John, thanks very much for your extensive comments. I'm sure
they'll be helpful as we draft the next version.
> -----Original Message-----
> From: John Andersen [mailto:JAndersen@screenio.com]
> Sent: Friday, May 10, 2002 12:28 PM
> To: shorewall-devel@shorewall.net
> Subject: [Shorewall-devel] QSG
>
>
> I just installed Shorewall for the first time
> and had no working knowledge of iptables other than
> a couple magazine articles prior to this time.
>
> The use of the QSG is fresh in my mind.
>
> It was the single most helpful guide of any on
> the site.
>
> Comments:
> 1) The /etc/shorewall/masq section shows
> the use of the third column but then says you don't
> need it if you have a dynamic ip.
>
> It's not clear you need it with a static either, but
> this point should be (briefly) explained in that section,
> perhaps with a link to the full docs as is found in other
> areas.
>
>
> 2) for the /etc/shorewall/rules section:
> a) the "if you run servers on your firewall" section
> should show more than just www, it should probably
> show smtp and pop3, which small organizations
> are more likely to run on the firewall than a www server.
>
> b) The PORT FORWARDING section I found initially confusing.
> I don't know why, probably because it didn't work
> correctly the first time. Reason: default gateway
> on the loc client was not (yet) set to the linux box,
> it was still pointing to our antiquated hardware firewall.
> This was explained in one of the other docs but perhaps
> a word in this section would be warranted.
>
> The situations in which you need an IP in the last
> column were poorly understood by this newbie, and
> reading the rest of the docs didn't clear it up much
> but I got it working by way of example.
>
> Also with more and more of these instant messenger
> clients floating about, examples of routing these to
> workstations would be nice. I finally found and
> cribbed one out of Tom's setup.
>
> Side Note to Tom: A separate little file to hold
> these instant messenger inbound connections
> which would get merged with rules might be a
> nice enhancement. That way you don't have
> to open up your entire rules file every time some
> one on the sales staff decides they have to
> subscribe to yet another one of these things.
> They are a pain in the neck.
>
> General Suggestions:
> 1) Some consideration of breaking the QSG into
> three separate documents should be given.
>
> Single Zone (Workstation)
> Two Zone (Classic Firewall)
> Three+ Zone (Bastion)
>
> At any given reading, most users will be installing
> exactly one of these types, and intermingling the
> three descriptions makes it seem more complex
> than it is.
>
> 2) A snippet library on the website would be nice.
> Could be a directory of small text files with
> long descriptive names. Alternatively web pages
> could be used as is done now with some of
> the examples.
>
> Snippets would contain mostly rules (but perhaps
> content for the other files as well) and notes.
>
> So if you have Samba running on the FW you would
> have a snippet for that (as is currently found on a
> page).
>
> Some possible snippet topics
> smtp, pop3 servers
> local news servers (including externally
> accessible customer support news
> servers).
> time servers
> integration with novell netware
> Xwindow sessions (not thru ssh)
> Jet Direct boxes and such
> cups IPP
>
> These would help users not familiar with all the
> protocols and services. None of these
> are terribly complex, and most of them can be
> figured out by watching the logs, but every
> little bit helps.
>
> ______________________________________
> John Andersen
> NORCOM / Juneau, Alaska
> http://www.screenio.com/
>
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-devel
>