If you want to use later versions (2.4) of the kernel for your firewall, I seem to remember needing at least 4 MB of RAM for install. If you run public services, I would suggest a triple-interface host (one for the INET, one for your LAN, one for your public DMZ), but you have to go with what you have...

Jeff's suggestions are _very_ good (as always). If you come to the next meeting, hopefully I can shed some light on how to get the most from iptables. However, my favorite how-to on the subject is (watch out for the striking similarity to the talk that I'll be giving):

http://people.unix-fu.org/andreasson/index.html (props to BoingWorld)

It's a very good walk-through of the rule sets and why. HTHO.

If you want to use ipchains and an older kernel, I know of some good howtos for that as well. Just let me know ;-P

jan

--- Jeff Newmiller <[EMAIL PROTECTED]> wrote:

> On Thu, 6 Sep 2001, Ryan wrote:
>
> > Ok, I've got an old 486 sitting in my closet that I got from my dad a
> > while ago, intending to set it up as a Linux-based server/bridging
> > firewall. It has 2 NICs, so I was hoping to set up some routing software
> > and whatnot to allow me to run a webserver and mail server on the 486
> > while still being able to use games and whatnot that need to accept
> > incoming connections on my main box.
>
> You have to be a little more careful with multi-function computers also
> acting as firewalls, but it is doable. Multiple functions allow hackers
> more flexibility if they get through your outer perimeter.
>
> > My preferred setup for dealing with incoming connections on eth0 is to
> > have a list of ports to block connections to and a list of ports to
> > allow incoming connections to, and what IP on the internal network
> > those requests should be directed to (or to direct it to a server
> > that's running locally).
>
> More commonly, all incoming connections are blocked, unless they meet
> specific requirements. You only end up with one list that way.
>
> > Traffic to the internet from eth1 (the internal network) should be sent
> > out to the WAN, preferably without a proxy.
>
> Masquerading.
>
> > Oh, and I do only have one internal IP.
>
> Definitely on the poor side of the tracks. ;)
>
> Actually, I think you mean one _external_ IP.
>
> > Suggestions on what programs would be needed to do this stuff and hints
> > on setting things up?
>
> I use a customized Linux Router Project configuration, but that takes a
> little more doing to include mailservers and webservers. Seems like there
> are a lot of variations on this base now... LEAF
> (http://leaf.sourceforge.net), Coyote (http://www.coyotelinux.com) are two
> that come to mind. http://www.linuxsecurity.com has information on quite
> a few Linux security issues.
>
> There are a few configurable firewall scripts, like rcf
> (http://rcf.mvlan.net/) or seawall (http://seawall.sourceforge.net/) for
> ipchains. There are some advantages to going with Linux 2.4's iptables,
> but fewer people are familiar with it... you can try shorewall
> (http://shorewall.sourceforge.net/).
>
> > I currently have Storm installed on it, but I have a copy of Mandrake
> > SNF and could get and burn any other distro off the net.
>
> I would expect that either of these could do the job, assuming you have
> enough disk space and RAM in this box. Use whichever you find more
> familiar. Look for Bastille Linux, a script for hardening a RedHat-based
> distribution.
>
> ---------------------------------------------------------------------------
> Jeff Newmiller                        The     .....       .....  Go Live...
> DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
>                                       Live:   OO#..      Dead: OO#..  Playing
> Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
> /Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
> ---------------------------------------------------------------------------
