[EMAIL PROTECTED] wrote:
>
> Good afternoon, all.
Good Afternoon
> This week I finally joined the broadband world and have a MediaOne / RR
> connection.
When you decide to "go live" with the Linux firewall, you will need to
call your cable company and give them the MAC address of the external
NIC.
> My primary personal machine is a dual boot Debian / Win98 machine (Windoze
> is kept around mostly for gaming...). I also have a second computer
> collecting dust and a Win-only laptop (work issued). I am very interested
> in running a webserver and possibly play w/ a mail server eventually. My
> idea at this time is to have the secondary computer fill the role of
> firewall and (down the road) webserver, and remain always connected to the
> cable modem. The other two computers (my primary box and laptop) will come
> and go from the network...neither remains powered on unless being used. In
> addition to the above, I have a Linksys EZXS55W Workgroup Switch (which I
> have not put to use yet but will be trying out this weekend).
I would suggest having the firewall be only a firewall. You can probably
pick up an old Pentium 100 or whatever for $50 somewhere. You don't need
the power, really. Then you can use ipmasqadm/ipportfw to forward ports
inside for web, mail, dns, etc. If you run services on the firewall, you
are increasing your risk of being cracked exponentially. I can't stress
this enough. I had the opportunity to look at the log files (what was
left of them) from a system today that was on a cable modem. This box
was cracked no less than 15 times by different people and used to attack
an entire class B network. One of the people was going after
corporations. It wasn't pretty. I don't allow any connections to my
firewall from the outside at all. My web server, mail server, and DNS
server are all behind the firewall with ports 80, 53, and 25 forwarded
inward. Also, when I ssh in, the connection is forwarded to an inside
box as well. Some may consider this to be excessive, but I don't think
that it is enough. My information isn't important, but if someone cracks
my system, they can use it to attack others, and I don't want to deal
with that.
> My first question is mostly hardware related...I would like to have only the
> firewall box get an IP from M1, and any other machines that log into my
> local network will be assigned local addresses by it. I do not yet have any
> network cards in the firewall/server box, so I would welcome any information
> as to what I would need. I am thinking the cable modem would have to plug
> into the firewall/server box, then that would connect to the switch, and any
> other machines would come and go from the switch. This leads me to believe
> I would need two network cards in the firewall/server box (one for the modem
> and one for the switch). I have not found examples of this type of setup
> yet, so please slap me if I'm missing something and let me know if there's a
> better / more efficient way of doing this (I do not want to buy a router
> unless physically absolutely necessary since the firewall/server box should
> be able to do the same thing).
This is correct. You can get examples of a dual-homed host (2 NICs in
one box) in the Firewall-HOWTO. Do exactly what you said: One NIC is
connected to the cable modem and does a DHCP request to your ISP. The
other NIC is plugged into a switch or hub (and set the external NIC as
your default device). You can do DHCP from the firewall (I don't
personally recommend it), but you need to make sure that the broadcasts
are restricted to the internal NIC *only*. ISPs get a little upset
about all of the broadcast traffic ;-) Also, make sure that all of your
systems use the firewall as their gateway. The firewall should NAT all
internal traffic to the outside world so that it can be routed. To make
sure that your firewall script works even if your IP address changes, do
something like:
IPADDR="`ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`"
> My next question is to ask what services should I start studying up on to
> run on the firewall box. My first goal would be to learn enough over the
> next month or so to run a secure firewall box. After that's been around for
> a while and I'm comfortable with it I would like to add an Apache webserver
> to play with (I KNOW I shouldn't run anything other than the firewall for
> true security, but unless I find room for a third computer this is how it
> will probably be). I own (but have not needed to read yet) the O'Reilly
> Cricket book (among many others), and will happily pick up other guides as
> needed. I have most of the messages that have gone around this list
> concerning good books on security and will get some of those as well to help
> lock everything down. What I really need to know, however, is what would be
> a minimal set of services to install on the firewall box that will also
> handle any IP masq. and other services needed to put the network together
> (remember, there's at least one Win box in this mess). If it matters for
> the suggestions, I will be running Debian on the firewall box as well.
Here is what is running on my firewall right now:
[kenny@kenlussier kenny]$ ps aux
USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START   TIME COMMAND
root         1  0.0  0.9 1104  460 ?     S    Mar30   0:07 init [3]
root         2  0.0  0.0    0    0 ?     SW   Mar30   0:00 [kflushd]
root         3  0.0  0.0    0    0 ?     SW   Mar30   0:00 [kupdate]
root         4  0.0  0.0    0    0 ?     SW   Mar30   0:04 [kswapd]
root         5  0.0  0.0    0    0 ?     SW   Mar30   0:00 [keventd]
root       224  0.0  1.1 1236  524 ?     S    Mar30   0:00 /sbin/pump -i eth0
root       349  0.0  1.2 1228  572 ?     S    Mar30  14:54 syslogd -m 0
root       360  0.0  1.3 1380  636 ?     S    Mar30   0:17 klogd
root       392  0.0  1.1 1304  552 ?     S    Mar30   0:00 crond
root       402  0.0  1.6 2300  764 ?     S    Mar30   0:25 sshd
root       660  0.0  0.6 1108  324 ?     S    Mar30   0:02 /usr/local/psionic/portsentry
root       662  0.0  0.7 1108  344 ?     S    Mar30   0:23 /usr/local/psionic/portsentry
root       665  0.0  0.8 1076  384 tty1  S    Mar30   0:00 /sbin/mingetty tty1
root       666  0.0  0.8 1076  384 tty2  S    Mar30   0:00 /sbin/mingetty tty2
root       667  0.0  0.8 1076  384 tty3  S    Mar30   0:00 /sbin/mingetty tty3
root       668  0.0  0.8 1076  384 tty4  S    Mar30   0:00 /sbin/mingetty tty4
root       669  0.0  0.8 1076  384 tty5  S    Mar30   0:00 /sbin/mingetty tty5
root       670  0.0  0.8 1076  384 tty6  S    Mar30   0:00 /sbin/mingetty tty6
root     19302  2.3  2.9 3088 1412 ?     S    16:38   0:00 sshd
kenny    19303  2.3  2.0 1748  980 pts/0 S    16:39   0:00 -bash
kenny    19314  0.0  1.7 2492  844 pts/0 R    16:39   0:00 ps aux
As you can see, it's not much. There really shouldn't be any services
running that are not essential to the operation of the box. Now, if you
are looking for other things to run, here are some suggestions for
security utilities that you might want to look into:
Abacus Project - http://www.psionic.com - PortSentry watches ports and
blocks connections; HostSentry is a Tripwire replacement to monitor the
filesystem for changes; LogCheck scrapes your log files and lets you
know what's going on on your system
SNORT - http://www.snort.org - A packet sniffer/IDS system that is
scriptable so that you can exec responses to attacks, dynamically block
hosts, etc. Great system, but extremely complicated for new users (join
the mailing list!!!!! ;-)
BOOKS!!!!!
Ultimate Linux Security by Anonymous
Hackproofing Your Network by Ryan Russell
HOWTO's
Ethernet-3-4
Firewall
IPChains
IPMasquerading
Security
Mailing Lists:
GNHLUG ;-)
Focus-Linux (securityfocus)
Vuln-Dev (securityFocus)
Forensics (securityfocus)
Secbasics (securityfocus)
Snort
> Thanks in advance for the suggestions, and if anyone sees me heading in the
> direction of a serious mistake, please speak up. After I find answers to
> the hardware questions, a simple list of services should be enough for me to
> track down the HOWTOs, books, web sources, etc.
Us? Speak up? I don't know if we can do that. None of us here are all
that concerned about security ;-)
C-Ya,
Kenny
--
-------------------------------------------------
Kenneth E. Lussier
Geek by nature, Linux by choice
PGP KeyID 0xD71DF198
Public key available @ http://pgp.mit.edu
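The dual-homed setup Kenny describes (LAN masqueraded behind the firewall, ports 80/53/25 and ssh forwarded to hosts on the inside, no connections accepted by the firewall itself, and the external address re-read on every run so a DHCP lease change doesn't break the rules), written out as an added example. This is not code from the original post; it uses the 2.2-kernel ipchains and ipmasqadm tools the thread refers to, and the interface names, the 192.168.1.0/24 LAN and the inside host addresses are assumptions. `ext_addr` parses the same net-tools "inet addr:" line that the grep/cut pipeline in the post does.

```shell
#!/bin/sh
# Added example (not from the post): dual-homed ipchains/ipmasqadm firewall.
# Assumptions: eth0 faces the cable modem, eth1 the switch, the LAN is
# 192.168.1.0/24 and the inside hosts below are where the forwarded ports go.
# Applying the rules needs root and a 2.2-era kernel with ipchains support.

EXT_IF=eth0              # NIC on the cable modem (address comes from the ISP's DHCP)
INT_IF=eth1              # NIC on the switch
INT_NET=192.168.1.0/24   # private LAN behind the firewall
WEB_HOST=192.168.1.10    # inside hosts that receive the forwarded ports
DNS_HOST=192.168.1.11
MAIL_HOST=192.168.1.12
SSH_HOST=192.168.1.20

# ext_addr: read old net-tools "ifconfig" output on stdin and print the first
# "inet addr:" value. Re-reading it on every run is what keeps the rule set
# correct after a DHCP lease change.
ext_addr() {
    sed -n 's/^[[:space:]]*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# run: execute a rule, or only print it when DRY_RUN is set, so the whole
# rule set can be reviewed before it touches the kernel.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# fw_rules IPADDR: load the complete rule set for external address IPADDR.
fw_rules() {
    IPADDR=$1
    run ipchains -F
    run ipmasqadm portfw -f
    # Default deny on input and forward; output stays ACCEPT so masqueraded
    # and port-forwarded traffic can leave on either NIC.
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT
    # Loopback and the LAN may talk to the firewall itself (ssh from inside).
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # Anti-spoofing: nothing claiming an inside address is accepted from the modem.
    run ipchains -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    # Holes for the published services: only to our own address, only on these
    # ports, and ipmasqadm hands each one straight to the inside host.
    for rule in "tcp 80 $WEB_HOST" "tcp 53 $DNS_HOST" "udp 53 $DNS_HOST" \
                "tcp 25 $MAIL_HOST" "tcp 22 $SSH_HOST"; do
        set -- $rule
        run ipchains -A input -i "$EXT_IF" -p "$1" -d "$IPADDR" "$2" -j ACCEPT
        run ipmasqadm portfw -a -P "$1" -L "$IPADDR" "$2" -R "$3" "$2"
    done
    # Nothing else may open a TCP connection to the firewall from outside
    # (-y matches SYN-only packets; -l logs the attempt).
    run ipchains -A input -i "$EXT_IF" -p tcp -y -j DENY -l
    # Replies to connections the firewall or a masqueraded inside host opened:
    # non-SYN TCP, UDP to unprivileged ports (ephemeral and masquerade range),
    # ICMP, and the DHCP lease renewals the ISP sends to port 68.
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -d "$IPADDR" -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -d "$IPADDR" 1024:65535 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 67 -d 0.0.0.0/0 68 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p icmp -j ACCEPT
    # Masquerade the LAN on the way out; private addresses never leave unrewritten.
    run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
    # If a DHCP server ever runs on this box, its offers (source port 67) must
    # never leave on the modem side; the ISP only sees our client requests.
    run ipchains -A output -i "$EXT_IF" -p udp -s 0.0.0.0/0 67 -j DENY -l
    [ -n "${DRY_RUN:-}" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage:  sh firewall.sh show [IPADDR]   print the rules (IPADDR defaults to the live one)
#         sh firewall.sh apply           load them into the kernel
case "${1:-}" in
    show)  DRY_RUN=1; fw_rules "${2:-$(ifconfig "$EXT_IF" | ext_addr)}" ;;
    apply) fw_rules "$(ifconfig "$EXT_IF" | ext_addr)" ;;
esac
```

Run `sh firewall.sh show` first and read the rule list; the order matters, since the per-service holes must come before the blanket SYN deny and the anti-spoof rule before everything that accepts from the outside NIC. Re-run `apply` from the DHCP client's lease hook (or from cron) so the `-d "$IPADDR"` rules track a new lease. The tools are the 2.2-kernel ones the thread is about; on a current kernel the same structure (default deny, explicit holes, anti-spoofing, masquerade, no services on the box itself) is expressed with iptables or nftables instead.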
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************