General discussion

  • #2081859

    Setting up a firewall

    Locked

    by evan ·

    I recently got a T-1 connection in our office. Our server is running on NT Server. I want to set up a Linux box as a firewall. How would I go about doing so??? Would I have to run my NT Box into the Linux Box?

All Comments

    • #3902958

      Setting up a firewall

      by compaqer ·

      In reply to Setting up a firewall

      T1 —–|Linux|——-|NT

      Yes, you should run your NT box into the Linux box, i.e. they are both on a local LAN and using the same subnet IP mask. The NT box is configured to use the Linux IP address for its default gateway.

      The Linux box will have 2 cards:
      1 NIC for the local LAN connection with NT; a second card for the T1 connection.

      Regards,
      Jerry

    • #3902951

      Setting up a firewall

      by rixmail ·

      In reply to Setting up a firewall

      There is an article posted on WebMonkey:
      Have a Ball with IP Masquerade
      by Todd Troutman 22 Jul 1999. Take a look at it, I started at a ZDTV site. Do a search there and get links to a couple of sites with a howto. Good Luck, I plan to try this myself this year.
      RJ

    • #3902950

      Setting up a firewall

      by tpike ·

      In reply to Setting up a firewall

      As Jerry mentioned above, definitely run your Linux box in front of the NT Server. Using the Linux box as your firewall has several advantages. If you use the NAT firewall program included with most recent Linux releases, you can -ipchains the addresses which can access the T1 line for internet access. If the IP address is not listed in the -ipchains list, your user will not be able to access the internet (good for controlling access 🙂). Plus, it limits who comes in on the T1 line from the outside by the same procedure. You are safe from incoming and controlled as far as outgoing. We used this during testing for our new network and it worked very well. It is also an inexpensive solution to a very real security problem with networks. Your cost will be the cost of a Linux box (even a 386 will work if your office is small), two ethernet cards, and a copy of Linux (I recommend Redhat 6.x). Good Luck!

      Tom

    • #3902940

      Setting up a firewall

      by philip.smith ·

      In reply to Setting up a firewall

      You don’t say about the rest of your network topology, just your server.

      Depending on how it is configured, and what you actually run on the server, you might also think about putting another firewall / ip masquerading to hide your clients from the internet but still give them access.

      Take a look at the Linux IP Masquerade HOWTO, this explains it being used in conjunction with ipchains for a firewall scenario.

      Phil Smith

    • #3897184

      Setting up a firewall

      by joserivera98 ·

      In reply to Setting up a firewall

      While it is possible to run the NT box into the Linux Box, I would be cautious using it to protect your internal subnet. Linux is an open source environment with many backdoors still lurking about. There are plenty of good Solaris and NT based firewalls that have been put to the test with great success. It is possible to do what you want, but do you really want to? That’s the real question. Placing two NICs is the start, where one is configured to listen for untrusted traffic and the other for trusted traffic. See Reference – http://home.earthlink.net/~michaelburns/fire.html

    • #3896880

      Setting up a firewall

      by sbowen ·

      In reply to Setting up a firewall

      You are talking about protecting your business here. Security isn’t something to be taken lightly. Throw out the Linux and freeware and spend the money on Solaris7 and Firewall1 (or comparable product). It will be expensive up front, but in the end you will be happy you spent the money.

    • #3897551

      Setting up a firewall

      by ivo.damato ·

      In reply to Setting up a firewall

      Linux is a good choice but you need to know that installing and configuring such a firewall box is not so easy. Much effort has to be made after the installation to assure that the system is well monitored.
      2 NIC interfaces are OK. I may also suggest you apply ipchains rules (search the internet for trinityOS…) which permit you to control packets, but also to configure some application level gateway; try TIS if you want to do all the work by yourself. Another way to assure http and ftp navigation to all your clients could be a proxy (try squid…).
      Don’t forget to read and read over the net about this subject and to maintain your system well up to date against possibly discovered bugs on some applications. A good start is also the posting the security administration guide. HAVE FUN!

    • #3897859

      Setting up a firewall

      by lee v. ·

      In reply to Setting up a firewall

      I highly disagree with the persons saying that Linux is not a good choice. Most industry gurus worth their salt also agree that Linux, while it is open source, is an excellent choice for many tasks, including building a firewall. Answers #1, 3, and 7 offer good advice, especially the 2 NICs and the IP Masquerade suggestions. There are several FAQ and How_to documents on how to set up Linux for your situation. Since RedHat was mentioned (good choice), a good place to start looking for documentation is http://www.redhat.com where you’ll see several links to the Linux Documentation Project. I am setting up a Linux box in a similar way using Samba to emulate an NT server to provide another level of “security”, since if they think it’s NT, they’ll attack NT. Good hunting!

    • #3897777

      Setting up a firewall

      by morrigan ·

      In reply to Setting up a firewall

      Well, your first step would be to set up IPForwarding and ipchains on the Linux system. Once you have that working and tested, you would physically connect the Linux machine’s external interface to the T1 via your gateway router. Set the Linux box’s default gateway to be that router. Then set up your internal machines’ default gateway to be the IP address of the Linux box’s internal network card. You then need to set up routes between the internal and external networks using the route command. That should get you basic connectivity.
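
The forwarding and ipchains steps from the reply above, combined with the per-host allow-list described earlier in the thread, as an added example that is not part of any poster's message. It prints the commands for review instead of running them; the interface name, the 192.168.1.x addresses and both function names are assumptions.

```shell
#!/bin/sh
# Added example: prints, without running them, the ipchains commands for a
# two-NIC masquerading firewall. Interface and addresses are assumptions.

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; only digits and dots reach this line
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: gen_firewall_rules EXT_IF INT_NET ALLOWED_HOST...
#   EXT_IF  interface facing the T1 router (assumed name, e.g. eth0)
#   INT_NET internal LAN in CIDR form (not validated here)
gen_firewall_rules() {
    [ "$#" -ge 3 ] || { echo "usage: gen_firewall_rules EXT_IF INT_NET HOST..." >&2; return 2; }
    ext_if=$1; int_net=$2; shift 2
    # Check the whole allow-list first so a typo never yields a partial rule set.
    for host in "$@"; do
        valid_ipv4 "$host" || { echo "bad address: $host" >&2; return 1; }
    done
    echo "ipchains -F input"
    echo "ipchains -F forward"
    # Default-deny: a host that is not listed below gets no Internet access.
    echo "ipchains -P forward DENY"
    # Drop and log packets arriving from outside that claim an internal source.
    echo "ipchains -A input -i $ext_if -s $int_net -j DENY -l"
    for host in "$@"; do
        echo "ipchains -A forward -i $ext_if -s $host/32 -j MASQ"
    done
    # Turn on routing only after the rules are in place.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Constructed sample call: two internal hosts allowed out through eth0.
gen_firewall_rules eth0 192.168.1.0/24 192.168.1.10 192.168.1.11
```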

    • #3900644

      Setting up a firewall

      by er.brown ·

      In reply to Setting up a firewall

      Hi

      You could find yourself spending loads of cash (answer 6) here or having a nightmare trying to configure (answer 7) a Linux or NT firewall. Have a look at the GNAT Box http://www.gnatbox.com it’s easy to configure and it won’t break the bank. The GNAT Box has been built to run on a FreeBSD kernel with all the frills taken out. It will boot from a floppy disk and will run on anything from a 486 upwards, so there is no need to buy all that expensive hardware.

      Cheers

      Ewan.

    • #3898086

      Setting up a firewall

      by lowkey ·

      In reply to Setting up a firewall

      For almost all your Linux answers I recommend O’Reilly’s books. In this case, you need to get a copy of “Linux Firewalls”; I don’t remember the author’s name but it starts with a ‘Z’. It will take you through how to configure a Linux firewall for home, work, multiple LANs, etc. And all for only $25.
      As for the earlier comment about not risking the security of your business to Linux, I disagree with the poster completely. A properly configured Linux firewall is just as secure as any other packet firewall and when kernel 2.2.4 is released this summer, Linux firewalls will be as secure as any other firewall available.

    • #3901633

      Setting up a firewall

      by aaron v ·

      In reply to Setting up a firewall

      Yes, and you can do this with very low cost. Check out http://www.linuxrouter.org. The 486 solution boots from a single floppy, and can handle 10Mb/s. The routing capabilities were tested in our lab and seemed to work fine. We did not, however, officially test the speed, but it seemed to be able to handle the load.

      As per usual firewall configurations, limit the available connections to only the protocols/ports you need.
