[ale] Opinion Call: Firewalls for DSL

Michael Phillips mike at coosavalley.net
Mon Jul 3 14:00:05 EDT 2000


My experience with NetMax has been ..... well, let's say I wish the media
was on a CD-RW so at least I could reuse the CD! It quite plainly *sucks*.
YMMV of course.

Mike


------------------------------------------------------------------------
Michael Phillips                                Senior UNIX Administrator
<mike.phillips at ieionline.com >  Phone: 256-362-8562 Ext 143
International Enterprises, Inc. Fax: 256-362-0102
108 Allen St                            http://www.ieionline.com
Talladega, AL 35160                     "Superior Avionics for the Military"

DISCLAIMER: Opinions expressed are not necessarily those of my employer
-----Original Message-----
From: owner-ale at ale.org [mailto:owner-ale at ale.org] On Behalf Of Ray Knight - Clientlink
Sent: Monday, July 03, 2000 9:33 AM
To: Jeff Hubbs; Ale
Subject: RE: [ale] Opinion Call: Firewalls for DSL


You could have used any of the number of Linux based firewall/router distros
that use a single floppy approach on your original target machine.  The
following is a list of a few that I have tried.  I am currently using the
FreeSCO solution, but the others have their advantages as well:

ShareTheNet     http://www.ShareTheNet.com/
FreeSCO         http://www.linuxsupportline.com/~router/
floppyfw        http://www.zelow.no/floppyfw/
Coyote Linux    http://www.coyotelinux.com/coyote.html
FirePlug        http://edge.fireplug.net/

And of course there is the Linux Router Project at
http://www.linuxrouter.org

Ray Knight
audilvr at speakeasy.org
-----Original Message-----
From: owner-ale at ale.org [mailto:owner-ale at ale.org] On Behalf Of Jeff Hubbs
Sent: Monday, July 03, 2000 12:51 AM
To: ale at ale.org
Subject: [ale] Opinion Call: Firewalls for DSL


A couple of months ago, I made a strategic decision to pop for the NetMax
Firewall/Router product from CyberNet.
My dangerously optimistic premise was that I had a lot of things to
integrate at the house - new computer, firewall, Telocity DSL (no
complaints, BTW), old computer - and I thought that the NetMax' "thin
server" Web-administered approach would help me get going quicker.
My target machine was going to be a VLBus 486DX/33 in which I could put as
much as 32MB of RAM, and I had already set myself up with some ISA-bus
Ethernet cards to choose from, three of them being NE2000 clones.   I also
scored a 3Com 3C515 - an ISA-bus 10/100 full-duplex card.
The first problem I had was that whereas the NetMax docs said it supported
the 3Com 3C515, there appeared to be no way to get it to work, and when I
called tech support, the person that answered didn't even seem to understand
the question when I tried to find out how.  I finally had to insist to speak
to someone who had firsthand experience with the product.  When I finally
did, I learned that my question about the 3C515 apparently had no answer and
that the claim of supporting the 3C515 was apparently a lot of hogwash.  I
also learned that when the NetMax docs say that a Pentium is the minimum
required CPU, they mean it - it is unstable on a 486 (he did not indicate
that it was compiled for Pentium; that's my assumption).  This fellow
offered to set me up with the FreeBSD version in trade for the Linux version
that I bought and my address was taken down.  It never arrived.
I decided that I would try to soldier ahead with what I had.  I picked up a
fairly nice Pentium/75 at MicroSeconds.  It took me a few tries to get
anywhere with it, but I eventually got it to work with two interfaces,
performing NAT.  One key element to my eventual success was that the only
documentation that is usable is a single article on their Web page; the
provided documentation is NOT sufficient to figure out the installation.
Here is my sack of woes to date:
At the moment, even after a reboot, the Web interface is not reacting.  It
was working fine, but now, zip.
The interface, when it did work, is DOG SLOW.  If you make config changes,
it takes this Pentium/75 with 256KB of cache and 72MB of RAM *several
minutes* to go through the commit/restart services process.
The console sometimes fills up with stuff like "Unable to handle kernel NULL
pointer dereference at..." or "Out of Memory" errors.  Most of the time, NAT
operation seems to continue unabated but the "Out of Memory" stuff got so
bad that the machine would only respond to a three-fingered salute.
There is nothing documented, nor anything I can locate in the Web interface
(again, when it worked) or the Web site that gives me the ability to enable
or block specific services or even ports - just a rather vaguely labeled set
of check boxes.
Things like sendmail are running.  I don't want it running.  But, to stop
it, I have to dig through /etc/rc.d or whatever in the typical fashion.
So far, my attempts to configure X have been a total failure.  The video is
a supported Cirrus Logic.  All three offered methods of X configuration at
the console error out.
You log onto the console using the username and password you enter at
install time.  It would be nice to su to root so you can run things like
fsck but the root password is unknown to me.
The Web site support options - the user forum and the knowledge base - have
been essentially useless and my one attempt at phone support was horrendous.
Before I went through all this, I had read the Firewall-HOWTO and got a fair
idea of the theory behind ipchains and I understood that I had a lot to
learn and that I would have to be careful to harden the Internet-facing
interface and generally be on my toes about it.  I had good reason to
believe that the NetMax product was going to help prevent me from having to
be quite so down-and-dirty.
So, my question to you fine folks is basically this:  should I have
bothered?  Would I have been as well off if I had just put a bare-bones
Red Hat 6.2 installation on the 486 and figured out ipchains?  Right now I
have a marginally unstable firewall that is performing NAT like it should,
but when certain Internet functions don't work, it seems I have to "open the
hood" anyway and I really don't have a good way to know how well protected
my firewall is against the baddies.   I know some of you have done the
firewall thing with some success and inasmuch as I would *like* a shortcut
to a well-done firewall, I've just about concluded that the NetMax product
is not it and my $50 would have been better spent elsewhere.
So what do you think I should do?
- Jeff


--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
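Added example, not code from any poster in this thread: the kind of hand-written ipchains ruleset Jeff is weighing against the NetMax box, for a two-NIC Red Hat 6.2 / Linux 2.2 machine doing NAT (masquerading) for a home LAN. It does the three things the thread complains NetMax would not let him do: default-deny on the Internet-facing interface, explicitly block (and log) services the box itself runs but should not expose, and masquerade the LAN. The interface names (eth0 outside, eth1 inside), the LAN range 192.168.1.0/24 and the blocked port list are assumptions, not from the thread. With FW_APPLY=1 the script executes the commands (root and the ipchains binary required); otherwise it prints them so the ruleset can be reviewed on any machine.

```shell
#!/bin/sh
# Added example (not from the thread): minimal ipchains masquerading firewall.
# Assumed layout: eth0 faces the DSL modem, eth1 faces the LAN 192.168.1.0/24.
# FW_APPLY=1 runs the commands; anything else prints them (dry run).

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# TCP services the box runs (sendmail, portmap, lpd) but must not expose
# to the Internet; each gets an explicit, logged DENY so probes show up.
BLOCK_TCP="${BLOCK_TCP:-25 111 515}"

ipc() {
    if [ "${FW_APPLY:-0}" = 1 ]; then
        ipchains "$@"
    else
        echo "ipchains $*"
    fi
}

fw_rules() {
    # Start clean; deny by default on input and forward.
    ipc -F
    ipc -P input DENY
    ipc -P forward DENY
    ipc -P output ACCEPT

    # The box may talk to itself and to the LAN.
    ipc -A input -i lo -j ACCEPT
    ipc -A input -i "$INT_IF" -s "$LAN_NET" -j ACCEPT

    # Anti-spoofing: LAN addresses never legitimately arrive on the outside.
    ipc -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l

    # Services we run but do not want reachable from the Internet.
    for port in $BLOCK_TCP; do
        ipc -A input -i "$EXT_IF" -p tcp -d 0/0 "$port" -j DENY -l
    done

    # ipchains is stateless: accept TCP replies (no SYN flag) but no new
    # inbound connections; "! -y" matches packets without SYN set.
    ipc -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # DNS answers to unprivileged client ports, and ICMP.
    ipc -A input -i "$EXT_IF" -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT
    ipc -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # Everything else from the outside: deny and log.
    ipc -A input -i "$EXT_IF" -j DENY -l

    # NAT: masquerade LAN traffic leaving on the external interface.
    # (In the ipchains forward chain, -i names the interface the packet leaves on.)
    ipc -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
}

enable_forwarding() {
    if [ "${FW_APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

enable_forwarding
fw_rules
```

Run it once without FW_APPLY to read the rules it would load, then `FW_APPLY=1 sh fw.sh` as root; because every rule that drops outside traffic carries `-l`, the kernel log shows exactly which probes hit the box, which answers the "how well protected am I" question the thread raises without opening the hood again.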