Re: [vox-tech] Firewall
Yeah, based on Pete's post I started looking at LRP (even saw your name (Mr.
Newmiller) in a link). I think I'd like to build one, but the project seems a
little disarrayed, and misleading.
I'd like to build 2 (both without hard drives and bootable off a single floppy):
Home:
2 NICs, DHCP server, able to get a dynamic IP (external) from my ISP
Office:
3 NICs (External, DMZ, Internal), DHCP Server, fixed IP
Where should I start?
BTW, I don't understand the 2 firewall setup.
If you guys will help me get it working, I'll try to write a HOW-TO
Jay
Jay Strauss
jjstrauss@yahoo.com
----- Original Message -----
From: <jdnewmil@dcn.davis.ca.us>
To: <vox-tech@franz.mother.com>
Sent: Wednesday, January 10, 2001 5:57 PM
Subject: Re: [vox-tech] Firewall
> On Wed, 10 Jan 2001, Jay wrote:
>
> > I'm trying to decide how to set up my next firewall. I see smoothwall
> > (which I hear is pretty good) uses only 2 nics (internal and external)
> > and port forwards requests to machines on the private internal network.
>
> Two nics is pretty much a minimum for a firewall. :)
>
> > Then others use that External/DMZ/Internal setup (like in the ipchains howto).
> >
> > Why would I choose one over the other?
>
> Paranoia. If you allow ANY services to portforward in and there is a
> security flaw in the server daemon(s), then once your box is cracked
> your whole network is compromised. If you have three NICs, or better yet,
> a second firewall, then your private lan can access the server, and the
> outside world can access it, but if the server is cracked then they are
> faced with getting through a firewall that contains no holes. The
> headache with this is that your server is pretty thoroughly isolated from
> your LAN, so YOU can't schedule actions to push data into your lan... all
> data movement to or from your LAN must be initiated from within the lan.
> Thus, if you have a database you want to serve data from it must be in the
> demilitarized zone on or with the other servers.
>
> Most people don't want to set up dedicated servers in their homes with
> limited communication among the rest of their network, just because
> someone _might_ be able to crack their system.
>
> > Also, isn't there some way to set up a firewall that doesn't have a hard
> > drive and boots off the floppy.
>
> http://www.linuxrouter.org (barebones, but simple)
> http://lrp.c0wz.com (clearing house of information about LRP)
> (Steinkuehler's preconfigured images can make initial
> setup very easy.... _if_ he has one that matches your needs.
> Rather complex if you start adapting it to a different setup.
> Douthitt's Oxygen is tuned for experienced *nixers.)
>
> ---------------------------------------------------------------------------
> Jeff Newmiller The ..... ..... Go Live...
> DCN:<jdnewmil@dcn.davis.ca.us> Basics: ##.#. ##.#. Live Go...
> Work:<JeffN@endecon.com> Live: OO#.. Dead: OO#.. Playing
> Research Engineer (Solar/Batteries O.O#. #.O#. with
> /Software/Embedded Controllers) .OO#. .OO#. rocks...2k
> ---------------------------------------------------------------------------
>
>
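The three-zone layout Jeff describes, written out as an added example that is not part of the original thread: a FORWARD policy in which the LAN and the Internet can reach the DMZ server but the DMZ can never open a connection into the LAN, so all LAN data movement is initiated from inside. Interface names, addresses and the served port are assumptions, and iptables with connection tracking stands in for the ipchains that the LRP images of the time used; the script prints the rules by default and only applies them when run with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names, addresses
# and the served port are assumptions; iptables with connection tracking
# stands in for the ipchains used by LRP images of the time.
IPT="${IPT:-echo iptables}"   # dry run by default: print, do not apply
EXT=eth0; DMZ=eth1; LAN=eth2  # assumed NIC assignment
DMZ_SRV=192.168.2.10          # assumed address of the DMZ server
SRV_PORT=80                   # assumed published service

three_zone_rules() {
    # Default deny for all traffic crossing the firewall.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to established connections pass in any direction. This is
    # what lets a LAN-initiated session pull data from the DMZ without the
    # DMZ ever being allowed to initiate one.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN may open connections to the Internet and to the DMZ.
    $IPT -A FORWARD -i $LAN -o $EXT -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $DMZ -m state --state NEW -j ACCEPT
    # Internet may open connections only to the published DMZ service.
    $IPT -A FORWARD -i $EXT -o $DMZ -d $DMZ_SRV -p tcp --dport $SRV_PORT \
        -m state --state NEW -j ACCEPT
    # DMZ may open connections outward (DNS, updates) but never into the LAN.
    $IPT -A FORWARD -i $DMZ -o $EXT -m state --state NEW -j ACCEPT
    # Log and drop a (possibly cracked) DMZ host reaching for the LAN.
    $IPT -A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ->LAN blocked: "
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP
    # Publish the DMZ server on the external address and masquerade the
    # private networks behind it (covers the dynamic-IP home case too).
    $IPT -t nat -A PREROUTING -i $EXT -p tcp --dport $SRV_PORT \
        -j DNAT --to-destination $DMZ_SRV
    $IPT -t nat -A POSTROUTING -o $EXT -j MASQUERADE
}

# Sanity check on the generated rules: how many would let the DMZ open a
# NEW connection into the LAN? The design requires this to be zero.
dmz_to_lan_new_accepts() {
    (IPT="echo iptables"; three_zone_rules) \
        | grep -c -- "-i $DMZ -o $LAN .*--state NEW -j ACCEPT" || true
}

three_zone_rules
```

The firewall's own INPUT chain and the ip_forward sysctl are left out; on a real box both still need to be set.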