LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-18-2010, 07:25 AM   #1
Winanjaya
Member
 
Registered: Sep 2003
Posts: 209

Rep: Reputation: 32
old CISCO PIX 515 firewall to Linux firewall


Hello All,

I want to replace our old CISCO PIX 515 firewall with a Linux firewall. Is it possible?

Any tips for doing this?

Thanks & Regards
Winanjaya
 
Old 03-18-2010, 10:44 AM   #2
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163Reputation: 163
Yes, it is possible, although depending on which features of the PIX you're using, you may have to use some external programs (for VPNs and such). A lot of it can be handled outright by iptables. If you want to post more details, we could probably give you some assistance with it.
 
Old 03-18-2010, 10:52 AM   #3
Winanjaya
Member
 
Registered: Sep 2003
Posts: 209

Original Poster
Rep: Reputation: 32
Thanks,
my network topology is:

Inbound:
Internet -> Router -> PIX -> Users
and
Outbound:
Users -> Squid (Transparent) -> PIX

and my PIX firewall only contains the following:

NAT for some services: POP3, SMTP, WEB, DNS
Only IP 172.16.1.5 is allowed to go to the internet

Could you please help?

Thanks a lot in advance

Regards
Winanjaya
 
Old 03-18-2010, 10:54 AM   #4
Winanjaya
Member
 
Registered: Sep 2003
Posts: 209

Original Poster
Rep: Reputation: 32
And do I need to add 1 more NIC to my Linux box?
Eth0 -> connects to Internet Router
and
Eth1 -> connects to switch
 
Old 03-18-2010, 11:20 AM   #5
Winanjaya
Member
 
Registered: Sep 2003
Posts: 209

Original Poster
Rep: Reputation: 32
OK, please find the complete info below:

Inbound:
Internet -> Router -> PIX -> Switch -> Users

Outbound:
Users -> Squid Proxy -> PIX -> Internet

NAT:

DNS:
202.1.2.3 to 172.16.1.20
WEB:
202.1.2.4 to 172.16.1.21
SMTP:
202.1.2.5 to 172.16.1.22
POP3:
202.1.2.5 to 172.16.1.22

DMZ:
202.1.2.6 to 172.16.1.13

My Squid proxy is on 172.16.1.5, so I configured the PIX to only allow the Squid proxy to access the internet.

What I am confused about is this:
Do I need to equip it with 1 more NIC, so it would be: Eth0 -> Internet Router and Eth1 -> Switch?

Please help.
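One way to express the PIX policy described in this post (the four published services plus "only 172.16.1.5 may go out") in iptables, as an added example that is not part of the thread. It assumes eth0 faces the router and eth1 the switch, as proposed above, and that the services run on their standard ports (DNS 53, HTTP 80, SMTP 25, POP3 110); the host and address values are the ones given in the post.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rendering of the posted PIX policy.
# Assumed: eth0 = WAN (Internet router), eth1 = LAN (switch); standard service ports.
WAN=eth0; LAN=eth1
PROXY=172.16.1.5        # the Squid box: the only host allowed out to the internet

# "public_ip private_ip proto port" for each published service (values from the post)
NAT_MAP="202.1.2.3 172.16.1.20 udp 53
202.1.2.3 172.16.1.20 tcp 53
202.1.2.4 172.16.1.21 tcp 80
202.1.2.5 172.16.1.22 tcp 25
202.1.2.5 172.16.1.22 tcp 110"

# Print one iptables command per line so the ruleset can be reviewed before it is applied.
gen_rules() {
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT"   # SSH admin from the LAN only
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
  # Outbound: only the proxy may originate flows through the WAN; masquerade it.
  echo "iptables -A FORWARD -i $LAN -o $WAN -s $PROXY -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $WAN -s $PROXY -j MASQUERADE"
  # Inbound: rewrite each public address to its server (PREROUTING DNAT), then
  # permit only that new flow in FORWARD. The output interface is not pinned, so
  # the server may sit on the LAN or on a separate DMZ NIC.
  echo "$NAT_MAP" | while read -r pub priv proto port; do
    echo "iptables -t nat -A PREROUTING -i $WAN -d $pub -p $proto --dport $port -j DNAT --to-destination $priv:$port"
    echo "iptables -A FORWARD -i $WAN -d $priv -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
}

case "${1:-show}" in
  apply) gen_rules | sh -e ;;   # as root: execute the generated commands
  *)     gen_rules ;;           # default: print them for review
esac
```

Running the script with no argument prints the 20 generated rules; `apply` executes them, which needs root and a kernel with the conntrack and nat modules.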
 
Old 03-20-2010, 05:01 AM   #6
navanni
LQ Newbie
 
Registered: Mar 2010
Posts: 1

Rep: Reputation: 0
If you want a DMZ you need to add one more NIC, so you can filter traffic into and out of the DMZ, just like your PIX. What I would do is eth0 to the router, eth1 to the switch, and eth2 to another switch that would be the DMZ, so you can plug your public servers in there.
 
Old 03-20-2010, 08:45 AM   #7
Winanjaya
Member
 
Registered: Sep 2003
Posts: 209

Original Poster
Rep: Reputation: 32
OK, noted about the DMZ on eth2, but how do I NAT my services below:

DNS:
202.1.2.3 to 172.16.1.20
WEB:
202.1.2.4 to 172.16.1.21
SMTP:
202.1.2.5 to 172.16.1.22
POP3:
202.1.2.5 to 172.16.1.22

Please help.

Thanks & regards
Winanjaya
 
Old 03-21-2010, 11:15 AM   #8
devwatchdog
Member
 
Registered: Jan 2010
Posts: 198

Rep: Reputation: 44
What distro of Linux were you planning on using?

I'm not a big fan of using a regular distribution for the purposes of a firewall, although they obviously do work. I consider a firewall/router a very specific purpose, and anything not directly related to networking an extraneous waste of resources. Also, from a security standpoint, having services that aren't needed running on a firewall is a vulnerability. I went the route of stripping out unneeded daemons and commands from Slackware back in '01 for firewall use on a secondary IP address at work for testing and as a live backup, but I would not bother now. It's a waste of time considering the alternatives out there.

I've been using Vyatta for the last several months, and find it to perform very well. It is a Linux based firewall/router distribution. The web site has an open source edition available to anyone. It has everything you need to set up a firewall to handle what you are doing. I've tested with m0n0wall, pfSense and Smoothwall, but did not like them as much as Vyatta.

I'll post an example configuration which is based directly on a working config, but the IP addresses are changed to protect the innocent. The complete configuration for a Vyatta firewall is contained in one file, so backing one up is simple. The only things that aren't are the keys for OpenVPN.

Code:
firewall {
    broadcast-ping disable
    conntrack-tcp-loose enable
    ip-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    name INLAN-IN {
        rule 10 {
            action accept
            state {
                established enable
            }
        }
        rule 20 {
            action accept
            destination {
                address 192.168.77.0/24
            }
            source {
                address 10.78.24.0/24
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        rule 30 {
            action accept
            destination {
                address 0.0.0.0/0
            }
            source {
                address 192.168.77.0/24
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    name INWAN-LOCAL {
        rule 1 {
            action accept
            state {
                established enable
            }
        }
        rule 10 {
            action accept
            destination {
                address 25.196.69.210
                port 500
            }
            protocol udp
            source {
                address 69.190.127.9
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 20 {
            action accept
            destination {
                address 25.196.69.210
            }
            protocol esp
            source {
                address 69.190.127.9
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 30 {
            action accept
            destination {
                address 25.196.69.210
                port 1194
            }
            protocol udp
            source {
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 40 {
            action accept
            destination {
                address 192.168.77.0/24
            }
            protocol all
            source {
                address 10.78.24.0/24
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    name INWEB-1 {
        rule 1 {
            action accept
            state {
                established enable
            }
        }
        rule 5 {
            action accept
            destination {
                address 10.52.32.100/32
                port 80
            }
            protocol tcp
            source {
                address 0.0.0.0/0
            }
        }
        rule 10 {
            action accept
            destination {
                address 192.168.77.100/32
                port 22,18081
            }
            protocol tcp
            source {
                address 24.240.67.38
            }
        }
        rule 20 {
            action accept
            destination {
                address 192.168.77.0/24
            }
            source {
                address 10.78.24.0/24
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 30 {
            action accept
            destination {
                address 10.78.24.0/24
            }
            source {
                address 192.168.77.0/24
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        rule 500 {
            action drop
            destination {
                address 0.0.0.0/0
            }
            protocol all
            source {
                address 59.56.0.0/13
            }
            state {
                established disable
                invalid disable
                new disable
                related disable
            }
        }
    }
    name WAN-VIF11-IN {
    }
    name WAN-VIF11-LOCAL {
    }
    receive-redirects disable
    send-redirects disable
    syn-cookies enable
}
interfaces {
    ethernet eth1 {
        address 192.168.77.1/24
        duplex auto
        firewall {
            in {
                name INLAN-IN
            }
        }
        hw-id 00:06:27:24:d5:9e
        speed auto
    }
    ethernet eth2 {
        address 25.196.69.210/29
        duplex auto
        firewall {
            in {
                name INWEB-1
            }
            local {
                name INWAN-LOCAL
            }
        }
        hw-id 00:0e:0d:84:01:42
        speed auto
        vif 11 {
            address 25.196.69.211/29
            firewall {
                in {
                    name WAN-VIF11-IN
                }
                local {
                    name WAN-VIF11-LOCAL
                }
            }
        }
    }
    ethernet eth3 {
        address 10.52.32.1/24
        duplex auto
        hw-id 00:0e:0d:62:c4:4c
        speed auto
    }
    openvpn vtun0 {
        local-host 25.196.69.210
        local-port 1194
        mode server
        openvpn-option "--push route 192.168.77.0 255.255.255.0 --comp-lzo --tls-auth /etc/openvpn/keys/ta.key 0"
        protocol udp
        server {
            subnet 172.20.23.64/28
        }
        tls {
            ca-cert-file /etc/openvpn/keys/ca.crt
            cert-file /etc/openvpn/keys/vyatta.crt
            crl-file /etc/openvpn/keys/crl.pem
            dh-file /etc/openvpn/keys/dh2048.pem
            key-file /etc/openvpn/keys/vyatta.key
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name ETH1_POOL {
            authoritative disable
            subnet 192.168.77.0/24 {
                default-router 192.168.77.1
                dns-server 192.168.77.1
                lease 86400
                start 192.168.77.203 {
                    stop 192.168.77.249
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 24.196.64.53
            name-server 24.159.193.40
            name-server 68.115.71.53
        }
    }
    https
    nat {
        rule 5 {
            destination {
                address 25.196.69.210
                port 80
            }
            inbound-interface eth+
            inside-address {
                address 10.52.32.100
            }
            protocol tcp
            source {
                address 0.0.0.0/0
            }
            type destination
        }
        rule 10 {
            destination {
                address 25.196.69.210
                port 22,18081
            }
            inbound-interface eth2
            inside-address {
                address 192.168.77.100
            }
            protocol tcp
            source {
                address 24.240.67.38
            }
            type destination
        }
        rule 20 {
            destination {
                address 10.52.32.100
            }
            outbound-interface eth+
            outside-address {
                address 25.196.69.210
            }
            protocol all
            source {
                address 192.168.77.0/24
            }
            type source
        }
        rule 500 {
            destination {
                address !10.78.24.0/24
            }
            outbound-interface eth2
            source {
                address 192.168.77.0/24
            }
            type masquerade
        }
    }
    ssh {
        allow-root false
        port 22
        protocol-version v2
    }
}
system {
    domain-name example.com
    gateway-address 25.196.69.209
    host-name myatta
    login {
        user root {
            authentication {
                encrypted-password not_going_to_show_this_here
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password not_going_to_show_this_here
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 24.196.64.53
    name-server 24.159.193.40
    name-server 68.115.71.53
    ntp-server 69.59.150.135
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
    }
    static-host-mapping {
    }
    syslog {
        global {
            facility all {
                level info
            }
        }
        host 10.78.24.103 {
            facility all {
                level err
            }
        }
    }
    time-zone GMT
}
vpn {
    ipsec {
        copy-tos disable
        esp-group ESP-JOHN-S2S {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group IKE-JOHN-S2S {
            aggressive-mode disable
            lifetime 86400
            proposal 1 {
                dh-group 5
                encryption 3des
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth2
        }
        logging {
            log-modes all
        }
        site-to-site {
            peer 69.190.127.9 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret example_secret
                }
                ike-group IKE-JOHN-S2S
                local-ip 25.196.69.210
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-JOHN-S2S
                    local-subnet 192.168.77.0/24
                    remote-subnet 10.78.24.0/24
                }
            }
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@1:nat@3:quagga@1:serial@1:vrrp@1:wanloadbalance@1:webgui@1" === */
/* Release version: VC5.0.2 */
That probably looks overwhelming, but let me give you a few notes on it.

The system is set up as such:

eth1 - LAN
eth2 - WAN
eth3 - DMZ

There is a web server hosted in the DMZ.

I have a site-to-site IPSEC VPN tunnel set up, and OpenVPN for mobile users to access the system when on the road.

You can figure out which sections of the firewall rulesets apply to which interfaces by looking at the interfaces themselves to see which section is listed there. If you look at eth2, you see that INWEB-1 and INWAN-LOCAL are being used on the WAN (eth2).

DHCP as well as a caching DNS server are being offered as services on the LAN (eth1).

The NAT service rule 500 is the rule that handles masquerading outbound traffic to public space. If you look at the destination on it, instead of 0.0.0.0/24, it is !10.78.24.0/24. The reason I did it that way is because 10.78.24.0/24 is the network on the other side of the IPSEC VPN tunnel, and I don't want that traffic being NAT'ed and sent out the WAN (eth2).

As for your question about how to NAT traffic to the LAN/DMZ, here is an example.

First, here is the firewall rule:

Code:
name INWEB-1 {
    rule 5 {
        action accept
        destination {
            address 10.52.32.100/32
            port 80
        }
        protocol tcp
        source {
            address 0.0.0.0/0
        }
    }
}
And the corresponding NAT service rule:

Code:
nat {
    rule 5 {
        destination {
            address 25.196.69.210
            port 80
        }
        inbound-interface eth+
        inside-address {
            address 10.52.32.100
        }
        protocol tcp
        source {
            address 0.0.0.0/0
        }
        type destination
    }
}
External traffic with a destination of 25.196.69.210 on port 80 will be NAT'ed and sent to 10.52.32.100 in the DMZ.

As you can see, there is a virtual interface defined on eth2 (WAN) as vif 11. There are empty firewall sections for it, and no NAT rules as of yet, but you can see the structure needed to add additional IP addresses on the WAN.

The firewall rules in the sections marked 'local' define rules intended to accept traffic destined for that interface itself, not traffic to be NAT'ed or masqueraded. The IPSEC & OpenVPN traffic is listed in the local (INWAN-LOCAL) firewall ruleset because that traffic is destined for the firewall, not to be sent to a system on the LAN.

That is actually a fairly basic firewall config overall. That firewall is installed at a location where the primary activity is software/database development. All traffic sourced from internal systems is allowed out.

I like the configuration interface for Vyatta, too. Once you get used to it, it's straightforward and easy to add/remove functionality as needed.

Last edited by devwatchdog; 03-21-2010 at 11:19 AM.
 
Old 03-22-2010, 11:56 AM   #9
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163Reputation: 163
I would agree with dev; unless you're an expert or intend this as a learning experience, you might be better served by, say, m0n0wall.

Last edited by rweaver; 03-26-2010 at 03:37 PM. Reason: typo