LinuxQuestions.org (/questions/) > Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/) > Howto setup two stage firewall? Linux and router-in-a-box? (https://www.linuxquestions.org/questions/linux-security-4/howto-setup-two-stage-firewall-linux-and-router-in-a-box-132953/)

drdirt 01-08-2004 11:41 PM

Howto setup two stage firewall? Linux and router-in-a-box?
 
I would like to use a bare install of linux to put up a perimeter router (filtering some) outside of a "router-in-a-box" with serious access lists.

Anybody refer me to resources - especially in getting the linux box to properly recognize my smc barricade and vice versa???

chort 01-09-2004 12:37 AM

I'm not really sure what this accomplishes, aside from possibly slowing down all your traffic. Typically these type of setups are used to create a "screened subnet" that could be used as a DMZ, but if you don't plan to put anything between your packet filter and your SoHo firewall, I have to say I don't really see what the point is.

drdirt 01-09-2004 10:07 AM

Why...
 
Maybe it is overkill, but I am trying to play with (and better understand) security as preached by Cisco. You immediately picked up on one of the advantages that they advocate, and there is one other-

One: put a web server in a "screened" zone or "dirty-dmz."

Two: on the perimeter router, filtering outgoing ICMP responses (at least echo responses) blocks conventional reconnaissance probes of the inner firewall.

The outer router really doesn't function as a proper firewall. Mainly set up lists to protect it and the inner firewall. And, as you saw, allow traffic like www or ftp into a weak/moderately protected server.

stickman 01-09-2004 10:37 AM

Re: Howto setup two stage firewall? Linux and router-in-a-box?
 
Quote:

Originally posted by drdirt
Anybody refer me to resources - especially in getting the linux box to properly recognize my smc barricade and vice versa???
There is some good documentation on setting up Linux firewalls over at TLDP. What do you mean by "recognize"? I would think that just getting each device's wanted traffic to the next would suffice. On the Linux side, look at iptables for filtering traffic. Also, if you are going to go through the trouble of having layered firewalls, I would recommend syncing the ruleset as closely as possible between the two devices so that you get full benefit from each. Adding another firewall to simply block outgoing echo replies only adds more network latency by adding another hop. You would be better off just dropping the incoming ICMP types that you don't want on the front side of one firewall.
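A perimeter ruleset along the lines stickman describes (drop the unwanted ICMP types at the first hop, let only the web server's port through into the screened subnet, let the inner router's WAN port out), as an added example; it is not from any poster in this thread. It assumes a Linux perimeter box with iptables, eth0 toward the modem and eth1 toward the screened subnet; the addresses 192.168.100.0/24, 192.168.100.10 (web server) and 192.168.100.2 (inner router's WAN port) are constructed placeholders. IPT defaults to iptables and can be set to echo to print the rules without loading them.

```shell
#!/bin/sh
# Perimeter ("outer") packet filter for a two-stage layout: modem -> this box
# -> screened subnet (web server + inner router's WAN port) -> inner router.
# Added example, not from this thread's posters. Interfaces and addresses are
# assumptions; adjust to your own layout.
IPT="${IPT:-iptables}"          # set IPT=echo to print the rules instead of loading them
WAN="${WAN:-eth0}"              # faces the modem / ISP
SCR="${SCR:-eth1}"              # faces the screened subnet
SCR_NET="192.168.100.0/24"      # constructed placeholder network
WEB="192.168.100.10"            # screened web server
INNER_RTR="192.168.100.2"       # inner router's WAN port (static address, as suggested in the thread)

perimeter_rules() {
    # Clean slate, default DROP everywhere: anything not listed below dies here.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback and replies to connections already allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Drop probe-style ICMP at the first hop, so neither this box nor the inner
    # firewall ever has to answer it (stickman's point above).
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j DROP
    for t in echo-request timestamp-request address-mask-request; do
        $IPT -A FORWARD -i "$WAN" -p icmp --icmp-type "$t" -j DROP
    done
    # Keep the ICMP that TCP needs: path-MTU discovery and TTL expiry.
    $IPT -A FORWARD -i "$WAN" -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -p icmp --icmp-type time-exceeded -j ACCEPT

    # Hide the screened subnet behind this box's WAN address, and steer port 80
    # from the outside to the screened web server only.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$SCR_NET" -j MASQUERADE
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
    $IPT -A FORWARD -i "$WAN" -o "$SCR" -d "$WEB" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # New outbound connections may leave only from the inner router's WAN port.
    # The web server gets no outbound of its own, so if it is compromised it
    # cannot open connections out through this box.
    $IPT -A FORWARD -i "$SCR" -o "$WAN" -s "$INNER_RTR" -m state --state NEW -j ACCEPT

    # Manage this box only from the screened side; let it reach DNS/NTP itself.
    $IPT -A INPUT -i "$SCR" -s "$SCR_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT

    # Rate-limited log of whatever the default policy is about to drop.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "PERIM-IN-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "PERIM-FWD-DROP: "
}

# Only touch the live kernel when explicitly asked: ./perimeter.sh apply
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    perimeter_rules
fi
```

Run `IPT=echo sh perimeter.sh` first and read the printed rules; only then `sh perimeter.sh apply`. The same ICMP drops belong on the inner router's own WAN side as well, so that the two rulesets agree and the inner device does not depend on the outer one being up.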

drdirt 01-10-2004 01:29 AM

Thanks Stickman.

Good suggestion - I should have thought enough about it to get it. Filter the ICMP incoming so that no time is wasted passing it, and responding to it. Filter the traffic at the earliest possible point.

Not Recognized = My friend's set up failed to assign an IP to a router-in-a-box (D-link router) from his perimeter box (running freeOS). He said that Tx/Rx lights on NIC and the D-link didn't light up at all. Booted, rebooted, and booted in sequence from wan side (modem, perimeter router, inner router) and still no good.

Any suggestions?

chort 01-10-2004 02:51 AM

Are you sure your friend has set up dhcpd on the outside box? If the SoHo router is expecting to get its WAN IP via DHCP, but you haven't configured a DHCP daemon, well, there's the problem. Most of those SoHo routers let you specify a static WAN IP which would probably be wiser in this case.

If you're 100% positive you're assigning the IP correctly, then you might have a problem with the cables.
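If the SoHo router is left on DHCP for its WAN port, the perimeter box has to actually offer it a lease. The following is an added example (not from this thread) of a minimal ISC dhcpd configuration for that box: it serves only the screened interface, so nothing is handed out toward the modem, and it gives the inner router a reservation rather than a pool so the address the forwarding rules rely on never changes. The interface name, MAC address and 192.168.100.x addresses are constructed placeholders; the classic /etc/dhcpd.conf path is assumed.

```shell
#!/bin/sh
# Minimal ISC dhcpd configuration for the perimeter box, bound to the screened
# interface only, so the SoHo router's WAN port gets a predictable address.
# Added example, not from this thread; MAC and addresses are constructed.
SCR="${SCR:-eth1}"              # interface facing the screened subnet
SCR_NET="192.168.100.0"
SCR_MASK="255.255.255.0"
PERIM_IP="192.168.100.1"        # this box's address on the screened side
INNER_RTR="192.168.100.2"       # address reserved for the SoHo router's WAN port
INNER_MAC="${INNER_MAC:-00:11:22:33:44:55}"   # placeholder; read it off the router's WAN label

dhcpd_conf() {
    # A reservation, not a pool: the only DHCP client expected on this segment
    # is the inner router. With no "range" line, unknown MACs get nothing.
    cat <<EOF
authoritative;
default-lease-time 86400;
max-lease-time 86400;

subnet $SCR_NET netmask $SCR_MASK {
    option routers $PERIM_IP;
}

host inner-router {
    hardware ethernet $INNER_MAC;
    fixed-address $INNER_RTR;
}
EOF
}

# Write the file and start dhcpd listening on the screened interface only.
if [ "${1:-}" = "apply" ]; then
    dhcpd_conf > /etc/dhcpd.conf
    dhcpd "$SCR"
fi
```

If the D-link is instead given a static WAN address (chort's preference), none of this is needed; the reservation just makes the DHCP case behave the same way. Either way, Tx/Rx lights that never come on point at layer 1, not at DHCP: check the cable type and the link state before looking at dhcpd.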
