Solved

Hardware, not definitely Linux problem (firewall)

Posted on 1998-06-04
327 Views
Last Modified: 2010-03-18
Heya all..

I want to set up a decent firewall using some hardware. What is the best thing to get for basic firewalls? A NIC with a firewall on it somehow, or does one have to go all out and buy some $4000 3com product?

Andrew
q@qonline.com.au
0
Question by:Q010797
12 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1584457
Use linux, build a kernel with all the *_FIREWALL flags enabled and then use linux's ipfwadm.
$0.0   :-))
0
 
LVL 1

Author Comment

by:Q010797
ID: 1584458
Nope... doesn't stop incoming requests... only outgoing.
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1584459
I'm sorry, but you're wrong. Linux firewalling can grab packets at three points in the routing mechanism: you can apply rules to packets when they are Incoming, when they're Outgoing and when they're getting Forwarded, not to mention that you can specify packets trying to establish a connection (-y), or ACKnowledging packets, select tcp, udp or even icmp (and masquerade them), check whether the packet will be accepted, denied or rejected, redirect local ports, change the type of service field...

And I can see you haven't read the draft about ipchains implemented on kernels 2.1.102 and above, have you? There is an interesting HOWTO you should read.

Good Luck,

-- Marcelo
0
 
LVL 1

Author Comment

by:Q010797
ID: 1584460
I can't afford to use development kernels. I need the stability of the 2.0.xx kernels.

And can you tell me why my ipfwadm firewalling only works on outgoing packets, not incoming?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1584461
how about posting:
  ipfwadm -n -l -I
  ipfwadm -n -l -O
  ipfwadm -n -l -F
  ipfwadm -n -l -M
0
 
LVL 1

Author Comment

by:Q010797
ID: 1584462
IP firewall input rules, default policy: accept

IP firewall output rules, default policy: accept

IP firewall forward rules, default policy: accept
type  prot source               destination          ports
deny  tcp  203.103.144.0/24     0.0.0.0/0            * -> 80
deny  tcp  203.103.236.0/24     0.0.0.0/0            * -> 80
deny  tcp  203.103.144.0/24     0.0.0.0/0            * -> 8080
deny  tcp  203.103.236.0/24     0.0.0.0/0            * -> 8080
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 21
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 119
deny  tcp  203.103.236.28       0.0.0.0/0            * -> 21
deny  tcp  203.103.236.28       0.0.0.0/0            * -> 119
deny  tcp  203.103.236.215      0.0.0.0/0            * -> 21
deny  tcp  203.103.236.215      0.0.0.0/0            * -> 119
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 0:6000
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 7001:65535

system:~# ipfwadm -n -l -M
ipfwadm: cannot open file /proc/net/ip_masquerade

As you can see there are no rules to deny incoming actions. But I actually want to deny incoming actions to the PC that is running ipfwadm! So how can I firewall this machine?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1584463
just an example, there are much more in the man-pages ;-)

  ipfwadm -a accept -I -P all -S badhost -D securehost 513
  ipfwadm -a deny   -I -P all -S 0/0     -D securehost

0
 
LVL 1

Author Comment

by:Q010797
ID: 1584464
But if 'securehost' is the LOCAL host? That won't work, will it?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1584465
Yes, it won't, if securehost is the gateway itself.
You must protect the gateway on service/protocol level, for example in /etc/inetd.conf, /etc/hosts.{allow,deny} etc.
0
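As an added illustration (not part of the original thread, and not an ipfwadm feature), here is a small Python checker that parses an `ipfwadm -n -l` listing like the one the author posted and reports which chains are wide open. Forward-chain rules only apply to packets routed through the box; packets addressed to the gateway's own services are seen by the input chain, so a forward chain full of rules next to an empty input chain with default policy accept is exactly the gap discussed above. The sample listing is a constructed, trimmed copy of the author's output.

```python
"""Audit an `ipfwadm -n -l` listing (Linux 2.0 kernels) for open chains."""
import re

# Constructed sample: a trimmed copy of the listing posted in the thread.
SAMPLE = """\
IP firewall input rules, default policy: accept

IP firewall output rules, default policy: accept

IP firewall forward rules, default policy: accept
type  prot source               destination          ports
deny  tcp  203.103.144.0/24     0.0.0.0/0            * -> 80
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 21
"""

HEADER = re.compile(r"^IP firewall (\w+) rules, default policy: (\w+)")

def parse_listing(text):
    """Return {chain: {"policy": str, "rules": [(type, proto, src, dst, ports)]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        # Skip blank lines, the column header, and anything before a chain header.
        if current is None or not line.strip() or line.startswith("type"):
            continue
        fields = line.split(None, 4)  # the ports column contains spaces
        if len(fields) == 5:
            chains[current]["rules"].append(tuple(f.strip() for f in fields))
    return chains

def audit(chains):
    """Findings a reviewer would raise about the listing."""
    findings = []
    for name in ("input", "output", "forward"):
        c = chains.get(name)
        if c is None:
            findings.append(f"{name}: chain not listed")
        elif c["policy"] == "accept" and not c["rules"]:
            findings.append(f"{name}: default accept and no rules (wide open)")
    if chains.get("forward", {}).get("rules") and not chains.get("input", {}).get("rules"):
        findings.append("forward rules exist but input chain is empty: "
                        "the gateway's own services are unprotected")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_listing(SAMPLE)):
        print(finding)
```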
 
LVL 1

Author Comment

by:Q010797
ID: 1584466
The gateway is running a server on some ports I'd like to block to the outside world, but they are not inetd orientated, nor do they support internal firewalling / allowing or denying IPs.

So is there any way to block access?

Also, off topic, you have answered a number of my questions in the past; I have a few atm I'd LOVE answered in this area, networking-linux and linux-setup.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1584467
You may try the following in /etc/inetd.conf for your ports:

  yourport stream tcp nowait root /usr/sbin/tcpd yourserver

Please check  man inetd.conf  and  man tcpd.

Off topic, put 'em there, there are so many experts here :-))
0
 
LVL 4

Accepted Solution

by:
sconnell earned 50 total points
ID: 1584468
I'm just in the final stages of our corporate firewall using Linux 2.0.31.  Be warned, if you don't understand tcp/ip you're in for a lot of learning.  I don't know of any non-commercial firewall package that 'holds your hand' through the configuration.  

Rather than repeat what is out there, I'll give you some excellent sources that helped me:

Take a look at the following sites:
ulf.wep.net
linux-rules.samiam.org/firewall.html
www.cs.umsl.edu/~feldt/sluugls/meeting_notes/1996/jun/index.html
www.watchguard.com/index.html  - commercial firewall for Linux
electron.phys.dal.ca/Firewall-HOWTO.html - complete firewall info
scnc.holt.k12.mi.us/~lachniet/tutorial/640/index.htm - neat graphic tutorials here!

Final word of advice, stick with it...you'll be rewarded with a tremendously stable platform that you can put in a corner and forget about (unlike NT!!).
0