Is it possible to have linux serve as the firewall for my existing w2k network? This network is currently configured as follows:
w2k server w/AD
linksys 4-port router
e2k server
w2k prof & xp system
linux server ver7.3
Can someone point me to documentation that will instruct me on using the linux server as a firewall for this network?
Or is this even possible. Or is the firewawll limited to the system it's installed on.
Any help is appreciated.
This is completely possible, however I would suggest using a dedicated
486 or P1 for a firewall being that less services/processes on a firewall
limits the amount of possible exploits from the internet.
My personal choice is one of the LEAF projects products (http://leaf.sourceforge.net).
Other similar products would include Coyote Linux, ESmith, FreeSCO, and many others.
I hope this helps,
~Lynn
I have one existing linux/iptables firewall on my (primarily)Win2k domain and am going to add a few more iptables/FreeSWAN boxes. It's entirely possibly and, with the propery set up, can do replace most commercial firewall solutions. I suggest this book http://www.bookpool.com/.x/na7odhoek4/sm/0735710996
Also, you will definately need a box dedicated to that purpose alone with zero services running (ok maybe just SSH for remote administration).
You might want to also looking into something like ulogd for logging your firewall traffic to a MySQL database.
OK...so there is hope.
My domain is also primarily w2k plus this new linux server that I just installed. Would you happen to have any documentation on this? I'll have to try and work that book into my budget sometime in the near future. My concern or lack of knowledge deals with the actual setup of the linux system. Are there any modifications that I'll need to make to my w2k network before or after this, or can I simply add that system, assign a static IP to it, and setup the firewall accordingly?
thanks
You will need to make no changes to your domain other than possibly adding an entry to your local nameserver and changing some default gateways and routing tables to accomidate for the new firewall. If it is replacing an old firewall, then you probably won't have to do a thing.
Before you build the firewall, you will need to lock down the box it is going to be installed on completely.
I will say this however, if you are new to Linux, you have some work ahead of you before you get this firewall to where it needs to be as a production level box. But that dosne't mean you cannot do it. The book I posted really is the best reference I have found. The netfiler website may also be of some help, though their documentation is a little more cryptic. A book or two on linux security might also be helpful.
Setting up a linux firewall is rougher than a turnkey solution like Checkpoint, but as far as firewalls go, IMHO, if set up properly, it can be every bit as good.
My advice, get the right books, do the right reading, make sure you know what you are doing, lock down your linux box--test, test, test--then build the firewall. Otherwise, you'll just be building a false sense of security.
[quote author=tolstoy link=board=5;threadid=4651;start=0#46426 date=1029879130]
Setting up a linux firewall is rougher than a turnkey solution like Checkpoint, but as far as firewalls go, IMHO, if set up properly, it can be every bit as good.
[/quote]
This is excellent advice Tolstoy, but I would like your opinion of something.
The LEAF distro "Bering" does all that you have mentioned (including IPSEC,
CIPE, PPTP, etc....) and uses Shorewall to "easily" setup IPTables.... other
than the obvious advantage of learning iptables, do you find anything wrong
with using a distro similar to this??? It is much faster to setup and locked down
from the original image and has been used in commercial settings with up to
16 IFACES.
TIA
[quote author=Guitarlynn link=board=5;threadid=4651;start=0#46530 date=1029938052]
[quote author=tolstoy link=board=5;threadid=4651;start=0#46426 date=1029879130]
Setting up a linux firewall is rougher than a turnkey solution like Checkpoint, but as far as firewalls go, IMHO, if set up properly, it can be every bit as good.
[/quote]
This is excellent advice Tolstoy, but I would like your opinion of something.
The LEAF distro "Bering" does all that you have mentioned (including IPSEC,
CIPE, PPTP, etc....) and uses Shorewall to "easily" setup IPTables.... other
than the obvious advantage of learning iptables, do you find anything wrong
with using a distro similar to this??? It is much faster to setup and locked down
from the original image and has been used in commercial settings with up to
16 IFACES.
TIA
[/quote]
I don't really have much or an opinion on any of those linux solutions, though that's not to say they are not good. I usually just do the leanest RH install I can. Then I write an iptables script and compile in support for FreeSWAN. The scripts take a while to write and debug, but I like writing them for some odd reason. Currently I'm looking into ulogd so I can log dropped packets to a mysql box and manage the logs with a php script of some sort (thesea re my winter plans at least). Just as a security precaution, and as a way to centralize log management, I always log to a dedicated syslog server.
I hear ya, I have a couple that send syslog back to a dedicated
dot-matrix printer so I don't chance losing the info on a server.
As long as the DROP's are put in right, I don't go through *too*
much paper. :-)
I'll have to check on that "ulogd" as well, sounds neat!
Posting Permissions
Reply With Quote
Bookmarks