* [gentoo-user] Wha' hoppen to firestarter?
From: Kevin O'Gorman @ 2007-06-06 3:39 UTC
To: gentoo-user
I had firestarter-1.0.3 emerged for quite some time. I hadn't really
used it, but I'm a bit surprised now to find that it's interfering
with normal emerges because it's got a big red "M" smacked on it.
I suppose that means there's a problem with it, and it's explained in
some forum or list that I don't normally get. But now I'd like a
clue: what's the {prognosis, workaround, fix, alternative}. As I
mentioned, I hadn't really started to use it, but I'd like to have a
better firewall tool than building iptables scripts in vim.
--
Kevin O'Gorman, PhD
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Wha' hoppen to firestarter?
From: Dale @ 2007-06-06 3:54 UTC
To: gentoo-user
Kevin O'Gorman wrote:
> I had firestarter-1.0.3 emerged for quite some time. I hadn't really
> used it, but I'm a bit surprised now to find that it's interfering
> with normal emerges because it's got a big red "M" smacked on it.
>
> I suppose that means there's a problem with it, and it's explained in
> some forum or list that I don't normally get. But now I'd like a
> clue: what's the {prognosis, workaround, fix, alternative}. As I
> mentioned, I hadn't really started to use it, but I'd like to have a
> better firewall tool than building iptables scripts in vim.
>
This is from the Gentoo dev list.
> The upstream development for firestarter has been dead for some time
> (last news update Jul 31 2005). Recent changes to the netfilter code
> in the kernel have caused firestarter not to work (see bug #179792).
> That bug has a patch that fixes that particular problem but the fact that
> upstream is dead, the several other open bugs about firestarter and the
> fact that I no longer use it myself mean I'm masking it for removal.
>
> I feel there are several good alternatives in net-firewall/ to use as
> replacements for the iptables-generating aspect of firestarter. If someone
> would like to pick up and maintain this package, they're welcome to it,
> otherwise, I'll remove it in thirty days.
>
> Michael Sterrett
> -Mr. Bones.-
So, if you like firestarter, better say something pretty soon. ;-)
That help any??
Dale
:-) :-) :-)
* [gentoo-user] Re: Wha' hoppen to firestarter?
From: Ali Polatel @ 2007-06-06 4:07 UTC
To: gentoo-user
Dale <dalek@exceedtech.net> wrote:
> Kevin O'Gorman wrote:
> > I had firestarter-1.0.3 emerged for quite some time. I hadn't really
> > used it, but I'm a bit surprised now to find that it's interfering
> > with normal emerges because it's got a big red "M" smacked on it.
> >
> > I suppose that means there's a problem with it, and it's explained in
> > some forum or list that I don't normally get. But now I'd like a
> > clue: what's the {prognosis, workaround, fix, alternative}. As I
> > mentioned, I hadn't really started to use it, but I'd like to have a
> > better firewall tool than building iptables scripts in vim.
> >
>
> This is from the Gentoo dev list.
>
<snip>
>
> So, if you like firestarter, better say something pretty soon. ;-)
>
> That help any??
>
> Dale
>
> :-) :-) :-)
Upstream is dead and there are many open bugs so it's a PITA to
maintain. Here are the open bugs about firestarter:
http://bugs.gentoo.org/show_bug.cgi?id=146620
http://bugs.gentoo.org/show_bug.cgi?id=179792
http://bugs.gentoo.org/show_bug.cgi?id=180104
http://bugs.gentoo.org/show_bug.cgi?id=180105
--
ali polatel (hawking)
Now is the time for drinking; now the time to beat the earth with
unfettered foot.
-- Quintus Horatius Flaccus (Horace)
* Re: [gentoo-user] Wha' hoppen to firestarter?
From: Alan McKinnon @ 2007-06-06 8:07 UTC
To: gentoo-user
On Wednesday 06 June 2007, Kevin O'Gorman wrote:
> I had firestarter-1.0.3 emerged for quite some time. I hadn't really
> used it, but I'm a bit surprised now to find that it's interfering
> with normal emerges because it's got a big red "M" smacked on it.
>
> I suppose that means there's a problem with it, and it's explained in
> some forum or list that I don't normally get. But now I'd like a
> clue: what's the {prognosis, workaround, fix, alternative}. As I
> mentioned, I hadn't really started to use it, but I'd like to have a
> better firewall tool than building iptables scripts in vim.
I find it useful to read the new entries in
$PORTDIR/profile/package.mask after every sync to see what's recently
been nuked:
# Michael Sterrett <mr_bones_@gentoo.org> (30 May 2007)
# masked for removal on 20070629
# Upstream is dead and there are several open bugs:
# http://bugs.gentoo.org/show_bug.cgi?id=146620
# http://bugs.gentoo.org/show_bug.cgi?id=179792
# http://bugs.gentoo.org/show_bug.cgi?id=180104
# http://bugs.gentoo.org/show_bug.cgi?id=180105
# See http://article.gmane.org/gmane.comp.security.firewalls.firestarter.user/1342
# for a thread on the mailing list regarding the state of things, including
# mention of the problems with the newest netfilter code.
net-firewall/firestarter
alan
--
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
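The habit described in the message above (reading new package.mask entries after each sync) can be scripted. This is an added example, not part of the original thread or of Portage: it parses mask entries and reports recent ones that hit installed packages. The second sample entry, the `INSTALLED` set and all function names are constructed for illustration, and the atom pattern ignores slots and USE dependencies.

```python
import re
from datetime import date, datetime
from typing import List, NamedTuple, Optional

# First entry: the package.mask entry quoted in the message above.
# Second entry and INSTALLED: constructed for this example.
SAMPLE_MASK = """\
# Michael Sterrett <mr_bones_@gentoo.org> (30 May 2007)
# masked for removal on 20070629
# Upstream is dead and there are several open bugs:
# http://bugs.gentoo.org/show_bug.cgi?id=146620
# http://bugs.gentoo.org/show_bug.cgi?id=179792
# http://bugs.gentoo.org/show_bug.cgi?id=180104
# http://bugs.gentoo.org/show_bug.cgi?id=180105
net-firewall/firestarter

# Example Dev <dev@example.org> (12 Jan 2007)
# Constructed entry: masked for testing.
>=app-misc/example-2.0
"""
INSTALLED = {"net-firewall/firestarter", "app-editors/vim"}

HEADER_RE = re.compile(r"^(?P<who>.+?)\s*\((?P<when>\d{1,2} \w{3} \d{4})\)$")
REMOVAL_RE = re.compile(r"removal on (\d{8})")
# Operator prefix, category/name, optional -version suffix.
ATOM_RE = re.compile(r"^[<>=~!]*([\w+.-]+/[\w+.-]+?)(?:-\d[\w.*-]*)?$")


class MaskEntry(NamedTuple):
    author: str
    masked_on: Optional[date]
    removal_on: Optional[date]
    packages: List[str]


def parse_mask(text: str) -> List[MaskEntry]:
    """Split package.mask text into blank-line-separated entries."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        comments = [l.lstrip("#").strip() for l in lines if l.startswith("#")]
        atoms = [l for l in lines if not l.startswith("#")]
        if not atoms:  # comment-only block, e.g. the file's own header
            continue
        head = HEADER_RE.match(comments[0]) if comments else None
        removal = REMOVAL_RE.search(" ".join(comments))
        entries.append(MaskEntry(
            author=head.group("who") if head else "unknown",
            masked_on=(datetime.strptime(head.group("when"), "%d %b %Y").date()
                       if head else None),
            removal_on=(datetime.strptime(removal.group(1), "%Y%m%d").date()
                        if removal else None),
            packages=[m.group(1) for m in map(ATOM_RE.match, atoms) if m],
        ))
    return entries


def installed_masks(entries, installed, since):
    """Entries added on or after `since` that mask an installed package."""
    return [e for e in entries
            if e.masked_on and e.masked_on >= since
            and installed.intersection(e.packages)]


if __name__ == "__main__":
    for e in installed_masks(parse_mask(SAMPLE_MASK), INSTALLED, date(2007, 5, 1)):
        print(e.packages, "masked by", e.author, "removal on", e.removal_on)
```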
* Re: [gentoo-user] Wha' hoppen to firestarter?
From: Kevin O'Gorman @ 2007-06-06 13:35 UTC
To: gentoo-user, Dale
On 6/5/07, Dale <dalek@exceedtech.net> wrote:
> Kevin O'Gorman wrote:
> > I had firestarter-1.0.3 emerged for quite some time. I hadn't really
> > used it, but I'm a bit surprised now to find that it's interfering
> > with normal emerges because it's got a big red "M" smacked on it.
> >
> > I suppose that means there's a problem with it, and it's explained in
> > some forum or list that I don't normally get. But now I'd like a
> > clue: what's the {prognosis, workaround, fix, alternative}. As I
> > mentioned, I hadn't really started to use it, but I'd like to have a
> > better firewall tool than building iptables scripts in vim.
> >
>
> This is from the Gentoo dev list.
>
> > The upstream development for firestarter has been dead for some time
> > (last news update Jul 31 2005). Recent changes to the netfilter code
> > in the kernel have caused firestarter not to work (see bug #179792).
> > That bug has a patch that fixes that particular problem but the fact that
> > upstream is dead, the several other open bugs about firestarter and the
> > fact that I no longer use it myself mean I'm masking it for removal.
> >
> > I feel there are several good alternatives in net-firewall/ to use as
> > replacements for the iptables-generating aspect of firestarter. If someone
> > would like to pick up and maintain this package, they're welcome to it,
> > otherwise, I'll remove it in thirty days.
> >
> > Michael Sterrett
> > -Mr. Bones.-
>
> So, if you like firestarter, better say something pretty soon. ;-)
>
> That help any??
>
> Dale
That helps some, but in net-firewall I'm finding a lot of unstable
packages, and no really good idea which ones will be the best for a
personal firewall, let alone which ones are best supported upstream so
this doesn't happen to me again. So I'm interested in
recommendations. What did you switch to?
++ kevin
--
Kevin O'Gorman, PhD
* Re: [gentoo-user] Wha' hoppen to firestarter?
From: Jorge Almeida @ 2007-06-06 13:59 UTC
To: gentoo-user
On Wed, 6 Jun 2007, Kevin O'Gorman wrote:
>
> That helps some, but in net-firewall I'm finding a lot of unstable
> packages, and no really good idea which ones will be the best for a
> personal firewall, let alone which ones are best supported upstream so
> this doesn't happen to me again. So I'm interested in
> recommendations. What did you switch to?
>
I use Shorewall. It's well supported and works well. I don't know a
thing about iptables and still I've had a firewall in my workstations
since I started using Linux.
>
--
Jorge Almeida
* Re: [gentoo-user] Wha' hoppen to firestarter?
From: Ken @ 2007-06-06 14:03 UTC
To: gentoo-user
Kevin O'Gorman wrote:
> On 6/5/07, Dale <dalek@exceedtech.net> wrote:
>> Kevin O'Gorman wrote:
<snip>
>
> That helps some, but in net-firewall I'm finding a lot of unstable
> packages, and no really good idea which ones will be the best for a
> personal firewall, let alone which ones are best supported upstream so
> this doesn't happen to me again. So I'm interested in
> recommendations. What did you switch to?
>
> ++ kevin
>
I never used firestarter, but I have used and would recommend shorewall.
* Re: [gentoo-user] Wha' hoppen to firestarter?
From: John J. Foster @ 2007-06-06 14:10 UTC
To: gentoo-user
On Wed, Jun 06, 2007 at 06:35:18AM -0700, Kevin O'Gorman wrote:
>
> That helps some, but in net-firewall I'm finding a lot of unstable
> packages, and no really good idea which ones will be the best for a
> personal firewall, let alone which ones are best supported upstream so
> this doesn't happen to me again. So I'm interested in
> recommendations. What did you switch to?
>
I've been using net-firewall/fwbuilder for a few years with no issues. I
also find it pretty easy to use. Plus, it will also write rules for a
Linksys WRT54G running openwrt.
festus
--
It is not unusual for those at the wrong end of the club to have a
clearer picture of reality than those who wield it.
Noam Chomsky
* Re: [gentoo-user] Wha' hoppen to firestarter?
From: Dave Jones @ 2007-06-06 14:21 UTC
To: gentoo-user
Jorge Almeida wrote on 06/06/07 15:59:
>> That helps some, but in net-firewall I'm finding a lot of unstable
>> packages, and no really good idea which ones will be the best for a
>> personal firewall, let alone which ones are best supported upstream so
>> this doesn't happen to me again. So I'm interested in
>> recommendations. What did you switch to?
I use fwbuilder. It's a drag and drop iptables front-end which builds
firewall scripts. fwbuilder works very well once you've figured out
defining and manipulating your firewall objects. The documentation is
very sparse.
It does miss the immediacy of the firestarter GUI though.
Cheers, Dave
* Re: [gentoo-user] Wha' hoppen to firestarter?
From: Dale @ 2007-06-06 16:55 UTC
To: Kevin O'Gorman, gentoo-user
Kevin O'Gorman wrote:
> On 6/5/07, Dale <dalek@exceedtech.net> wrote:
>> Kevin O'Gorman wrote:
>> > I had firestarter-1.0.3 emerged for quite some time. I hadn't really
>> > used it, but I'm a bit surprised now to find that it's interfering
>> > with normal emerges because it's got a big red "M" smacked on it.
>> >
>> > I suppose that means there's a problem with it, and it's explained in
>> > some forum or list that I don't normally get. But now I'd like a
>> > clue: what's the {prognosis, workaround, fix, alternative}. As I
>> > mentioned, I hadn't really started to use it, but I'd like to have a
>> > better firewall tool than building iptables scripts in vim.
>> >
>>
>> This is from the Gentoo dev list.
>>
>> > The upstream development for firestarter has been dead for some time
>> > (last news update Jul 31 2005). Recent changes to the netfilter code
>> > in the kernel have caused firestarter not to work (see bug #179792).
>> > That bug has a patch that fixes that particular problem but the fact that
>> > upstream is dead, the several other open bugs about firestarter and the
>> > fact that I no longer use it myself mean I'm masking it for removal.
>> >
>> > I feel there are several good alternatives in net-firewall/ to use as
>> > replacements for the iptables-generating aspect of firestarter. If someone
>> > would like to pick up and maintain this package, they're welcome to it,
>> > otherwise, I'll remove it in thirty days.
>> >
>> > Michael Sterrett
>> > -Mr. Bones.-
>>
>> So, if you like firestarter, better say something pretty soon. ;-)
>>
>> That help any??
>>
>> Dale
>
> That helps some, but in net-firewall I'm finding a lot of unstable
> packages, and no really good idea which ones will be the best for a
> personal firewall, let alone which ones are best supported upstream so
> this doesn't happen to me again. So I'm interested in
> recommendations. What did you switch to?
>
> ++ kevin
>
I haven't crossed the switching bridge yet. I use iptables myself. I
just browse around and "steal" someone else's script or rules. :D
Dale
:-) :-) :-)
* Re: [gentoo-user] Wha' hoppen to firestarter?
From: Mick @ 2007-06-06 18:47 UTC
To: gentoo-user
On Wednesday 06 June 2007 15:10, John J. Foster wrote:
> On Wed, Jun 06, 2007 at 06:35:18AM -0700, Kevin O'Gorman wrote:
> > That helps some, but in net-firewall I'm finding a lot of unstable
> > packages, and no really good idea which ones will be the best for a
> > personal firewall, let alone which ones are best supported upstream so
> > this doesn't happen to me again. So I'm interested in
> > recommendations. What did you switch to?
>
> I've been using net-firewall/fwbuilder for a few years with no issues. I
> also find it pretty easy to use. Plus, it will also write rules for a
> Linksys WRT54G running openwrt.
I've also tried fwbuilder out (a pain to set up with ssh and what not), but
for some reason the naked truth of iptables and a little script I gradually
knocked up has prevailed as my chosen method of managing my firewalls.
Full transparency as to what goes in and what comes out.
PS. I found a pdf manual of fwbuilder somewhere in their website and it was
quite detailed and very helpful. Strongly recommended for anyone who starts
fiddling with it.
--
Regards,
Mick
* Re: [gentoo-user] Wha' hoppen to firestarter?
From: David Snider @ 2007-06-07 16:25 UTC
To: gentoo-user
Mick wrote:
>>> packages, and no really good idea which ones will be the best for a
>>> personal firewall, let alone which ones are best supported upstream so
>>> this doesn't happen to me again. So I'm interested in
>>> recommendations. What did you switch to?
>>>
I switched to shorewall and have been very pleased with its performance.
* Re: [gentoo-user] Wha' hoppen to firestarter?
From: Roy Wright @ 2007-06-14 20:19 UTC
To: gentoo-user; +Cc: Dale
Kevin O'Gorman wrote:
> That helps some, but in net-firewall I'm finding a lot of unstable
> packages, and no really good idea which ones will be the best for a
> personal firewall, let alone which ones are best supported upstream so
> this doesn't happen to me again. So I'm interested in
> recommendations. What did you switch to?
>
I just switched to shorewall. I configured it to only allow in SSH,
but have one weirdy when I try to test using nmap -v -A -P0 in that
sometimes nmap reports only port 22 open and 113 closed as expected,
but other times it also reports ports 80, 554, and 1755 open, which
has me really confused and concerned.
One word of advice on using shorewall, compile the netfilter options
in your kernel as modules, not directly linked in... That one led
me on a merry chase until I punted and switched to using modules...
HTH,
Roy
* Re: [gentoo-user] Wha' hoppen to firestarter?
From: Mick @ 2007-06-15 6:52 UTC
To: gentoo-user
On Thursday 14 June 2007 21:19, Roy Wright wrote:
> I just switched to shorewall. I configured it to only allow in SSH,
> but have one weirdy when I try to test using nmap -v -A -P0 in that
> sometimes nmap reports only port 22 open and 113 closed as expected,
> but other times it also reports ports 80, 554, and 1755 open, which
> has me really confused and concerned.
What does netstat -anop report on such occasions?
To see the status of all of your ports within a given range try something
like:
# nmap -v -A -T4 -P0 -p 1-1755 <ip_address>
for scanning all ports between 1 and 1755.
--
Regards,
Mick
* Re: [gentoo-user] Wha' hoppen to firestarter?
From: Arturo 'Buanzo' Busleiman @ 2007-06-15 11:52 UTC
To: gentoo-user
Roy Wright wrote:
> but other times it also reports ports 80, 554, and 1755 open, which
> has me really confused and concerned.
Typical case when you scan from behind your ISP's NetApp NetCache appliance. Same thing happens in
Argentina when using Fibertel ISP. I scan a server, and 80, 554 and 1755 are open, when in fact
they're not. That's because you're behind a transparent proxy. It might be a different issue, but
I'd try scanning from different ISPs, or from another box in the same LAN.
--
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Free Music: http://www.buanzo.com.ar/files/buanzo-ultimamente.ogg
Consulting and Secure Mail Hosting: http://www.buanzo.com.ar/pro/
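The last two replies suggest comparing what the scan reports with what the host itself is listening on. The following is an added example, not code from the thread: it takes the port table from an nmap run and `netstat -ant` output from the scanned host and marks each port reported open as either backed by a reachable local listener or not, the latter being what an on-path device such as a transparent proxy would produce. Both sample inputs, the addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample: port table from an nmap run like the one in the thread.
NMAP_OUT = """\
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
113/tcp  closed auth
554/tcp  open   rtsp
1755/tcp open   wms
"""

# Constructed sample: `netstat -ant` taken on the scanned host itself.
NETSTAT_OUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED
"""

LISTENING = "listening on host"
NO_LISTENER = "no reachable listener on host"
LOOPBACK = ("127.", "::1")


def scan_open_ports(nmap_text):
    """TCP ports whose state is exactly 'open' in nmap's port table."""
    pattern = r"^(\d+)/tcp\s+open(?:\s|$)"
    return {int(m.group(1)) for m in re.finditer(pattern, nmap_text, re.M)}


def local_listeners(netstat_text):
    """Map each listening TCP port to the set of addresses it is bound to."""
    listeners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            listeners.setdefault(int(port), set()).add(addr)
    return listeners


def classify(nmap_text, netstat_text):
    """Verdict for every port the scan reported open."""
    listeners = local_listeners(netstat_text)
    verdicts = {}
    for port in sorted(scan_open_ports(nmap_text)):
        # A socket bound only to loopback cannot answer a remote scan.
        reachable = {a for a in listeners.get(port, set())
                     if not a.startswith(LOOPBACK)}
        verdicts[port] = LISTENING if reachable else NO_LISTENER
    return verdicts


if __name__ == "__main__":
    for port, verdict in classify(NMAP_OUT, NETSTAT_OUT).items():
        print(f"{port}/tcp: {verdict}")
```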