To: Michael Boyd <michael.boyd@fabermaunsell.com>
Cc: debian-firewall@lists.debian.org
Subject: Re: Firewall/Router for Sharing a Cable Modem Connection
In-Reply-To: <3DD10BF9.3CDF6952@fabermaunsell.com>

On Tue, Nov 12, 2002 at 02:11:05PM +0000, Michael Boyd wrote:

>                                                    / Beta (W98 Desktop)
> Internet---Cable Modem---Alpha (Firewall/Router)---Hub- Gamma (Debian Desktop)
>                                                    | \ X Terminals etc
>                                                  Omega (Experimental Web Server) etc

This is essentially what I have here, except my server is not DMZ'd as it
appears you have done above (if there are indeed 3 NICs in that box). I
wrote a script that takes care of most of this, if you're interested:

http://firegate.sourceforge.net

> Is it correct to call Alpha a Firewall/Router? I gather it will get its
> external IP address dynamically. I will use NAT to hide the 10.X.X.X
> internal addresses.

I believe it is correct to say it's a router, yes. Perhaps a different
word would be "gateway". In any case, you should certainly use it as a
firewall as well.

> 2. What packages do I need over and above those I am familiar with for
> my old dial-up set-up? I am thinking mainly of DHCP which I believe is
> necessary as I will have a dynamic external IP address. I think I will
> write the iptables rules by hand. I used ssh in my previous set-up to
> login to the firewall internally which worked well so I will do that
> again and make sure telnetd isn't on the machine.

Yes, dhclient is probably needed, unless you want to go setting up your
interfaces by hand. Here again, I have a very similar setup where I use
SSH exclusively, and the firewall box has no keyboard or monitor. The
aforementioned script takes that into account, FWIW.

> 3. Is a 486 up to the task? I believe the download rate is up to 512K.

Absolutely. I have an i486/66MHz handling a 3500kb/sec downstream and a
384kb/sec upstream just fine. There are only 5 machines behind the box,
but it's my understanding that a 486 can handle more than a T1 worth of
traffic.

> 4. How can I install Woody with a 2.4 kernel from my CD set? The
> default seems to be a 2.2 kernel. I don't understand the instructions
> on the CDs or those I've found on the internet. I believe I need 2.4 to
> use iptables.

Use the bf2.4 boot floppy images, or one of the netinst CDs that has that
image on it. That's what I did. However... once you get going, you should
*really* use GRSecurity to patch up the 2.4 kernel. It can be a major
pain, but you may thank me (and its authors) one day.

> 5. I want to get emails generated by Alpha (containing logfiles etc)
> delivered via an email address provided by the cable provider *or*
> internally. Am I correct in thinking exim can do both of these
> alternatives? Apologies if I am straying 'off list' here.

I am not sure what you're saying here, so I will just add that I have
exim running on my equivalent of your "Omega" above. It works just fine
for both internal delivery and external SMTP delivered to/from my net.

> 6. Does iptables enable the use of things like ICQ and gaming over the
> internet 'out of the box' without the workarounds necessary when using
> ipchains?

Oh God, you had to bring that up. ;)

Yes and no. There are some helper modules written for 2.4/netfilter,
however not for ICQ. If you examine the code I have in my script, it
might give you some ideas on how to compensate for these shortcomings.
AFAIK you basically have three choices: settle for partial ability the
way I've done it; run a full-blown SOCKS proxy; or use some mini-proxy
like ReAIM.

HTH,
Jeff Bonner
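An added example, not part of the thread above and not Jeff's firegate script: a minimal hand-written iptables ruleset for the "Alpha" box in the diagram (2.4 kernel, dynamic cable address from dhclient, 10.x internal network hidden with NAT, SSH administration from the inside only). It assumes the cable modem is on eth0, the hub on eth1 and the internal network is 10.0.0.0/24; MASQUERADE is used rather than SNAT precisely because the external address changes with each lease.

```shell
#!/bin/sh
# Added example (not from the original mail): iptables NAT gateway rules for
# Alpha. Assumed interfaces/network; override with WAN=... LAN=... LAN_NET=...
# The script prints the commands; review them, then `sh alpha-fw.sh | sh`.
WAN=${WAN:-eth0}            # cable modem side, address comes from dhclient
LAN=${LAN:-eth1}            # hub side (Beta, Gamma, Omega, X terminals)
LAN_NET=${LAN_NET:-10.0.0.0/24}

gen_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
# Default-deny for anything aimed at the box or routed through it.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections the box or the LAN started (2.4 state match).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Lease offers/acks from the provider's DHCP server on the cable side.
iptables -A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT
# SSH only from the internal network; nothing listens for the outside.
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Anti-spoofing: private source addresses never arrive from the modem.
iptables -A INPUT -i $WAN -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i $WAN -s 10.0.0.0/8 -j DROP
# Let the LAN out and hide it behind whatever address dhclient obtained.
iptables -A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
# Rate-limited logging of what the policy drops, for the mailed logfiles.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

gen_rules
```

Without the two anti-spoofing lines a packet from the cable side with a forged 10.x source would be forwarded into the hub as if it came from a neighbour, so keep them above the FORWARD accept rule.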