[ale] Opinion Call: Firewalls for DSL
Ray Knight - Clientlink
rayk at clientlink.com
Mon Jul 3 10:32:49 EDT 2000
You could have used any of the number of Linux based firewall/router distros that
use a single floppy approach on your original target machine. The
following is a list of a few that I have tried. I am currently using the
FreeSCO solution, but the others have their advantages as
well:

ShareTheNet     http://www.ShareTheNet.com/
FreeSCO         http://www.linuxsupportline.com/~router/
floppyfw        http://www.zelow.no/floppyfw/
Coyote Linux    http://www.coyotelinux.com/coyote.html
FirePlug        http://edge.fireplug.net/

And of course there is the Linux Router Project at http://www.linuxrouter.org

Ray Knight
audilvr at speakeasy.org
-----Original Message-----
From: owner-ale at ale.org [mailto:owner-ale at ale.org] On Behalf Of Jeff Hubbs
Sent: Monday, July 03, 2000 12:51 AM
To: ale at ale.org
Subject: [ale] Opinion Call: Firewalls for DSL

A couple of months ago, I made a strategic decision to pop for the NetMax
Firewall/Router product from CyberNet.
My dangerously optimistic premise was that I had a lot of things to
integrate at the house - new computer, firewall, Telocity DSL (no complaints,
BTW), old computer - and I thought that the NetMax' "thin server"
Web-administered approach would help me get going quicker.
My target machine was going to be a VLBus 486DX/33 in which I could put as
much as 32MB of RAM, and I had already set myself up with some ISA-bus
Ethernet cards to choose from, three of them being NE2000 clones.
I also scored a 3Com 3C515 - an ISA-bus 10/100 full-duplex card.
The first problem I had was that whereas the NetMax docs said it supported
the 3Com 3C515, there appeared to be no way to get it to work, and when I
called tech support, the person that answered didn't even seem to understand
the question when I tried to find out how. I finally had to insist to
speak to someone who had firsthand experience with the product. When I
finally did, I learned that my question about the 3C515 apparently had no
answer and that the claim of supporting the 3C515 was apparently a lot of
hogwash. I also learned that when the NetMax docs say that a Pentium is
the minimum required CPU, they mean it - it is unstable on a 486 (he did not
indicate that it was compiled for Pentium; that's my assumption).
This fellow offered to set me up with the FreeBSD version in trade for the
Linux version that I bought and my address was taken down. It never
arrived.
I decided that I would try to soldier ahead with what I had. I picked
up a fairly nice Pentium/75 at MicroSeconds. It took me a few tries to
get anywhere with it, but I eventually got it to work with two interfaces,
performing NAT. One key element to my eventual success was that the only
documentation that is usable is a single article on their Web page; the
provided documentation is NOT sufficient to figure out the installation.
Here is my sack of woes to date:
At the moment, even after a reboot, the Web interface is not
reacting. It was working fine, but now, zip.
The interface, when it did work, is DOG SLOW. If you make
config changes, it takes this Pentium/75 with 256KB of cache and 72MB of RAM
*several minutes* to go through the commit/restart services process.
The console sometimes fills up with stuff like "Unable to handle kernel
NULL pointer dereference at..." or "Out of Memory" errors. Most of the
time, NAT operation seems to continue unabated but the "Out of Memory" stuff
got so bad that the machine would only respond to a three-fingered salute.
There is nothing documented or nothing I can locate in the Web interface
(again, when it worked) or the Web site that gives me the ability to enable
or block specific services or even ports - just a rather vaguely labeled set
of check boxes.
Things like sendmail are running. I don't want it running.
But, to stop it, I have to dig through /etc/rc.d or whatever in the typical
fashion.
So far, my attempts to configure X have been a total failure. The
video is a supported Cirrus Logic. All three offered methods of X
configuration at the console error out.
You log onto the console using the username and password you enter at
install time. It would be nice to su to root so you can run things
like fsck but the root password is unknown to me.
The Web site support options - the user forum and the knowledge base -
have been essentially useless and my one attempt at phone support was
horrendous. Before I went through all this, I had read the
Firewall-HOWTO and got a fair idea of the theory behind ipchains and I
understood that I had a lot to learn and that I would have to be careful to
harden the Internet-facing interface and generally be on my toes about
it. I had good reason to believe that the NetMax product was going to
help prevent me from having to be quite so down-and-dirty.
So, my question to you fine folks is basically this: should I have
bothered? Would I have been as well off if I had just put on a
bare-bones Red Hat 6.2 installation on the 486 and figured out ipchains?
Right now I have a marginally unstable firewall that is performing NAT like it
should, but when certain Internet functions don't work, it seems I have to
"open the hood" anyway and I really don't have a good way to know how well
protected my firewall is against the baddies.  I know some of you
have done the firewall thing with some success and inasmuch as I would *like*
a shortcut to a well-done firewall, I've just about concluded that the NetMax
product is not it and my $50 would have been better spent elsewhere.
So what do you think I should do?
- Jeff
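Jeff's message asks whether a bare Red Hat 6.2 box with hand-written ipchains rules would have served better, and complains that NetMax offers no way to block specific ports and leaves sendmail exposed. The script below is an added example of what such a hand-written ruleset looks like for a two-NIC NAT box on a 2.2 kernel; it is not code from either poster or from any of the products named. The interface names (eth0 external, eth1 LAN), the 192.168.1.0/24 range and the list of locally blocked ports are assumptions for the example; set IPCHAINS=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Constructed example: ipchains ruleset for a two-interface Linux 2.2 NAT box
# (the Red Hat 6.2 / Firewall-HOWTO era discussed above).
# Interface names, the LAN range and the port list are assumptions, not taken
# from any product. Set IPCHAINS=echo to dry-run without touching the kernel.
IPCHAINS="${IPCHAINS:-ipchains}"

apply_rules() {
    ext="$1"      # Internet-facing interface, e.g. eth0 (assumed name)
    lan="$2"      # LAN interface, e.g. eth1 (assumed name)
    lan_net="$3"  # private range behind the box, e.g. 192.168.1.0/24

    # Flush everything and default-deny inbound and forwarded traffic.
    # Anything not explicitly allowed below is dropped, so a service that
    # happens to be running (sendmail, the Web admin UI) is not reachable
    # from the Internet side even if it was never switched off.
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT

    # Loopback and the LAN side are trusted.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$lan" -s "$lan_net" -j ACCEPT

    # Anti-spoofing: packets claiming a private or loopback source must never
    # arrive on the external interface. Logged (-l) so probes show up in syslog.
    $IPCHAINS -A input -i "$ext" -s "$lan_net" -j DENY -l
    $IPCHAINS -A input -i "$ext" -s 127.0.0.0/8 -j DENY -l

    # Per-service denies for daemons running on the firewall itself
    # (ssh 22, sendmail 25, Web admin 80/443). The catch-all SYN rule below
    # would drop these too; listing them first makes the log line say which
    # service was being poked at.
    for port in 22 25 80 443; do
        $IPCHAINS -A input -i "$ext" -p tcp -d 0/0 "$port" -j DENY -l
    done

    # ipchains keeps no connection state, so "established only" is approximated
    # with the SYN flag: drop new inbound TCP connections (-y), accept the rest
    # (! -y), which covers replies to connections the LAN opened outbound.
    $IPCHAINS -A input -i "$ext" -p tcp -y -j DENY -l
    $IPCHAINS -A input -i "$ext" -p tcp ! -y -j ACCEPT

    # Replies to outbound DNS lookups and ICMP errors (path MTU etc.) are
    # needed for the LAN to work at all.
    $IPCHAINS -A input -i "$ext" -p udp -s 0/0 53 -j ACCEPT
    $IPCHAINS -A input -i "$ext" -p icmp -j ACCEPT

    # NAT: masquerade the LAN out of the external interface (in the forward
    # chain -i is the outgoing interface). Nothing else is forwarded.
    $IPCHAINS -A forward -i "$ext" -s "$lan_net" -j MASQ
}

# Usage on the firewall (as root, after enabling ip_forward):
#   ./ipchains-rules.sh eth0 eth1 192.168.1.0/24
# Dry run on any machine:
#   IPCHAINS=echo ./ipchains-rules.sh eth0 eth1 192.168.1.0/24
if [ "$#" -eq 3 ]; then
    apply_rules "$@"
fi
```

Forwarding itself is enabled separately with `echo 1 > /proc/sys/net/ipv4/ip_forward`; the rules are normally replayed from an rc script at boot, since ipchains rules do not survive a reboot.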