Newbie firewall/masqarade/proxy confusion

Doug Winterburn doug@winterburn.net
Mon, 31 Jul 2000 22:25:13 -0700


Alan,

I'm doing exactly what you want to do.  My ISP is Sprint Broadband
(formerly Speedchoice).

First, you have picked the appropriate hardware - a 486 makes a great
router/firewall/server.  You will want two NICs in it.  One should be a
10MB/sec to connect to the DSL external modem, and the other will be to
connect to your internal network and can be a 10MB, 10/100 or 100,
depending on what you think you need internally.  I have gotten by
rather well with cheapo ($10/NIC) Dlink, Linksys, SMC, etc NICs.  10MB
has been entirely sufficient for me and I have 8 machines on the
internal network.  I've found that the plain old NE2000 compatible NICs
are easily supported, but you may have to manually configure if you only
have an ISA bus.  Also, an 8 port rj45, 1 port bnc hub can be had for
about $40 if you go for a 10MB internal network.

I also run RH 6.2.  Your firewall will consist of a startup script
(calling ipchains many times) to do packet filtering and masquerading,
and possibly a tcpwrappers config file set as a second level of
protection.  I set up my firewall script from the following site:

http://linux-firewall-tools.com/linux/firewall/index.html

The two tcpwrapper scripts you need could look like:

/etc/hosts.deny
-------------

ALL     : ALL

/etc/hosts.allow
--------------

ALL     : 192.168.1.0/255.255.255.0 127.0.0.1

Assuming your internal network is 192.168.1.x, the above two files will
allow any connections from your internal network to inet daemons, but
will prevent any other access to those daemons.

You will also need to think about whether you want to run an internal
DNS, web server, sendmail or some other email MTA.  Also, you want to
consider whether you want your internal clients to run pop or imap. 
Also, you probably want to get openssh and possibly openssl for secure
access from the outside.  Also, Samba is a must if you have windows
machines on your internal network, and can be very helpful even if you
don't.  And don't be without Webmin: http://www.webmin.com/webmin/ for
system administration.  With webmin, I run my 486 from a browser - the
machine has no KB, mouse or terminal.

Definitely, you should apply for your own domain name.

I'm sure I've forgotten many little things.  It's so much fun, I can't
get it all into one email :-)

If you would like to discuss my experiences with all this, don't
hesitate to email.  I can send you sample config files, etc.

-Doug Winterburn

Date: Mon, 31 Jul 2000 13:07:58 -0700
To: plug-discuss@lists.plug.phoenix.az.us
From: "Alan Dayley" <ADayley@adtron.com>
Subject: Newbie firewall/masqarade/proxy confusion
Reply-To: plug-discuss@lists.PLUG.phoenix.az.us

I confess to being a MS user for, lo, many years.  I am now
coming into the Linux light!  It is making computers exciting
again.

I am scheduled to get DSL with a static IP in a week or two.
As a first Linux learning experience, I have set up an old 100MHz
486 PC, 32MB RAM, 1.5GB hard disk space, 2 16-bit Intel network
cards, VGA, mouse, blah, blah... with RedHat 6.2.  X still does
not work but that is not important now.  My intention is to have
this little PC be a firewall for my other computers to share the
DSL connection.

My confusion is this:  I am finding in my readings that what I
thought was a firewall may be something more.  I am still trying
to understand the differences between the terms firewall,
masquerading, routing and proxy server.  Maybe the confusion is
from the fact that configuring TCP/IP is still a new thing to me
along with Linux.

What I want to make is my Linux box providing a single "presence"
to the internet while the workstations "behind" the Linux box can
surf and do email without being "visible" to the internet.  What
combination of firewall/masquerade/proxy stuff do I need?

Remember, I am a newbie, be kind.

Alan

/------------------------------------------
|Alan Dayley             www.adtron.com
|Software Engineer       602-735-0300 x331
|ADayley@adtron.com
|
|Adtron Corporation         
|3710 E. University Drive, Suite 5
|Phoenix, AZ  85034
\-------------------------------------------
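
Added example (not part of either message above): a small Python model of the
hosts_access(5) decision order, run against the /etc/hosts.allow and
/etc/hosts.deny contents from the reply, to show which clients those two files
admit and what happens if hosts.deny is left empty.  The daemon names and
client addresses are constructed samples, and only the ALL wildcard and
numeric address patterns are modelled.

```python
import ipaddress

# The two files exactly as given in the reply above.
HOSTS_ALLOW = "ALL     : 192.168.1.0/255.255.255.0 127.0.0.1\n"
HOSTS_DENY = "ALL     : ALL\n"

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":")[0]  # ignore an optional shell-command field
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    """Match one client pattern: ALL, net/mask, or a literal address."""
    if pattern == "ALL":
        return True
    try:
        if "/" in pattern:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(addr) in net
        return ipaddress.ip_address(addr) == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # hostname patterns are outside this model

def any_rule_matches(rules, daemon, addr):
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(c, addr) for c in clients)
               for daemons, clients in rules)

def decide(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny, else access is granted."""
    if any_rule_matches(parse_rules(allow), daemon, addr):
        return "allow"
    if any_rule_matches(parse_rules(deny), daemon, addr):
        return "deny"
    return "allow"  # no match in either file: tcp wrappers grants access

if __name__ == "__main__":
    # Constructed sample clients: two internal, one other private net, one external.
    for addr in ("192.168.1.20", "127.0.0.1", "192.168.2.20", "203.0.113.7"):
        print(f"in.telnetd from {addr:<14} -> {decide('in.telnetd', addr)}")
    print("empty hosts.deny ->", decide("in.telnetd", "203.0.113.7", deny=""))
```

The last line shows why the "ALL : ALL" entry in hosts.deny matters: without
it, a client that matches nothing in hosts.allow is still let through.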