[ale] Opinion Call: Firewalls for DSL
Jeff Hubbs
Jhubbs at niit.com
Wed Jul 5 10:55:49 EDT 2000
Robert -
Thanks for your response and Ray, thanks for yours as well.
I downloaded the Coyote distro and I think I can get somewhere with it. Is
your FreeBSD solution also a single-floppy deal or did you go forward from a
regular on-hard-drive installation?
I haven't seen the answer to this on the Coyote Web site, but does it have a
reasonable ipchains rule set in place when it's first brought up (I'm
assuming it uses ipchains)?
About the use of a 486: This particular machine (an NEC Ready 433) has
actually shown itself to be quite hardy. If I remove the HD and CD-ROM
drives, it should be hardier still by virtue of less heat and less draw on
the PS.
- Jeff
> -----Original Message-----
> From: Robert Hoffman [mailto:rob at frankenlinux.com]
> Sent: Tuesday, July 04, 2000 5:57 PM
> To: ale at ale.org; Jeff Hubbs
> Subject: Re: [ale] Opinion Call: Firewalls for DSL
>
>
> Hi Jeff,
>
> I've been using Coyote Linux for the last month. It's an
> adapted version of the Linux Router Project. It runs on a
> single write-protected floppy that you create from a nice
> script that walks you through your options. It does a nice
> job, especially as an interim or emergency solution.
>
> I have just built a new firewall using FreeBSD. This was my
> first foray into the FreeBSD world but it wasn't that hard to
> figure out (it is very similar to Linux but without the
> SystemV init system.) I have to say that I really like
> FreeBSD. The reason I switched was for the rock-solid
> stability, and the TCP/IP stack. I figure that if FreeBSD's
> IP stack is 10% more efficient than Linux's, that's 10% more
> bandwidth for my users.
>
> The hardest part for me was setting up the firewall rules. I
> can send you my rc.firewall file if you decide to go this route.
>
> I think that many of the things giving you a headache so far
> shouldn't even be messed with. You don't need X, a web
> interface, or regular user accounts on a Firewall.
>
> The firewall rules are rarely going to change. Just set the
> box up using a TUI (text user interface), run tripwire on it,
> back up your scripts to floppy, and leave it alone. You might
> also consider forwarding critical log alerts to your workstation.
>
> I'll probably get flamed for this but I don't think mission
> critical servers should be running on 486 hardware, even if
> the services don't require more horsepower. I just don't
> trust 5 year old hardware to run production boxes. Your
> pentium 75 is at least a year or two younger.
>
> If you stick with a Linux solution, you can get rid of
> unwanted services easily by doing an 'ls /etc/rc.d/rc3.d' to
> see which services are set to start in run level 3 (they
> start with an 'S'). Then use chkconfig <service> off on each
> unwanted service to remove it from the runlevel. For a
> firewall, I would remove everything you don't need, this
> includes inetd. (I know chkconfig works for RedHat based
> systems...don't know about the other distros.) Restart or
> manually stop the services for the changes to take effect.
>
> Hope you have a great 4th of July.
>
> -Rob Hoffman
>
>
> ---------- Original Message ----------------------------------
> From: Jeff Hubbs <jhubbs at telocity.com>
> Date: Mon, 03 Jul 2000 00:50:33 -0400
>
> >A couple of months ago, I made a strategic decision to pop for the
> >NetMax Firewall/Router product from CyberNet.
> >
> >My dangerously optimistic premise was that I had a lot of things to
> >integrate at the house - new computer, firewall, Telocity DSL (no
> >complaints, BTW), old computer - and I thought that the NetMax' "thin
> >server" Web-administered approach would help me get going quicker.
> >
> >My target machine was going to be a VLBus 486DX/33 in which I could put
> >as much as 32MB of RAM, and I had already set myself up with some
> >ISA-bus Ethernet cards to choose from, three of them being NE2000
> >clones. I also scored a 3Com 3C515 - an ISA-bus 10/100 full-duplex
> >card.
> >
> >The first problem I had was that whereas the NetMax docs said it
> >supported the 3Com 3C515, there appeared to be no way to get it to work,
> >and when I called tech support, the person that answered didn't even
> >seem to understand the question when I tried to find out how. I finally
> >had to insist on speaking to someone who had firsthand experience with
> >the product. When I finally did, I learned that my question about the
> >3C515 apparently had no answer and that the claim of supporting the
> >3C515 was apparently a lot of hogwash. I also learned that when the
> >NetMax docs say that a Pentium is the minimum required CPU, they mean
> >it - it is unstable on a 486 (he did not indicate that it was compiled
> >for Pentium but that's my assumption). This fellow offered to set me up
> >with the FreeBSD version in trade for the Linux version that I bought
> >and my address was taken down. It never arrived.
> >
> >I decided that I would try to soldier ahead with what I had. I picked
> >up a fairly nice Pentium/75 at MicroSeconds. It took me a few tries to
> >get anywhere with it, but I eventually got it to work with two
> >interfaces, performing NAT. One key element to my eventual success was
> >that the only documentation that is usable is a single article on their
> >Web page; the provided documentation is NOT sufficient to figure out the
> >installation.
> >
> >Here is my sack of woes to date:
> >
> > 1. At the moment, even after a reboot, the Web interface is not
> >    reacting. It was working fine, but now, zip.
> > 2. The interface, when it did work, is DOG SLOW. If you make config
> >    changes, it takes this Pentium/75 with 256KB of cache and 72MB of
> >    RAM *several minutes* to go through the commit/restart services
> >    process.
> > 3. The console sometimes fills up with stuff like "Unable to handle
> >    kernel NULL pointer dereference at..." or "Out of Memory" errors.
> >    Most of the time, NAT operation seems to continue unabated but the
> >    "Out of Memory" stuff got so bad that the machine would only
> >    respond to a three-fingered salute.
> > 4. There is nothing documented or nothing I can locate in the Web
> >    interface (again, when it worked) or the Web site that gives me the
> >    ability to enable or block specific services or even ports - just a
> >    rather vaguely labeled set of check boxes.
> > 5. Things like sendmail are running. I don't want it running. But,
> >    to stop it, I have to dig through /etc/rc.d or whatever in the
> >    typical fashion.
> > 6. So far, my attempts to configure X have been a total failure. The
> >    video is a supported Cirrus Logic. All three offered methods of X
> >    configuration at the console error out.
> > 7. You log onto the console using the username and password you enter
> >    at install time. It would be nice to su to root so you can run
> >    things like fsck but the root password is unknown to me.
> > 8. The Web site support options - the user forum and the knowledge
> >    base - have been essentially useless and my one attempt at phone
> >    support was horrendous.
> >
> >Before I went through all this, I had read the Firewall-HOWTO and got a
> >fair idea of the theory behind ipchains and I understood that I had a
> >lot to learn and that I would have to be careful to harden the
> >Internet-facing interface and generally be on my toes about it. I had
> >good reason to believe that the NetMax product was going to help prevent
> >me from having to be quite so down-and-dirty.
> >
> >So, my question to you fine folks is basically this: should I have
> >bothered? Would I have been as well off if I had just put a bare-bones
> >Red Hat 6.2 installation on the 486 and figured out ipchains? Right now
> >I have a marginally unstable firewall that is performing NAT like it
> >should, but when certain Internet functions don't work, it seems I have
> >to "open the hood" anyway and I really don't have a good way to know
> >how well protected my firewall is against the baddies. I know some of
> >you have done the firewall thing with some success and inasmuch as I
> >would *like* a shortcut to a well-done firewall, I've just about
> >concluded that the NetMax product is not it and my $50 would have been
> >better spent elsewhere.
> >
> >So what do you think I should do?
> >
> >- Jeff
> >
> >
> >
> >--
> >To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
> >
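Rob's quoted advice (list the S* links in /etc/rc.d/rc3.d, chkconfig each unwanted service off, stop it, inetd included) is a procedure worth keeping as a script rather than typing by hand each time a box is rebuilt. The following is an added example and not code from the thread or from any of the products discussed. It assumes a Red Hat 6.x style layout (links named S<NN><service> in the runlevel directory, init scripts under /etc/rc.d/init.d, a chkconfig binary) and drives the pruning from an allowlist of what the firewall actually needs, so everything else is disabled by default. The demo directory and its link names are constructed for illustration; nothing on the real system is touched unless APPLY=1.

```sh
#!/bin/sh
# Added example, not from the thread: prune SysV services on a Red Hat 6.x
# style box the way Rob describes (look at /etc/rc.d/rc3.d, chkconfig off,
# stop), but driven by an allowlist of what a firewall actually needs.
# Assumptions: rc3.d links are named S<NN><service>, init scripts live in
# /etc/rc.d/init.d, chkconfig exists. The system is only touched when APPLY=1.

# Print the services that start in a runlevel directory (S* links), one per line.
services_in_runlevel() {
    for link in "$1"/S[0-9][0-9]*; do
        [ -L "$link" ] || [ -e "$link" ] || continue   # unmatched glob
        name=${link##*/}             # e.g. S80sendmail
        echo "${name#S[0-9][0-9]}"   # -> sendmail
    done
}

# Print the services in runlevel dir $1 that are NOT in the space-separated
# allowlist $2, in start order.
services_to_disable() {
    keep=" $2 "
    services_in_runlevel "$1" | while read -r svc; do
        case "$keep" in
            *" $svc "*) ;;           # on the allowlist, leave it alone
            *) echo "$svc" ;;
        esac
    done
}

# Disable and stop everything not on the allowlist. Dry run unless APPLY=1.
prune_services() {
    dir=$1
    keep=$2
    for svc in $(services_to_disable "$dir" "$keep"); do
        if [ "${APPLY:-0}" = 1 ]; then
            chkconfig "$svc" off
            /etc/rc.d/init.d/"$svc" stop
        else
            echo "would run: chkconfig $svc off; /etc/rc.d/init.d/$svc stop"
        fi
    done
}

# Constructed stand-in for /etc/rc.d/rc3.d so the functions can be exercised
# offline; the link targets do not need to exist. On Red Hat 6.x the inetd
# init script is named "inet".
demo_rc3d() {
    d=$(mktemp -d)
    for l in S10network S20inet S30syslog S40portmap S80sendmail S85httpd K20nfs; do
        ln -s "../init.d/${l#[SK][0-9][0-9]}" "$d/$l"
    done
    echo "$d"
}

# Real use, dry run first, then apply:
#   prune_services /etc/rc.d/rc3.d "network syslog ipchains"
#   APPLY=1 prune_services /etc/rc.d/rc3.d "network syslog ipchains"
```

Run the dry run, read the "would run" lines, and only then set APPLY=1. The allowlist is the point: on a firewall the list of things that may start is short enough to write down, and anything not on it should be off whether or not you happen to recognize its name in the rc3.d listing.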
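Jeff asks whether Coyote comes up with a reasonable ipchains rule set, and in his original post he notes he would have to harden the Internet-facing interface himself. The thread does not say what Coyote generates, so the following is an added example, not Coyote's rules and not Rob's rc.firewall: a baseline ipchains (Linux 2.2) policy for a two-interface masquerading firewall that you can diff against whatever a distro produces. The interface names eth0/eth1 and the LAN range 192.168.1.0/24 are assumptions and can be overridden in the environment. By default the script only prints the ipchains commands; APPLY=1 executes them.

```sh
#!/bin/sh
# Added example, not from the thread and not Coyote's generated rule set: a
# baseline ipchains (Linux 2.2) policy for a two-interface NAT firewall, to
# compare against whatever a distro hands you. Interface names and the LAN
# range are assumptions; override them in the environment. Rules are printed
# by default and executed only when APPLY=1.

EXT_IF=${EXT_IF:-eth0}               # assumed DSL-facing interface
INT_IF=${INT_IF:-eth1}               # assumed LAN-facing interface
INT_NET=${INT_NET:-192.168.1.0/24}   # assumed private LAN

# Execute one ipchains command, or print it in dry-run mode.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then ipchains "$@"; else echo "ipchains $*"; fi
}

firewall_rules() {
    # Flush, then default-deny on input and forward; the box itself may send.
    rule -F
    rule -P input DENY
    rule -P output ACCEPT
    rule -P forward DENY

    # Loopback and the LAN may reach the firewall box itself.
    rule -A input -i lo -j ACCEPT
    rule -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT

    # Anti-spoofing: LAN or loopback source addresses never arrive from DSL.
    rule -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    rule -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l

    # No inbound TCP connections from the Internet: log and drop SYNs,
    # accept the rest as replies to connections we opened ourselves.
    rule -A input -i "$EXT_IF" -p tcp -y -j DENY -l
    rule -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # ipchains is stateless, so UDP replies can only be matched by port:
    # allow DNS answers to unprivileged ports (tighten -s to your ISP's
    # resolvers if you can).
    rule -A input -i "$EXT_IF" -p udp --source-port 53 --destination-port 1024:65535 -j ACCEPT

    # ICMP the box needs: unreachables (path MTU), ping replies, traceroute.
    rule -A input -i "$EXT_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
    rule -A input -i "$EXT_IF" -p icmp --icmp-type echo-reply -j ACCEPT
    rule -A input -i "$EXT_IF" -p icmp --icmp-type time-exceeded -j ACCEPT

    # Masquerade the LAN out the DSL interface (on the forward chain, -i is
    # the outgoing interface); nothing else is forwarded.
    rule -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
}

# Kernel forwarding is off by default; turn it on only after the rules are in.
enable_forwarding() {
    if [ "${APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

# Review the output first, then apply (file name rc.firewall is illustrative):
#   sh rc.firewall
#   APPLY=1 sh rc.firewall
firewall_rules
enable_forwarding
```

The two checks to make against any vendor-generated rule set are the ones this script makes explicit: the input chain's default policy is DENY rather than ACCEPT, and new TCP connections (SYN) from the external interface are dropped and logged. The UDP port-53 rule shows the limitation of a stateless filter; it is the best ipchains can do without a local caching resolver, which is why the comment suggests pinning it to the ISP's resolver addresses.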