Firewall Wizards mailing list archives
Re: Here is my plan for firewall implementation
From: Craig Brozefsky <craig () onshore com>
Date: Sun, 21 Sep 1997 12:05:07 -0500
On Fri, 19 Sep 1997, Jim Raykowski wrote:
Hello All, Here is my plan for implementing a firewall at my site and I would like to hear some comments on the goods and bads.
This is very similar to what I am running/designing. We have a small LAN of about 20 computers of mixed breed and species doing everything from NSCalendar services to SMB and NFS/NIS+. I set it up primarily as a training ground for several of the tech support people we have around the office and ran into several issues which I hope to help you avoid.
My plan is to build a Pentium 133 with 32 MB RAM with 540 MB Hard Drive running Linux Slackware using kernel 2.0.30 and TIS Firewall Toolkit 2.0. I plan to use the SMTP, HTTP, TELNET, and FTP proxies from the FWTK and set up a fake DNS on this machine.
May I suggest that you stay away from the 2.0.30 kernel; it has several problems including but not limited to broken transparent proxy support, SCSI flakiness, and other bugs. Kernels earlier than 2.0.27 I believe should have trans proxy working, and for the most stable environment go with 1.2.13 if you don't need the extra features in the 2.0.X kernels. 2.0.30 pre9 is out and has some memory leaks and other issues, but if you can wait till 2.0.31 it should be a stable kernel since the developers are concentrating on releasing a 1.2.13 caliber kernel for the 2.0.X series now.

The HTTP gateway has some flakiness when it comes to rewriting URLs. I have had it break several pages that have Javascript URLs in them, ie: <a href="Javascript:funccal(arg,arg,arg)"> got rewritten with a ":" appended to it, thus breaking things. What you may want to do is either get a beefier box for your firewall and run something like Squid in caching mode (slap a SCSI disk on there for the cache dirs) or run Squid non-caching. It has a lot of nice features like DNS caching and such that will make your web access slicker. May I also suggest using Junkbusters. I set it up to forward chain to Squid.

The SMAP gateway is nice, but keep an eye on it. I have in the past had it go into a runaway loop and fill up some partitions with log messages and bounced mail. I do not know if the current version fixed the problem, which was related to a message not being requeued, or discarded after sendmail failed to send it.
I will build another Linux computer to act as the internal DNS that will forward all queries it cannot answer to the firewall and then forward answers back to the systems that asked. It will also be my network monitoring station and the station that I xfer all updates to my external web and ftp servers from.
I also have a Linux box doing much of the same.
My default policy will be to deny all unless otherwise permitted. I am trying to protect the information as we deal with government contracts but still need access to the internet to look up data and exchange information with other contractors. Thanks,
I attempted to implement the same policy and have found that the fwtk and Linux were not really suitable for it when considering the needs I have, but with a little bit of coding I think you could pull it off. The major problem I had was transparent proxies in 2.0.30 not working, as well as attempting to proxy ssh. My goal was/is to create a version of plug-gw that could take a transparent proxied connection, deduce where the connection was attempted to, check against an ACL list, and then forward it. The transproxyd that comes with Debian cannot do this.

Craig Brozefsky craig () onshore com
onShore Inc. http://www.onshore.com/~craig
Development Team p_priority=PFUN+(p_work/4)+(2*p_cash)
I hear my inside, the mechanized hum of another world - Steely Dan
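The ACL-checking transparent forwarder described in the reply, as an added example that is not code from the thread, from the fwtk or from transproxyd: on a current Linux kernel a connection redirected to the proxy by netfilter still carries its pre-redirect destination, readable with getsockopt(SOL_IP, SO_ORIGINAL_DST), so the proxy can recover where the client was really going, check it against a default-deny ACL, and only then connect onward. The ACL entries and addresses are constructed, IPv4-only handling and the listening port 3128 are assumptions.

```python
import ipaddress
import socket
import struct
import threading

SO_ORIGINAL_DST = 80  # Linux netfilter getsockopt option from linux/netfilter_ipv4.h

# Constructed ACL: (client network, destination network, destination port) tuples
# that are permitted; anything not listed is denied (default-deny, as in the thread).
ACL = [
    (ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("0.0.0.0/0"), 22),
    (ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.0.2.0/24"), 80),
]

def parse_original_dst(raw):
    """Decode the struct sockaddr_in returned by SO_ORIGINAL_DST into (ip, port)."""
    family = struct.unpack("=H", raw[:2])[0]          # sin_family is in host byte order
    if family != socket.AF_INET:
        raise ValueError("only IPv4 sockaddr_in is handled here (assumption)")
    port, addr = struct.unpack("!H4s", raw[2:8])      # sin_port, sin_addr in network order
    return socket.inet_ntoa(addr), port

def build_sockaddr_in(ip, port):
    """Inverse of parse_original_dst; handy for offline testing of the decoder."""
    return struct.pack("=H", socket.AF_INET) + struct.pack("!H4s", port, socket.inet_aton(ip)) + b"\0" * 8

def allowed(client_ip, dst_ip, dst_port):
    """Default-deny check: True only if some ACL entry matches client, destination and port."""
    client, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(dst_ip)
    return any(client in cn and dst in dn and dst_port == port for cn, dn, port in ACL)

def pump(src, dst):
    """Copy bytes one way until EOF, then tear both sockets down."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()

def handle(conn, client_addr):
    dst_ip, dst_port = parse_original_dst(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))
    if not allowed(client_addr[0], dst_ip, dst_port):
        print(f"deny  {client_addr[0]} -> {dst_ip}:{dst_port}")   # log the refused attempt
        conn.close()
        return
    print(f"allow {client_addr[0]} -> {dst_ip}:{dst_port}")
    upstream = socket.create_connection((dst_ip, dst_port), timeout=10)
    upstream.settimeout(None)
    threading.Thread(target=pump, args=(conn, upstream), daemon=True).start()
    pump(upstream, conn)

def serve(listen_port=3128):
    """Accept connections that netfilter has REDIRECTed to listen_port (assumed)."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle, args=(conn, addr), daemon=True).start()

if __name__ == "__main__":
    serve()
```

Running it requires a netfilter REDIRECT rule sending the internal LAN's outbound TCP to the listening port; the decoder and ACL check can be exercised offline with build_sockaddr_in.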