[ale] IPCop 1.4.6
brucelists at bellsouth.net
Fri Jul 8 23:30:14 EDT 2005
I had opened a port on my router to allow access in to a small Cisco lab. I wasn't really happy about having a pinhole into my LAN, and from there having a jumping off point to any PC that might have telnet open. Currently I don't have telnet open on anything, but you never know what can happen when you start messing around. Anyway - the Cisco routers use telnet, you need a newer IOS (12.3 I believe) with a security feature set if you want to require SSH access, so opening up a lab also means you open up telnet.
Hmmm, think I'll just shut it down. I opened it so co-workers could have lab access to work through CCNA and CCNP certs. I need to rethink that (in a tough job market, it might be better if I got certs first, then helped friends and co-workers later).
Anyway, I picked up a clunker PC off e-bay. A penny for the PC and 32.95 for S&H. 32.96 gave me an ancient Dell Optiplex 1 running at 333 MHz, with 64 MB of RAM and a 4.1 GB hard drive. Definitely worth a penny, not sure about 32.96 though.
I had a spare Netgear FA311 Fast Ethernet NIC, so popped it in, downloaded the IPCop 1.4.6 ISO, burned it to CD and away we go!
First - the 1.4.6 does not automagically find the Netgear FA311 card. You have to specify natsemi. It picked up the original Ethernet card in the PC, it just wasn't point and shoot with the FA311. No problem. The install went very easily once I figured the FA311 card was working. (I knew the FA311 works fine, I have it running under SuSE and also ran it under Sarge.)
I configured a "green" interface for the inside of my LAN. I also set up DHCP, DNS and proxy. I configured a "red" interface for connecting to my lab segment. I guess it's a DMZ. It has a DSL connection, a Linksys pretending to block inbound packets and port 23 forwarded to a Cisco router. So, I popped the IPCop firewall on that segment, and am in the process of moving user PCs off that segment and behind the IPCop.
I tested access out from behind the firewall. It worked! I then started a VPN client connection (software on the PC) to my office. That worked. Did some work that actually worked. Pretty happy.
Finally, I installed the IPCop add-on server code. I do not have experience with ssh and scftp (or sftp?) - so that was a learning process. After installing the add-on code, I installed SquidGuard (by pushing a button), updated blacklists (by pushing a button) and clicked on what things I wanted blocked. Set up the range of PCs to use the block filter (all of 'em!), and tried going to a P*rn-o-matic site. I was blocked, and a nifty screen showed up in my browser 'splaining why.
Very simple, very cool, I'm a GUI kind of guy.
Now for the fun part. I have a WRT54G for my router and wireless access point. I need to shut that down and reinstall my BEFSX41 firewall router for wired access. From there, a connection to my lab and to the IPCop firewall. Then pull the WAP54G out and connect that behind the firewall. Anyway - it works for one PC. The trick will be reconfiguring the LAN to make it work for the rest of 'em.
Now, for goofy ASCII:
Internet --> BEFSX41 --> DMZ (Cisco LAB) <-- Red -|<-IPCop->|- Green (Home LAN)
             192.168.1.1 .3                  .x                192.168.2.x
(I know Bob's book would build a much more secure firewall. If this was for a commercial network or if I was more network-savvy, I'd go that route)