Re: Here is my plan for firewall implementation
Craig Brozefsky (craig at onshore.com)
Sun, 21 Sep 1997 12:05:07 -0500
- Next message: Marcus J. Ranum: "Re: Here is my plan for firewall implementation"
- Previous message: Jyri Kaljundi: "Re: Here is my plan for firewall implementation"
- In reply to: Marcus J. Ranum: "Re: Here is my plan for firewall implementation"
- Next in thread: Marcus J. Ranum: "Re: Here is my plan for firewall implementation"
- Reply: Marcus J. Ranum: "Re: Here is my plan for firewall implementation"
On Fri, 19 Sep 1997, Jim Raykowski wrote:
> Hello All,
> Here is my plan for implementing a firewall at my site and I would like
> to hear some comments on the goods and bads.
This is very similar to what I am running/designing. We have a small
LAN of about 20 computers of mixed breed and species doing everything
from NSCalendar services to SMB and NFS/NIS+. I set it up primarily as a
training ground for several of the tech support people we have around the
office and ran into several issues which I hope to help you avoid.
> My plan is to build a Pentium 133 with 32 MB RAM with 540 MB Hard Drive
> running Linux Slackware using kernel 2.0.30 and TIS Firewall Toolkit 2.0.
> I plan to use the SMTP, HTTP, TELNET, and FTP proxies from the FWTK and set
> up a fake DNS on this machine.
May I suggest that you stay away from the 2.0.30 kernel; it has several
problems including but not limited to broken transparent proxy support,
SCSI flakiness, and other bugs. Kernels earlier than 2.0.27 I believe
should have trans proxy working, and for the most stable environment go
with 1.2.13 if you don't need the extra features in the 2.0.X kernels.
2.0.30 pre9 is out and has some memory leaks and other issues, but if
you can wait till 2.0.31 it should be a stable kernel since the developers
are concentrating on releasing a 1.2.13 caliber kernel for the 2.0.X
series now.
The HTTP gateway has some flakiness when it comes to rewriting URLs. I
have had it break several pages that have Javascript URLs in them, i.e.:
<a href="Javascript:funccal(arg,arg,arg)">
got rewritten with a ":" appended to it, thus breaking things. What you
may want to do is either get a beefier box for your firewall and run
something like Squid in caching mode (slap a SCSI disk on there for the
cache dirs) or run Squid non-caching. It has a lot of nice features like
DNS caching and such that will make your web access slicker. May I also
suggest using Junkbusters. I set it up to forward chain to Squid.
The SMAP gateway is nice, but keep an eye on it. I have in the past had
it go into a runaway loop and fill up some partitions with log messages
and bounced mail. I do not know if the current version fixed the problem,
which was related to a message not being requeued or discarded after
sendmail failed to send it.
> I will build another Linux computer to act as the internal DNS that will
> forward all queries it cannot answer to the firewall and then forward
> answers back to the systems that asked. It will also be my network
> monitoring station and the station that I xfer all updates to my external web
> and ftp servers.
I also have a Linux box doing much of the same.
> My default policy will be to deny all unless otherwise permitted. I am
> trying to protect the information as we deal with government contracts but
> still need access to the internet to look up data and exchange information
> with other contractors.
> Thanks,
I attempted to implement the same policy and have found that the fwtk and
Linux were not really suitable for it when considering the needs I have,
but with a little bit of coding I think you could pull it off. The major
problem I had was transparent proxies in 2.0.30 not working, as well as
attempts to proxy ssh. My goal was/is to create a version of plug-gw that
could take a transparently proxied connection, deduce where the connection
was attempted to, check against an ACL list, and then forward it. The
transproxyd that comes with Debian cannot do this.
Craig Brozefsky craig at onshore.com
onShore Inc. http://www.onshore.com/~craig
Development Team p_priority=PFUN+(p_work/4)+(2*p_cash)
I hear my inside, the mechanized hum of another world - Steely Dan
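The plug-gw variant Craig describes (take a transparently redirected connection, work out where it was really headed, check that against an ACL, then forward) is sketched below in Python as an added example; it is not Craig's code, not part of the FWTK, and not Debian's transproxyd. The rule syntax, the function names, the sample policy and the addresses in it are this example's own assumptions. The original destination is read with SO_ORIGINAL_DST where netfilter REDIRECT provides it and otherwise from getsockname() on the accepted socket, which is how the pre-netfilter transparent proxying in the 2.0.x kernels handed it back.

```python
"""Added example: default-deny, first-match ACL in front of a transparent
TCP relay. Not from the post or from the FWTK; all names are assumptions."""
import ipaddress
import selectors
import socket
import struct

# Constructed sample policy, one rule per line:
#   permit|deny  SRC_CIDR  DST_CIDR  PORT[-PORT]
# First match wins; no match at all means deny (the post's default policy).
SAMPLE_ACL = """
# workstations must not use the proxy to get back into the private 10/8 side
deny   192.168.1.0/24  10.0.0.0/8  1-65535
# workstations: ssh and https to anywhere else
permit 192.168.1.0/24  0.0.0.0/0   22
permit 192.168.1.0/24  0.0.0.0/0   443
# the admin box may go anywhere on any port
permit 192.168.1.10/32 0.0.0.0/0   1-65535
"""


def parse_acl(text):
    """Turn ACL text into (permit, src_net, dst_net, lo_port, hi_port) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"ACL line {lineno}: malformed rule {raw!r}")
        action, src, dst, ports = parts
        lo, _, hi = ports.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"ACL line {lineno}: bad port range {ports!r}")
        rules.append((action == "permit",
                      ipaddress.ip_network(src, strict=False),
                      ipaddress.ip_network(dst, strict=False), lo, hi))
    return rules


def is_permitted(rules, src_ip, dst_ip, dst_port):
    """The first matching rule decides; anything unmatched is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for permit, src_net, dst_net, lo, hi in rules:
        if src in src_net and dst in dst_net and lo <= dst_port <= hi:
            return permit
    return False


def original_destination(conn):
    """Where was the redirected client really trying to connect?"""
    try:
        # SO_ORIGINAL_DST is 80 in linux/netfilter_ipv4.h; returns a sockaddr_in
        raw = conn.getsockopt(socket.SOL_IP, 80, 16)
        port, packed = struct.unpack("!2xH4s8x", raw)
        return socket.inet_ntoa(packed), port
    except (OSError, AttributeError):
        # Old-style (Linux 2.0 ipfwadm) transparent proxying: the accepted
        # socket's local address is the address the client asked for.
        ip, port = conn.getsockname()[:2]
        return ip, port


def relay(a, b, bufsize=65536):
    """Copy bytes both ways until either side hits EOF, then close both."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, data=b)
    sel.register(b, selectors.EVENT_READ, data=a)
    try:
        while True:
            for key, _ in sel.select():
                chunk = key.fileobj.recv(bufsize)
                if not chunk:
                    return
                key.data.sendall(chunk)
    finally:
        sel.close()
        a.close()
        b.close()


def handle_client(conn, rules, listen_addr, log=print):
    """ACL-check one accepted connection; True if it was forwarded."""
    src_ip = conn.getpeername()[0]
    dst_ip, dst_port = original_destination(conn)
    # A client that reaches the proxy directly (not redirected) would make
    # the proxy dial itself in a loop; refuse that before consulting the ACL.
    if (dst_ip, dst_port) == listen_addr or \
            not is_permitted(rules, src_ip, dst_ip, dst_port):
        log(f"deny   {src_ip} -> {dst_ip}:{dst_port}")
        conn.close()
        return False
    log(f"permit {src_ip} -> {dst_ip}:{dst_port}")
    upstream = socket.create_connection((dst_ip, dst_port), timeout=10)
    upstream.settimeout(None)
    relay(conn, upstream)
    return True
```

To run it as a service, bind a listening socket with `socket.create_server(("0.0.0.0", 8080))`, redirect outbound TCP to that port with the kernel's transparent-proxy rule, and pass each accepted socket to `handle_client(conn, parse_acl(SAMPLE_ACL), ("0.0.0.0", 8080))`. Rule order matters: the deny for 10/8 sits above the port-22 permit so that first-match semantics block the private side before the broader permit applies, and a connection matching nothing at all falls through to deny.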
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT