Re: configuration of debian firewall / NAT



On Thu, 10 Jan 2002, Carl Buchmann wrote:

> I recently discovered Debian (I was using RedHat for a while) and I'm
> very impressed with the software and its capabilities. I want to
> replace my current RedHat box, which is running as a firewall / NAT, with
> a new Debian box. I would like to know how to configure the firewall and
> NAT script on Debian. All I've done so far is set up potato and
> configured it as a DHCP & Apache server. I was wondering if you could help
> me in any way with setting up a firewall / NAT, and the appropriate steps for
> applying it to Debian.

Welcome to the club. You seem to have followed the same path I (and
many other people here) did some time ago. Debian stable usually has less
"bells and whistles" than the latest RH/SuSE/Mandrake distributions, but
it is invariably and reliably rock solid, once you properly set it up, and
way easier to maintain.

I do administer a firewall on a potato-based box, with a few additions,
remarkably similar to your setup. This firewall has four NICs already, for
the Internet, the protected LAN and two DMZs with different permissions.
Some time ago I used an almost pure potato setup, with the added spf
package (recompiled from unstable) to provide user-space stateful
firewalling. Then, as 2.4.x kernels got more and more reliable, I switched
to them, to be able to use their native stateful packet filtering
capability, and my set of needed filtering rules shrank impressively as
a result. You can get an unofficial (yet valid) set of packages to use
2.4.x kernels at http://people.debian.org/~bunk/debian, e.g. add the lines

deb http://people.debian.org/~bunk/debian potato main
deb-src http://people.debian.org/~bunk/debian potato main

to your /etc/apt/sources.list file. If you choose to install a 2.4.x
kernel, do also install the iptables package from the above (or another)
source.

To configure the firewall, create an init script in /etc/init.d (mine is
called "netfilter"), and add a soft link to it in the rcS.d directory,
making sure it gets called _before_ the network interfaces are brought up,
for maximum security. In Debian, the network is brought up by the
"networking" script, usually softlinked to "S40networking" in the rcS.d
directory, so that you will need to use a lower number for your firewall
setup script (e.g. "S39netfilter" will do). In that script, put a
"DROP" default policy and then add as many exceptions as you need for the
connections that you do need. Since that script runs before you are
connected to the net, there is no DNS available yet when it runs,
therefore you will have to use numeric IP addresses. If you really want to
use names (which makes you somewhat vulnerable to some DNS attacks), split
the script in two: the first one runs before the NICs are brought up, and
it DROPs anything not strictly needed for your firewall to resolve names,
the second, setting up the actual policy, runs after the network is up
and your firewall can resolve addresses.

Also in that script, or in another one, depending on your taste, you may
add any commands needed for your NAT policy (usually one or two commands
are enough for most simple setups).

Another, more flexible but more complex possibility is to add "pre-up", "up",
"down" and "post-down" configuration lines to the /etc/network/interfaces
configuration file, so that you can have a very fine-grained control over
what happens if you bring up or down selected interfaces. This is not how
I implemented my firewall here, but I would probably do so if I were to
redo it anew now. If you wish, I may send you some excerpts of my firewall
setup script, but I will not post it to the list (unless many people are
interested), to avoid annoying others.

Be patient, Debian may require some effort at the beginning but it pays
off handsomely afterwards.

Bye
Giacomo

-- 
_________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>
_________________________________________________________________

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddie Mercury)
_________________________________________________________________
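The procedure Giacomo describes (an /etc/init.d script with a DROP default policy, linked into rcS.d before S40networking, plus the one or two NAT commands) as a worked example. This is an added illustration, not Giacomo's own script; the interface names eth0/eth1, the LAN range 192.168.1.0/24 and the /sbin/iptables path are assumptions, and the DRY_RUN switch exists only so the rule set can be reviewed on a machine where you are not root.

```shell
#!/bin/sh
# /etc/init.d/netfilter -- stateful firewall + NAT for a 2.4.x / iptables box.
# Example script, not the poster's own; names and addresses below are assumed.
# Install it so it runs before the network is brought up (S39 < S40networking):
#   update-rc.d netfilter start 39 S .

EXT_IF=${EXT_IF:-eth0}               # Internet-facing NIC (assumed)
LAN_IF=${LAN_IF:-eth1}               # protected LAN NIC (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}   # private LAN range (constructed value)
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}                # 1 = print the commands instead of running them

# Run one iptables command, or print it when DRY_RUN=1 so the rule set can be
# reviewed without root.  Only numeric addresses are used: this script runs
# before networking, so there is no DNS to resolve names with anyway.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Forwarding between NICs is off by default in the kernel; NAT needs it on.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# DROP everything, then add only the exceptions this box actually needs.
firewall_start() {
    rule -F
    rule -t nat -F
    rule -X
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT DROP

    # loopback traffic is always local
    rule -A INPUT  -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT

    # stateful filtering: replies to conversations we started may come back in
    rule -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # the LAN may open connections to the firewall (DHCP, the Apache server)
    # and through it to the Internet; nothing from the Internet may open one
    rule -A INPUT   -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    rule -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # anti-spoofing: packets claiming a LAN source must never arrive from outside
    rule -A INPUT   -i "$EXT_IF" -s "$LAN_NET" -j DROP
    rule -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP

    # NAT: one masquerading rule covers a simple single-uplink setup
    enable_forwarding
    rule -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

# "stop" flushes the exceptions but keeps the DROP policy, so stopping the
# service never leaves the box wide open.
firewall_stop() {
    rule -F
    rule -t nat -F
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT DROP
}

case "${1:-}" in
    start)   firewall_start ;;
    stop)    firewall_stop ;;
    restart) firewall_stop; firewall_start ;;
    show)    DRY_RUN=1; firewall_start ;;
    "")      ;;   # no action given: only define the functions
    *)       echo "usage: $0 {start|stop|restart|show}" >&2; exit 1 ;;
esac
```

`sh /etc/init.d/netfilter show` prints the full rule set for review before anything is applied. The same script also fits the /etc/network/interfaces alternative mentioned above: a `pre-up /etc/init.d/netfilter start` line on the external interface runs it just before that NIC comes up.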