At 02:45 PM 7/9/2004 +0000, [EMAIL PROTECTED] wrote:

That was it Ray!!!!!!!

My WinXP host had a default gateway of 192.168.1.255
I changed it to 192.168.1.255

I assume you mean 192.168.1.254.

Now the laptop surfs the net perfectly, as far as I can tell.
I did a port scan from the internet to check the firewall and EVERYTHING was blocked. Wonderful!!!!


Now let me ask you a couple questions for my next baby steps.

Is it possible to connect a Linksys router to the LEAF firewall (internal NIC) and let the Linksys router set up my local network? I guess it would just be acting like a switch at this point. Especially if I continued to run static internal addresses.

If you run static internal addresses, in what sense will the Linksys serve to "set up" your local network?


In at least one sense, the answer to your question is yes. But since I don't know what you have in mind, I can't be sure that that answer is meaningful.

Here, I've set up a network in which a D-Link router was connected to a LAN, which in turn is connected to my ISP via a Linux router. I've done it in two ways:

1. Connect the external interface of the D-Link to the LAN. In this instance, connections from the D-Link's LAN (182.168.0.0/24, I think) were double NAT'd -- first by the D-Link to its external address (192.168.1.something), then by the Linux router to its external address. Worked fine for routine uses, but I didn't test anything exotic.

2. Connect a LAN port on the D-Link to the LAN. In this instance, the D-Link functioned as a bridge to connect 802.11b devices to the LAN. Also worked fine for routine uses.

Be more specific about what you have in mind and I may be able to offer more specific advice.


My next step is to run all my (5) static external IP addresses through my firewall. I have a few more NICs lying around. I believe I want all 5 IPs to come in through eth0. I read some of the posts and I think I will try the eth0:0 through eth0:4.

After that I am sort of lost. I only have immediate plans to use two more of the IPs, one as a web server, one as a media server. I might run double duty on the media server as an FTP server as well. Anyway, my question was could you give me a general overview of the specific modules, settings, files that I would need to change/update. I guess it would be best to masquerade the IPs?

No. You probably want to DNAT (Destination NAT) them. This is the way iptables provides port forwarding. So you would (for example) DNAT 24.227.166.195:80 to 192.168.1.42:80. From the next paragraph, this is similar to what you have done in the past.


Truthfully Ray, the main reason I wanted to use the firewall besides local network security was to protect my web and media server. Is there someway to block bad people doing bad things while allowing everybody else in?

Well, you could tell the router to check all incoming packets for the evil bit. (This is a joke. If you are not familiar with it, Google for "evil bit" and you'll find the details.)


But there is no real solution at the level of generality your question asks. The usual solution -- imperfect but the state of the art -- is to set up the router with 3 interfaces: external, internal, and DMZ. The DMZ interface (DMZ=DeMilitarized Zone, sort of a no man's land) is treated differently from an ordinary internal interface -- iptables rules restrict the ability of hosts on it to initiate connections to the outside world or the LAN, as well as limiting what ports incoming connections can arrive on. Shorewall has docs for this sort of setup, and they are probably the place for you to start (I haven't read them myself, but the Shorewall stuff I have read is well written, so this part probably is too).

Or you could use the LEAF router as a 2-NIC system and have it protect ONLY the media and Web servers (setting it up in DMZ configuration). Then use the Linksys separately from the LEAF router to NAT the LAN to the Internet; router-in-a-box solutions like Linksys aren't really as good as Linux/LEAF routers, but they are not bad and probably are good enough for the small office- and home-LAN uses they are sold for.

The final option is to connect the Web and media servers directly to the Internet, outside the router, and use the router to protect the LAN from attacks originating from either of the servers. Combine this with careful configuration (including on-server firewall rules) of the servers themselves to protect them from attacks and ... well, it's not as secure as either of the other approaches, but depending on details of those servers (what OSs do they run? I wouldn't do this with WinXX systems, but I'd try to secure Linux systems this way), it might serve.

I worry because in the past I had to open and forward port 80 (and other specific ports on the media server). It seems to me like I was just putting a lock on my door but leaving the door wide open.

Well, not wide open, but perhaps a bit ajar. What you really want to do is separate the servers from the LAN, as described above.


Thanks for your help Ray.




------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
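The DNAT port-forwarding and the 3-interface DMZ layout that Ray describes above, put together as one iptables rule script. This is an added example, not code from the thread, LEAF or Shorewall. It assumes eth0 is the external NIC, eth1 the LAN, eth2 the DMZ, that the web server sits at 192.168.2.10 in the DMZ, and that the public addresses are bound to eth0 as aliases (the 24.227.166.195/29 netmask is an assumption); the 24.227.166.195:80 address comes from Ray's DNAT example. By default the script only prints the iptables commands it would run (a dry run you can read before trusting it); set APPLY=1 to execute them as root.

```shell
#!/bin/sh
# Added example: 3-NIC router (external / LAN / DMZ) with DNAT port forwarding.
# All interface names, networks and the DMZ host address below are assumptions.
EXT_IF=eth0
LAN_IF=eth1
DMZ_IF=eth2
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
WEB_PUBLIC=24.227.166.195      # public address from the thread's DNAT example
WEB_DMZ=192.168.2.10           # assumed DMZ address of the web server

# Dry run unless APPLY=1: print the command instead of executing it.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf '%s\n' "iptables $*"
    fi
}

# Extra public addresses must be present on eth0 so the router answers ARP
# for them; this is what the eth0:0 .. eth0:4 aliases achieve. Netmask assumed.
add_public_ip() {
    if [ "${APPLY:-0}" = 1 ]; then
        ip addr add "$1/29" dev "$EXT_IF"
    else
        printf '%s\n' "ip addr add $1/29 dev $EXT_IF"
    fi
}

# DNAT one public address/port to a DMZ host, and let that traffic through
# FORWARD. Usage: dnat_rule <public_ip> <proto> <port> <dmz_ip>
dnat_rule() {
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$1" -p "$2" --dport "$3" \
        -j DNAT --to-destination "$4:$3"
    # The rewritten packet is still subject to FORWARD, so allow exactly this flow.
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$4" -p "$2" --dport "$3" \
        -m state --state NEW -j ACCEPT
}

build_ruleset() {
    # Default-deny on the router itself and on forwarded traffic.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -t nat -F
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN may initiate connections to the Internet and to the DMZ.
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -j ACCEPT
    # Private LAN addresses get source-NATed on the way out.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE

    # DMZ hosts may never open connections into the LAN: a compromised web
    # server should not reach your desktops. Log, then drop.
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m state --state NEW \
        -j LOG --log-prefix DMZ-to-LAN:
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP

    # DMZ hosts may only initiate what a server needs outbound (DNS here);
    # anything else (e.g. a reverse shell phoning home) hits the DROP policy.
    ipt -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -p tcp --dport 53 -j ACCEPT

    # Published services: one public IP per server, forwarded into the DMZ.
    add_public_ip "$WEB_PUBLIC"
    dnat_rule "$WEB_PUBLIC" tcp 80 "$WEB_DMZ"
}

build_ruleset
```

Run it as-is and read the printed commands; it is the FORWARD rules for the DMZ interface, not the DNAT line itself, that answer the "lock on the door" worry: the forwarded port is reachable, but nothing else on the DMZ host is, and the DMZ host cannot reach the LAN even once it is compromised. Media or FTP servers are added with further `dnat_rule` calls; passive FTP needs the conntrack FTP helper module loaded on the router as well.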