224.0.0.0/4
reject tcp -- anywhere anywhere tcp dpt:auth
DROP all -- anywhere 10.0.0.255

Chain dynamic (2 references)
target prot opt source destination

Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere

Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request
net2fw all -- anywhere anywhere

Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere

Chain icmpdef (1 references)
target prot opt source destination

Chain net2all (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere

Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
net2all all -- anywhere anywhere

Chain newnotsyn (4 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain reject (6 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain shorewall (0 references)
target prot opt source destination
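
To see what the "Shorewall:OUTPUT:REJECT" messages are actually blocking, the log lines can be tallied by chain, interface, protocol and destination port. This is an added example, not part of the original posts; plain `iptables -L` does not print interface matches (`iptables -L -n -v` does), so the logs are where a mismatch shows up. The log lines are constructed samples, and the `ppp0` interface (a PPPoE ADSL link) and the `eth0`/`lo` list are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel's netfilter LOG format (not from the thread).
# Addresses are documentation ranges; ppp0 assumes the ADSL link runs over PPPoE.
SAMPLE_LOG = """\
May 13 14:50:01 localhost kernel: Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.53 LEN=58 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1026 DPT=53 LEN=38
May 13 14:50:02 localhost kernel: Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.53 LEN=58 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1026 DPT=53 LEN=38
May 13 14:50:05 localhost kernel: Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=1031 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 13 14:50:09 localhost kernel: Shorewall:INPUT:REJECT:IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=911 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
May 13 14:50:11 localhost kernel: Shorewall:INPUT:REJECT:IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=912 PROTO=ICMP TYPE=13 CODE=0 ID=1 SEQ=1
May 13 14:50:12 localhost cron[411]: unrelated line that is ignored
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):(?P<fields>.*)")
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (chain, disposition, in, out, proto, dport) or None for other lines."""
    m = PREFIX.search(line)
    if not m:
        return None
    f = dict(FIELD.findall(m.group("fields")))
    # Empty IN=/OUT= means "not applicable"; ICMP and similar carry no DPT.
    return (m.group("chain"), m.group("disp"), f.get("IN") or "-",
            f.get("OUT") or "-", f.get("PROTO", "?"), f.get("DPT", "-"))

def summarize(text):
    """Count logged packets per (chain, disposition, in, out, proto, dport)."""
    return Counter(rec for rec in map(parse_line, text.splitlines()) if rec)

def unmatched_ifaces(counts, ruleset_ifaces=("eth0", "lo")):
    """Interfaces seen in logged packets that the ruleset is not written for.

    ruleset_ifaces is an assumption: the listing in the thread only has
    eth0_in / eth0_fwd chains, plus the usual loopback rule.
    """
    seen = {iface for key in counts for iface in key[2:4]}
    return sorted(seen - set(ruleset_ifaces) - {"-"})

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(n, *key)
    print("interfaces with no matching rules:", unmatched_ifaces(counts))
```

If the tally shows traffic leaving on an interface the generated chains never name, the firewall was configured for the wrong interface rather than being "too strict" about ports.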
 
Old 05-16-2003, 01:46 PM   #4
Mara
The firewall is too restrictive - blocks much and logs everything. I think you need something simpler. Please search this site for 'iptables script'. There were many posted, many of them commented, so you can choose one that fits your situation best.
 
Old 05-16-2003, 01:54 PM   #5
Proud
Guarddog!
For a good frontend to enabling just the ports you need.
Then you can learn iptables.
 
Old 05-17-2003, 11:34 AM   #6
yocompia
thx a lot for the suggestions, mara. you were right, it was too restrictive, so i went to the shorewall.net page and d/l'ed the "default" config files i needed. everything is working peachy now, taking exception to the fact that shorewall seems to have some sort of aneurysm when the command "restart" is issued. i believe this is a bug of versions < 1.3.9, so i'll try to fix it.

btw, does anyone have suggestions for firewall software besides 1) guarddog and 2) shorewall?
 
  

