Howto setup two stage firewall? Linux and router-in-a-box?
I would like to use a bare install of Linux to put up a perimeter router (filtering some) outside of a "router-in-a-box" with serious access lists.
Can anybody refer me to resources, especially on getting the Linux box to properly recognize my SMC Barricade and vice versa?
I'm not really sure what this accomplishes, aside from possibly slowing down all your traffic. Typically these types of setups are used to create a "screened subnet" that could be used as a DMZ, but if you don't plan to put anything between your packet filter and your SoHo firewall, I have to say I don't really see what the point is.
Why...
Maybe it is overkill, but I am trying to play with (and better understand) security as preached by Cisco. You immediately picked up on one of the advantages that they advocate, and there is one other-
One: put a web server in a "screened" zone or "dirty DMZ." Two: on the perimeter router, filtering outgoing ICMP responses (at least echo responses) blocks conventional reconnaissance probes of the inner firewall. The outer router really doesn't function as a proper firewall. Mainly set up lists to protect it and the inner firewall. And, as you saw, allow traffic like www or ftp into a weak/moderately protected server.
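The layout described in this post (perimeter Linux box, screened subnet holding the web server and the inner router's WAN port, ICMP echo stopped at the outer edge, only www/ftp allowed in to the screened server) as an added iptables example. This is not code from the thread or from any of the products named in it; interface names, the 192.168.100.0/24 screened range, the server and inner-router addresses, and the choice to emit the commands as text rather than run them are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal iptables ruleset for a Linux
# perimeter router sitting between the modem and a SoHo "router-in-a-box".
# Interface names, the screened-subnet range and host addresses are assumptions.
WAN_IF=eth0                    # faces the modem
SCREEN_IF=eth1                 # faces the screened subnet ("dirty DMZ")
SCREEN_NET=192.168.100.0/24    # constructed screened-subnet range
DMZ_WEB=192.168.100.10         # weakly protected web/ftp server in the screened zone
INNER_FW=192.168.100.2         # WAN side of the inner router-in-a-box

# Emit each iptables command as a line of text instead of executing it, so the
# ruleset can be reviewed first and applied later (as root) with: perimeter_rules | sh
rule() { printf 'iptables %s\n' "$*"; }

perimeter_rules() {
    rule -F
    rule -P INPUT DROP          # the router itself accepts nothing by default
    rule -P FORWARD DROP        # nothing crosses the router unless listed below
    rule -P OUTPUT ACCEPT

    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: packets from the modem side may not claim a screened-subnet source.
    rule -A INPUT -i "$WAN_IF" -s "$SCREEN_NET" -j DROP
    rule -A FORWARD -i "$WAN_IF" -s "$SCREEN_NET" -j DROP

    # The ICMP point from the thread: stop echo requests at the outer edge so the
    # inner firewall never sees them, and do not let echo replies leave either.
    rule -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
    rule -A FORWARD -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
    rule -A OUTPUT -o "$WAN_IF" -p icmp --icmp-type echo-reply -j DROP
    rule -A FORWARD -o "$WAN_IF" -p icmp --icmp-type echo-reply -j DROP
    # Other ICMP (destination-unreachable, time-exceeded) still passes through the
    # ESTABLISHED,RELATED rules above; dropping it would break path-MTU discovery.

    # Administration of the perimeter box only from the screened side.
    rule -A INPUT -i "$SCREEN_IF" -s "$SCREEN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Allow www and ftp from the Internet into the screened server only.
    # (FTP data channels need the ip_conntrack_ftp / nf_conntrack_ftp helper loaded.)
    rule -A FORWARD -i "$WAN_IF" -o "$SCREEN_IF" -d "$DMZ_WEB" -p tcp -m multiport --dports 80,21 -m state --state NEW -j ACCEPT

    # Only the inner router (whose LAN clients are NATed behind INNER_FW) may open
    # connections outward; the weak DMZ server cannot initiate anything to the Internet.
    rule -A FORWARD -i "$SCREEN_IF" -o "$WAN_IF" -s "$INNER_FW" -m state --state NEW -j ACCEPT

    # Log what falls through before the DROP policy takes it.
    rule -A FORWARD -m limit --limit 5/min -j LOG --log-prefix PERIMETER-DROP:
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix PERIMETER-INPUT-DROP:
}

# Number of rules that name the DMZ host; a quick sanity check that the server
# is reachable by exactly one inbound rule.
dmz_rule_count() { perimeter_rules | grep -c -- "-d $DMZ_WEB"; }

perimeter_rules
```

Run it as-is to review the ruleset; pipe the output to `sh` as root to apply it. Because outbound NEW connections are accepted only from the inner router's WAN address, the screened web server has no path to the Internet of its own; if it needs to fetch updates, add a narrowly scoped rule for that rather than widening the source to the whole subnet.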
Re: Howto setup two stage firewall? Linux and router-in-a-box?
Thanks STickman.
Good suggestion - I should have thought enough about it to get it. Filter the ICMP incoming so that no time is wasted passing it and responding to it. Filter the traffic at the earliest possible point. Not Recognized = My friend's setup failed to assign an IP to a router-in-a-box (D-Link router) from his perimeter box (running freeOS). He said that the Tx/Rx lights on the NIC and the D-Link didn't light up at all. Booted, rebooted, and booted in sequence from the WAN side (modem, perimeter router, inner router) and still no good. Any suggestions?
Are you sure your friend has set up dhcpd on the outside box? If the SoHo router is expecting to get its WAN IP via DHCP, but you haven't configured a DHCP daemon, well, there's the problem. Most of those SoHo routers let you specify a static WAN IP, which would probably be wiser in this case.
If you're 100% positive you're assigning the IP correctly, then you might have a problem with the cables.
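An added example of the dhcpd setup this reply is asking about, for the case where the inner router is left on DHCP rather than a static WAN IP. This is a constructed ISC dhcpd.conf fragment for the perimeter box, not configuration from the thread; the 192.168.100.0/24 range, the perimeter box's inner address 192.168.100.1 and the inner router's MAC are placeholders.

```conf
# Constructed dhcpd.conf fragment for the perimeter box's inner interface.
# Addresses and the MAC address are placeholders, not values from the thread.
subnet 192.168.100.0 netmask 255.255.255.0 {
    option routers 192.168.100.1;             # perimeter box's screened-side address
    option domain-name-servers 192.168.100.1;
    range 192.168.100.50 192.168.100.60;      # tiny pool: only the inner router asks
    default-lease-time 86400;
}

# Pin the inner router to a known address so perimeter access lists can name it
# instead of having to allow the whole pool.
host inner-router {
    hardware ethernet 00:11:22:33:44:55;      # placeholder: the D-Link's WAN MAC
    fixed-address 192.168.100.2;
}
```

Before blaming the cable, check the daemon is listening on the inner interface only (`dhcpd -t` for a syntax check, then start it naming that interface, e.g. `dhcpd eth1`) and watch for the DISCOVER/OFFER exchange with `tcpdump -ni eth1 port 67 or port 68`. If no link lights come up at all, the problem is below DHCP: older WAN ports without auto-MDI-X need a crossover cable when connected straight to a PC NIC, which matches the "Tx/Rx lights never lit" symptom above.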