swb dsl
James Hall
JHALL at waddell.com
Fri Dec 8 23:34:04 CST 2000
I used RedHat 6.2 to do exactly what you just described, and I don't think that I used one actual
RedHat "power tool". Therefore I believe that 5.2 should be perfectly adequate. (Although, it
does require that you rebuild your kernel with certain routing options enabled.) You can set up
your ethernet card with ifconfig, your firewall and IP masqing with IP-chains, and a 486 is perfect
for the job (as long as you're not overloading it with packets.) I pretty much just used the
how-to for IP-Chains that I found by searching on Google. (I can't quite remember the link and
it's been a very long time ago since I set that up.) I did however modify its design into one
that fit my network.
Essentially you need to write a config script that sets up IP Chains every time you boot the
server. (The logical chains reside in memory only, and disappear when you power off your server.)
I placed this in my /etc/rc.d/rc3.d directory. The way you set up the chains is where the artistry
comes in. This is the hardest part of setting up this type of a Linux firewall. This is the
logical structure of my chains, for the most part...
Incoming packet
1 where from?
a) from inside? (go to good queue)
b) from outside? (go to bad queue)
c) other? (probably not, but just in case destroy it)
2 Good queue
a) packet spoofed? (if not, continue or if so, deny it)
b) sent from approved? (if so then forward out and masq OR if not then deny)
c) other? (probably not, but just in case drop it without return)
3 Bad queue
a) packet spoofed? (if not, continue or if so, destroy it)
b) packet headed for approved internal dest and port? (If yes then, forward it to dest OR
if not then deny it)
c) other? (probably dangerous packet so we should destroy it)
All in all, it is mainly a time consuming task rather than difficult. But by taking some time and
being thorough, you can optimize it to run very fast and pretty damn secure. There is a lot more
to it than I have illustrated here, I just thought it would help to have an example chain structure
to start with.
Remember that Linux is the hacker's playground, so it is really best to make your firewall machine
standalone without any extra toys or tools for anyone to make use of against you. Though the
firewall is running in the kernel, any unnecessary services or daemons may render your firewall
completely worthless.
Good luck
-James
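An added example, not James's own boot script: an ipchains script laid out after the "good queue / bad queue" structure above, with one user chain per queue and the default policies standing in for the "other? destroy it" cases. The interface names, addresses and the single approved inbound service are constructed assumptions; change them to fit your own network. Run it without arguments to print the rules (no root needed), or with --apply on the firewall box to load them.

```sh
#!/bin/sh
# Added example (not the original poster's script): ipchains rules following the
# good/bad chain structure from the post. Interfaces, addresses and the approved
# inbound service below are constructed assumptions.
#
#   sh rc.firewall           print the rules (dry run, needs no root)
#   sh rc.firewall --apply   load them with ipchains (root, 2.2 kernel)

EXT_IF="${EXT_IF:-eth0}"                   # DSL side
EXT_IP="${EXT_IP:-203.0.113.5}"            # address on the DSL side (constructed)
INT_IF="${INT_IF:-eth1}"                   # LAN side
INT_NET="${INT_NET:-192.168.1.0/24}"       # LAN behind the masq box
APPROVED_SRC="${APPROVED_SRC:-$INT_NET}"   # LAN hosts allowed out (2b)
INT_SERVER="${INT_SERVER:-192.168.1.10}"   # approved internal destination (3b)
INT_PORT="${INT_PORT:-80}"                 # ... and its approved TCP port (3b)

# Every rule is printed as a shell line so it can be read, counted or piped
# into "sh -e". The two user chains take the place of the good/bad queues.
build_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "ipchains -F"
    echo "ipchains -X"
    # default policies: anything a chain does not decide is dropped (1c, 2c, 3c)
    echo "ipchains -P input DENY"
    echo "ipchains -P forward DENY"
    echo "ipchains -P output ACCEPT"
    echo "ipchains -N good"
    echo "ipchains -N bad"

    # 1. where from?  sort by the interface the packet arrived on
    echo "ipchains -A input -i lo -j ACCEPT"
    echo "ipchains -A input -i $INT_IF -j good"
    echo "ipchains -A input -i $EXT_IF -j bad"
    echo "ipchains -A input -j DENY -l"

    # 2. good queue (came in on the LAN side)
    # 2a spoofed: a LAN packet that does not carry a LAN source address
    echo "ipchains -A good -s ! $INT_NET -j DENY -l"
    # 2b approved source: let it in; the forward chain masquerades it
    echo "ipchains -A good -s $APPROVED_SRC -j ACCEPT"
    # 2c anything else: drop without return (DENY sends no ICMP, REJECT would)
    echo "ipchains -A good -j DENY"

    # 3. bad queue (came in on the DSL side)
    # 3a spoofed: an outside packet claiming a LAN or loopback source
    echo "ipchains -A bad -s $INT_NET -j DENY -l"
    echo "ipchains -A bad -s 127.0.0.0/8 -j DENY -l"
    # replies to masqueraded sessions come back to EXT_IP on the 2.2 kernel's
    # masq port range (61000-65095); they are demasqueraded after the input chain
    echo "ipchains -A bad -p tcp -d $EXT_IP 61000:65095 -j ACCEPT"
    echo "ipchains -A bad -p udp -d $EXT_IP 61000:65095 -j ACCEPT"
    # 3b approved internal destination and port
    echo "ipchains -A bad -p tcp -d $INT_SERVER $INT_PORT -j ACCEPT"
    # 3c anything else: log it and destroy it
    echo "ipchains -A bad -j DENY -l"

    # forward chain: in ipchains, -i here names the interface the packet LEAVES by
    echo "ipchains -A forward -i $EXT_IF -s $INT_NET -j MASQ"
    echo "ipchains -A forward -i $INT_IF -p tcp -d $INT_SERVER $INT_PORT -j ACCEPT"
}

# How many rules build_rules appends to one chain (a quick self check)
rules_in_chain() {
    build_rules | grep -c "^ipchains -A $1 "
}

case "${1:-}" in
    --apply) build_rules | sh -e ;;
    *)       build_rules ;;
esac
```

Two things the rules do not do for you: packets from the Internet to INT_SERVER only get past the filter here, so if that host sits on a private address behind the masq box you also need the kernel's port-forwarding support (ipmasqadm portfw, not covered in the post) to actually deliver them; and since the chains live in memory only, the script has to run from an rc directory at every boot, as James describes.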
On Fri, 8 Dec 2000, J.J. Kramer wrote:
> Has anyone setup a connection with SWBELL using DSL, IP-masq, and a
> firewall. I have an older PC (486) running Red Hat 5.2 and want to use
> it primarily for my firewall and IP-masq.
>
> For ease of configuration should I go to a new version of Red Hat or
> some other install?
>
> Thanks,
>
> J.J.
>