LinuxQuestions.org, Linux - Security forum: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
01-08-2004, 11:41 PM, #1
LQ Newbie | Registered: Jan 2004 | Distribution: trying to limit to three distros | Posts: 6
Howto setup two stage firewall? Linux and router-in-a-box?
I would like to use a bare install of Linux to put up a perimeter router (filtering some) outside of a "router-in-a-box" with serious access lists.
Anybody refer me to resources - especially in getting the Linux box to properly recognize my SMC Barricade and vice versa?
01-09-2004, 12:37 AM, #2
Senior Member | Registered: Jul 2003 | Location: Silicon Valley, USA | Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5 | Posts: 3,660
I'm not really sure what this accomplishes, aside from possibly slowing down all your traffic. Typically these types of setups are used to create a "screened subnet" that could be used as a DMZ, but if you don't plan to put anything between your packet filter and your SoHo firewall, I have to say I don't really see what the point is.
01-09-2004, 10:07 AM, #3
LQ Newbie (Original Poster) | Registered: Jan 2004 | Distribution: trying to limit to three distros | Posts: 6
Why...
Maybe it is overkill, but I am trying to play with (and better understand) security as preached by Cisco. You immediately picked up on one of the advantages that they advocate, and there is one other:
One: put a web server in a "screened" zone or "dirty DMZ."
Two: on the perimeter router, filtering outgoing ICMP responses (at least echo responses) blocks conventional reconnaissance probes of the inner firewall.
The outer router really doesn't function as a proper firewall. Mainly it is set up with lists to protect itself and the inner firewall. And, as you saw, it allows traffic like www or ftp into a weakly/moderately protected server.
01-09-2004, 10:37 AM, #4
Senior Member | Registered: Sep 2002 | Location: Nashville, TN | Posts: 1,552
Re: Howto setup two stage firewall? Linux and router-in-a-box?
Quote (originally posted by drdirt): Anybody refer me to resources - especially in getting the linux box to properly recognize my smc barricade and vice versa???
There is some good documentation on setting up Linux firewalls over at TLDP. What do you mean by "recognize"? I would think that just getting each device to pass wanted traffic to the next would suffice. On the Linux side, look at iptables for filtering traffic. Also, if you are going to go through the trouble of having layered firewalls, I would recommend syncing the ruleset as closely as possible between the two devices so that you get full benefit from each. Adding another firewall simply to block outgoing echo replies only adds more network latency by adding another hop. You would be better off just dropping the incoming ICMP types that you don't want on the front side of one firewall.
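As an added example (not a script from any poster in this thread), here is what the advice in #3 and #4 looks like as an iptables ruleset for the outer Linux box: drop the unwanted ICMP at the first hop, pass only www/ftp into the screened DMZ host, and let nothing new reach the inner router. Interface names, the DMZ address and the `IPT` dry-run variable are assumptions; by default the script only prints the commands.

```shell
#!/bin/sh
# Perimeter ("screened subnet") ruleset for the outer Linux box.
# Dry run by default: it prints the commands. Run as root with IPT=iptables
# to apply. Interface names and the DMZ address are constructed placeholders.
WAN="${WAN:-eth0}"                  # faces the modem
DMZ="${DMZ:-eth1}"                  # screened subnet with the web/ftp host
INNER="${INNER:-eth2}"              # link to the SoHo router's WAN port
DMZ_SRV="${DMZ_SRV:-192.0.2.10}"    # DMZ server, documentation-range address
IPT="${IPT:-echo iptables}"

perimeter_rules() {
    # Default-deny on the box itself and on forwarded traffic.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Drop inbound echo-request on the WAN edge first, so neither this box nor
    # the inner firewall spends a hop and a reply on reconnaissance pings.
    $IPT -A INPUT   -i "$WAN" -p icmp --icmp-type echo-request -j DROP
    $IPT -A FORWARD -i "$WAN" -p icmp --icmp-type echo-request -j DROP
    # Return traffic, including ICMP errors tied to existing flows (RELATED),
    # still passes, so path-MTU discovery keeps working.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the services the DMZ host is meant to expose: www and ftp control
    # (ftp data connections additionally need the nf_conntrack_ftp helper).
    for port in 80 21; do
        $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_SRV" -p tcp \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Inner side may open connections outward; nothing new reaches it from WAN.
    $IPT -A FORWARD -i "$INNER" -o "$WAN" -m state --state NEW -j ACCEPT
    # A compromised DMZ host must not be able to reach the inner firewall.
    $IPT -A FORWARD -i "$DMZ" -o "$INNER" -j DROP
    # Rate-limited logging gives a record of what the default policy dropped.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "perimeter-drop: "
}

perimeter_rules
```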
01-10-2004, 01:29 AM, #5
LQ Newbie (Original Poster) | Registered: Jan 2004 | Distribution: trying to limit to three distros | Posts: 6
Thanks STickman.
Good suggestion - I should have thought enough about it to get it. Filter the ICMP incoming so that no time is wasted passing it and responding to it. Filter the traffic at the earliest possible point.
Not recognized = my friend's setup failed to assign an IP to a router-in-a-box (D-Link router) from his perimeter box (running freeOS). He said that the Tx/Rx lights on the NIC and the D-Link didn't light up at all. Booted, rebooted, and booted in sequence from the WAN side (modem, perimeter router, inner router) and still no good.
Any suggestions?
01-10-2004, 02:51 AM, #6
Senior Member | Registered: Jul 2003 | Location: Silicon Valley, USA | Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5 | Posts: 3,660
Are you sure your friend has set up dhcpd on the outside box? If the SoHo router is expecting to get its WAN IP via DHCP, but you haven't configured a DHCP daemon, well, there's the problem. Most of those SoHo routers let you specify a static WAN IP, which would probably be wiser in this case.
If you're 100% positive you're assigning the IP correctly, then you might have a problem with the cables.