Firewall Wizards mailing list archives

Re: Questions about firewall


From: Riccardo Fontana <rfontana () seclab com>
Date: Tue, 20 Jul 1999 09:59:23 +0200



fgb () domain com br wrote:

I'm a beginner in firewall technologies, and I have several questions, so I hope the wizard
will be able to help me a lot. ;-)

I'm using Linux Red Hat 5.2 (Kernel 2.0.36) with two NICs, one in the Internet (connected to an ISP connection through a 
router) and another in the protected network. I have a little range of valid addresses and I'll have a mail and a web 
server. My first question is: Do I need to have a third NIC in my firewall machine and a little network (DMZ) where I 
will connect my mail and web server, or can I perform a NAT on the linux machine and make my servers, that are in the 
protected network, visible on the Internet? In case of the second option, how can I implement the NAT?

Since I'll be using Red Hat 5.2 (kernel 2.0.36), I should use ipfwadm, is that correct?

Can I have IP filters so that I can control access of certain protocols and ports?

I also want to use a proxy/cache server. Is squid a good choice ?

For these characteristics I pretend to have in my firewall, what services may I compile in the kernel and what modules 
should I install?

Any ideas, tips, pointers, etc, would be much appreciated.

Thanks,

Fabio.
fgb () domain com br

Hi Fabio,

I'll give you some personal opinion for securing this situation.
(I usually work with commercial firewalls like Checkpoint and Axent but
I think that these guidelines are good for every kind of firewall)

It's always a good choice to put the public services on a DMZ on a third
network adapter.
If you have problems using NAT you can always subnet your valid IP range
(if your provider permits this option) and use one subnet on your DMZ
network for your Web and Mail servers.

If you don't like this combination you can always create a DMZ with
private addressing (following the IANA recommendations) and export the
servers to Internet via a static NAT (a one-to-one translation).



-- 
Riccardo Fontana
Intesis SECURITY LAB            Phone: +39-2-671563.1
Via Settembrini, 35             Fax: +39-2-66981953
I-20124 Milano  ITALY           Email: rfontana () seclab com
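
Added example, not part of the message above or of the list archive: the two addressing options from the reply (subnetting the valid range so one subnet serves the DMZ, or a private DMZ exported through one-to-one static NAT) worked through in Python. The 192.0.2.0/28 block, the 10.0.1.0/24 DMZ, the host addresses and the function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges (the "IANA recommendations" for private addressing).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_for_dmz(public_block, dmz_hosts):
    """Option 1: halve the provider-assigned block; the upper half becomes the DMZ."""
    block = ipaddress.ip_network(public_block)
    outside, dmz = block.subnets(prefixlen_diff=1)
    # Network, broadcast and the firewall's own DMZ interface are not available.
    usable = dmz.num_addresses - 3
    if usable < dmz_hosts:
        raise ValueError(f"{dmz} leaves {usable} server addresses, need {dmz_hosts}")
    return outside, dmz

def static_nat_table(public_block, dmz_net, servers, reserved=()):
    """Option 2: private DMZ, one public address per server (one-to-one)."""
    block = ipaddress.ip_network(public_block)
    dmz = ipaddress.ip_network(dmz_net)
    if not any(dmz.subnet_of(n) for n in RFC1918):
        raise ValueError(f"{dmz} is not RFC 1918 space")
    taken = {ipaddress.ip_address(a) for a in reserved}
    free = (a for a in block.hosts() if a not in taken)
    table = {}
    for name, addr in servers.items():
        inside = ipaddress.ip_address(addr)
        if inside not in dmz or inside in (dmz.network_address, dmz.broadcast_address):
            raise ValueError(f"{name}: {inside} is not a host address in {dmz}")
        if any(inside == i for i, _ in table.values()):
            raise ValueError(f"{name}: {inside} already mapped; NAT must stay one-to-one")
        outside = next(free, None)
        if outside is None:
            raise ValueError("public block exhausted")
        table[name] = (inside, outside)
    return table

if __name__ == "__main__":
    # Constructed sample values: 192.0.2.0/28 stands in for the ISP-assigned range.
    print(split_for_dmz("192.0.2.0/28", dmz_hosts=2))
    nat = static_nat_table("192.0.2.0/28", "10.0.1.0/24",
                           {"mail": "10.0.1.10", "web": "10.0.1.20"},
                           reserved=["192.0.2.1", "192.0.2.2"])  # router, firewall
    for name, (inside, outside) in nat.items():
        print(f"{name}: {outside} <-> {inside}")
```

With the first option the servers keep routable addresses and the firewall only filters; with the second, every public address not listed in the table has no path to the DMZ at all.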


