Shorewall users - Apr 2005 - Re: dumb, dumb question ...

>Date: Sun, 17 Apr 2005 13:28:05 -0400
>From: "ryanag@zoominternet.net" <ryanag@zoominternet.net>
>Subject: Re: [Shorewall-users] dumb, dumb question **follow-up	on
>	support-request documentation**
>To: Tom Eastep <teastep@shorewall.net>
>Cc: Mailing List for Shorewall Users
>	<shorewall-users@lists.shorewall.net>
>Message-ID: <1113758885.18991.11.camel@localhost.localdomain>
>Content-Type: text/plain
>
>On Sat, 2005-04-16 at 16:49 -0700, Tom Eastep wrote:
> >
> >
> > Today, there are all sorts of bold large red font on the Shorewall
> > website
> > that people routinely ignore; that''s one of my chief
frustrations. Why
> > would
> > this link be any different?
>
>There are too many - offer one which says "new user support click
here"
>then limit the answers to "yes/no" when possible.
>
>
> >And if you can enumerate the classes of problems, what does this system
> >provide that a well-written troubleshooting guide does not?
>
>Absolutely nothing - I think my way is a step backward. But
>realistically, how many open source projects have troubleshooting guides
>worth looking at?
>
>Remember - many people aren''t doing this at work, and
aren''t ready to
>sit down with the entire user manual / troubleshooting guide until
>they''ve determined the program is useful.
>
>
> >And if Shorewall is running on an embedded system in the closet? (see
> >http://leaf.sourceforge.org).
>
>Can you use a different set of questions? Perhaps some instructions on
>how to use WinSCP to get files...
>
>
>
> >I somehow think that the 80/20 rule should apply here -- isn''t
there
> >something that takes 20% of the effort of what you propose that
> >accomplishes 80% of what is provides?
>
>I don''t know. Think of the new user, not the advanced. What would a
new
>user be used to? Windows2000/XP most likely, and probably familiar with
>home-user routers DLink, linksys, etc
>
>Windows users are certainly used to wizards with yes/no answers, and
>Dlink and Linksys also use wizards to setup their routers. I think a
>support system setup in that manner will help them out a lot
(Linksys''s
>and netgear''s online support is similar to what I described).
>
>
>The flip side of all this is that its great your provide any support at
>all, especially given the price of shorewall. :-)
>
For me, I have been using shorewall for years. I only use the most basic of 
functions, but I expect anyone worth a darn is using it for more than me.

As for Newbies who are only Windows savvy (term used loosely) - boo-hoo for 
being spoiled. Try writing a case statement in Assembly.

Shorewall is an intense package meant for network administrators to lock 
down a network. If you''ve got a decent degree, good experience and a
brain
on your shourlders, you''ll figure out how to best implement your
network
with or without shorewall.

If you are just tinkering with shorewall, don''t waste anyones time
until you
at least perused the docs, tried the sample configs and tested them out. 
Then if you are stuck, fine...

Having a wizard approach is really meant for single PC focus that end-users 
can follow. Using shorewall should mean you aren''t necessarily the
end-user
and should have a grasp of networking concepts and the ability to think 
things out reasonably without requiring to be handheld via some sort of 
wizard.

On Sun, 2005-04-17 at 18:10 -0230, Roderick Greening
wrote:
> Having a wizard approach is really meant for single PC focus that end-
> users 
> can follow. Using shorewall should mean you aren''t necessarily the
> end-user 
> and should have a grasp of networking concepts and the ability to
> think 
> things out reasonably without requiring to be handheld via some sort
> of 
> wizard.
Even BSD-based firewall/routers have wizards these days (albeit text-
based).

Check out the setup for m0n0wall.
http://www.m0n0.ch/wall/
http://www.m0n0.ch/wall/quickstart/initial-m0n0wall-console.html

Firestarer is another wizard-based one ( http://www.fs-security.com/ ) ,
although it has rather limited functionality, its ideal for a home-
network.


>As for Newbies who are only Windows savvy (term used loosely) - boo-hoo
>for being spoiled. Try writing a case statement in Assembly.
Thats harsh. Tom said many businesses put people who seem to have very
little networking knowledge in the position of admin''ing the company
firewall, then come here looking for help.

Would you rather the newbie''s buy MS''s small-biz server and
fire up ISA?
If so, don''t complain when they spread worms all over the ''net
slowing
connections to a crawl and flooding logfiles.

On Sunday 17 Apr 2005 21:57, ryanag@zoominternet.net
wrote:
> On Sun, 2005-04-17 at 18:10 -0230, Roderick Greening wrote:
> > Having a wizard approach is really meant for single PC focus that end-
> > users
> > can follow. Using shorewall should mean you aren''t
necessarily the
> > end-user
> > and should have a grasp of networking concepts and the ability to
> > think
> > things out reasonably without requiring to be handheld via some sort
> > of
> > wizard.
>
> Even BSD-based firewall/routers have wizards these days (albeit text-
> based).
>
> Check out the setup for m0n0wall.
> http://www.m0n0.ch/wall/
> http://www.m0n0.ch/wall/quickstart/initial-m0n0wall-console.html
>
> Firestarer is another wizard-based one ( http://www.fs-security.com/ ) ,
> although it has rather limited functionality, its ideal for a home-
> network.
>
> >As for Newbies who are only Windows savvy (term used loosely) - boo-hoo
> >for being spoiled. Try writing a case statement in Assembly.
>
> Thats harsh. Tom said many businesses put people who seem to have very
> little networking knowledge in the position of admin''ing the
company
> firewall, then come here looking for help.
>
> Would you rather the newbie''s buy MS''s small-biz server
and fire up ISA?
> If so, don''t complain when they spread worms all over the
''net slowing
> connections to a crawl and flooding logfiles.
webmin has a perfectly adequate frontend, been using it for years.
some example files in the distro would not do any harm, eg
interfaces.standalone.example
zones.standalone.example
rules.standalone.example
policy.standalone.example
etc etc

This is assuming that a standalone firewall is what most newbies will want

anyone doing NAT etc should read up on firewalling principles first, then test 
on a dummy setup (a few old boxes) before applying ''in anger''

and for those who work on the principle that they don''t know and
don''t want to
know, there is always the likes of smoothwall, which does have a gpl version 
and is aimed at the corporate/institutional market.


-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------

ryanag@zoominternet.net wrote:
> 
> Even BSD-based firewall/routers have wizards these days (albeit text-
> based).
> 
> Check out the setup for m0n0wall.
> http://www.m0n0.ch/wall/
> http://www.m0n0.ch/wall/quickstart/initial-m0n0wall-console.html
> 
> Firestarer is another wizard-based one ( http://www.fs-security.com/ ) ,
> although it has rather limited functionality, its ideal for a home-
> network.
> 
I''ve always felt that Shorewall and I were dragged kicking and
screaming
into the home-network market. My first firewall product (Seawall) was
aimed at that market but a lot of folks who tried to use it were network
administrators. And because Seawall was designed with only the home
network in mind, it worked poorly in a lot of cases. I always loosely
quote Conin Doyle -- "Still it is an error to argue in front of your
data. You find yourself insensibly twisting them to fit your theories".
With Seawall, we were always insensibly twisting the problem to fit
Seawall''s solution.

Given that experience, I wanted my next effort to have flexibility as
it''s primary goal and I focused Shorewall towards the needs of network
administrators.

It is only by popular demand that Shorewall has QuickStart guides and
sample configurations. It is not because I was clambering after the
single (usually dynamic) public IP market.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Bob Hutchinson wrote:
> webmin has a perfectly adequate frontend, been using it for years.
> some example files in the distro would not do any harm, eg
> interfaces.standalone.example
> zones.standalone.example
> rules.standalone.example
> policy.standalone.example
> etc etc
> 
> This is assuming that a standalone firewall is what most newbies will want
> 
> anyone doing NAT etc should read up on firewalling principles first, then
test
> on a dummy setup (a few old boxes) before applying ''in
anger''
It is troubling that someone like yourself who subscribes to this list
is apparently unaware of the QuickStart Guides and sample configurations
(http://shorewall.net/shorewall_quickstart_guide.htm).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

[This email is either empty or too large to be displayed at this time]

I use Shorewall at work (small business and don''t have system people) 
and at home.   Being new to Linux I tried many firewall solutions and 
found Shorewall to be the easiest to understand, install and maintain 
mainly because of the documentation, examples and support.   I find that 
the Shorewall commands like check and status provide adequate 
information to troubleshoot and the support (mailing list) can most 
times get your questions answered.

Commercial products may have great gui''s and knowledge bases
(integrated
into help sites) but you have to understand who is funding these.  As 
for Open Source their is Webmin and Awdall who have made great attempts 
to simplify Shorewall and provide some firewall knowledge.  Which brings 
up the point that you still must have somewhat of an understanding to 
implement a firewall (and Shorewalls documentation is a great place to 
get this).  The only firewall for dumbies is Microsoft''s which is built
into the operating system and how many people and how much have they 
spent on this.

In conclusion, Shorewall is a great firewall (thanks Tom) and believe it 
does what it supposed do very well - protect.

Cheers!
Ken


Tom Eastep wrote:
>ryanag@zoominternet.net wrote:
>
>  
>
>>Even BSD-based firewall/routers have wizards these days (albeit text-
>>based).
>>
>>Check out the setup for m0n0wall.
>>http://www.m0n0.ch/wall/
>>http://www.m0n0.ch/wall/quickstart/initial-m0n0wall-console.html
>>
>>Firestarer is another wizard-based one ( http://www.fs-security.com/ ) ,
>>although it has rather limited functionality, its ideal for a home-
>>network.
>>
>>    
>>
>
>I''ve always felt that Shorewall and I were dragged kicking and
screaming
>into the home-network market. My first firewall product (Seawall) was
>aimed at that market but a lot of folks who tried to use it were network
>administrators. And because Seawall was designed with only the home
>network in mind, it worked poorly in a lot of cases. I always loosely
>quote Conin Doyle -- "Still it is an error to argue in front of your
>data. You find yourself insensibly twisting them to fit your theories".
>With Seawall, we were always insensibly twisting the problem to fit
>Seawall''s solution.
>
>Given that experience, I wanted my next effort to have flexibility as
>it''s primary goal and I focused Shorewall towards the needs of
network
>administrators.
>
>It is only by popular demand that Shorewall has QuickStart guides and
>sample configurations. It is not because I was clambering after the
>single (usually dynamic) public IP market.
>
>-Tom
>  
>

Hi Everyone,
 I use shorewall for NAT/firewall, on a small home network with three users.
Is there a simple way of limiting upload bandwidth by IP address to stop the
users uploading too much?

Tom

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.9.16 - Release Date: 18/04/2005

Tom Denham wrote:
> Hi Everyone,
>  I use shorewall for NAT/firewall, on a small home network with three
users.
> Is there a simple way of limiting upload bandwidth by IP address to stop
the
> users uploading too much?
Shorewall is a tool for configuring Netfilter. Netfilter is a packet
filter, not a bandwidth management system.

I suggest that you investigate htb-init which is a tool for configuring
HTB (a traffic shaper) and that you look at
http://shorewall.net/traffic_shaping.htm to see how to integrate such a
tool with Shorewall.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Here is a pretty simple way to do QoS - 

TigerDirect has the below switch for $130. It has some very basic QoS
(high/low) and it will allow you to throttle ports to different speeds.
http://www.trendnet.com/products/TE100-S24WS.htm


On Mon, 2005-04-18 at 17:16 +0100, Tom Denham wrote:
> Hi Everyone,
>  I use shorewall for NAT/firewall, on a small home network with three
users.
> Is there a simple way of limiting upload bandwidth by IP address to stop
the
> users uploading too much?
> 
> Tom
>

> TigerDirect has the below switch for $130. It has some very basic QoS
> (high/low) and it will allow you to throttle ports to different speeds.
> http://www.trendnet.com/products/TE100-S24WS.htm
Why pay $130 for a closed-box system that does "very basic QoS" when
you can incorporate fairly robust traffic shaping into your shorewall
firewall with only a moderate effort, for free?

My idea support-idea centered around the home / small offices with
limited experience, and how to make their support requests less painful.

Perhaps you should just reply to new users with inappropriate support
requests a list of other nice options (firestarter , ipcop, smoothwall,
coyotelinux, various commercial routers such as sonicwall and trendware,
m0n0wall) with familiar GUI interfaces for them to check out.

>I''ve always felt that Shorewall and I were dragged kicking and
screaming
> into the home-network market. 
I have several computers at home (3) , a VoIP phone, an Wireless AP, and
a gigabit switch (workgroup) powered by a 3 Mbps / 500k cable modem.
Although this didn''t cost me a fortune, how many homes had this setup 5
years ago?

I think home networks are getting complex enough to deserve decent
tools, and a Cisco PIX is just a tad out of my price range. ;-)



On Mon, 2005-04-18 at 06:44 -0700, Tom Eastep wrote:
> ryanag@zoominternet.net wrote:
> 
> > 
> > Even BSD-based firewall/routers have wizards these days (albeit text-
> > based).
> > 
> > Check out the setup for m0n0wall.
> > http://www.m0n0.ch/wall/
> > http://www.m0n0.ch/wall/quickstart/initial-m0n0wall-console.html
> > 
> > Firestarer is another wizard-based one ( http://www.fs-security.com/ )
,
> > although it has rather limited functionality, its ideal for a home-
> > network.
> > 
> 
> I''ve always felt that Shorewall and I were dragged kicking and
screaming
> into the home-network market. My first firewall product (Seawall) was
> aimed at that market but a lot of folks who tried to use it were network
> administrators. And because Seawall was designed with only the home
> network in mind, it worked poorly in a lot of cases. I always loosely
> quote Conin Doyle -- "Still it is an error to argue in front of your
> data. You find yourself insensibly twisting them to fit your
theories".
> With Seawall, we were always insensibly twisting the problem to fit
> Seawall''s solution.
> 
> Given that experience, I wanted my next effort to have flexibility as
> it''s primary goal and I focused Shorewall towards the needs of
network
> administrators.
> 
> It is only by popular demand that Shorewall has QuickStart guides and
> sample configurations. It is not because I was clambering after the
> single (usually dynamic) public IP market.
> 
> -Tom

>moderate effort
Different people''s times are worth different amounts of money. 

Also, if you decide to go with another firewall down the road that
doesn''t do any QoS, it''ll still be a part of your network.



On Mon, 2005-04-18 at 12:56 -0500, Gary Buckmaster
wrote:
> > TigerDirect has the below switch for $130. It has some very basic QoS
> > (high/low) and it will allow you to throttle ports to different
speeds.
> > http://www.trendnet.com/products/TE100-S24WS.htm
> 
> Why pay $130 for a closed-box system that does "very basic QoS"
when
> you can incorporate fairly robust traffic shaping into your shorewall
> firewall with only a moderate effort, for free?
>

ryan wrote:
>>moderate effort
> Different people''s times are worth different amounts of money. 
> 
However the value proposition with OSS is that while the Software is
free, you generally have to invest some of your time to understand how
to use the software.

I suppose that one thing that shows through in my attitude is that I''m
a
frustrated teacher. I was in a PHD program intending to be a college
Math Professor and reluctantly entered the nascent computer industry in
1969 only because at that time new PHDs in Mathematics were lucky to get
a temporary chair in a small college for $6000/yr. So if you use my
software, I want you to also learn something...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

ryan wrote:
> My idea support-idea centered around the home / small offices with
> limited experience, and how to make their support requests less painful.
> 
> Perhaps you should just reply to new users with inappropriate support
> requests a list of other nice options (firestarter , ipcop, smoothwall,
> coyotelinux, various commercial routers such as sonicwall and trendware,
> m0n0wall) with familiar GUI interfaces for them to check out.
> 
Or if they are running Mandrake or SuSE, check out the firewall that''s
built into their distribution (although the one in Mandrake is based on
Shorewall).

I think that''s a little too "in your face"; reminds me of the
first
Shorewall web site that proclaimed that users who knew little or nothing
about IP were better off going elsewhere (because there was almost no
documentation :-) ).

I don''t have anything against answering newbie questions although there
have been cases where I was grateful when a particularly dense person
finally announced that they tried SuSE firewall and it did just what
they wanted :-) -- I just wish that people would read a bit more before
posting.

There was a time on the Internet where posting without first doing due
diligence was considered the height of rudeness. Today, that view is
shared only by troglodytes like me...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

> There was a time on the Internet where posting without first doing due
> diligence was considered the height of rudeness. Today, that view is
> shared only by troglodytes like me...

Up with troglodytes!  The world needs so many more of them.  And while
we''re at it, can we please free the mallocs?

I guess its in the delivery of the message.

If you would point out that there are easier (but not necessarily
better) alternatives to shorewall if you aren''t familiar with
networking
or linux, I don''t think it would be too offensive.


On Mon, 2005-04-18 at 11:28 -0700, Tom Eastep wrote:
> 
> I think that''s a little too "in your face"; reminds me
of the first
> Shorewall web site that proclaimed that users who knew little or
> nothing
> about IP were better off going elsewhere (because there was almost no
> documentation :-) ).

> However the value proposition with OSS is that while the Software is
> free, you generally have to invest some of your time to understand how
> to use the software.
I think there''s a balance between 
-the time it takes you to learn how to use the software
-the relative value of what is learned in the process
-the amount of money a click-and-drool solution costs

Since the highest cost to most companies is labor, open source projects
sometimes lose out to inferior commercial products. Of course, many open
source projects have as good UI''s as their commercial counterparts, but
lack the marketing deptartments.


On Mon, 2005-04-18 at 11:08 -0700, Tom Eastep wrote:
> ryan wrote:
> >>moderate effort
> > Different people''s times are worth different amounts of
money.
> > 
> 
> However the value proposition with OSS is that while the Software is
> free, you generally have to invest some of your time to understand how
> to use the software.
> 
> I suppose that one thing that shows through in my attitude is that
I''m a
> frustrated teacher. I was in a PHD program intending to be a college
> Math Professor and reluctantly entered the nascent computer industry in
> 1969 only because at that time new PHDs in Mathematics were lucky to get
> a temporary chair in a small college for $6000/yr. So if you use my
> software, I want you to also learn something...
> 
> -Tom

Tom Eastep wrote:
...
> There was a time on the Internet where posting without first doing due
> diligence was considered the height of rudeness. Today, that view is
> shared only by troglodytes like me...
> 
> -Tom
Count me in with the troglodytes then...
-- 
Jack at Monkeynoodle dot Org: It''s a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!

ryan wrote:
> My idea support-idea centered around the home / small offices with
> limited experience, and how to make their support requests less painful.
> 
> Perhaps you should just reply to new users with inappropriate support
> requests a list of other nice options (firestarter , ipcop, smoothwall,
> coyotelinux, various commercial routers such as sonicwall and trendware,
> m0n0wall) with familiar GUI interfaces for them to check out.
At one point I had a brilliant idea for making support of free open 
source software work without causticity... then I realized that I hate 
doing support, other people hate asking for support, and it probably 
couldn''t be commercialized successfully on even the small scale I had
in
mind.

The funny thing is that I was planning on starting from exactly the 
level of "easy" firewall that you mention... I was supporting them on
a
mailing list and getting exactly the same level of dumb, arrogant, 
un-researched questions. I suspect we''d see the same thing on a support
list for bottle-openers...

-- 
Jack at Monkeynoodle dot Org: It''s a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!

ryan wrote:
> Here is a pretty simple way to do QoS - 
> 
> TigerDirect has the below switch for $130. It has some very basic QoS
> (high/low) and it will allow you to throttle ports to different speeds.
> http://www.trendnet.com/products/TE100-S24WS.htm
> 
> 
You get what you pay for. I''ve never had an issue with any 
Shorewall-based firewall once I got past my setup frustrations... in the 
late nineties. In that same time I''ve had uncountable failures from 
cheap SOHO junk like that. Investing your time buys a better product.

-- 
Jack at Monkeynoodle dot Org: It''s a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!

I''m on the m0n0wall and firestarter mailing lists - I see surprisingly
few dumb or arrogant questions. 

The m0n0wall list gets a *huge* volume of questions, the majority of
them fairly intelligent, or at least not ones with obvious answers

The difference between those two projects and many others is that they
strive to be so easy to use, anyone who understands the concepts behind
them should be able to get by with some basic functionality. m0n0wall
even denies any shell access to the firewall - the developer considers
this a feature.

Although I prefer shorewall to the two mentioned above, there will be a
whole generation of IT employees who don''t know what command-line is,
and will always be asking "dumb" questions as the UI is so unfamiliar
to
them.

On Mon, 2005-04-18 at 13:55 -0700, Jack Coates wrote:
> ryan wrote:
> > My idea support-idea centered around the home / small offices with
> > limited experience, and how to make their support requests less
painful.
> > 
> > Perhaps you should just reply to new users with inappropriate support
> > requests a list of other nice options (firestarter , ipcop,
smoothwall,
> > coyotelinux, various commercial routers such as sonicwall and
trendware,
> > m0n0wall) with familiar GUI interfaces for them to check out.
> 
> At one point I had a brilliant idea for making support of free open 
> source software work without causticity... then I realized that I hate 
> doing support, other people hate asking for support, and it probably 
> couldn''t be commercialized successfully on even the small scale I
had in
> mind.
> 
> The funny thing is that I was planning on starting from exactly the 
> level of "easy" firewall that you mention... I was supporting
them on a
> mailing list and getting exactly the same level of dumb, arrogant, 
> un-researched questions. I suspect we''d see the same thing on a
support
> list for bottle-openers...
>

>I''ve had uncountable failures from 
> cheap SOHO junk like that
I think you are painting with too broad of a brush. Have you actually
used the switch I am linked to, or are you classifying it as junk
because its inexpensive?

I hope its not the latter, as many people claim (incorrectly) that free
software can''t be as good as commercial products since the commercial
stuff is more expensive.

On Mon, 2005-04-18 at 13:58 -0700, Jack Coates wrote:
> ryan wrote:
> > Here is a pretty simple way to do QoS - 
> > 
> > TigerDirect has the below switch for $130. It has some very basic QoS
> > (high/low) and it will allow you to throttle ports to different
speeds.
> > http://www.trendnet.com/products/TE100-S24WS.htm
> > 
> > 
> 
> You get what you pay for. I''ve never had an issue with any 
> Shorewall-based firewall once I got past my setup frustrations... in the 
> late nineties. In that same time I''ve had uncountable failures
from
> cheap SOHO junk like that. Investing your time buys a better product.
>

ive always heard the only stupid question is an unasked question but in the same
breath i also agree that if it is documented in docs and how to''s then
RTFM ive had my fair share of stupid questions on here and ive leared GOOGLE it
if you cant find it on google read docs harder and then if you cant figure it
out then email the lists if yall have noticed i have not posted in a while
because i figured out the docs off the site i guess thats is why they are
written now if we can only get every one to read them

________________________________

From: shorewall-users-bounces@lists.shorewall.net on behalf of ryan
Sent: Mon 4/18/2005 4:21 PM
To: Jack Coates
Cc: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] dumb, dumb question ...



I''m on the m0n0wall and firestarter mailing lists - I see surprisingly
few dumb or arrogant questions.

The m0n0wall list gets a *huge* volume of questions, the majority of
them fairly intelligent, or at least not ones with obvious answers

The difference between those two projects and many others is that they
strive to be so easy to use, anyone who understands the concepts behind
them should be able to get by with some basic functionality. m0n0wall
even denies any shell access to the firewall - the developer considers
this a feature.

Although I prefer shorewall to the two mentioned above, there will be a
whole generation of IT employees who don''t know what command-line is,
and will always be asking "dumb" questions as the UI is so unfamiliar
to
them.

On Mon, 2005-04-18 at 13:55 -0700, Jack Coates wrote:
> ryan wrote:
> > My idea support-idea centered around the home / small offices with
> > limited experience, and how to make their support requests less
painful.
> >
> > Perhaps you should just reply to new users with inappropriate support
> > requests a list of other nice options (firestarter , ipcop,
smoothwall,
> > coyotelinux, various commercial routers such as sonicwall and
trendware,
> > m0n0wall) with familiar GUI interfaces for them to check out.
>
> At one point I had a brilliant idea for making support of free open
> source software work without causticity... then I realized that I hate
> doing support, other people hate asking for support, and it probably
> couldn''t be commercialized successfully on even the small scale I
had in
> mind.
>
> The funny thing is that I was planning on starting from exactly the
> level of "easy" firewall that you mention... I was supporting
them on a
> mailing list and getting exactly the same level of dumb, arrogant,
> un-researched questions. I suspect we''d see the same thing on a
support
> list for bottle-openers...
>
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm

ryan wrote:
> 
> Although I prefer shorewall to the two mentioned above, there will be a
> whole generation of IT employees who don''t know what command-line
is,
> and will always be asking "dumb" questions as the UI is so
unfamiliar to
> them.
> 
To try to wrap up this thread, here are my final thoughts on the subject:

a) I have tried to make "shorewall status" capture 100% of the
information necessary to analyze Shorewall problems.

b) All that I ask is that people run that command and forward the output.

c) I don''t know how much simpler it can be than that -- they
don''t even
have to answer any yes/no questions.

d) People ignore my request and send all variety of folded ASCII art,
obfuscated command output, partial config files, ...

I don''t believe that the answer to this problem is yet another
application to maintain (web-based problem reporting system).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

ryan wrote:
> My idea support-idea centered around the home / small offices with
> limited experience, and how to make their support requests less painful.
> 
> Perhaps you should just reply to new users with inappropriate support
> requests a list of other nice options (firestarter , ipcop, smoothwall,
> coyotelinux, various commercial routers such as sonicwall and trendware,
> m0n0wall) with familiar GUI interfaces for them to check out.
> 
I''ve added some verbiage on the home page along with links to
firestarter and m0n0wall.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Those are good choices for newer users.

-firestarter is point-and-click and very simple
-m0n0wall can do many of the things that shorewall can (1:1 NAT,
multiple interfaces, granular control of firewall rules, etc) and is
fairly simple to setup. 

I certainly agree with your comment that shorewall is more flexible and
powerful than either firestarter or m0n0wall. Definitely my favorite of
the three!


On Wed, 2005-04-20 at 15:17 -0700, Tom Eastep wrote:
> ryan wrote:
> > My idea support-idea centered around the home / small offices with
> > limited experience, and how to make their support requests less
painful.
> > 
> > Perhaps you should just reply to new users with inappropriate support
> > requests a list of other nice options (firestarter , ipcop,
smoothwall,
> > coyotelinux, various commercial routers such as sonicwall and
trendware,
> > m0n0wall) with familiar GUI interfaces for them to check out.
> > 
> 
> I''ve added some verbiage on the home page along with links to
> firestarter and m0n0wall.
> 
> -Tom

On Wednesday 20 April 2005 03:32 pm, ryan wrote:
> Those are good choices for newer users.
>
> -firestarter is point-and-click and very simple
> -m0n0wall can do many of the things that shorewall can (1:1 NAT,
> multiple interfaces, granular control of firewall rules, etc) and is
> fairly simple to setup.
 
but but but...

It seems new Linux users probably use what ever firewall came with
their box, or one of those cheap hardware devices.  With those 
cheap hardware routers (netgear linksys, et al) coming down under
$35 in price, it seems more entry level users are going there.

It seems that shorewall is picking up more of
the complex installations, as shorewall itself gains new
functionality with each release.

Other than the aggravation factor on the list and for Tom,
this is probably the right place to ask these questions.

The quickstart guides handle 99% of the installations in entry level
category if you can just get people to read them.

-- 
John Andersen - NORCOM
http://www.norcomsoftware.com/

John Andersen wrote:
> On Wednesday 20 April 2005 03:32 pm, ryan wrote:
>>Those are good choices for newer users.
>>
>>-firestarter is point-and-click and very simple
>>-m0n0wall can do many of the things that shorewall can (1:1 NAT,
>>multiple interfaces, granular control of firewall rules, etc) and is
>>fairly simple to setup.
>  
> but but but...
> 
> It seems new Linux users probably use what ever firewall came with
> their box, or one of those cheap hardware devices.  With those 
> cheap hardware routers (netgear linksys, et al) coming down under
> $35 in price, it seems more entry level users are going there.
But some are finding Shorewall. Possibly the word is out that Shorewall is
what the "big boys" use :-)
> 
> It seems that shorewall is picking up more of
> the complex installations, as shorewall itself gains new
> functionality with each release.
> 
That is actually my preference.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

> It seems new Linux users probably use what ever firewall came with
> their box, or one of those cheap hardware devices.  With those
> cheap hardware routers (netgear linksys, et al) coming down under
> $35 in price, it seems more entry level users are going there.
To be fair, m0n0wall is more targeted at the medium sized business than home 
users, and doesn''t really compete with linksys and netgear.

It has vlan, traffic shaping (queing and pipes), pptp (with radius 
authentication), pptp redirection, snmp, browser capture, IPSec VPN support, 
1:1 NAT, proxy arp, and other features not usually seen in home-user 
firewalls.

The only complaint I have with m0n0wall is that its too much of a boxed 
solution. It is what it is, and configuration changes are limited at best. Of 
course, what do you expect when the whole OS is 6 MB?


I think firestarter fits in the gap between the limited firewall configuration 
tools offered by SuSE, RedHat, etc and the advanced features of shorewall. 
Its extremely simple to quickly set up, and create an extremely secure 
firewall by "whitelisting" traffic.

Its by far superior to any vendor-distributed iptables configuration tool
I''ve
ever used, and its similarity to zone alarm probably makes Windows users more 
at ease.

> Other than the aggravation factor on the list and for Tom,
> this is probably the right place to ask these questions.
For someone who knows nothing about firewalls (and I mean zip), firestarter is 
probably a better starting point than shorewall. Their documentation is quite 
good, and you don''t ever need to go to the commandline to make or
change
rules.



On Wednesday 20 April 2005 21:45, John Andersen wrote:
> On Wednesday 20 April 2005 03:32 pm, ryan wrote:
> > Those are good choices for newer users.
> >
> > -firestarter is point-and-click and very simple
> > -m0n0wall can do many of the things that shorewall can (1:1 NAT,
> > multiple interfaces, granular control of firewall rules, etc) and is
> > fairly simple to setup.
>
> but but but...
>
> It seems new Linux users probably use what ever firewall came with
> their box, or one of those cheap hardware devices.  With those
> cheap hardware routers (netgear linksys, et al) coming down under
> $35 in price, it seems more entry level users are going there.
>
> It seems that shorewall is picking up more of
> the complex installations, as shorewall itself gains new
> functionality with each release.
>
> Other than the aggravation factor on the list and for Tom,
> this is probably the right place to ask these questions.
>
> The quickstart guides handle 99% of the installations in entry level
> category if you can just get people to read them.