Re: [gentoo-user] making my own router

2005-10-07 Thread Bill Roberts
On 21:42 Thu 06 Oct , Mark wrote:
> I'd like to build a gentoo box to act as a single router between a
> hardware firewall (appliance) and two internal separate network segments.
> The goal is to allow both internal segments to access the Internet via the
> same firewall, but not allow them to see each other.
>
> Here's my general idea - please tell me if it makes sense so far.

Your outline looks good. Haven't ever used a hardware firewall, though.

My setup is a firewall/router, external port to dsl modem, two internal,
one wired, one wireless. I bridged the two internals into a single subnet.

I used:

http://www.gentoo.org/doc/en/home-router-howto.xml

as my guide, then did some googling on bridging for the rest. Works great!

By the way, I used iptables for the firewall, but there is some terrific
documentation for shorewall, which you might find a bit easier.

Bill Roberts
 




RE: [gentoo-user] making my own router

2005-10-07 Thread Dave Nebinger
> Sound OK so far?

Yup, same setup I'm using (kinda).  Works out very well.

> Next steps I think are figuring out how to provide DHCP
> to both internal subnets from the same Gentoo box, and
> what gateway address(es) the clients should use.

The gentoo box is the gateway.  Assuming it is 192.168.{0,1}.1,
that would be the address to feed to the internal network boxen.

DHCP is easily configured to serve based upon the card, you just
need to dig into the config file to get it set up.  Don't forget
to add iptables rules to block DHCP traffic coming or going on
the card connected to the network; you don't want to offer DHCP
to anyone outside of your internal network.

Along with DHCP you might want to add a caching DNS proxy on the
gateway box.  This will simplify the network settings of the
internal systems (everything network-related would point to the
gateway).

> Finally, I need to be able to do port-forwarding from the
> outside to a specific host on one of the internal subnets.
> Can I do that?

Yes, it's all done via iptables.  You'll need to chain it up; the
cable modem forwards to the firewall which forwards to the gentoo
box which forwards to the specific host.  You'll have to get all
of the DNAT stuff right along the way.

> One quandary I have is regarding the hardware firewall. We have
> money invested in it, but does it buy me anything now that we are
> creating the 2 separate subnets? Should I just sell it and let
> the Gentoo box be the firewall as well?

As one poster said it will offer another layer of protection, but...

Personally I found it unwieldy to maintain iptables rules in such a
fashion.  If traffic can't get to/from a destination you'll have like
5 points of failure: the local box, the switch, the gentoo box, the
firewall, and finally the cable modem.

And with the correct iptables rules in place your gentoo box will
be just as secure as the firewall appliance.  It also offers you the
opportunity to see all incoming traffic, not just the traffic the
firewall appliance allows.  So, for example, I have the ssh port open
on the gentoo box but it is basically a honey pot; folks trying to
connect there get automatically added to the blacklist and traffic
is blocked from them permanently.

I'm not sure how feature-full your firewall appliance is, but the ones
that I was using had limited port forwarding capabilities (10 to be
exact).  Once I wanted to start hosting basic services, I quickly
consumed those ports (imap, pop3, ssh, ident, smtp, ftp, http/s, ...).

This however might not be a problem for you.


-- 
gentoo-user@gentoo.org mailing list
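The rule set Dave describes (DHCP kept off the outward-facing card, the two internal segments unable to reach each other, and a DNAT port forward paired with the FORWARD rule it needs) as one added shell script. This is example code, not from the thread or the Gentoo router howto; the interface names (eth0 outward, eth1/eth2 internal), the two /24 subnets and the forwarded web host at 192.168.0.10 are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (assumed layout): eth0 faces the firewall appliance/modem,
# eth1 and eth2 are the two internal segments. Rules are printed by default;
# run with APPLY=1 as root to load them.
set -e

EXT_IF="${EXT_IF:-eth0}"
LAN1_IF="${LAN1_IF:-eth1}"; LAN1_NET="${LAN1_NET:-192.168.0.0/24}"
LAN2_IF="${LAN2_IF:-eth2}"; LAN2_NET="${LAN2_NET:-192.168.1.0/24}"
# Assumed forwarded service: external TCP 80 to a host on the first segment.
FWD_PORT="${FWD_PORT:-80}"; FWD_HOST="${FWD_HOST:-192.168.0.10}"

# ipt: print the rule unless APPLY=1, so the set can be reviewed (and
# checked by the test below) without root or a live kernel.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

router_rules() {
    # Default-deny on INPUT and FORWARD; only explicit paths below are open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # No DHCP in or out on the external card: never serve leases to the
    # outside. (Drop the OUTPUT line if eth0 itself gets its address by DHCP.)
    ipt -A INPUT -i "$EXT_IF" -p udp --dport 67:68 -j DROP
    ipt -A OUTPUT -o "$EXT_IF" -p udp --dport 67:68 -j DROP

    # The internal segments may reach the gateway's own DHCP and DNS only.
    for lan in "$LAN1_IF" "$LAN2_IF"; do
        ipt -A INPUT -i "$lan" -p udp --dport 67 -j ACCEPT
        ipt -A INPUT -i "$lan" -p udp --dport 53 -j ACCEPT
        ipt -A INPUT -i "$lan" -p tcp --dport 53 -j ACCEPT
    done

    # Segment isolation: refuse forwarding between the two internal cards.
    # These precede the internal->outside ACCEPTs, and stay in force even
    # if someone later relaxes the FORWARD policy.
    ipt -A FORWARD -i "$LAN1_IF" -o "$LAN2_IF" -j DROP
    ipt -A FORWARD -i "$LAN2_IF" -o "$LAN1_IF" -j DROP
    ipt -A FORWARD -i "$LAN1_IF" -s "$LAN1_NET" -o "$EXT_IF" -j ACCEPT
    ipt -A FORWARD -i "$LAN2_IF" -s "$LAN2_NET" -o "$EXT_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # Port forward: DNAT rewrites the destination in PREROUTING, but the
    # rewritten packet still has to pass FORWARD, so both rules are needed.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$FWD_HOST:$FWD_PORT"
    ipt -A FORWARD -i "$EXT_IF" -o "$LAN1_IF" -p tcp -d "$FWD_HOST" \
        --dport "$FWD_PORT" -m state --state NEW -j ACCEPT
}

router_rules
```

Run it once without APPLY to read the rules it would load, then `APPLY=1 sh router-rules.sh` as root; forwarding also has to be switched on (`echo 1 > /proc/sys/net/ipv4/ip_forward`), which the script deliberately leaves to the reader. The forward for the appliance still has to be set up on the appliance itself, as Dave notes: the chain is modem, appliance, then this box.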



Re: [gentoo-user] making my own router

2005-10-06 Thread W.Kenworthy
Unless it's limiting you in some fashion, leave it there as an extra
layer of protection - dedicated HW firewalls are often more secure than
a general purpose machine, but lose out in the flexibility/functionality
stakes.  You can also get funky and use the gentoo box to detect suspect
traffic, and then deny it by uploading the ACL deny to the firewall.

Personally, while I really like my gentoo firewall/gateway, I would love
to have this option to completely remove traffic I designate from
hitting the inner firewall at all.  Make the most of it!

BillK

On Thu, 2005-10-06 at 21:42 -0500, Mark wrote:
> I'd like to build a gentoo box to act as a single router between a
...
> One quandary I have is regarding the hardware firewall. We have money
> invested in it, but does it buy me anything now that we are creating
> the 2 separate subnets? Should I just sell it and let the Gentoo box
> be the firewall as well?
>
> Thanks for any insight, as always.
> --
> Mark
> [unwieldy legal disclaimer would go here - feel free to type your own]