Where to start on setting up a firewall?


kaut
10-31-2002, 12:21 PM
I tried searching first because there are around 3000 posts on firewall, but I didn't find anything that helped me. First, what exactly is a firewall? And how would I go about to set one up?

Wallex
10-31-2002, 12:35 PM
A firewall... basically is a set of rules to manipulate packets that reach/pass/leave your computer. You can filter these packets through rules so that certain ports get blocked, or that certain addresses get blocked, or which is more common... you block everything and only allow in packets with certain given criteria. The whole point of a firewall is to stop people from exploiting any services you might be running on your pc. Sometimes users aren't even aware of what services are running on their pc, and if left open, some other people can take advantage of this. Good security is about knowing which packages should be allowed in/out and which not, and to configure your running services correctly and make sure you keep them updated to fill in any security holes that might have been found. The second use of a firewall is to do routing (and perhaps masquerading). Routing is the forwarding of packets (if your computer is connected to two networks which can't communicate with each other, you use this to let them), and ip masquerading is about actually modifying the 'ip from' field so that it appears that the packet is coming from your pc instead of the one in the internal network, useful if you are on the internet and want to allow other pcs to use it as well.
Now how to set it up... since the latest kernel the command is iptables. There's a howto, a readme and lots of resources on it. If you want a firewall the easy way (not having to understand all this about packets and such) get a firewalling program (which basically uses iptables). Guarddog is good for this... but I don't like it because it uses Qt, you could just search for a firewall program anyway... most (if not all) rely on the iptables that is built into the kernel.

kaut
11-04-2002, 11:58 AM
Thanks for explaining it out for me. That's somewhat what I knew it did, but I wasn't clear on all of it. I'll look for a firewall program now since I'm lazy and don't really know a lot about what I'm doing. It's a learning experience.

Odins_Son
11-04-2002, 02:43 PM
What I did for a basic firewall was I took my old junker computer, a P-166, and installed Coyote Linux... a Linux that is small enough to fit on a floppy disk. It loads it into cache so it runs quickly. I stuffed in two NIC cards, one connected to my ADSL and one connected to my PC. All you have to do is find some firewall scripts that will fit what you want and set up IP-masquerading. This probably isn't the best way to do things, but it's good if you want to have several computers hooked up and sharing one IP, and it's a good project.

craigad
11-04-2002, 02:59 PM
Has anyone tried Mandrake Single Network Firewall and router? Seen the info on the product but not much more...

You might wanna check it out

Craigad

anarcholinuxism
04-11-2003, 06:31 PM
Wallex , that's the single most intelligent definition about anything I've seen given on these boards.

I understand you leave ports open for your own communications (http requests, mail etc.). What's to stop people outside using these ports to access your machine?

chrism01
04-11-2003, 06:57 PM
Well, there are basically 3 'chains' of rules, although the current implementation is iptables (used to be ipchains).
Fundamentally, you've got INPUT, FORWARD, OUTPUT.
All ports <1024 are 'privileged' ie only SW running under root acnt can bind to them.
Normally you send requests out on unprivileged ports and the relevant daemon at the other end eg httpd will be listening on port 80.
You set up the ports so that only input is allowed on the privileged ports and ensure you block all ports you are not using.
As an example, if you have a firewall and apache running on your gateway machine, so you've got 2 NICs, and you only want it reachable from inside your lan, block port 80 on the external interface eg eth0 and allow it on the internal (lan facing) interface eg eth1.
You may find newer tech eg IM systems use higher num ports, so you'll have to check your system log msgs to see which port they want to use if you can't find out by googling. You'll need to turn on logging for pkt reject/deny for this.
You use the FORWARD 'chain' to allow forwarding of pkts from internal boxes to the internet and vice versa. This (usually) involves using IP-Masquerading (NAT or PAT) technique so that you only need one box registered with your ISP.
Some ISPs' TOS say you shouldn't do this, ie only one box may be used, but it's very rare that they bother to do the analysis of your pkt stream to check.
You can specify the interface for each set of rules, so you've got (in the above example) INPUT, OUTPUT and FORWARD rules for eth0 and another set for eth1.
See www.tldp.org (The Linux Doc Proj) for HOWTOs etc.
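The gateway chrism01 describes, written out as an iptables script (an added example, not chrism01's own rules): Apache reachable on the LAN interface only, a FORWARD chain with masquerading for the internal boxes, and logging of rejected packets so you can see which ports a new program wants. The interface names eth0/eth1, the LAN range 192.168.1.0/24 and the IPT/SYSCTL dry-run variables are assumptions for this example.

```shell
#!/bin/sh
# Added example: two-NIC gateway rule set in the style chrism01 describes.
# Interface names, LAN range and the IPT/SYSCTL variables are assumptions.
EXT_IF="${EXT_IF:-eth0}"              # internet-facing NIC
INT_IF="${INT_IF:-eth1}"              # LAN-facing NIC
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # constructed LAN range
# Default is a dry run that just prints the commands for review; set
# IPT=iptables and SYSCTL=sysctl (as root) to apply them for real.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

gateway_rules() {
  # Start clean, then deny by default: nothing comes in or is forwarded
  # unless a rule below allows it; traffic the box itself sends is allowed.
  $IPT -F
  $IPT -t nat -F
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  # Loopback, and replies to connections this box started on unprivileged ports.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Apache (port 80): allowed on the LAN interface only; on the external
  # interface log the attempt (rate-limited) and drop it.
  $IPT -A INPUT -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 80 -j ACCEPT
  $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 80 -m limit --limit 5/min -j LOG --log-prefix "FW-HTTP-EXT: "
  $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 80 -j DROP
  # FORWARD chain: LAN boxes may go out; only replies to them come back in.
  $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
  $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # IP masquerading: rewrite the source so everything leaves under the one
  # address registered with the ISP.
  $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
  # Log whatever is about to fall through to the DROP policies; this is the
  # reject/deny logging chrism01 mentions for finding which port a program wants.
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
  $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-FWD: "
  # The kernel only forwards between the two NICs once this is switched on.
  $SYSCTL -w net.ipv4.ip_forward=1
}

gateway_rules
```

Dropped packets then appear in the system log with the FW- prefixes, which is where you read off the port a new IM program is trying to use.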

ZenelithCalling
04-11-2003, 07:09 PM
wallex, chrism01

I agree with anarcholinuxism. These are great and understandable (at least for me) descriptions.


thanks
-z

mage492
04-12-2003, 12:23 AM
It cleared up a few things for me, too! I have a question of my own, now...

Okay, I've heard about Coyote and Devil-Linux, but what others run off read-only media? I've searched on www.linux.org, then looked at the minimalist distros' home pages. Many of them are ambiguous.

If nothing else, what are the criteria to make them work off read-only? Is it a special way the kernel's set up, some included software, or does it just have to be smaller than the available RAM?

I'm trying to set up my own specialized firewall box, but I want to try out a few operating systems, first. Thanks in advance!

chrism01
04-12-2003, 05:35 AM
I believe there used to be one called floppy-fw, which ran off a read-only floppy disk.
Try google for it?
Anyway, here's a useful link to a VERY good HOWTO site:
http://www.tldp.org/HOWTO/Firewall-HOWTO.html

brandon_yap
04-13-2003, 06:34 AM
hi...
what is a firewall???
Kindly reply ASAP...
Thanks!!!

Suramya
04-13-2003, 06:53 AM
Originally posted by brandon_yap
hi...
what is a firewall???
Kindly reply ASAP...
Thanks!!!

If you would read the posts above yours, you can learn about firewalls.

You can also try reading through the following site:

http://www.firewallguide.com/

- Sur

brandon_yap
04-13-2003, 06:59 AM
thanks for the reply and website...
by the way how do u know your id number...
Kindly reply ASAP...
Thanks!!!

gkedrovs
04-13-2003, 07:20 AM
Originally posted by mage492
Okay, I've heard about Coyote and Devil-Linux, but what others run off read-only media? I've searched on www.linux.org, then looked at the minimalist distros' home pages. Many of them are ambiguous.

Linux Router Project (LRP) (http://www.linuxrouter.org/)

I don't know if this will help, but there it is. This whole deal about a dedicated rom machine doing gateway / firewall / routing has been on my back-burner for a long time, and it's rapidly creeping up to the front-burner. This is one of the sites I have marked to check out more in-depth.

Here are some other firewall links I've gleaned lately (fyi):

GUI tool that uses iptables:
http://firestarter.sourceforge.net/

General:
www.tldp.org/HOWTO/Security-Quickstart-HOWTO/

All the fun stuff (documentation is abundant for those who desire knowledge and are willing to read and learn):
http://www.iptables.org/

Suerte.
-Greg

arioch
04-13-2003, 07:26 AM
check out the Astaro linux firewall

Suramya
04-13-2003, 07:34 AM
Originally posted by brandon_yap
thanks for the reply and website...
by the way how do u know your id number...
Kindly reply ASAP...
Thanks!!!

I am assuming you are talking about my Linux User #. You can register as a Linux user at http://counter.li.org/

- Sur

brandon_yap
04-13-2003, 07:45 AM
thanks for the reply

Leigh
04-14-2003, 03:24 AM
I believe there used to be one called floppy-fw, which ran off a read-only floppy disk.

It's here.
FloppyFW (http://zelow.no/floppyfw)
Works extremely well, quite simple to set up.

lordinfidel
04-14-2003, 02:53 PM
fwbuilder.org

If you are familiar with the checkpoint style interface then this will be pretty intuitive.

Although I am a strong believer in doing things by hand. If you are managing several firewalls, this cool app will be helpful.

It stores everything in xml, and it is a nice looking gui. It's object oriented and allows you basically to drag and drop your objects into rules.

You can create your own custom services, and it has the obligatory stock of pre-made services (IP, ICMP, TCP and UDP).

After you are done creating your rule set, you can compile (port) it to any platform of your choosing. You're not restricted to just iptables on Red Hat with a 2.4 kernel. You can port it to ipchains on bsd if you so choose. Which is the part I find pretty cool.

It's also nice if you are using 3+ NICs to help you manage the rules on each interface. Which is a daunting task when doing it by hand.

just my find for the day

brandon_yap
04-14-2003, 10:58 PM
thanks for the website lordinfidel! i have learnt more about firewalls...Thanks!!!