RE: Most stable firewall distro

RE: Most stable firewall distro

[George Vieira]

Yes Bering is a good distro and very up to date but I rewrote the smoothwall
script as it not only took ~83KB of diskspace, it also was too confusing for
me.. call me lazy to read.... ;)
I just deleted their confs files and rewrote the /etc/init.d/smoothwall
scripts and resaved them back to the floppy.

Works wonders but 1.68MB is very limited especially if you want IPSEC then
it's very hard to get it to fit. I just got 1-3KB left on the floppy after
removing alot of stuff..

But in the end it's worth it as long as you make backups of your floppy.
Verbatim disks apparently are good with this 1.68MB setup and holds for
years...

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au



-----Original Message-----
From: Steve Fink [mailto:stevef@netvantix.com]
Sent: Thursday, 04 July 2002 9:17 AM
To: 'Antony Stone'; netfilter@lists.samba.org
Subject: RE: Most stable firewall distro


Anthony,

	For use of iptables on a mini-firewall distro ( fits on a diskette
or
two ). I would have to recommend Bering, available at
http://leaf.sourceforge.net.

Best,

Steve



-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Antony Stone
Sent: Wednesday, July 03, 2002 4:34 PM
To: netfilter@lists.samba.org
Subject: Re: Most stable firewall distro


On Wednesday 03 July 2002 11:23 pm, riffraff wrote:

> ---------- Original Message ----------------------------------
> From: "Miguel Laborde" <miguel.laborde@canada.com>
> Date: Wed, 3 Jul 2002 18:22:38 -0400
>
> >Hello all,
> >	I have a question here for those of you who use iptables heavily in
a
> >production environment. Right now I am about to replace a older Mandrake
> >(release 7.2) with an updated linux firewall however before I go ahead
and
> >do that, I'm interested in knowing what you people consider the most
> > stable distribution for a linux firewall.
> >	I realize that the underlying OS and iptables software is common
across
> > all distributions however some distributions apply patches which others
> > don't, and as result might be better suitable as a firewall.
> >
> >
> >	Thanks for your time,
> >				Miguel
>
> I just used redhat 7.0 (I think, it's been a while), and removed
everything
> that was completely unnecessary, then compiled a whole new kernel (I had
> to; I'm using the bridge-netfilter patch).  So, it isn't much of a redhat
> anymore, just uses redhat paths and rpm.

I agree with this approach.   A firewall shouldn't really be any
recognisable
distro, because distros basically differ in all the add-ons they include
around the kernel, nearly all of which you should not have on a firewall.

And, as suggested above, you really ought to compile your own kernel for a
firewall, too, so it contains what you want and doesn't contain what you
don't want, therefore you start from ftp://ftp.kernel.org and 'make config'
(or whichever variation of that you prefer).

The 'distro' I would really like to see people use for firewalls is Linux
From Scratch, because this is expressly designed to contain only the tools
you choose for a specific job, and not a whole bunch that someone else
thought might come in handy one day.....

Not the easiest thing to play with though, admittedly.

http://www.linuxfromscratch.org



Antony.

RE: Most stable firewall distro

[leolistas]

   Altough I know floppy distro works absolutely well, in general i dont 
like to use them. As you mentioned, they are 100% limited and nothing can 
be done, specially if you need disk writings. I just cant imagine a 
firewall with no logging at all !!! Using a squid proxy would save about 
15% on your www bandwidth ( depends on each case, but 10-15% is generally 
ok ).

   And, the most important, IDE disks are as cheap as they are fast .....

   So, if you need a firewall for your home ( connect 2-3 machines through 
adsl ), I'd recommend a floppy firewall. For ANY other firewall machine i 
would strongly recommend a full firewall installation based on the distro 
you're used to work. I personally would recommend redhat, as I told in 
last message. But if you're used to SuSe, GREAT, use it ! Slack ? Use it ! 
Debian ? Use it ! No matter which distro you'll use if you really know 
what you're doing.

   Sincerily,
   Leonardo Rodrigues


Citando George Vieira <GeorgeV@citadelcomputer.com.au>:

> Works wonders but 1.68MB is very limited especially if you want IPSEC
> then
> it's very hard to get it to fit. I just got 1-3KB left on the floppy
> after
> removing alot of stuff..

Re: Most stable firewall distro

[George Georgalis]

On Wed, Jul 03, 2002 at 09:56:08PM -0300, leolistas@solucoesip.net wrote:
>
>
>   Altough I know floppy distro works absolutely well, in general i dont 
>like to use them. As you mentioned, they are 100% limited and nothing can 
>be done, specially if you need disk writings. I just cant imagine a 
>firewall with no logging at all !!! Using a squid proxy would save about 
>15% on your www bandwidth ( depends on each case, but 10-15% is generally 
>ok ).
>
>   And, the most important, IDE disks are as cheap as they are fast .....

If anything is 100% limited, may as well say everything is 100% limited.
I use bering (floppy distro) _because_ there is no IDE drive to generate
heat, use electricity or break. Since I'm throwing the oldest box around
up as a firewall, I'm like the fact that that their is minimal load on
the powersupply. 

I've got ssh, iptables, weblet (an http server for status, logs
etc). You can put everything on a cdrom if you want more. It does log,
you could use weblet to download your logs, I'm using ssh, but could
be using NFS instead. It's easy to add another floppy, I think all the
other packages would fit on it.

I don't see running squid on an LRP, if you need that, put it on a lan host, 
or use a regular distro... :) 

// George

BTW - those new IDE disks are not very fast with older controllers or
cpu.



-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:george@galis.org 
File, Print, DB and DNS Servers.       http://www.galis.org/george 

MSM Mesanger through a iptables firewall.

[Stephan Viljoen]

Hi there , some of my clients is having problems to send files to each other
with MSN. The problem
seems to be that I'm running 2 firewalls behind each other.

PC 1 can't send a file to PC 2 but PC 2 can send a file to PC 1. PC 3 and PC
1 can send files
to each other.  Now all the pcs can serve the web , ftp , chat , blah blah
blah. I'm not blocking any ports what
so ever , so it's just masq. and normal packet forwarding.

Here's all the information.

Help will be apreciated.

PC 1 :
IP : 10.0.0.10 , Gateway : 10.0.0.1

Firewall 1:
eth0 : 193.220.24.230 : uplink  , Gateway : 193.220.24.193
eth1 : 10.0.0.1/16

echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 10.0.0.1/16 -o eth0 -j MASQUERADE
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

Firewall 2:
eth0 : 193.220.24.8
eth1 : 193.220.24.193
eth2 : 192.168.1.1

$IPTABLES -F
$IPTABLES -X
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -s 192.168.1.1/24 -o $EXTIF -j MASQUERADE
$IPTABLES -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A FORWARD -i eth2 -o eth0 -j ACCEPT

PC 2 :
IP : 193.220.24.242 , Gateway : 193.220.24.193

PC3 :
IP : 192.168.1.10 , Gateway : 192.168.1.1

Re: MSM Mesanger through a iptables firewall.

[Antony Stone]

On Thursday 04 July 2002 3:06 pm, Stephan Viljoen wrote:

> Firewall 2:
> eth0 : 193.220.24.8
> eth1 : 193.220.24.193
> eth2 : 192.168.1.1

What are the netmasks on eth0 and eth1 ?

What's the routing table on this machine ?

 

Antony.

Re: MSN Mesanger through a iptables firewall.

[Antony Stone]

On Thursday 04 July 2002 3:06 pm, Stephan Viljoen wrote:

> Firewall 1:
> eth0 : 193.220.24.230 : uplink  , Gateway : 193.220.24.193
> eth1 : 10.0.0.1/16
>
> echo "   enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward
> $IPTABLES -F
> $IPTABLES -X
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -t nat -A POSTROUTING -s 10.0.0.1/16 -o eth0 -j MASQUERADE
> $IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED
> -j ACCEPT
> $IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

I don't see the point of you having these two FORWARDing rules when the 
default policy on this chain is ACCEPT ?   It's just an open router.

> Firewall 2:
> eth0 : 193.220.24.8
> eth1 : 193.220.24.193
> eth2 : 192.168.1.1
>
> $IPTABLES -F
> $IPTABLES -X
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED
> -j ACCEPT
> $IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
>
> $IPTABLES -t nat -A POSTROUTING -s 192.168.1.1/24 -o $EXTIF -j MASQUERADE
> $IPTABLES -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED
> -j ACCEPT
> $IPTABLES -A FORWARD -i eth2 -o eth0 -j ACCEPT

Again, there's no point in having any of these four FORWARDing rules when the 
default policy is ACCEPT.   This firewall is also simply an open router.

 

Antony.