"security" <[EMAIL PROTECTED]> writes: > Hello all,
Hi, > Florin, I have a couple questions for you. I've installed the pre-alpha ISO and > aside from a little network card detection glitch it installed beautifully (the > cards don't appear in the MNF web interface). My first test was to restore a backup > configuration file to an identical machine running the 10.0 from our current 8.2 > firewall. Oops, big mistake. Apparently the zones are defined differently and I've > now locked myself out of the LAN interface... no biggie but it brings me to a > question I've had for a while. Will there be a way (or would you please consider > adding it) to do a pre-check on the rules before shorewall attempts to restart? > I've been in a hurry before or not thinking and I've made rules that the interface > accepts but shorewall pukes on. For instance, you would never make a rule: > > ACCEPT wan dmz icmp 0:65535 (all ports) --- --- > > This would effectively bring the firewall down and force you to log on locally, > change the /etc/shorewall/rules file, restart shorewall, then re-enter the interface > so the database can get changed too. I can see at least two different subjects here, but they are somehow related, I agree. 1. Update the 8.2 configuration. It would have been nice to have a diff between the 8.2 configuration and the 10.0 one. I will check this matter somewhere this week and come back to you. 2. Shorewall checking. I have already modified the shorewall intiscript and replace the 'restart' with 'check && restart'. This will at least fail eventually on the check and do not actually fire the restart. It is difficult to do a real check and this is somehow based on some knowledge of the firewall administrator. I'm not sure how can I improve this so any ideas are welcome. > Question #2 - Traffic Shaping > Honestly this is fantastic and it's so very welcomed. However, would it be possible > to TS by IP? We have a number of chat servers and I'd LOVE to shape them via the FW > instead of by each machine. 
Hum, the traffic shaping is based on the wondershaper script and this will not allow TS by IP if I rememeber correctly, but I will have a closer look this week. > This also brings me to a humble suggestion. Just a suggestion but you may want to > have a checkbox by the rules that would "disable" the rule instead of deleting it. > The database could keep the rule around but would ultimately not write rules to the > configs that were checked "disabled". This allows you to test rules first instead of > just deleting them and having to re-add them. this is already present in the actual MNF2 iso image. The rules have two more coloumns now: status (enabled|disabled) and commentary > I LOVE your firewall. thank you for the compliment ... I hope it can sometimes be helpful :o) have a nice day, -- Florin http://www.mandrakesoft.com http://people.mandrakesoft.com/~florin/
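The 'check && restart' guard Florin describes, written out as an added example (not code from this thread, MNF or Shorewall) that also keeps a copy of the last ruleset that restarted cleanly so a failed restart can be rolled back. The SHOREWALL and RULES variables are assumptions introduced here so the function can be exercised against a stub command instead of a live firewall:

```shell
#!/bin/sh
# Added example, not code from the thread or from MNF/Shorewall.
# Assumptions: $SHOREWALL names the shorewall command (default: shorewall)
# and $RULES the rules file (default: /etc/shorewall/rules). Both are read
# at call time so the function can be tested against a stub.
#
# Exit status: 0 = check passed and restart succeeded (ruleset saved as last-good)
#              1 = check failed, nothing restarted, running rules untouched
#              2 = check passed but restart failed; last-good rules restored
safe_restart() {
    sw="${SHOREWALL:-shorewall}"
    rules="${RULES:-/etc/shorewall/rules}"
    good="$rules.last-good"

    # Step 1: validate only. A ruleset the parser rejects never reaches restart,
    # so the rules currently loaded stay up and the admin is not locked out.
    if ! "$sw" check; then
        echo "safe_restart: '$sw check' rejected $rules; keeping running rules" >&2
        return 1
    fi

    # Step 2: apply the new rules; on success remember them as known-good.
    if "$sw" restart; then
        cp -p "$rules" "$good"
        return 0
    fi

    # Step 3: restart failed part-way. Put the last known-good rules file back
    # and reload it, rather than leaving the box with a half-applied ruleset.
    echo "safe_restart: restart failed; rolling back to $good" >&2
    if [ -f "$good" ]; then
        cp -p "$good" "$rules"
        "$sw" restart
    fi
    return 2
}
```

A ruleset that `check` accepts but that locks the admin out of the LAN interface, like the restored 8.2 configuration in the thread, is not caught by this: that needs a confirmation timer that rolls back when the admin does not re-connect, which is left out here.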
