Old 04-12-2006, 08:49 PM   #1
raleighberinger
LQ Newbie
 
Registered: Apr 2006
Posts: 2

Rep: Reputation: 0
Firewall Configuration Help


Scenario: I work at a local computer sales/repair company that is also an internet service provider. We currently have a firewall protecting our internal network from the outside world. I need to be able to plug our computer repair customers into our network (for internet updates, etc.) while protecting our clients' computers from the outside world as well as protecting our network from the customers' adware-, spyware- and virus-infested computers. My thought was to put in an internal firewall and plug the customer computers into that; however, in my mind that would protect the customers' PCs from our network, not our network from the customer PCs. Any advice on how to handle this would be appreciated.
 
Old 04-12-2006, 09:40 PM   #2
novice06
Member
 
Registered: Mar 2006
Location: Singapore
Distribution: RHEL, CentOS
Posts: 132

Rep: Reputation: 23
suggest

Hi,

I really don't understand your idea.

novice
 
Old 04-12-2006, 09:47 PM   #3
taylor_venable
Member
 
Registered: Jun 2005
Location: Indiana, USA
Distribution: OpenBSD, Ubuntu
Posts: 892

Rep: Reputation: 43
Putting in another firewall would work fine. Keep in mind they operate just as well in both directions as they do in only a single direction. Ideally, you could do something like:

INTERNET
----------------------- Firewall 0
WEB SERVER
MAIL SERVER
----------------------- Firewall 1
TRUSTED NETWORK
----------------------- Firewall 2
CLIENT MACHINE

Firewall 0 would allow in ports 25 (SMTP), 80 (HTTP), and 443 (HTTPS), and everything out. Firewall 1 would allow nothing in, and everything out. Firewall 2 would allow nothing in, and out only to port 80 (HTTP) not bound for a local network (i.e. !192.168.0.0/16, or whatever address grouping you're using). This is pretty restrictive to those client machines, which can only access non-local servers listening on port 80. And it's also really flexible for your trusted network, which can send anything out, but won't get anything pushed into it.

The real configuration will take more work (since you'll probably have to play with NAT, etc.) but at least it's conceptually fairly easy to manage.
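Here is how "Firewall 2" from the layout above could be written as an iptables ruleset. This is an added example, not code from the original post: it assumes a Linux box with eth0 toward the trusted network and eth1 toward the customer PCs (hypothetical interface names and subnets, settable through the variables at the top), and it adds one rule the post does not mention, UDP/53 to a single resolver at a hypothetical address, because HTTP by hostname is useless without DNS. Without APPLY=1 the script only prints the commands it would run, so the ruleset can be reviewed on any machine without root.

```shell
#!/bin/sh
# Added example ruleset for "Firewall 2" (not from the original post).
# Hypothetical assumptions: $LAN_IF faces the trusted network, $CUST_IF faces
# the customer PCs in $CUST_NET, and every internal subnet lives in $LOCAL_NET.
# $DNS is a hypothetical resolver address (RFC 5737 documentation range).
LAN_IF=${LAN_IF:-eth0}
CUST_IF=${CUST_IF:-eth1}
CUST_NET=${CUST_NET:-192.168.200.0/24}
LOCAL_NET=${LOCAL_NET:-192.168.0.0/16}
DNS=${DNS:-203.0.113.53}

# APPLY=1 executes the commands; otherwise they are printed for review.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

fw2_rules() {
    # Default deny in every direction, then allow only what the post describes.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -F
    ipt -t nat -F

    # The firewall host itself: loopback and replies to its own traffic only.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Replies to customer-initiated connections may come back through.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Customer PCs -> anywhere NOT in local address space, TCP/80 only.
    ipt -A FORWARD -i "$CUST_IF" -o "$LAN_IF" -s "$CUST_NET" ! -d "$LOCAL_NET" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Addition not in the post: name resolution, restricted to one resolver.
    ipt -A FORWARD -i "$CUST_IF" -o "$LAN_IF" -s "$CUST_NET" -d "$DNS" \
        -p udp --dport 53 -m state --state NEW -j ACCEPT
    # Anything else from the customer side (including attempts on the trusted
    # LAN) is logged and then dropped by the FORWARD policy.
    ipt -A FORWARD -i "$CUST_IF" -m limit --limit 5/min -j LOG --log-prefix "FW2-DROP "

    # Hide the customer subnet behind the firewall's trusted-side address.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$CUST_NET" -j MASQUERADE
}

# Self-check: the generated ruleset carries the two rules that matter.
fw2_check() {
    out=$(fw2_rules)
    echo "$out" | grep -q -- "! -d $LOCAL_NET -p tcp --dport 80" &&
    echo "$out" | grep -q -- "-P FORWARD DROP"
}

fw2_rules
```

Run it as root with APPLY=1 to load the rules. The `! -d 192.168.0.0/16` test only excludes that one range; if the trusted side also uses 10.0.0.0/8 or 172.16.0.0/12, put explicit DROP rules for those ranges ahead of the ACCEPT. Windows Update and most other update services have moved to HTTPS, so in practice a matching rule for TCP/443 is needed alongside the TCP/80 one.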
 
Old 04-12-2006, 10:03 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Is your current firewall a Linux box? Because if so, you don't need to add another firewall to do this; you just need to add another network card to your current firewall.
 
Old 04-13-2006, 05:26 AM   #5
raleighberinger
LQ Newbie
 
Registered: Apr 2006
Posts: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by taylor_venable
Keep in mind they operate just as well in both directions as they do in only a single direction. Ideally, you could do something like:

INTERNET
----------------------- Firewall 0
WEB SERVER
MAIL SERVER
----------------------- Firewall 1
TRUSTED NETWORK
----------------------- Firewall 2
CLIENT MACHINE

Firewall 2 would allow nothing in, and out only to port 80 (HTTP) not bound for a local network (i.e. !192.168.0.0/16, or whatever address grouping you're using). This is pretty restrictive to those client machines, which can only access non-local servers listening on port 80. And it's also really flexible for your trusted network, which can send anything out, but won't get anything pushed into it.
Thank you, taylor_venable, this is exactly what I was looking for.

Sorry for my poor description. I type the way I think: erratically, and usually only I can understand it.
 
Old 04-14-2006, 12:41 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
IMHO it's kind of weird that one would choose to add another firewall in order to achieve an inferior result (more complex management and lower security) compared to what one would get by simply adding one or two zones to the current firewall. Then again, I don't even know if you have the ability to add another zone, as you completely ignored my question. Hehe.

BTW, one of the Linux firewalls I manage is set up to serve very similar functionality to what you are trying to achieve: it's a basic iptables firewall with four network interfaces. Each interface is a zone: eth0 is the Internet, eth1 is LAN #1, eth2 is LAN #2, and eth3 is the DMZ. All of the internal networks are completely firewalled from each other (this is in stark contrast to using a separate firewall with a ! 192.168.0.0/16 rule on it).

It's kind of curious, actually, because the guy I installed the firewall for originally also thought he would have to use multiple firewalls for the setup he had in mind. It was a pleasant surprise for him when he realized that wasn't the case.

Anyway, to each his own. Good luck.

Last edited by win32sux; 04-14-2006 at 12:46 AM.
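The zone layout described in the post above, written out as an added example rather than the poster's actual configuration: one iptables box with four interfaces, each a zone, and a named FORWARD sub-chain only for the zone pairs that are allowed to talk. Interface names, subnets and the DMZ host address are hypothetical assumptions. Customer traffic gets a chain only toward eth0, so the trusted LAN and the DMZ are unreachable from it by construction rather than by a `! 192.168.0.0/16` exclusion. With APPLY=1 the commands are executed; otherwise they are printed for review.

```shell
#!/bin/sh
# Added example: four-interface, four-zone iptables firewall (not the
# configuration from the post). Hypothetical assumptions: eth0 = Internet,
# eth1 = trusted LAN, eth2 = customer LAN, eth3 = DMZ, web/mail host $DMZ_HOST.
WAN_IF=eth0; LAN_IF=eth1; CUST_IF=eth2; DMZ_IF=eth3
LAN_NET=192.168.1.0/24
CUST_NET=192.168.2.0/24
DMZ_NET=192.168.3.0/24
DMZ_HOST=192.168.3.10

# APPLY=1 executes the commands; otherwise they are printed for review.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else printf 'iptables %s\n' "$*"; fi
}

# One chain per (source zone -> destination zone) pair that may talk. A pair
# with no chain falls through to the FORWARD DROP policy; that is what keeps
# the internal networks isolated from each other.
zone_pair() {  # zone_pair CHAIN IN_IF OUT_IF
    ipt -N "$1"
    ipt -A FORWARD -i "$2" -o "$3" -j "$1"
}

zones_rules() {
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -F; ipt -X; ipt -t nat -F

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internal address space arriving on the Internet side is spoofed: drop it.
    for net in $LAN_NET $CUST_NET $DMZ_NET; do
        ipt -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done

    # Trusted LAN: everything out to the Internet, nothing in.
    zone_pair lan2wan "$LAN_IF" "$WAN_IF"
    ipt -A lan2wan -s "$LAN_NET" -j ACCEPT

    # Customer LAN: HTTP (plus DNS, assumed necessary) out to the Internet only.
    # No chain exists toward eth1 or eth3, so those zones cannot be reached.
    zone_pair cust2wan "$CUST_IF" "$WAN_IF"
    ipt -A cust2wan -s "$CUST_NET" -p tcp --dport 80 -j ACCEPT
    ipt -A cust2wan -s "$CUST_NET" -p udp --dport 53 -j ACCEPT

    # DMZ: published services reachable from the Internet and from the trusted
    # LAN. A compromised DMZ host still cannot initiate into either LAN.
    zone_pair wan2dmz "$WAN_IF" "$DMZ_IF"
    ipt -A wan2dmz -d "$DMZ_HOST" -p tcp -m multiport --dports 25,80,443 -j ACCEPT
    zone_pair lan2dmz "$LAN_IF" "$DMZ_IF"
    ipt -A lan2dmz -s "$LAN_NET" -j ACCEPT

    # NAT: publish the DMZ host on the WAN address, masquerade everything else.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -m multiport --dports 25,80,443 \
        -j DNAT --to-destination "$DMZ_HOST"
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Audit helper: list the zone pairs that have a chain. Anything not listed
# here is dropped, which is the whole point of the design.
zones_allowed_pairs() {
    zones_rules | sed -n 's/^iptables -A FORWARD -i \([a-z0-9]*\) -o \([a-z0-9]*\) -j .*/\1->\2/p'
}

zones_rules
```

Adding a zone later means adding an interface and the chains for the pairs it may talk to; nothing else changes, and the policy stays readable from the output of `zones_allowed_pairs` alone.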
 