LinuxQuestions.org
11-20-2008, 08:09 AM   #1
rbees
Trying to choose best firewall method


Ladies & Gentlemen

I have been using linux for a couple of years now and I am ready to try some new things. But first I need to set up a (secure as I can make it) dhcp/firewall. I am currently using a Debian Lenny box with firestarter but I don't really need the gui and I want to utilize some old (read ancient) hardware that I have on hand.

I have looked at several options but I am not sure which is the best option for my setup. I want that setup to look like this when complete.

Cable modem > router/firewall > my network { local, dmz, myth-TV, mail, other all as I have the hardware and time}

The options I have looked at are:
floppyfw http://www.zelow.no/floppyfw/
building a Debian based unit http://www.aboutdebian.com/firewall.htm
ipcop http://www.ipcop.org/index.php

I like the idea of floppyfw because I can use the cd version and the box doesn't need a hard drive (green) and I have some even older hardware that it would work on. The down side is that if I use that even older hardware, can it, the older hardware, keep up with the demands that will be placed on it when I set up my local mail server and web server?

I see some advantages with the Debian based route too. Mostly in that I am familiar with the system. Also there are some features that I want to incorporate into my setup. Like Dynamic DNS and such to set up my own web server in a dmz. The instructions on the site seem clear to me but they lack certainty of a secure system when complete.

I do understand that security is an ongoing pursuit and I am not sure that the other options are any better at the start. I have been learning lately that I am not as secure as I thought I was and I have a lot of learning to do on this topic. That is why I am asking for your advice.

Ipcop seems like a great option on the surface. But after having read most of the install instructions I see that they seem to have taken away most of the on the fly configuration. I.e., in order to change the nic configuration, you have to rerun the network setup wizard; you can't just take the interface down, change its config and bring it back up. Also I am not sure it will do the things that the Debian based system will do, like allowing me to use dynamic dns to set up my own web/mail server. I am also not sure that I like the whole "configure from your web browser" idea.

Of course there may be another/better option that I don't know about yet that you all can point me to.

Eagerly awaiting your thoughts.
 
11-20-2008, 08:55 AM   #2
GlennsPref

Hi, most linux systems are secure by default.

Iptables can be set up to cover a wide range of addresses and ipcop can be used to ban certain ip addresses.

I have found this site useful when setting up my firewalled gateway proxy server.

iptables...
http://www.linuxhomenetworking.com/w...Using_iptables

squid...
http://www.linuxhomenetworking.com/w...ess_with_Squid

Maybe you will find it useful too. It is non-specific as far as distribution...

http://www.linuxhomenetworking.com/

regards, Glenn

Last edited by GlennsPref; 11-20-2008 at 09:00 AM.
 
11-20-2008, 11:05 AM   #3
rbees
Thanks GlennsPref

I will be adding that site to my collection of go-tos for setting up new features.

I am leaning towards the Debian based option and you have pointed me to some very useful info, Thanks again.

Does anyone else have some input?

There is also the question of what the hardware I want to use can handle. I am really shying away from the very old hardware I have, pre-pentium stuff, because I don't think it will serve me long term. The hardware I want to use is an old HP Pavilion 4440 that runs at 333 MHz. I have another (a Packard Bell) that runs at 400 but I think it has some mainboard issues.

So if I set it up how do I know that it is not able to handle the load? Obviously lack of connectivity under heavy load is a given, but are there any symptoms that would warn of it? Does anyone have any insight to share on this? I have 4 users and sometimes a guest or two on my network. Not sure how much bandwidth the web/mail server may need to start, but it's not set up yet anyway.

Willingly waiting for options/advice to consider.
 
11-20-2008, 02:54 PM   #4
salasi
Quote:
Originally Posted by rbees

So if I set it up how do I know that it is not able to handle the load?

Try it. We do not know the load, but for a home user it sounds as if any of the above should work if set up efficiently. Once you have it set up have a look at, e.g., 'top' with the system under load.

As these are old systems, they could be light on ram, but without a gui you should be fine, unless they are very light on ram.
 
12-14-2008, 03:44 PM   #5
rbees
So I am back to this again. I have decided to go ahead and use Debian Lenny for the os on my new firewall. Both of the old desktops I had that I was going to use developed mainboard problems and are not suitable any more. I did acquire some other hardware that is better suited to the load I may have in the near future.

I have installed a base system from a netinstall Lenny cd with no internet access. Side note: The last couple of times I have tried to install apps from the internet during a clean install the process would hang and not get a complete install.

Anyway, this install is very basic. I have fully updated the installed packages and installed midnight commander and dns. Other than that it is pretty much the way the netinstall cd left it.

In time I plan on installing Webmin but I am not sure that should be my next step.

I do have this machine behind a plastic box sub-net on my main network for added security while I build the system.

I have been reading the info you have pointed me to and one page is telling me that I need to go through the start-up scripts and comment out everything I don't need. That is all well and fine but I am not sure just what I will and will not need. I know that you-all can't really tell me either. But I do seek your counsel because I am sure there are some givens that I won't need, aka alsa, smb to name a couple. Is this the next step I should take? Or would I be better off to install more of the packages I know I want first, aka snort, logcheck, rootkit detectors and other hardening packages and then do the pruning?

Thanks for your guidance.
 
12-14-2008, 05:14 PM   #6
GlennsPref
Hi, do the pruning first, keep the system slim.

With the services you don't know, trial and error, try one at a time. See what happens.

Oh, and Google is your friend!

Cheers, Glenn
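
One way to start the pruning discussed in this thread, as an added example that is not from any poster: on a SysV-init Debian system, list the start links in a runlevel directory and report those that are not on an allowlist you maintain. The function names, the allowlist format and the sample service names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report SysV start links in a
# runlevel directory that are missing from an allowlist. Read-only.

# audit_rc_dir DIR ALLOWLIST
#   DIR        runlevel directory, e.g. /etc/rc2.d
#   ALLOWLIST  one service name per line; '#' starts a comment
# Prints each unexpected service name once, sorted.
audit_rc_dir() {
    dir=$1
    allow=$2
    for link in "$dir"/S[0-9][0-9]*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=${link##*/}            # S20samba
        name=${name#S[0-9][0-9]}    # samba
        # Drop comments and trailing blanks, then require an exact match.
        if ! sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$allow" |
             grep -Fxq -- "$name"; then
            printf '%s\n' "$name"
        fi
    done | sort -u
}

# Constructed sample: a fake runlevel directory plus an allowlist.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/rc2.d"
    for s in S10rsyslog S16ssh S20alsa-utils S20samba S89cron; do
        : > "$d/rc2.d/$s"
    done
    : > "$d/rc2.d/K20exim4"    # kill link, ignored by the audit
    printf '%s\n' '# needed on the firewall box (assumed)' \
        rsyslog ssh 'cron   # scheduled jobs' > "$d/allow"
    printf '%s\n' "$d"
}

sample=$(make_sample)
audit_rc_dir "$sample/rc2.d" "$sample/allow"
rm -rf "$sample"
```

Against a real system the call would be `audit_rc_dir /etc/rc2.d ./allow`; it only reports and changes nothing, so each flagged service can be looked up before it is disabled.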
 
  

