1. What is this Mandrake Security project ?

This is a 100% Free Software project that aims 
at creating an easy-to-use Linux-based 
firewall.
This is both a lightweight Mandrake distribution 
(based on an updated 7.2) and an administration 
tool for network appliances.


2. What can I do with it ?

The main goal is to share Internet access in a 
secure way, but it's also a general-purpose 
two-way firewall/router.

You can use the MandrakeSecurity distribution 
to turn an old PC into a firewall (it's compiled 
for i386 architecture and above).


3. What kinds of interfaces are supported ?

It works with all Ethernet cards supported 
by the 2.2.18 Linux kernel, ADSL modems 
(not USB ones for now), ISDN and RTC (PSTN dial-up) modems.


4. What kinds of services are provided ?

You have the option to :
- share Internet access (masquerading/NAT), even 
for non-Linux computers in your local network
- filter office traffic (outgoing rules with 
bastille-firewall)
- restrict and/or redirect Internet traffic 
(Port Forwarding)
- keep web pages or files in cache (Squid transparent 
or manual proxy)
- restrict access to some sites, disable advertisements 
(Squid Guard)
- automatically set IP addresses of your local computers 
(DHCP server)
- view several logs
- display usage graphs (memory, cpu and network traffic)
- connect to your firewall through secure shell (even 
from your browser with an SSH applet)
- backup and restore your firewall configuration


5. What is the administration tool provided ?

We call it NAAT (network appliances administration tool).
It's both a tool to easily administer an appliance like 
a firewall (the main interface being a web browser), and 
a development framework.


6. How can I use your tool ?

All you need is a web browser to connect to the firewall.
So you can configure it from any computer/operating system 
featuring a web browser.

There's also a console tool that you can use directly on 
the firewall machine itself.


7. Why is your tool a development framework ?

A configuration scenario (for instance, "ADSL configuration") is 
described with an easy-to-understand XML file, which contains 
the pages and the logic to go from page to page.
This scenario is then processed through XSL rules to produce 
an interface (PHP pages for a web interface, for example).

So the scenario is both independent from a particular type 
of User Interface, and from the system configuration backend.

From the frontend point of view, the backend is a set of 
pertinent system parameters, which it can get and set.
When these parameters are modified, the backend generates 
corresponding events that in turn update the system.

The system is updated through the use of 'smart files' that 
take the form of templates (i.e. parameterized system files) 
and scripts for the less obvious tasks. 
The idea of templates was taken from the e-smith distribution, but 
our model is data- (or events-)driven, further isolating the 
frontend from the intricacies of the backend.

With this model, it's relatively easy to develop new scenarios 
to configure particular parts of the system.


8. Why not use Webmin ? Linuxconf ? Ximian setup tools ?

First of all, we didn't want the interface to be merged 
with the backend logic. That way we could have different 
kinds of interfaces more easily, and it's also really 
interesting from a maintenance point of view.

Secondly, we wanted simplicity and extensibility. Both these 
requirements led us to model the system as a limited set 
of pertinent parameters (i.e. we needed a data-driven model), 
which would play the role of the single interface between the 
frontend and the backend.
It was also especially important that administrators could 
get a grasp of the tool easily without having to read the 
code. So the idea of templates (which are really the system files 
with a bit of Perl in them) was a good choice.

Lastly, we needed a tool that would be relatively easy to 
develop with and to add features to. That's why the backend 
uses Perl (for file and string manipulation), and 
the frontend XML and XSL (XML is easy to read and write, 
and XSL is a powerful way to transform this XML into an 
interface, like PHP pages).

Of the tools above, the closest to our needs were 
the Ximian setup tools, and they do have several strong 
points. But our goal was not the same, which led to different 
choices.
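
The data-driven model described in answers 7 and 8, as an added 
sketch (not NAAT code): the frontend only gets and sets parameters, 
each change fires an event, and the event re-renders the templates 
that use that parameter. It is written in Python for illustration 
(the real backend uses Perl). The parameter names, file paths, 
template contents and the validation step are assumptions.

```python
import ipaddress
from string import Template

def ipv4(value):
    # Validator: only a literal IPv4 address passes (ValueError otherwise).
    return str(ipaddress.IPv4Address(str(value)))

def ipv4_net(value):
    # Validator: only an IPv4 network in CIDR form passes.
    return str(ipaddress.IPv4Network(str(value), strict=True))

# The "limited set of pertinent parameters": name -> validator (names assumed).
SCHEMA = {"lan_net": ipv4_net, "lan_ip": ipv4,
          "dhcp_start": ipv4, "dhcp_end": ipv4}

# Constructed "smart file" fragments: path -> (parameters used, template).
TEMPLATES = {
    "/etc/dhcpd.conf": (("lan_ip", "dhcp_start", "dhcp_end"), Template(
        "option routers $lan_ip;\nrange $dhcp_start $dhcp_end;\n")),
    "/etc/rc.d/rc.masq": (("lan_net",), Template(
        "ipchains -A forward -s $lan_net -j MASQ\n")),
}

class Backend:
    def __init__(self, schema, templates):
        self.schema, self.templates = schema, templates
        self.params, self.files = {}, {}   # files: rendered in memory only

    def get(self, name):
        return self.params[name]

    def set(self, name, value):
        # Single entry point for every frontend: validate, store, fire event.
        self.params[name] = self.schema[name](value)
        self._on_change(name)

    def _on_change(self, name):
        # Event handler: re-render only the files that use this parameter.
        for path, (deps, tpl) in self.templates.items():
            if name in deps and all(d in self.params for d in deps):
                self.files[path] = tpl.substitute(self.params)

def demo():
    fw = Backend(SCHEMA, TEMPLATES)
    for name, value in [("lan_net", "192.168.1.0/24"), ("lan_ip", "192.168.1.1"),
                        ("dhcp_start", "192.168.1.100"), ("dhcp_end", "192.168.1.200")]:
        fw.set(name, value)
    try:   # a value carrying extra config lines never reaches a template
        fw.set("lan_ip", "192.168.1.1;\noption routers 10.0.0.1")
        rejected = False
    except ValueError:
        rejected = True
    return fw, rejected
```

Because every interface (web or console) goes through set(), the 
parameter store is the one place where a value can be checked before 
it is written into a system file.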


9. Why didn't you use the 2.4.X kernel ?

2.4 kernels have the powerful netfilter for increased 
security (stateful firewalling), and also an improved 
TCP/IP stack. So we are really interested in integrating 
it in the future.

But what we really wanted was stability (which is a part 
of security), and the 2.4 kernels have not been tested enough 
yet.


10. Do you support a DMZ (Demilitarized Zone) ?

As of now we only support a two-way situation : 
from local network to external network and from 
external network to local network.

So we don't support DMZ, but we support more than 
2 interfaces (if you want to connect more than 
one local network to the Internet for instance).


11. Do you provide an IDS (Intrusion Detection System) ?

We provide Snort in the MandrakeSecurity distribution, 
and may provide Prelude for people interested in testing 
it, but we currently have no interface to configure them.


12. Do you provide VPN (Virtual Private Network) support ?

Not yet.


13. Can I add a DNS server ? an FTP server ? a Mail server ? ...

A DNS server was not included for security reasons. You may add 
it yourself (using the Mandrake 7.2 package recompiled for i386), 
for instance to use a DNS cache.

You may also add any other type of server using updated 
Mandrake 7.2 packages recompiled for i386.


14. Why are the beta ISO images so big ?

First of all because we provided the source packages 
with it, in addition to the binary packages.

We will also reduce the number of packages installed, 
which are still too numerous and take a bit too much 
disk space.


15. Misc

Where can I find URLs lists for SquidGuard ?

Why doesn't my game X work with your firewall ?
Why doesn't application Y work with your firewall ?
Why can't I ping from your firewall ?

ICQ support ? H323 and QuickTime support ?


16. Who are the people working on it ?

Here is the answer to this indiscreet question:

Philippe Libat (team leader, i.e. everyone's scapegoat)
Maurizio de Cecco and Enzo Maggi (original engine and XSL rules, i.e. Italian mafiosi)
Renaud Chaillat (backend and frontend accidental fun)
Florin Grad (DHCP and Squid jedi)
Vincent Saugey (ipchains, logs and monitoring graphs artist, and entertaining agent)

Amaury Amblard-Ladurantie and Helene Durosini (meticulous HTML, PHP, Icons & Design Charter people)

Camille Begnis (patient documentation writer)

e-smith distribution (original templates idea)












