WIP; Filter install steps.
Firewall-steps:
One of the first goals is to strip down your OS to the bare bones needed to get the job done. This includes removing unneeded packages, cleaning up /etc/inetd.conf and the startup scripts, and perhaps a few wayward binaries scattered about the system. You should end up with something that looks like this; the steps to achieve this result are detailed below.
ps -aux of a clean system (compare to yours!):
USER PID %CPU %MEM VSZ RSS TT STAT START TIME COMMAND
daemon 72 0.0 0.5 820 328 ? S 14:05 0:00 /usr/sbin/atd
root 1 2.7 0.5 820 352 ? S 14:04 0:04 init [2]
root 2 0.0 0.0 0 0 ? SW 14:04 0:00 kflushd
root 3 0.0 0.0 0 0 ? SW< 14:04 0:00 kswapd
root 9 0.0 0.3 796 248 ? S 14:04 0:00 update
root 65 0.0 0.6 840 404 ? S 14:05 0:00 /sbin/syslogd
root 67 0.1 0.7 956 472 ? S 14:05 0:00 /sbin/klogd
root 75 0.0 0.5 836 380 ? S 14:05 0:00 /usr/sbin/cron
root 79 0.0 0.4 812 300 2 S 14:05 0:00 /sbin/getty 38400 t
root 80 0.0 0.4 812 300 3 S 14:05 0:00 /sbin/getty 38400 t
root 81 0.0 0.4 812 300 4 S 14:05 0:00 /sbin/getty 38400 t
root 82 0.0 0.4 812 300 5 S 14:05 0:00 /sbin/getty 38400 t
root 83 0.0 0.4 812 300 6 S 14:05 0:00 /sbin/getty 38400 t
speed 78 0.1 1.4 1608 924 1 S 14:05 0:00 -bash
speed 87 0.0 0.6 964 420 1 R 14:07 0:00 ps -aux
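As an added example (not from the original post), a small shell helper for the /etc/inetd.conf clean-up step: it comments out every active service that is not on an allowlist and counts what is still enabled, run here over a constructed Debian-style inetd.conf. On a packet filter the allowlist is normally empty, which is why no inetd shows up in the ps listing above.

```shell
# Constructed sample inetd.conf (not the author's file): the stock services a
# Debian 1.3 install enables, none of which a packet filter has a use for.
SAMPLE_INETD='#<service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
discard stream tcp nowait root internal
daytime stream tcp nowait root internal
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd
shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd
login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind
finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd
ident stream tcp nowait nobody /usr/sbin/identd identd -i'

# strip_inetd "svc1 svc2" < inetd.conf > inetd.conf.new
# Comments out every active service whose name is not in the allowlist;
# comment and blank lines pass through unchanged so the result stays diffable.
strip_inetd() {
    awk -v allow=" $1 " '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }     # keep comments / blank lines
        {
            if (index(allow, " " $1 " ") > 0) print  # allowed: keep as-is
            else print "#" $0                        # everything else: disable
        }'
}

# count_enabled < inetd.conf -> number of services inetd would still start
count_enabled() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ { n++ } END { print n + 0 }'
}

# Typical use on the firewall itself (empty allowlist, then restart inetd):
#   strip_inetd "" < /etc/inetd.conf > /etc/inetd.conf.new
```

Check the result with `count_enabled` before and after; the diff of the two files is the record of what was turned off.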
Get some decent hardware... I went with NetExpress systems (http://www.tdl.com/~netex/), they don't sell any junk and know Linux quite well. For quality I like ASUS mainboards and Buslogic SCSI adapters, and put these in a Cal-PC case (http://www.calpc.com/); they are very long front to back, allowing complete access to the MB without being blocked by the drive racks, and most importantly have good quality power supplies. The NEC CD-ROMs seem to have some sort of auto-termination... wish all SCSI devices (especially hard drives) would do this.
Obtain your Debian media (CD-ROMs). I got mine from Linux Press (http://www.linuxpress.com/), along with Dale Scheetz' book "The Debian Linux User's Guide"; it came with 3 CDs, one of which was the Debian 1.3.1 binaries CD. I also found this CD from The Linux Mall (http://www.linuxmall.com/).
Prepare DNS and Mail configuration files:
For a screened subnet firewall (considered by many to be one of the more secure varieties; see "Building Internet Firewalls", Chapman and Zwicky, O'Reilly) it will be necessary to have more than one logical network, at a minimum three:
The internet attachment or "BARE" network:
- may be your ISP's if you use a ppp account to connect.
- may be a subnet of your own class C, B or A if you use a router to connect; this is the case I've illustrated below.
The DMZ (De-Militarized Zone) network that contains the more exposed service hosts (bastions), for accepting mail, web serving, etc.
The Internal Network for systems you want protected.
Since I use an ISDN router I had to use part of my own class C for the "BARE" network as well as the DMZ and Internal networks. So, I had to split my class C four ways using the subnet mask 255.255.255.192.
DNS Setup:
Firewall with one three-ported packet filter.
Mask: 255.255.255.192 (split class C into 4 subnets)
------- inet
2 |
B 0 |
A 6 |
R : pipeline50 206.81.41.1 (hollenberg_001)
E 8 |
1 |
N : HUB-----my regular hosts that I'm using to type this email.
E 4 | Unprotected network...run SATAN here, point at
T 1 | firewall.
: |
0 |
-------
|
|
_______ -----------------------
| 206.81.41.8 |
2 | |
0 | |
6 | |
D : | | _____________
M 8 | | | |
Z 1 | 206.81.41.65 |--------------| bast1 |
: | | |206.81.41.66 |
N 4 | | | mail & DNS |
E 1 | pacfil | |_____________|
T : | (Packet Filter) |
6 | |
4 | |
| |
| |
| |
| 206.81.41.129 |
------- -----------------------
|
2 |
0 |
I 6 |
N : | ---------------
T 8 | | |
E 1 HUB---------| mailhub |
R : | | |
N 4 | | 206.81.41.130 |
A 1 | | |
L : | ---------------
1 ---------------
N 2 | |
E 8 | barney |
T | (mail-client) |
| 206.81.41.131 |
|_______________|
/etc/hosts:
206.81.41.1 hollenberg_001.iamerica.net hollenberg_001
206.81.41.8 opie.iamerica.net opie pfa-out
206.81.41.4 barney.iamerica.net barney
206.81.41.5 bea.iamerica.net bea printer
206.81.41.7 clara.iamerica.net clara
206.81.41.3 helen.iamerica.net helen
206.81.41.6 office.iamerica.net
Most of these need to be moved to the "Internal Net"
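As an added example (not from the original post), the subnet arithmetic behind the 255.255.255.192 split, written so it works for any last-octet mask, plus an audit that reads an /etc/hosts in the format above and lists the hosts still sitting on the BARE subnet. The subnet names follow the diagram (first quarter BARE, second DMZ, third Internal, fourth unused); the hosts file is a constructed copy of the one above, and the assumption that the router (.1) and pacfil's outer interface (.8, "pfa-out") are the only hosts allowed to stay on BARE is mine.

```shell
# Constructed copy of the /etc/hosts shown above.
SAMPLE_HOSTS='206.81.41.1 hollenberg_001.iamerica.net hollenberg_001
206.81.41.8 opie.iamerica.net opie pfa-out
206.81.41.4 barney.iamerica.net barney
206.81.41.5 bea.iamerica.net bea printer
206.81.41.7 clara.iamerica.net clara
206.81.41.3 helen.iamerica.net helen
206.81.41.6 office.iamerica.net'

MASK_LAST=192   # last octet of 255.255.255.192 -> blocks of 256-192 = 64 addresses

# subnet_index IP [MASKLAST] -> which block of the class C the address is in
# (assumes a contiguous mask, i.e. MASKLAST in 128,192,224,...)
subnet_index() {
    last=${1##*.}; mask=${2:-$MASK_LAST}
    echo $(( last / (256 - mask) ))
}

# subnet_name IP -> BARE | DMZ | INTERNAL | UNUSED, per the diagram above
subnet_name() {
    case $(subnet_index "$1") in
        0) echo BARE ;; 1) echo DMZ ;; 2) echo INTERNAL ;; *) echo UNUSED ;;
    esac
}

# subnet_range IP [MASKLAST] -> "first-last" address of the block holding IP
subnet_range() {
    net=${1%.*}; mask=${2:-$MASK_LAST}; size=$(( 256 - mask ))
    base=$(( $(subnet_index "$1" "$mask") * size ))
    echo "$net.$base-$net.$(( base + size - 1 ))"
}

# audit_hosts "name1 name2" < hosts -> "name ip" for every host still on BARE
# that is not in the keep list (the ones that have to move behind the filter)
audit_hosts() {
    keep=" $1 "
    while read -r ip fqdn alias rest; do
        case $ip in ''|\#*) continue ;; esac          # skip blank/comment lines
        name=${alias:-${fqdn%%.*}}                    # short name, or host part of FQDN
        [ "$(subnet_name "$ip")" = BARE ] || continue
        case $keep in *" $name "*) ;; *) echo "$name $ip" ;; esac
    done
}
```

Run as `audit_hosts "hollenberg_001 opie" < /etc/hosts`; every line printed is a host that still needs a new address in 206.81.41.128-191 before the filter goes live.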
DNS database file names:
/etc/named.boot
/usr/local/named/db.rcwm
/usr/local/named/db.206.81.41
/usr/local/named/db.127.0.0
/usr/local/named/db.cache
FILE CONTENTS:
/etc/named.boot:
PRIMARY:
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
directory /usr/local/named
primary rcwm.com db.rcwm
primary 41.81.206.in-addr.arpa db.206.81.41
primary 0.0.127.in-addr.arpa db.127.0.0
cache . db.cache
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
SECONDARY:
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
directory /usr/local/named
secondary rcwm.com 206.81.41.130 db.rcwm
secondary 41.81.206.in-addr.arpa 206.81.41.130 db.206.81.41
primary 0.0.127.in-addr.arpa db.127.0.0
cache . db.cache
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
/usr/local/named/db.rcwm:
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
rcwm.com. IN SOA mailhub.rcwm.com. speed.rcwm.com. (
1 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
;
; Name Servers
;
rcwm.com. IN NS mailhub.rcwm.com.
rcwm.com. IN NS bast1.rcwm.com.
;
; MX records
;
rcwm.com. IN MX 10 mailhub.rcwm.com.
rcwm.com. IN MX 20 bast1.rcwm.com. ; bast1 = mail relay
barney.rcwm.com. IN MX 10 barney.rcwm.com.
barney.rcwm.com. IN MX 20 mailhub.rcwm.com.
barney.rcwm.com. IN MX 30 bast1.rcwm.com. ; bast1 = mail relay
; Do these later when I get this stuff figured out for real.
;opie.rcwm.com. IN MX 10 bast1.rcwm.com.
;clara.rcwm.com. IN MX 10 bast1.rcwm.com.
;
; Addresses for canonical names
;
localhost.rcwm.com. IN A 127.0.0.1
hollenberg_001.rcwm.com. IN A 206.81.41.1
bast1.rcwm.com. IN A 206.81.41.66
rcwm.com. IN A 206.81.41.66
mailhub.rcwm.com. IN A 206.81.41.130
barney.rcwm.com. IN A 206.81.41.131
opie.rcwm.com. IN A 206.81.41.132
bee.rcwm.com. IN A 206.81.41.133
clara.rcwm.com. IN A 206.81.41.134
helen.rcwm.com. IN A 206.81.41.135
home.rcwm.com. IN A 206.81.41.136
office.rcwm.com. IN A 206.81.41.137
;mag
;mr
;nuc1
;ge
pacfil.rcwm.com. IN A 206.81.41.8
pacfil.rcwm.com. IN A 206.81.41.65
pacfil.rcwm.com. IN A 206.81.41.129
;
; Aliases
;
pf.rcwm.com. IN CNAME pacfil.rcwm.com.
;
; Interface specific names
;
pf0.rcwm.com. IN A 206.81.41.8
pf64.rcwm.com. IN A 206.81.41.65
pf128.rcwm.com. IN A 206.81.41.129
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
/usr/local/named/db.206.81.41
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
41.81.206.in-addr.arpa. IN SOA mailhub.rcwm.com. speed.rcwm.com. (
1 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
;
; Name Servers
;
41.81.206.in-addr.arpa. IN NS mailhub.rcwm.com.
41.81.206.in-addr.arpa. IN NS bast1.rcwm.com.
;
; Addresses point to canonical name
;
1.41.81.206.in-addr.arpa. IN PTR hollenberg_001.rcwm.com.
8.41.81.206.in-addr.arpa. IN PTR pacfil.rcwm.com.
65.41.81.206.in-addr.arpa. IN PTR pacfil.rcwm.com.
66.41.81.206.in-addr.arpa. IN PTR bast1.rcwm.com. ; matches A record in db.rcwm
129.41.81.206.in-addr.arpa. IN PTR pacfil.rcwm.com.
130.41.81.206.in-addr.arpa. IN PTR mailhub.rcwm.com. ; matches A record in db.rcwm
131.41.81.206.in-addr.arpa. IN PTR barney.rcwm.com.
132.41.81.206.in-addr.arpa. IN PTR opie.rcwm.com.
133.41.81.206.in-addr.arpa. IN PTR bee.rcwm.com.
134.41.81.206.in-addr.arpa. IN PTR clara.rcwm.com.
135.41.81.206.in-addr.arpa. IN PTR helen.rcwm.com.
136.41.81.206.in-addr.arpa. IN PTR home.rcwm.com.
137.41.81.206.in-addr.arpa. IN PTR office.rcwm.com.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
/usr/local/named/db.127.0.0
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
0.0.127.in-addr.arpa. IN SOA mailhub.rcwm.com. speed.rcwm.com. (
1 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
;
; Name Servers
;
0.0.127.in-addr.arpa. IN NS mailhub.rcwm.com.
0.0.127.in-addr.arpa. IN NS bast1.rcwm.com. ; trailing dot required, else the name is relative to the zone
;
; Address points to canonical name
;
1.0.0.127.in-addr.arpa. IN PTR localhost.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
/usr/local/named/db.cache
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
. 99999999 IN NS a.root-servers.net.
. 99999999 IN NS b.root-servers.net.
. 99999999 IN NS c.root-servers.net.
. 99999999 IN NS d.root-servers.net.
. 99999999 IN NS e.root-servers.net.
. 99999999 IN NS f.root-servers.net.
. 99999999 IN NS g.root-servers.net.
. 99999999 IN NS h.root-servers.net.
. 99999999 IN NS i.root-servers.net.
. 99999999 IN NS j.root-servers.net.
. 99999999 IN NS k.root-servers.net.
. 99999999 IN NS l.root-servers.net.
. 99999999 IN NS m.root-servers.net.
a.root-servers.net. 99999999 IN A 198.41.0.4
b.root-servers.net. 99999999 IN A 128.9.0.107
c.root-servers.net. 99999999 IN A 192.33.4.12
d.root-servers.net. 99999999 IN A 128.8.10.90
e.root-servers.net. 99999999 IN A 192.203.230.10
f.root-servers.net. 99999999 IN A 192.5.5.241
g.root-servers.net. 99999999 IN A 192.112.36.4
h.root-servers.net. 99999999 IN A 128.63.2.53
i.root-servers.net. 99999999 IN A 192.36.148.17
j.root-servers.net. 99999999 IN A 198.41.0.10
k.root-servers.net. 99999999 IN A 193.0.14.129
l.root-servers.net. 99999999 IN A 198.32.64.12
m.root-servers.net. 99999999 IN A 202.12.27.33
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
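As an added example (not from the original post), a consistency check between the forward and reverse zone files above: it parses the A and PTR records and reports addresses that have an A record but no PTR (mail relays without reverse DNS get refused by a lot of MTAs) and PTRs that point at names with no A record. The zone excerpts are constructed from the files above; the "oldbox" PTR is made up to exercise the second check.

```shell
# Constructed excerpts of db.rcwm and db.206.81.41 (see the files above).
FWD='rcwm.com. IN SOA mailhub.rcwm.com. speed.rcwm.com. ( 1 10800 3600 604800 86400 )
rcwm.com. IN NS mailhub.rcwm.com.
bast1.rcwm.com. IN A 206.81.41.66
mailhub.rcwm.com. IN A 206.81.41.130
barney.rcwm.com. IN A 206.81.41.131
opie.rcwm.com. IN A 206.81.41.132
pacfil.rcwm.com. IN A 206.81.41.8
pf0.rcwm.com. IN A 206.81.41.8   ; interface-specific name, same address'
REV='8.41.81.206.in-addr.arpa. IN PTR pacfil.rcwm.com.
131.41.81.206.in-addr.arpa. IN PTR barney.rcwm.com.
132.41.81.206.in-addr.arpa. IN PTR opie.rcwm.com.
140.41.81.206.in-addr.arpa. IN PTR oldbox.rcwm.com.   ; constructed stale entry'

# a_records < zone -> "ip name" for every A record (";" comments stripped first)
a_records() { awk '{ sub(/;.*/, "") } $2 == "IN" && $3 == "A" { print $4, $1 }'; }

# ptr_records < zone -> "ip name" for every PTR, un-reversing the in-addr.arpa owner
ptr_records() {
    awk '{ sub(/;.*/, "") } $2 == "IN" && $3 == "PTR" {
        split($1, o, ".")                      # o[1..4] are the reversed octets
        print o[4] "." o[3] "." o[2] "." o[1], $4 }'
}

# tagged FWDTEXT REVTEXT -> one stream of "A ip name" and "P ip name" lines
tagged() {
    printf '%s\n' "$1" | a_records | sed 's/^/A /'
    printf '%s\n' "$2" | ptr_records | sed 's/^/P /'
}

# missing_ptr FWDTEXT REVTEXT -> "name ip" for A records whose address has no PTR
missing_ptr() {
    tagged "$1" "$2" | awk '$1 == "P" { p[$2] = $3 } $1 == "A" { a[$2] = $3 }
        END { for (ip in a) if (!(ip in p)) print a[ip], ip }' | sort
}

# dangling_ptr FWDTEXT REVTEXT -> "name ip" for PTRs whose address has no A record
dangling_ptr() {
    tagged "$1" "$2" | awk '$1 == "A" { a[$2] = $3 } $1 == "P" { p[$2] = $3 }
        END { for (ip in p) if (!(ip in a)) print p[ip], ip }' | sort
}
```

On the real files: `missing_ptr "$(cat /usr/local/named/db.rcwm)" "$(cat /usr/local/named/db.206.81.41)"`; rerun it after every zone edit and bump the SOA serial when the output is clean.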
VMailer setup:
I am setting up VMailer on a firewall and would like to confirm the setup and ask a couple of questions. Sorry for the length, but I didn't want to leave out details necessary to understand my questions. If it is inappropriately detailed... hammer away at me.
The Domain is changing from "iamerica.net" to "rcwm.com".
------- inet
2 |
B 0 |
A 6 |
R : pipeline50 206.81.41.1 (hollenberg_001)
E 8 |
1 |
N : HUB-----hosts that I'm using to type todays email
E 4 | till I finish up this firewall.
T 1 |
: |
0 |
-------
|
|
_______ -----------------------
| 206.81.41.8 |
2 | |
0 | |
6 | |
D : | | _____________
M 8 | | | |
Z 1 | 206.81.41.65 |--------------| bast1 |
: | | |206.81.41.66
|<-MailRelay
N 4 | | | mail & DNS |
E 1 | pacfil | |_____________|
T : | (Packet Filter) |
6 | |
4 | |
| |
| |
| |
| 206.81.41.129 |
------- -----------------------
|
I 2 |
N 0 |
T 6 |
E : | ---------------
R 8 | | |
N 1 HUB---------| mailhub |
A : | | |<-MailHub
L 4 | | 206.81.41.130 |
1 | | |
N : | ---------------
E 1 ---------------
T 2 | |
8 | barney |
| (mail-client) |<-MailClient
| 206.81.41.131 |
|_______________|
Three different VMailer configurations: Mail Relay, Mail Hub and Mail Client:
Mail Relay - forward all "To: user@rcwm.com" -> mailhub
forward all "To: user@host.inet" -> host.inet
Mail Hub - rewrites addresses of the form "speed@rcwm.com" to "speed@barney.rcwm.com" and delivers.
Mail Client - forward all NON-rcwm.com outgoing mail to Mail Relay (bast1).
Deliver rcwm.com mail directly, with different address forms:
- "speed"
- "speed@barney"
- "speed@barney.rcwm.com"
Solutions?
1) Mail Relay - "speed@rcwm.com" MX records:
rcwm.com. IN MX 10 mailhub.rcwm.com.
rcwm.com. IN MX 20 bast1.rcwm.com. ; bast1 = mail relay
"speed@barney.rcwm.com" MX records:
barney.rcwm.com. IN MX 10 barney.rcwm.com.
barney.rcwm.com. IN MX 20 mailhub.rcwm.com.
barney.rcwm.com. IN MX 30 bast1.rcwm.com. ; bast1 = mail relay
"user@host.inet"
relaydomain = $mydomain
2) Mail Hub - Rewrites:
alias_maps = /etc/aliases
cat /etc/aliases
speed@rcwm.com: speed@barney.rcwm.com
eliz@rcwm.com: eliz@clara.rcwm.com
etc.
3) Mail Client -
"user@host.inet" relayhost = bast1.rcwm.com (Intranet vs. Internet)
"speed" myorigin = $mydomain
"speed@rcwm.com" alias_maps = /etc/aliases
"speed@barney.rcwm.com" deliver directly as preferred MX record.
4) Forwarding mail to a second host machine.
mail to "speed@opie" needs to go to "speed@barney"
On opie in "~/.forward" file:
cat ~/.forward
speed@barney
? - Are #'s 1, 2 and 3 above the correct way to handle this, or is there a better way?
? - How do I implement #3 using sendmail? I don't want to switch out some of my users' MTAs just yet (my wife's especially). I have the batbook so you can give me some page numbers. I'll be looking through it this AM but would appreciate any tips.
Thanks for your patience!
Do the install up to the dselect prompt.
Place the Debian binaries CD-ROM in the system.
su
run script: bast_install (filter_install to follow)
cd /
mount /dev/scd0 /mnt
cd /mnt/bo/binary-i386
#
# The following section adds packages needed to build a packet-filter:
#
dpkg -i `find . -name "tcl74_*.deb"`
dpkg -i `find . -name "expect_*.deb"`
dpkg -i `find . -name "at_*.deb"`
dpkg -i `find . -name "bin86_*.deb"`
dpkg -i `find . -name "binutils_*.deb"`
dpkg -i `find . -name "bsdmainutils_*.deb"`
dpkg -i `find . -name "cpp_*.deb"`
dpkg -i `find . -name "cron_*.deb"`
dpkg -i `find . -name "dnsutils_*.deb"`
dpkg -i `find . -name "dpkg-dev_*.deb"`
dpkg -i `find . -name "ed_*.deb"`
dpkg -i `find . -name "electric-fence_*.deb"`
dpkg -i `find . -name "gcc_*.deb"`
dpkg -i `find . -name "gdb_*.deb"`
dpkg -i `find . -name "kernel-source-2.0.30_*.deb"`
dpkg -i `find . -name "kernel-package_*.deb"`
dpkg -i `find . -name "less_*.deb"`
dpkg -i `find . -name "libbfd2.7.0.9_*.deb"`
dpkg -i `find . -name "libc5-dev_*.deb"`
dpkg -i `find . -name "libdb1-dev_*.deb"`
dpkg -i `find . -name "libg++27_*.deb"`
dpkg -i `find . -name "libg++27-dev_*.deb"`
dpkg -i `find . -name "libgdbm1-dev_*.deb"`
dpkg -i `find . -name "libreadline2-dev_*.deb"`
dpkg -i `find . -name "m4_*.deb"`
dpkg -i `find . -name "make_*.deb"`
dpkg -i `find . -name "netstd_*.deb"`
dpkg -i `find . -name "nvi_*.deb"`
dpkg -i `find . -name "patch_*.deb"`
dpkg -i `find . -name "perl_*.deb"`
I need to fix the order of installation of the above deb packages to take care of the depends... I just ran the script several times and that seemed to work. ssh is not on the CD so I guess I'll have to do something different for that. If a more recent kernel is needed we'll have to ftp that as well.
Henry Hollenberg speed@barney.iamerica.net
--
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org