Re: Firewall question
Carric Dooley (carric
com2usa.com)
Wed, 14 Jul 1999 10:03:17 -0400 (EDT)
Well, first of all (and I'm sure you have heard this) use RH 6.0. The 2.2
kernel is much faster. I could not believe the latency I got rid of when
I upgraded my 5.2 gateway at home to 6.0. This would require you to use
ipchains for packet filtering, but if you are not familiar with ipfwadm,
what difference does it make? If you are, ipchains is better, and since
it is written by the same guy, the learning curve is not all that steep.
I would definitely use SSH as you state, but bear in mind this eliminates
the need for some additional "sftp" or "stelnet" or whatever you were
talking about. You can use an ssh encrypted tunnel for all your off-site
traffic (mail, ftp, www, news, etc.; you just redirect it through ssh.
There are how-tos on how to do it).
Another reason for 6.0 is that you can install all the latest apps
without having to upgrade your glibc and other libraries. I limped along,
clinging to 5.2 for a little while on the "ain't broke, don't fix it"
premise, but it gets harder and harder to keep daemons with security
problems up to date when you have to install 10 other packages that the
upgraded code depends on.
As far as logging, you have the ability to do that via ipchains if that's
all you want. If you want authentication for something other than http,
take a look at TIS fwtk. If you want to keep it simple, authenticate for
http, and just log all other protocols, you get the ability through squid
(which is a much nicer implementation than the version that ships with
5.2... I had a hell of a time with squid on 5.2, but out of the box it
works like a champ on 6.0) to do user authentication.
As far as VPN, ssh should give you what you need. I'm assuming the vnc is
to administer things like NT beasties behind the firewall, since one
certainly doesn't need a gui to manage a *nix machine. =) I am not
positive you will not have problems with VNC over SSH. It should work,
but I have not personally tested it. Sorry.
Carric Dooley
COM2:Interactive Media
http://www.com2usa.com
On Tue, 13 Jul 1999, Carl Swanson wrote:
> I had a firewall question that I hoped the wizard
> might be able to help me with ;-)
>
> I want to set up a firewall on a Linux RedHat 5.2
> machine with 2 NICs protecting a little network
> from the internet (connected using ISDN or DSL to
> an ISP connection). There will eventually be several of these
> little isolated networks.
>
> I need to have static IP addresses and will have
> a block of 16 or 32 addresses per network, so total
> static ip addressing.
>
>
> I need to be able to connect to the little network via
> the internet to do admin work, etc, but obviously I don't
> want anyone else in, just me from a static IP address or two.
>
> And I of course want to allow the little network
> users full access to the internet, including web,
> telnet, ftp, etc.
>
> It has been suggested that I set things up thusly:
>
> I want to set up both a firewall and a proxy server. Each
> machine in the local net will have its own IP address, and
> my firewall in the linux machine will only let certain internet IP
> addresses to connect (mine). All other ip addresses that
> try a direct connection will be denied (except machines that are
> responding to a telnet initiation, etc, from the local net)
>
> I'll also install a proxy server so I can control what users use
> what services through the gateway machine and onto the internet.
> I want to be able to control who has access and log where
> they go.
>
> I'll also disable telnet and ftp into the gateway machine, and use
> ssh, and the secure telnet and sftp versions (but I do need
> telnet and ftp access)
>
> Since I'll be using RedHat 5.2 (kernel 2.0.36) I should use ipfwadm
> for the firewall.
>
> Here are some questions I have:
>
> - First of all how does the above sound
> - What proxy software should I use?
> - Will I then need VPN at all between two linux machines
> over the internet? Or is the ssh and secure telnet and ftp
> enough? (I also want to do VNC remote control sessions,
> so that might be an issue).
>
>
> Any tips, hints, pointers, etc, would be MUCH appreciated.
>
> Thanks much,
>
> Carl
> cswanson
tivoli.com
>
>
>
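As an added example, not code from either poster: a review-first ipchains ruleset for the gateway Carl describes, once it runs the 2.2 kernel Carric recommends. It admits ssh to the gateway only from the admin addresses, lets the LAN out, lets TCP replies back in by the SYN-flag test (ipchains has no connection tracking), and logs everything it denies. The interface name and the 192.0.2.0/27, 198.51.100.2 and 203.0.113.x addresses are placeholders.

```shell
#!/bin/sh
# Constructed example (not from the thread): ipchains rules for a gateway
# with a routed block of static addresses behind it. All values below are
# placeholders; adjust them before use.
EXT_IF=eth0                            # interface facing the ISP
GW_EXT=198.51.100.2                    # gateway's ISP-side address
LAN_NET=192.0.2.0/27                   # the block of 32 static addresses
ADMIN_IPS="203.0.113.10 203.0.113.11"  # the only hosts allowed to ssh in

# Print the rules instead of running them so they can be reviewed first;
# pipe the output into sh (or run with "apply") to load them.
build_rules() {
    echo "ipchains -F"
    echo "ipchains -P input DENY"
    echo "ipchains -P forward DENY"
    echo "ipchains -P output ACCEPT"
    # Anti-spoofing: our own block must never arrive from the ISP side.
    echo "ipchains -A input -i $EXT_IF -s $LAN_NET -l -j DENY"
    # Everything arriving on the inside interface is the LAN's own traffic.
    echo "ipchains -A input ! -i $EXT_IF -j ACCEPT"
    # Management: ssh to the gateway only from the admin addresses.
    for ip in $ADMIN_IPS; do
        echo "ipchains -A input -i $EXT_IF -p tcp -s $ip -d $GW_EXT 22 -j ACCEPT"
    done
    # Replies to connections opened from inside: TCP without SYN only ('! -y'),
    # plus DNS answers back to unprivileged client ports.
    echo "ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -p udp -s 0/0 53 -d $LAN_NET 1024:65535 -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -p udp -s 0/0 53 -d $GW_EXT 1024:65535 -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -p icmp -j ACCEPT"
    # Forward: LAN may go out; only replies (non-SYN TCP, DNS answers) come in.
    echo "ipchains -A forward -s $LAN_NET -j ACCEPT"
    echo "ipchains -A forward -p tcp ! -y -d $LAN_NET -j ACCEPT"
    echo "ipchains -A forward -p udp -s 0/0 53 -d $LAN_NET 1024:65535 -j ACCEPT"
    # Log (-l) whatever falls through before the default DENY policy.
    echo "ipchains -A forward -l -j DENY"
    echo "ipchains -A input -l -j DENY"
}

# Sanity check before applying: how many rules will write to the log.
count_logging_rules() {
    build_rules | grep -c -- ' -l '
}

case "${1:-}" in
    apply) build_rules | sh ;;
    *)     build_rules ;;
esac
```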
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:19:03 CDT