Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm going to be setting up a firewall/router. Originally I bought a Soekris net4501, but decided to use an older desktop for the task.
So, I'll probably end up using SuSE for the base distro, as I haven't been able to find a suitable pre-tailored firewall distro.
The requirements which aren't met by most firewall distros are:
1) Need to be able to install additional software, such as NRPE daemon for Nagios, rkhunter, etc.
2) Would REALLY like to have shell access, it makes me feel more comfortable.
3) Need to be able to customize logging via syslog-ng - i.e. log both locally and to a LAN host.
4) This will be a headless server after initial setup, so I need to be able to administer everything remotely.
5) I do NOT want administration over the WAN without a workaround unless I have to. I would consider Webmin with a restricted user and HTTPS, but would prefer having to SSH into a LAN server (will have SSH passed thru firewall to one server) and then back into the firewall.
6) SMTP support.
Any ideas? Recommendations? Is this complex enough that I should just build one from the ground up with SuSE?
Which firewall distros did you review? Because I don't see the problem. IMHO, and by my taxonomy, none of the points you posted are of real concern wrt aspects of security. And none should be a problem with (FW) distros that can be installed on a HD. If you are more comfortable building one up using SuSE, then why not? Any way you choose it's GNU/Linux and that spells flexibility and such...
I looked into IPcop, m0n0wall, etc. and none of them support a real way to install software. Even with HDD installation, they all have SSH disabled, and no real way to install additional software.
I already have working configurations of everything I need, as well as a plethora of admin scripts, for SuSE, so I'll just go with that.
The main issue that I'll have to tackle is setting up a relatively easy administration interface for configuration of the firewall. I can't seem to find any popular CLI/Ncurses tools (though I haven't done a full search yet). I'll probably start with webmin and, if need be, write my own admin tool and GPL it.
I'm currently using SmoothWall Express 2 & I've been considering looking seriously at IPCop. One of my concerns is the ability to easily install new software w/o worrying about breaking things. I decided shortly after I started using SWE that it is too much of an integrated pkg. for me to mess w/ safely.
About the only non-standard tweaks I have made are to dnsmasq.conf to block a variety of advertising & malware sites.
I would strongly recommend considering dnsmasq for your DHCP/DNS server -- its domain to IP mapping (read "blocking") syntax is little more complicated than that of a hosts file, yet it maps (blocks) whole domains as well as single hosts. (If you've ever encountered a 45,000 line, let alone a 450,000 line ad etc. blocking hosts file, you will appreciate the savings & simplicity.)
It also serves the FW's hosts file as if it were a "master" hosts file. This is especially convenient if you use DHCP to serve fixed IP addresses: you can then put the assignments, including aliases, in the FW's hosts file & have them available across your network w/o the hassle of maintaining a copy on each box.
I take it you want to understand your FW by building it, rather than analyzing someone else's work that you picked as a starting point. I assume that re-working IPCop, for instance, would be more work & less fun than starting from a SuSE base.
I believe all the IPCop code is GPL'ed, so you might be able to adapt their web interface.
I am curious, btw, did IPCop really fail all 6 of your criteria? Since I am thinking of moving to it, any insight would be appreciated.
One last Q: why SMTP? For a full mail server, or something else?
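To make the dnsmasq blocking point above concrete, here is an added shell example (not code from any poster in this thread) that converts a hosts-format blocklist into dnsmasq address= lines. Because an address=/domain/ entry in dnsmasq matches that domain and every name under it, the converter also drops any hostname whose parent domain is already listed, which is where the size savings over a 45,000-line hosts file come from. The sample blocklist is constructed for the example and the output path under /etc/dnsmasq.d is an assumption about how dnsmasq is configured.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): convert a
# hosts-format blocklist into dnsmasq address= lines.
#
# dnsmasq's "address=/example.test/0.0.0.0" answers 0.0.0.0 for example.test
# AND every name under it, so a hosts file full of sub1.ads.example.test,
# sub2.ads.example.test, ... collapses to a single line. The converter drops
# any name whose parent domain is itself listed.
#
# Assumptions: input lines look like "0.0.0.0 host.example" or
# "127.0.0.1 host.example # comment"; only the second column is used.

# hosts_to_dnsmasq [file ...]   (reads stdin when no file is given)
# Prints sorted "address=/<domain>/0.0.0.0" lines, one per uncovered domain.
hosts_to_dnsmasq() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        { name = tolower($2) }
        name == "" || name == "localhost" || name == "localhost.localdomain" { next }
        name ~ /^[a-z0-9.-]+$/ { print name }         # ignore anything that is not a hostname
    ' "$@" | sort -u | awk '
        { all[$0] = 1 }
        END {
            for (d in all) {
                # walk up the label chain: a.b.c -> b.c -> c; if any ancestor is
                # listed, dnsmasq already blocks d through that entry
                n = d; covered = 0
                while (index(n, ".") > 0) {
                    sub(/^[^.]*\./, "", n)
                    if (n in all) { covered = 1; break }
                }
                if (!covered) print "address=/" d "/0.0.0.0"
            }
        }' | sort
}

# sample_hosts: a small blocklist constructed for this example (not real data)
sample_hosts() {
    cat <<'EOF'
# constructed sample, hosts-file format
127.0.0.1 localhost
0.0.0.0 ads.example.test
0.0.0.0 tracker.ads.example.test     # redundant: parent ads.example.test is listed
0.0.0.0 a.cdn-metrics.test
0.0.0.0 cdn-metrics.test
0.0.0.0 Malware.Example.NET
EOF
}

# Typical use (as root; the conf-dir location is an assumption):
#   hosts_to_dnsmasq /path/to/hosts-blocklist > /etc/dnsmasq.d/blocklist.conf
#   dnsmasq --test            # syntax-check the configuration before restarting
```

Write the output to a file that dnsmasq actually reads (via conf-file= or conf-dir= in dnsmasq.conf) and run dnsmasq --test before restarting the daemon; a typo in a 40,000-line blocklist otherwise takes the LAN's resolver down with it. The "master hosts file" behaviour described in the post is dnsmasq's default of reading /etc/hosts; expand-hosts additionally appends the local domain to the simple names found there.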
Well, it's done and running. I have everything finished, except for the VPN, which (given that I have a dynamic IP and the client is behind NAT) will take some work.
I went with IPcop. There's an option in the web interface to enable SSH, and this gets me a root command line on the machine. The only major issue that I ran into is the lack of a package manager. If I can find out what distro (if any) it was based on, perhaps I can install rpm or apt. For now, I'm going to be setting up GCC on it for some basic installation... though the filesystem is organized differently from the SuSE that I'm used to.
There are some good addons packages for IPcop, though as far as my quick research could tell, there's no widely accepted package manager. As long as I can get GCC on it (and the required libraries), it will be a bit of a pain, but I can live with it.
Right now I'm using the IPcop default DHCP server (which supposedly can have options added in the config file manually), but in the future I plan on adding a DNS server when I migrate to DNS and LDAP for the LAN.
To specifically answer your last questions:
Getting all of the information on IPcop wasn't easy. Eventually, I decided to just give it a shot, and it worked. I had the base SuSE system installed, and was really liking it, but after coming up dry in my search for a firewall GUI (I can handle the configuration initially by hand, but if I just want to open one port to test something, a GUI is much easier) that also handles NAT, I decided to give IPcop a shot.
Once I found the SSH option for IPcop, things moved smoothly...
Yes, I run a full mailserver using SMTP and IMAP. Given my dynamic IP, a mail server has a few issues - primarily the fact that it's not redundant (anything sent directly may have issues if there's a hiccup) and that since it doesn't reverse-validate, most big ISPs reject the mail.
I solved this by forwarding all of my email accounts to a POP address at my ISP, then using fetchmail every 2 minutes to pull the mail down to my server. Mail is stored locally and accessed either with Thunderbird via IMAP or with squirrelmail as a web gateway. For outgoing, all of my mail clients send via SMTP (with Cyrus SASL auth), which then relays via my ISP's server (once again with SASL auth).
The only big issue in this was getting sending to work remotely... the LAN that my remote client is on blocks port 25, so I just forwarded port 10008 on the WAN to 25 on the server.
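The port forward in the last paragraph, written out as plain netfilter rules, as an added example that is not part of the original posts. It is written for a hand-built firewall (IPcop manages its own rule set, so on IPcop this would go through its interface or addon mechanism rather than being appended by hand); the interface name, LAN address and ports are placeholders. The point it makes is that a DNAT rule only rewrites the destination: the rewritten packet still has to be accepted in the FORWARD chain, and net.ipv4.ip_forward must be on, or the "open one port to test something" case silently fails. An MTA reachable from the WAN this way should accept relaying only after authentication, which is what the SASL setup described above does.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): the netfilter rule
# pair behind "forward WAN port 10008 to port 25 on the mail server", written
# for a hand-built firewall. Interface name, addresses and ports are
# placeholders chosen for the example.
#
# Two rules are needed, not one: DNAT in the nat table rewrites the destination,
# but the rewritten packet is then filtered by the FORWARD chain and is dropped
# by a default-deny policy unless explicitly accepted there. ip_forward must be
# enabled as well.

# valid_port <n>: 1..65535, digits only
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 <a.b.c.d>: exactly four decimal octets, each 0..255
valid_ipv4() {
    case $1 in
        ''|.*|*.|*..*) return 1 ;;      # empty, leading/trailing/double dot
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# forward_baseline: one-time prerequisites, printed once per rule set
forward_baseline() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    # reply and related traffic for any forwarded connection
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# forward_rules <wan-if> <wan-port> <lan-ip> <lan-port>
# Validates its arguments and prints the DNAT + FORWARD pair for one TCP port.
# Prints rather than applies, so the result can be reviewed or piped to sh.
forward_rules() {
    wan_if=$1 wan_port=$2 lan_ip=$3 lan_port=$4
    if ! valid_port "$wan_port" || ! valid_port "$lan_port"; then
        echo "forward_rules: bad port" >&2; return 1
    fi
    if ! valid_ipv4 "$lan_ip"; then
        echo "forward_rules: bad LAN address" >&2; return 1
    fi
    # Restrict the DNAT to the WAN interface so a LAN client talking to the
    # firewall's own port is not silently redirected as well.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan_if" "$wan_port" "$lan_ip" "$lan_port"
    # After DNAT the packet's destination is already the LAN host and port,
    # so the FORWARD rule matches on those, not on the WAN port.
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$wan_if" "$lan_ip" "$lan_port"
}

# Review the output, then apply as root:
#   { forward_baseline; forward_rules eth0 10008 192.168.1.10 25; } | sh
```

Keeping the generator separate from the apply step is deliberate: on a headless box administered over SSH, a wrong FORWARD rule is easier to spot on screen than to debug after the connection has gone away.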