Snap Gear Lite 2 Firewall Setup

Posted on 2003-11-10
1,441 Views
Last Modified: 2013-11-16
I have a co-located Dell server running Win2K Advanced Server; currently the server is using Zone Alarm Pro as a firewall. The server is running the following services: DNS, HTTP Server (IIS), FTP, POP3, SMTP, PCAnywhere Host.

I have just purchased a Snap Gear Lite 2 VPN Firewall but have no idea how to configure the device.

It is brand new from the manufacturer but their support hasn't been, very, well, quick or supportive!

For the moment I intend to use the device purely as a firewall until I buy another and set up a VPN; I believe two of these devices provide a very secure VPN. I will use PC Anywhere to administer the server for the present.

My problem is I would like to configure the device prior to deployment so I don't have to link a monitor up in the datacenter etc. It's geographically far and frankly the security don't like you hanging around to configure things, especially if you don't know what you're doing ;-)

My server has a total of 64 public static IP addresses assigned to it; I'm currently using around 10 of these. For simplicity I would like to set up all the ports I need to be open for each of these IPs.

So my questions are:
How do I preconfigure my Snap Gear Lite 2 prior to deployment so it accepts requests on IP range (example) 210.210.210.1 - 210.210.210.64

listening and responding on the following ports:
Win2KDNS PORT: 53(?)
HTTP PORT: 80
FTP PORT: 21
SMTP PORT: 25
POP3 PORT: 110
DANTZ RETROSPECT PORT: 497
PCAnywhere 10.0 PORTS: 5631 - 5632 (?)
PING (?)


I would really like to preconfigure the firewall using my desktop at home and just take the device down to the datacenter and plug it in blind. However, if this is not possible then I need really clear and concise instructions on how to do this, as I have no prior knowledge of how to achieve this.

Hope the gurus can help!

I would really appreciate any comments and good clear answers will be rewarded.

cheers,

martin
Question by:stellamartois
LVL 18

Expert Comment

by:chicagoan
ID: 9731556
Here are their basic setup instructions for static routable IPs; hopefully your address space is contiguous:
Assume the following network configuration:


ISP assigned routable subnet 10.44.79.160/29

Example Network Setup:

          Internet
             |
             |
             |
        (10.44.79.161/29)
       Internet Gateway            
             |
             |      
             |
             |
      (10.44.79.162/29)
          SnapGear

To set up the Snapgear to bridge between the gateway and internal hosts on this subnet, do the following in the Snapgear's config:

Under Networking -> IP Configuration:
LAN IP: 10.44.79.162/29
Internet IP: 10.44.79.162/29
Gateway: blank

Advanced IP Configuration:
Disable NAT

Under Networking -> Advanced Networking:
Additional routes:
Address       Type Netmask  Gateway       Metric Interface
10.44.79.161  Host -        NONE          NONE   eth1
0.0.0.0       Net  0.0.0.0  10.44.79.161  NONE   eth1

Under Firewall -> Rules, add the following in addition to the built in rules:
cp /etc/1 /proc/sys/net/ipv4/conf/eth0/proxy_arp
cp /etc/1 /proc/sys/net/ipv4/conf/eth1/proxy_arp

You need to add the additional routes to get the Snapgear to have a default route. Otherwise the Snapgear will want to add the default route to eth0 and this will not route properly.

Once the Snapgear is setup this way go into Networking -> Advanced Networking, and try pinging the gateway and a host on the Internet.

If this is successful, then set up your internal machines with IPs in the routable subnet.

To then allow access to any port on any internal machines add the following rule to the Firewall -> Rules page:

iptables -I ExtAcc -d 10.44.79.160/29 -j ACCEPT

If you want to keep the firewall enabled and just allow access to certain ports on this internal subnet do the following:

iptables -I ExtAcc -p tcp -d 10.44.79.160/29 --dport 80 -j ACCEPT


You'll then have to determine the ports you want open for each of your applications.


Author Comment

by:stellamartois
ID: 9736151
chicagoan

Thanks for your time on this. This is like a foreign language to me, I'm just a mere website developer. But I'm willing to learn and give it a try.

I think you misunderstood me slightly though.

The server is not part of a LAN so there won't be any routing required to internal machines. It is purely an internet server which I host my own PERL / ASP / PHP driven sites on. I'm also running my own DNS to resolve names I purchase to IPs on my server, as well as POP3 and SMTP mail for some of the sites.

All I need is to protect my static IP range (example) 10.44.79.162/29; it is contiguous x.x.x.28 - x.x.x.62 (I think!)

Obviously NetBIOS is the big one, but basically protect all ports for each of the 64 IPs except the ones listed above.

Hope that makes sense, it does to me, just not familiar with the networking jargon you gurus use ;-)

I posted this question in networking also because no one responded quickly in security, but I will reward points on both questions.

cheers

stellamartois
LVL 18

Expert Comment

by:chicagoan
ID: 9736862
It IS part of a LAN, in the sense that the internet is a network, and that's what you're protecting it from.

Your router will deny all inbound traffic by default. In the example above, you are bridging the IP addresses the ISP or hosting center gave you through the router. The router will only allow traffic on the ports specified by the command:

iptables -I ExtAcc -p tcp -d 10.44.79.160/29 --dport 80 -j ACCEPT

In this example, traffic to port 80 is permitted to all the IP addresses in the subnet.

You could do this on a per address basis as well.
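One way to turn the port list from the question into the per-service ExtAcc rules chicagoan describes, as an added example that is not from the original thread. The subnet, the TCP/UDP split per service and the PCAnywhere port assignment (TCP 5631 data, UDP 5632 status) are assumptions; the script only prints the rules for review, it does not apply them, and anything not listed (NetBIOS included) stays covered by the SnapGear's default deny:

```shell
# Constructed example, not code from the original post or from SnapGear.
# Generates SnapGear "Firewall -> Rules" lines that open only the ports the
# poster's server publishes, against one routable subnet (assumed value).
SUBNET="${SUBNET:-10.44.79.160/29}"

# Service table constructed from the question: "proto port label" per line.
# DNS answers on both UDP and TCP 53; PCAnywhere status traffic is UDP 5632.
SERVICES="udp 53 dns
tcp 53 dns
tcp 80 http
tcp 21 ftp
tcp 25 smtp
tcp 110 pop3
tcp 497 retrospect
tcp 5631 pcanywhere-data
udp 5632 pcanywhere-status"

# Emit one ACCEPT rule per service for the given subnet, plus ICMP
# echo-request so the hosts answer ping. Everything else is left to the
# built-in deny, which is the point of an allow-list.
gen_rules() {
  subnet="$1"
  printf '%s\n' "$SERVICES" | while read -r proto port label; do
    [ -n "$proto" ] || continue
    printf 'iptables -I ExtAcc -p %s -d %s --dport %s -j ACCEPT  # %s\n' \
      "$proto" "$subnet" "$port" "$label"
  done
  printf 'iptables -I ExtAcc -p icmp --icmp-type echo-request -d %s -j ACCEPT  # ping\n' \
    "$subnet"
}

# Number of rules produced, a quick sanity check before pasting them in.
rule_count() { gen_rules "$1" | wc -l | tr -d ' '; }

gen_rules "$SUBNET"
```

To restrict a service to a single address instead of the whole range, as chicagoan notes is possible, pass a /32 host address as the subnet argument.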

Author Comment

by:stellamartois
ID: 9738285
Hi Chicagoan,

Thank you for the advice again, it is very helpful.

2 last questions (i hope)

Firstly in your statement:

Under Networking -> Advanced Networking:
Additional routes:
Address       Type Netmask  Gateway       Metric Interface
10.44.79.161  Host -        NONE          NONE   eth1
0.0.0.0       Net  0.0.0.0  10.44.79.161  NONE   eth1

The 2 sets of IP numbers 0.0.0.0 you refer to, are these just examples or is that how it SHOULD be set, OR do I need to put my subnet mask numbers in there or something?

FYI my IP details are as follows:
IP Address     X.X.X.130
Subnet Mask  255.255.255.192
DEFAULT GATEWAY X.X.X.129

Would it be OK to perform this configuration using my desktop at home, then take it down to the datacentre and just plug it in between the server and gateway connection, OR would you advise performing the setup on the server itself?

I haven't even plugged the Snap Gear in yet or installed the software! Too paranoid about screwing up the config until I get a vague idea of what I'm doing :-)

Sorry for sounding so dumb on all this!

Thank you for your help so far it is really appreciated.
LVL 18

Accepted Solution

by:chicagoan (earned 300 total points)
ID: 9738589
The first statement is a route to the Dell's default router (it just happens to be contiguous in the example).


The second is a "default route" out: comparing traffic to a mask of 0.0.0.0 0.0.0.0 would match everything, so any traffic the internal hosts put on the firewall would be forwarded to Dell's default router.
Note Dell may have multiple routes out; you may want to ask them about their BGP configuration, as you may want more than one default route.

I don't see why you can't configure it first.
Before you trot over there though, I'd have the name and phone # of a knowledgeable person at SnapGear to help solve the inevitable glitch.
You might even want to install it at home and get it working on that network to get a feel for the commands and the interface.

Author Comment

by:stellamartois
ID: 10368557
Thanks for the info chicagoan, I'm sorry for the delay in awarding points, I haven't had time to go to the datacenter to fit the appliance (it's running behind ZoneAlarm at the moment, not good I know!)

I'll keep you posted on how I get on...