
Re: firewall script



> Hi,
> 
> I'm installing a 2.0 based firewall in the next few days, so I might as
> well use your script and knock out some of the bugs that will turn up
> when changing to 2.0.
> 
> Also, I'll write some perl Expect scripts to automate the interactive
> bits (I might re-implement the whole thing in perl if it seems
> appropriate)
> 
> Where is the current version ?  If it's not available via ftp/http
> please mail it to the list (it's not too big for that, is it ?)
> 
> Cheers, Phil.

Hey Phil,

It's still incomplete and pretty primitive right now; it's pretty much a
list of commands just thrown together in a script.  Depending on your
expertise, which I imagine is pretty high, you might find a lot of it pretty
obvious (most of it wasn't so obvious for me; my expertise is
rudimentary!).

It might be a little helpful as far as the packages listed, the crude expect
scripts I've done and the order of installation I've worked out so far.

As far as a slick script that gives you a little tutorial, asks some
questions, records your responses and then does the whole install for
you, I've got a ways to go.

This is what I've automated for my setup:

base installation:             done by hand to the point where dselect fires up.
xtra packages to build FW:     automated/primitive script
rebuilding/installing kernel:  automated/primitive script
ifconfig/routing commands:     automated/primitive script
DNS install:                   automated/primitive script

TO DO:

mailer install/config (I was going to try VMailer, probably today)
add my second class C to DNS data (no biggie, just some key pounding,
today)
set up ssh
embed ifconfig/routing into startup scripts

Strip System:

remove unneeded packages
clean start up scripts


I have already tested some of the "strip" steps so I don't think that will
be a problem.  Doing ssh and VMailer right (especially VMailer) will
probably eat the most time.
Then putting it all up for perusal and finding what Debian "policies" I've
broken and need to correct, as well as alternate features that must be
allowed for.  I'll be putting the setup on the net for testing Tuesday;
that's when InterNIC should be switching over to my DNS servers.  The
internal net will change to a separate class C also, but that's only
going to change routing and reverse-DNS.

Then the tough stuff: the tutorial and taking user input, such as DNS
info... probably want to accept some sort of /etc/hosts file format...

My setup at this point is: bare network, then the packet filter, which has
three ethernet segments: one to a DMZ net with the bastion running mail
relay and secondary DNS, then the safe or internal network containing all
my other systems, including mailhub running mail distribution and DNS
primary.  So three machines, one with three ethernet cards, is what I have
set up right now.  See below:

  BARE NET                     inet
  206.81.41.0                   |
                                |
                       pipeline50 206.81.41.1  (hollenberg-001)
                                |
                               HUB----- my regular hosts that I'm using to type this email.
                                |
                                |
                      -----------------------
                     |     206.81.41.8       |
                     |                       |
  DMZ NET            |                       |              _____________
  206.81.41.64       |                       |             |             |
                     |       206.81.41.65    |-------------|   bast1     |
                     |                       |             |206.81.41.66 |
                     |                       |             |  mail & DNS |
                     |        pacfil         |             |_____________|
                     |   (Packet Filter)     |
                     |                       |
                     |     206.81.41.129     |
                      -----------------------
                                |
  INTERNAL NET                  |
  206.81.41.128                 |          ---------------
                                |         |               |
                               HUB--------|    mailhub    |
                                |         | 206.81.41.130 |
                                |          ---------------
                         ---------------
                        |    barney     |
                        | (mail-client) |
                        | 206.81.41.131 |
                        |_______________|




	Henry Hollenberg     speed@barney.iamerica.net 
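
The "ifconfig/routing commands" step and the three-segment layout drawn above, as an added example: this is not Henry's script or anything from the list, just a small sh script that generates the ifconfig/route commands for the packet filter from an address plan and sanity-checks the plan first. The 206.81.41.x addresses are the ones in the diagram; the interface names eth0/eth1/eth2, the 255.255.255.192 (/26) netmask and the pipeline50 as default gateway are assumptions, since the mail does not state them.

```shell
#!/bin/sh
# Added example, not the script discussed on the list: emit the
# ifconfig/route commands for a three-interface Linux 2.0 packet filter
# from a small address plan, after sanity-checking the plan.
#
# Assumed, not stated in the mail: interface names eth0 (bare net),
# eth1 (DMZ), eth2 (internal); a 255.255.255.192 (/26) netmask, which is
# what makes 206.81.41.0, .64 and .128 three nets inside one class C;
# and that the pipeline50 at 206.81.41.1 is the default gateway.

# Address plan: "iface address netmask role", one entry per line.
PLAN='eth0 206.81.41.8 255.255.255.192 bare-net
eth1 206.81.41.65 255.255.255.192 dmz
eth2 206.81.41.129 255.255.255.192 internal'
GATEWAY=206.81.41.1

# dotted quad -> integer
ip2int() {
  IFS=. read -r q1 q2 q3 q4 <<EOF
$1
EOF
  echo $(( (q1 << 24) | (q2 << 16) | (q3 << 8) | q4 ))
}

# integer -> dotted quad
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network address of ADDR under MASK
network_of() {
  int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# directed broadcast of ADDR under MASK
broadcast_of() {
  int2ip $(( $(ip2int "$1") | (~$(ip2int "$2") & 4294967295) ))
}

# check_plan: returns 0 when every interface sits on a distinct network
# and the gateway is on eth0's network, 1 (with a message on stderr)
# otherwise.  Overlapping nets would silently turn the "DMZ" and
# "internal" segments into one routing domain.
check_plan() {
  seen=" "
  bad=0
  while read -r ifc addr mask role; do
    net=$(network_of "$addr" "$mask")
    case "$seen" in
      *" $net "*) echo "error: $ifc ($role) duplicates network $net" >&2; bad=1 ;;
    esac
    seen="$seen$net "
    if [ "$ifc" = eth0 ] && [ "$(network_of "$GATEWAY" "$mask")" != "$net" ]; then
      echo "error: gateway $GATEWAY is not on the $ifc network $net" >&2
      bad=1
    fi
  done <<EOF
$PLAN
EOF
  return $bad
}

# gen_commands: print the ifconfig/route commands in the order they are
# run.  On a 2.0 kernel ifconfig does not add the connected-network route
# by itself (2.2 started doing that), so each interface gets an explicit
# "route add -net" line, and the default route comes last.
gen_commands() {
  while read -r ifc addr mask role; do
    net=$(network_of "$addr" "$mask")
    bcast=$(broadcast_of "$addr" "$mask")
    echo "ifconfig $ifc $addr netmask $mask broadcast $bcast up   # $role"
    echo "route add -net $net netmask $mask dev $ifc"
  done <<EOF
$PLAN
EOF
  echo "route add default gw $GATEWAY"
}

# Usage: review the output, then pipe it into sh on the packet filter,
# or paste it into the startup script once the plan is final.
check_plan && gen_commands
```

The script only prints commands, so it can be run anywhere to review the result before it goes into a startup script; the plan check is the part worth keeping even if the rest is replaced, because a typo that puts the DMZ interface on the bare-net subnet is exactly the kind of mistake a packet filter will not complain about.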



--
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

