Re: newbie firewalling questions
On 16 May 2004, James LeClair wrote:
> Hey all. I am running woody on an old p166 for routing purposes. Works
> quite well. Would like to add firewall functionality, so I have a few
> questions. Also, I am planning on reinstalling with kernel 2.4 as
> opposed to the current config which uses 2.2.
> I realize that I am asking a lot. But with a few examples, I could get
> a grasp on some basic principles that would allow me to get going.
> Thanks in advance for anyone that provides assistance.
> --Wishing all a wonderful summer 2004!
> ---If I recompile 2.4, what are the bare minimum requirements for future
> firewall possibilities?
I presume you mean hardware requirements rather than kernel
configuration or support software requirements.
I happily ran a 2.4 and 2.6 based firewall on equivalent hardware with
64MB of RAM for around five years. I recently upgraded to a P3-500
because it cost the same as the p166 class machine had, and I wanted to
move toward using IPSec which the p166 was not as fast as desired for.
So, your existing hardware should be just fine for any conceivable home
use, as far as I have seen. :)
> ---How do I enable external requests for machines running network services
> internally to be forwarded to their appropriate machines ( ie, ftp, apache
> and ssh as examples )?
Well, at the moment you use ipchains and in the simplest case you could
simply continue to use that, through the ipchains "compatibility"
interface to iptables.
> ---Like above, how do I allow/restrict internal requests, that would only
> be resolvable by being routed externally, possible/impossible?
I would strongly suggest that both of these are easier if you use some
sort of "helper" tool to build the iptables rules, rather than
I use, and recommend, the 'firehol' package that you can find in testing
and unstable, or backport trivially as it is a bash shell script.
You will find it takes a while for it to process your configuration on a
p166 class machine, but that it is quite effective. I was happy with it
for the last years or so on that equivalent hardware.
> /sbin/modprobe ip_masq_raudio
This is the only line that I can see potentially causing you problems.
I don't believe that the RealAudio masquerade module has been ported
forward to iptables at this point.
There are no dangerous thoughts; thinking itself is dangerous.
-- Hannah Arendt
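For the port-forwarding question above (ftp, apache and ssh on internal machines), here is an added example of the raw iptables rules a 2.4 kernel needs; it is not from the original mail or from the firehol package. Interface names, the LAN range and the internal host addresses are assumptions, and the script only prints the rules so they can be reviewed before being piped into a root shell.

```shell
#!/bin/sh
# Constructed example: print the iptables rules that publish ssh, http and
# ftp from internal hosts through a two-interface router (2.4 kernel).
# Interface names and addresses below are assumptions, not from the mail.
EXT_IF="${EXT_IF:-eth0}"              # assumed internet-facing interface
INT_IF="${INT_IF:-eth1}"              # assumed LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed LAN range

# forward_rule PROTO EXT_PORT INT_HOST INT_PORT
# Prints the two rules one published service needs: a DNAT in the nat
# table and a matching FORWARD accept limited to NEW connections, so
# only the one port reaches the one host; replies use the state rule.
forward_rule() {
    proto=$1; eport=$2; host=$3; iport=$4
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$EXT_IF" "$proto" "$eport" "$host" "$iport"
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$EXT_IF" "$INT_IF" "$proto" "$host" "$iport"
}

# base_rules prints what every forwarded service depends on: drop
# forwarded traffic by default, allow established flows both ways,
# let the LAN out, and masquerade it behind the external address.
base_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}

# ruleset prints the complete set; run "ruleset | sh" as root to apply.
# ftp data connections additionally need the ip_conntrack_ftp and
# ip_nat_ftp modules loaded so the RELATED match covers them; as the
# reply notes, there is no equivalent helper for RealAudio in iptables.
ruleset() {
    base_rules
    forward_rule tcp 22 192.168.1.10 22   # ssh   (assumed host)
    forward_rule tcp 80 192.168.1.20 80   # apache (assumed host)
    forward_rule tcp 21 192.168.1.30 21   # ftp control channel (assumed host)
}

ruleset
```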