
Re: Newbie Questions Part 1



On Wed, 8 Nov 2000, Michael Boyd wrote:

> I am quite new to Debian and Linux in general, and really started using
> Debian as it was the only distro. I could find on the net that I could
> install from floppies.  I have graduated to potato CDs now though.

Welcome, Michael.

> [Win. 98 Box]--eth--[Debian Box]--modem--[Internet Service Provider]
> 
> I intend to add other machines on my network later and have the Debian
> Box doing ipmasq, ipchains and diald.
> 
> My first two questions are:-
> 
> Would it be *much* safer to insert a second Debian Box with 2 ethernet
> cards, one machine to do the firewalling and one to make the connection
> to the internet?  Presumably if I did that the machine making the
> internet connection would be potentially vulnerable?

The machine directly exposed to the Internet can be more vulnerable if you
expose anything to the Internet: if you carefully filter incoming
connections and do not offer any services to the external world, it can be
made rather safe though. I recommend using a stateful packet filter on
the firewall (spf for kernels 2.2.x, iptables for kernels 2.4.x) so that
you can deny all connections originating from the Internet while still
being able to do pretty much everything from the inside. Spf and iptables
have been packaged for woody, but the packages can be built from sources
and install smoothly on potato. This, if configured properly, will give
you a reasonably secure home setup. At home, I actually use a Linux box as
a dialer, firewall and masquerading box, pretty much as you describe
(apart from diald, I prefer to connect and disconnect manually), and it
works very well.

> Is there anything wrong with using IP addresses such as 10.0.0.1 and a
> subnet mask of 255.255.255.0 for my machines?  The gateway will have a
> dynamic IP addr. from my ISP as well.

As long as you use non-routable (private) addresses, you can subnet them
as you please. With masquerading, those addresses will be substituted with
the IP of your firewall, and will never be seen on the Internet.

Bye
Giacomo

________________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it, gmulas@tiscalinet.it, gmulas@eso.org>
________________________________________________________________________

OSSERVATORIO  ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222
________________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddie Mercury)
________________________________________________________________________

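As an added example, not code from Giacomo's reply or from Debian: a minimal iptables rule set for the kernel 2.4.x stateful-filter approach he recommends, where one box is dialer, firewall and masquerader. The interface names ppp0 (modem link) and eth0 (LAN) are assumptions; 10.0.0.0/24 is the network Michael asked about.

```shell
#!/bin/sh
# Added example, not code from the thread: iptables (kernel 2.4.x) rule set
# for a box that is dialer, stateful firewall and masquerader in one.
# ppp0/eth0 are assumed interface names; 10.0.0.0/24 is the LAN in the question.
EXT_IF="${EXT_IF:-ppp0}"        # assumed: modem link to the ISP
INT_IF="${INT_IF:-eth0}"        # assumed: ethernet to the Win98 box / LAN
LAN_NET="${LAN_NET:-10.0.0.0/24}"

# Print the rule set rather than applying it, so it can be reviewed (or
# piped into sh as root) and checked without touching a live kernel.
gen_firewall_rules() {
    cat <<EOF
# Default deny on what comes in or passes through; outgoing is free.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback and the LAN side are trusted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_IF -s $LAN_NET -j ACCEPT
# A private source address arriving over the modem link can only be spoofed.
iptables -A INPUT -i $EXT_IF -s $LAN_NET -j DROP
# Stateful rule: only replies to connections we opened get in; nothing
# originating on the Internet is accepted, so no service is exposed.
iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forward LAN -> Internet freely, Internet -> LAN only for replies.
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masquerade: LAN addresses are rewritten to the dynamic $EXT_IF address.
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Number of rule lines that mention a given interface (sanity check helper).
count_rules_for() {
    gen_firewall_rules | grep -v '^#' | grep -c -- "$1"
}

# Apply for real only when asked explicitly and running as root.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = "0" ]; then
    gen_firewall_rules | sh -e
fi
```

Run it without arguments to review the generated rules; `sh firewall.sh apply` as root installs them.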