A separate machine as a firewall?
cotfessi
08-27-2001, 01:44 PM
Here's a quick rundown on my home network: I use Earthlink/Mindspring ADSL. I plug my ADSL modem into my phone line and then I plug the modem into a 4 port hub. I am allowed to have up to four computers connected at one time... no NAT or anything, my ISP just assigns up to four dynamic IP addresses.
internet --> modem ---> 4 port hub ---> 2 linux boxes, win98 box, win 2000 box
I have a Debian box that I use as my main computer, an older slower machine that I use as a testing ground for Debian (so I don't screw up my good machine) and then I have a win98 box (parents) and a win2000 box.
Each one of these computers has to handle its own security. I have IPTABLES running on both linux boxes and some sort of personal firewall by norton? on the windows machines.
Here's the actual question: I'm feeling much more comfortable with my linux skills now and I really don't feel like I need to keep my older debian box around to test things. I was thinking about wiping it clean and turning it into a firewall/router. Then I would run the following:
internet --> modem -> firewall/router -> 4 port hub -> linux box, win98 box, win 2000 box
Is this a more secure setup? What about network speed? Will it slow my transfer speeds since packets will have another computer to go through? If I do maintain a separate firewall, do I need to keep a firewall on each machine within my internal network?
Thanks for the help!
- cotfessi
optech
08-27-2001, 02:16 PM
With internet --> modem --> firewall --> hub --> network, your security is greater because you're pinpointing the entry to your network...
it shouldn't slow down your connection at all, unless you're using really bad NICs or something... but even then, it shouldn't be too much slower...
it's checking packets and either letting them through or not...
they're not processed or anything...
YaRness
08-27-2001, 02:40 PM
from outside, all anyone will see is a dumb box. they would have to hack their way into a usable prompt-type state on the dumb firewall box (the dumber/simpler you can make it and still be functional, the better). then once they get on the dumb box they're faced with 2 windows boxes they could care less about, and 1(+) linux boxes nicely hardened. quite a waste of time unless you've really pissed someone off or are known to have credit card data or something on your box.
jake-in-a-box
08-28-2001, 09:19 PM
Sounds like you are a perfect candidate for LRP (Linux Router Project). It's what I have been using for about a year now. I use a P100 system as an LRP firewall between my home network and my @home cable modem.
Go to www.linuxrouter.org (http://www.linuxrouter.org) or (if it's still up) www.c0wz.com (http://www.c0wz.com) for info and downloads.
janneo
08-29-2001, 06:00 AM
How about smoothwall (www.smoothwall.org)? Does anyone have experience with it?
I have an internal ADSL modem (it does have Linux drivers). I'm planning to install Smoothwall on a surplus PC and plug it into the net using that ADSL modem. The drivers are for Red Hat, so I'm worried that they might not work with Smoothwall.
vertices
08-29-2001, 08:38 PM
www.freesco.com (http://www.freesco.com)
I love freesco! Plus you can run it off a floppy!!
ccieToBe
08-30-2001, 12:56 PM
This setup would be great for security and wouldn't slow your Internet connection materially. You could actually get some more speed by installing some Internet content caching software like Squid on the firewall.
ds801
09-01-2001, 01:34 PM
Just wanted to throw another option in. Coyote Linux (http://www.coyotelinux.com/) is another distro designed for firewall/router use. It's what I'm using for my cable modem connection. Like Freesco, it boots from a single floppy disk, and you don't need a hard drive/cdrom/keyboard/monitor installed on the firewall PC. Just turn the box on, wait about a minute, and the firewall is up and running. Since it runs from a floppy, and is read-only, you can just turn the power on and off (no logging into Linux), and it's really secure, since you can't make any changes as long as the floppy is write-protected. Best of all, a 486/33 with 16MB ram is plenty for a small LAN, anything better than that is overkill. (So you don't have to worry about slowing down the connection.)
Since it uses NAT, your ISP only assigns one IP to you, and as YaRness said, it's much more difficult to hack into a LAN through a NAT router, since all your LAN PCs have private/un-routable IP addresses.
I used to have my Windows PCs connected directly to the internet, running Zone Alarm, getting lots of hits. After I set up the Coyote router, I still ran ZA just to test security, got no hits at all, so I eventually turned ZA off. The default Coyote firewall rules should be pretty secure, but I made a few changes to the firewall rules. It's a good way to gain Linux ipchains experience.
Whatever route you take, it's fun to have your firewall port-scanned to see how well you did. I've used the scan tools at www.dslreports.com (http://www.dslreports.com). They have two tests, the quick port scan (http://www.dslreports.com/scan) and the full scan (http://www.dslreports.com/secureme) (click the Request Scan link at bottom). Run/request these scans from a Windows box, and if you do the full scan, leave the router and Windows box running until it's complete. On the full scan, a score of "0" is the best. Anything else means there are potential security holes. My Coyote box scores "0".
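The "modem -> firewall/router -> hub" layout cotfessi asks about, with the NAT that ds801 describes, as an added example that is not from any poster in the thread: a small iptables script (the tool cotfessi already runs) for a Linux box with two NICs. The interface names eth0/eth1, the 192.168.1.0/24 LAN range and the ssh management port are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rules for a Linux firewall/router with
# two NICs, in the "internet -> modem -> firewall/router -> hub" layout.
# Interface names, the private LAN range and the ssh port are assumptions.
WAN_IF="${WAN_IF:-eth0}"              # NIC cabled to the ADSL modem (assumed)
LAN_IF="${LAN_IF:-eth1}"              # NIC cabled to the 4-port hub (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # unroutable range used behind NAT (assumed)

# gen_rules prints the rule set instead of applying it, so it can be read or
# checked without root; on the router, run the script with --apply.
gen_rules() {
  cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
# Default-deny for traffic to the router and traffic it forwards.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback, plus replies to connections the router or a LAN host opened.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management (ssh) only from the hub side; nothing new is accepted from the WAN.
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# LAN hosts may open connections outward; the reverse direction stays closed.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# NAT: the ISP sees one address, the LAN keeps private ones.
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# Log what is dropped, so an external port scan shows up in the syslog.
iptables -A INPUT -i $WAN_IF -j LOG --log-prefix "FW-DROP-IN: "
iptables -A FORWARD -j LOG --log-prefix "FW-DROP-FWD: "
EOF
}

# Sanity checks over the generated text (usable without root):
# number of iptables commands, and whether any rule accepts new WAN input.
rule_count() { gen_rules | grep -c '^iptables' || true; }
wan_input_accepts() { gen_rules | grep -c "INPUT -i $WAN_IF .*-j ACCEPT" || true; }

if [ "${1:-}" = "--apply" ]; then
  gen_rules | sh
fi
```

Because the policy on INPUT and FORWARD is DROP, anything not matched above is logged and discarded, which is what a clean result on the external scans in this thread depends on.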