Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Scenario: I work at a local computer sales/repair company that is also an internet service provider. We currently have a firewall protecting our internal network from the outside world. I need to be able to plug our computer repair customers into our network (for internet updates, etc.) while protecting our clients' computers from the outside world as well as protecting our network from the customers' adware-, spyware- and virus-infested computers. My thought was to put in an internal firewall and plug the customer computers into that; however, in my mind that would protect the customers' PCs from our network, not our network from the customer PCs. Any advice on how to handle this would be appreciated.
Putting in another firewall would work fine. Keep in mind they operate just as well in both directions as they do in only a single direction. Ideally, you could do something like:
INTERNET
----------------------- Firewall 0
WEB SERVER
MAIL SERVER
----------------------- Firewall 1
TRUSTED NETWORK
----------------------- Firewall 2
CLIENT MACHINE
Firewall 0 would allow in ports 25 (SMTP), 80 (HTTP), and 443 (HTTPS), and everything out. Firewall 1 would allow nothing in, and everything out. Firewall 2 would allow nothing in, and out only to port 80 (HTTP) not bound for a local network (i.e. !192.168.0.0/16, or whatever address grouping you're using). This is pretty restrictive to those client machines, which can only access non-local servers listening on port 80. And it's also really flexible for your trusted network, which can send anything out, but won't get anything pushed into it.
The real configuration will take more work (since you'll probably have to play with NAT, etc.) but at least it's conceptually fairly easy to manage.
Is your current firewall a Linux box? Because if so, you don't need to add another firewall to do this; you just need to add another network card to your current firewall.
Thank you taylor_venable, this is exactly what I was looking for.
Sorry for my poor description; I type as I think, erratic, and usually only I can understand it.
IMHO it's kind of weird that one would choose to add another firewall in order to achieve an inferior result (more complex management and lower security) compared to what one would get by simply adding one or two zones to the current firewall. Then again, I don't even know if you have the ability to add another zone, as you completely ignored my question... hehe.
BTW, one of the Linux firewalls I manage is set up to serve very similar functionality to what you are trying to achieve: it's a basic iptables firewall with 4 network interfaces. Each interface is a zone: eth0 is the Internet, eth1 is LAN #1, eth2 is LAN #2, and eth3 is the DMZ. All of the internal networks are completely firewalled from each other (this is in stark contrast to using a separate firewall with a ! 192.168.0.0/16 rule on it).
It's kind of curious, actually, because the guy I installed the firewall for originally also thought he would have to use multiple firewalls for the setup he had in mind. It was a pleasant surprise for him when he realized that wasn't the case.
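The two answers above describe the same policy from different angles: taylor_venable's three conceptual firewalls (Internet may reach only the DMZ services; the trusted network sends anything out and receives nothing unsolicited; customer machines get HTTP out to non-local addresses only) and win32sux's point that one Linux box with one NIC per zone can enforce all of it. The script below is an added example written for this page, not code posted in the thread or taken from either poster's firewall. It assumes the four-interface layout win32sux describes (eth0 Internet, eth1 trusted LAN, eth2 customer bench, eth3 DMZ), assumes RFC 1918 subnets behind the box, and adds an SSH-from-LAN rule for administering the firewall itself; all of those are assumptions to adjust. It emits the whole ruleset in iptables-restore format so you can review it as a dry run and then load it atomically.

```shell
#!/bin/bash
# Added example, not code from the thread: one Linux firewall with four NICs,
# one zone per interface, carrying the Firewall 0/1/2 policy from the thread.
# Interface names, subnets and the SSH admin rule are assumptions.
set -eu

INET=eth0   # Internet uplink
LAN=eth1    # trusted company network
CUST=eth2   # customer repair bench
DMZ=eth3    # web and mail servers
PRIVATE="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"   # RFC 1918: never a customer destination

# Emit the complete ruleset in iptables-restore format (lines starting with
# '#' are comments to iptables-restore), so it can be reviewed and then
# loaded in one atomic step instead of rule by rule.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall host itself: loopback, replies, and SSH from the trusted LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
# Replies to permitted connections pass in every direction; any new
# connection must match an explicit zone-to-zone rule below.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# "Firewall 0": the Internet may reach only the DMZ services (25, 80, 443)
-A FORWARD -i $INET -o $DMZ -p tcp -m multiport --dports 25,80,443 -j ACCEPT
# DMZ hosts may initiate to the Internet, never into the LAN or the bench
-A FORWARD -i $DMZ -o $INET -j ACCEPT
# "Firewall 1": the trusted LAN sends anything out; nothing unsolicited comes in
-A FORWARD -i $LAN -o $INET -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -j ACCEPT
# "Firewall 2": the customer bench gets HTTP out to non-private addresses only.
# The DROPs must precede the ACCEPT, which is why they are emitted first.
EOF
    for net in $PRIVATE; do
        echo "-A FORWARD -i $CUST -d $net -j DROP"
    done
    cat <<EOF
-A FORWARD -i $CUST -o $INET -p tcp --dport 80 -j ACCEPT
# Everything else is logged (rate-limited), then falls to the DROP policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# All internal zones share the uplink address
-A POSTROUTING -o $INET -j MASQUERADE
COMMIT
EOF
}

# Guard against a typo undoing the whole point: no rule may ever forward
# traffic from the customer bench into the trusted LAN or the DMZ.
check_rules() {
    ! gen_rules | grep -qE -- "-i $CUST -o ($LAN|$DMZ)"
}

if [ "${1:-}" = "--apply" ]; then
    check_rules
    gen_rules | iptables-restore   # replaces the live ruleset atomically
else
    gen_rules                      # dry run: print the ruleset for review
fi
```

Run it with no arguments to read the generated rules, then as root with `--apply` to load them. Two caveats a practitioner will hit immediately: the thread's "port 80 only" policy leaves customer machines without DNS, and modern update services use HTTPS, so in practice the bench zone also needs 53 (UDP and TCP) and 443 to the non-private destinations; and because the INPUT policy is DROP, any service the firewall box provides to the bench (DHCP, a caching resolver) needs its own INPUT rule on `eth2`. On kernels too old for the conntrack match, `-m state --state` takes the same arguments.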