
Re: Firewall/Router for Sharing a Cable Modem Connection

To: Michael Boyd <michael.boyd@fabermaunsell.com>
Cc: debian-firewall@lists.debian.org
Subject: Re: Firewall/Router for Sharing a Cable Modem Connection
In-Reply-To: <3DD10BF9.3CDF6952@fabermaunsell.com>

On Tue, Nov 12, 2002 at 02:11:05PM +0000, Michael Boyd wrote:

>                                                      / Beta(W98 Desktop)
> Internet---Cable Modem---Alpha(Firewall/Router)---Hub- Gamma(Debian
> Desktop)
>                            |                         \ X Terminals etc
>                          Omega (Experimental
>                                 Web Server) etc

This is essentially what I have here, except my server is not DMZ'd as
it appears you have done above (if there are indeed 3 NICs in that box).
I wrote a script available that takes care of most of this, if you're


> Is it correct to call Alpha a Firewall/Router?  I gather it will get its
> external IP address dynamically.  I will use NAT to hide the 10.X.X.X
> internal addresses.

I believe it is correct to say it's a router, yes.  Perhaps a different
word would be "gateway".  In any case, you should certainly use it as a
firewall as well.

> 2. What packages do I need over and above those I am familiar with for
> my old dial-up set-up?  I am thinking mainly of DHCP which I believe is
> necessary as I will have a dynamic external IP address.  I think I will
> write the iptables rules by hand.  I used ssh in my previous set-up to
> login to the firewall internally which worked well so I will do that
> again and make sure telnetd isn't on the machine.

Yes, dhclient is probably needed, unless you want to go setting up your
interfaces by hand.  Here again, I have a very similar setup where I use
SSH exclusively, and the firewall box has no keyboard or monitor.  The
aforementioned script takes that into account, FWIW.

> 3. Is a 486 up to the task?  I believe the download rate is up to 512K.

Absolutely.  I have an i486/66MHz handling a 3500kb/sec downstream and a
384kb/sec upstream just fine.  There are only 5 machines behind the box,
but it's my understanding that a 486 can handle more than a T1 worth of

> 4. How can I install Woody with a 2.4 kernel from my CD set?  The
> default seems to be a 2.2 kernel.  I don't understand the instructions
> on the CDs or those I've found on the internet.  I believe I need 2.4 to
> use iptables.

Use the bf2.4 boot floppy images, or one of the netinst CDs that has
that image on it.  That's what I did.  However... once you get going,
you should *really* use GRSecurity to patch up the 2.4 kernel.  It can
be a major pain, but you may thank me (and its authors) one day.

> 5. I want to get emails generated by Alpha (containing logfiles etc)
> delivered via an email address provided by the cable provider *or*
> internally.  Am I correct in thinking exim can do both of these
> alternatives?  Apologies if I am straying 'off list' here.

I am not sure what you're saying here, so I will just add that I have
exim running on my equivalent of your "Omega" above.  It works just fine
for both internal delivery and external SMTP delivered to/from my net.

> 6. Does iptables enable the use of things like ICQ and gaming over the
> internet 'out of the box' without the workarounds necessary when using
> ipchains?

Oh God, you had to bring that up.  ;)  Yes and no.  There are some
helper modules written for 2.4/netfilter, however not for ICQ.  If you
examine the code I have in my script, it might give you some ideas on
how to compensate for these shortcomings.  AFAIK you basically have
three choices:  settle for partial ability the way I've done it; run
a full-blown SOCKS proxy; or use some mini-proxy like ReAIM.


Jeff Bonner

Attachment: pgpvRzPg3tqzL.pgp
Description: PGP signature
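A worked iptables ruleset for the three-NIC topology sketched in the thread (cable modem, LAN hub, DMZ web server), added here as an example; it is not part of the original message and is not the script Jeff refers to. The interface names (eth0 = cable modem, eth1 = LAN, eth2 = DMZ), the subnets 10.0.0.0/24 and 10.0.1.0/24, and the DMZ host address 10.0.1.2 are assumptions. By default the script only prints the commands it would run; set DRY_RUN=0 to apply them as root on the gateway.

```shell
#!/bin/sh
# Added example for the Alpha gateway in the thread: deny by default, NAT the
# 10.x LAN behind a dynamic external address, publish the DMZ web server, and
# keep SSH management reachable from the LAN only. Names below are assumptions.

WAN=eth0              # cable modem side; address comes from dhclient (assumed)
LAN=eth1              # hub with Beta, Gamma and the X terminals (assumed)
DMZ=eth2              # Omega, the experimental web server (assumed)
LAN_NET=10.0.0.0/24   # assumed internal subnet
DMZ_NET=10.0.1.0/24   # assumed DMZ subnet
OMEGA=10.0.1.2        # assumed address of the DMZ web server
DRY_RUN=${DRY_RUN:-1} # 1 = print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

firewall_rules() {
    # Start clean, with DROP policies so anything not listed below is refused.
    run iptables -F
    run iptables -t nat -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    run iptables -A INPUT -i lo -j ACCEPT

    # Anti-spoofing first: private sources never arrive from the cable modem,
    # and the LAN and DMZ ports only carry their own subnet.
    run iptables -A INPUT -i "$WAN" -s 10.0.0.0/8 -j DROP
    run iptables -A FORWARD -i "$WAN" -s 10.0.0.0/8 -j DROP
    run iptables -A INPUT -i "$LAN" ! -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -i "$LAN" ! -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -i "$DMZ" ! -s "$DMZ_NET" -j DROP

    # Replies for connections already allowed below.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DHCP replies so dhclient can keep the dynamic external address.
    run iptables -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT

    # Management: SSH to the gateway from the LAN only, never from outside.
    run iptables -A INPUT -i "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # LAN hosts may open connections to the Internet and to the DMZ.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$DMZ" -m state --state NEW -j ACCEPT

    # The DMZ host may reach the Internet for mail, web and DNS only, and has
    # no rule into the LAN: a compromised Omega stays in the DMZ.
    run iptables -A FORWARD -i "$DMZ" -o "$WAN" -p tcp -m multiport --dports 25,80,443 -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$DMZ" -o "$WAN" -p udp --dport 53 -j ACCEPT

    # Publish the web server: DNAT on the WAN side plus the matching FORWARD rule.
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$OMEGA":80
    run iptables -A FORWARD -i "$WAN" -o "$DMZ" -d "$OMEGA" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # MASQUERADE rather than SNAT: the external address is dynamic, and
    # MASQUERADE picks up the current one and forgets translations when it changes.
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Rate-limited log of what the default policies are about to drop.
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "

    run sysctl -w net.ipv4.ip_forward=1
}

firewall_rules
```

The `-m state` match is the 2.4-era netfilter interface the thread is about; current kernels still accept it (it maps onto the conntrack match). Note that there is deliberately no rule with `-i eth2 -o eth1`: traffic from the DMZ into the LAN is only ever the reply half of a connection the LAN opened.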