> Date: Sun, 17 Apr 2005 13:28:05 -0400
> From: "ryanag@zoominternet.net" <ryanag@zoominternet.net>
> Subject: Re: [Shorewall-users] dumb, dumb question **follow-up on
> support-request documentation**
> To: Tom Eastep <teastep@shorewall.net>
> Cc: Mailing List for Shorewall Users
> <shorewall-users@lists.shorewall.net>
> Message-ID: <1113758885.18991.11.camel@localhost.localdomain>
> Content-Type: text/plain
>
> On Sat, 2005-04-16 at 16:49 -0700, Tom Eastep wrote:
> >
> > Today, there are all sorts of bold large red font on the Shorewall
> > website that people routinely ignore; that's one of my chief
> > frustrations. Why would this link be any different?
>
> There are too many - offer one which says "new user support click here"
> then limit the answers to "yes/no" when possible.
>
> > And if you can enumerate the classes of problems, what does this system
> > provide that a well-written troubleshooting guide does not?
>
> Absolutely nothing - I think my way is a step backward. But
> realistically, how many open source projects have troubleshooting guides
> worth looking at?
>
> Remember - many people aren't doing this at work, and aren't ready to
> sit down with the entire user manual / troubleshooting guide until
> they've determined the program is useful.
>
> > And if Shorewall is running on an embedded system in the closet? (see
> > http://leaf.sourceforge.org).
>
> Can you use a different set of questions? Perhaps some instructions on
> how to use WinSCP to get files...
>
> > I somehow think that the 80/20 rule should apply here -- isn't there
> > something that takes 20% of the effort of what you propose that
> > accomplishes 80% of what it provides?
>
> I don't know. Think of the new user, not the advanced. What would a new
> user be used to? Windows2000/XP most likely, and probably familiar with
> home-user routers DLink, linksys, etc
>
> Windows users are certainly used to wizards with yes/no answers, and
> Dlink and Linksys also use wizards to setup their routers. I think a
> support system setup in that manner will help them out a lot (Linksys's
> and netgear's online support is similar to what I described).
>
> The flip side of all this is that it's great you provide any support at
> all, especially given the price of shorewall. :-)

For me, I have been using shorewall for years. I only use the most basic
of functions, but I expect anyone worth a darn is using it for more than
me.

As for Newbies who are only Windows savvy (term used loosely) - boo-hoo
for being spoiled. Try writing a case statement in Assembly.

Shorewall is an intense package meant for network administrators to lock
down a network. If you've got a decent degree, good experience and a
brain on your shoulders, you'll figure out how to best implement your
network with or without shorewall. If you are just tinkering with
shorewall, don't waste anyone's time until you have at least perused the
docs, tried the sample configs and tested them out. Then if you are
stuck, fine...

Having a wizard approach is really meant for single PC focus that
end-users can follow. Using shorewall should mean you aren't necessarily
the end-user and should have a grasp of networking concepts and the
ability to think things out reasonably without requiring to be handheld
via some sort of wizard.
On Sun, 2005-04-17 at 18:10 -0230, Roderick Greening wrote:
> Having a wizard approach is really meant for single PC focus that
> end-users can follow. Using shorewall should mean you aren't necessarily
> the end-user and should have a grasp of networking concepts and the
> ability to think things out reasonably without requiring to be handheld
> via some sort of wizard.

Even BSD-based firewall/routers have wizards these days (albeit
text-based).

Check out the setup for m0n0wall.
http://www.m0n0.ch/wall/
http://www.m0n0.ch/wall/quickstart/initial-m0n0wall-console.html

Firestarter is another wizard-based one ( http://www.fs-security.com/ ),
although it has rather limited functionality, it's ideal for a home
network.

> As for Newbies who are only Windows savvy (term used loosely) - boo-hoo
> for being spoiled. Try writing a case statement in Assembly.

That's harsh. Tom said many businesses put people who seem to have very
little networking knowledge in the position of admin'ing the company
firewall, then come here looking for help.

Would you rather the newbies buy MS's small-biz server and fire up ISA?
If so, don't complain when they spread worms all over the 'net slowing
connections to a crawl and flooding logfiles.
On Sunday 17 Apr 2005 21:57, ryanag@zoominternet.net wrote:
> On Sun, 2005-04-17 at 18:10 -0230, Roderick Greening wrote:
> > Having a wizard approach is really meant for single PC focus that
> > end-users can follow. Using shorewall should mean you aren't
> > necessarily the end-user and should have a grasp of networking
> > concepts and the ability to think things out reasonably without
> > requiring to be handheld via some sort of wizard.
>
> Even BSD-based firewall/routers have wizards these days (albeit
> text-based).
>
> Check out the setup for m0n0wall.
> http://www.m0n0.ch/wall/
> http://www.m0n0.ch/wall/quickstart/initial-m0n0wall-console.html
>
> Firestarter is another wizard-based one ( http://www.fs-security.com/ ),
> although it has rather limited functionality, it's ideal for a home
> network.
>
> > As for Newbies who are only Windows savvy (term used loosely) - boo-hoo
> > for being spoiled. Try writing a case statement in Assembly.
>
> That's harsh. Tom said many businesses put people who seem to have very
> little networking knowledge in the position of admin'ing the company
> firewall, then come here looking for help.
>
> Would you rather the newbies buy MS's small-biz server and fire up ISA?
> If so, don't complain when they spread worms all over the 'net slowing
> connections to a crawl and flooding logfiles.

webmin has a perfectly adequate frontend, been using it for years.

some example files in the distro would not do any harm, eg
interfaces.standalone.example
zones.standalone.example
rules.standalone.example
policy.standalone.example
etc etc

This is assuming that a standalone firewall is what most newbies will want

anyone doing NAT etc should read up on firewalling principles first, then
test on a dummy setup (a few old boxes) before applying 'in anger'

and for those who work on the principle that they don't know and don't
want to know, there is always the likes of smoothwall, which does have a
gpl version and is aimed at the corporate/institutional market.

--
-----------------
Bob Hutchinson
Midwales dot com
-----------------
ryanag@zoominternet.net wrote:
>
> Even BSD-based firewall/routers have wizards these days (albeit
> text-based).
>
> Check out the setup for m0n0wall.
> http://www.m0n0.ch/wall/
> http://www.m0n0.ch/wall/quickstart/initial-m0n0wall-console.html
>
> Firestarter is another wizard-based one ( http://www.fs-security.com/ ),
> although it has rather limited functionality, it's ideal for a home
> network.
>

I've always felt that Shorewall and I were dragged kicking and screaming
into the home-network market. My first firewall product (Seawall) was
aimed at that market but a lot of folks who tried to use it were network
administrators. And because Seawall was designed with only the home
network in mind, it worked poorly in a lot of cases. I always loosely
quote Conan Doyle -- "Still it is an error to argue in front of your
data. You find yourself insensibly twisting them to fit your theories".
With Seawall, we were always insensibly twisting the problem to fit
Seawall's solution.

Given that experience, I wanted my next effort to have flexibility as
its primary goal and I focused Shorewall towards the needs of network
administrators.

It is only by popular demand that Shorewall has QuickStart guides and
sample configurations. It is not because I was clambering after the
single (usually dynamic) public IP market.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Bob Hutchinson wrote:
> webmin has a perfectly adequate frontend, been using it for years.
> some example files in the distro would not do any harm, eg
> interfaces.standalone.example
> zones.standalone.example
> rules.standalone.example
> policy.standalone.example
> etc etc
>
> This is assuming that a standalone firewall is what most newbies will want
>
> anyone doing NAT etc should read up on firewalling principles first, then
> test on a dummy setup (a few old boxes) before applying 'in anger'

It is troubling that someone like yourself who subscribes to this list is
apparently unaware of the QuickStart Guides and sample configurations
(http://shorewall.net/shorewall_quickstart_guide.htm).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
I use Shorewall at work (small business and don't have system people) and
at home. Being new to Linux I tried many firewall solutions and found
Shorewall to be the easiest to understand, install and maintain mainly
because of the documentation, examples and support. I find that the
Shorewall commands like check and status provide adequate information to
troubleshoot and the support (mailing list) can most times get your
questions answered.

Commercial products may have great GUIs and knowledge bases (integrated
into help sites) but you have to understand who is funding these. As for
Open Source there is Webmin and Awdall who have made great attempts to
simplify Shorewall and provide some firewall knowledge. Which brings up
the point that you still must have somewhat of an understanding to
implement a firewall (and Shorewall's documentation is a great place to
get this). The only firewall for dummies is Microsoft's which is built
into the operating system and how many people and how much have they
spent on this.

In conclusion, Shorewall is a great firewall (thanks Tom) and I believe it
does what it is supposed to do very well - protect.

Cheers!
Ken

Tom Eastep wrote:
> ryanag@zoominternet.net wrote:
>
> > Even BSD-based firewall/routers have wizards these days (albeit
> > text-based).
> >
> > Check out the setup for m0n0wall.
> > http://www.m0n0.ch/wall/
> > http://www.m0n0.ch/wall/quickstart/initial-m0n0wall-console.html
> >
> > Firestarter is another wizard-based one ( http://www.fs-security.com/ ),
> > although it has rather limited functionality, it's ideal for a home
> > network.
> >
>
> I've always felt that Shorewall and I were dragged kicking and screaming
> into the home-network market. My first firewall product (Seawall) was
> aimed at that market but a lot of folks who tried to use it were network
> administrators. And because Seawall was designed with only the home
> network in mind, it worked poorly in a lot of cases. I always loosely
> quote Conan Doyle -- "Still it is an error to argue in front of your
> data. You find yourself insensibly twisting them to fit your theories".
> With Seawall, we were always insensibly twisting the problem to fit
> Seawall's solution.
>
> Given that experience, I wanted my next effort to have flexibility as
> its primary goal and I focused Shorewall towards the needs of network
> administrators.
>
> It is only by popular demand that Shorewall has QuickStart guides and
> sample configurations. It is not because I was clambering after the
> single (usually dynamic) public IP market.
>
> -Tom
>
Hi Everyone,

I use shorewall for NAT/firewall, on a small home network with three users.
Is there a simple way of limiting upload bandwidth by IP address to stop the
users uploading too much?

Tom

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.9.16 - Release Date: 18/04/2005
Tom Denham wrote:
> Hi Everyone,
> I use shorewall for NAT/firewall, on a small home network with three users.
> Is there a simple way of limiting upload bandwidth by IP address to stop the
> users uploading too much?

Shorewall is a tool for configuring Netfilter. Netfilter is a packet
filter, not a bandwidth management system. I suggest that you investigate
htb-init which is a tool for configuring HTB (a traffic shaper) and that
you look at http://shorewall.net/traffic_shaping.htm to see how to
integrate such a tool with Shorewall.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Here is a pretty simple way to do QoS -

TigerDirect has the below switch for $130. It has some very basic QoS
(high/low) and it will allow you to throttle ports to different speeds.
http://www.trendnet.com/products/TE100-S24WS.htm

On Mon, 2005-04-18 at 17:16 +0100, Tom Denham wrote:
> Hi Everyone,
> I use shorewall for NAT/firewall, on a small home network with three users.
> Is there a simple way of limiting upload bandwidth by IP address to stop the
> users uploading too much?
>
> Tom
>
> TigerDirect has the below switch for $130. It has some very basic QoS
> (high/low) and it will allow you to throttle ports to different speeds.
> http://www.trendnet.com/products/TE100-S24WS.htm

Why pay $130 for a closed-box system that does "very basic QoS" when you
can incorporate fairly robust traffic shaping into your shorewall firewall
with only a moderate effort, for free?
My support idea centered around the home / small offices with limited
experience, and how to make their support requests less painful.

Perhaps you should just reply to new users with inappropriate support
requests a list of other nice options (firestarter, ipcop, smoothwall,
coyotelinux, various commercial routers such as sonicwall and trendware,
m0n0wall) with familiar GUI interfaces for them to check out.

> I've always felt that Shorewall and I were dragged kicking and screaming
> into the home-network market.

I have several computers at home (3), a VoIP phone, a Wireless AP, and a
gigabit switch (workgroup) powered by a 3 Mbps / 500k cable modem.
Although this didn't cost me a fortune, how many homes had this setup 5
years ago? I think home networks are getting complex enough to deserve
decent tools, and a Cisco PIX is just a tad out of my price range. ;-)

On Mon, 2005-04-18 at 06:44 -0700, Tom Eastep wrote:
> ryanag@zoominternet.net wrote:
> >
> > Even BSD-based firewall/routers have wizards these days (albeit
> > text-based).
> >
> > Check out the setup for m0n0wall.
> > http://www.m0n0.ch/wall/
> > http://www.m0n0.ch/wall/quickstart/initial-m0n0wall-console.html
> >
> > Firestarter is another wizard-based one ( http://www.fs-security.com/ ),
> > although it has rather limited functionality, it's ideal for a home
> > network.
> >
>
> I've always felt that Shorewall and I were dragged kicking and screaming
> into the home-network market. My first firewall product (Seawall) was
> aimed at that market but a lot of folks who tried to use it were network
> administrators. And because Seawall was designed with only the home
> network in mind, it worked poorly in a lot of cases. I always loosely
> quote Conan Doyle -- "Still it is an error to argue in front of your
> data. You find yourself insensibly twisting them to fit your theories".
> With Seawall, we were always insensibly twisting the problem to fit
> Seawall's solution.
>
> Given that experience, I wanted my next effort to have flexibility as
> its primary goal and I focused Shorewall towards the needs of network
> administrators.
>
> It is only by popular demand that Shorewall has QuickStart guides and
> sample configurations. It is not because I was clambering after the
> single (usually dynamic) public IP market.
>
> -Tom
> moderate effort

Different people's times are worth different amounts of money. Also, if
you decide to go with another firewall down the road that doesn't do any
QoS, it'll still be a part of your network.

On Mon, 2005-04-18 at 12:56 -0500, Gary Buckmaster wrote:
> > TigerDirect has the below switch for $130. It has some very basic QoS
> > (high/low) and it will allow you to throttle ports to different speeds.
> > http://www.trendnet.com/products/TE100-S24WS.htm
>
> Why pay $130 for a closed-box system that does "very basic QoS" when
> you can incorporate fairly robust traffic shaping into your shorewall
> firewall with only a moderate effort, for free?
>
ryan wrote:
> > moderate effort
> Different people's times are worth different amounts of money.
>

However the value proposition with OSS is that while the Software is
free, you generally have to invest some of your time to understand how
to use the software.

I suppose that one thing that shows through in my attitude is that I'm a
frustrated teacher. I was in a PhD program intending to be a college
Math Professor and reluctantly entered the nascent computer industry in
1969 only because at that time new PhDs in Mathematics were lucky to get
a temporary chair in a small college for $6000/yr. So if you use my
software, I want you to also learn something...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
ryan wrote:
> My support idea centered around the home / small offices with
> limited experience, and how to make their support requests less painful.
>
> Perhaps you should just reply to new users with inappropriate support
> requests a list of other nice options (firestarter, ipcop, smoothwall,
> coyotelinux, various commercial routers such as sonicwall and trendware,
> m0n0wall) with familiar GUI interfaces for them to check out.
>

Or if they are running Mandrake or SuSE, check out the firewall that's
built into their distribution (although the one in Mandrake is based on
Shorewall).

I think that's a little too "in your face"; reminds me of the first
Shorewall web site that proclaimed that users who knew little or nothing
about IP were better off going elsewhere (because there was almost no
documentation :-) ).

I don't have anything against answering newbie questions although there
have been cases where I was grateful when a particularly dense person
finally announced that they tried SuSE firewall and it did just what they
wanted :-) -- I just wish that people would read a bit more before
posting. There was a time on the Internet where posting without first
doing due diligence was considered the height of rudeness. Today, that
view is shared only by troglodytes like me...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> There was a time on the Internet where posting without first doing due
> diligence was considered the height of rudeness. Today, that view is
> shared only by troglodytes like me...

Up with troglodytes! The world needs so many more of them. And while
we're at it, can we please free the mallocs?
I guess it's in the delivery of the message. If you would point out that
there are easier (but not necessarily better) alternatives to shorewall
if you aren't familiar with networking or linux, I don't think it would
be too offensive.

On Mon, 2005-04-18 at 11:28 -0700, Tom Eastep wrote:
>
> I think that's a little too "in your face"; reminds me of the first
> Shorewall web site that proclaimed that users who knew little or nothing
> about IP were better off going elsewhere (because there was almost no
> documentation :-) ).
> However the value proposition with OSS is that while the Software is
> free, you generally have to invest some of your time to understand how
> to use the software.

I think there's a balance between
- the time it takes you to learn how to use the software
- the relative value of what is learned in the process
- the amount of money a click-and-drool solution costs

Since the highest cost to most companies is labor, open source projects
sometimes lose out to inferior commercial products. Of course, many open
source projects have as good UIs as their commercial counterparts, but
lack the marketing departments.

On Mon, 2005-04-18 at 11:08 -0700, Tom Eastep wrote:
> ryan wrote:
> > > moderate effort
> > Different people's times are worth different amounts of money.
> >
>
> However the value proposition with OSS is that while the Software is
> free, you generally have to invest some of your time to understand how
> to use the software.
>
> I suppose that one thing that shows through in my attitude is that I'm a
> frustrated teacher. I was in a PhD program intending to be a college
> Math Professor and reluctantly entered the nascent computer industry in
> 1969 only because at that time new PhDs in Mathematics were lucky to get
> a temporary chair in a small college for $6000/yr. So if you use my
> software, I want you to also learn something...
>
> -Tom
Tom Eastep wrote:
...
> There was a time on the Internet where posting without first doing due
> diligence was considered the height of rudeness. Today, that view is
> shared only by troglodytes like me...
>
> -Tom

Count me in with the troglodytes then...

--
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!
ryan wrote:
> My support idea centered around the home / small offices with
> limited experience, and how to make their support requests less painful.
>
> Perhaps you should just reply to new users with inappropriate support
> requests a list of other nice options (firestarter, ipcop, smoothwall,
> coyotelinux, various commercial routers such as sonicwall and trendware,
> m0n0wall) with familiar GUI interfaces for them to check out.

At one point I had a brilliant idea for making support of free open
source software work without causticity... then I realized that I hate
doing support, other people hate asking for support, and it probably
couldn't be commercialized successfully on even the small scale I had in
mind.

The funny thing is that I was planning on starting from exactly the
level of "easy" firewall that you mention... I was supporting them on a
mailing list and getting exactly the same level of dumb, arrogant,
un-researched questions. I suspect we'd see the same thing on a support
list for bottle-openers...

--
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!
ryan wrote:
> Here is a pretty simple way to do QoS -
>
> TigerDirect has the below switch for $130. It has some very basic QoS
> (high/low) and it will allow you to throttle ports to different speeds.
> http://www.trendnet.com/products/TE100-S24WS.htm
>
>

You get what you pay for. I've never had an issue with any
Shorewall-based firewall once I got past my setup frustrations... in the
late nineties. In that same time I've had uncountable failures from
cheap SOHO junk like that. Investing your time buys a better product.

--
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!
I'm on the m0n0wall and firestarter mailing lists - I see surprisingly
few dumb or arrogant questions. The m0n0wall list gets a *huge* volume
of questions, the majority of them fairly intelligent, or at least not
ones with obvious answers.

The difference between those two projects and many others is that they
strive to be so easy to use, anyone who understands the concepts behind
them should be able to get by with some basic functionality. m0n0wall
even denies any shell access to the firewall - the developer considers
this a feature.

Although I prefer shorewall to the two mentioned above, there will be a
whole generation of IT employees who don't know what command-line is,
and will always be asking "dumb" questions as the UI is so unfamiliar to
them.

On Mon, 2005-04-18 at 13:55 -0700, Jack Coates wrote:
> ryan wrote:
> > My support idea centered around the home / small offices with
> > limited experience, and how to make their support requests less painful.
> >
> > Perhaps you should just reply to new users with inappropriate support
> > requests a list of other nice options (firestarter, ipcop, smoothwall,
> > coyotelinux, various commercial routers such as sonicwall and trendware,
> > m0n0wall) with familiar GUI interfaces for them to check out.
>
> At one point I had a brilliant idea for making support of free open
> source software work without causticity... then I realized that I hate
> doing support, other people hate asking for support, and it probably
> couldn't be commercialized successfully on even the small scale I had in
> mind.
>
> The funny thing is that I was planning on starting from exactly the
> level of "easy" firewall that you mention... I was supporting them on a
> mailing list and getting exactly the same level of dumb, arrogant,
> un-researched questions. I suspect we'd see the same thing on a support
> list for bottle-openers...
>
> I've had uncountable failures from
> cheap SOHO junk like that

I think you are painting with too broad of a brush. Have you actually
used the switch I linked to, or are you classifying it as junk because
it's inexpensive? I hope it's not the latter, as many people claim
(incorrectly) that free software can't be as good as commercial products
since the commercial stuff is more expensive.

On Mon, 2005-04-18 at 13:58 -0700, Jack Coates wrote:
> ryan wrote:
> > Here is a pretty simple way to do QoS -
> >
> > TigerDirect has the below switch for $130. It has some very basic QoS
> > (high/low) and it will allow you to throttle ports to different speeds.
> > http://www.trendnet.com/products/TE100-S24WS.htm
> >
> >
>
> You get what you pay for. I've never had an issue with any
> Shorewall-based firewall once I got past my setup frustrations... in the
> late nineties. In that same time I've had uncountable failures from
> cheap SOHO junk like that. Investing your time buys a better product.
>
I've always heard the only stupid question is an unasked question, but in
the same breath I also agree that if it is documented in docs and how-to's
then RTFM. I've had my fair share of stupid questions on here and I've
learned: GOOGLE it; if you can't find it on google, read docs harder; and
then if you can't figure it out, then email the lists. If y'all have
noticed, I have not posted in a while because I figured out the docs off
the site. I guess that's why they are written. Now if we can only get
everyone to read them.

________________________________

From: shorewall-users-bounces@lists.shorewall.net on behalf of ryan
Sent: Mon 4/18/2005 4:21 PM
To: Jack Coates
Cc: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] dumb, dumb question ...

I'm on the m0n0wall and firestarter mailing lists - I see surprisingly
few dumb or arrogant questions. The m0n0wall list gets a *huge* volume
of questions, the majority of them fairly intelligent, or at least not
ones with obvious answers.

The difference between those two projects and many others is that they
strive to be so easy to use, anyone who understands the concepts behind
them should be able to get by with some basic functionality. m0n0wall
even denies any shell access to the firewall - the developer considers
this a feature.

Although I prefer shorewall to the two mentioned above, there will be a
whole generation of IT employees who don't know what command-line is,
and will always be asking "dumb" questions as the UI is so unfamiliar to
them.

On Mon, 2005-04-18 at 13:55 -0700, Jack Coates wrote:
> ryan wrote:
> > My support idea centered around the home / small offices with
> > limited experience, and how to make their support requests less painful.
> >
> > Perhaps you should just reply to new users with inappropriate support
> > requests a list of other nice options (firestarter, ipcop, smoothwall,
> > coyotelinux, various commercial routers such as sonicwall and trendware,
> > m0n0wall) with familiar GUI interfaces for them to check out.
>
> At one point I had a brilliant idea for making support of free open
> source software work without causticity... then I realized that I hate
> doing support, other people hate asking for support, and it probably
> couldn't be commercialized successfully on even the small scale I had in
> mind.
>
> The funny thing is that I was planning on starting from exactly the
> level of "easy" firewall that you mention... I was supporting them on a
> mailing list and getting exactly the same level of dumb, arrogant,
> un-researched questions. I suspect we'd see the same thing on a support
> list for bottle-openers...
>

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
ryan wrote:
>
> Although I prefer shorewall to the two mentioned above, there will be a
> whole generation of IT employees who don't know what command-line is,
> and will always be asking "dumb" questions as the UI is so unfamiliar to
> them.
>

To try to wrap up this thread, here are my final thoughts on the subject:

a) I have tried to make "shorewall status" capture 100% of the
   information necessary to analyze Shorewall problems.

b) All that I ask is that people run that command and forward the output.

c) I don't know how much simpler it can be than that -- they don't even
   have to answer any yes/no questions.

d) People ignore my request and send all variety of folded ASCII art,
   obfuscated command output, partial config files, ...

I don't believe that the answer to this problem is yet another
application to maintain (web-based problem reporting system).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
ryan wrote:
> My support idea centered around the home / small offices with
> limited experience, and how to make their support requests less painful.
>
> Perhaps you should just reply to new users with inappropriate support
> requests a list of other nice options (firestarter, ipcop, smoothwall,
> coyotelinux, various commercial routers such as sonicwall and trendware,
> m0n0wall) with familiar GUI interfaces for them to check out.
>

I've added some verbiage on the home page along with links to
firestarter and m0n0wall.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Those are good choices for newer users.

- firestarter is point-and-click and very simple
- m0n0wall can do many of the things that shorewall can (1:1 NAT,
  multiple interfaces, granular control of firewall rules, etc) and is
  fairly simple to set up.

I certainly agree with your comment that shorewall is more flexible and
powerful than either firestarter or m0n0wall. Definitely my favorite of
the three!

On Wed, 2005-04-20 at 15:17 -0700, Tom Eastep wrote:
> ryan wrote:
> > My support idea centered around the home / small offices with
> > limited experience, and how to make their support requests less painful.
> >
> > Perhaps you should just reply to new users with inappropriate support
> > requests a list of other nice options (firestarter, ipcop, smoothwall,
> > coyotelinux, various commercial routers such as sonicwall and trendware,
> > m0n0wall) with familiar GUI interfaces for them to check out.
> >
>
> I've added some verbiage on the home page along with links to
> firestarter and m0n0wall.
>
> -Tom
On Wednesday 20 April 2005 03:32 pm, ryan wrote:
> Those are good choices for newer users.
>
> -firestarter is point-and-click and very simple
> -m0n0wall can do many of the things that shorewall can (1:1 NAT,
> multiple interfaces, granular control of firewall rules, etc) and is
> fairly simple to setup.

but but but...

It seems new Linux users probably use whatever firewall came with their box, or one of those cheap hardware devices. With those cheap hardware routers (netgear, linksys, et al) coming down under $35 in price, it seems more entry level users are going there.

It seems that shorewall is picking up more of the complex installations, as shorewall itself gains new functionality with each release.

Other than the aggravation factor on the list and for Tom, this is probably the right place to ask these questions.

The quickstart guides handle 99% of the installations in the entry level category if you can just get people to read them.

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
John Andersen wrote:
> On Wednesday 20 April 2005 03:32 pm, ryan wrote:
>> Those are good choices for newer users.
>>
>> -firestarter is point-and-click and very simple
>> -m0n0wall can do many of the things that shorewall can (1:1 NAT,
>> multiple interfaces, granular control of firewall rules, etc) and is
>> fairly simple to setup.
>
> but but but...
>
> It seems new Linux users probably use what ever firewall came with
> their box, or one of those cheap hardware devices. With those
> cheap hardware routers (netgear linksys, et al) coming down under
> $35 in price, it seems more entry level users are going there.

But some are finding Shorewall. Possibly the word is out that Shorewall is what the "big boys" use :-)

> It seems that shorewall is picking up more of
> the complex installations, as shorewall itself gains new
> functionality with each release.

That is actually my preference.

-Tom
> It seems new Linux users probably use what ever firewall came with
> their box, or one of those cheap hardware devices. With those
> cheap hardware routers (netgear linksys, et al) coming down under
> $35 in price, it seems more entry level users are going there.

To be fair, m0n0wall is more targeted at the medium sized business than home users, and doesn't really compete with linksys and netgear. It has vlan, traffic shaping (queuing and pipes), pptp (with radius authentication), pptp redirection, snmp, browser capture, IPSec VPN support, 1:1 NAT, proxy arp, and other features not usually seen in home-user firewalls.

The only complaint I have with m0n0wall is that it's too much of a boxed solution. It is what it is, and configuration changes are limited at best. Of course, what do you expect when the whole OS is 6 MB?

I think firestarter fits in the gap between the limited firewall configuration tools offered by SuSE, RedHat, etc and the advanced features of shorewall. It's extremely simple to quickly set up, and create an extremely secure firewall by "whitelisting" traffic. It's by far superior to any vendor-distributed iptables configuration tool I've ever used, and its similarity to zone alarm probably makes Windows users more at ease.

> Other than the aggravation factor on the list and for Tom,
> this is probably the right place to ask these questions.

For someone who knows nothing about firewalls (and I mean zip), firestarter is probably a better starting point than shorewall. Their documentation is quite good, and you don't ever need to go to the command line to make or change rules.

On Wednesday 20 April 2005 21:45, John Andersen wrote:
> On Wednesday 20 April 2005 03:32 pm, ryan wrote:
> > Those are good choices for newer users.
> >
> > -firestarter is point-and-click and very simple
> > -m0n0wall can do many of the things that shorewall can (1:1 NAT,
> > multiple interfaces, granular control of firewall rules, etc) and is
> > fairly simple to setup.
>
> but but but...
>
> It seems new Linux users probably use what ever firewall came with
> their box, or one of those cheap hardware devices. With those
> cheap hardware routers (netgear linksys, et al) coming down under
> $35 in price, it seems more entry level users are going there.
>
> It seems that shorewall is picking up more of
> the complex installations, as shorewall itself gains new
> functionality with each release.
>
> Other than the aggravation factor on the list and for Tom,
> this is probably the right place to ask these questions.
>
> The quickstart guides handle 99% of the installations in entry level
> category if you can just get people to read them.