Very Computer

Hello,

I am about to get a DSL which I want to share on my local net. My client
hosts are about 10, all of them Windows machines.

So, I want to setup a dual-hommed Linux box which will share my DSL to my
local net and also act as a firewall.

Which do you believe is the best distribution of Linux for such a use? I
know that more or less each distribution offers the same tools, but I would
like to know if any of them offers more tools towards my above need.

Regards,
-n-

well if you want to do this with linux make sure you have a very very
hardened linux installation, run no services on it whatsoever, unless you
absolutly need to, then you ought to be fine. The key to securing anything
is to remove every possible doorway. Dont run apache, dont run proftp,
dont run anything unless you absolutly have to. there are some additional
packages to harden the kernel (prevent stack smashing attacks). Goto
insecure.org and read up on any exploitable software, and make sure if
anything you run is on that list, you fix it. Download and install nmap
and scan yourself to see what you have open. The said, go for a
minimalistic distro, dont install mandrake, or redhat (sorry guys), they
arent built for being a server. I would go with a nice simple,
minimalistic installation, since all you're gonna run is ipf anyways, why
have anything but a console, and some basic apps, you may consider going
with 2.2 series kernel (depending on what you need), they tend to be more
stable then the newer ones, not that linux is unstable, but if you are
making a firewall, you want a rock.  IMHO, linux is not the OS of choice
for building a firewall. I plan on using my freeBSD as a router, why? the
BSD's are better suited for server environments, they are by far more
stable by the way they are developed. openBSD is remored to be one of the
most stable server setups availible. At my work we have a half dozen
servers, our http proxy runs squid on openBSD and typically stays up for
months at a time. free and open just seem to be more designed for a quiet
server setup. fwiw most appliance computers (snap server, hubs, etc) run
some variation on the BSD's.

If you still are convinced linux is the OS you want for your router, goto
www.linux.org pick out a nice small distro, install it bare except for a
compiler and gmake, then build ipfilter, and setup the kernel to route
packets for you (thus the same for freeBSD).

On Thu, 16 May 2002 10:21:13 +0300 in comp.os.linux.networking,

Quote:> So, I want to setup a dual-hommed Linux box which will share my DSL to my
> local net and also act as a firewall.

> Which do you believe is the best distribution of Linux for such a use?

I use Coyote Linux for my firewall:

  http://www.coyotelinux.com

It's a single-floppy distribution specifically designed for the purpose
of playing firewall, and it has no extraneous services running at all.

--

      OS/2 + Linux + BeOS + FreeBSD + Solaris + WinNT4 + Win95 + DOS
      + PC/GEOS + Fusion + vMac + Executor = PC Hobbyist Heaven! :-)
                   The Theorem Theorem: If If, Then Then

Quote:>Hello,

>I am about to get a DSL which I want to share on my local net. My client
>hosts are about 10, all of them Windows machines.

>So, I want to setup a dual-hommed Linux box which will share my DSL to my
>local net and also act as a firewall.

>Which do you believe is the best distribution of Linux for such a use? I
>know that more or less each distribution offers the same tools, but I would
>like to know if any of them offers more tools towards my above need.

>Regards,
>-n-

IPCOP is a purpose built router/firewall distro with squid proxy,
snort intrusion detection and web based gui admin.

All the hard work is done for you . www.ipcop.org

Well,

thanks to everybody for the detailed and precise answers.

I think I will go with Linux, and I will first try the IPCOP which looks
very promising and interesting.

Thanks again!
-n-

Quote:> Hello,

> I am about to get a DSL which I want to share on my local net. My client
> hosts are about 10, all of them Windows machines.

> So, I want to setup a dual-hommed Linux box which will share my DSL to my
> local net and also act as a firewall.

> Which do you believe is the best distribution of Linux for such a use? I
> know that more or less each distribution offers the same tools, but I
would
> like to know if any of them offers more tools towards my above need.

> Regards,
> -n-

Most of the firewall docs lean toward Redhat, but they can usually be
applied to other distros.  For example, I followed the instructions in
"Pocket" ISP based on Redhat Linux HOWTO
http://www.linuxdoc.org/HOWTO/ISP-Setup-RedHat-HOWTO.html
to build my Slackware firewall.

It's not so much which distro is best for a fireall., as which one is best
for you.

--

All the facts above are true, except for the ones I made up.

james.knott.

Quote:> Hello,

> I am about to get a DSL which I want to share on my local net. My client
> hosts are about 10, all of them Windows machines.

> So, I want to setup a dual-hommed Linux box which will share my DSL to my
> local net and also act as a firewall.

> Which do you believe is the best distribution of Linux for such a use? I
> know that more or less each distribution offers the same tools, but I would
> like to know if any of them offers more tools towards my above need.

This is a scenario where "less is more."

Security is obtained by having nothing left on the system for would-be
intruders to try to crack.

You _don't_ want X running; you _don't_ want GNOME, KDE, and such.

All you want is some limited set of network services, likely
including:
 a) A Squid proxy;
 b) Roaring Penguin PPPoE;
 c) _Maybe_ an SMTP server;
 d) If you know you want to administer from outside, sometimes,
    install sshd.

The usual "big names" of Red Hat, Mandrake, and SuSE tend to install
everything including the marching band, which is acceptable so long as
you then proceed to "rpm -e" anything that looks like it could be part
of the marching band.

I run a pretty stripped down Debian on my firewall box; that has the
merit of allowing me to use the "apt-get" tools to easily keep it up
to date vis-a-vis security updates.  That's pretty valuable...
--

http://www.cbbrowne.com/info/nonrdbms.html
ITS is a hand-crafted RSUBR.

Quote:> Hello,

> I am about to get a DSL which I want to share on my local net. My client
> hosts are about 10, all of them Windows machines.

> So, I want to setup a dual-hommed Linux box which will share my DSL to my
> local net and also act as a firewall.

> Which do you believe is the best distribution of Linux for such a use? I
> know that more or less each distribution offers the same tools, but I
would
> like to know if any of them offers more tools towards my above need.

> Regards,
> -n-

Alternatively, if you want something easier/simpler to install try IPCop or
Smoothwall (my personal choice would be IPCop www.ipcop.org). Or look at
bastille linux for a util which will help to harden a standard linux
installation. Of course, if you've got the knowledge and experience to build
the firewall yourself, go for it :-)

Followups to col.networking.

Yeah, just about any distro can be configured to work well as a
firewall.  The only edge one really has over another is ease of
configuration and maintenance.  

For example, you want the smallest possible set of installed
applications on your firewall to reduce the chances of some
interaction opening a security hole.  If you start with one of the
main distros you may need to do a lot of uninstalling in order to get
rid of all the cruft.  And the more stuff you need to remove, the more
likely you are to miss something.  So my personal preference is to
pick a distro that lets you choose to install almost nothing, then
selectively add packages later.

--

"Last I checked, it wasn't the power cord for the Clue Generator that
was sticking up your ass." - John Novak, rasfwrj

i suggest you all check out www.smoothwall.org.  everything you have
all asked for, in a hardened ready to rock easy to install linux
firewall/router distro.  web managed (from the inside), DNS (for the
inside), ipchains, firewall logging, conduits, pinholes, DynDNS
support for your DHCP'd ip addres, DHCP server for your inside lan,
traffic graphs, latest 2.2.0 kernel, great ASDL modem support
(includeing PPoE and USB), vpn support to connect to *theoretically*
any IPSec destination, and up to 3 interfaces.

ive scanned my smoothwall from the outside, and nmap just says wtf?

[...]

Quote:> ive scanned my smoothwall from the outside, and nmap just
> says wtf?

Hmmmm, just a simple, freely-available "script-kiddie" tool reports:
----------------------------------------
Port scanning target address 216.61.198.245
Port 1 tcpmux is Firewalled
Port 2 compressnet is Firewalled
Port 3 compressnet is Firewalled
Port 4 is Firewalled
Port 5 rje is Firewalled
Port 6 is Firewalled
Port 21 ftp is open
Port 22 ssh is open SSH-2.0-OpenSSH_3.1p1
Port 23 telnet is Firewalled
Port 25 smtp is open hermes.dfwlp.com ESMTP Sendmail 8.11.6/8.11.6
Port 110 is open +OK Qpopper (version 4.0.3) at hermes.dfwlp.com
Port 121 erpc is Firewalled
Port 249 is Firewalled
Port 361 semantix is Firewalled
Port 486 sstats is Firewalled
Port 605 is Firewalled
Port 709 entrustmanager is Firewalled
Port 831 is Firewalled
Port 952 is Firewalled
Port 3389 msrdp is open
Port 10000 is open Webmin SSL Login Username/Password
Port 65001 is open
Port 65006 is open
Port 65007 is open
----------------------------------------

I didn't use any of the more informative professional tools because I'm off
work right now.

Do the above mean the same as "wtf" does to nmap?

             tony

I built my firewall using Slackware, and those nmap web scan sites give up,
as they can't find anything.

--

All the facts above are true, except for the ones I made up.

james.knott.

What does mine show?

--

All the facts above are true, except for the ones I made up.

james.knott.