
Re: OT: Re: Firewalling: best approach?



Did not even think about the top posting on Debian lists.
Too many lists, too many rules. ;-)

Anyway, don't forget to also secure your firewall the best way you can.
Good read: http://www.debian.org/doc/user-manuals#securing

Mark

Clifford W. Hansen wrote:
> Greetz,
> 
> Firstly I'm only top posting to keep with the flow...
> 
> secondly, I agree with Mark, I've used shorewall and found it really
> easy to use especially when you are lazy++ like me...
> 
> After installing shorewall "apt-get install shorewall shorewall-docs"
> you will need to set:
>     
> Firewall:~# vi /etc/default/shorewall
> Now simply change
> startup = 0
> to
> startup = 1
> save, and exit.
> 
> 
>>    Shorewall configuration files are stored in two separate places:
>> /etc/shorewall stores all the program configuration files.
>> /usr/share/shorewall stores supporting files and action files.
>>
>>    On the Debian package version of shorewall, /etc/shorewall is
>> rather empty. Luckily, we're provided with default configuration files
>> in /usr/share/doc/shorewall/default-config
>>
>>    Since we will need to use these config files to actually make
>> Shorewall work, the first thing to do is to copy them over to
>> /etc/shorewall:
>>
>> Firewall:~# cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/
>>
>>    Now our /etc/shorewall directory should have default copies of all
>> the config files. Next we modify a few of them to get our firewall in
>> basic working order. I'm only going to cover the basic configurations
>> necessary to get the firewall working. Please read the documentation
>> in each config file you edit so you can fully understand what each
>> step is really doing! 
> 
> Taken from: http://www.cyberdogtech.com/firewalls/firewall/
> 
> Take a look at that website, it has a couple of nice tips... also read
> the conf files, that should help a lot as well :)
> 
> Good luck....
> 
> M. Maas wrote:
>> Hi,
>>
>> Listen I don't want to be an ass... No really.. I don't!
>>
>> But would the use of shorewall not make it easier? Or even the IPcop
>> distribution?
>>
>> Seriously, I'd like to know the reasoning behind choosing the manual
>> route instead of an easier automated one.
>>
>> Thanks,
>> Mark
>>
>> Bradley Alexander wrote:
>>> I am trying to configure a firewall, but nailing down the configuration
>>> is eluding me. The box is running Debian stable. I have tried with
>>> iproute2 (I'm including a description below), but not gotten the
>>> intended effect. I have tried the lartc list, to no avail. A friend of
>>> mine suggested setting up a virtual server for one set of interfaces and
>>> running the other set on the native machine. Which is the best approach
>>> to this? Muddling through the iproute2 configuration, or the virtual
>>> server route? If virtual server, which would be the best one? Qemu? Xen?
>>> VMware player or server (Free as in beer, but not as in speech)?
>>> Basically, I have a rackmount server with six network interfaces (2
>>> onboard and a quad card). eth0 is the internal network, eth1 is a kiosk
>>> network, eth2 is a DMZ/wireless network. On the outbound side, eth3 is a
>>> DSL connection and eth4 is a cablemodem connection.
>>>
>>> What I am trying to do is route all internal traffic out the DSL
>>> connection (eth0 to eth3), and the two dmzs, kiosk and wireless out the
>>> cable connection (eth1 and eth2 to eth4). Thus far I have been unable
>>> to get this to work.
>>>
>>> For the sake of the discussion, the internal network is 10.1.1.0/24, the
>>> kiosk is 172.16.1.0/24 and the dmz/wireless is 192.168.1.0/24. The dsl
>>> line is 1.2.3.4 and the cable line is 9.8.7.6.
>>>
>>> I added the following to rt_tables:
>>>
>>> 1       internal
>>> 2       kiosk
>>> 3       dmz
>>>
>>> then created a script
>>>
>>> ip rule add from 10.1.1.0/24 table internal
>>> ip route add default via 1.2.3.4 dev eth3 table internal
>>>
>>> ip rule add from 172.16.1.0/24 table kiosk
>>> ip route add default via 9.8.7.6 dev eth4 table kiosk
>>>
>>> ip rule add from 192.168.1.0/24 table dmz
>>> ip route add default via 9.8.7.6 dev eth4 table dmz
>>>
>>> When I run this script, it does not do what I expect, especially after
>>> running the firewall rules atop it. I thought I had it nailed, but it
>>> wasn't working as expected, and I really couldn't test very well.
>>>
>>> I'm hoping some kind soul on this list might have a few minutes for an
>>> email exchange to help me get this sorted out. If so, please email me
>>> off-list. I'm sure it's probably something that I overlooked, but I'm at
>>> a loss as to what.
>>>
>>> Regards,
>>> --b
>>>
>>>
>>>
>>
> 

-- 
www: http://menem.mine.nu/blog/
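The source-based policy routing asked about at the start of this thread, written out as a complete script. This is an added example, not code from any of the posts above. It keeps the three networks, the two uplink interfaces and the table names from the question, but the two upstream gateway addresses (1.2.3.1 and 9.8.7.1) are assumptions: the question only gives the firewall's own addresses on the DSL and cable links, and a per-table default route has to point at the ISP's next hop, not at the local interface address. It also goes beyond the question's six lines with three things a practitioner will want on a multi-homed firewall: a higher-preference rule so the inside networks can still reach each other through the main table, a separate SNAT per uplink so each link sends with its own public address, and loose reverse-path filtering on the uplinks. By default it only prints the commands it would run; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not code from the original thread: source-based policy
# routing for a Debian firewall with three inside networks and two uplinks.
# Topology and table names come from the question; the upstream gateway
# addresses (DSL_GW, CABLE_GW) are assumptions, because the post only
# gives the firewall's own addresses on those links.
set -eu

DSL_IF=eth3;   DSL_IP=1.2.3.4;  DSL_GW=1.2.3.1      # gateway is assumed
CABLE_IF=eth4; CABLE_IP=9.8.7.6; CABLE_GW=9.8.7.1   # gateway is assumed
INSIDE_NETS="10.1.1.0/24 172.16.1.0/24 192.168.1.0/24"
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

# DRY_RUN=1 (the default) prints each command instead of executing it, so
# the result can be reviewed first; run as root with DRY_RUN=0 to apply.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# ensure_table <id> <name>: register a named table exactly once, so that
# running the script again does not append duplicate rt_tables lines.
ensure_table() {
    grep -qs "^$1[[:space:]][[:space:]]*$2\$" "$RT_TABLES" ||
        run sh -c "printf '%s\t%s\n' '$1' '$2' >> '$RT_TABLES'"
}

# uplink_policy <src_net> <table> <gw> <dev>: traffic *from* src_net uses
# its own table, whose only entry is a default route via that uplink. The
# rule gets an explicit preference so it is easy to find and remove again.
uplink_policy() {
    src=$1; table=$2; gw=$3; dev=$4
    run ip route replace default via "$gw" dev "$dev" table "$table"
    # "ip rule add" is not idempotent: drop a stale copy before adding.
    run ip rule del pref 200 from "$src" lookup "$table" 2>/dev/null || true
    run ip rule add pref 200 from "$src" lookup "$table"
}

apply_policy() {
    ensure_table 1 internal
    ensure_table 2 kiosk
    ensure_table 3 dmz

    # Inside-to-inside traffic must keep using the main table: with only a
    # default route in each custom table, 10.1.1.0/24 could not reach the
    # kiosk or DMZ networks at all. A "to <inside net>" rule at pref 100 is
    # consulted before the per-source rules at pref 200 and wins.
    for net in $INSIDE_NETS; do
        run ip rule del pref 100 to "$net" lookup main 2>/dev/null || true
        run ip rule add pref 100 to "$net" lookup main
    done

    uplink_policy 10.1.1.0/24    internal "$DSL_GW"   "$DSL_IF"
    uplink_policy 172.16.1.0/24  kiosk    "$CABLE_GW" "$CABLE_IF"
    uplink_policy 192.168.1.0/24 dmz      "$CABLE_GW" "$CABLE_IF"
    run ip route flush cache

    # Each uplink must NAT with its own public address. A packet leaving
    # eth4 with a private source, or with the DSL address as source, is
    # spoofed from the cable ISP's point of view and is dropped, or its
    # reply comes back on the wrong link.
    run iptables -t nat -A POSTROUTING -o "$DSL_IF"   -j SNAT --to-source "$DSL_IP"
    run iptables -t nat -A POSTROUTING -o "$CABLE_IF" -j SNAT --to-source "$CABLE_IP"

    # Strict reverse-path filtering (rp_filter=1) drops packets that arrive
    # on an interface the main table would not use to reach their source,
    # which is exactly the situation on a second uplink. Loose mode (2)
    # still rejects sources that are unreachable on any interface. Kernels
    # older than 2.6.31 accept only 0 or 1 here; use 0 on those.
    for dev in "$DSL_IF" "$CABLE_IF"; do
        run sysctl -qw "net.ipv4.conf.$dev.rp_filter=2"
    done
    run sysctl -qw net.ipv4.ip_forward=1
}

apply_policy
```

After applying it, `ip rule show` should list the three pref 100 "to" rules and the three pref 200 "from" rules ahead of the main table, and `ip route show table kiosk` should show only the default via the cable gateway. The script deliberately does not use `ip rule flush`, which would also remove the main and default lookups and leave the box without normal routing until they are re-added.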


