Newbie firewall/masqarade/proxy confusion

Dave Chacko dave@chacko.org
Tue, 1 Aug 2000 08:32:34 -0700


Alan,

Another easily configurable firewall/masquerade solution would be
Pmfirewall, available from ftp.pointman.org or www.pointman.org. This
script configures ipchains for you with only a few questions, and will
run magnificently on Linux. It can also be custom configured by an
experienced user who wants a more custom firewall.

Dave Chacko

>Date: Mon, 31 Jul 2000 22:25:13 -0700
>From: Doug Winterburn <doug@winterburn.net>
>Reply-To: doug@winterburn.net
>To: plug-discuss@lists.PLUG.phoenix.az.us
>Subject: Re: Newbie firewall/masqarade/proxy confusion
>Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
>
>Alan,
>
>I'm doing exactly what you want to do.  My ISP is Sprint Broadband
>(formerly Speedchoice).
>
>First, you have picked the appropriate hardware - a 486 makes a great
>router/firewall/server.  You will want two NICs in it.  One should be a
>10MB/sec to connect to the DSL external modem, and the other will be to
>connect to your internal network and can be a 10MB, 10/100 or 100,
>depending on what you think you need internally.  I have gotten by
>rather well with cheapo ($10/NIC) Dlink, Linksys, SMC, etc NICs.  10MB
>has been entirely sufficient for me and I have 8 machines on the
>internal network.  I've found that the plain old NE2000 compatible NICs
>are easily supported, but you may have to manually configure if you only
>have an ISA bus.  Also, an 8 port rj45, 1 port bnc hub can be had for
>about $40 if you go for a 10MB internal network.
>
>I also run RH 6.2.  Your firewall will consist of a startup script
>(calling ipchains many times) to do packet filtering and masquerading,
>and possibly a tcpwrappers config file set as a second level of
>protection.  I set up my firewall script from the following site:
>
>http://linux-firewall-tools.com/linux/firewall/index.html
>
>The two tcpwrapper scripts you need could look like:
>
>/etc/hosts.deny
>-------------
>
>ALL     : ALL
>
>/etc/hosts.allow
>--------------
>
>ALL     : 192.168.1.0/255.255.255.0 127.0.0.1
>
>Assuming your internal network is 192.168.1.x, the above two files will
>allow any connections from your internal network to inet daemons, but
>will prevent any other access to those daemons.
>
>You will also need to think about whether you want to run an internal
>DNS, web server, sendmail or some other email MTA.  Also, you want to
>consider whether you want your internal clients to run pop or imap.
>Also, you probably want to get openssh and possibly openssl for secure
>access from the outside.  Also, Samba is a must if you have windows
>machines on your internal network, and can be very helpful even if you
>don't.  And don't be without Webmin: http://www.webmin.com/webmin/ for
>system administration.  With webmin, I run my 486 from a browser - the
>machine has no KB, mouse or terminal.
>
>Definitely, you should apply for your own domain name.
>
>I'm sure I've forgotten many little things.  It's so much fun, I can't
>get it all into one email :-)
>
>If you would like to discuss my experiences with all this, don't
>hesitate to email.  I can send you sample config files, etc.
>
>-Doug Winterburn
>Date: Mon, 31 Jul 2000 13:07:58 -0700
>To: plug-discuss@lists.plug.phoenix.az.us
>From: "Alan Dayley" <ADayley@adtron.com>
>Subject: Newbie firewall/masqarade/proxy confusion
>Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
>
>I confess to being a MS user for, lo, many years.  I am now
>coming into the Linux light!  It is making computers exciting
>again.
>
>I am scheduled to get DSL with a static IP in a week or two.
>As a first Linux learning experience, I have setup an old 100MHz
>486 PC, 32MB RAM, 1.5GB hard disk space, 2 16-bit Intel network
>cards, VGA, mouse, blah, blah... with RedHat 6.2.  X still does
>not work but that is not important now.  My intention is to have
>this little PC be a firewall for my other computers to share the
>DSL connection.
>
>My confusion is this:  I am finding in my readings that what I
>thought was a firewall may be something more.  I am still trying
>to understand the differences between the terms firewall,
>masquerading, routing and proxy server.  Maybe the confusion is
>from the fact that configuring TCP/IP is still a new thing to me
>along with Linux.
>
>What I want to make is my Linux box providing a single "presence"
>to the internet while the workstations "behind" the Linux box can
>surf and do email without being "visible" to the internet.  What
>combination of firewall/masquerade/proxy stuff do I need?
>
>Remember, I am a newbie, be kind.
>
>Alan
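Doug's two tcpwrappers files above rely on the order in which tcp_wrappers evaluates them: a match in /etc/hosts.allow grants access, otherwise a match in /etc/hosts.deny refuses it, and a client matching neither is granted. The following Python script, added here as an illustration and not part of the thread or of tcp_wrappers itself, re-implements that decision for the two files quoted in the post (copied inline as constructed input) so you can check which clients reach an inetd service before deploying the files. It also shows why the `ALL : ALL` line in hosts.deny is what actually closes the door: with an empty hosts.deny, an outside address is let in. Daemon names such as `in.telnetd` and the test addresses are assumptions for the example; only the `ALL`, `address/netmask` and plain-address client forms from the post are handled, not the full tcp_wrappers pattern language.

```python
import ipaddress

# Constructed copies of the two files quoted in Doug's post.
HOSTS_DENY = "ALL     : ALL\n"
HOSTS_ALLOW = "ALL     : 192.168.1.0/255.255.255.0 127.0.0.1\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; blanks and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((daemons.split(), clients.split()))
    return rules


def daemon_matches(patterns, daemon):
    """'ALL' matches every service; otherwise the daemon name must match exactly."""
    return any(p == "ALL" or p == daemon for p in patterns)


def client_matches(pattern, ip):
    """Handle the client forms used in the post: ALL, net/netmask, or a single address."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        # ip_network accepts dotted netmasks like 255.255.255.0 (strict=False
        # tolerates host bits being set in the network part).
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def rule_hits(rules, daemon, ip):
    return any(
        daemon_matches(daemons, daemon) and any(client_matches(p, ip) for p in clients)
        for daemons, clients in rules
    )


def decide(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: hosts.allow match -> grant, hosts.deny match -> refuse,
    no match in either file -> grant."""
    if rule_hits(parse_rules(allow_text), daemon, ip):
        return True
    if rule_hits(parse_rules(deny_text), daemon, ip):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample clients: two internal hosts, localhost, and one outside address.
    for client in ("192.168.1.42", "192.168.1.250", "127.0.0.1", "203.0.113.9"):
        verdict = "allow" if decide("in.telnetd", client) else "deny"
        print(f"in.telnetd from {client}: {verdict}")
    # Same outside address with no hosts.deny at all: tcp_wrappers lets it through.
    print("outside host with empty hosts.deny:",
          "allow" if decide("in.telnetd", "203.0.113.9", deny_text="") else "deny")
```

Running it prints allow for the three internal addresses and deny for 203.0.113.9, then allow for the same outside host once hosts.deny is emptied, which is the case the `ALL : ALL` line exists to prevent.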