
Re: Firewall on a debian Box.



Currently I'm using a Debian box for our ADSL internet connection and it
works so well, with incredible performance...

I'm using ipchains under a 2.2.18 kernel and the gfcc GUI for setting the
rules... Debian is a good choice 'cos it installs a really minimal
system from the basic installation, and you can add the software as you
need it.

The help, well, I think that you are helped now, and I'm sure that
you'll be helped in the future in the list or others; everybody here is a
guru and an apprentice :-D

My favourite links about Linux/Debian firewalling are:

	·http://ipmasq.cjb.net
	·http://netfilter.filewatcher.org/ipchains
	·http://www.linux.no/biblioteket/HOWTO/Net-HOWTO-html/Net-HOWTO.html
	·http://www.linuxdoc.org/ :-)

My steps in the creation of the firewall were:

   1. Preinstallation	
	·Describe the services to provide
	·Write the firewall rules on paper... you have to know that
	only one masquerading rule is needed to provide full access to the internet!

   2. Installation
	·Install the Debian system (without entering dselect,
	only the minimum installation)
	·Install the software, only the necessary, 'cos if you need more
	software you can install it later... ssh, gfcc, xlib and gtk (for gfcc)

   3. Postinstallation
	·Scan for open ports (nmap) and close the unnecessary ones
	·Make a nessus scan of the firewall and save it as your first
	auditing document.
	·Send the logs to another host not easily accessible from the
	firewall with syslog-ng, parse them with logcheck, and read them!
	
Currently I'm using the firewall as:

	·Firewall, with ipchains and gfcc as config tool
	·SMTP gateway
	·POP3 server (from woody, 'cos the potato release doesn't support
		LDAP yet)
	·SSH server for root connections
	·SMTPS and POP3S server from the stunnel package, which provides SSL
		access to the services
	·HTTP server, using the dhttpd package (an HTTP server that only
		supports the GET method, no cgi, no php, no jsp, no
		vulnerabilities)

My firewall hardware is:

	·Pentium III 650Mhz
	·64Mb RAM
	·1 EIDE HDD Drive - 9Gb.

The firewall masquerades a few ports to our DMZ network that provides
public services, such as secondary DNS, Web services, or a PGP key
server...

Pros: 
	·You can control the firewall using an easy interface (gfcc)
	·The control comes from the third level of TCP/IP, which ensures
	good refinement and gives me useful logs (refused connections,
	port attacks, and other stuff)
	·I have poor maintenance, it's a Debian!

Cons:
	·I was lucky, 'cos in 2 days I had configured the firewall, but I
	know good sysadmins who spent a week on the task...


Hey! You are still here reading the mail!! Really, I'm not an absolutely
boring writer!!! :-P

Bye, and good luck with your firewall; I'm waiting in the list for your
experience and conclusions...

On Wed, 10 Jan 2001, Matt Kopishke wrote:

     Hi, I need to set up a firewall on my company's small network.  What I
     have in mind is a box that does packet filtering, shuts down unused ports,
     and such.  This machine would have to be transparent as we do web
     hosting.  So some thing that looks like this:
     
     	       +------+  +------------+  +------+
     The Internet --|Router|--|Firewall Box|--|Switch|-- Our Network
                    +------+  +------------+  +------+
     		
     If that makes any sense.  My question is where do I start?  Is there any
     good software or documentation that deals with this kind of set up?  I
     know I can start shutting down ports using ipchains, but someone else
     must already be using a set up like this.
     
     Thanks,
     
     		-Matt-
     
     +-----------------------------------------------------+
      Matt Kopishke			kopishke@midcoast.com |
      Blue Note Technology         http://bluenotetech.com |
      Waldo Theatre		  http://www.waldotheatre.org |
     +------------------------+----------------------------+
     
     
     
     

________________________________________________________
Josep Llauradó Selvas	josep.llaurado@activa-online.com
                 Departament Tecnologia
Activa Online	            http://www.activa-online.com
		PGP KeyID: 1024D/6D1E972D
KeyFP:0A08 5760 146F 8A3F 1704  5BF1 6B58 ACD3 6D1E 972D
________________________________________________________
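A ruleset in the spirit of the three-step procedure in the reply above, written here as an added example and not taken from the mail, from gfcc or from Debian: it implements the single masquerading rule the author mentions, with a default-deny forward chain, anti-spoofing on the external interface, and logged refusals so logcheck has something to read. The interface ppp0, the 192.168.1.0/24 LAN and the exposed ports 22 and 25 are assumptions.

```shell
#!/bin/sh
# Added example (not from the mail): a minimal ipchains ruleset for a
# masquerading ADSL gateway. Interface, LAN range and exposed ports are
# assumptions chosen for illustration.
EXT_IF=ppp0              # assumed: the ADSL link towards the Internet
LAN_NET=192.168.1.0/24   # assumed: the internal network behind the box

# Emit the ipchains arguments, one rule per line, so they can be reviewed
# (or diffed against a saved audit copy) before anything is applied.
ipchains_rules() {
    cat <<EOF
-F
-X
-P input ACCEPT
-P output ACCEPT
-P forward DENY
-A input -i $EXT_IF -s $LAN_NET -j DENY -l
-A input -i $EXT_IF -s 127.0.0.0/8 -j DENY -l
-A input -i $EXT_IF -p tcp -d 0/0 22 -y -j ACCEPT
-A input -i $EXT_IF -p tcp -d 0/0 25 -y -j ACCEPT
-A input -i $EXT_IF -p tcp -y -j DENY -l
-A forward -s $LAN_NET -i $EXT_IF -j MASQ
EOF
}

# Apply the rules (needs root and a 2.2 kernel with ipchains); forwarding is
# enabled only after the forward chain's DENY policy and MASQ rule are loaded.
apply_rules() {
    ipchains_rules | while read -r rule; do
        # shellcheck disable=SC2086
        ipchains $rule || exit 1      # exit leaves only this subshell
    done || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Small checks a review script can call before applying.
count_rules() { ipchains_rules | grep -c '^-A'; }
has_masq()    { ipchains_rules | grep -q -- '-j MASQ$'; }

if [ "${1:-}" = apply ]; then
    apply_rules
else
    ipchains_rules
fi
```

Run it as root on a 2.2 kernel with the argument `apply` to load the rules; without arguments it only prints them for review.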



