LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-05-2004, 12:01 PM   #1
mattmc97
LQ Newbie
 
Registered: Feb 2004
Posts: 21

Rep: Reputation: 15
setting up a firewall behind a router


Hello all.

I just got hit by the worm and want to try to see if I can tighten up my network some.

Here is what I have: DSL connection --> Cisco 2611 router --> Win2000 server running DHCP for the internal network, and is running DNS for the internal network.

I ran a port scan and it said that I was basically invisible to the internet. But when trying to rid myself of the worm, I found where some guy from Germany stuck 500 megs of MP3s on my server.

So, it appears I have a security issue I need to deal with.

Questions:

1. It looks from the searching I have done that I need to use IP Tables to set up a firewall for my private network. All the guides say to have two NICs, one with a public address and one with private, but my router is my gateway and it has the public / private address setup already. I really don't want to let everything through and then have the linux box filter everything. I would rather have the linux box behind the router. Is there a way to route all traffic through a linux box behind this router without having a public address on one of the NICs?

2. I have 4 users that connect through a VPN to this location from another location and they are connecting using the WIN2000 server as the endpoint. Is there a way to have linux manage the VPN connection or can it still pass just certain traffic to the win2000 server?

3. Can I have this linux box act as my DHCP and DNS server without risking my internal clients or should I let the Win2000 box handle that and just have a dedicated firewall?

Sorry for all the questions, but any help is greatly appreciated!!!!!!!!!

thanks.

mattmc
 
Old 05-05-2004, 12:16 PM   #2
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
Re: setting up a firewall behind a router

Quote:
1. It looks from the searching I have done that I need to use IP Tables to set up a firewall for my private network. All the guides say to have two NICs, one with a public address and one with private, but my router is my gateway and it has the public / private address setup already. I really don't want to let everything through and then have the linux box filter everything. I would rather have the linux box behind the router. Is there a way to route all traffic through a linux box behind this router without having a public address on one of the NICs?
You can do it either way. You can leave the router there but configure your clients to use the firewall IP as their gateway so the traffic is routed through there first. Sorta like this:

<wan ip>--<Cisco>192.168.0.1---192.168.0.2<firewall>192.168.1.1--internal IP range

Or you can remove the router and let the firewall route for you.

<wan ip>--<firewall>192.168.x.x---internal IP range

Quote:
2. I have 4 users that connect through a VPN to this location from another location and they are connecting using the WIN2000 server as the endpoint. Is there a way to have linux manage the VPN connection or can it still pass just certain traffic to the win2000 server?
Yes and yes. Again, you can have the firewall be the VPN endpoint, or you could pass VPN traffic to your win2000 server for authentication and tunnel.


Quote:
3. Can I have this linux box act as my DHCP and DNS server without risking my internal clients or should I let the Win2000 box handle that and just have a dedicated firewall?
Again, both yes, but it depends on what you want to do with your network. I believe in a firewall as a dedicated device, but the ICSA says you can run DHCP and be certified.

Bottom line is how far do you want to go with your network? My setup is a firewall at the DSL side and it does DHCP and acts as the VPN endpoint for roaming users and site to site connections. But then again, that is what the business wanted.
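The first topology cyph3r7 sketches (Cisco at 192.168.0.1, firewall outside address 192.168.0.2, LAN 192.168.1.0/24 behind it) written out as a minimal iptables ruleset. This is an added example, not code from the thread; the interface names eth0/eth1 are assumed, and the LAN is masqueraded behind 192.168.0.2 so the Cisco needs no route back to 192.168.1.0/24.

```shell
#!/bin/sh
# Two-NIC firewall sitting between the Cisco and the LAN (added example).
# Assumed: eth0 = 192.168.0.2 facing the Cisco at 192.168.0.1,
#          eth1 = 192.168.1.1 facing the internal LAN 192.168.1.0/24.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
# Set IPT=echo to print the rules instead of loading them (dry run).
IPT="${IPT:-iptables}"

fw_rules() {
    # Start from a clean slate; default to dropping anything not explicitly allowed.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the firewall itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the LAN side may talk to the firewall (management, and DHCP/DNS if it runs them).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # LAN -> Internet is allowed; from the Cisco side only replies come back in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log (rate limited) what is dropped so scans and worm traffic show up in syslog.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "

    # Hide the LAN behind the firewall's outside address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

apply() {
    fw_rules
    # Turn on forwarding only after the rules are loaded (skipped in dry run).
    [ "$IPT" = echo ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage: sh fw.sh apply   (as root)   or   IPT=echo sh fw.sh apply   (dry run)
if [ "${1:-}" = apply ]; then
    apply
fi
```

Clients then use 192.168.1.1 as their default gateway, as the reply describes; the firewall itself keeps 192.168.0.1 as its gateway.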
 
Old 05-05-2004, 01:04 PM   #3
mattmc97
LQ Newbie
 
Registered: Feb 2004
Posts: 21

Original Poster
Rep: Reputation: 15
Great info! Thanks for the quick response.

Where is the best place to find out info on setting up the firewall?

I have read that there are some front ends for iptables that make it easier to setup. Do you use them, which ones, or is it better to do it manually?

My remote clients are connecting with the VPN client built into their windows 2000 O/S using their Active Directory passwords on the WIN2000 server. If I mirrored my Active Directory over on the linux VPN and let it authenticate, would Win2000 clients be able to connect to a linux VPN server?

I would like to isolate my windows stuff as much as possible because it seems most of the attacks are mostly on windows machines!

I will be starting from scratch so any further insight would be great!

thanks again.

mattmc
 
Old 05-05-2004, 04:36 PM   #4
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
I used to use fwbuilder, then I just learned the syntax, then I got even lazier and went and downloaded m0n0wall, put it on a soekris net4521, added a wireless card, and I am in pig hog heaven. My buddy has a m0n0wall at his house and we have a site to site VPN to share our networks and play head to head games across.

I have all the wireless machines on one subnet and the lan servers on another.

With the traffic shaper my buddy limits his roommate's bandwidth since they spend all day downloading crap.

Last edited by cyph3r7; 05-05-2004 at 04:38 PM.