Firewall Wizards mailing list archives

Re: Firewall question


From: dreamwvr <dreamwvr () dreamwvr com>
Date: Tue, 13 Jul 1999 20:14:21 -0600

hi Carl,
At 10:57 AM 7/13/99 -0700, Carl Swanson wrote:
I had a firewall question that I hoped the wizard
might be able to help me with ;-)
i don't know if i qualify but here goes..

I want to set up a firewall on a Linux RedHat 5.2
machine with 2 NICs protecting a little network
from the internet (connected using ISDN or DSL to
an ISP connection). There will eventually be several of these
little isolated networks.
not a problem so far..
I need to have static IP addresses and will have
a block of 16 or 32 address per network, so total
static ip addressing.
again this is just fine .. see RFC 1918
and choose your network:-)
I need to be able to connect to the little network via
the internet to do admin work, etc, but obviously I don't
want anyone else in, just me from a static IP address or two.

And I of course want to allow the little network
users full access to the internet, including web,
telnet, ftp, etc.
use the masquerading feature of Linux, which works like a charm..
It has been suggested that I set things up thusly:
   I want to set up both a firewall and a proxy server. Each
   machine in the local net will have its own IP address, and
   my firewall in the linux machine will only let certain internet IP
   addresses to connect (mine). All other ip address that
   try a direct connection will be denied (except machines that are
   responding to a telnet initiation, etc, from the local net)
not a problem; this is as simple as pie to control which IPs, which b.t.w. is
not that secure since they can be ..err.. impersonated:-) hmmm.. for
good proxy stuff go to www.fwtk.org; for a pretty good ipfwadm guide go to
the same and click the IPFWADM FAQ written by someone i know;-)
   I'll also install a proxy server so I can control what users use
   what services through the gateway machine and onto the internet.
   I want to be able to control who has access and log where
   they go.
see SQUID for that as well as use the logging feature of ipfwadm.
   I'll also disable telnet and ftp into the gateway machine, and use
   ssh, and the secure telnet and sftp versions (but I do need
   telnet and ftp access)
ssh does everything you need and sftp is part of ssh..
   Since I'll be using RedHat 5.2 (kernel 2.0.36) I should use ipfwadm
   for the firewall.
here this would be a good choice; it will get you what you want going for you.
Here are some questions I have:

   - First of all how does the above sound
   - What proxy software should I use?
see above and layer it with the features for screening and logging 
packets as part of the ipfwadm firewall stuff..
   - Will I then need VPN at all between two linux machines
      over the internet? Or is the ssh and secure telnet and ftp
      enough? (I also want to do VNC remote control sessions,
      so that might be an issue).
now you will have to determine what port VNC uses as it is pretty
busy and use the ssh feature to port-forward the connection. if you are
going to connect to your network over the big I from another network
then ssh should be good enough. Also see FreeSWAN if mem serves as
it is a Free VPN implementation. remember you will need to redirect
somehow legit ips to RFC1918 ips coming in else it goes nowhere..
see 'redir' or debian ipportfw. Well that pretty much covers it:-)

Reuters, London, February 29, 1998: 
Scientists have announced discovering a meteorite which will strike the 
earth in March, 2028.  Millions of UNIX coders expressed relief for being 
spared the UNIX epoch "crisis" of 2038.
_______________________________________________________________________

************** DREAMWVR.COM - TOTAL INTERNET SERVICES ****************
  TOTAL DESIGN - DEVELOPMENT - INTEGRATION - SECURITY - Click Here..
           <http://www.dreamwvr.com/services/MAX_SEC.html>
   DREAMWVR.COM - The Console of Many... 90 Topics Covered
<http://www.dreamwvr.com/dynamicduo.html> <mailto:dreamwvr () dreamwvr com>
 -> Linux-Mandrake Solution Provider and North American Distributor <-
         <http://www.dreamwvr.com/mandrake/mandrake-main.html>
                       "===0 PGP Key Available  
*************** "As Unique as the Company You Keep." *****************
________________________________________________________________________
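Added example, not part of the thread above and not code from either poster: a complete ipfwadm rule set for the design dreamwvr sketches (2.0.x kernel, two NICs, an RFC 1918 LAN masqueraded behind one public address, ssh into the gateway only from a couple of fixed admin IPs, everything else on the input chain denied and logged) plus the ssh port-forward that carries VNC instead of opening its port. The interface names, the 203.0.113.10 gateway address, the 198.51.100.x admin addresses and the 192.168.1.0/24 LAN are constructed for the example; the ipfwadm flags follow ipfwadm(8) as shipped with the 2.0 kernel series.

```shell
#!/bin/sh
# Example (not from the original post): ipfwadm rules for a 2.0.x gateway.
# Addresses below are constructed for the example (RFC 5737 ranges).
EXT_IF=eth0                     # ISP-facing NIC
EXT_IP=203.0.113.10             # its single public address (assumed)
LAN_IF=eth1
LAN_NET=192.168.1.0/24          # RFC 1918 block, as dreamwvr suggests
ADMIN_IPS="198.51.100.7 198.51.100.8"   # the only sources allowed to ssh in
ADMIN_USER=admin
IPFWADM=${IPFWADM:-ipfwadm}     # IPFWADM=echo gives a dry run

# Print the rules in load order. Input is default-deny; each permitted
# flow is listed explicitly and the final catch-all denies and logs (-o).
fw_rules() {
    cat <<EOF
$IPFWADM -I -f
$IPFWADM -O -f
$IPFWADM -F -f
$IPFWADM -I -p deny
$IPFWADM -O -p accept
$IPFWADM -F -p deny
# loopback and anything arriving on the LAN side from LAN addresses
$IPFWADM -I -a accept -W lo
$IPFWADM -I -a accept -W $LAN_IF -S $LAN_NET
# anti-spoof: LAN addresses never arrive on the outside interface
$IPFWADM -I -a deny -W $EXT_IF -S $LAN_NET -o
EOF
    # admin ssh from the fixed source IPs only; logged so logins leave a trace
    for ip in $ADMIN_IPS; do
        echo "$IPFWADM -I -a accept -W $EXT_IF -P tcp -S $ip -D $EXT_IP 22 -o"
    done
    cat <<EOF
# replies to connections opened from inside: TCP with ACK set (-k) only,
# masqueraded UDP comes back to the 2.0 masq port range, DNS answers, ICMP
$IPFWADM -I -a accept -W $EXT_IF -P tcp -D $EXT_IP -k
$IPFWADM -I -a accept -W $EXT_IF -P udp -D $EXT_IP 61000:65096
$IPFWADM -I -a accept -W $EXT_IF -P udp -S 0/0 53 -D $EXT_IP
$IPFWADM -I -a accept -W $EXT_IF -P icmp -D $EXT_IP
# everything else from the outside is dropped and logged
$IPFWADM -I -a deny -W $EXT_IF -o
# masquerade the LAN out of the external interface; set masq timeouts
$IPFWADM -F -a masquerade -W $EXT_IF -S $LAN_NET -D 0/0
$IPFWADM -M -s 7200 10 160
EOF
}

# VNC display N listens on TCP 5900+N. Instead of opening that port on the
# gateway, forward it through the admin ssh session and point the viewer at
# localhost:N, so the VNC traffic crosses the Internet inside ssh.
vnc_tunnel() {
    host=$1; disp=${2:-0}; port=$((5900 + disp))
    echo "ssh -L $port:$host:$port $ADMIN_USER@$EXT_IP"
}

case "${1:-}" in
    apply) fw_rules | sh ;;     # load the rules (as root on the gateway)
    show)  fw_rules ;;          # print them for review
esac
```

Run `sh fw.sh show` to review the rule text and `IPFWADM=echo sh fw.sh apply` to dry-run it before loading for real; `vnc_tunnel 192.168.1.20 1` prints the ssh command to open a tunnel to display :1 on that LAN host, after which `vncviewer localhost:1` rides the tunnel. Two caveats a practitioner should keep in mind: ipfwadm is stateless, so the `-k` rule accepts any inbound TCP segment with ACK set to the gateway address (ACK scans reach the host, though no new connection can be completed through it); and, as dreamwvr notes, the source-address check on the ssh rule is only a first layer, since a source IP can be forged. Keep ssh key authentication and logging behind it.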