We help IT Professionals succeed at work.

Hardware, not definately linux problem (firewall)

Q010797
Q010797 asked
on
Medium Priority
379 Views
Last Modified: 2010-03-18
Heya all..

I want to setup a decent firewall using some hardware.  What is the best thing to get for basic firewalls ?  a NIC with firewall on it somehow or does one have to go all out and buy some $4000 3com product ?

Andrew
q@qonline.com.au
Comment
Watch Question

Use linux, build a kernel with all the *_FIREWALL flags enabled and then use linux's ipfwadm.
$0.0   :-))

Author

Commented:
nope. . doesn't stop incoming requests . .only outgoing.
I'm sorry, but you're wrong. Linux firewalling can grab packets in three points through the routing mecanism: You can put rules to the packet when they are Incoming, when they're Outgoing and when they're getting Forwarded, not to say you can specify packets trying to stablish a connection (-y), or ACKnowledging packets, select tcp, udp or even icmp (and masquerade them), check if the packet will be accepted, denied or rejected, redirect local ports, change type of service field...

And I can see you haven't read the draft about ipchains implemented on kernels 2.1.102 and above, have you? There is an interesting HOWTO you should read.

Good Luck,

-- Marcelo

Author

Commented:
I can't afford to use development kernels.. I need the stability of the 2.0.xx kernels.

And can you tell me why my ipfwadm firewalling only works on outgoing packets... not incoming ?
how about posting:
  ipfwadm -n -l -I
  ipfwadm -n -l -O
  ipfwadm -n -l -F
  ipfwadm -n -l -M

Author

Commented:
IP firewall input rules, default policy: accept

IP firewall output rules, default policy: accept

IP firewall forward rules, default policy: accept
type  prot source               destination          ports
deny  tcp  203.103.144.0/24     0.0.0.0/0            * -> 80
deny  tcp  203.103.236.0/24     0.0.0.0/0            * -> 80
deny  tcp  203.103.144.0/24     0.0.0.0/0            * -> 8080
deny  tcp  203.103.236.0/24     0.0.0.0/0            * -> 8080
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 21
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 119
deny  tcp  203.103.236.28       0.0.0.0/0            * -> 21
deny  tcp  203.103.236.28       0.0.0.0/0            * -> 119
deny  tcp  203.103.236.215      0.0.0.0/0            * -> 21
deny  tcp  203.103.236.215      0.0.0.0/0            * -> 119
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 0:6000
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 7001:65535

system:~# ipfwadm -n -l -M
ipfwadm: cannot open file /proc/net/ip_masquerade

as you can see there are no rules to deny incoming actions.  But I actually want to deny incoming actions to the PC that is running ipfwadm!  so how can I firewall this machine?
just an example, there are much more in the man-pages ;-)

  ipfwadm -a accept -I -P all -S badhost -D securehost 513
  ipfwadm -a deny   -I -P all -S 0/0     -D securehost

Author

Commented:
but if 'securehost' is the LOCAL host?  that won't work will it ?
Yes, it won't, if securehost is the gateway itself.
You must protect the gateway on service/protocol level, for example in /etc/inetd.conf, /etc/hosts.{allow,deny} etc.

Author

Commented:
the gateway is running a server on some ports I'd like to block to the outside world, but they are not inetd orientated.  nor do they support internally firewalling / allow or deny IPs.

so is there anyway to block access?

also, off topic, you have answered a number of my questions in the past, I have a few atm i'd LOVE answered in this area, networking-linux and linux-setup
you may try following in /etc/inetd.conf for you ports:

  yourport stream tcp nowait root /usr/sbin/tcpd yourserver

Please check  man inetd.conf  and  man tcpd.

Off topic, put'em there, there are so much experts here :-))
Technical Writer
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.