On Fri, 22 Jun 2001, Reckhard, Tobias wrote:
First, thanks for the reply!
> However, even in that case you can always
> download the tarballs, compile and install them yourself.
That sounds like hours of work though. :-) Not sure I'd know where to begin
either. And there is always the question of what RPMs are safe to
remove. How would one know that?
>
> Note, too, that there is a document online that's fairly good, called
> "Securing and Optimizing Linux: RedHat Edition". I don't have a link handy,
> but Google should be able to find it quickly.
Thanks, I will look for that.
> > - Is Linux the best choice because of my familiarity with it or should I
> Well, familiarity is definitely a big plus,
Ok, seems like reason enough to move forward with it then...
Now 6.2 or 7.1?
- 6.2 is older (may be bad), but there may be more known issues with it
than something brand new (may be good)
- 7.1 has many fixes over 6.2 (may be good), but there are also new bugs
introduced in a new version (may be bad). So what is the most logical
choice? Or is my logic flawed???? :-)
> > - Is there an easy and or more effective way to upgrade Redhat rpms
> I suppose it's the easiest way and it'll help you avoid circling
> cross-dependencies (RPM A needs RPM B needs RPM A...) that I've seen with
> RedHat RPMs.
Yes, this is SOOOOO frustrating!
> What you probably want to do is verify that all the RPMs are
> the ones you expect, so I suppose you'd need to 'rpm -qi' them and check the
> versions.
Ok, I will manually do so.
> > - What are some of the best ways to set up a VPN and what are some
> Well, FreeS/WAN is the predominant IPSec implementation on Linux. There is
> also a PPTP server, but that protocol is not viewed too highly by many. Note
> that IPSec has problems with NAT.
Will check it out. Why the dim view on PPTP?
I had heard that IPSEC fails over NAT. Why is that?
> A VPN basically extends your network. You can transport anything TCP/IP
> over a VPN, so yes, you can do NetBIOS over TCP/IP and NFS across a VPN,
> if you want to.
But, **do** I want to? Are there pros and cons to allowing NFS and
SMB this way? Is there a better way?
> > - I have only set up a previous NAT box and the current Bastille firewall
> > using an external IP and a private internal network. I want to set up a
> > firewall for a lab that contains machines with external IP addresses. How
> > would I do that or am I better off to redo the internal network with a
> > private IP range? What are the security implications of both alternatives?
> >
> I'm not sure I understand how they relate. Do you want the lab on the same
> network as the internal one?
Sorry, I didn't state that very well. Let me try with my limited
understanding to explain better. I want to understand the mechanics of
how to set this up differently (than is my experience).
- Is setting up a private IP network (192.X.X.X, 172.X.X.X
10.X.X.X) with NAT more secure as the private addresses are not routable
from the public internet?
What I was trying to say is that I have set up an internal network before
and then connected it to the public internet with a routable IP provided
by an ISP and set up NAT (ipchains) - so that's my paradigm....
What I don't understand is how I set up a firewall to protect a collection
of hosts that are on the public internet now and have public addresses.
Do I just physically stick the firewall between Public and Private
networks, physically isolating them? How does the traffic get passed back
and forth?
I guess NAT works like a router between Public and Private networks,
huh? If I just separate (PHYSICALLY) publicly addressed hosts, then
do I need to set up a routing daemon to pass the traffic between
Public and Private physical networks (but public addresses)?
How do I hide the hosts behind the firewall and still allow
them to reach the internet?
Or should I just set up NAT and renumber them
all internally? Guess I'd need my own name server for internal use too,
then, huh? See if this diagram makes sense, (and if the formatting works)
e.g.

                          routed needed???
INTERNET ------ PubNIC 136.* FIREWALL PvtNIC 136.* ------- NETWORK 136.x.x.x

INTERNET ------ PubNIC 136.* FIREWALL/NAT PvtNIC 192.* ---- NETWORK 192.168.0.0
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
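An added illustration of the two layouts in the diagram (this is not code from the thread or from any of its participants): a small Python model of a routed filtering firewall beside a masquerading NAT one. All addresses, ports and the "published service" are constructed; it shows how replies find their way back in and what an outside host can reach in each layout.

```python
# Toy model of the two firewall layouts in the diagram (added example):
# (a) routed filter: hosts keep public 136.x addresses, the firewall forwards
#     between its two NICs and drops unsolicited inbound except published services;
# (b) NAT/masquerading: hosts use 192.168.0.x, the firewall rewrites the source
#     of outbound packets to its own public address and maps the replies back.
# Addresses and ports are constructed; nothing here touches real sockets.
from dataclasses import dataclass, replace

FW_PUBLIC = "136.0.0.1"   # constructed public address of the firewall

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool            # True for a new connection attempt

class Firewall:
    def __init__(self, nat: bool, inside_prefix: str):
        self.nat = nat                  # False = layout (a), True = layout (b)
        self.inside = inside_prefix     # e.g. "136." or "192.168."
        self.published = set()          # (host, port) reachable from outside, (a) only
        self.flows = {}                 # (public ip, port) -> (inside host, port)
        self.next_port = 61000          # masquerade port pool, (b) only

    def publish(self, host: str, port: int) -> None:
        """Allow unsolicited inbound connections to an inside service (layout a)."""
        self.published.add((host, port))

    def outbound(self, p: Packet) -> Packet:
        """Inside host -> internet. Records the flow so the reply can come back."""
        if not self.nat:
            self.flows[(p.src, p.sport)] = (p.src, p.sport)   # forwarded unchanged
            return p
        port, self.next_port = self.next_port, self.next_port + 1
        self.flows[(FW_PUBLIC, port)] = (p.src, p.sport)      # masquerade table
        return replace(p, src=FW_PUBLIC, sport=port)

    def inbound(self, p: Packet):
        """Internet -> inside. Returns the delivered packet, or None if dropped."""
        if self.nat and p.dst.startswith(self.inside):
            return None                 # private address: nothing to route to
        if (p.dst, p.dport) in self.flows:                     # reply to our flow
            host, port = self.flows[(p.dst, p.dport)]
            return replace(p, dst=host, dport=port)
        if not self.nat and p.syn and (p.dst, p.dport) in self.published:
            return p                    # explicitly published inside service
        return None                     # unsolicited: dropped
```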