LinuxQuestions.org


tibby 06-02-2004 08:19 AM

Network Security
 
Hello all. I have worked with Linux since Slackware 3, but it was in an ISP environment and I didn't require the use of a Firewall and Proxy. Well, now I do. I went out and downloaded the Smoothwall product; while it is great and the scripts are wonderful, it is lacking a lot of things. So, I have to set out, and using LFS, create a Firewall/Proxy that suits my needs. So, first off, I'm going to be running kernel 2.6.6, and definitely going to have Squid running. So, my basic questions are:

1) Set up IPTables, and block all ports except what's specified to be open, including >1024

2) Set up Port Forwarding

3) Set up PAM Authentication to authenticate against my Windows AD Server, or some way of syncing the local passwd/shadow files with the Active Directory Domain

4) Set up Squid, possibly with the above authentication realm.

After I get this LFS distro built and working, I'm going to offer it as a general distro if anyone is interested. One of my biggest problems with Smoothwall is that the USB system, for the most part, is crippled, so I cannot use a USB 56k modem as a backup to the WAN interface, and there's no possibility of setting up wireless on the LAN side.
Also, if anyone else has any suggestions, like Spam filtering, or AV that can run on a firewall/proxy, let me know and I'll try and integrate it into a Linux system that will knock the socks off of anything M$ can dream of.

Thanks,
Tibby
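
For points 1) and 2) of the post above, here is an added example of a default-deny iptables ruleset with one port forward, written in iptables-restore format so the whole policy loads atomically. This is not code from the thread or from any of the distros discussed; the interface names (eth0 on the WAN side, eth1 on the LAN side), the LAN subnet 192.168.1.0/24 and the internal web host 192.168.1.10 are hypothetical placeholders. With the INPUT and FORWARD policies set to DROP, every port that is not explicitly listed, including everything above 1024, is closed, and the forwarded service is only reachable because a matching FORWARD rule accompanies the DNAT rule.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny iptables ruleset with one
# DNAT port forward, emitted in iptables-restore format.
# Assumed (hypothetical) layout: WAN on eth0, LAN on eth1, LAN subnet
# 192.168.1.0/24, web server to expose on 192.168.1.10. Override via environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_HOST="${WEB_HOST:-192.168.1.10}"

# Print the ruleset. Chain policies are DROP, so any port not listed below,
# including every port above 1024, is closed on the firewall itself and nothing
# is forwarded that is not explicitly allowed.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port forward: TCP/80 arriving on the WAN side is rewritten to the internal web host
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
# LAN clients leaving through the WAN interface are masqueraded
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only SSH and the Squid port (3128) on the firewall are reachable, and only from the LAN
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 3128 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN may initiate connections to the WAN
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# The DNAT above still needs a FORWARD rule, or the forwarded packets hit the DROP policy
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the generated set; a cheap sanity check before applying.
rule_count() {
    gen_rules | grep -c '^-A '
}

# Only touch the live firewall when asked explicitly and running as root;
# otherwise just print the ruleset for review.
if [ "$1" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it without arguments to review the generated policy, and with `--apply` as root to load it. The IP forwarding sysctl (`net.ipv4.ip_forward=1`) must also be enabled for the port forward and the masquerading to work; Squid's port is only opened towards the LAN interface so the proxy is never reachable from the WAN.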

Astro 06-03-2004 09:43 AM

To tell you the truth, IMHO LFS is great for learning what all goes into a distro and such, but I wouldn't want to run it for something like that. I would simply take a slackware 9.1 install, with no X, and the basics needed for networking and such, throw shorewall on it, and use webmin to administrate it. It's a quick solution compared to the compile time of the other... Shorewall has everything you'd need for what you're doing, and it's a small install, if you've got limited space. However, if you're all about the compiling and it's not a problem, then go for it. I found that since I like slack a ton, and have used it since 3 myself as you have, I generally ended up with a slimmed-down slack distro when I built my LFS one :eek: soooo there's my $0.02

MS3FGX 06-03-2004 10:14 AM

I don't think you're going to be able to beat SmoothWall. It is the best dedicated firewall distro out there. I think you are probably the first person I can remember having anything bad to say about SmoothWall as well.

Why do you want your firewall to authenticate against Active Directory?

And as for SmoothWall not supporting 56K, well, that is just its design. SmoothWall is designed as an Ethernet firewall, as are 90% of firewalls out there (hardware anyway). You would be hard pressed to find a hardware firewall that supports 56K, let alone any sort of USB modem.

Besides, any sort of failover for the WAN should be done at the gateway, not the firewall. If you don't have a gateway (using a broadband modem instead of a router maybe), then you could set up a machine as a gateway, set up your broadband device and a 56K modem on it, and connect that to the WAN side of the SmoothWall with a crossover cable. Then the SmoothWall could be fed either broadband or 56K.

And I don't see why you can't set up wireless on the LAN side. You should be able to connect a wireless access point (access point only, no integrated router) to the LAN side of the SmoothWall, and SmoothWall should hand out dynamic IPs to anything within range of the access point.

Astro 06-03-2004 10:21 AM

I'll have to agree with tibby, Smoothwall is lacking in some things. At my previous job we chose Shorewall over smoothwall for the fact that Shorewall had everything we needed and smoothwall didn't.

MS3FGX 06-03-2004 11:08 AM

What did you find lacking?

I have run SmoothWall in a 120+ client network (I have since moved over to a dedicated hardware firewall) and didn't have any problems.

I'm just curious as to what others expect from their firewall.

Astro 06-03-2004 11:38 AM

Well, we needed to be able to have multiple IPs on the same interface to allow static NAT; that was one thing that smoothwall didn't support at the time of the implementation. We also wanted to be able to monitor the box better, such as with MRTG and SNMP and such, which smoothwall wouldn't do.

bagira 06-03-2004 01:43 PM

I have got an Astaro Firewall and it works great. There are many features, like HTTP, SMTP and POP3 proxies, Intrusion Prevention, Virus Scanning for Web and Mail, Spam Protection...
Have a look at www.astaro.com.
/bagira
