Old 04-06-2004, 12:39 AM   #1
InTheWired
LQ Newbie
 
Registered: Apr 2004
Location: Sydney, Australia
Distribution: Mandrake
Posts: 29

Rep: Reputation: 15
how secure is a fully patched linux firewall?


1) If I was to set up an old PC as a firewall box running something like Mandrake 9.2, what do I need?

I assume 2 NIC cards? 1 connected to the ADSL modem, the other connected to a hub/switch which I connect the home PCs to?

2) Also, say I _was_ to use a Linux firewall instead of the built-in port forwarding in my ADSL/router, how much more safe is it... assuming I keep all patches up to date.

In short, basically how hard is it for someone to hack a patched-up Linux firewall with all ports closed except ports 80 and 23? (I'll be using it for basic home webhosting and email)

Cheers for any help

Last edited by InTheWired; 04-06-2004 at 04:14 AM.
 
Old 04-06-2004, 06:15 PM   #2
nex6
Member
 
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46

Rep: Reputation: 16
It all depends on your needs,


I have an old P133 with a minimum install, and iptables with NAT.

And yes, you need 2 network cards, although it is possible to do it with one. It is better to use 2.

As far as getting hacked, it all depends on your firewall script and how well
you locked down the machine you're using as a firewall box.


Hope this answers your question, if not let me know.



-Nex6
 
Old 04-06-2004, 10:56 PM   #3
InTheWired
LQ Newbie
 
Registered: Apr 2004
Location: Sydney, Australia
Distribution: Mandrake
Posts: 29

Original Poster
Rep: Reputation: 15
nex,
cheers, big help. So basically I just install the bare minimum and only open the low ports for 80, 23 and 25, for mail, ftp and web.
 
Old 04-06-2004, 11:08 PM   #4
vi0lat0r
Member
 
Registered: Aug 2003
Location: Lewisville, TX
Distribution: Kubuntu
Posts: 295

Rep: Reputation: 30
Well, maybe 8080... Are you going to be running any chat clients? If so, keep the ports they use open also.
 
Old 04-06-2004, 11:25 PM   #5
InTheWired
LQ Newbie
 
Registered: Apr 2004
Location: Sydney, Australia
Distribution: Mandrake
Posts: 29

Original Poster
Rep: Reputation: 15
Yep, I'll remember to only open ports as they are specifically needed... I'm fairly disciplined in that regard, as I use port forwarding on my ADSL router at home with Windows and know I have to open ports when a program is requesting them.
 
Old 04-07-2004, 10:30 PM   #6
nex6
Member
 
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46

Rep: Reputation: 16
you can also use 3 network cards and have a DMZ,


just a thought....



Nex6
 
Old 04-07-2004, 11:43 PM   #7
InTheWired
LQ Newbie
 
Registered: Apr 2004
Location: Sydney, Australia
Distribution: Mandrake
Posts: 29

Original Poster
Rep: Reputation: 15
nex, hmm, what's the 3rd card used for in regards to DMZ? Could you just use two cards? One which has a DMZ from the modem and the other connected to a switch?
 
Old 04-07-2004, 11:58 PM   #8
nex6
Member
 
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46

Rep: Reputation: 16
Basically, you set up iptables:


eth0 = internet
eth1 = internal LAN
eth2 = DMZ

You set up iptables to send incoming traffic to the DMZ, and block ALL incoming traffic to the internal LAN.


This way you can have the public server that's not public and a secured internal network.

Note: you can get all fancy with IP aliases and other funky things to have fewer network cards, but it's easier to use 3. Keep it simple.




-nex6

Last edited by nex6; 04-08-2004 at 12:01 AM.
 
Old 04-08-2004, 02:52 PM   #9
paijm021
LQ Newbie
 
Registered: Apr 2004
Location: Germany
Distribution: Slackware 9.1
Posts: 20

Rep: Reputation: 0
I have the same problem, interesting thread!
 
Old 04-08-2004, 09:10 PM   #10
InTheWired
LQ Newbie
 
Registered: Apr 2004
Location: Sydney, Australia
Distribution: Mandrake
Posts: 29

Original Poster
Rep: Reputation: 15
I'll have to read up more on DMZ. As far as I've gathered so far...

You have web/mail/ftp - basically anything public - inside the DMZ attached to eth2. For example, you set up routes so that any traffic going to http is directed to webserver x within the DMZ. You can either use public IPs for those servers or internal.

You have all external web traffic coming into eth0 checked, then routed internally if need be.

eth1 is internal.

Am I understanding that correctly? Sorry, it's just really reiterating what you said anyways, but I just needed to get it clear in my head.
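
The three-interface layout from posts #8 and #10, written out as an iptables-restore ruleset. This is an added example, not part of any post in this thread; the interface roles are from the thread, while the DMZ addresses, the choice of ports 80 and 25, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the three-NIC layout.
# Interface roles are from the thread; addresses and ports are assumptions.
WAN=eth0; LAN=eth1; DMZ=eth2
DMZ_WEB=192.168.2.10     # hypothetical web server in the DMZ
DMZ_MAIL=192.168.2.11    # hypothetical mail server in the DMZ

gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Public services are redirected to DMZ hosts, never to the LAN.
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB
-A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to-destination $DMZ_MAIL
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
# Default deny: anything not matched below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ: only the forwarded services.
-A FORWARD -i $WAN -o $DMZ -d $DMZ_WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DMZ_MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
# LAN may start connections outward; DMZ may reach the internet only.
-A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -m state --state NEW -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Count FORWARD rules that accept traffic leaving through the LAN interface.
# Replies are covered by the ESTABLISHED rule, so the expected count is 0.
lan_exposure() {
    gen_rules | grep -c "^-A FORWARD .*-o $LAN .*-j ACCEPT" || true
}

gen_rules    # print the ruleset
```

INPUT accepts only loopback and reply traffic, so the firewall box itself is administered from its console. The output can be checked with `iptables-restore --test` before it is loaded.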
 
Old 04-09-2004, 08:45 AM   #11
mychl
Member
 
Registered: Jul 2001
Location: Earth
Posts: 164

Rep: Reputation: 30
Sounds about right to me....

DMZs are a good thing!
 
  

