LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 06-26-2006, 09:25 AM   #1
Fenier
LQ Newbie
 
Registered: Jun 2006
Distribution: Slackware
Posts: 2

Rep: Reputation: 0
Questions on Setting up a Slackware Gateway using only default packages


Good Morning.

I am fairly familiar with Linux commands, permissions etc. I currently have a secondary system in which I plan to partition and install Slackware 10.2 to use as a Gateway.

I have a few specific questions, which I am hoping I could get assistance with.

My goals for the gateway are:

Providing a single connection point for any other system attached to my home network.
Providing the home network with a firewall

So the questions I have are as follows.

1: Installing only the base Linux system, which are the preferred packages to select during install from the Networking menu to handle firewall functions (iptables?) and IP forwarding?

2: Should I place a DNS service on the gateway, or should I select another box to act as a DNS server for the network? I am trying to design the home network from a security point of view (to increase understanding of network security and configuration), hence why I plan to run and install as little as possible on the gateway machine.

3: I plan to have the gateway run SSH. Is there a way to set the system to only accept SSH connections when they are from an internal network address on the internal NIC card, while excluding all IP traffic using the internal network's IP range to the NIC card attached to the cable modem? If so, could someone list off which packages I should read the MAN pages on, or refer me to a How-To link?

4: Lastly, I run several IP-based games / messaging services off the primary Windows 2k machine. Is there a way to easily ID which ports it requires so I can leave these ports available when configuring the firewall?

I really don't mind figuring things out on my own, and I am more than willing to read the correct man pages, I am just looking for a pointer in the right direction.

Thank you for your time.

-Fenier
 
Old 06-26-2006, 10:40 AM   #2
cwwilson721
Senior Member
 
Registered: Dec 2004
Location: In my house.
Distribution: Ubuntu 10.10 64bit, Slackware 13.1 64-bit
Posts: 2,649
Blog Entries: 1

Rep: Reputation: 67
There are many, many, many threads in this forum about 'gateway', 'iptables', and the like.

However, since you said you like to read, look in your /usr/doc directory. Tons of stuff in there.

As far as what to install, I would install everything but KDE. True, it may be a bit of overkill, but until you have everything sussed out, you never know what you'll need. Just run pkgtool at a later date to trim it down.
 
Old 06-26-2006, 02:08 PM   #3
Fenier
LQ Newbie
 
Registered: Jun 2006
Distribution: Slackware
Posts: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by cwwilson721
There are many, many, many threads in this forum about 'gateway', 'iptables', and the like.
My question about iptables (as I see there has been a lot written on it) is simply - is this the preferred firewall package from the Slackware discs? If it is (for whatever reason) I will spend the time to get it working, however - if there is something which may be better from the install discs, I would like to work on that instead.

I am really not looking for step by step, just a minor rough list of things to look at, which is why I was as specific as I could be in my initial post.

-Fenier
 
Old 06-26-2006, 03:30 PM   #4
cwwilson721
Senior Member
 
Registered: Dec 2004
Location: In my house.
Distribution: Ubuntu 10.10 64bit, Slackware 13.1 64-bit
Posts: 2,649
Blog Entries: 1

Rep: Reputation: 67
Slackware does not have any 'firewall/NAT' specific software packages, except iptables.
 
Old 06-26-2006, 04:55 PM   #5
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
  1. Installing all packages from the 'n' package set would cover the requirements I guess, but what cwwilson721 said makes sense and is easier: install everything except for the x, xap, tex and emacs packages.
  2. There is nothing against running DNS for your internal network on the firewall host. You should use an iptables firewall rule to block outside access to your DNS server.
  3. You can instruct SSH to only listen on the internal NIC (check out /etc/ssh/sshd_config for "ListenAddress")
  4. Port numbers for popular applications are well-documented on the internet, like here: http://www.portforward.com/cports.htm

A simple web-based generator for an iptables based firewall script is http://www.slackware.com/~alien/efg/ - but there are many such programs available on the internet. Just search and read.

Eric
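
The rules this answer points to (DNS closed to the outside, SSH reachable on the internal side only), together with the spoofed-source drop asked about in question 3, written out as an added example that is not part of the original thread. The interface names, the LAN range and the function name `gen_gateway_rules` are assumptions; it also assumes a DNS server runs on the gateway.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a two-NIC gateway.
# Interface names and the LAN range are assumptions supplied by the caller.
# sshd side of the same goal: in /etc/ssh/sshd_config set
#   ListenAddress <gateway's internal IP>
gen_gateway_rules() {
    # Refuse to emit rules unless two distinct NICs and a LAN range are given.
    if [ "$#" -ne 3 ] || [ "$1" = "$2" ]; then
        echo "usage: gen_gateway_rules EXT_IF INT_IF LAN_CIDR" >&2
        return 1
    fi
    gw_ext=$1; gw_int=$2; gw_lan=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the LAN behind the gateway's external address.
-A POSTROUTING -o $gw_ext -j MASQUERADE
COMMIT
*filter
# Default deny for inbound and forwarded traffic; the gateway may talk out.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: LAN source addresses must never arrive on the external NIC.
-A INPUT -i $gw_ext -s $gw_lan -j DROP
-A FORWARD -i $gw_ext -s $gw_lan -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH and DNS are accepted from the internal NIC only; nothing is opened
# on the external NIC, so outside requests hit the DROP policy.
-A INPUT -i $gw_int -s $gw_lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $gw_int -s $gw_lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $gw_int -s $gw_lan -p tcp --dport 53 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $gw_int -o $gw_ext -s $gw_lan -j ACCEPT
COMMIT
EOF
}

# Run as root: sh gateway-rules.sh eth0 eth1 192.168.1.0/24 | iptables-restore
# Routing also needs: echo 1 > /proc/sys/net/ipv4/ip_forward
if [ "$#" -eq 3 ]; then gen_gateway_rules "$@"; fi
```

Ports for games or messaging on LAN machines need no extra rule for outbound use, since the last FORWARD rule lets the LAN initiate any connection; only services that must accept connections from outside need additional entries.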
 
Old 06-26-2006, 07:20 PM   #6
Crashbox
Member
 
Registered: Jun 2004
Location: USA
Distribution: Slackware
Posts: 137

Rep: Reputation: 22
There are two different ways you can go about this:

If your goal is to simply turn this secondary machine into an appliance which you can stick in a corner and forget about, I suggest you look into Smoothwall Express. Yes, I know this is (damn near) heresy for a bona fide slacker such as myself, but Smoothwall is designed to do exactly what you've described and it does it in a very secure way.

On the other hand: if you're looking for a new project to tinker with (and learn something new in the process) then Slack is an excellent choice, but keep in mind that you will need to put some time and effort into making it more secure. After all, this machine will be accessible from the big bad internet.

The general term for this is OS hardening, but some specific things you'll want to examine are:

- what services are running on the machine (ssh, http, ftp, inetd, etc) and how to turn them on/off etc.

- tweaking your ssh daemon to be as secure as possible (this may seem counter-intuitive, but port-scanners are easy to come by and at the very least you don't want to run ssh on the default port). There are many threads in this forum on this topic. I think I even wrote one at one point. Search is your friend.

- recompiling your kernel to eliminate anything that is unnecessary

- and as a caveat to something cww said..go ahead and do a full (or nearly full) install at first, but it would probably be wise to go back later and get rid of anything you didn't need and/or anything the machine doesn't need to run day to day.


As I said, search is your friend and so is Google. Hope this was helpful.
 
  

