Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 371
  • Last Modified:

Hardware, not definately linux problem (firewall)

Heya all..

I want to setup a decent firewall using some hardware.  What is the best thing to get for basic firewalls ?  a NIC with firewall on it somehow or does one have to go all out and buy some $4000 3com product ?

Andrew
q@qonline.com.au
0
Q010797
Asked:
Q010797
1 Solution
 
ahoffmannCommented:
Use linux, build a kernel with all the *_FIREWALL flags enabled and then use linux's ipfwadm.
$0.0   :-))
0
 
Q010797Author Commented:
nope. . doesn't stop incoming requests . .only outgoing.
0
 
marcelofrCommented:
I'm sorry, but you're wrong. Linux firewalling can grab packets in three points through the routing mecanism: You can put rules to the packet when they are Incoming, when they're Outgoing and when they're getting Forwarded, not to say you can specify packets trying to stablish a connection (-y), or ACKnowledging packets, select tcp, udp or even icmp (and masquerade them), check if the packet will be accepted, denied or rejected, redirect local ports, change type of service field...

And I can see you haven't read the draft about ipchains implemented on kernels 2.1.102 and above, have you? There is an interesting HOWTO you should read.

Good Luck,

-- Marcelo
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
Q010797Author Commented:
I can't afford to use development kernels.. I need the stability of the 2.0.xx kernels.

And can you tell me why my ipfwadm firewalling only works on outgoing packets... not incoming ?
0
 
ahoffmannCommented:
how about posting:
  ipfwadm -n -l -I
  ipfwadm -n -l -O
  ipfwadm -n -l -F
  ipfwadm -n -l -M
0
 
Q010797Author Commented:
IP firewall input rules, default policy: accept

IP firewall output rules, default policy: accept

IP firewall forward rules, default policy: accept
type  prot source               destination          ports
deny  tcp  203.103.144.0/24     0.0.0.0/0            * -> 80
deny  tcp  203.103.236.0/24     0.0.0.0/0            * -> 80
deny  tcp  203.103.144.0/24     0.0.0.0/0            * -> 8080
deny  tcp  203.103.236.0/24     0.0.0.0/0            * -> 8080
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 21
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 119
deny  tcp  203.103.236.28       0.0.0.0/0            * -> 21
deny  tcp  203.103.236.28       0.0.0.0/0            * -> 119
deny  tcp  203.103.236.215      0.0.0.0/0            * -> 21
deny  tcp  203.103.236.215      0.0.0.0/0            * -> 119
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 0:6000
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 7001:65535

system:~# ipfwadm -n -l -M
ipfwadm: cannot open file /proc/net/ip_masquerade

as you can see there are no rules to deny incoming actions.  But I actually want to deny incoming actions to the PC that is running ipfwadm!  so how can I firewall this machine?
0
 
ahoffmannCommented:
just an example, there are much more in the man-pages ;-)

  ipfwadm -a accept -I -P all -S badhost -D securehost 513
  ipfwadm -a deny   -I -P all -S 0/0     -D securehost

0
 
Q010797Author Commented:
but if 'securehost' is the LOCAL host?  that won't work will it ?
0
 
ahoffmannCommented:
Yes, it won't, if securehost is the gateway itself.
You must protect the gateway on service/protocol level, for example in /etc/inetd.conf, /etc/hosts.{allow,deny} etc.
0
 
Q010797Author Commented:
the gateway is running a server on some ports I'd like to block to the outside world, but they are not inetd orientated.  nor do they support internally firewalling / allow or deny IPs.

so is there anyway to block access?

also, off topic, you have answered a number of my questions in the past, I have a few atm i'd LOVE answered in this area, networking-linux and linux-setup
0
 
ahoffmannCommented:
you may try following in /etc/inetd.conf for you ports:

  yourport stream tcp nowait root /usr/sbin/tcpd yourserver

Please check  man inetd.conf  and  man tcpd.

Off topic, put'em there, there are so much experts here :-))
0
 
S ConnellyTechnical WriterCommented:
I'm just in the final stages of our corporate firewall using Linux 2.0.31.  Be warned, if you don't understand tcp/ip you're in for a lot of learning.  I don't know of any non-commercial firewall package that 'holds your hand' through the configuration.  

Rather then repeat what is out there, I'll give you some excellent sources that helped me:

Take a look at the following sites:
ulf.wep.net
linux-rules.samiam.org/firewall.html
www.cs.umsl.edu/~feldt/sluugls/meeting_notes/1996/jun/index.html
www.watchguard.com/index.html  - commercial firewall for Linux
electron.phys.dal.ca/Firewall-HOWTO.html - complete firewall info
scnc.holt.k12.mi.us/~lachniet/tutorial/640/index.htm - neat graphic tutorials here!

Final word of advice, stick with it...you'll be rewarded with a tremendously stable platform that you can put in a corner and forget about (unlike NT!!).
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now