And the Win98 box on the very end is just chugging away fine on the 'net. This is awesome.
[This message has been edited by Strike (edited 18 December 2000).]
TheLinuxDuck
12-18-2000, 06:01 PM
So, just to axe a silly question, why not put the debian firewall box between the cable modem and the NIC on the 98SE box?
I am interested in setting up a firewall box here at work, where are some good resources for a not so educated linux duck, on firewalls?
I guess I should look at the NHF's and see if anything is there.
We've got a wireless internet hookup, which enters our email/web server, then runs to the switch, which everything else plugs into. I wanna know what steps I need to take to set up the box to put between the email/web server and the rest of the world..
I'd like to have a step by step, but some resources would be nice, too. :)
Word.
------------------
TheLinuxDuck
Wait... that's a penguin?!?!?
:wq
Strike
12-18-2000, 07:07 PM
Well, two reasons really:
1 - I'm taking the firewall back with me when I go back to school in a few weeks, so I want to be able to play with it in my own room instead of the room with the cable connection.
2 - I'm not sure how it would work with the cable connection (if the DHCP stuff would work the same, though I imagine it should), and I don't want to cause any downtime in the 'net connection really.
Basically, I'm trying to make this box a totally transparent solution for all sorts of situations. I want it to be a general purpose firewall that can work in a number of different environments. This test was basically to work my dhcpd.conf creating script that I mentioned needing help on in the Programming, Script Depot forum. Before, I was using a 192.168.0.0/16 subnet for my two-box setup at school, which worked just fine. But, then I brought it home where I had already set up the Win98SE ICS stuff to use that same subnet with static IPs that I was using at school as well. So, I wanted to change it to a different private subnet to see if I could get it to work. And, sure enough, it did.
Ultimately, I would like this firewall to be able to do exactly what you suggested - to just move it up or down anywhere in the chain. I just thought that it was really cool how I have added two hops to any Internet site on my own connection (which, though it does slightly decrease connection speed [not noticeably, on cable or at school], is pretty neat if you ask me). I mean, the fact that I can still play games like Counter-strike and Half-Life in spite of the networking rearrangement I've done is just kinda neat and I just wanted to toot my own horn a little bit :D
Strike
12-18-2000, 07:10 PM
Originally posted by TheLinuxDuck:
I am interested in setting up a firewall box here at work, where are some good resources for a not so educated linux duck, on firewalls?
I guess I should look at the NHF's and see if anything is there.
We've got a wireless internet hookup, which enters our email/web server, then runs to the switch, which everything else plugs into. I wanna know what steps I need to take to set up the box to put between the email/web server and the rest of the world..
I'd like to have a step by step, but some resources would be nice, too. :)
Word.
I'm getting some pretty good experience with this, so post here and I can help.
I'm assuming you want a Linux box to handle this. Basically, search around for "firewall", "ipmasq", "NAT", and "ipchains" on Linux Google (http://www.google.com/linux) and you should be well on your way.
TheLinuxDuck
12-19-2000, 03:10 PM
Strike:
Well, I've been doing some reading and research this morning, and so far a lot of it is greek to me. My intelligence only goes to a certain level, then I start to fade.. :)
I will keep reading, and hope that some of this stuff sinks in...
The way we're set up right now.. we've got a linux box that handles the web/email serving, and provides the internal users of the LAN with internet access. It works well.. plus, it has an IP firewall on it.. I just don't think that having the IP firewall on the same machine that has the email and web server is very smart..
I want to stop using the firewall on the box, and put it on a separate box that will forward all requests, etc to http, ftp, ssh (when I set it up) and email, if allowed.
Right now, our linux box is the gateway:
LAN<-->192.168.1.1
            \
             [ ] (current linux box)
                  \
                   1.2.3.4<-->internet
Very easy setup as is. But, when I add the firewall machine into the loop, what IP do I assign it? Does it become 1.2.3.4 and 192.168.1.1, and the current linux box becomes 192.168.1.2 and 192.168.1.3?
I just don't understand what IPs to assign to the new box.. maybe I'm making this out to be more complicated than it should be..
(192.168.1.0)LAN<-->192.168.1.3
                       /
          [ ] (current linux box)
             /
       192.168.1.2<-->192.168.1.1
                              /
                (new firewall box) [ ]
                       /
                  1.2.3.4<-->internet
Is this how I will set up the new box? Do I give the new firewall the currently assigned static IP (1.2.3.4) and make the current linux box be as though it is part of the internal network only? Or, do I give the connection between the new box and the old box their own network, as:
(192.168.1.0)LAN<-->192.168.1.3
                       /
          [ ] (current linux box)
             /
       172.160.1.2<-->172.160.1.1
                              /
                (new firewall box) [ ]
                       /
                  1.2.3.4<-->internet
See, this is the kinda stuff that cornfuses me.. the current box we are running kinda took care of a lot of this stuff for me, and when I try to examine the way it works, I just get cornfused even more.
Yeah, I know, I need to read more, and try this stuff out and see how it works.. but, the more I read, the more I scratch my neanderthalithic head.
Thanks for your patience, Strike!!! :)
milanuk
12-19-2000, 04:16 PM
TheLinuxDuck:
Interesting scenario. I only have linux at home, but I have a couple of questions.
1) Why do you want your email/server box btwn the firewall and the rest of the LAN? Why not something like this:
    Internet
       ^
       |
       v
      eth0
   [firewall]
      eth1
       ^
       |
       |
      HUB<-->[email/server]
       |
       |---->[LAN client 1]
       |
       |---->[LAN client 2]
Or if you want your email/server isolated from the LAN for whatever reason, isn't there a setup for a 'three-legged' scheme like this:
    Internet
       ^
       |
       v
      eth0
   [firewall]eth2<-->[email/server]
      eth1
       ^
       |
       |
      HUB
       |
       |---->[LAN client 1]
       |
       |---->[LAN client 2]
In this scheme, the third 'leg' is where the email server is 'isolated' from the internal LAN. Traffic can go from the Internet to the server, and from the LAN to the server. If you ran Squid on the server, I'd suppose that you could even make it so the internal LAN could _only_ connect to the network via proxy on the server.
Just a few ideas. Worth every penny you paid for them ;)
Monte
------------------
There are basically three kinds of men. There
are the ones who learn by reading. Then there are
the few who learn by observation. The rest just
have to pee on the electric fence for themselves.
[This message has been edited by milanuk (edited 19 December 2000).]
nanode
12-19-2000, 04:24 PM
Have the firewall/gateway box use a DHCP client on eth0 and dhcpd (server) on eth1,
ipmasqadm (NAT) between eth0 and eth1.
Then you have a mobile LAN party router!
I highly recommend everyone use DHCP for their subnets. Even if your IPs should never change, hardcode the MAC address into /etc/dhcpd.conf and your client-side network setup will be non-existent, regardless of platform.
Fandelem
12-19-2000, 04:35 PM
Very easy setup as is. But, when I add the firewall machine into the loop, what IP do I assign it? Does it become 1.2.3.4 and 192.168.1.1, and the current linux box becomes 192.168.1.2 and 192.168.1.3?
the firewall machine will have your internet ip address on one of the ethernet cards (or ppp, whatever interface you use to connect to the internet), and it will have the internal IP address on another ethernet card of 192.168.1.1
option 1:
then you will run some cabling from the ethernet card of the private IP address to a hub, then run another cable from another port on the same hub to your current email/webserver/etc linux box (note: you could do this using a cross connect cable, but a hub gives you more flexibility imo). your email/webserver/etc linux box will now have an ip of 192.168.1.2 on eth0 [which is going to the hub on which the firewall is on]. on eth1 in your email/webserver/etc linux box you will assign 192.168.1.3 to eth1, and run this into your huge switch/hub [whatever your office has] that provides dhcp or i guess, if you're living in the stone age still, static private ip addresses [whistles innocently].
option 2:
from your new firewall computer, [assuming] eth0 will be your internet connection, and eth1 will be your internal connection. eth1 can run directly to a hub from here, and it will create a fairly safe environment (rather than just plugging your dsl modem [for instance] directly into the hub... (note: the security hazard that this brings on is very low, and it would take a lot of time and talent to make use of it, but it's better to be safe than sorry.. continuing..) - so you have eth1 going into a (big) switch/hub - and then you connect your email/http server into that same hub, along with all your other computers on your network.
(192.168.1.0)LAN<-->192.168.1.3
                       /
          [ ] (current linux box)
             /
       192.168.1.2<-->192.168.1.1
                              /
                (new firewall box) [ ]
                       /
                  1.2.3.4<-->internet
that diagram can be correct.. it's basically what i just explained :)
Is this how I will set up the new box? Do I give the new firewall the currently assigned static IP (1.2.3.4) and make the current linux box be as though it is part of the internal network only? Or, do I give the connection between the new box and the old box their own network, as:
you will be using (1) ipmasqadm (especially the portfw feature) and (2) ipchains for *redirecting* requests from: (1-port_fw) outside_request --> your firewall gateway --> email/http server *and* (2-ip_masqing) internal_requests --> firewall gateway --> internet. this is obviously very simplified.. there will be a few rules that go into this.. once you actually get the layout and understand everything, and are ready for help with ipmasqadm (portforwarding) and ipchains (masquerading) - i'll be glad to help :)
and if i've confused everyone even more, i'll shut up and go back to trying to learn c++ =)
regards,
~kyle
portfw examples can be found at http://www.fandelem.com/nhf-5.html#portfw if you're interested and i'm not around :}
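The rule set Fandelem sketches above (masquerade the LAN outbound, portfw the published ports inbound), written out as an added example that is not from anyone in this thread. Interface names, the placeholder public address 1.2.3.4, the 192.168.0.0/24 LAN with the firewall at .1 and the mail/web box at .2 are assumptions taken from the posts; run it with `show` to print the commands, `apply` to execute them as root on a 2.2-era kernel that has ipchains and ipmasqadm.

```shell
#!/bin/sh
# Added example (not from the thread): ipchains + ipmasqadm rules for the
# two-NIC gateway being discussed. Assumed layout, taken from the posts:
# eth0 faces the Internet with the placeholder public address 1.2.3.4,
# eth1 faces the LAN as 192.168.0.1/24, the mail/web box is 192.168.0.2.
# DRYRUN=1 prints the commands instead of executing them.
EXT_IF=eth0
EXT_IP=1.2.3.4
INT_IF=eth1
INT_NET=192.168.0.0/24
SERVER=192.168.0.2
MASQ_PORTS=61000:65095   # 2.2 kernels rewrite masqueraded sessions onto this range

run() {
    if [ -n "$DRYRUN" ]; then echo "$*"; else "$@"; fi
}

firewall_rules() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    # Start clean: default-deny inbound and forwarded traffic.
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT
    # Anti-spoofing: nothing arriving on the public NIC may claim a private source.
    run ipchains -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    # Loopback and anything from the LAN side are fine.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # Masquerade LAN hosts on their way out through eth0 (the "ipmasq" part).
    run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
    # Replies to masqueraded sessions: non-SYN TCP and UDP to the masq ports only.
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$MASQ_PORTS" ! -y -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -d "$EXT_IP" "$MASQ_PORTS" -j ACCEPT
    # Published services: accept SMTP and HTTP on the public address, then hand
    # them to the inside server with portfw. Everything else stays denied.
    run ipmasqadm portfw -f
    for port in 25 80; do
        run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$port" -j ACCEPT
        run ipmasqadm portfw -a -P tcp -L "$EXT_IP" "$port" -R "$SERVER" "$port"
    done
}

case "${1:-}" in
    apply) firewall_rules ;;
    show)  DRYRUN=1; firewall_rules ;;
esac
```

Note that nothing here lets ICMP in, so ping and path-MTU replies need their own rule if you want them.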
Strike
12-19-2000, 07:01 PM
Okay, you actually seem to have a good idea of what you are doing and what needs to be done. It seems like you want your firewall to handle ALL inbound/outbound traffic, right? Well, to the external interface (eth0, ppp0, whatever), you will want to assign your static, "real" (meaning it actually exists on the Internet) IP. To the internal interface (to which the rest of your internal network will be tethered), you will want to assign a static, "private" (meaning it is in one of the reserved private subnet address classes - 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/20) IP. I'd just go ahead and suggest 192.168.0.1 (assuming you need no more than 65,000 or so nodes on this network).
Okay, next important question - do you want to use DHCP on a private subnet for internal IPs (i.e. do you want a machine to dole out IPs, or do you want all machines to have statically assigned ones)? Obviously, with a small network, assigning static IPs isn't that bad, and it doesn't require administering a DHCP server of your own. But, then you have to keep track of all the assigned IPs and this can be a ***** to do if your internal network is even slightly dynamic (machines moving around, getting added, getting removed). Then you have to do periodic "IP audits", and those are so mind-numbingly boring...
If you want to use DHCP for your internal network, then the next question is whether or not you want to use DHCP for that e-mail server and whatnot as well. I'd say no, because that machine is supposed to be up all the time anyway, so assigning it a static IP would make sense. I'd just assign it 192.168.0.2 and then limit the range for the DHCP server from 192.168.0.3 to whatever is sensible.
This should be a decent start, methinks. Any other questions, keep 'em coming.
TheLinuxDuck
12-20-2000, 11:53 AM
milanuk made a good point about my suggestion for the pass-thru. As it stands right now, the email/web server is the passthru for all access.. and adding a firewall to be the pass-thru would eliminate the web/email server having to be the pass-thru, so that makes sense..
The trouble I have is that our switch is already full.. if I want to add another item into the switch, I'm going to have to buy another 24-port, which doesn't make sense when we won't ever use them all.
The office is small enough that static IPs make more sense, to me anyway. I don't see a need to use DHCP with 17+/- machines. I can easily find out what IP each machine is.. besides, the email server uses the static IPs to determine which machines/what IPs are allowed to relay mail.. to keep spammers from using this box as a relay.
So, I would just rather stick with static IPs.
Is it possible for me to set it up as I suggested?
Or, should I really try to find a way to free up a plug on the switch, and simply make the firewall be the passthrough?
I just don't want to add any unnecessary slowdowns into the network.
And yes, I would like the firewall to handle all in/outbound traffic. It just seems the right way to handle it.
Here is a question that seems silly, but I don't really know for sure.
If I have a firewall that passes all allowed connections through, do I need to have all services turned off (minus firewall), and use ipmasq to forward the packets to the email/web server? Will it be set up to handle the incoming port connections, and forward them to the appropriate IP?
It sounds like a silly question, but I want to make sure I understand this correctly.
And, once the firewall machine is handling all incoming/outgoing traffic, I could essentially set it up so that I had 1 linux box to handle the web stuff.. one box to handle the email, one box to handle ftp, etc..etc.. so each would have its own box. Right?
Or is that just too complicated for a small time office?
I feel as though I kinda understand this stuff, but the details are what get my head spinning.. :)
Btw, thanks so much to everyone who has posted in this thread with advice/aid.. I most definitely appreciate the time you're giving!! :)
milanuk
12-20-2000, 06:15 PM
Originally posted by TheLinuxDuck:
milanuk made a good point about my suggestion for the pass-thru. As it stands right now, the email/web server is the passthru for all access.. and adding a firewall to be the pass-thru would eliminate the web/email server having to be the pass-thru, so that makes sense..
The trouble I have is that our switch is already full.. if I want to add another item into the switch, I'm going to have to buy another 24-port, which doesn't make sense when we won't ever use them all.
Okay, maybe I'm being denser than normal, since I don't work w/ that big of equipment, just my little 5 port switch, but what does the switch have to do w/ it? Stick another nic in the firewall, and do a crossover cable from the firewall to the server, or find a small unused hub/switch to stick in between them if you don't want to hassle w/ a crossover cable. Then you would have a three-legged setup, w/ the internet on one side, your DMZ (server) on another, and your internal LAN on the inside still.
The office is small enough that static IPs make more sense, to me anyway. I don't see a need to use DHCP with 17+/- machines. I can easily find out what IP each machine is.. besides, the email server uses the static IPs to determine which machines/what IPs are allowed to relay mail.. to keep spammers from using this box as a relay.
So, I would just rather stick with static IPs.
So do stick w/ static IP's. I think the idea would be to set up your dhcpd.conf file so that you assign known hosts static ip's that never change based on their hardware mac addresses, while leaving some flexibility for new machines to be added at a whim. Want to change the nameserver, or any of the many things that dhcp can 'push'? Do it once on the dhcp server, and then it's done for all of the machines in the LAN.
HTH,
Monte
Strike
12-20-2000, 08:07 PM
milanuk makes a good point - DHCP doesn't mean that you can't do static IPs by machine anyway, I hadn't thought of that. Indeed, you can assign IPs based on MAC address, and this would allow these machines to be functional on any DHCP network. A much more elegant solution.
He also raises an excellent point in that you can just have your server in the DMZ if you wanted (I thought about it, just didn't suggest it, as it would require you buying a new NIC and crossover cable [or build a crossover cable, which I recommend if you have the parts to bastardize a standard cable, like crimpers and heads]). This way you can take the added load of passing along the connections one more hop OFF of that server, and decrease the internal LAN machines' number of hops to the 'net by one.
Also, if your mail server machine is using IPs to deliver, I think you should alias those to hostnames and then just edit /etc/hosts whenever you make an IP change.
If I have a firewall that passes all allowed connections through, do I need to have all services turned off (minus firewall), and use ipmasq to forward the packets to the email/web server? Will it be set up to handle the incoming port connections, and forward them to the appropriate IP?
Yes, you should still practice the same security precautions if you are allowing all connections through. But, you don't have to let all connections through, of course. You have a fairly high degree of granularity in terms of controlling what goes in and out with ipchains and ipmasq.
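What milanuk and Strike describe (dhcpd handing out fixed addresses keyed on MAC, with a pool left for new machines and router/DNS pushed from one place) as an added example that is not from anyone in this thread. It writes ISC dhcpd 2.x syntax; the 192.168.0.0/24 addressing with the firewall at .1 and the mail/web box at .2 follows the posts, and the host names and MAC addresses are constructed, with one deliberately malformed entry to show the sanity check.

```shell
#!/bin/sh
# Added example, not from the thread: generate a dhcpd.conf (ISC dhcpd 2.x)
# that pins every known machine to a fixed address by MAC (so an IP-based
# mail relay allow list keeps working), keeps a small pool for newcomers, and
# pushes router and DNS settings from one place. Addresses follow the thread
# (firewall 192.168.0.1, mail/web box 192.168.0.2); names and MACs are made up.

# Known hosts as "name mac ip" lines; the last entry has a bad MAC on purpose.
HOSTS='
mailweb  00:11:22:33:44:55  192.168.0.2
duckpc   00:11:22:33:44:66  192.168.0.10
win98    00:11:22:33:44:77  192.168.0.11
typo     00:11:22:33:44:GG  192.168.0.12
'
HX='[0-9a-fA-F][0-9a-fA-F]'   # one hex octet, for the MAC sanity check

gen_dhcpd_conf() {
    cat <<'EOF'
# generated: LAN 192.168.0.0/24, gateway and DNS on the firewall box
default-lease-time 86400;
max-lease-time 604800;
option subnet-mask 255.255.255.0;
option routers 192.168.0.1;
option domain-name-servers 192.168.0.1;

subnet 192.168.0.0 netmask 255.255.255.0 {
    # dynamic pool, kept above the fixed addresses so the two never collide
    range 192.168.0.100 192.168.0.120;
}
EOF
    # One host block per known machine; dhcpd matches on "hardware ethernet".
    echo "$HOSTS" | while read -r name mac ip; do
        [ -z "$name" ] && continue
        case "$mac" in
            $HX:$HX:$HX:$HX:$HX:$HX) ;;
            *) echo "skipping $name: bad MAC $mac" >&2; continue ;;
        esac
        printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n' \
            "$name" "$mac" "$ip"
    done
}

# Usage: ./gen-dhcpd.sh        (print the config for review)
#        ./gen-dhcpd.sh write  (install it as /etc/dhcpd.conf)
if [ "${1:-}" = "write" ]; then gen_dhcpd_conf > /etc/dhcpd.conf; else gen_dhcpd_conf; fi
```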
bleg26
12-20-2000, 08:28 PM
Hey, Strike. I was wondering if you have any experience in IPMASQing a PLIP connection.
I had a PLIP connection setup before, but just for my local net. I'd like to get my PLIP box to the outside net.
I use FreeSCO for my main outside link, but I'll probably have Debian on the two boxes with PLIP.
This sounds a bit like what you have done except one of my IPMASQ is going to be eth0 <> PLIP.
BTW, I don't need any firewall for this second IPMASQ, just the IPMASQ
I hope you could help.
TIA
[This message has been edited by bleg26 (edited 20 December 2000).]
Strike
12-21-2000, 06:03 AM
bleg26 - I don't think there'd be any difference except that your ipchains rules would have to specify a different interface, but then again I don't know as I have no PLIP experience yet. Do some digging about for info, because I'm not sure. If there are still questions, start a new thread here and we'll see who jumps on it.
bleg26
12-21-2000, 06:30 AM
Alright. I'll see what I can find out. If I can figure it out I'll post it in the How I did it, if anyone wants to know how. Probably next week sometime.
justlinux.com
Copyright Internet.com Inc. All Rights Reserved.