Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's, this is the place!
07-31-2003, 03:29 PM | #1 | LQ Newbie | Registered: Jul 2003 | Location: Boulder, CO | Distribution: RedHat Linux 9 | Posts: 4

Firewall?

I'm starting on my Linux journey finally. It looks like it's going to be fun. I did this because my employers want me to utilize it for building a firewall for the company. I'm installing RedHat 9 on this machine and am getting ready to start researching firewalling techniques. Can anyone make some suggestions as to what's better, Linux native firewall capabilities or some firewall add-on?

Additionally, because our Cisco routers are doing all of our NAT for our LAN, how do you go about setting up the firewall's two NICs? Do both receive internal (LAN) IPs or do I still need to assign the outside NIC a "real" IP?

WOW, am I a

Thanks for any help.
07-31-2003, 05:09 PM | #2 | Senior Member | Registered: Apr 2003 | Location: Eire | Distribution: Slackware 12.0, OpenSuse 10.3 | Posts: 1,120

If that's the specific purpose, firewalling, take a look at Smoothwall, which is dedicated to the purpose.
07-31-2003, 05:29 PM | #3 | LQ Addict | Registered: Dec 2001 | Location: Brooklyn, NY | Distribution: *NIX | Posts: 3,704

Is it a big/medium size company or just a small office? If it is the first one, I'd suggest implementing the CheckPoint firewall solution from http://www.checkpoint.com . Also, regarding the NIC cards: one is supposed to receive/transmit packets to/from outside, so yes, it must be configured with an external IP, and the other to your LAN. As for Linux: Linux provides a stateful software-based firewall with netfilter, configured for iptables; I believe it will suffice for a home/small office network scheme. Visit our linux-security forums to familiarize yourself with them. Good luck.
08-01-2003, 09:08 AM | #5 | LQ Newbie | Registered: Jul 2003 | Location: Boulder, CO | Distribution: RedHat Linux 9 | Posts: 4 | Original Poster

Thanks a lot guys! Lots of good information there! Back to my NIC question. Our setup looks like this:

Internet - CiscoRouter - FireWall - Internal network
Router - 206.101.11.1
Internal Network - 192.168.1.x

Because the Cisco is doing NAT for our bogus 192.168 network addresses, why should I give the firewall's external NIC an outside address? Should the external NIC still have a 192.168 address? Because we are limited to a very few "real" IP addresses for our site, I'm not even sure there IS an extra one available.

Any documents to get my noobie ass in the right direction?

Thanks again guys (and girls?)

Last edited by MATPHAT; 08-01-2003 at 09:10 AM.
08-01-2003, 09:45 AM | #6 | Senior Member | Registered: Feb 2001 | Location: Montreal, Quebec, Canada | Distribution: RedHat, Fedora, CentOS, SUSE | Posts: 1,403

You can give your firewall's external NIC a private IP.
And keep your public IPs for servers that connect directly to the Internet.
However, your Cisco router has a built-in firewalling subsystem.
You can add ACLs on your Cisco router.
You can download the documentation for your router at the Cisco web site.
http://www.cisco.com/
08-01-2003, 11:47 AM | #7 | LQ Newbie | Registered: Jul 2003 | Location: Boulder, CO | Distribution: RedHat Linux 9 | Posts: 4 | Original Poster

So then the Linux firewall could have a 192.168 address on the external NIC?
Yes, the Cisco 2600 has a firewall, but isn't that an additional license and package?
The keyword here is free!
08-01-2003, 12:46 PM | #8 | Member | Registered: Mar 2003 | Location: Iowa, US | Distribution: Mint | Posts: 174

There is always the solution to set your firewall PC up as a router as well. This is what I am doing. Give the external NIC the public IP and the internal one a 192.168.x.x address, and configure iptables with NAT. With iptables you can set up NAT (SNAT and DNAT), use port forwarding and pretty much everything else. If you are running other servers, you can also set up a DMZ to add another layer of protection for your LAN.

Like I mentioned, this is how I have mine set up, so I am not sure how you would set up a firewall without having it route as well.

PhilD

Edit: Humm, it may be as easy as giving the firewall a private IP for both NICs and then just pointing your PCs to the incoming NIC as their gateway. It still seems like you are doing double work, as all traffic would be coming to the router and being directly routed to the firewall only. Humm.... Okay, I am not so sure that will do what you want.....

Last edited by PhilD; 08-01-2003 at 12:49 PM.
08-01-2003, 12:54 PM | #9 | Senior Member | Registered: Feb 2001 | Location: Montreal, Quebec, Canada | Distribution: RedHat, Fedora, CentOS, SUSE | Posts: 1,403

If your Cisco router is doing NAT, then the Linux server can have a private IP (192.168.x.x).
The Cisco 2600 router series has a firewall system that is included in the router -- no extra cost.
The firewall rules are called Access Control Lists (ACL).
I strongly suggest reading the manuals and documentation on your router.
You will find that you can do a lot with the router, including firewall (ACL), Virtual Private Networks (VPN), inter-VLAN routing, etc.

Cisco 2600
http://www.cisco.com/en/US/products/...259/index.html
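The two topologies debated in posts #8 and #9, as an added example that is not code from any of the thread's posters: a POSIX shell script that generates iptables rule sets for (A) PhilD's layout, where the Linux box holds the public IP, does the NAT itself (SNAT for outbound traffic, a DNAT port forward and the matching FORWARD rule for one internal server), and (B) the original poster's case, where the Cisco already does NAT and the Linux box carries private addresses on both NICs and only filters. The interface names eth0/eth1, the public address 203.0.113.2 (documentation range) and the internal web server 192.168.1.10 are constructed placeholders; 192.168.1.0/24 is the network from the thread. By default the script only prints the rules it would apply (IPT defaults to `echo iptables`); set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rule sets for the two
# topologies discussed above. IPT defaults to "echo iptables" so running the
# script only prints the rules; run it as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

WAN_IF="${WAN_IF:-eth0}"                 # external NIC; interface name is an assumption
LAN_IF="${LAN_IF:-eth1}"                 # internal NIC; interface name is an assumption
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # the thread's internal network
WAN_IP="${WAN_IP:-203.0.113.2}"          # constructed public address (documentation range)
DMZ_HOST="${DMZ_HOST:-192.168.1.10}"     # constructed: internal web server reached by port forwarding

# Rules common to both scenarios: default-deny, stateful, SSH only from the LAN side.
base_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
    # LAN hosts may open connections outward; only replies to them come back in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Scenario A (PhilD's setup): the Linux box is the router, holds the public IP on
# WAN_IF and does the NAT itself, including one port forward to an internal server.
router_with_nat_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    base_rules
    $IPT -t nat -F
    # SNAT: rewrite the source of outbound LAN traffic to the public address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
    # DNAT: inbound TCP/80 arriving on the public address goes to the internal web server...
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_HOST:80"
    # ...and FORWARD must permit that new connection (it sees the rewritten destination).
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$DMZ_HOST" --dport 80 -m state --state NEW -j ACCEPT
}

# Scenario B (the original poster's situation): the Cisco already does NAT, so the
# Linux box carries private addresses on both NICs and only filters and forwards.
# No nat-table rules are needed; LAN hosts use LAN_IF's address as their gateway
# and the Cisco's LAN-side route for 192.168.1.0/24 points at WAN_IF's address.
filter_only_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    base_rules
}

# Pick the scenario from the first argument; default to the filter-only case.
main() {
    case "${1:-filter}" in
        nat)    router_with_nat_rules ;;
        filter) filter_only_rules ;;
        *)      echo "usage: $0 [nat|filter]" >&2; return 2 ;;
    esac
}

main "$@"
```

Scenario B is the answer to the poster's question about the spare public address: because the nat table is never touched, the Linux box needs no "real" IP at all; its only job is stateful filtering between two private segments, which is exactly what posts #6 and #9 describe. Scenario A shows the extra work PhilD's approach takes on (and the reason it needs the public IP on the box): every inbound service must be both translated in PREROUTING and explicitly allowed in FORWARD, or the DNAT rule alone will rewrite packets that the default-deny FORWARD policy then drops.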
08-01-2003, 01:12 PM | #10 | LQ Newbie | Registered: Jul 2003 | Location: Boulder, CO | Distribution: RedHat Linux 9 | Posts: 4 | Original Poster

I will certainly give it every bit of my attention. I wasn't aware it was standard with the router.
Thanks so much!!