LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (http://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Firewall/Gateway + Server (http://www.linuxquestions.org/questions/linux-newbie-8/firewall-gateway-server-439503/)

Enrickey 04-27-2006 07:49 PM

Firewall/Gateway + Server
 
I have an old computer (not that old, PIII 866MHz, 256RAM, 4GB HD) and I wanted to turn it into a Firewall/Gateway as well as a server. My current router, a D-Link DI-604 isn't very strong, and it bogs down as soon as I connect to a torrent, or do a lot of things which take advantage of UPnP, so using an old computer would surely be a lot better. I also run a small site, and since I don't get that many visitors, I would like to run it myself.

I want to know how I would go about doing this. I looked at some solutions such as IPcop, or Coyote Linux, but they don't seem to be able to support Apache, MySQL and PHP. I'm guessing that I would probably need to use a general distro and just have seperate software take care of everything, but I'm not sure how I would go about doing that. The Firewall/Gateway component would have to be able to support UPnP, as well as a feature to disable the network during certain hours, and many other kinds of things that routers tend to do. I'm willing to buy a switch for the network, as well as a second network card for the PC, so that won't be a problem.

First of all, is it even possible to achieve what I want to do? And second of all, if it is, what distro should I use along with what software? I'm guessing something light weight, since I don't need a fancy desktop environment for all this. All I want is for the computer to work, and to work well.


Thanks in advance.

AwesomeMachine 04-27-2006 09:14 PM

I don't think you want to run apache on your firewall machine. That means the firewall is running a server. That's insane. You run apache behind the firewall, on a separate machine. Smoothwall is probably the easiest firewall to set up. Debian can be set up as an apache web server.

Enrickey 04-27-2006 11:00 PM

The thing is I only have one spare machine at the moment. Couldn't Apache somehow be set up to run behind the firewall?

I guess I could install Apache on my father's Windows machine which he rarely uses, I was just kind of hoping for a dedicated machine to do everything.

guzzi 04-27-2006 11:25 PM

an idea to consider
 
Hello Enrickey

With a firewall box, I think you would want to have Tripwire and RootKitHunter installed on it as well. I think configuring Tripwire on a system with more than the bare minimums for a firewall would be really, really, really, hard.

Also, in the configuration you are considering, monitoring the logs would be a real pain as well.

A dedicated firewall is really the easiest and best way to go. Nice thing about it is that it can be a 486-66 or something like it. The cost could be zero.

Good Luck

drkstr 04-27-2006 11:28 PM

You can have your server run services and work as a firewall if you want. It's just not as secure as setting it up separately. Linux has the ability to do everything you are looking for in a firewall. As far as which distro to use, I prefer slackware. It hasn't received the highest marks as a desktop environment, but it rocks the house when it comes to stability and security for networking purposes. If this was the network to some company or houses sensitive material on it, you probably wouldn't want to run web services on the same machine as your firewall. I see no problem in doing this on a home network however. The truth is, most hackers out there could care less about getting into your network, they have bigger fish to fry. As long as you can keep the script kiddies out of it, your good.

Hope this was of some help,
...drkstr

farslayer 04-27-2006 11:53 PM

you could always setup pretty much any distro, install guarddog or firestarter on it as well as your LAMP webserver setup. configure the firewall settings for ipmasq.

Although I would tend to agree a dedicated firewall machine should be just that..
Smoothwall is a nice choice for a gateway machine.

drkstr 04-28-2006 02:46 AM

I keep hearing a lot about these "firewall programs" (not sure of the proper name) shurewall, guarddog, firestarter, ..etc. What ever happened to good ol' iptables? Call me old fashion I guess. Sorry if this is a little off topic, but what are the benefits to using these preconfigured firewalls? Are they more secure or are they just easier to use? I've always just written my own iptable rulesets, should I start looking into some of these as well?

regards,
...drkstr

farslayer 04-28-2006 09:58 AM

Quite honestly iptables is an artform that most new users are not able to easily grasp.

firestarter, guarddog, and fwbuilder are all gui front ends that do a nice job of writing the rule sets for you, with firestarter being the most basic, and fwbuilder giving you an object oriented gui that will allow you to not only build iptables rules but also create configs for your PIX or Checkpoint firewall.

The gui gives a nice intro where a user can check some boxes, then look at the iptables rules to see how it was actually done.

firestarter for instance has a checkbox for internet sharing.. WOW can't get much easier than that to setup a machine as a gateway for your network.. if you've been writing yur own rules, firestarter will probably be a disapointment to you, but for a new user that isn't used to firewalls or configuring them it's got a low learning curve.
http://www.fs-security.com/


Guarddog builds a much more complete set of rules by default but also requires alittle more knowledge as it allows you to control more services and ports in more directions..
http://www.simonzone.com/software/guarddog/#screenshots

fwbuilder is pretty impressive as well and requires an even higher level of understanding to utilize. the way it is designed gives you the most flexability for complex configurations.
http://www.fwbuilder.org/archives/cat_about.html

drkstr 04-28-2006 10:18 AM

Thanks for the info. I think I'll just stick to writing my own rules sense it has been working in the past. I might check out some of the more advanced apps that you mentioned and see how they created the policies. I might be able to learn a thing or two. :)

regards,
...drkstr

Enrickey 04-28-2006 03:44 PM

The thing is, I don't really care about security. Even if my Linux box won't be as secure, it doesn't really matter. As far as I know, most attacks are against Windows machines, and mine will be safely behind the Linux firewall.

The Firestarter program looks exactly like what I need.

Thanks a lot for the help, and the warnings. If I can get my hands on another PC, I'll try and set it up as a firewall only, since it would also be nice to have some of the features that many dedicated firewall distro's offer, such as editing through a webpage. Until then though, this will suffice.

Thanks again.

elf0r 05-18-2006 10:33 AM

Hey sorry to revive a deceased topic but are any of these 3 listed firewalls upnp compatible? looking for something for my bit torrent client to autoconfig thanks
~elfy

drkstr 05-18-2006 11:37 AM

try:

http://linux-igd.sourceforge.net/documentation.php

regards,
...drkstr

cs-cam 05-18-2006 11:59 AM

Ick, why bother with UPnP? All it does is forward the ports for you, surely you can do that yourself?

drkstr 05-18-2006 12:58 PM

Quote:

Ick, why bother with UPnP? All it does is forward the ports for you, surely you can do that yourself?
yes, this should give you what you need for bittorrent clients
Code:

iptables -A INPUT -p TCP --dport 6881:6889 -i ${WAN} -j ACCEPT
Update accordingly to your configuration (device, network setup/forwarding).

regards,
...drkstr

elf0r 05-18-2006 05:23 PM

thanks muchly guys :)
~elfy


All times are GMT -5. The time now is 12:46 PM.