Re: Re[2]: Firewall in an internet-caffe

To: IronHand <ironhand@go2.pl>
Cc: Debian-Firewall <debian-firewall@lists.debian.org>
Subject: Re: Re[2]: Firewall in an internet-caffe
From: Ray Olszewski <ray@comarre.com>
Date: Sat, 26 May 2001 17:49:27 -0700
Message-id: <2.2.32.20010527004927.00c96aa8@[192.168.1.23]>
I've added the mailing list back in. Your complete reply to me, for the
benefit of others, follows my comments below.

At 01:28 AM 5/27/01 +0200, you wrote:
>Hello!
>Thank You for quick answer.

Glad I could help. Here are a couple of additional thoughts.

1. If you put the FTP/MAIL/WWW server on the same Ethernet as the Windows
clients, you necessarily weaken your firewall protection of those Windows
clients (because you have to permit some external traffic to get in to make
the FTP/MAIL/WWW server work). You may also need to provide an authoritative
DNS server ... you don't say enough about your situation for me to tell ...
and that too is a service commonly DMZ'd. As is POP3 or IMAP. If you offer
shell accounts, it gets even worse.

2. As to where to provide shell accounts, you have only three options:

        A. On the router/firewall. That is the last place you want them; the
security of this host should be paramount.

        B. On the FTP/MAIL/WWW server. Not impossible, but risky ... if
someone uses a weak password and gets his or her account cracked, you
provide access to all of your external services.

        C. On a different machine. 

If you exclude choice C, I certainly think B is better than A ... but not
offering the service at all is (probably) even better.

3. As to how to use your 32 addresses ... as I said before, you haven't
described your LAN in enough detail for me to give you more than some
preliminary thoughts. If you want more feedback on that, please describe in
a bit more detail how you intend to configure the router/firewall. For
example, you previously said you would give it IP address a.b.c.1. Though
this usage is common shorthand, it really is inaccurate -- *interfaces* get
IP addresses, not *hosts*. A router has (at least) two IP addresses, on two
different networks. If the router/firewall's *internal* interface is
a.b.c.1, then what is its external IP address (the one that connects the
router to the Internet)? Does you ISP know that that IP address is *its*
route to a.b.c.0/27?

4. I was neither offended by anything you said nor disappointed in your
language skills (which are, in point of fact, quite good). All I intended to
say was that your question about using ipchains was too vague to be answered
in any meaningful way. Firewalling is a well-developed specialty, and you
would benefit from reading some of the basic documents on it, and perhaps
looking at some of the available firewalling packages for Linux (such as
seawall, a Sourceforge project). Or perhaps not ... your more recent
comments indicate a greater breadth of knowledge than I inferred from your
first message.

>As an answer for Your letter, I would like to write:
>
>> Hmmmm ... it looks to me like you have some potential problems you are
>> unaware of at the routing (not the firewalling) level.
>
>Maybe a bit.
>
>> Now as described, the 30 available addresses are all on the same network.
>> From  your diageam, I'm not sure if you intend to use 2 or 3 NICs -- that
>> is, will the FTP/MAIL/WWW server be on the same LAN as the Windows
>> workstations or will it be on a separate LAN (commonly called a DMZ in the
>> world of firewalls)? Either answer gives you problems.
>
>I know it's called DMZ, but I don't like this name. Well, I was thinking
>about the same ethernet.
>
>[cut]
>>         eth0 is the external connection to the Internet. It is (I'll
>>                 guess; your description isn't actually complete enough
>>                 for me to be sure) IP address a.b.c.1 .
>>         eth1 is the internal connection to the DMZ. It uses some
>>                 private-address range (e.g., 192.168.1.0/24), and
>>                 your FTP/MAIL/WWW server gets an address on that
>>                 network. eth1 gets (for example) IP address 
>>                 192.168.1.1 and that address is the gateway address
>>                 for DMZ servers.
>>         eth2 is the internal connection to your "cafe" LAN. It uses
>>                 a different private-address range (e.g., 192.168.2.0/24),
>>                 and each Windows client cets an address in that range.
>>                 eth2 gets (for example) IP address 192.168.2.1 and 
>>                 that address is te gateway address for the Windows
>>                 workstations.
>
>Well, 192.168.1.* states for masquerading, but I have 32 IP's. I don't
>need masqerading (it would be stupid I think; 32 lines with 4kbps every
>and using only one?), I just need to filter packages going from/to my
>internet provider using firewall. Every computer in caffe has it's own
>IP in Internet, so server needs to be a router for Win's and a DNS
>server for DMZ with ftp/www/etc... Am I right? I can firewall data
>directly on every Windows system, but I don't want it. It's how the
>present administrator did it:
>
>*************** --- to Windows based computers (ethernet)
>*INET PROVIDER* --- Slackware with shell accounts
>*************** --- Slackware with DNS, www, ftp, mail
>
>I want to make one computer a firewall.
>
>> Now, using the "policy routing" features of the 2.2.x kernel (I haven't
>> checked into what 2.4.x does here),
>
>I'm pretty sure I'll be using 2.2.19 kernel.
>
>[cut]
>> Now, that's just the routing part of your problem. There is still the
>> firewalling part. Yes, firewalling (in this context) is just a matter of
>> setting a bunch of ACCEPTs and DENYs (and REJECTs, possibly). But that isn't
>> much help; it's like saying that computer programming is just getting the 1s
>> and 0s in the right order  -- true but unintructive. You should look at the
>> Firewalling HowTo
>
>OK, It's not an offence I presume ;). My english is not-so-good so I
>prefered not to write to much. I wasn't saying, that I'm only going to
>use ipchains. I will also apply kernel patch from solar designer at
>www.openwall.com (I think). Also portsentry will be used or some good
>equivalent (do You know about something that doesn't open every port?).
>I will also chroot everything I can (BIND, ProFTPD [partly], and so on).
>Some other ideas are also in my head, but I'm not sure about them yet
>(some of them are contradictory with programs licences).
>
>> and some standard references on firewalling (a good place
>> to start is at lrp.c0wz.com, a directory site for Linux Router Project
>> documents) to get a better feel for the kinds of tradeoffs you need to
>> consider.
>
>Thanks.
>
>> accounts would naturally be on a (probably separate) shell server located in
>> the DMZ.
>
>But if not 'separated', than at which one would You recomend?
>
>Best Regards
>IronHand
>-- 
>nIck: IronHand of CruX     /GCS d-(++) s:- a18 C++ UL++++ P+++ L++@ E\
>maIl:                     { W+++ N+ o? K? w+++ !O M V? PS+ PE- Y PGP- }
>ironhand@zsno.ids.czest.pl \t+ 5+ X- R++ tv b+ DI? D+ G++ e- h! r% y-/
>
>
>

--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA           	 	         ray@comarre.com        
----------------------------------------------------------------
Reply to:
Follow-Ups:
- Re: Re[2]: Firewall in an internet-caffe
  - From: "Robert Davies" <Rob_Davies@NTLWorld.Com>
Prev by Date: Re: Firewall in an internet-caffe
Next by Date: Re: Multiple DSLs, and switching incoming route upon failure?
Previous by thread: Re: Firewall in an internet-caffe
Next by thread: Re: Re[2]: Firewall in an internet-caffe
Index(es):
- Date
- Thread