Mandrake SNF

Jonathan Hutchins hutchins at opus1.com
Fri Apr 5 19:06:50 CST 2002


I built a Mandrake SNF box last night.  "SNF" stands for different things
depending on what you're reading, Single Network Firewall, Secure Network
Firewall, etc.

It's a pre-configured Mandrake 7.2 system with a browser-based configuration
system for building a firewall/NAT Router on a Pentium-or-better PC.
Requires less than 1G of HD, 32M of RAM (64 recommended), VESA 2 VGA.

I used one of my old Compaq DeskPro 2000 Pentium 120's with 32 Meg of RAM.
Once I updated the BIOS so that it would boot from the CD, it only took
about 30 minutes to install.  This is a single CD installation, vs two or
three for the standard Mandrake install.  Source is on a second CD.  Biggest
problem is figuring out which of the two (identical) NICs is supposed to be
the internal and which is the external.  There isn't a "package selection"
stage in the install, which makes it quicker.  I used the "Auto Allocate"
function for disk partitioning, and it created more partitions than I've
seen since RedHat 2x.

Once installed, you are advised to use the Web interface for configuration.
Most of the standard text files have comments that say "DO NOT MODIFY
DIRECTLY, THIS FILE WILL BE OVERWRITTEN".  There is no clear pointer to what
overwrites them, and I had some trouble when I figured out that I'd used a
bad IP address on the internal NIC.

The browser interface is very good, and very attractive.  I started out
using Lynx from the main console, and it was noticeably slow, and somewhat
clumsy, but I did get the NIC re-addressed.  Once I was on the network, I
went to my Windows workstation for further exploration.  While there's a
quick blurb in the install about using the Browser for further
configuration, I had to use netstat to see what port it was listening on for
localhost, and when I tried to connect from Windows I got nothing.  I
toggled over to another Linux box on the net, tried remote Lynx, and got the
clue: please use SSL (https).  No message displayed on the IE5.5 for some
reason.

Once I connected to the actual GUI Browser interface, things seemed to go
even more quickly than with Lynx.  I'm guessing that this is because the
server has to re-direct each item for a plain-text interface.  The menus and
buttons are well designed and logical, even if there are a few misspellings
(remember, Mandrake is primarily based in France).

The only problem here is the same problem with Microsoft's Small Business
Server - if they didn't think of the option you wanted, you're sunk.  In the
"Network Cards" configuration page, you can set which card is the "admin"
interface.  I presume this tells the config server which card to listen on.
I wanted to set both so that I can configure from work or from home, but
that's not an option, it's either-or.

You can also configure packet forwarding and other ipchains rules.  There's
more flexibility here, as they allow both pre-selected rules and
write-your-own options.  This is good.

I think I can get around the limit on which NIC listens for the GUI by using
SSH to connect from work, then the local Lynx interface to change cards.

There are some nice graphs of network usage, and you can request reporting
of all reedited packets, etc.  I would say that this is pretty close to
being as good an interface as the SMC Barricade, and would be as usable by
non-Linux literate users.  Ultimately, if you can get around the web config
tool overwriting options it doesn't allow, it might be even more flexible
than an SMC for someone who knew what they were doing. Adding things like
Netmeeting pass-through would require some work.

SNF also installs Squid for proxy and caching, but does not configure it by
default.  It includes a DHCP and DNS server.

And that's about all I can tell you after one evening with it.  It's still a
node off the local net with the RH6.2 box serving as the firewall, but I may
put it on line this weekend and see how it does.

