Linux Users' Group of Davis (LUGOD)
Page last updated:
2001 Dec 30 17:09

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Setting up an old box as a Router/Server/Firewall?

If you want to use later versions (2.4) of the kernel for your firewall, I seem
to remember needing at least 4 MB of RAM for install.

If you run public services, I would suggest a triple interface host (one for
the INET, one for your LAN, one for your public DMZ), but you have to go with
what you have...

Jeff's suggestions are _very_ good (as always).  If you come to the next
meeting, hopefully I can shed some light on how to get the most from iptables. 

However, my favorite how-to on the subject is (watch out for the striking
similarity to the talk that I'll be giving):

http://people.unix-fu.org/andreasson/index.html
(props to BoingWorld)

It's a very good walk-through of the rule sets and why.  HTHO.  If you want to
use ipchains and an older kernel, I know of some good howtos for that as well. 
Just let me know ;-P

jan


--- Jeff Newmiller <jdnewmil@dcn.davis.ca.us> wrote:
> On Thu, 6 Sep 2001, Ryan wrote:
> 
> > Ok, I've got an old 486 sitting in my
> > closet that I got from my dad a while
> > ago, intending to set it up as a Linux
> > based server/bridging firewall. It has
> > 2 NICs so I was hoping to set up some
> > routing software and whatnot to allow
> > me to run a webserver and mail server
> > on the 486 while still being able to
> > use games and whatnot that need to
> > accept incoming connections on my main
> > box.
> 
> You have to be a little more careful with multi-function computers also
> acting as firewalls, but it is doable.  Multiple functions allow hackers
> more flexibility if they get through your outer perimeter.
> 
> > My preferred setup for dealing with
> > incoming connections on eth0 is to have
> > a list of ports to block connections
> > to and a list of ports to allow incoming
> > connections to, and what IP on the
> > internal network those requests should
> > be directed to (or to direct it to a
> > server that's running locally).
> 
> More commonly, all incoming connections are blocked, unless they meet
> specific requirements.  You only end up with one list that way.
> 
> > 
> > Traffic to the internet from eth1 (the
> > internal network) should be sent out to
> > the WAN, preferably without a proxy.
> 
> Masquerading.
> 
> > 
> > Oh, and I do only have one internal IP.
> 
> Definitely on the poor side of the tracks. ;)
> 
> Actually, I think you mean one _external_ IP.
> 
> > Suggestions on what programs would be
> > needed to do this stuff and hints on
> > setting things up?
> 
> I use a customized Linux Router Project configuration, but that takes a
> little more doing to include mailservers and webservers.  Seems like there
> are a lot of variations on this base now... LEAF
> (http://leaf.sourceforge.net), Coyote (http://www.coyotelinux.com) are two
> that come to mind.  http://www.linuxsecurity.com has information on quite
> a few Linux security issues.
> 
> There are a few configurable firewall scripts, like rcf
> (http://rcf.mvlan.net/) or seawall (http://seawall.sourceforge.net/) for
> ipchains.  There are some advantages to going with Linux 2.4's iptables,
> but fewer people are familiar with it... you can try shorewall
> (http://shorewall.sourceforge.net/).
> 
> > I currently have Storm installed on it,
> > but I have A copy on Mandrake SNF and
> > could get and burn any other Distro off
> > the net.
> 
> I would expect that either of these could do the job, assuming you have
> enough disk space and RAM in this box. Use whichever you find more
> familiar.  Look for Bastille Linux, a script for hardening a RedHat-based
> distribution.
> 
> ---------------------------------------------------------------------------
> Jeff Newmiller                        The     .....       .....  Go Live...
> DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
>                                       Live:   OO#.. Dead: OO#..  Playing
> Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
> /Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
> ---------------------------------------------------------------------------
> 


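As an added example (not code from jan, Jeff or the how-to linked above): a POSIX shell script that generates the kind of default-deny, masquerading iptables ruleset Jeff describes for the two-NIC 486, in iptables-restore format. It assumes eth0 faces the Internet, eth1 faces the LAN, and the LAN uses 192.168.1.0/24; the interface names, the LAN range and the gen_rules function are all assumptions, not from the thread.

```shell
#!/bin/sh
# Added example: builds an iptables-restore ruleset for a two-NIC firewall
# (Linux 2.4 iptables). Assumptions, not from the post: eth0 = Internet side,
# eth1 = LAN side, LAN = 192.168.1.0/24. One list, default DROP, open only
# what is listed; LAN traffic is masqueraded behind the single external IP.
EXT_IF=eth0
INT_IF=eth1
LAN_NET=192.168.1.0/24

# gen_rules SPEC...  SPEC = proto:port          (service on the firewall box)
#                    SPEC = proto:port:lan_ip   (forwarded to a LAN host)
gen_rules() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'     # default deny: nothing in unless listed below
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo "-A INPUT -i $INT_IF -s $LAN_NET -j ACCEPT"    # trust the LAN side
  echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo "-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT"
  for spec in "$@"; do
    proto=${spec%%:*}; rest=${spec#*:}; port=${rest%%:*}
    case $rest in
      *:*) echo "-A FORWARD -i $EXT_IF -o $INT_IF -p $proto -d ${rest#*:} --dport $port -m state --state NEW -j ACCEPT" ;;
      *)   echo "-A INPUT -i $EXT_IF -p $proto --dport $port -m state --state NEW -j ACCEPT" ;;
    esac
  done
  echo 'COMMIT'
  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':POSTROUTING ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # one external IP: masquerade everything leaving the LAN
  echo "-A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE"
  for spec in "$@"; do
    case ${spec#*:} in
      *:*) proto=${spec%%:*}; rest=${spec#*:}; port=${rest%%:*}
           echo "-A PREROUTING -i $EXT_IF -p $proto --dport $port -j DNAT --to-destination ${rest#*:}:$port" ;;
    esac
  done
  echo 'COMMIT'
}

# Constructed usage: web server on a LAN host, SMTP on the firewall itself.
# Load with:  gen_rules ... | iptables-restore
# then enable routing:  echo 1 > /proc/sys/net/ipv4/ip_forward
gen_rules tcp:80:192.168.1.10 tcp:25
```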

