Linux Users' Group of Davis (LUGOD)

Next Meeting: December 2: Social gathering
Next Installfest: TBD
Latest News: Nov. 18: Club officer elections
Page last updated: 2001 Dec 30 17:09

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Setting up an old box as a Router/Server/Firewall?

If you run public services then I more strongly recommend a dedicated box that does nothing but firewall/NAT/port forward and a DMZ would be a nice addition.  The other advantage of a dedicated (NOT server) system, is when you are 'playing' around with things and you zap something, then you don't have to reconfigure your network to get the Internet connection working again.

I currently use the Eigerstein2 variant of the LRP.  Links can be found at http://leaf.blkmtn.org

As the 'dedicated' box is on a floppy, I can experiment with alternative configs and if I goof, swap back to the original floppy disk.  If I goof on a server, it takes longer to get it going again and my wife is annoyed.

-sp


On Fri, 07 September 2001, Jan Wynholds wrote:

> 
> If you want to use later versions (2.4) of the kernel for your firewall, I seem
> to remember needing at least 4 MB of ram for install.
> 
> If you run public services, I would suggest a triple interface host (one for
> the INET, one for your LAN, one for your public DMZ), but you have to go with
> what you have...
> 
> Jeff's suggestions are _very_ good (as always).  If you come to the next
> meeting, hopefully I can shed some light on how to get the most from iptables. 
> 
> However, my favorite how-to on the subject is (watch out for the striking
> similarity to the talk that I'll be giving):
> 
> http://people.unix-fu.org/andreasson/index.html
> (props to BoingWorld)
> 
> It's a very good walk-through of the rule sets and why.  HTHO.  If you want to
> use ipchains and an older kernel, I know of some good howtos for that as well. 
> Just let me know ;-P
> 
> jan
> 
> 
> --- Jeff Newmiller <jdnewmil@dcn.davis.ca.us> wrote:
> > On Thu, 6 Sep 2001, Ryan wrote:
> > 
> > > Ok, I've got an old 486 sitting in my
> > > closet that I got from my dad a while
> > > ago, intending to set it up as a linux
> > > based server/bridging firewall. It has
> > > 2 NICs so I was hoping to set up some
> > > routing software and whatnot to allow
> > > me to run a webserver and mail server
> > > on the 486 while still being able to
> > > use games and whatnot that need to
> > > accept incoming connections on my main
> > > box.
> > 
> > You have to be a little more careful with multi-function computers also
> > acting as firewalls, but it is doable.  Multiple functions allow hackers
> > more flexibility if they get through your outer perimeter.
> > 
> > > My preferred setup for dealing with
> > > incoming connections on eth0 is to have
> > > a list of ports to block connections
> > > to and a list of ports to allow incoming
> > > connections to, and what IP on the
> > > internal network those requests should
> > > be directed to (or to direct it to a
> > > server that's running locally).
> > 
> > More commonly, all incoming connections are blocked, unless they meet
> > specific requirements.  You only end up with one list that way.
> > 
> > > 
> > > Traffic to the internet from eth1 (the
> > > internal network) should be sent out to
> > > the WAN, preferably without a proxy.
> > 
> > Masquerading.
> > 
> > > 
> > > Oh, and I do only have one internal IP.
> > 
> > Definitely on the poor side of the tracks. ;)
> > 
> > Actually, I think you mean one _external_ IP.
> > 
> > > Suggestions on what programs would be
> > > needed to do this stuff and hints on
> > > setting things up?
> > 
> > I use a customized Linux Router Project configuration, but that takes a
> > little more doing to include mailservers and webservers.  Seems like there
> > are a lot of variations on this base now... LEAF
> > (http://leaf.sourceforge.net), Coyote (http://www.coyotelinux.com) are two
> > that come to mind.  http://www.linuxsecurity.com has information on quite
> > a few Linux security issues.
> > 
> > There are a few configurable firewall scripts, like rcf
> > (http://rcf.mvlan.net/) or seawall (http://seawall.sourceforge.net/) for
> > ipchains.  There are some advantages to going with Linux 2.4's iptables,
> > but fewer people are familiar with it... you can try shorewall
> > (http://shorewall.sourceforge.net/).
> > 
> > > I currently have Storm installed on it,
> > > but I have a copy of Mandrake SNF and
> > > could get and burn any other Distro off
> > > the net.
> > 
> > I would expect that either of these could do the job, assuming you have
> > enough disk space and ram in this box. Use whichever you find more
> > familiar.  Look for Bastille Linux, a script for hardening a RedHat-based
> > distribution.
> > 
> > ---------------------------------------------------------------------------
> > Jeff Newmiller                        The     .....       .....  Go Live...
> > DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
> >                                       Live:   OO#.. Dead: OO#..  Playing
> > Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
> > /Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
> > ---------------------------------------------------------------------------
> > 
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Get email alerts & NEW webcam video instant messaging with Yahoo! Messenger
> http://im.yahoo.com
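Jeff's default-deny approach ("all incoming connections are blocked, unless they meet specific requirements") combined with Jan's triple-interface layout (Internet, LAN, public DMZ), written out as an iptables ruleset for a dedicated firewall/NAT box. This is an added example, not something posted in the thread; the interface names, subnets and DMZ hosts are assumptions, and the script prints every command by default so the ruleset can be reviewed before it is applied to a live box.

```shell
#!/bin/sh
# Default-deny firewall/NAT ruleset for a dedicated three-interface box
# (WAN / LAN / DMZ). Added example; the interface names, subnets and DMZ
# hosts below are assumptions, not any poster's actual setup.
WAN_IF=eth0   # Internet side, holds the single external IP
LAN_IF=eth1   # trusted internal network
DMZ_IF=eth2   # public servers
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
DMZ_WEB=192.168.2.10    # hypothetical web server in the DMZ
DMZ_MAIL=192.168.2.11   # hypothetical mail server in the DMZ

# DRY_RUN=1 (the default) prints every command instead of running it, so the
# whole ruleset can be reviewed before it touches a live box; DRY_RUN=0 applies.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

# publish PROTO PORT HOST: forward inbound WAN traffic for PORT to a DMZ host
# (DNAT), then permit exactly that forwarded flow through the FORWARD chain.
publish() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p "$1" -d "$3" --dport "$2" \
        -m state --state NEW -j ACCEPT
}

build_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    ipt -F; ipt -t nat -F; ipt -X

    # Default deny: one list of what is allowed, everything else is dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Anti-spoofing: packets arriving from the WAN must not claim inside addresses.
    for net in "$LAN_NET" "$DMZ_NET"; do
        ipt -A INPUT   -i "$WAN_IF" -s "$net" -j DROP
        ipt -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done

    # Loopback plus stateful return traffic for connections already allowed.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The firewall itself accepts only SSH, and only from the LAN side.
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # LAN may go out to the Internet (masqueraded behind the one external IP)
    # and into the DMZ.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Public services live in the DMZ, not on the firewall.
    publish tcp 80 "$DMZ_WEB"
    publish tcp 25 "$DMZ_MAIL"

    # A DMZ host may reach the Internet but never initiate into the LAN, so a
    # compromised public server does not become a foothold on the inside.
    ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP

    # Log whatever falls through to the default policy so probes leave a trace.
    ipt -A INPUT   -j LOG --log-prefix "FW-INPUT-DROP: "
    ipt -A FORWARD -j LOG --log-prefix "FW-FWD-DROP: "
}

build_rules
```

Run it as-is to print the ruleset for review; run it as root with DRY_RUN=0 to apply. Note that the only way inbound traffic reaches anything is through a publish line, so the "ports to block" list Ryan describes never needs to exist: the DROP policies cover everything not explicitly published, and the ESTABLISHED,RELATED rules let the replies back in.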
