• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 370

Hardware, not definitely linux problem (firewall)

Heya all..

I want to set up a decent firewall using some hardware. What is the best thing to get for basic firewalls? A NIC with a firewall on it somehow, or does one have to go all out and buy some $4000 3Com product?

Andrew
q@qonline.com.au
0
Asked by Q010797
1 Solution
 
ahoffmannCommented:
Use linux, build a kernel with all the *_FIREWALL flags enabled and then use linux's ipfwadm.
$0.0   :-))
0
 
Q010797Author Commented:
Nope... doesn't stop incoming requests... only outgoing.
0
 
marcelofrCommented:
I'm sorry, but you're wrong. Linux firewalling can grab packets at three points through the routing mechanism: you can put rules on the packet when it is incoming, when it is outgoing and when it is getting forwarded, not to say you can specify packets trying to establish a connection (-y), or ACKnowledging packets, select tcp, udp or even icmp (and masquerade them), check if the packet will be accepted, denied or rejected, redirect local ports, change the type of service field...

And I can see you haven't read the draft about ipchains implemented on kernels 2.1.102 and above, have you? There is an interesting HOWTO you should read.

Good Luck,

-- Marcelo
0
 
Q010797Author Commented:
I can't afford to use development kernels... I need the stability of the 2.0.xx kernels.

And can you tell me why my ipfwadm firewalling only works on outgoing packets... not incoming ?
0
 
ahoffmannCommented:
how about posting:
  ipfwadm -n -l -I
  ipfwadm -n -l -O
  ipfwadm -n -l -F
  ipfwadm -n -l -M
0
 
Q010797Author Commented:
IP firewall input rules, default policy: accept

IP firewall output rules, default policy: accept

IP firewall forward rules, default policy: accept
type  prot source               destination          ports
deny  tcp  203.103.144.0/24     0.0.0.0/0            * -> 80
deny  tcp  203.103.236.0/24     0.0.0.0/0            * -> 80
deny  tcp  203.103.144.0/24     0.0.0.0/0            * -> 8080
deny  tcp  203.103.236.0/24     0.0.0.0/0            * -> 8080
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 21
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 119
deny  tcp  203.103.236.28       0.0.0.0/0            * -> 21
deny  tcp  203.103.236.28       0.0.0.0/0            * -> 119
deny  tcp  203.103.236.215      0.0.0.0/0            * -> 21
deny  tcp  203.103.236.215      0.0.0.0/0            * -> 119
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 0:6000
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 7001:65535

system:~# ipfwadm -n -l -M
ipfwadm: cannot open file /proc/net/ip_masquerade

As you can see there are no rules to deny incoming actions. But I actually want to deny incoming actions to the PC that is running ipfwadm! So how can I firewall this machine?
0
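The listing above is the whole diagnosis: marcelofr's three filtering points are the input, output and forward chains, and every one of the twelve rules here sits in the forward chain, which is only consulted for packets routed through the box. The input and output chains are empty with a default policy of accept. The script below is an added example, not code from the thread: it parses a saved `ipfwadm -n -l` listing in the format shown above (the sample text is the thread's own listing, embedded as a constructed here-document) and flags any chain that has no rules and accepts by default.

```shell
#!/bin/sh
# Added example, not from the thread: audit a saved `ipfwadm -n -l` listing and
# report, per chain, how many rules it holds and its default policy. A chain with
# zero rules and default policy "accept" is flagged OPEN. Assumes the listing
# format shown in the thread (2.0-kernel ipfwadm).

# Constructed sample: the three chain listings posted above, concatenated as
# `ipfwadm -n -l -I; ipfwadm -n -l -O; ipfwadm -n -l -F` would print them.
SAMPLE_LISTING=$(cat <<'EOF'
IP firewall input rules, default policy: accept

IP firewall output rules, default policy: accept

IP firewall forward rules, default policy: accept
type  prot source               destination          ports
deny  tcp  203.103.144.0/24     0.0.0.0/0            * -> 80
deny  tcp  203.103.236.0/24     0.0.0.0/0            * -> 80
deny  tcp  203.103.144.0/24     0.0.0.0/0            * -> 8080
deny  tcp  203.103.236.0/24     0.0.0.0/0            * -> 8080
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 21
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 119
deny  tcp  203.103.236.28       0.0.0.0/0            * -> 21
deny  tcp  203.103.236.28       0.0.0.0/0            * -> 119
deny  tcp  203.103.236.215      0.0.0.0/0            * -> 21
deny  tcp  203.103.236.215      0.0.0.0/0            * -> 119
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 0:6000
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 7001:65535
EOF
)

# audit_chains: read a listing on stdin, print "<chain> <rules> <policy> <OPEN|ok>"
# per chain, plus a note when only the forward chain carries rules.
audit_chains() {
  awk '
    # Header line: "IP firewall <chain> rules, default policy: <policy>"
    /^IP firewall / { chain = $3; pol[chain] = $NF; rules[chain] = 0; order[++n] = chain; next }
    # Rule lines start with the action; the "type prot ..." column header is skipped
    $1 == "accept" || $1 == "deny" || $1 == "reject" { rules[chain]++ }
    END {
      for (i = 1; i <= n; i++) {
        c = order[i]
        flag = (rules[c] == 0 && pol[c] == "accept") ? "OPEN" : "ok"
        printf "%s %d %s %s\n", c, rules[c], pol[c], flag
      }
      if (rules["forward"] > 0 && rules["input"] == 0)
        print "note: forward rules cover routed packets only; packets addressed to this host are checked by the input chain"
    }'
}

# Run the audit over the constructed sample (on a live box: ipfwadm -n -l -I -O -F | audit_chains)
printf '%s\n' "$SAMPLE_LISTING" | audit_chains
```

On the sample it reports the input and output chains as OPEN with zero rules and the forward chain with twelve, which is exactly why nothing addressed to the gateway itself is being stopped.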
 
ahoffmannCommented:
just an example, there are much more in the man-pages ;-)

  ipfwadm -a accept -I -P all -S badhost -D securehost 513
  ipfwadm -a deny   -I -P all -S 0/0     -D securehost

0
 
Q010797Author Commented:
But if 'securehost' is the LOCAL host? That won't work, will it?
0
 
ahoffmannCommented:
Yes, it won't, if securehost is the gateway itself.
You must protect the gateway on service/protocol level, for example in /etc/inetd.conf, /etc/hosts.{allow,deny} etc.
0
 
Q010797Author Commented:
The gateway is running a server on some ports I'd like to block to the outside world, but they are not inetd orientated. Nor do they support internal firewalling / allow or deny IPs.

So is there any way to block access?

Also, off topic, you have answered a number of my questions in the past. I have a few atm I'd LOVE answered in this area, networking-linux and linux-setup.
0
 
ahoffmannCommented:
You may try the following in /etc/inetd.conf for your ports:

  yourport stream tcp nowait root /usr/sbin/tcpd yourserver

Please check  man inetd.conf  and  man tcpd.

Off topic, put 'em there, there are so many experts here :-))
0
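The tcpd route only covers services started from inetd. For the author's standalone daemons on the gateway, the input chain is the tool: on 2.0 kernels it is checked for every packet arriving on an interface, before routing, so rules with `-D <gateway address>` in the input chain match traffic aimed at the gateway itself, in the same accept-then-deny order as the `securehost` pair shown earlier. The script below is an added example, not code from the thread or from ahoffmann; the addresses, interface name and port list are assumptions for the demo, and it prints the commands instead of running them unless APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfwadm *input*-chain rule set that
# protects the gateway host itself. Values below are assumptions for the demo:
# GATEWAY is the gateway's external address, EXT_IF its external interface,
# INTERNAL_NET the LAN behind it, ADMIN_HOST one address allowed to reach the
# listed services, PROTECTED_TCP_PORTS the ports to close to the outside.
GATEWAY=${GATEWAY:-192.0.2.1}
EXT_IF=${EXT_IF:-eth0}
INTERNAL_NET=${INTERNAL_NET:-192.168.1.0/24}
ADMIN_HOST=${ADMIN_HOST:-192.0.2.10}
PROTECTED_TCP_PORTS=${PROTECTED_TCP_PORTS:-"21 119 80 8080"}

# Dry run by default: print each ipfwadm command instead of executing it.
# Set APPLY=1 to run them for real (as root, on a 2.0 kernel with ipfwadm).
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

build_input_rules() {
  # Start from an empty input chain; keep its default policy at accept so that
  # everything not listed below still flows.
  run ipfwadm -I -f

  # Anti-spoofing: a packet arriving on the external interface must not claim
  # an internal source address. -o logs matches to the kernel log.
  run ipfwadm -a deny -I -P all -o -W "$EXT_IF" -S "$INTERNAL_NET" -D 0/0

  # First match wins, so the exception comes before the general deny
  # (same ordering as the accept/deny pair shown earlier in the thread).
  run ipfwadm -a accept -I -P tcp -S "$ADMIN_HOST" -D "$GATEWAY" $PROTECTED_TCP_PORTS

  # Deny new TCP connections (-y: SYN set, ACK clear) to the gateway's own
  # address on the protected ports when they arrive on the external interface.
  run ipfwadm -a deny -I -P tcp -y -o -W "$EXT_IF" -S 0/0 -D "$GATEWAY" $PROTECTED_TCP_PORTS
}

build_input_rules
```

Matching on `-W` (the receiving interface) rather than on source ranges keeps LAN clients able to reach the gateway's services while closing them to the outside, and `-y` restricts the deny to connection attempts so established sessions that happen to traverse the box are not clipped. After applying, `ipfwadm -n -l -I` should list the rules in this order.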
 
Shawn ConnellyTechnical WriterCommented:
I'm just in the final stages of our corporate firewall using Linux 2.0.31.  Be warned, if you don't understand tcp/ip you're in for a lot of learning.  I don't know of any non-commercial firewall package that 'holds your hand' through the configuration.  

Rather than repeat what is out there, I'll give you some excellent sources that helped me:

Take a look at the following sites:
ulf.wep.net
linux-rules.samiam.org/firewall.html
www.cs.umsl.edu/~feldt/sluugls/meeting_notes/1996/jun/index.html
www.watchguard.com/index.html  - commercial firewall for Linux
electron.phys.dal.ca/Firewall-HOWTO.html - complete firewall info
scnc.holt.k12.mi.us/~lachniet/tutorial/640/index.htm - neat graphic tutorials here!

Final word of advice, stick with it... you'll be rewarded with a tremendously stable platform that you can put in a corner and forget about (unlike NT!!).
0
