Using Fedora as firewall.

Brian Fahrlander brian at fahrlander.net
Sat Apr 17 16:43:42 UTC 2004


On Sat, 2004-04-17 at 07:18, Luciano Miguel Ferreira Rocha wrote:

> Either the dhcp client for your company overwrites the /etc/resolv.conf
> file for name resolution, or it's adding/replacing the default route for
> the internet.
> 
> Check the file /etc/resolv.conf and report the output of /sbin/route -n,
> please.

    Or, there's that setting whether the thing should 'be a router'-
I've been trying to think of that setting since last night.  In earlier
releases, you'd echo "1" > /proc/sys/net/something and it would allow
routing...but isn't it in a better place, now?

    There it is: redhat-config-proc.  It's under Networking, IP [2], "IP
Forwarding". Just check it, then check "Apply" or whatever, and it'll
allow you to route packets from one subnet to the other.

    And as to firewall, this one's really nice: rc.firewall, from
http://projectfiles.com/firewall/.  Just plug in some details (like
what the 'trusted' side is) and very little else, and you're ready to
go.

    BUT:

    If you're using really old hardware (I'm using one of my 20 486's I
bought at an auction for $3.15 each!) run the program ONCE to set up the
firewall, don't make it part of the normal boot process.  It doesn't
have to change much, and every time iptables is turned on, it reloads
the last patterns/rules and takes no time at all.  But on the old
hardware it's brutal: my friend across town is routing with an Athlon
1 GHz and it takes 2-3 seconds. The 486 runs the same thing in THIRTY
MINUTES.  One day I woke up to remember the "iptables save" option, and
it turns out Red Hat does that by default. MUCH better.

    This firewall has won my heart because it does all that complicated
SYN/ACK testing, (A little more than I know how to do, manually) and has
a nice, simple way of saying "Take this port and pass it back to this
machine behind the firewall on this port."

    I think you'll like it; I sure do, and I'm no stellar network-guy.

    Enjoy!
    
-- 
------------------------------------------------------------------------
Brian Fahrländer                  Christian, Conservative, and Technomad
Evansville, IN                                 http://www.fahrlander.net 
ICQ 5119262
AIM: WheelDweller
------------------------------------------------------------------------
Come on, snake hips, get it all the way over now. Strap in tight,
because it's a long, sweet ride.
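The setup Brian describes (turn on IP forwarding, a stateful NAT firewall with a SYN sanity check, one port passed through to a host behind the box, rules saved so the iptables service reloads them at boot) as an added, self-contained example. This is not the rc.firewall script from projectfiles.com and not part of the original post. Interface names (eth0 outside, eth1 inside), the 192.168.1.0/24 LAN, the forwarded host and ports, and the Red Hat style `service iptables save` are all assumptions; the ruleset is produced in iptables-restore format, which loads every rule in one pass rather than invoking iptables once per rule, and that single-pass load is what makes the saved-rules path fast on slow hardware.

```shell
#!/bin/sh
# Added example: not the projectfiles.com rc.firewall, not code from the original post.
# Builds a two-interface NAT firewall as an iptables-restore ruleset, enables IPv4
# forwarding, and persists both.  Names and addresses below are assumptions.

WAN_IF="${WAN_IF:-eth0}"               # untrusted side (assumed interface name)
LAN_IF="${LAN_IF:-eth1}"               # trusted side (assumed interface name)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # trusted subnet (assumed)

# Print a complete iptables-restore ruleset on stdout.
# $1 = public TCP port, $2 = LAN host to forward it to, $3 = port on that host.
build_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# "take this port and pass it back to this machine behind the firewall"
-A PREROUTING -i $WAN_IF -p tcp --dport $1 -j DNAT --to-destination $2:$3
# hide the whole LAN behind the firewall's public address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# SYN sanity test: a NEW tcp connection must open with a bare SYN, drop anything else
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# from the outside, only the DNATed service on the inside host is reachable
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $2 --dport $3 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Exit 0 if the kernel is currently forwarding IPv4 packets, 1 otherwise.
# This is the setting that redhat-config-proc's "IP Forwarding" box flips.
ip_forward_enabled() {
	[ -r /proc/sys/net/ipv4/ip_forward ] &&
		[ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Load the ruleset atomically, enable forwarding, persist both.
# Needs root and a Red Hat style "iptables" init script (assumed).
apply_ruleset() {
	[ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: run as root" >&2; return 1; }
	build_ruleset "$1" "$2" "$3" | iptables-restore || return 1
	# same effect as: echo 1 > /proc/sys/net/ipv4/ip_forward
	sysctl -w net.ipv4.ip_forward=1
	# make it survive a reboot
	if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf 2>/dev/null; then
		sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
	else
		echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
	fi
	# writes /etc/sysconfig/iptables, which the iptables service restores at boot
	service iptables save
}

# Usage: ./fw.sh apply   (forwards public :8080 to 192.168.1.10:80, both assumed)
if [ "${1:-}" = "apply" ]; then
	apply_ruleset 8080 192.168.1.10 80
fi
```

Running the script with no argument does nothing; `./fw.sh apply` loads the rules, and `build_ruleset 8080 192.168.1.10 80` on its own prints the ruleset so it can be reviewed before it touches the box. Default policy is DROP on INPUT and FORWARD, so anything not listed, including new connections from the WAN side to the LAN other than the forwarded port, is refused.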