> Hi, I need to set up a firewall on my company's small network. What I
> have in mind is a box that does packet filtering, shuts down unused ports,
> and such. This machine would have to be transparent as we do web
> hosting. So some thing that looks like this:
>
>                  +------+    +------------+    +------+
>  The Internet  --|Router|----|Firewall Box|----|Switch|-- Our Network
>                  +------+    +------------+    +------+
How transparent does this box have to be? Like a bridge (i.e. like your switch) or like a router?

Like a router is easy, but you need to change settings on your existing router (which can be hard if you do not have access to it...).

Like a bridge requires kernel patching (currently broken for 2.4.0 but works fine with 2.2.) in order to get firewalling capabilities. Like a bridge has one huge improvement, though: your firewall does not need an IP address - so you can make it pretty invisible to the internet. It's a lot harder to set up, therefore...

> If that makes any sense. My question is where do I start? Is there any
> good software or documentation that deals with this kind of set up? I
> know I can start shutting down ports using ipchains, but some one else
> must already be using a set up like this.

I would recommend looking at the "ipmasq" package, which is intended for automatically setting up firewalls on dial-in boxes. And do read the Firewall FAQs, even the iptables-FAQ if you are not running 2.4 - there's a lot of helpful information in there. And search for "firewall" with apt-cache, there are thousands of tools ;)

Just to list some tools available as debian packages:

----
fwctl - configure ipchains firewall using higher level abstraction
ipchains-perl - Perl interface to ipchains
gfcc - GTK firewall control center
logcheck - Mails anomalies in the system logfiles to the administrator
dotfile-ipfwadm - Dotfile Generator, module for ipfwadm
ipmasq - Securely initializes IP Masquerade forwarding/firewalling
portsentry - Portscan detection daemon
mason - Interactively creates a Linux packet filtering firewall.
---

I'm using portsentry and logcheck and I love them a lot. logcheck mails me any "suspicious" line in the log files, whereas portsentry automatically blocks IPs from my box that do portscans etc.

Do install "aide", too. This tool calculates checksums of all your files and mails you any changes made... (at least if you are able to protect your aide.db database, binaries and cron-job ;)

ipmasq is for dialup-boxes, but a good concept and good for learning. I do not know mason, gfcc, fwctl and all these ipchains-frontends, I prefer writing an own script for setting up the firewall.

Greetings,
Erich
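The "own script" approach Erich mentions, as an added example that is not part of the original message: a small ipchains (2.2-era) ruleset for a routed firewall box in front of a web-hosting LAN, written so that it prints the commands for review instead of running them. Interface names, the 192.0.2.0/24 network, and the web server address are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an ipchains ruleset for
# a routed (not bridged) firewall box: default-deny forwarding, published web
# ports open, replies to LAN-initiated TCP allowed, spoofed LAN sources dropped.
# All names and addresses are assumptions (192.0.2.0/24 is a documentation range).
EXT_IF=${EXT_IF:-eth0}              # assumed: interface facing the router
LAN=${LAN:-192.0.2.0/24}            # assumed: the hosted network behind the switch
WEB=${WEB:-192.0.2.10}              # assumed: web server inside the LAN

# Print each rule instead of executing it; pipe the output into sh on the box.
emit() { printf 'ipchains %s\n' "$*"; }

firewall_rules() {
    emit -F input
    emit -F forward
    # Anti-spoofing: in the input chain -i is the arriving interface, so a packet
    # from the router side that claims a LAN source is bogus. Log (-l) and drop.
    emit -A input -i "$EXT_IF" -s "$LAN" -l -j DENY
    emit -P forward DENY                    # nothing is forwarded unless allowed
    # Note: in the forward chain -i names the *outgoing* interface.
    emit -A forward -i "$EXT_IF" -s "$LAN" -j ACCEPT    # LAN -> Internet
    # Only the published services are reachable from outside.
    for port in 80 443; do
        emit -A forward -p tcp -d "$WEB" "$port" -j ACCEPT
    done
    # ipchains has no connection tracking: replies to connections the LAN opened
    # are recognised by the missing SYN flag (! -y). UDP has no flag, so DNS
    # replies are matched coarsely by source port.
    emit -A forward -p tcp ! -y -d "$LAN" -j ACCEPT
    emit -A forward -p udp -s 0/0 53 -d "$LAN" -j ACCEPT
    emit -A forward -p icmp -d "$LAN" -j ACCEPT
    emit -A forward -l -j DENY              # log whatever reaches the end
}

rule_count() { firewall_rules | grep -c '^ipchains '; }

firewall_rules
```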

