
Re: [K12OSN] Firewall Questions...



I personally wouldn't. I believe that the fewer things you stick on a firewall box, the better off you are. Actually, I generally put the Web proxy on the trusted network (the LAN) and use router rules to force all TCP 80 and TCP 443 traffic to go through that proxy. You can certainly make the firewall be your default gateway (SOHO networks do exactly this), but for non-SOHO situations, I prefer to put a router in between the LAN and the firewall for security and traffic control reasons. One ramification of doing that is that it becomes a lot easier to force Web traffic through the proxy.

As for the mail and Web servers, that depends. First, the Web server. If you need it to be accessible from the Internet, then put it in a DMZ. If not, just stick it on the trusted network. For the mail server, it depends on a few things:

1.)  Is it the SMTP gateway to/from the Internet?
2.)  Which MTA are we talking about here?

For item 1.), if this is your Internet SMTP gateway, then put that in a DMZ and make sure that both it and the DMZ are configured right (read: securely). If it doesn't talk directly to the Internet, i.e. you already have an SMTP gateway, then just put it in the trusted network. For item 2.), if you're using sendmail as an SMTP gateway, I would consider putting postfix or qmail in front of it unless you don't mind doing regular recompiles of sendmail every time it gets rooted. No slam on sendmail; I use it, too. It simply needs to be protected properly.

With that said, if you really do want to make your Web proxy server into your firewall, then that means doing iptables from the command line, 'cause Red Hat's default rules won't cut it. Those rules are really intended for single-NIC end-user workstations. If you're using private IPs, you'll need to do Port Address Translation (PAT). If you're not, then I would strongly suggest doing so. Once this is set up, then you'll need to tweak iptables to not route TCP 80 and TCP 443 traffic through, which will force such traffic to go up the OSI stack to the Application layer, i.e. through the proxy software. Unless you're quite comfortable with CLI iptables, I'd just get a dedicated box (e.g. OpenBSD or Trustix, both secure as hell by default). Also, since you're running Red Hat 8, that means that you get to go through and remove all that crap that Red Hat installs if you want to use your current proxy server as a firewall. I would recommend reading "Securing and Optimizing Red Hat Linux", available on http://www.tldp.org/. It's not trivial to go through the distro and remove all that needs to be removed, and it's quite time-consuming, hence my recommendation for an OpenBSD (http://www.openbsd.org) or Trustix (http://www.trustix.net) box. Much easier to deal with what you want to do.

--TP

Richard K. Ingalls wrote:

Hi list members!

I've got a firewall question for you...

First some details...

I've got several linux boxes (RedHat 8) and I use the default iptables firewall that comes standard. I administer them via webmin. But they aren't set up to be firewalls for the entire network. These boxes are: 1 web/email server, 1 proxy filter (DansGuardian), 2 K12LTSP servers.

Can / should I set up my current proxy filter to be my network firewall? Here are the box stats:
- Celeron 533 MHz
- 380 MB RAM
- 15 GB HDD
- 2 NICs (one not being used currently)
- RedHat 8
- DansGuardian & squid
- transparent proxy settings (via DansGuardian's instructions)


Can this box handle the extra work of being the firewall for the entire network (approx 100 clients) as well as being the proxy filter?

How do I set it up to be the firewall for the entire network? Do I simply tell all other machines to use this existing machine as their gateway to the internet? Or is there more to it than that?

Thanks for your help!!


--
------------------------------------------------------------------------
Do you Slack!?
Slackware GNU/Linux <http://www.slackware.com/> - Clean, secure, and just works.
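The reply above describes the firewall-plus-transparent-proxy setup in prose: PAT for the private LAN, and iptables rules that refuse to forward TCP 80/443 so that web traffic can only leave through the proxy process. The script below is an added example of that rule set for a two-NIC Red Hat 8 (kernel 2.4) box; it is not code from either poster. Interface names, the 192.168.1.0/24 LAN range, the ssh allowance and the DansGuardian listening port 8080 are assumptions. By default it only prints the rules so they can be reviewed; `--apply` runs them.

```shell
#!/bin/sh
# Constructed example: iptables rules for a Red Hat 8 (kernel 2.4) box acting
# as PAT gateway and transparent web proxy. Interface names, LAN range and
# proxy port are assumptions; change them to match the real machine.
WAN_IF="${WAN_IF:-eth0}"              # NIC facing the Internet (assumed)
LAN_IF="${LAN_IF:-eth1}"              # NIC facing the trusted LAN (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # private LAN range (constructed)
PROXY_PORT="${PROXY_PORT:-8080}"      # DansGuardian listening port (assumed)

# Emit the rule set as text so it can be reviewed before anything is applied.
rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback, plus replies to connections the box itself opened (the proxy's fetches)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may reach the proxy and ssh on this box; nothing else inbound, nothing from the WAN
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Transparent proxy: LAN requests to TCP 80 are redirected to DansGuardian before routing
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# Never forward TCP 80/443 from the LAN: only the proxy process may talk to web servers
iptables -A FORWARD -i $LAN_IF -p tcp --dport 80 -j REJECT
iptables -A FORWARD -i $LAN_IF -p tcp --dport 443 -j REJECT
# Everything else from the LAN goes out, and only replies come back in
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# PAT: rewrite private source addresses to the WAN interface address
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Sanity check before applying: how many rules act on the web ports.
web_rule_count() {
    rules | grep -c -e '--dport 80 ' -e '--dport 443 '
}

case "${1:-}" in
    --apply) rules | sh ;;   # run as root on the gateway itself
    *)       rules ;;        # default: dry run, print the rules only
esac
```

Two points a practitioner should note. First, the REDIRECT in the nat PREROUTING chain rewrites the destination port before the INPUT chain sees the packet, which is why the INPUT rule for the proxy port is what admits the redirected web traffic. Second, only plain HTTP is redirected: TCP 443 is simply refused in FORWARD, so HTTPS works only for clients that have the proxy configured explicitly, because transparent redirection of that kind cannot intercept an encrypted session.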
