
Re: Firewall Planning



<quote who="red">
> All,
> This may have come up a billion times in the past
> but, I am setting up a FW  and I have some basic questions:
>
> Setup 1:(idea at least)
>
> 					  Public ip 64.1.1.x
> 				         DMZ HOST (ports80,993,143,53)
> upstream 64.1.1.          	         /
> (internet)---DSLmodem----(64.x)FW(2.x)--HUB/
> 				        \	    1.1.1.0/24
> 				         \Linksys(Wireless router)
> 					  \         \
> 					   \ 	     \
> 				 	   workstation, workstation
>
>
> I have 5 static ips
> Im using a p400 with two nics (deb woody)
>
> Goals:
> I want to do Packet Filtering and logging for the DMZ and the
> workstations:
>
> Questions:
> 1) Do I need three Nics on the Firewall , one for the DMZ?
> 2) In the drawing above I am running DHCP on the LAN with the Linksys
> Wireless router. Should I run DHCP on the LAN interface on the FW
> instead? What would be the benefits/drawbacks?
> 3) If the WAN interface in the router is a 64.1.1.x and the LAN
> interface is a 2.x.x.x/24 will i be able to route the 1.1.1.x/24 and
> DMZ host through the FW?
> 4) I want to use Iptables because I heard they are more advanced than
> ipchains is this true?
> 5) I am somewhat familiar with the command line IPtables commands, but
> was curious at to what other (non gui) tools I could use to write
> rules.?
>
>
>
> Thanks
> In advance
> -red

I proceed to answer your questions according to what I've done in the
past. Some people may or may not disagree.

1) I would set another nic to connect only to the dmz, so yes to the three
nics, this is the most secure way possible.

2) I would run the dhcp in the lan. Why? IMHO the dhcp works only in the
lan and for the lan, so I don't see it necessary to run it in the firewall.

3) Yes you can, thanks to iptables using port forwarding for incoming, nat
for outgoing, etc.

4) Yes, Iptables are more advanced. Ipchains was intended for kernel 2.2.x
and in the near future people won't keep developing them. iptables is the one
for kernel 2.4.x and, correct me if I am wrong, for kernel 2.6.x, allowing many
more options, and the capabilities of iptables are increasing rapidly.
Check netfilter.samba.org for details about this, I may not be giving you
the best explanation.

5) Iptables is the program to generate rules or chains for your firewall;
there are other console and gui programs that can help you generate them.
If you want a quick fast firewall, search for them (freshmeat.net, google),
though if you want to become adept I would suggest you go to
netfilter.samba.org and start studying some of the docs there, they are
great and it's good somebody dedicated his time to make them. There are
some easy examples there. Also I have some examples in my web page
www.debian-gnu.com sections - configurations.

Well, I wish you luck in this matter.

In my case I have more or less same network topology as you plan to make
so if you have further questions I may be able to help.
-daniel
http://www.debian-gnu.com
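The three-NIC layout from answer 1 and the "port forwarding for incoming, nat for outgoing" split from answer 3, written out as an added iptables script. This is example code, not something posted in the thread or taken from the replier's site. The interface names (eth0/eth1/eth2), the private LAN and DMZ ranges (10.2.0.0/24, 10.3.0.2) and the public DMZ address 64.1.1.2 are assumptions standing in for the poster's own addressing; the exposed ports 80, 993, 143 and 53 are the ones listed in the diagram.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for the three-NIC layout
# the reply recommends. Interface names and the private LAN/DMZ addresses are
# assumptions; 64.1.1.2 stands in for one of the poster's five static IPs.
# Run without arguments to print the rules (dry run); run as root with APPLY=1
# to load them.
set -eu

WAN=eth0                 # towards the DSL modem, public 64.1.1.x (assumed name)
LAN=eth1                 # workstations and the Linksys (assumed name)
DMZ=eth2                 # third NIC, DMZ host only (assumed name)
LAN_NET=10.2.0.0/24      # constructed private LAN range
DMZ_HOST=10.3.0.2        # constructed private DMZ host address
PUBLIC_DMZ_IP=64.1.1.2   # public address published for the DMZ host (constructed)
TCP_SERVICES="80 993 143 53"   # ports the poster exposes on the DMZ host
UDP_SERVICES="53"

# Print the command in dry-run mode, execute it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

fw_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi

    # Start clean; default deny on INPUT and FORWARD.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and replies to connections the firewall or LAN initiated.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Administration of the firewall itself only from the LAN side.
    ipt -A INPUT -i "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Workstations out to the Internet, hidden behind the WAN address (question 3, outgoing).
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

    # Published DMZ services: rewrite the public address to the DMZ host and
    # let only those ports through (question 3, incoming). No -i on the FORWARD
    # rule so LAN clients can reach the same services directly.
    for port in $TCP_SERVICES; do
        ipt -t nat -A PREROUTING -i "$WAN" -d "$PUBLIC_DMZ_IP" -p tcp --dport "$port" \
            -j DNAT --to-destination "$DMZ_HOST:$port"
        ipt -A FORWARD -o "$DMZ" -d "$DMZ_HOST" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    for port in $UDP_SERVICES; do
        ipt -t nat -A PREROUTING -i "$WAN" -d "$PUBLIC_DMZ_IP" -p udp --dport "$port" \
            -j DNAT --to-destination "$DMZ_HOST:$port"
        ipt -A FORWARD -o "$DMZ" -d "$DMZ_HOST" -p udp --dport "$port" -j ACCEPT
    done

    # The DMZ never initiates towards the LAN: log such attempts, then the
    # FORWARD policy drops them. This separation is what the third NIC buys (question 1).
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -m limit --limit 5/min -j LOG --log-prefix "FW DMZ->LAN: "

    # Everything else about to hit the DROP policies is logged (the stated logging goal).
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW INPUT DROP: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW FORWARD DROP: "
}

fw_rules
```

Running the script as-is prints every rule, which is worth reading once before loading anything: the `-m state` matches and the rate-limited LOG rules are what make the "packet filtering and logging" goal concrete, and the single DMZ-to-LAN LOG rule is the place to watch in the logs if the DMZ host ever starts behaving badly.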