Very Computer

> > First question: will I be able to use Linux as a firewall inbetween
> > a CISCO router (which we don't have access to) and our LAN?

> Yes.

> > Second: if the first answer is Yes, which version of Linux is
> > better to use for the firewall purpose. I'm not planning using
> > it for anything else. The hardware is P-233MMX/64MB/6GB

> Linux 2.2.x supports ipchains.  ipchains is mature and reliable.
> With it you can implement a good packet filtering firewall.
> Multicast does not get special treatment and is therefore supported.

> Linux 2.4.x also supports ipchains.  In addition it has the new
> netfilter code which supports filtering on the state of a connection
> as well as the previous capabilities.  The netfilter user-space
> interface is called iptables.  Multicast is NOT supported, in fact
> at present, multicast packets are simply dropped.

> ipchains and netfilter (iptables) have very different architectures.
> Migrating to netfilter is *NOT a rule for rule translation* .
> ipchains and netfilter are not compatible, you choose to load one or
> the other.

> IMO, netfilter is not yet ready for prime time, certainly not if you
> use multicast.

> --
> Manfred
> ---------------------------------------------------------------
> ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

>We don't use multicast, we just need our email server to communicate with
>email gateway and a few users to be able to access some other IP services.

>I'm familiar with CISCO access lists. Does Linux work the same way? I mean
>does it allow restricting particular ports, not just IP addresses?

>I'm a little confused about the version. I can see RedHat, Mandrake, Debian,
>etc.You're talking about 2.2.x and 2.4.x. I guess the question is which
>distro is better for our needs?

> We don't use multicast, we just need our email server to communicate
> with email gateway and a few users to be able to access some other
> IP services.

> I'm familiar with CISCO access lists. Does Linux work the same way?
> I mean does it allow restricting particular ports, not just IP
> addresses?

> > Thanks Manfred,

[SNIP]
> > I'm a little confused about the version.

> The only versions that matter are the Linux kernel version (what I
> referred to) and the versions of the important libraries (libc).

> Distros really only differ in the decorations they add and the
> security compromises they introduce.

> > I can see RedHat, Mandrake, Debian, etc.  I guess the question is
> > which distro is better for our needs?

> None of the main distros are any good for a firewall.  They are
> feature driven and bloated, at least out of the box, they also install
> all sorts of things that compromise security.  Try not to run any
> servers on the firewall box.  Certainly don't run linuxconf, sendmail
> or bind.  A firewall also should not have program development support
> (why give tools to a cracker?) and it does not need big-time scripting
> support (perl).  Man pages and other docs are also not necessary.

> > > Thanks Manfred,

> [SNIP]
> > > I'm a little confused about the version.

> > The only versions that matter are the Linux kernel version (what I
> > referred to) and the versions of the important libraries (libc).

> > Distros really only differ in the decorations they add and the
> > security compromises they introduce.

> > > I can see RedHat, Mandrake, Debian, etc.  I guess the question is
> > > which distro is better for our needs?

> > None of the main distros are any good for a firewall.  They are
> > feature driven and bloated, at least out of the box, they also install
> > all sorts of things that compromise security.  Try not to run any
> > servers on the firewall box.  Certainly don't run linuxconf, sendmail
> > or bind.  A firewall also should not have program development support
> > (why give tools to a cracker?) and it does not need big-time scripting
> > support (perl).  Man pages and other docs are also not necessary.

> *nods*
> The only 'main' distro I would recommend would be Slackware since you
> can have full control of what is installed. But then if you want 2.4x
> kernel (iptables) you'd have to get into recompiling, which is usually
> a good idea anyway (i.e. Openwall patch, monolithic, etc). Come to
> think of it, is 2.4 actually included in any stable release distro yet?
> Astaro has a security specific distro which I haven't had a chance yet
> to setup and play with.

> > If you need remote admin, install ssh and rsync.

> > Consider logging to a separate host or at least put /var on a
> > separate partition.

> > Implement a means of intrusion detection.  F.e. a procedure to
> > periodically check binaries and config files against read-only
> > media.  Or install tripwire.

> I like Snort for IDS. Especially since it can monitor the whole
> subnet. =)

> > You could look at the Linux Router Project or other singe/dual floppy
> > Linux distros.  Or install Debian on another system and just copy the
> > bare minimum of files over to the firewall host.  If it doesn't fit
> > inside 10MB it is too big.  ;)

> Coyote is, IMHO, a good package built on LRP. I currently have a couple
> clients using it for a masq firewall.

> > A lean and mean installation is also very easy to re-install should
> > the need arise.  Just keep a full image on a CD or ZIP disk.

> > --
> > Manfred
> > ---------------------------------------------------------------
> > ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

> --
> --------------------------------------------------------------
> Tom Johnson
> - Applied Computer Systems, LLC

> [Insert standard disclaimer here]

> ls /dev/fridge/ | grep "Mountain Dew" > /dev/HID0
> --------------------------------------------------------------

> I am not sure what you mean by having both NICs on the same subnet.
> A router breaks up broadcast domains, and that automatically breaks up
> your network; one side of router will have one broadcast address while
> the other side will have another. If you want to have same broadcast
> address on both sides, you should use a switch or a bridge instead
> of a router. Putting router there will surely*up your network.

> > Another question which is probably more of a general networking but
maybe
> > you could help. As I mentioned I don't have access to that router. I
have
> > another one for Internet and it's a default gateway. It has static route
> > entries for subnets behind the uncontrollable router. Now the question.
When
> > I install a Linux firewall, it should have both NICs on the same subnet.
> > Will the firewall be transparent for the uncontrollable router (for
allowed
> > services)? Will it work at all with both NICs on the same subnet?

> 1. How many public IP addresses do you have?
> 2. How many public servers?
> 3. how many hosts total?

> --
> Manfred
> ---------------------------------------------------------------
> ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

> > ... The NIC on the router side cannot have different than our
> > subnet address ...

> That is only true if that host itself needs to access the public
> Internet or if it needs to masquerade for some other hosts.
> Otherwise you can give it a private address such as 192.168.1.1
> and it will still work as intended.

> --
> Manfred
> ---------------------------------------------------------------
> ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

>First question: will I be able to use Linux as a firewall inbetween a CISCO
>router (which we don't have access to) and our LAN?