[CS-FSLUG] Firewall fights

Ed Hurst ehurst at asisaid.com
Wed Jan 25 06:54:05 CST 2006 

Stephen J. McCracken wrote:
> Here's a quick stab at things for now.  I assume you just have one
> network card in this box (it's not acting like a router or gateway, is
> it?).

Here's the deal: We have a DSL modem with four ports and wireless 
capability. SBC treats their DSL customers as one big LAN group. Our IP 
assignments via DHCP are 192.168.1.64 - 192.168.1.67. Our DNS comes in 
via 192.168.1.254. The DSL modem has a wimpy firewall built in, and I 
know from running FreeBSD it works, based on the logs. SBC claims to 
filter some things at their gateway, too. Right now, I have the firewall 
turned off.

I have the one interface, which Kanotix calls "lan0" along with the 
loopback. I don't filter for any other machine.

I tried to run the firestarter wizard again, but it asks questions I 
can't answer, even using Google. It assumes far too much knowledge. The 
shortage here is not getting rules, but understanding why I need this or 
that, or don't need it. They use terms which don't match even the issues 
you mentioned. For example, the configuration doesn't even mention 
"time-exceeded". Debian (and friends) is the one distro which does 
absolutely nothing for the firewall neophyte.

The rules for FreeBSD are based on IPFW, and I can't discern how to 
translate that to IPTables. The rules in CentOS are script-based, though 
hardly so involved as the SUSE Firewall2. There is no simple rule stack 
I can just copy over.

[rant mode]

This has been my one great frustration. Apparently my learning 
disability affects this one thing, because I've read more about 
firewalls than almost any other topic, and I still cannot edit the rules 
without accidentally locking myself off the Net, or something equally 
dumb. Considering all the other users out there less technically 
inclined than I, it's a wonder any newbies will ever touch this.

I read a dozen or more guides for GUI packages. All of them keep making 
the same mistake: "You can do this if you want that" but no one bothers 
to explain why I would want to do "that" or any other option. The 
defaults always assume a server gateway; nothing seems to aim at the 
independent workstation. They all claim to be "simple and easy to use" 
but that's simply not so. It's easy only if you are an accomplished 
network technician.

-- 
Ed Hurst
----------
Bible Application - http://ed.asisaid.com/bible/index.html
Plain & Simple Computer Help - http://ed.asisaid.com/
Mission, Method & Means - http://ed.asisaid.com/blog/

More information about the Christiansource mailing list