Firewalls & proxy servers for Linux?

Post by Robert Kroe » Thu, 29 Feb 1996 04:00:00
Hi all,

Does anyone out there have any experience with setting up a basic
firewall using a Linux box? I was thinking of setting up a cut-down
Linux box, disabling routing in the kernel, adding shadow passwords
and disabling all tcp/udp services other than SMTP. Then perhaps add
a proxy httpd & ftpd server, and setting up the machines on the
internal net with those non-routed ip addresses such as 10.x.x.x
or something.

Does any of this sound reasonable? And if so, where can I find the
proxy servers I'll need to give web browsers & ftp clients on the
internal network access to the Internet?

Any help, suggestions, ridicule, concerns etc. are welcome.

--
Robert Kroes
http://blaze.net.au/~robkroes


Firewalls & proxy servers for Linux?

Post by Cees de Gro » Fri, 01 Mar 1996 04:00:00

> See the Firewall-HOWTO at the Linux Doc Proj

If the version v0.2, from July 1995, is still the latest one, it is in need
of an update. IMHO, the newer kernels have enough firewalling support to
go without the extra software on which the HowTo concentrates.

(CC'ed to the HowTo author, so he may tell me ``do it yourself'' :-)).

--

OpenLink Software, Inc.


Firewalls & proxy servers for Linux?

Post by Steve Jackso » Sat, 16 Mar 1996 04:00:00


I recently evaluated a 3com 595 and SMC.  The 595 did not work well
with my PCI BIOS, so was returned for 2 more SMC's.

Presently, a PCI 486 server, running 1.3.70 has 2 SMC cards, and
pentium running 1.3.74 has 1.

On both machines, regardless of the shared mem location, I get
conflicts, and they just will not work.

So, can I use this driver in I/O mode (doesn't seem like it), or
where can I find a better diagnostic package than what I have?

BTW, I get this problem with 1 card and just basic I/O ports and
SCSI board in system.  Doesn't matter how much I strip it down.

The setup software will always hang or complain with any
shared mem options.

Any opinions?

Thanx in advance

sj
--


Firewalls & proxy servers for Linux?

Post by Yong Ki » Sat, 16 Mar 1996 04:00:00


[deleted]

> You may want to 'wrap' sendmail with smap from the firewall toolkit at
> ftp.tis.com.  And even though you are not going to offer any other services you
> should still do logging (tcp_wrappers or netacl(from TIS)) and filesystem
> checking (tripwire - coast.cs.purdue.edu).

> As far as proxies you could use ip_masquerading, fwtk gateways, socks, CERN
> http, or Harvest cached.  CERN and Harvest both do caching on top of proxying.

> Rick

I am kinda curious about this.
Has anyone tried this configuration?  (i.e. IP_MASQUERADE + TIS FWTK)
First of all, if you wanna set up a firewall, it seems to be prudent to turn
off ip_forwarding.  All the FAQs I've read suggest turning on ip_forwarding
for ipfw.

Secondly, in a situation where httpd<->ProxyAwareWWWClient session is taking
place through a proxy config, TIS FWTK assumes a set of ip addresses at
the LAN end, and the traffic goes through the ports in the FW.  So where
should the ip_masquerade take place?  My understanding on ipfw is that
the ip address conversion takes place between interfaces.

Do I have this right?

Yong


Firewalls & proxy servers for Linux?

Post by Yong Ki » Wed, 20 Mar 1996 04:00:00



> [deleted]

> Proxy agents, such as the ones with the fwtk, are considered application
> gateways, while ipfw is packet filtering.  ip_masq needs ip_forwarding on so it
> can forward the packets, albeit with a different source address.  Proxies do
> not require that ip_forwarding be on because they listen for requests and
> gather the information themselves, then passing it on to the client.  Packets
> are not forwarded through the box.  If you use proxies you don't need ip_masq
> and vice versa.

> [deleted]

Thanks for your reply, Rick.

My brain needed some cranking.  As I read what you have said, it just
clicked that any IP address behind the firewall is independent from the
one outside of the firewall.

Yong


Firewalls & proxy servers for Linux?

Post by Rick Hic » Wed, 20 Mar 1996 04:00:00




>[deleted]

>> You may want to 'wrap' sendmail with smap from the firewall toolkit at
>> ftp.tis.com.  And even though you are not going to offer any other services you
>> should still do logging (tcp_wrappers or netacl(from TIS)) and filesystem
>> checking (tripwire - coast.cs.purdue.edu).

>> As far as proxies you could use ip_masquerading, fwtk gateways, socks, CERN
>> http, or Harvest cached.  CERN and Harvest both do caching on top of proxying.

>> Rick

>I am kinda curious about this.
>Has anyone tried this configuration?  (i.e. IP_MASQUERADE + TIS FWTK)
>First of all, if you wanna set up a firewall, it seems to be prudent to turn
>off ip_forwarding.  All the FAQs I've read suggest turning on ip_forwarding
>for ipfw.
>Secondly, in a situation where httpd<->ProxyAwareWWWClient session is taking
>place through a proxy config, TIS FWTK assumes a set of ip addresses at
>the LAN end, and the traffic goes through the ports in the FW.  So where
>should the ip_masquerade take place?  My understanding on ipfw is that
>the ip address conversion takes place between interfaces.
>Do I have this right?

Not quite.

Proxy agents, such as the ones with the fwtk, are considered application
gateways, while ipfw is packet filtering.  ip_masq needs ip_forwarding on so it
can forward the packets, albeit with a different source address.  Proxies do
not require that ip_forwarding be on because they listen for requests and
gather the information themselves, then passing it on to the client.  Packets
are not forwarded through the box.  If you use proxies you don't need ip_masq
and vice versa.

You need to decide which you want to use.  IP_masq has some advantages, but it's
my opinion that proxies are more secure since you can turn off ip_forwarding
and not have to worry about too much.  With ip_masq you have to turn on
ip_forwarding and then be very careful to get the rules correct and pray there
are no bugs in the code.

As for me - right now I'm using proxies, but I would consider changing once I
feel comfortable with the code.

Rick

________________________________________
Rick Hicks
Systems Specialist
Hussmann Corporation


Firewalls & proxy servers for Linux?

Post by Joseph S. D. Y » Sat, 27 Apr 1996 04:00:00
There's a good article in the May 1996 LJ on setting up a Linux
firewall.

--