
Re[4]: Firewall in an internet-caffe


In answer to your letter, I would like to write:

> So my preference would be to use the 32 IP addresses for the DMZ, I'd run
> a squid proxy,

Quite impossible. Squid needs a fast hard disc, which is unreachable (yet!).
Maybe some day, but not now.

> and have browsers use it, which will conserve your bandwidth,
> and offer faster access when pages are revisited.

I agree, but the most important thing for customers is IRC and netplay
(StarCraft and Quake I-III). Web pages are not so important for me now.

> So you might
> like to take a look at something like Smoothwall, which can do firewalling
> on older legacy hardware and has good support for things like IPSEC, routing
> and packet filtering (plus IIRC incoming dial up), see www.smoothwall.org.

I'll check this out. Thanks.

> For shell access I'd suggest rather than allowing telnet, to use OpenSSH and

I thought that's obvious. :)

> It's not really clear to me what you are protecting,

Mostly Windows (DoS attacks), and Linux from the previous administrator.
He enjoys cracking in and destroying data on the HDD. :(

> then you are only left with the problem of the shell accounts.  This should
> really be on a separate machine, a play pen box, which is not trusted,
> depending on what you're offering it might be best to segregate that one
> completely by splitting the DMZ.

I thought about a modified bash with double logging, sending a log backup
every 30 min to a trusted server, and an extension to bash that allows
accepting and denying some commands. That's my friend's idea. It will be an
easy one. I want to cheat a little, so I'm going to copy almost every file
from / to /fake and start every shell account from there. It will take users
some time to find out what's going on...
I know it'll consume some space, but I think it's worth it.

Best Regards
nIck: IronHand of CruX     /GCS d-(++) s:- a18 C++ UL++++ P+++ L++@ E\
maIl:                     { W+++ N+ o? K? w+++ !O M V? PS+ PE- Y PGP- }
ironhand@zsno.ids.czest.pl \t+ 5+ X- R++ tv b+ DI? D+ G++ e- h! r% y-/
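As an added example, not code from the original mail or from its author: a minimal restricted shell in POSIX sh that implements the two ideas in the last paragraph, an accept/deny list for commands and every command logged twice, once locally and once to a copy destined for the trusted server. The allowlist, the log paths under $JAIL_LOGDIR, and the second log file standing in for the scp/syslog push to the trusted box are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail): a tiny restricted login shell
# with an accept/deny list and double logging.
# Assumptions (hypothetical, for illustration): the allowlist below, log files
# under $JAIL_LOGDIR, and a "remote" log file written in place of a real
# scp/syslog push to the trusted server.

JAIL_LOGDIR="${JAIL_LOGDIR:-$(mktemp -d)}"
LOCAL_LOG="$JAIL_LOGDIR/local.log"
REMOTE_LOG="$JAIL_LOGDIR/remote.log"   # stand-in for the trusted-server copy

# Commands a shell-account user may run (matched on the first word only).
ALLOWED="ls cat pwd echo date who finger"

is_allowed() {
    # Refuse any line with shell metacharacters outright: no chaining,
    # redirection or substitution can smuggle a second command past the check.
    case "$1" in
        *[';|&<>`$()']*) return 1 ;;
    esac
    set -- $1
    cmd=$1
    for a in $ALLOWED; do
        [ "$a" = "$cmd" ] && return 0
    done
    return 1
}

log_line() {
    # Double logging: local file plus the copy destined for the trusted box.
    line="$(date -u +%Y-%m-%dT%H:%M:%SZ) user=${USER:-unknown} verdict=$1 cmd=$2"
    printf '%s\n' "$line" >> "$LOCAL_LOG"
    printf '%s\n' "$line" >> "$REMOTE_LOG"
}

restricted_run() {
    # Run one command line if it passes the allowlist; log either way.
    if is_allowed "$1"; then
        log_line ALLOW "$1"
        set -- $1        # word-split (and glob) the line like a normal shell
        "$@"
    else
        log_line DENY "$1"
        echo "restricted shell: command not permitted" >&2
        return 127
    fi
}

count_log() {
    # Number of entries with the given verdict (ALLOW/DENY) in the local log.
    grep -c "verdict=$1 " "$LOCAL_LOG" 2>/dev/null || true
}

# Interactive loop for use as a login shell: read a line, run it, repeat.
main_loop() {
    while printf 'jail$ ' && IFS= read -r line; do
        [ -z "$line" ] && continue
        restricted_run "$line" || true
    done
}
```

To use it as the account's login shell, source the file and call main_loop from a wrapper script, then point the user's shell at that wrapper; a cron job that ships $REMOTE_LOG to the trusted server every 30 minutes completes the "log backup" half of the idea.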
