Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....
Maybe Shoreline with webmin....
Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....
On Mon, 31 Dec 2007 00:13:22 -0500 Robert Moskowitz rgm@htt-consult.com wrote:
Well FWbuilder is NOT easy. The documentation does not match
Take a look at FireStarter: http://www.fs-security.com/
It's very easy to set up and use. It's only a front-end for iptables. But watch out, it has its limitations in the scenarios that it can handle.
On the other hand, you can use it to generate the iptables rules and then just use it in text mode only.
On Dec 31, 2007 12:13 AM, Robert Moskowitz rgm@htt-consult.com wrote:
<snip>
If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls.
"Problem is I want a REAL router/firewall with little work."
Run a smoothwall installation and replace your CentOS install.
-Peter
On 31/12/2007, Matt Shields mattboston@gmail.com wrote:
<snip>
-- -matt _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Peter Farrell wrote:
"Problem is I want a REAL router/firewall with little work."
Run a smoothwall installation and replace your CentOS install.
Well, the first challenge is my unit's USB ethernet dongles. CentOS uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169...
So I have to see what info I can get on their website. Astaro 6 cannot recognize the dongles either. Shorewall still looks like an option. I do have CentOS (and DSL) on these units....
<snip>
Robert Moskowitz wrote:
<snip>
There is also Ipcop - http://ipcop.org/
Rob
On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:
Peter Farrell wrote:
"Problem is I want a REAL router/firewall with little work."
Run a smoothwall installation and replace your CentOS install.
Well, the first challenge is my unit's USB ethernet dongles. CentOS uses the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 8169...
I've used this at home for years. I don't know if it's suitable, but it seems *very* flexible. Allows for NAT or not, has typical zones, reporting, IPTables modification support, ...
Has run/tested successfully on various configurations here. It's another "ditch your CentOS" solution though. But you can put it on any old junk laying around and it'll probably work. Using cable modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz pci gives <= 700MB/sec - both from decent sites. Tested using both ISA and PCI bus adapters through both twisted pair and thin coax.
<snip>
HTH
William L. Maltby wrote:
<snip>
As I thought about things this morning, trying to put up smoothwall, I realized that one of my goals is to have a tool to turn a Centos system that I am using for foo, into a firewall for bar for a day. I have Astaro for my serious firewall needs (see later post), but need something 'portable'. You see I have these plans with some small itx systems....
On Mon, 31 Dec 2007 12:21:34 -0500 Robert Moskowitz rgm@htt-consult.com wrote:
<snip>
have you considered linux that fits on a floppy disk?
http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/
http://www.linuxlinks.com/Distributions/Floppy/
http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions...
get one running and configured and save to floppy... things go south reboot the machine and everything is back. no hard drives to worry about...
-- Mark
"Drunkenness is not an excuse for stupidity. If you're stupid when you're sober then that's one thing, but if you're sober when you're stupid, then you're just plain stupid!" ============================================== Powered by CentOS5 (RHEL5)
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Mark Weaver Sent: Monday, December 31, 2007 8:09 PM To: centos@centos.org Subject: Re: [CentOS] Firewall frustration
<snip>
I have this vision of a live CD that would come up and pull down its config via SCP or HTTPS and run. Or maybe a PGP encrypted file over TFTP. No writable media in the machine at all, no access to write to the configs, just a dumb device that knows where to get its config. Any compromise could be fixed with just a reboot, the config could even be reloaded at some interval automatically, off machine logging, perhaps even without an interface. You could more than likely go one step further and use PXE to load everything over NFS or something, then you are at no moving parts. Unfortunately, I have the ideas but not the knowledge or time. In my opinion, this would be the ultimate evolution of things like IP Cop and Smoothwall.
I want to say that monowall had this on the roadmap, but I haven't looked lately. Appears someone has done some work on it: http://people.freebsd.org/~nik/m0n0wall/pxe+nfs/article.html
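The fetch-verify-apply loop sketched in the message above, written out as an added example; it is not code from this thread nor from m0n0wall, IPCop or Smoothwall. The device's read-only image is assumed to carry only a CA bundle and a verification key, and the config server is assumed to publish the ruleset in iptables-save format behind a single `sig:` line. CONFIG_URL, CA_BUNDLE, VERIFY_KEY and the signature format are all placeholders/assumptions, and an HMAC-SHA256 line stands in for the PGP signature the message mentions because Python's standard library has no OpenPGP support.

```python
"""Boot-time ruleset loader for a diskless firewall (added example).

The box fetches its ruleset over HTTPS using a CA bundle baked into the
boot image, checks the signature and the basic shape of the ruleset, and
only then hands it to iptables-restore.  A failed fetch or a bad ruleset
leaves the currently loaded rules untouched.
"""
import hashlib
import hmac
import ssl
import subprocess
import time
import urllib.request

# Placeholders: in a real deployment these live in the read-only image.
CONFIG_URL = "https://config.example.invalid/fw/rules.v4"
CA_BUNDLE = "/etc/fw/config-ca.pem"
VERIFY_KEY = b"placeholder-key-baked-into-image"
REFRESH_SECONDS = 600

# Constructed sample ruleset in iptables-save format (default-deny INPUT).
SAMPLE_RULES = (
    b"*filter\n"
    b":INPUT DROP [0:0]\n"
    b":FORWARD DROP [0:0]\n"
    b":OUTPUT ACCEPT [0:0]\n"
    b"-A INPUT -i lo -j ACCEPT\n"
    b"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
    b"-A INPUT -p tcp --dport 22 -j ACCEPT\n"
    b"COMMIT\n"
)


def sign(body, key):
    """Server side: prepend a 'sig:<hex>' line with HMAC-SHA256 of body.
    (Assumed format; stands in for a detached PGP signature.)"""
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return b"sig:" + mac.encode("ascii") + b"\n" + body


def verify(blob, key):
    """Return the ruleset body only if its signature line checks out."""
    head, sep, body = blob.partition(b"\n")
    if not sep or not head.startswith(b"sig:"):
        raise ValueError("ruleset has no signature line")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag cannot be confirmed
    # byte by byte through timing differences.
    if not hmac.compare_digest(head[4:].decode("ascii"), expected):
        raise ValueError("ruleset signature mismatch")
    return body


def sanity_check(body):
    """Reject rulesets that are malformed or would leave INPUT wide open,
    so a bad push on the config server cannot silently disarm the box."""
    text = body.decode("ascii")
    lines = text.splitlines()
    tables = [l for l in lines if l.startswith("*")]
    commits = [l for l in lines if l.strip() == "COMMIT"]
    if "*filter" not in tables:
        raise ValueError("ruleset lacks a *filter table")
    if len(commits) != len(tables):
        raise ValueError("every table needs exactly one COMMIT")
    if any(l.startswith(":INPUT ACCEPT") for l in lines):
        raise ValueError("INPUT policy must not be ACCEPT")
    return text


def fetch(url=CONFIG_URL, cafile=CA_BUNDLE, timeout=10):
    """Fetch over HTTPS, trusting only the CA bundle shipped in the image."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def apply_ruleset(text):
    """Dry-run with --test first so a syntax error never replaces the live
    rules; iptables-restore itself swaps the tables in atomically."""
    data = text.encode("ascii")
    subprocess.run(["iptables-restore", "--test"], input=data, check=True)
    subprocess.run(["iptables-restore"], input=data, check=True)


def refresh(blob, key=VERIFY_KEY):
    """One verify-check-apply cycle on an already fetched blob."""
    text = sanity_check(verify(blob, key))
    apply_ruleset(text)
    return text


if __name__ == "__main__":
    # Periodic reload, as the message suggests: any failure keeps the
    # previous rules in place rather than leaving the box unprotected.
    while True:
        try:
            refresh(fetch())
        except Exception as exc:
            print("ruleset refresh failed, keeping current rules:", exc)
        time.sleep(REFRESH_SECONDS)
```

The HMAC keeps the example self-contained, but it means the firewall image holds a key that could also sign rulesets; with a detached PGP signature checked by `gpg --verify` against a public key in the image, the device holds nothing that can forge a config, which is the better fit for "no access to write to the configs". The `--test` pass before the real `iptables-restore` is what makes a broken ruleset harmless, and the pinned CA bundle is what stops a rogue server on the local segment from handing the box a ruleset of its choosing.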
On Mon, 31 Dec 2007 21:36:09 -0500 "Mark A. Lewis" mark@siliconjunkie.net wrote:
<snip>
I seem to remember there being distro ISO tools out there that allow one to roll their own distro, but for the life of me can't remember what it's called.
Anyway, if you're feeling ambitious you could load an OS, season to taste and then create your OS using the Live CD technology that's out there.
-- Mark
On a whim I googled live CD creation and came up with some very interesting results.
http://www.google.com/search?q=create+live+cd&ie=utf-8&oe=utf-8&...
-- Mark
Mark Weaver wrote:
<snip>
have you considered linux that fits on a floppy disk?
http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/
http://www.linuxlinks.com/Distributions/Floppy/
http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions...
get one running and configured and save to floppy... things go south reboot the machine and everything is back. no hard drives to worry about...
Have you ever thought about how rare floppy drives are now? At best you go with a bootable usb, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from usb. My corp notebook (nc2400) is locked down; and I don't see any value at getting corp IT bent out of shape.
On Tue, 1 Jan 2008, Robert Moskowitz wrote:
<snip>
Have you ever thought about how rare floppy drives are now? At best you go with a bootable usb, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from usb. My corp notebook (nc2400) is locked down; and I don't see any value at getting corp IT bent out of shape.
Yes, floppy drives are rare - but they are still incredibly valuable. I've dealt with needing to install drivers from floppy for OSes, and the OSes are looking to floppy.
I've needed DOS' fdisk to get me out of problems at times, and having a bootable copy of DOS on-hand has done the job.
Some BIOS updates are only available from a bootable floppy (won't install to anything else).
Saves time and frustration having a reusable floppy around rather than having to sometimes create a bootable CD to put the files on. Reuse the floppy as often as needed.
Old hardware still exists and is usable, and sometimes only works, or works best, with floppies.
Sometimes "old school" is still "good school".
We still often use "VT100" or "3270" emulation for remote connectivity... Think about their origins.
Scott
Scott Ehrlich wrote:
<snip>
Yes, floppy drives are rare - but they are still incredibly valuable. I've dealt with needing to install drivers from floppy for OSes, and the OSes are looking to floppy.
I've needed DOS' fdisk to get me out of problems at times, and having a bootable copy of DOS on-hand has done the job.
Some BIOS updates are only available from a bootable floppy (won't install to anything else).
Saves time and frustration having a reusable floppy around rather than having to sometimes create a bootable CD to put the files on. Reuse the floppy as often as needed.
I have a USB floppy that came with my Toshiba 3490. It is a very valuable part of my 'tool box'.
Old hardware still exists and is usable, and sometimes only works, or works best, with floppies.
Sometimes "old school" is still "good school".
Talk to me about 'old school'. I sat at my first Teletype in '66 as a Junior in High School, learning Dartmouth Basic...
But I am looking at what I can easily travel with, and a floppy is NOT part of a traveling collection. Enough gear to upset TSA as it is.
We still often use "VT100" or "3270" emulation for remote connectivity... Think about their origins.
Check out who chaired the TN3270E workgroup ;) Want to discuss LU2 management layer?
Not really, some things are best left in the dust heap. Along with those 55 Baud Teletypes!
On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz rgm@htt-consult.com wrote:
Have you ever thought about how rare floppy drives are now? At best you go with a bootable usb, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from usb. My corp notebook (nc2400) is locked down; and I don't see any value at getting corp IT bent out of shape.
why would you even think about using a Notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
-- Mark
Mark Weaver wrote:
<snip>
why would you even think about using a Notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
I guess he wants it to be portable.
He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices.
I really think he should carry an embedded firewall (like a soekris or a wrap) with pfsense on it.
Ugo
Ugo Bellavance wrote:
<snip>
I really think he should carry an embedded firewall (like a soekris or a wrap) with pfsense on it.
Old laptops make pretty good firewalls, I think. They take little space, have a built-in battery backup and built-in keyboard/monitor to use when you are visiting the datacenter. I have repurposed a couple of older laptops for these reasons since the machine doesn't need to be very fast to accomplish the mission. A lot of 3-4 year old laptops cave in under the weight of Windows, but are really overkill for a simple unix firewall. Better than sending them to the dustbin.
Best,
On Tue, 01 Jan 2008 10:59:17 -0500 Chris Mauritz chrism@imntv.com wrote:
Old laptops make pretty good firewalls, I think. They take little space, have a built-in battery backup and built-in keyboard/monitor to use when you are visiting the datacenter. I have repurposed a couple of older laptops for these reasons since the machine doesn't need to be very fast to accomplish the mission. A lot of 3-4 year old laptops cave in under the weight of Windows, but are really overkill for a simple unix firewall. Better than sending them to the dustbin.
Best,
true...
-- Mark
Chris Mauritz wrote:
Ugo Bellavance wrote:
Mark Weaver wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz rgm@htt-consult.com wrote:
Have you ever thought about how rare floppy drives are now? At best you go with a bootable USB, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from USB. My corp notebook (nc2400) is locked down; and I don't see any value in getting corp IT bent out of shape.
Why would you even think about using a notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
I guess he wants it to be portable.
He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices.
I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.
Old laptops make pretty good firewalls, I think. They take little space, have a built-in battery backup and built-in keyboard/monitor to use when you are visiting the datacenter. I have repurposed a couple of older laptops for these reasons since the machine doesn't need to be very fast to accomplish the mission. A lot of 3-4 year old laptops cave in under the weight of Windows, but are really overkill for a simple unix firewall. Better than sending them to the dustbin.
hmmm ... I would think that they do not handle heat very well though.
Maybe they do, and certainly it is better than throwing them away I guess.
--- Johnny Hughes johnny@centos.org wrote:
Chris Mauritz wrote:
Ugo Bellavance wrote:
Mark Weaver wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz rgm@htt-consult.com wrote:
Have you ever thought about how rare floppy drives are now? At best you go with a bootable USB, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from USB. My corp notebook (nc2400) is locked down; and I don't see any value in getting corp IT bent out of shape.
Why would you even think about using a notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
I guess he wants it to be portable.
He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices.
I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.
Old laptops make pretty good firewalls, I think. They take little space, have a built-in battery backup and built-in keyboard/monitor to use when you are visiting the datacenter. I have repurposed a couple of older laptops for these reasons since the machine doesn't need to be very fast to accomplish the mission. A lot of 3-4 year old laptops cave in under the weight of Windows, but are really overkill for a simple unix firewall. Better than sending them to the dustbin.
hmmm ... I would think that they do not handle heat very well though.
Maybe they do, and certainly it is better than throwing them away I guess.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
The bad thing is, if you always keep the laptop plugged in, the battery will be useless and will not hold a charge. That is what happened with one of my laptops.
--- Steven Vishoot sir_funzone@yahoo.com wrote:
--- Johnny Hughes johnny@centos.org wrote:
Chris Mauritz wrote:
Ugo Bellavance wrote:
Mark Weaver wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz rgm@htt-consult.com wrote:
Have you ever thought about how rare floppy drives are now? At best you go with a bootable USB, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from USB. My corp notebook (nc2400) is locked down; and I don't see any value in getting corp IT bent out of shape.
Why would you even think about using a notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
I guess he wants it to be portable.
He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices.
I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.
Old laptops make pretty good firewalls, I think. They take little space, have a built-in battery backup and built-in keyboard/monitor to use when you are visiting the datacenter. I have repurposed a couple of older laptops for these reasons since the machine doesn't need to be very fast to accomplish the mission. A lot of 3-4 year old laptops cave in under the weight of Windows, but are really overkill for a simple unix firewall. Better than sending them to the dustbin.
hmmm ... I would think that they do not handle heat very well though.
Maybe they do, and certainly it is better than throwing them away I guess.
The bad thing is, if you always keep the laptop plugged in, the battery will be useless and will not hold a charge. That is what happened with one of my laptops.
You can always take the battery out and keep it plugged in. Runs cooler, too.
Chris Mauritz wrote:
Ugo Bellavance wrote:
Mark Weaver wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz rgm@htt-consult.com wrote:
Have you ever thought about how rare floppy drives are now? At best you go with a bootable USB, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from USB. My corp notebook (nc2400) is locked down; and I don't see any value in getting corp IT bent out of shape.
Why would you even think about using a notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
I guess he wants it to be portable.
He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices.
I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.
Old laptops make pretty good firewalls, I think. They take little space, have a built-in battery backup and built-in keyboard/monitor to use when you are visiting the datacenter. I have repurposed a couple of older laptops for these reasons since the machine doesn't need to be very fast to accomplish the mission. A lot of 3-4 year old laptops cave in under the weight of Windows, but are really overkill for a simple unix firewall. Better than sending them to the dustbin.
I have a Dell notebook that functions as my backup Win2000 family finance system.
Next project is to see if I can reuse that old Toshiba 4000cdt box ;)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 01 Jan 2008 10:32:14 -0500 Ugo Bellavance ugob@lubik.ca wrote:
I guess he wants it to be portable.
He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices.
I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.
Ugo
well... if he built a live CD that would essentially "be" a portable firewall. Just boot the CD in whatever machine you've got it configured for and off you go.
- -- Mark
"Drunkenness is not an excuse for stupidity. If you're stupid when you're sober then that's one thing, but if you're sober when you're stupid, then you're just plain stupid!" ============================================== Powered by CentOS5 (RHEL5)
Mark Weaver wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 01 Jan 2008 10:32:14 -0500 Ugo Bellavance ugob@lubik.ca wrote:
I guess he wants it to be portable.
He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices.
I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.
Ugo
well... if he built a live CD that would essentially "be" a portable firewall. Just boot the CD in whatever machine you've got it configured for and off you go.
bad assumption about available CD. But bootable USB is an option, and they are cheap enough (check out ecost countdowns), and hold more than a CD.
That will be coming next. Centos on a USB drive. DSL on USB is supposedly 'easy'.
Ugo Bellavance wrote:
Mark Weaver wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz rgm@htt-consult.com wrote:
Have you ever thought about how rare floppy drives are now? At best you go with a bootable USB, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from USB. My corp notebook (nc2400) is locked down; and I don't see any value in getting corp IT bent out of shape.
Why would you even think about using a notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
I guess he wants it to be portable.
He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices.
I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.
I have enough gear to get through TSA. My next trip will have me carrying 3 laptops (granted 2 are 12" and one 7") and one microITX box. Plus a bunch of USB gizmos, my Bose 2 headphones, etc. And I do carryon, so space is at a premium.
The boxes here in the lab are not portable, but the learning has to be.
Mark Weaver wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz rgm@htt-consult.com wrote:
Have you ever thought about how rare floppy drives are now? At best you go with a bootable USB, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from USB. My corp notebook (nc2400) is locked down; and I don't see any value in getting corp IT bent out of shape.
Why would you even think about using a notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
Of course in my lab, the firewall is a 'older' machine. But I want to learn from this so that when I am at a conference or trade show and need a firewall 'fast', I can put up the services on one of my Centos notebooks.
BTW, WRT 'older' machines. I am looking more at the cost of running these machines (power draw). It is not just a matter of the $0.124/KWH that I pay, but the cost to add another circuit (my NOC shares two circuits that were already running at 50% utilization), and the cost of cooling in the summer (we added a tap into the cold air return system by the rack fans to capture the computer heat for the winter).
I just got the firewall running (see later note) on a decTOP micro PC from which I pulled the 10Gb 3.5" drive and installed a 2.5" 6Gb drive. The system pulls about 10W! Compared to ~100W for some of my Compaq SFFs. Let's see: 90W/day = 2.16KWH = ~$0.27/day = ~$97.76/year. That can pay for replacing another old Compaq with another decTOP (well, not really, as you have to add memory, switch out drives, and add a second USB ethernet dongle; guess the ROI is around 2 years).
Matt Shields wrote:
On Dec 31, 2007 12:13 AM, Robert Moskowitz rgm@htt-consult.com wrote:
Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....
Maybe Shoreline with webmin....
Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....
If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls.
I noticed the latter, also a PIX module. No, I have not personally needed that costly of a firewall.
Full disclosure time. My day job is with ICSAlabs. My area is security protocols research (like setting up the initial IPsec certification criteria), but when I visit the labs there are all those firewall products up and running.... So, yeah, I know Checkpoint. I talk with the gang over in the labs about 'simple' firewalls, but there are only certain things the boss funds here. So then I have to go cheap.
On Mon December 31 2007 07:58, Robert Moskowitz wrote:
Full disclosure time. My day job is with ICSAlabs. My area is security protocols research (like setting up the initial IPsec certification criteria), but when I visit the labs there are all those firewall products up and running.... So, yeah, I know Checkpoint. I talk with the gang over in the labs about 'simple' firewalls, but there are only certain things the boss funds here. So then I have to go cheap.
While IPTABLES might be CHEAP (price) it is a very good firewall. Learn to set it up from the command line, it isn't that hard. Try the following to learn it;
http://iptables.rlworkman.net/chunkyhtml/index.html
Forget those GUI interfaces.
Robert Spangler wrote:
While IPTABLES might be CHEAP (price) it is a very good firewall. Learn to set it up from the command line, it isn't that hard. Try the following to learn it;
http://iptables.rlworkman.net/chunkyhtml/index.html
Forget those GUI interfaces.
One thing that bugs me about most canned iptables rulesets, including the ones generated by most of those GUI packages, is that they are way more complex than needed; it's like they are trying to reinvent the entire TCP stack. E.g.: you really don't need to reject non-SYN packets on unopened connections, TCP will do that quite nicely on its own and far more efficiently than a pile of iptables rules.
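A worked example of the "learn iptables from the command line, keep it simple" advice in this thread, added here and not code from any of the posters: a routed, no-NAT ruleset in iptables-restore format that leaves TCP state work to conntrack instead of hand-written flag rules, puts an accept for SSH from the management host first so a bad rule further down cannot lock you out (the problem from the original post), a check that verifies that ordering, and an applier with a timed rollback. Interface names, the private subnet and the management address are constructed placeholders from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread. A minimal routed (no NAT) firewall for a
# two-interface box, emitted in iptables-restore format, plus a self-check and a
# timed-rollback applier. Addresses and interfaces below are constructed placeholders.

PUB_IF="eth0"                # assumed: interface on the public, routable net
PRIV_IF="eth1"               # assumed: interface on the private, also routable net
PRIV_NET="198.51.100.0/24"   # constructed (RFC 5737): the private subnet
MGMT_HOST="192.0.2.10"       # constructed (RFC 5737): admin box that must keep SSH

# Print the ruleset on stdout. Only the filter table is used: both sides are
# routable, so there is no *nat section at all.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-lockout: SSH from the management host is the very first INPUT rule, so
# no later mistake can cut off remote administration.
-A INPUT -s ${MGMT_HOST} -p tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Let conntrack do the TCP state work instead of hand-written per-flag rules.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ICMP errors (including Fragmentation Needed) are required for a working router.
-A INPUT -p icmp -j ACCEPT
# Forwarding between the two nets: replies by state, new flows by policy.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -s ${PRIV_NET} -m state --state NEW -j ACCEPT
# One explicitly published inbound service (SSH) into the private net.
-A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -d ${PRIV_NET} -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Everything else falls to the DROP policy; log a rate-limited sample first.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Read a ruleset on stdin; succeed only if the first INPUT rule is the
# management-host SSH accept. Run this before every apply.
check_anti_lockout() {
    awk -v h="$MGMT_HOST" '
        /^-A INPUT/ && first == "" { first = $0 }
        END {
            if (index(first, "-s " h) && index(first, "--dport 22") && index(first, "-j ACCEPT"))
                exit 0
            exit 1
        }'
}

# Apply gen_rules with a safety net: the current rules are saved and restored
# automatically after $1 seconds (default 60) unless the admin, still logged
# in over SSH, confirms the new rules by running: kill "$ROLLBACK_PID"
apply_with_rollback() {
    secs="${1:-60}"
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    gen_rules | check_anti_lockout || { echo "refusing: anti-lockout rule missing" >&2; return 1; }
    ( sleep "$secs" && iptables-restore < "$backup" ) &
    ROLLBACK_PID=$!
    gen_rules | iptables-restore
}
```

Inspect the output with `gen_rules` first; `apply_with_rollback 60` needs root and an iptables install, and the rollback fires unless you kill the sleeper within the window.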
Robert Spangler wrote:
On Mon December 31 2007 07:58, Robert Moskowitz wrote:
Full disclosure time. My day job is with ICSAlabs. My area is security protocols research (like setting up the initial IPsec certification criteria), but when I visit the labs there are all those firewall products up and running.... So, yeah, I know Checkpoint. I talk with the gang over in the labs about 'simple' firewalls, but there are only certain things the boss funds here. So then I have to go cheap.
While IPTABLES might be CHEAP (price) it is a very good firewall. Learn to set it up from the command line, it isn't that hard. Try the following to learn it;
http://iptables.rlworkman.net/chunkyhtml/index.html
Forget those GUI interfaces.
This might be best for my current needs...
thanks
On Dec 31, 2007 7:58 AM, Robert Moskowitz rgm@htt-consult.com wrote:
Matt Shields wrote:
On Dec 31, 2007 12:13 AM, Robert Moskowitz rgm@htt-consult.com wrote:
Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....
Maybe Shoreline with webmin....
Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....
If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls.
I noticed the later, also a PIX module. No I have not personally needed that costly of a firewall.
Full disclosure time. My day job is with ICSAlabs. My area is security protocols research (like setting up the initial IPsec certification criteria), but when I visit the labs there are all those firewall products up and running.... So, yeah, I know Checkpoint. I talk with the gang over in the labs about 'simple' firewalls, but there are only certain things the boss funds here. So then I have to go cheap.
If you're running a single firewall, then maybe FWBuilder isn't for you, although it will do what you want. The real benefit of FWBuilder is when you have more than one firewall in your network and you want to use common objects to simplify maintaining rules.
For example, the company I work for has 4 datacenters, plus a number of leased servers (like Rackspace). At each of the datacenters we have at least 1 pair of redundant firewalls. On all our firewalls we have common rules to allow traffic from every other datacenter/server that we own. So we define an object for each datacenter, the object is a subnet. Then we define a group called datacenters which includes all the previous subnets objects. Then when building a new firewall we just include the same rule that says from datacenters allow all.
If we add a new datacenter or leased server, we add a new subnet object and include it in the datacenter group. We then just recompile and redeploy each of the firewalls without having to add anything to the firewalls, because they already have the datacenter rule.
When you maintain a large network you really see the benefit of FWBuilder. If you're running Windows there is a $50 license fee, but for those people who are network admins but do not like Linux on the desktop it's well worth the price for the Windows license.
Matt Shields wrote:
On Dec 31, 2007 7:58 AM, Robert Moskowitz rgm@htt-consult.com wrote:
Matt Shields wrote:
On Dec 31, 2007 12:13 AM, Robert Moskowitz rgm@htt-consult.com wrote:
Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....
Maybe Shoreline with webmin....
Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....
If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls.
I noticed the later, also a PIX module. No I have not personally needed that costly of a firewall.
Full disclosure time. My day job is with ICSAlabs. My area is security protocols research (like setting up the initial IPsec certification criteria), but when I visit the labs there are all those firewall products up and running.... So, yeah, I know Checkpoint. I talk with the gang over in the labs about 'simple' firewalls, but there are only certain things the boss funds here. So then I have to go cheap.
If you're running a single firewall, then maybe FWBuilder isn't for you, although it will do what you want. The real benefit of FWBuilder is when you have more than one firewall in your network and you want to use common objects to simplify maintaining rules.
For example, the company I work for has 4 datacenters, plus a number of leased servers (like Rackspace). At each of the datacenters we have at least 1 pair of redundant firewalls. On all our firewalls we have common rules to allow traffic from every other datacenter/server that we own. So we define an object for each datacenter, the object is a subnet. Then we define a group called datacenters which includes all the previous subnets objects. Then when building a new firewall we just include the same rule that says from datacenters allow all.
If we add a new datacenter or leased server, we add a new subnet object and include it in the datacenter group. We then just recompile and redeploy each of the firewalls without having to add anything to the firewalls, because they already have the datacenter rule.
When you maintain a large network you really see the benefit of FWBuilder. If you're running Windows there is a $50 license fee, but for those people who are network admins but do not like Linux on the desktop it's well worth the price for the Windows license.
I saw that about fwbuilder. Going to have to ask the crew back in the labs about it.
But, yes. I 'run' a research facility out of my house. I have to pay the electric bill; never convinced the boss to allow me to expense it; they have bought some of my equipment and pay for part of the ISP cost. So as a lab, I have need for flexibility, not replicability. Also I might be at a conference and need to get something up and running on one of the notebooks I travel with....
On Mon, 31 Dec 2007, Robert Moskowitz wrote:
Well FWbuilder is NOT easy.
I disagree but to each his own.
The documentation does not match the current GUI.
I have not looked at the docs lately, but Vadam used to be pretty good at keeping the docs updated. There is also a mailing list you can subscribe to. As long as you ask intelligent questions you will usually get good answers.
Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....
To prevent that in the future, set the management IP address on the firewall object. That way fwbuilder will always allow ssh access from that machine no matter how badly you hose the rules.
Keep in mind that any of the firewall management systems mentioned can/will also lock you out if misconfigured.
Maybe Shoreline with webmin....
Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....
Why reinvent the wheel? Use what you are comfortable with. For me that is fwbuilder but for you that sounds like it is Astaro.
Regards,
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Robert Moskowitz Sent: Sunday, December 30, 2007 9:13 PM To: CentOS mailing list Subject: [CentOS] Firewall frustration
Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....
Maybe Shoreline with webmin....
Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....
I just turned off my Astaro Gateway, as it pissed me off by continually throttling my 10M/10M FIOS connection.....:^> I liked the integration of services in the box, and I likely would have kept it for that one item. I'll be looking at an IPCOP/Smoothwall/Monowall replacement. I have an IPCOP box at work for our public access DSL connection. (Customers kept surfing p*rn in the waiting area. Squidguard on IPcop fixed that..) Uptime on that box (Compaq P2-733) is around 250 days right now. I had to move the box, so it would be more like 400....
Dennis McLeod wrote:
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Robert Moskowitz Sent: Sunday, December 30, 2007 9:13 PM To: CentOS mailing list Subject: [CentOS] Firewall frustration
Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....
Maybe Shoreline with webmin....
Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....
I just turned off my Astaro Gateway, as it pissed me off by continually throttling my 10M/10M FIOS connection.....:^>
For all that it does, you would need it on a pretty hefty box for 10M. But then I have seen LAN-LAN > 10M working here....
I liked the integration of services in the box, and I likely would have kept it for that one item. I'll be looking at an IPCOP/Smoothwall/Monowall replacement. I have an IPCOP box at work for our public access DSL connection. (Customers kept surfing p*rn in the waiting area. Squidguard on IPcop fixed that..) Uptime on that box (Compaq P2-733) is around 250 days right now. I had to move the box, so it would be more like 400....
I run Astaro on a Compaq SFF 1GHz with 512MB memory. It has a 4-port 10/100 card as well as the internal ethernet. I use VLANing extensively, as I have ~12 LANs connected to the box. I have the public net on one port, then all the others are plugged into an HP 2650 48-port switch. I can move systems to the subnet I need for whatever testing or production I use. I ONLY use the firewall for packet filtering. No SPAM control, web proxying, etc....