Secure P2P with a Linux/XP network. Mad?

Posted on 2003-03-10
Medium Priority
Last Modified: 2012-05-04

I am not looking for detailed help on the following, rather advice on whether the concept itself is sound or
somehow flawed. Or even to know if there is a simpler way to do what I want (probably!) ;)

I want to set up a 2 PC home network consisting of a Linux box connected one way to the WWW via a NIC and DSL modem
and the other way via a NIC/crossover cable to a Win XP Pro machine. I have a fair degree of XP experience but very
little with Linux. My motivation is partly to learn more about Linux, networking and firewalls but also to run a P2P
client (Limewire or similar) on the Linux machine. I am very keen to keep P2P off the XP box itself.

The Linux 'gateway' machine would have 3 'states', interchangeable without a reboot if possible.

State 1
Linux box used as sole machine for all web browsing, email, FTP and P2P applications. Network to XP disabled.
Firewall on Linux box compatible with P2P client and single shared P2P folder with appropriate permissions. All
other files/folders restricted to the logged-on user only. Appropriate trojan/AV software.

State 2
NIC/DSL connection disabled. No firewall. XP/Linux network enabled. XP machine can see appropriate folders (x2) on
Linux box with permissions to transfer files. Virus/trojan checking on XP box.

State 3
Required to enable 'live update' of AV/OS and other software on XP box.
Linux box 'bridges' DSL connection, via firewall, to appropriate named services on XP machine. P2P disabled (either
via firewall or kill client).

Linux box does not need to share other XP resources. No need for remote access.

I have a broad idea how to achieve the above (or where to find out how) from the configuration standpoint.

I hope from the above it's clear what I am trying to achieve. At no point do I want a 'live' connection to the XP
box when the Linux P2P client is active and any direct XP box connection to the WWW must be tightly controlled. No XP web browsing or email, just a handful of live update services.

Paranoia? Maybe.


Is this reasonable or way, way out? If OK, is anyone aware of any specifically relevant FAQs or HOWTOs?

Is this same level of security achievable another (simpler) way?

Will a standard Linux distro (Mandrake, RH, SuSE) suffice or do I need a 'hardened' kernel?

Thank you all very much for your time and opinions. Really.


Question by: babysnake

Accepted Solution

jimbb earned 1000 total points
ID: 8108655
I don't know of any FAQs or HOW-TOs for your specific request, but it certainly can be done. Two ways I can think of off-hand are a) use different runlevels for each of these profiles: for example, in runlevel 3 you can have your #1 setup, runlevel 4 will be your #2 setup and so on.

Alternatively, and probably easier, would be to just write scripts to turn things on/off as necessary.

You really don't need a "hardened" kernel/distro to do what you're doing, no. Just make sure you secure the machine properly. IMHO, your main weakness is going to be possible vulnerabilities in your P2P client (assuming you don't run any external services, as I didn't see mention of any).

I am a very paranoid individual myself; if it were my setup I think I'd prefer to have a single "trusted" box and _not_ run the P2P client, or anything else dangerous, on it, and instead do all that stuff on a sacrificial machine that I wouldn't cry over if it got compromised. But everyone wants different things, so I'm just putting some food for thought on the table. :)

Expert Comment

ID: 8108662
Oh one more comment, you mentioned "bridge."  If you literally mean ethernet bridging, I'm not sure what the status of that is with the 2.4 kernel and Netfilter.  It may not work without patching the kernel.

If you just want to forward some ports to the XP box though, you can do that without bridging.
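As an added illustration of the "write scripts to turn things on/off" approach and of forwarding without bridging (this is example code added to the thread, not anything jimbb or babysnake posted), the script below switches the Linux box between the three states from the question using Netfilter and iproute2. Interface names (eth0 to the DSL modem, eth1 on the crossover cable), the XP box's address 192.168.0.2 and the update ports 80/443 are assumptions for a hypothetical setup; 6346 is the Gnutella default port that LimeWire listens on. It runs in dry-run mode by default, printing the commands it would execute, so the rule sets can be reviewed without root; DRY_RUN=0 applies them for real.

```shell
#!/bin/sh
# Example state-switch script for a two-NIC Linux gateway (not from the thread).
# All interface names, addresses and ports below are assumptions for a
# hypothetical setup; override them in the environment as needed.
WAN_IF="${WAN_IF:-eth0}"                  # NIC to the DSL modem
LAN_IF="${LAN_IF:-eth1}"                  # NIC on the crossover cable to the XP box
XP_IP="${XP_IP:-192.168.0.2}"             # XP box's address on the crossover link
P2P_PORT="${P2P_PORT:-6346}"              # Gnutella default listening port (LimeWire)
UPDATE_PORTS="${UPDATE_PORTS:-80,443}"    # what the XP box may reach in state 3

# Dry run by default so the rule sets can be reviewed as a non-root user;
# DRY_RUN=0 runs the real iptables / ip / sysctl binaries.
if [ "${DRY_RUN:-1}" = 1 ]; then
    IPT="echo iptables"; IP="echo ip"; SYSCTL="echo sysctl"
else
    IPT=iptables; IP=ip; SYSCTL=sysctl
fi

# Common starting point for every state: flush everything, default to DROP on
# INPUT and FORWARD, allow loopback and replies to connections we opened.
reset_firewall() {
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $SYSCTL -w net.ipv4.ip_forward=0
}

# State 1: Linux box alone on the Internet running the P2P client. The crossover
# link is taken down so the XP box is unreachable; only the P2P port is opened.
state1() {
    $IP link set "$LAN_IF" down
    $IP link set "$WAN_IF" up
    reset_firewall
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$P2P_PORT" -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport "$P2P_PORT" -j ACCEPT
}

# State 2: DSL link down, XP/Linux file transfer only. Traffic from the XP box on
# the crossover link is accepted; the WAN side is administratively down.
state2() {
    $IP link set "$WAN_IF" down
    $IP link set "$LAN_IF" up
    reset_firewall
    $IPT -A INPUT -i "$LAN_IF" -s "$XP_IP" -j ACCEPT
}

# State 3: XP box reaches the Internet through the Linux box for live updates
# only. Forwarding is on, but FORWARD only passes connections the XP box itself
# opens to the update ports (plus DNS), masqueraded behind the WAN address.
# Nothing is opened towards the P2P port; the client is stopped separately.
state3() {
    $IP link set "$WAN_IF" up
    $IP link set "$LAN_IF" up
    reset_firewall
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$XP_IP" -p tcp -m multiport --dports "$UPDATE_PORTS" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$XP_IP" -p udp --dport 53 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$XP_IP" -j MASQUERADE
}

# Dispatch on the requested state; in dry-run mode this prints the commands.
rules_for_state() {
    case "$1" in
        1) state1 ;;
        2) state2 ;;
        3) state3 ;;
        *) echo "usage: $0 {1|2|3}" >&2; return 2 ;;
    esac
}

case "$1" in
    1|2|3) rules_for_state "$1" ;;
esac
```

Run it as `DRY_RUN=1 sh switch-state.sh 3` to read the rule set for a state before applying it with `DRY_RUN=0`. The key defensive choice is that state 3 never opens the P2P port or any inbound port on the WAN side: the XP box only ever originates outbound connections to the update ports, and everything else on the crossover link is dropped by the default policy, which matches the "tightly controlled" requirement without needing kernel bridging patches.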

Author Comment

ID: 8109711

Bridging is covered by a mini-HOWTO I found somewhere. You have to patch the kernel first.

I'll probably use scripts for it all.

Nice to know I've not totally lost it!! :>)

