LinuxQuestions.org
Forum: Linux - Security
Old 01-08-2004, 11:41 PM   #1
drdirt
LQ Newbie
 
Registered: Jan 2004
Distribution: trying to limit to three distros
Posts: 6

Howto setup two stage firewall? Linux and router-in-a-box?


I would like to use a bare install of Linux to put up a perimeter router (filtering some) outside of a "router-in-a-box" with serious access lists.

Can anybody refer me to resources, especially on getting the Linux box to properly recognize my SMC Barricade and vice versa?
 
Old 01-09-2004, 12:37 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

I'm not really sure what this accomplishes, aside from possibly slowing down all your traffic. Typically these types of setups are used to create a "screened subnet" that could be used as a DMZ, but if you don't plan to put anything between your packet filter and your SoHo firewall, I have to say I don't really see what the point is.
 
Old 01-09-2004, 10:07 AM   #3
drdirt
LQ Newbie
 
Registered: Jan 2004
Distribution: trying to limit to three distros
Posts: 6

Original Poster
Why...

Maybe it is overkill, but I am trying to play with (and better understand) security as preached by Cisco. You immediately picked up on one of the advantages that they advocate, and there is one other:

One: put a web server in a "screened" zone or "dirty-dmz."

Two: on the perimeter router, filtering outgoing ICMP responses (at least echo responses) blocks conventional reconnaissance probes of the inner firewall.

The outer router really doesn't function as a proper firewall. Mainly set up lists to protect it and the inner firewall. And, as you saw, allow traffic like www or ftp into a weak/moderately protected server.
 
Old 01-09-2004, 10:37 AM   #4
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Re: Howto setup two stage firewall? Linux and router-in-a-box?

Quote:
Originally posted by drdirt
Anybody refer me to resources - especially in getting the linux box to properly recognize my smc barricade and vice versa???
There is some good documentation on setting up Linux firewalls over at TLDP. What do you mean by "recognize"? I would think that just getting each device to pass wanted traffic to the next would suffice. On the Linux side, look at iptables for filtering traffic. Also, if you are going to go through the trouble of having layered firewalls, I would recommend syncing the ruleset as closely as possible between the two devices so that you get full benefit from each. Adding another firewall to simply block outgoing echo replies only adds more network latency by adding another hop. You would be better off just dropping the incoming ICMP types that you don't want on the front side of one firewall.
 
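The two posts above describe the same layout from different angles: a Linux box in front of the SoHo router, a screened subnet for a public web server, and inbound ICMP dropped at the first hop rather than echo replies filtered on the way out. The script below is an added example, not code from the thread or from either poster, of an iptables ruleset for that Linux perimeter box. Interface names (eth0 toward the modem, eth1 for the screened subnet, eth2 toward the SoHo router's WAN port) and the 192.0.2.0/24 documentation addresses are assumptions; adjust them to the actual hardware.

```shell
#!/bin/sh
# Added example (not from the thread): perimeter-box ruleset for
#   modem -> [eth0] Linux filter [eth1] -> screened DMZ (web server)
#                                 [eth2] -> SoHo router WAN port -> LAN
# Interface names and addresses are assumptions. With no argument the
# rules are only printed; "apply" pipes them into sh as root.

WAN_IF="${WAN_IF:-eth0}"      # assumed: link to the modem
DMZ_IF="${DMZ_IF:-eth1}"      # assumed: screened subnet ("dirty DMZ")
INNER_IF="${INNER_IF:-eth2}"  # assumed: link to the SoHo router's WAN port
DMZ_WEB="${DMZ_WEB:-192.0.2.10}"   # assumed web server address

# Emit the ruleset one command per line, so it can be reviewed before use.
perimeter_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# admin access to this box only from the inner side
iptables -A INPUT -i $INNER_IF -j ACCEPT
# ping probes die at the first hop: neither this box nor anything behind it answers
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j DROP
iptables -A FORWARD -i $WAN_IF -p icmp --icmp-type echo-request -j DROP
# keep path-MTU discovery working for hosts behind the filter
iptables -A FORWARD -i $WAN_IF -p icmp --icmp-type fragmentation-needed -j ACCEPT
# public web server in the screened subnet: new connections only on 80/443
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp -m multiport --dports 80,443 --syn -j ACCEPT
# a compromised DMZ host must not open connections toward the inner network
iptables -A FORWARD -i $DMZ_IF -o $INNER_IF -j DROP
# the inner network may go out and may reach the DMZ (admin from inside)
iptables -A FORWARD -i $INNER_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $INNER_IF -o $DMZ_IF -j ACCEPT
# log, rate limited, whatever is left before the DROP policy eats it
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "perim-drop: "
EOF
}

# Sanity check: how many rules match traffic arriving on the WAN side.
wan_rule_count() {
    perimeter_rules | grep -c -- "-i $WAN_IF"
}

case "$1" in
    apply) perimeter_rules | sh -e ;;
    *)     perimeter_rules ;;
esac
```

Because the inbound echo-request is dropped in both INPUT and FORWARD on the WAN interface, no echo reply is ever generated behind the filter, which is the "filter at the earliest possible point" outcome without a second hop. The DMZ-to-inner DROP sits after the ESTABLISHED,RELATED rule, so replies to connections the inner network opened toward the web server still flow; only connections originating in the DMZ are refused.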
Old 01-10-2004, 01:29 AM   #5
drdirt
LQ Newbie
 
Registered: Jan 2004
Distribution: trying to limit to three distros
Posts: 6

Original Poster
Thanks Stickman.

Good suggestion - I should have thought enough about it to get it. Filter the ICMP incoming so that no time is wasted passing it, and responding to it. Filter the traffic at the earliest possible point.

Not Recognized = My friend's setup failed to assign an IP to a router-in-a-box (D-Link router) from his perimeter box (running freeOS). He said that the Tx/Rx lights on the NIC and the D-Link didn't light up at all. Booted, rebooted, and booted in sequence from the WAN side (modem, perimeter router, inner router) and still no good.

Any suggestions?
 
Old 01-10-2004, 02:51 AM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Are you sure your friend has set up dhcpd on the outside box? If the SoHo router is expecting to get its WAN IP via DHCP, but you haven't configured a DHCP daemon, well, there's the problem. Most of those SoHo routers let you specify a static WAN IP, which would probably be wiser in this case.

If you're 100% positive you're assigning the IP correctly, then you might have a problem with the cables.
 
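For the "no IP, no link lights" problem in the last two posts, the following is an added example, not code from the thread or from either poster, of how the perimeter box's inner interface can be set up so the SoHo router either gets a fixed DHCP reservation or can be given the same address statically in its WAN settings. It also checks for carrier first, since a dead link light is a cabling or port problem that no DHCP configuration will fix. The interface name, the /29 documentation subnet, the router's MAC address and the dhcpd.conf path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): address the perimeter box's inner
# interface, confirm carrier, and hand the SoHo router a reserved WAN
# address with ISC dhcpd. All names and addresses below are assumptions.

INNER_IF="${INNER_IF:-eth2}"            # assumed: link to the SoHo router's WAN port
INNER_NET="192.0.2.0"                   # assumed point-to-point /29 between the two boxes
INNER_MASK="255.255.255.248"
PERIM_ADDR="192.0.2.1"                  # this box
SOHO_ADDR="192.0.2.2"                   # the SoHo router's WAN address
SOHO_MAC="${SOHO_MAC:-00:11:22:33:44:55}"   # assumed: the router's WAN MAC, printed on its label
DHCPD_CONF="${DHCPD_CONF:-/etc/dhcp/dhcpd.conf}"   # assumed path; older systems use /etc/dhcpd.conf

# Emit a dhcpd.conf that only ever answers the one known MAC with the one
# address, so nothing else plugged into that port can obtain a lease.
dhcpd_conf() {
    cat <<EOF
authoritative;
default-lease-time 86400;
max-lease-time 86400;
subnet $INNER_NET netmask $INNER_MASK {
    option routers $PERIM_ADDR;
    option domain-name-servers $PERIM_ADDR;
    host soho-router {
        hardware ethernet $SOHO_MAC;
        fixed-address $SOHO_ADDR;
    }
}
EOF
}

# Returns 0 when the kernel reports carrier on the interface, 1 otherwise.
link_up() {
    [ "$(cat "/sys/class/net/$1/carrier" 2>/dev/null)" = "1" ]
}

setup() {
    ip addr add "$PERIM_ADDR/29" dev "$INNER_IF"
    ip link set "$INNER_IF" up
    if ! link_up "$INNER_IF"; then
        echo "no carrier on $INNER_IF: check the cable (older gear may need a crossover) before debugging DHCP" >&2
    fi
    dhcpd_conf > "$DHCPD_CONF"
    # bind dhcpd to the inner interface only, never to the WAN side
    dhcpd "$INNER_IF"
}

case "$1" in
    apply) setup ;;
    *)     dhcpd_conf ;;
esac
```

If the router's firmware is set to a static WAN address instead, enter 192.0.2.2, mask 255.255.255.248 and gateway 192.0.2.1 (the same values the reservation would have handed out) and dhcpd is not needed on that interface at all, which is the simpler option chort suggests.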
All times are GMT -5.