
Re: Ip_forward trouble



Ok, I think we're starting to home in on an understanding.

I understand the necessity to harden the firewall and the servers behind it,
and this task is most definitely on the list.  I am using the Debian potato
2.2 stock kernel, and thus ipchains.  Constructing these rules is not a
problem.  I think I have a good understanding of the syntax, and have used
scripts in the past to construct working models.

My main problem is with the availability of internet access behind the
firewall.  With all firewall rules disabled (input, output and forward all
set to ACCEPT) I can't get a test box behind the firewall to see the
firewall or any Ethernet signal on the network line.  With the settings I
have described, when I plug a line from the internal adapter of the firewall
to the NIC of the Win2k test box, I expect the link light to come on,
the network indicator in the system tray to show a connection, and to be able
to ping the firewall from the test box, but I am not.  As far as I can tell,
there is no Ethernet signal coming from the firewall to service the internal
network.  This is my problem.

Is there a setting I have forgotten, a service I should be running, a
configuration I am missing?  I have a base potato install, have changed the
ipforward flag in /etc/network/options, installed the second NIC in
/etc/network/interfaces and reset the network.  I have set the Win2k box
TCP/IP settings with the firewall as the gateway and given it an IP in the
firewall's range.  I have flushed the firewall rules and made them all
ACCEPT.  I even put a whimsical penguin sticker on the side of the firewall
but strangely with no effect! What am I missing?

I really appreciate this help,
-Tom




On 1/6/02 5:34 PM, "TOKI -- linux powa :)" <mrlinux5@yahoo.fr> wrote:

> Ok now I understand well.
> Ok your network is very logical. I understand why you chose to take
> 10.0.x.y addresses.
> 
> With debian it should be easy to setup this kind of firewall.
> To my mind because it's just between 2 networks, I would have recommended
> you openBSD. (because of the security of your lab too).
> 
> Debian can be easily a strong firewall (mine is a debian).
> It will let you the choice of 2.2 or 2.4 kernels (I don't recommend 2.5.1
> cause it's still in beta test)
> 
> So with 2.2 you have ipchains, ipmasqadm, and with 2.4 iptable and NAT.
> 
> However you will not have any difficulties to find a solution for your
> prob. You can find lots of scripts for walling your debian on the net.
> 
> try sourceforge.net or freshmeat.net
> 
> Be happy. Your firewall will be easy to set up.
> (But you have to secure it before doing anything else !!!)
> Like removing files or services that you don't need, making strongest
> rules for your wall, compiling your kernel statically etc...
> Tasks that you need to do !!!
> And of course it will not protect you if you don't protect your servers.
> 
> A long task for a newbie but it pays well ;))
> You can be sure .. ;)
> 
> On Sun, 2002-01-06 at 22:47, Thomas Cook wrote:
>> TOKI:
>> 
>> 
>> The use is that I don't really know what I'm doing.  Well, not totally...
>> Here is the lay of the land.
>> 
>> I have a high speed connection connected (appropriately enough) to a
>> hardware router and hub.  This router (192.168.1.1) serves as a DHCP host
>> for my little LAN.  On this LAN there are basically 2 sectors.  The first is
>> the general house computers, used by the people here for surfing and e-mail,
>> nothing fancy.  There are at any time, between 6 and 12 of these, mostly
>> running windows.  Because they have no use for it, all of their ports are
>> blocked from the outside by the router I mentioned.
>> 
>> The second leg of the network is my computer lab.  This lab consists of
>> about 2 dozen boxes running any number of OS's and services like my mail,
>> web site, shell server, etc.  Not all of these are set up, mainly because
>> they need to be seen from the outside, and thus protected.  Hence the
>> firewall (among other protections).
>> 
>> I have set the firewall up on the network, with an IP address from the
>> router, and have left that IP in the DMZ of the router so it is seen from
>> the internet at large.  I want to set up some sort of NAT to translate the
>> ports of the firewall to the appropriate servers behind the firewall.  To
>> avoid any confusion by the people on the larger house network, I was going
>> to use the 10... IP range for the network, but it really makes no difference,
>> and I can just as easily set them up with the subnet you suggest.  (though
>> the term easily may not apply as I have yet to get this working).
>> 
>> I have been fighting with several firewall solutions (smoothwall, Gibraltar,
>> redhat based, openBSD based), but because the box I am using is SCSI based,
>> it has a complicated install, and many distros have trouble.  I like debian,
>> because it installs flawlessly, has that great package system, and I have
>> used it in many of the boxes in the lab.  I have thought about trying a
>> hardware solution (namely a netscreen 5xp) but the price tag of a $500
>> hardware firewall vs. a free debian firewall is always a deal breaker.
>> 
>> Maybe some of this rambling will help,
>> -Tom
>> 
>> 
> 
> 
> 
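As an added illustration (not part of the thread), the script below checks the three software-side items Tom lists for his potato/ipchains box: the ip_forward flag in /etc/network/options, a second non-loopback stanza in /etc/network/interfaces, and ACCEPT policies on the built-in chains as shown by `ipchains -L -n`. It reads from files, so it runs offline against constructed sample contents; the 10.0.0.1 address and eth0/eth1 names are assumptions for the sample.

```shell
#!/bin/sh
# Added example, not from the thread. Each check reads a file so it can be
# pointed at copies of the real files or at the constructed samples below.

# /etc/network/options: potato's networking init script copies this flag
# into /proc/sys/net/ipv4/ip_forward at boot.
forward_enabled() {
    grep -q '^ip_forward=yes' "$1"
}

# /etc/network/interfaces: count "iface" stanzas other than loopback;
# a two-legged firewall needs two.
count_nics() {
    grep '^iface ' "$1" | grep -v '^iface lo ' | wc -l | tr -d ' '
}

# Saved "ipchains -L -n" output: true only if every built-in chain
# (input, forward, output) has policy ACCEPT, i.e. the wide-open test setup.
all_accept() {
    ! grep '^Chain ' "$1" | grep -qv 'policy ACCEPT'
}

# Run the checks against constructed sample files and return a summary line.
demo() {
    d=$(mktemp -d)
    cat > "$d/options" <<'EOF'
ip_forward=yes
spoofprotect=yes
syncookies=no
EOF
    cat > "$d/interfaces" <<'EOF'
auto lo eth0 eth1
iface lo inet loopback
# external leg: address from the house router (constructed sample)
iface eth0 inet dhcp
# internal leg: lab side, 10.0.x.y as in the thread (assumed address)
iface eth1 inet static
    address 10.0.0.1
    netmask 255.255.255.0
EOF
    cat > "$d/chains" <<'EOF'
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
EOF
    f=no; forward_enabled "$d/options" && f=yes
    n=$(count_nics "$d/interfaces")
    a=no; all_accept "$d/chains" && a=yes
    rm -rf "$d"
    echo "forward=$f nics=$n accept=$a"
}
```

None of these settings affect whether a link light comes on; the script only confirms the software side of what Tom describes, not the physical link.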


