Firewall Wizards mailing list archives

Re: Here is my plan for firewall implementation


From: Craig Brozefsky <craig () onshore com>
Date: Sun, 21 Sep 1997 12:05:07 -0500

On Fri, 19 Sep 1997, Jim Raykowski wrote:

> Hello All,
>   Here is my plan for implementing a firewall at my site and I would like
> to hear some comments on the goods and bads.

This is very similar to what I am running/designing.  We have a small 
LAN of about 20 computers of mixed breed and species doing everything 
from NSCalendar services to SMB and NFS/NIS+.  I set it up primarily as a 
training ground for several of the tech support people we have around the 
office and ran into several issues which I hope to help you avoid.

>   My plan is to build a Pentium 133 with 32 MB RAM with 540 MB Hard Drive
> running Linux Slackware using kernel 2.0.30 and TIS Firewall Toolkit 2.0.
> I plan to use the SMTP, HTTP, TELNET, and FTP proxies from the FWTK and set
> up a fake DNS on this machine.

May I suggest that you stay away from the 2.0.30 kernel; it has several 
problems including but not limited to broken transparent proxy support, 
SCSI flakiness, and other bugs.  Kernels earlier than 2.0.27, I believe, 
should have trans proxy working, and for the most stable environment go 
with 1.2.13 if you don't need the extra features in the 2.0.X kernels.  
2.0.30 pre9 is out and has some memory leaks and other issues, but if 
you can wait till 2.0.31 it should be a stable kernel since the developers 
are concentrating on releasing a 1.2.13 caliber kernel for the 2.0.X 
series now.

The HTTP gateway has some flakiness when it comes to rewriting URLs. I
have had it break several pages that have Javascript URLs in them, i.e.:
<a href="Javascript:funccal(arg,arg,arg)">
got rewritten with a ":" appended to it, thus breaking things.  What you 
may want to do is either get a beefier box for your firewall and run 
something like Squid in caching mode (slap a SCSI disk on there for the 
cache dirs) or run Squid non-caching.  It has a lot of nice features like 
DNS caching and such that will make your web access slicker.  May I also 
suggest using Junkbusters.  I set it up to forward chain to Squid.

The SMAP gateway is nice, but keep an eye on it.  I have in the past had 
it go into a runaway loop and fill up some partitions with log messages 
and bounced mail.  I do not know if the current version fixed the problem, 
which was related to a message not being requeued or discarded after 
sendmail failed to send it.

>   I will build another Linux computer to act as the internal DNS that will
> forward all queries it cannot answer to the firewall and then forward
> answers back to the systems that asked.  It will also be my network
> monitoring station and the station that I xfer all updates to my external web
> and ftp servers from.

I also have a Linux box doing much of the same.

>   My default policy will be to deny all unless otherwise permitted.  I am
> trying to protect the information as we deal with government contracts but
> still need access to the internet to look up data and exchange information
> with other contractors.
> Thanks,

I attempted to implement the same policy and have found that the fwtk and 
Linux were not really suitable for it when considering the needs I have, 
but with a little bit of coding I think you could pull it off.  The major 
problem I had was transparent proxies in 2.0.30 not working, as well as 
attempting to proxy ssh.  My goal was/is to create a version of plug-gw that 
could take a transparently proxied connection, deduce where the connection 
was attempted to, check against an ACL list, and then forward it.  The 
transproxyd that comes with Debian cannot do this.


Craig Brozefsky              craig () onshore com
onShore Inc.                 http://www.onshore.com/~craig
Development Team             p_priority=PFUN+(p_work/4)+(2*p_cash)
I hear my inside, the mechanized hum of another world - Steely Dan
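As an added illustration (not Craig's or Jim's code, and not part of the FWTK), here is a minimal Python sketch of the plug-gw variant Craig describes: recover the intended destination of a transparently redirected connection, check it against a deny-all-unless-permitted ACL of the kind Jim wants, and plug it through. The ACL entries are constructed sample values, and the assumption that getsockname() on the accepted socket reports the client's original destination mirrors the old Linux 2.0 transparent-proxy behaviour.

```python
import ipaddress
import select
import socket

# Constructed sample ACL: (network, port) pairs internal hosts may reach.
# Anything not listed is denied (deny-all-unless-permitted, as in the thread).
ACL = [
    ("192.0.2.0/24", 22),       # ssh to a documentation-range "contractor" net
    ("198.51.100.10/32", 443),  # one specific HTTPS host
]

def decide(acl, dst_ip, dst_port):
    """Deny-by-default: True only if some (network, port) rule covers the destination."""
    addr = ipaddress.ip_address(dst_ip)
    return any(port == dst_port and addr in ipaddress.ip_network(net)
               for net, port in acl)

def original_destination(conn):
    """Assumption: as with the Linux 2.0 transparent-proxy patches, getsockname()
    on the accepted socket reports the client's intended destination, not ours."""
    ip, port = conn.getsockname()[:2]
    return ip, port

def pump(a, b):
    """Copy bytes in both directions until either side closes."""
    while True:
        ready, _, _ = select.select([a, b], [], [])
        for s in ready:
            data = s.recv(4096)
            if not data:
                return
            (b if s is a else a).sendall(data)

def serve(listen_addr, acl):
    """Accept redirected connections, apply the ACL, plug through or drop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(16)
    while True:
        conn, _peer = srv.accept()
        with conn:
            dst_ip, dst_port = original_destination(conn)
            if not decide(acl, dst_ip, dst_port):
                continue  # denied: closing the socket drops the connection
            with socket.create_connection((dst_ip, dst_port), timeout=10) as up:
                pump(conn, up)
```

Run as `serve(("0.0.0.0", 8888), ACL)` behind a kernel rule that redirects outbound TCP to port 8888; the decision is logged nowhere here, so a real deployment would add logging of denied (source, destination) pairs.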