On Thu, 10 Jan 2002, Carl Buchmann wrote:

> I recently discovered Debian, (I was using RedHat for a while) and I'm
> very impressed with the software and its capabilities. I want to
> replace my current redhat box which is running as a firewall / Nat with
> a new Debian Box. I would like to know how to configure the firewall and
> Nat script on Debian. All I've done now is I set up potato and
> configured it as DHCP & Apache server. I was wondering if you could help
> me in any way setting up a firewall / Nat, and the appropriate steps on
> applying it to Debian.
Welcome to the club. You seem to have followed the same path I (and many other people here) did some time ago. Debian stable usually has fewer "bells and whistles" than the latest RH/SuSE/Mandrake distributions, but it is invariably and reliably rock solid, once you properly set it up, and way easier to maintain.

I do administer a firewall on a potato-based box, with a few additions, remarkably similar to your setup. This firewall has four NICs already, for the Internet, the protected LAN and two DMZs with different permissions. Some time ago I used an almost pure potato setup, with the added spf package (recompiled from unstable) to provide user-space stateful firewalling. Then, as the 2.4.x kernels got more and more reliable, I switched to them, to be able to use their native stateful packet filtering capability, and my set of needed filtering rules shrank impressively as a result.

You can get an unofficial (yet valid) set of packages to use 2.4.x kernels at http://people.debian.org/~bunk/debian, e.g. add the lines

deb http://people.debian.org/~bunk/debian potato main
deb-src http://people.debian.org/~bunk/debian potato main

to your /etc/apt/sources.list file. If you choose to install a 2.4.x kernel, do also install the iptables package from the above (or another) source.

To configure the firewall, create an init script in /etc/init.d (mine is called "netfilter"), and add a soft link to it in the rcS.d directory, making sure it gets called _before_ the network interfaces are brought up, for maximum security. In Debian, the network is brought up by the "networking" script, usually softlinked to "S40networking" in the rcS.d directory, so you will need to use a lower number for your firewall setup script (e.g. "S39netfilter" will do). In that script, put a "DROP" default policy and then add as many exceptions as you need for the connections that you do need.
Since that script runs before you are connected to the net, there is no DNS available yet when it runs, therefore you will have to use numeric IP addresses. If you really want to use names (which makes you somewhat vulnerable to some DNS attacks), split the script in two: the first one runs before the NICs are brought up, and it DROPs anything not strictly needed for your firewall to resolve names; the second, setting up the actual policy, runs after the network is up and your firewall can resolve addresses.

Also in that script, or in another one, depending on your taste, you may add any commands needed for your NAT policy (usually one or two commands are enough for most simple setups).

Another, more flexible but more complex possibility is to add "pre-up", "up", "down" and "post-down" configuration lines to the /etc/network/interfaces configuration file, so that you can have very fine-grained control over what happens if you bring up or down selected interfaces. This is not how I implemented my firewall here, but I would probably do so if I were to redo it anew now.

If you wish, I may send you some excerpts of my firewall setup script, but I will not post it to the list (unless many people are interested), to avoid annoying others.

Be patient, Debian may require some effort at the beginning but it pays off handsomely afterwards.

Bye
Giacomo

--
_________________________________________________________________
Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
_________________________________________________________________
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 216
Fax : +39 070 71180 222
_________________________________________________________________
"When the storms are raging around you, stay right where you are"
(Freddie Mercury)
_________________________________________________________________
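The /etc/init.d/netfilter-style script described in the reply above, written out as an added example: it is not Giacomo's script and not part of the original thread. It sets DROP default policies on all three chains, adds only the exceptions a box like Carl's (DHCP and Apache serving the LAN, SSH for administration) needs, masquerades the LAN behind the Internet NIC, and uses numeric addresses only, since it is meant to run from rcS.d before networking is up. The interface names eth0/eth1, the LAN range 192.168.1.0/24 and the service list are assumptions for illustration; the anti-spoofing rules (LAN addresses arriving on the Internet NIC are dropped before anything else is considered) are an addition a practitioner would want and are not mentioned in the thread.

```shell
#!/bin/sh
# /etc/init.d/netfilter  (added example, not Giacomo's script)
# DROP-by-default firewall plus NAT for a 2.4 kernel with iptables.
# Interface names, LAN range and service ports are ASSUMPTIONS for illustration.

WAN_IF="${WAN_IF:-eth0}"               # assumed: NIC facing the Internet
LAN_IF="${LAN_IF:-eth1}"               # assumed: NIC facing the protected LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: private LAN range (numeric: no DNS yet)
IPTABLES="${IPTABLES:-iptables}"       # set IPTABLES=echo to dry-run as non-root

# Print the rule set, one iptables argument list per line. Lines starting
# with '#' are comments and are skipped by apply_rules.
build_rules() {
    cat <<EOF
# start from a clean slate in both the filter and nat tables
-F
-X
-t nat -F
# default policy: nothing passes unless explicitly allowed below
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
# loopback is always fine
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# anti-spoofing: our own LAN range must never arrive from the Internet side
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# stateful core: replies to connections we (or the LAN) opened
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# services offered to the LAN only: ssh, http, and DHCP (clients send from 0.0.0.0)
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
# LAN may open connections to the Internet; only replies come back in
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT: the "one or two commands" for a simple setup
-t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Feed every rule to iptables and stop at the first failure, so a
# half-applied set (DROP policies already in place) is reported loudly.
apply_rules() {
    [ -w /proc/sys/net/ipv4/ip_forward ] && echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules | while read -r rule; do
        case "$rule" in ''|'#'*) continue ;; esac
        # word splitting of $rule is intended: it is an argument list
        $IPTABLES $rule || { echo "netfilter: failed: $IPTABLES $rule" >&2; exit 1; }
    done
}

case "${1:-}" in
    start) apply_rules ;;
    show)  build_rules ;;   # review the rules without touching the kernel
    "")    ;;               # sourced with no action: only define the functions
    *)     echo "Usage: $0 {start|show}" >&2; exit 1 ;;
esac
```

Link it as /etc/rcS.d/S39netfilter so it runs before S40networking, as the reply suggests; with the /etc/network/interfaces approach instead, a `pre-up /etc/init.d/netfilter start` line in the Internet interface's stanza gives the same ordering. `IPTABLES=echo sh /etc/init.d/netfilter start` prints the exact commands that would run, which is worth checking once before rebooting a remote box. There is deliberately no "stop" action that flips the policies back to ACCEPT.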

