
Re: Firewall question



On Fri, Jan 28, 2000 at 09:26:46AM -0500, Bill White wrote:
> Hi.  I have a question about how powerful my firewall computer should
> be.
> 
> I want to make a firewall for a small constellation of computers
> in my living room.  Behind the firewall I will have two Win98 computers,
> one computer which boots Win98 or several flavors of Unix/Linux, and
> one Hurd box.  This system will be entirely single user at any one
> time, though there may be different users.  The network application
> will mostly be using VPN software to use Outlook and downloading
> source files through a CM system.  Think of it as using CVS on a
> 1.0e6 line SW project, with 10 or so engineers making changes.  I
> will need to fetch changed files from the internal network.
> 
> I have an old 486DX120 machine which needs memory.  I was planning
> to put 32Mb in it and letting it be the firewall.  The two Win98
> machines are on one subnet, and one hub, and everything else is
> on a second hub and subnet, so the firewall box will handle
> routing between the two subnets.  I need this to work this way for
> the VPN on the Win98 machines.  The other machines are not involved
> in the VPN at all.
> 
> Does this computer seem reasonably powerful?


I found (via some testing with a friend) that various
denial-of-service attacks sent in high-volume to ANY linux server
running tcplogd and/or icmplogd typically would cause the machine to
keel over dead fairly rapidly -- and not recover -- if the machine was
RAM hungry and had the added disadvantage of being disk IO bound via
slow IDE, whatever...  We played around with a few different machines I
own -- 486 w/32M RAM, K6-2/350 w/96MB RAM, and PIII450 w/128MB RAM.

Machines NOT logging every darn packet that came by typically fared
MUCH better and recovered nicely.

Of course, if you have all the logging stuff on, and someone does this, 
if that machine is the firewall machine, your network's then off-line.  

Of course, such attacks are very indiscreet and most folks have no
reason to do them against people (other than recent strangeness at
Yahoo, and other large companies), and inevitably the attacker makes a
mistake and evidence of their true source is left somewhere... forensics
and syslogd become good friends at that point... :)

So the answer is, "Yes... the 486 will work." -- but it could be taken
off-line fairly easily if you run the logging daemons.  

Other things to consider running on the firewall are port-scan 
detection programs like "snort" and "portsentry".  These can be 
configured to drop network connections from machines doing casual 
port-scanning easily, and if the person doing the scanning is spoofing 
IP addresses... (when will ISPs learn to only route their ASSIGNED
address ranges???? Damn...) then you could end up with a bunch of things
you can't get to on the net until you figure out what happened.  
Depending on the time you have available to play with it, it's very
interesting stuff. 

One friend has portsentry doing a fun thing... every time his firewall
is port-scanned, it pages him on his text pager.  He then gets to log in
via SSH and see what all the fuss is about.  :) :)

-- 
Nate Duehr <nate@natetech.com>

GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
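As an added illustration of the two points Nate makes above about portsentry-style auto-blocking (dropping a host after it probes several ports, and the risk that a scan with a spoofed source address gets a host you depend on blocked), here is a small detector run over constructed log lines. This is example code written for this page; it is not part of the original message and not portsentry's or snort's own logic. The log format, the threshold and window, the addresses, the allowlist and the ipchains rule string are all assumptions.

```python
"""Toy port-scan detector with an allowlist.

Added example, not from the mailing-list post and not portsentry code.
The log format below is a hypothetical "SRC=... DPT=..." packet log;
the addresses, thresholds and allowlist are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log (not real captured traffic):
#  - 203.0.113.7 probes six ports in three seconds        -> a scan
#  - 198.51.100.5 makes two ordinary web connections       -> not a scan
#  - 192.0.2.1 "probes" five ports; in this scenario the
#    source is spoofed and 192.0.2.1 is our upstream DNS   -> must not be blocked
SAMPLE_LOG = """\
2000-01-28T10:00:01 SRC=203.0.113.7 DPT=21
2000-01-28T10:00:01 SRC=203.0.113.7 DPT=22
2000-01-28T10:00:02 SRC=203.0.113.7 DPT=23
2000-01-28T10:00:02 SRC=203.0.113.7 DPT=25
2000-01-28T10:00:03 SRC=203.0.113.7 DPT=80
2000-01-28T10:00:03 SRC=203.0.113.7 DPT=110
2000-01-28T10:00:05 SRC=198.51.100.5 DPT=80
2000-01-28T10:00:07 SRC=198.51.100.5 DPT=80
2000-01-28T10:01:00 SRC=192.0.2.1 DPT=21
2000-01-28T10:01:00 SRC=192.0.2.1 DPT=22
2000-01-28T10:01:01 SRC=192.0.2.1 DPT=23
2000-01-28T10:01:01 SRC=192.0.2.1 DPT=25
2000-01-28T10:01:02 SRC=192.0.2.1 DPT=80
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DPT=(\d+)$")

SCAN_THRESHOLD = 5              # distinct destination ports from one source ...
WINDOW = timedelta(seconds=10)  # ... seen within this time window

# Hosts that must never be auto-blocked, whatever the log says: an attacker
# who spoofs one of these as the scan source would otherwise cut us off from it.
# (Hypothetical upstream resolver and the local LAN range.)
ALLOWLIST = [
    ipaddress.ip_network("192.0.2.1/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse_log(text):
    """Turn log lines into (timestamp, source address, destination port) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything not in the expected format
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, ipaddress.ip_address(m.group(2)), int(m.group(3))))
    return events


def is_allowlisted(addr):
    return any(addr in net for net in ALLOWLIST)


def detect_scanners(events, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Map source address (as a string) to a decision for every source that
    touched >= threshold distinct ports inside one window: 'block', or
    'allowlisted' when the source is protected and is only reported."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events, key=lambda e: e[0]):
        by_src[src].append((ts, port))
    decisions = {}
    for src, hits in by_src.items():
        for i, (start, _) in enumerate(hits):
            # hits are time-ordered, so this is a sliding window starting at hit i
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= threshold:
                decisions[str(src)] = "allowlisted" if is_allowlisted(src) else "block"
                break
    return decisions


def block_rules(decisions):
    """Build ipchains deny rules for the hosts marked 'block'.  Returns strings
    only; nothing is executed, and the rule syntax is an assumption."""
    return [f"ipchains -A input -s {src} -j DENY"
            for src, verdict in sorted(decisions.items()) if verdict == "block"]


if __name__ == "__main__":
    verdicts = detect_scanners(parse_log(SAMPLE_LOG))
    for src, verdict in sorted(verdicts.items()):
        print(f"{src:15} {verdict}")
    for rule in block_rules(verdicts):
        print(rule)
```

The allowlist is the practical answer to the spoofing problem in the post: anything whose loss would take you "off the net" (your upstream resolver, default gateway, the LAN itself) is reported but never dropped automatically, so a spoofed scan can at worst generate a page, not an outage.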
