Solved

Hardware, not definately linux problem (firewall)

Posted on 1998-06-04
12
301 Views
Last Modified: 2010-03-18
Heya all..

I want to setup a decent firewall using some hardware.  What is the best thing to get for basic firewalls ?  a NIC with firewall on it somehow or does one have to go all out and buy some $4000 3com product ?

Andrew
q@qonline.com.au
0
Comment
Question by:Q010797
12 Comments
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
Use linux, build a kernel with all the *_FIREWALL flags enabled and then use linux's ipfwadm.
$0.0   :-))
0
 
LVL 1

Author Comment

by:Q010797
Comment Utility
nope. . doesn't stop incoming requests . .only outgoing.
0
 
LVL 3

Expert Comment

by:marcelofr
Comment Utility
I'm sorry, but you're wrong. Linux firewalling can grab packets in three points through the routing mecanism: You can put rules to the packet when they are Incoming, when they're Outgoing and when they're getting Forwarded, not to say you can specify packets trying to stablish a connection (-y), or ACKnowledging packets, select tcp, udp or even icmp (and masquerade them), check if the packet will be accepted, denied or rejected, redirect local ports, change type of service field...

And I can see you haven't read the draft about ipchains implemented on kernels 2.1.102 and above, have you? There is an interesting HOWTO you should read.

Good Luck,

-- Marcelo
0
 
LVL 1

Author Comment

by:Q010797
Comment Utility
I can't afford to use development kernels.. I need the stability of the 2.0.xx kernels.

And can you tell me why my ipfwadm firewalling only works on outgoing packets... not incoming ?
0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
how about posting:
  ipfwadm -n -l -I
  ipfwadm -n -l -O
  ipfwadm -n -l -F
  ipfwadm -n -l -M
0
 
LVL 1

Author Comment

by:Q010797
Comment Utility
IP firewall input rules, default policy: accept

IP firewall output rules, default policy: accept

IP firewall forward rules, default policy: accept
type  prot source               destination          ports
deny  tcp  203.103.144.0/24     0.0.0.0/0            * -> 80
deny  tcp  203.103.236.0/24     0.0.0.0/0            * -> 80
deny  tcp  203.103.144.0/24     0.0.0.0/0            * -> 8080
deny  tcp  203.103.236.0/24     0.0.0.0/0            * -> 8080
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 21
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 119
deny  tcp  203.103.236.28       0.0.0.0/0            * -> 21
deny  tcp  203.103.236.28       0.0.0.0/0            * -> 119
deny  tcp  203.103.236.215      0.0.0.0/0            * -> 21
deny  tcp  203.103.236.215      0.0.0.0/0            * -> 119
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 0:6000
deny  tcp  203.103.236.16       0.0.0.0/0            * -> 7001:65535

system:~# ipfwadm -n -l -M
ipfwadm: cannot open file /proc/net/ip_masquerade

as you can see there are no rules to deny incoming actions.  But I actually want to deny incoming actions to the PC that is running ipfwadm!  so how can I firewall this machine?
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
just an example, there are much more in the man-pages ;-)

  ipfwadm -a accept -I -P all -S badhost -D securehost 513
  ipfwadm -a deny   -I -P all -S 0/0     -D securehost

0
 
LVL 1

Author Comment

by:Q010797
Comment Utility
but if 'securehost' is the LOCAL host?  that won't work will it ?
0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
Yes, it won't, if securehost is the gateway itself.
You must protect the gateway on service/protocol level, for example in /etc/inetd.conf, /etc/hosts.{allow,deny} etc.
0
 
LVL 1

Author Comment

by:Q010797
Comment Utility
the gateway is running a server on some ports I'd like to block to the outside world, but they are not inetd orientated.  nor do they support internally firewalling / allow or deny IPs.

so is there anyway to block access?

also, off topic, you have answered a number of my questions in the past, I have a few atm i'd LOVE answered in this area, networking-linux and linux-setup
0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
you may try following in /etc/inetd.conf for you ports:

  yourport stream tcp nowait root /usr/sbin/tcpd yourserver

Please check  man inetd.conf  and  man tcpd.

Off topic, put'em there, there are so much experts here :-))
0
 
LVL 4

Accepted Solution

by:
sconnell earned 50 total points
Comment Utility
I'm just in the final stages of our corporate firewall using Linux 2.0.31.  Be warned, if you don't understand tcp/ip you're in for a lot of learning.  I don't know of any non-commercial firewall package that 'holds your hand' through the configuration.  

Rather then repeat what is out there, I'll give you some excellent sources that helped me:

Take a look at the following sites:
ulf.wep.net
linux-rules.samiam.org/firewall.html
www.cs.umsl.edu/~feldt/sluugls/meeting_notes/1996/jun/index.html
www.watchguard.com/index.html  - commercial firewall for Linux
electron.phys.dal.ca/Firewall-HOWTO.html - complete firewall info
scnc.holt.k12.mi.us/~lachniet/tutorial/640/index.htm - neat graphic tutorials here!

Final word of advice, stick with it...you'll be rewarded with a tremendously stable platform that you can put in a corner and forget about (unlike NT!!).
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now