Very Computer

I'm upgrading my home server from Redhat 6.1 to SuSE 8.0 mainly so I
can take advantage of the improved packet filtering.  The existing
server uses a fairly standard setup: Dialup ISP, IPCHAINS firewall
from Robert Ziegler's book, Internet sharing among Windows boxes, file
sharing with Samba, Setiathome, not much else.

My security books (Ziegler, Toxen) tell me that the firewall shouldn't
be on the same box as Samba and other important stuff.  Okay, I have
an old Pentium 133 box with 64MB RAM that I've installed SuSE 8.0 on,
and I could use that as a separate firewall box.

Is my understanding of the physical interface correct?
* Modem on serial port to the Internet.
* Ethernet card with "null hub" (reverse) cable to eth1 on the main
server.
* eth0 on the main server to the home network switch.
* Different networks for the firewall box and the main server (e.g.,
192.168.1.1 for the server and 192.168.2.1 for the firewall).

If this is correct, what does it buy me?  I assume the separate
networks improve security, but I'm lost beyond that.  All the diagrams
I've seen for a DMZ show Web servers and stuff off to the side between
the firewall and the rest of the LAN, but this doesn't really apply to
my setup.

Is there any benefit to installing a second machine as a standalone
firewall, or should I just continue with my current setup where the
firewall is on the main server?

TIA for any advice.

Mike

-----
Mike Dodd  (remove 'xspam.' when emailing)

-----------== Posted via Newsfeed.Com - Uncensored Usenet News ==----------
   http://www.newsfeed.com       The #1 Newsgroup Service in the World!
-----= Over 100,000 Newsgroups - Unlimited Fast Downloads - 19 Servers =-----

 just make sure your rules on the external interface block all the services you run to the internal network.  also, if you have that other box anyway you could make it the firewall. check out www.openbsd.org. best firewall there its.

The reason for a separate firewall, is that everything else that's run on
the firewall, increases the potential for a security hole.

--

All the facts above are true, except for the ones I made up.

james.knott.

Quote:> I'm upgrading my home server from Redhat 6.1 to SuSE 8.0 mainly so I can
> take advantage of the improved packet filtering.  The existing server
> uses a fairly standard setup: Dialup ISP, IPCHAINS firewall from Robert
> Ziegler's book, Internet sharing among Windows boxes, file sharing with
> Samba, Setiathome, not much else.

> My security books (Ziegler, Toxen) tell me that the firewall shouldn't
> be on the same box as Samba and other important stuff.  Okay, I have an
> old Pentium 133 box with 64MB RAM that I've installed SuSE 8.0 on, and I
> could use that as a separate firewall box.

> Is my understanding of the physical interface correct? * Modem on serial
> port to the Internet. * Ethernet card with "null hub" (reverse) cable to
> eth1 on the main server.
> * eth0 on the main server to the home network switch. * Different
> networks for the firewall box and the main server (e.g., 192.168.1.1 for
> the server and 192.168.2.1 for the firewall).

> If this is correct, what does it buy me?  I assume the separate networks
> improve security, but I'm lost beyond that.  All the diagrams I've seen
> for a DMZ show Web servers and stuff off to the side between the
> firewall and the rest of the LAN, but this doesn't really apply to my
> setup.

> Is there any benefit to installing a second machine as a standalone
> firewall, or should I just continue with my current setup where the
> firewall is on the main server?

Hardware routers are dirt cheap and easier to administer than a Linux
firewall. I was using a Redhat 7.1 box as my firewall/router but I
switched to a Linksys router. The Linksys router combines a wireless
access point, an ethernet switch and a Cable/DSL port with a very easy to
administer router, all for $150.

Since you're beginner,
    - put everything on the main server -- it's cheaper, less space, less
      maintenance, and, most of all, easier to learn.
    - or, get dedicated firewall/router (ie. Linksys) -- just plug in and
      turn it on.

Separate boxes makes sense if there are more than one person at the site,
one person deals with admin, another deals with Web, etc.  But, this has
nothing to do with security.  For you, time is better spent in learning to
configure your machine correctly.  :-)

--

8-CPU Cluster, Hosting, NAS, Linux, LaTeX, python, vim, mutt, tin

Well, I didn't really say I was a beginner.  In fact, my existing
server is fairly well configured (unnecessary services turned off,
working firewall in place, Samba/NFS configured, etc., etc.).

The reason I asked about the benefits of a dual-homed firewall is that
I have the opportunity to learn more about _security_  and am
wondering if there's any real benefit to a home network such as I
described.

Quote:>Separate boxes makes sense if there are more than one person at the site,
>one person deals with admin, another deals with Web, etc.  But, this has
>nothing to do with security.  For you, time is better spent in learning to
>configure your machine correctly.  :-)

This seems to contradict what I've read and heard about a dual-homed
firewall.  My understanding is that it has _everything_ to do with
security.  If a cracker gets past the firewall on a single machine,
she has access to everything else on that machine.  Not so on a
dual-homed setup.

But what sort of attacks will a dual-home setup prevent?  Where's the
balance between additional security to my home network and the extra
work of maintaining the second box?  That's the kind of information
I'm looking for.

Mike

-----
Mike Dodd  (remove 'xspam.' when emailing)

-----------== Posted via Newsfeed.Com - Uncensored Usenet News ==----------
   http://www.newsfeed.com       The #1 Newsgroup Service in the World!
-----= Over 100,000 Newsgroups - Unlimited Fast Downloads - 19 Servers =-----

Improved packet filtering in suse 8.0? what feature are you missing in
your 6.1 ?

Quote:> My security books (Ziegler, Toxen) tell me that the firewall shouldn't
> be on the same box as Samba and other important stuff.  Okay, I have an
> old Pentium 133 box with 64MB RAM that I've installed SuSE 8.0 on, and I
> could use that as a separate firewall box.

While that may be true for an enterprise level setup, for a
residential one, separate computers is..er.. overkill. Run it all on one
damn machine, and configure it so that people who have no business
accessing a service cannot. You can stop them with the firewall, tcp
wrappers, then the authentication etc.Just keep tabs on the developments
on your chosen daemons.

Quote:> Is my understanding of the physical interface correct? * Modem on serial
> port to the Internet. * Ethernet card with "null hub" (reverse) cable to
> eth1 on the main server.
> * eth0 on the main server to the home network switch. * Different
> networks for the firewall box and the main server (e.g., 192.168.1.1 for
> the server and 192.168.2.1 for the firewall).

yes, if you want a dedicated "firewall" box.

No otherwise. Modem to serial port . ethernet card thru straight cable to
hub port.
Other computers connected to hub. Or switch.

Quote:> If this is correct, what does it buy me?  I assume the separate networks
> improve security, but I'm lost beyond that.  All the diagrams I've seen
> for a DMZ show Web servers and stuff off to the side between the
> firewall and the rest of the LAN, but this doesn't really apply to my
> setup.

One more barrier the attacker has to get past, and possibly time. The
first machine would trigger alarms and let you know, I guess, before the
attack penetrates to your firewall..

Quote:> Is there any benefit to installing a second machine as a standalone
> firewall, or should I just continue with my current setup where the
> firewall is on the main server?
> TIA for any advice.

> Mike

> -----
> Mike Dodd  (remove 'xspam.' when emailing)

> -----------== Posted via Newsfeed.Com - Uncensored Usenet News
> ==----------
>    http://www.newsfeed.com       The #1 Newsgroup Service in the World!
> -----= Over 100,000 Newsgroups - Unlimited Fast Downloads - 19 Servers
> =-----

RedHat 6.1 is a 2.2 series kernel. It has ipchains. I assume SuSE 8.0
has a 2.4 series kernel with iptables?
--
Rob Pearce

The "from" must be wrong, nothing that helpful ever comes from the TAN team!

(snip)

I've just set up a similar network, after having my main machine doing
the internet serving.  I felt unhappy about having the firewall on one
machine doing the only security.

I set up an old machine with mndk 8.2, the same disto as all the other
machine and one I am more famiiar with.  This machine will accept
connection from the rest of the network but does not know (i think!) the
ip numbers of the other machines on the network.

I used InteractiveBastille to configure iptables, tests at gmc and
sygatech show I am presently safe.

The only service I am deliberately running on the firewall is sshd so I can
configure the headless machine from anywhere on the lan.

I feel safer doing this and it did'nt cost me anything!
--
andrew joseph
using linux mandrake 8.2, hardened with Bastille ... which is nice!

Correct.

Yes, I could have (and did) try Red Hat 7.1 and 7.2 Professional, but
became discouraged with their non-standard gcc as well as never being
able to get Gnome to work correctly, after replacing nearly everything
in the box (mobo, power supply, RAM, video, hard drive).

Mike

-----
Mike Dodd  (remove 'xspam.' when emailing)

-----------== Posted via Newsfeed.Com - Uncensored Usenet News ==----------
   http://www.newsfeed.com       The #1 Newsgroup Service in the World!
-----= Over 100,000 Newsgroups - Unlimited Fast Downloads - 19 Servers =-----

Thanks to everyone who offered information and advice on this topic.

I'm leaning toward the single-box setup (which is what I already
have).  Since I switched ISPs from one of the biggies with well-known
address blocks to a tiny one out here in the country, my existing
firewall hasn't logged any dropped packets, so I figure that's a major
improvement.

So I'll configure an iptables firewall and put it on the new SuSE 8.0
server along with everything else.

Again, thanks to all.

Mike

-----
Mike Dodd  (remove 'xspam.' when emailing)

-----------== Posted via Newsfeed.Com - Uncensored Usenet News ==----------
   http://www.newsfeed.com       The #1 Newsgroup Service in the World!
-----= Over 100,000 Newsgroups - Unlimited Fast Downloads - 19 Servers =-----