[ale] Opinion Call: Firewalls for DSL

Robert Hoffman rob at frankenlinux.com
Tue Jul 4 17:56:48 EDT 2000


Hi Jeff,

I've been using Coyote Linux for the last month. It's an adapted version of the Linux Router Project. It runs on a single write-protected floppy that you create from a nice script that walks you through your options. It does a nice job, especially as an interim or emergency solution.

I have just built a new firewall using FreeBSD. This was my first foray into the FreeBSD world but it wasn't that hard to figure out (it is very similar to Linux but without the SystemV init system). I have to say that I really like FreeBSD. The reason I switched was for the rock-solid stability, and the TCP/IP stack. I figure that if FreeBSD's IP stack is 10% more efficient than Linux's, that's 10% more bandwidth for my users.

The hardest part for me was setting up the firewall rules. I can send you my rc.firewall file if you decide to go this route.

I think that many of the things giving you a headache so far shouldn't even be messed with. You don't need X, a web interface, or regular user accounts on a Firewall.

The firewall rules are rarely going to change. Just set the box up using a TUI (text user interface), run tripwire on it, back up your scripts to floppy, and leave it alone. You might also consider forwarding critical log alerts to your workstation.

I'll probably get flamed for this but I don't think mission critical servers should be running on 486 hardware, even if the services don't require more horsepower. I just don't trust 5-year-old hardware to run production boxes. Your Pentium 75 is at least a year or two younger.

If you stick with a Linux solution, you can get rid of unwanted services easily by doing an 'ls /etc/rc.d/rc3.d' to see which services are set to start in run level 3 (they start with an 'S'). Then use 'chkconfig <service> off' on each unwanted service to remove it from the runlevel. For a firewall, I would remove everything you don't need; this includes inetd. (I know chkconfig works for RedHat based systems... don't know about the other distros.) Restart or manually stop the services for the changes to take effect.

Hope you have a great 4th of July.

-Rob Hoffman


---------- Original Message ----------------------------------
From: Jeff Hubbs <jhubbs at telocity.com>
To: ale at ale.org
Date: Mon, 03 Jul 2000 00:50:33 -0400

>A couple of months ago, I made a strategic decision to pop for the
>NetMax Firewall/Router product from CyberNet.
>
>My dangerously optimistic premise was that I had a lot of things to
>integrate at the house - new computer, firewall, Telocity DSL (no
>complaints, BTW), old computer - and I thought that the NetMax' "thin
>server" Web-administered approach would help me get going quicker.
>
>My target machine was going to be a VLBus 486DX/33 in which I could put
>as much as 32MB of RAM, and I had already set myself up with some
>ISA-bus Ethernet cards to choose from, three of them being NE2000
>clones.   I also scored a 3Com 3C515 - an ISA-bus 10/100 full-duplex
>card.
>
>The first problem I had was that whereas the NetMax docs said it
>supported the 3Com 3C515, there appeared to be no way to get it to work,
>and when I called tech support, the person that answered didn't even
>seem to understand the question when I tried to find out how.  I finally
>had to insist to speak to someone who had firsthand experience with the
>product.  When I finally did, I learned that my question about the 3C515
>apparently had no answer and that the claim of supporting the 3C515 was
>apparently a lot of hogwash.  I also learned that when the NetMax docs
>say that a Pentium is the minimum required CPU, they mean it - it is
>unstable on a 486 (he did not indicate that it was compiled for Pentium
>but that's my assumption).  This fellow offered to set me up with the
>FreeBSD version in trade for the Linux version that I bought and my
>address was taken down.  It never arrived.
>
>I decided that I would try to soldier ahead with what I had.  I picked
>up a fairly nice Pentium/75 at MicroSeconds.  It took me a few tries to
>get anywhere with it, but I eventually got it to work with two
>interfaces, performing NAT.  One key element to my eventual success was
>that the only documentation that is usable is a single article on their
>Web page; the provided documentation is NOT sufficient to figure out the
>installation.
>
>Here is my sack of woes to date:
>
>  1. At the moment, even after a reboot, the Web interface is not
>     reacting.  It was working fine, but now, zip.
>  2. The interface, when it did work, is DOG SLOW.  If you make config
>     changes, it takes this Pentium/75 with 256KB of cache and 72MB of
>     RAM *several minutes* to go through the commit/restart services
>     process.
>  3. The console sometimes fills up with stuff like "Unable to handle
>     kernel NULL pointer dereference at..." or "Out of Memory" errors.
>     Most of the time, NAT operation seems to continue unabated but the
>     "Out of Memory" stuff got so bad that the machine would only
>     respond to a three-fingered salute.
>  4. There is nothing documented or nothing I can locate in the Web
>     interface (again, when it worked) or the Web site that gives me the
>     ability to enable or block specific services or even ports - just a
>     rather vaguely labeled set of check boxes.
>  5. Things like sendmail are running.  I don't want it running.  But,
>     to stop it, I have to dig through /etc/rc.d or whatever in the
>     typical fashion.
>  6. So far, my attempts to configure X have been a total failure.  The
>     video is a supported Cirrus Logic.  All three offered methods of X
>     configuration at the console error out.
>  7. You log onto the console using the username and password you enter
>     at install time.  It would be nice to su to root so you can run
>     things like fsck but the root password is unknown to me.
>  8. The Web site support options - the user forum and the knowledge
>     base - have been essentially useless and my one attempt at phone
>     support was horrendous.
>
>Before I went through all this, I had read the Firewall-HOWTO and got a
>fair idea of the theory behind ipchains and I understood that I had a
>lot to learn and that I would have to be careful to harden the
>Internet-facing interface and generally be on my toes about it.  I had
>good reason to believe that the NetMax product was going to help prevent
>me from having to be quite so down-and-dirty.
>
>So, my question to you fine folks is basically this:  should I have
>bothered?  Would I have been as well off if I had just put on a
>bare-bones Red Hat 6.2 installation on the 486 and figured out
>ipchains?  Right now I have a marginally unstable firewall that is
>performing NAT like it should, but when certain Internet functions don't
>work, it seems I have to "open the hood" anyway and I really don't have
>a good way to know how well protected my firewall is against the
>baddies.   I know some of you have done the firewall thing with some
>success and inasmuch as I would *like* a shortcut to a well-done
>firewall, I've just about concluded that the NetMax product is not it
>and my $50 would have been better spent elsewhere.
>
>So what do you think I should do?
>
>- Jeff
>
>--
>To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
>