Subject: Re: Subnetting, firewall setup
From: Will McCracken (willWGM3.COM)
Date: Fri Oct 06 2000 - 07:10:38 CDT


Veritas has a product called Veritas Volume Manager that allows you to use
two hard drives in a variety of mirrored setups some of which I believe
provide immediate failover to the backup disk should one of the disks
fail. The product is only available for HP-UX and Solaris at this time,
but Veritas has issued a press release
(http://www.veritas.com/us/aboutus/pressroom/2000/00-01-24-0.html) stating
that they are working on porting to Linux. Not an immediate solution, but
you might want to keep your eye out for it.

http://www.veritas.com/us/products/volumemanager/prodinfo.html

Will

On Thu, 5 Oct 2000, Dave Akins wrote:

> Thanks for the comments Don... We're looking at running about 6 web servers
> behind this Linux firewall, so it should be interesting.
>
> I share your concerns about a hard drive crash, but I don't know that a
> hard-drive-less system is very practical. I like the idea that I can log
> activity to the hard drive and basically not have to worry about trying to
> compromise certain functionality because it won't fit on a floppy disk or zip
> disk. With RedHat 6.2, my firewalls are usually down around 140MB. What I like
> to do, is when I get everything set up correctly, create a boot floppy, and ghost
> the entire hard drive (using Norton Ghost) to a file server somewhere. Then burn
> that to CD with an autoexec.bat which fires off Norton Ghost. What I have then
> is a CD that can restore my system in the event of a failure. With a 48x+
> CD-ROM you can get the system back in about 10 minutes. All you need is
> something to alert you of a hard drive failure!
>
>
>
> Don Felgar wrote:
>
> > I have a similar type of network running on a T1. For the router I
> > use a 32mb P90 Debian box with a Sangoma WanRouter card. It works
> > beautifully. Despite the direst of warnings from US West about the
> > Linux/WanRouter router, the first ping I tried worked. I've never set
> > up a Cisco router but I certainly don't feel constrained by Linux.
> >
> > My biggest concern is that a disk drive failure in the router would be
> > a major headache. I have an identical box for backup, but the
> > WanRouter isn't actually in it, obviously. I wish I didn't have to
> > worry about a hard drive crash bringing down the network. You might do
> > well to boot from floppy as with the Linux Router Project.
> >
> > I don't think you'll have any throughput concerns with the Linux
> > router. My understanding is that the Cisco OS is optimized for large
> > networks so underperforms Sangoma's products on smaller networks.
> >
> > I'm not sure I really answered any of your questions, but hope this
> > helps.
> >
> > -Don
> >
> > On Wed, Oct 04, 2000, Dave Akins wrote:
> > > I have set up about 20 different Linux - IP Masq boxes and have seen no
> > > problems. Have any of you had any experiences (good or bad) using Linux as
> > > the actual full-time router for a public-addressable network? I will have
> > > about 6 web servers hosting anywhere from 1 to 50 sites each and an email
> > > server sitting behind this Linux box. Also, all outgoing private-network
> > > traffic will go through it as well (masqueraded).
> > >
> > > I have been using RedHat 6.0/6.1/6.2, custom install, with only Networked
> > > Workstation/Utilities, DNS Server, and I think that's it. Then I go into
> > > /etc/rc.d/init.d and remove the scripts for all the services I don't want.
> > > (as well as comment out /etc/inetd.conf entries) Anybody have any
> > > recommendations on whether I should recompile the kernel, use a different
> > > distribution, etc? Anybody any luck with e-Smith?
> > >
> > >
> > >
> > > Joe Santapau wrote:
> > >
> > > > this confusion became very clear to me when
> > > > messing around with the cisco pix device,
> > > >
> > > > the cisco ios makes it easy to make conduits between
> > > > a real internet ip, and lets say 192.168, 10. etc. etc.
> > > >
> > > > linux doesn't have a clear way of doing this yet, you would
> > > > have to use nat in reverse i guess, i don't think the masquerading
> > > > features of the kernel were intended for this. (it's my guess anyhow)
> > > >
> > > > but anyway if you bring up an eth0 at .2 and another eth1 at .3
> > > > .2 default gateway is 1, and .4-254 is .3 what you would have
> > > > is a class C dmz whose connection depended on your linux box ( not
> > > > to mention its firewall rules for security ) there might be a way to
> > > > use a plip cable as a means of detecting a failure and a failover
> > > > script could be run if a box doesn't respond.
> > > >
> > > > just a word of caution, as good as linux is, i have seen linux
> > > > boxes lock up in a routing situation after ( what i suspect )
> > > > the ipchains counters get too large. i have had to reboot them
> > > > on a monthly basis, using both redhat linux pared down to just boot
> > > > and a two floppy little ditty i later put together not unlike the
> > > > linux router project.
> > > >
> > > > no services running on the linux box none... the only
> > > > possible thing coming out of your firewall are syslog
> > > > messages ;-)
> > > >
> > > > i hope this describes your question, if not disregard completely !
> > > >
> > > > ----- Original Message -----
> > > > From: "Dave Akins" <dave600PACBELL.NET>
> > > > To: <FOCUS-LINUXSECURITYFOCUS.COM>
> > > > Sent: Tuesday, October 03, 2000 07:13 PM
> > > > Subject: Subnetting, firewall setup
> > > >
> > > > > I am familiar with using Linux as an IP Masq/gateway box to hook a
> > > > > private network to a public IP space. Now I have a new problem...
> > > > >
> > > > > I have a class C network that I've been given from my ISP. The T-1
> > > > > router sits at .1. I would like to set a Linux box up to be the
> > > > > firewall for everything in this Class C? Rather than order a smaller
> > > > > network to sit between the ISP and the Class C, is there a way I can do
> > > > > this with ONLY the Class C? Or am I best off ordering a small 2-host
> > > > > network to sit between the T-1 router and the Linux?
>
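Dave's original question comes down to two address-plan options: carve a small transit network for the T-1 router and the firewall's outside interface out of the one Class C he already has, or order a separate 2-host block and keep the whole Class C behind the firewall. The script below, an added example written for this archive page and not code posted by anyone in the thread, works both options through with Python's standard `ipaddress` module. The block 192.0.2.0/24 stands in for the real Class C (it is a documentation range, not an address from the thread); the router at .1 follows Dave's description.

```python
import ipaddress
from typing import List, Tuple

IPv4Network = ipaddress.IPv4Network


def carve_transit(block: str, transit_prefix: int = 30) -> Tuple[IPv4Network, List[IPv4Network]]:
    """Split one Class C into a transit subnet plus the DMZ subnets left over.

    The lowest subnet is used as the transit network so that the ISP's
    router can stay at .1, as in the original question.  A /24 minus a /30
    cannot be expressed as one subnet, so the DMZ side ends up as several
    blocks, each of which needs its own gateway on the firewall's inside.
    """
    net = ipaddress.ip_network(block)
    transit = next(net.subnets(new_prefix=transit_prefix))
    dmz = sorted(net.address_exclude(transit))
    return transit, dmz


def transit_endpoints(transit: IPv4Network) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Router and firewall-outside addresses: the two usable hosts of a /30."""
    hosts = list(transit.hosts())
    return hosts[0], hosts[-1]


def usable_hosts(subnets: List[IPv4Network]) -> int:
    """Hosts available for servers after the network, broadcast and one
    gateway address (the firewall's inside interface) are taken from each subnet."""
    return sum(n.num_addresses - 3 for n in subnets)


def gateway_for(dmz: List[IPv4Network], host: str) -> ipaddress.IPv4Address:
    """Which firewall-inside address a DMZ server must use as its default route."""
    addr = ipaddress.ip_address(host)
    for n in dmz:
        if addr in n:
            return next(n.hosts())  # first host of each DMZ block is reserved for the firewall
    raise ValueError(f"{host} is not inside any DMZ subnet")


def compare_plans(block: str = "192.0.2.0/24") -> dict:
    """Option A: split the Class C.  Option B: separate 2-host transit block,
    whole Class C on the inside (one gateway address taken from it)."""
    transit, dmz = carve_transit(block)
    whole = ipaddress.ip_network(block)
    return {
        "split_transit": str(transit),
        "split_dmz_subnets": [str(n) for n in dmz],
        "split_gateways_needed": len(dmz),
        "split_usable_hosts": usable_hosts(dmz),
        "separate_usable_hosts": whole.num_addresses - 3,
    }


if __name__ == "__main__":
    plan = compare_plans()
    for key, value in plan.items():
        print(f"{key}: {value}")
    router, fw_outside = transit_endpoints(ipaddress.ip_network(plan["split_transit"]))
    print(f"router {router}, firewall outside {fw_outside}")
    print("gateway for 192.0.2.200:", gateway_for(carve_transit("192.0.2.0/24")[1], "192.0.2.200"))
```

Running it shows the cost of staying inside the one Class C: the split leaves six DMZ blocks (/30 through /25), six inside addresses on the firewall, and 234 server addresses, against 253 when a separate 2-host block carries the router link. It also makes visible why Joe's ".4-254 is .3" layout does not map onto ordinary subnetting, since the addresses above the transit /30 are not one contiguous network.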