From: "Dave Nebinger"
Reply-to: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: iptables advice for stand alone box under different usage scenarios
Date: Thu, 08 Sep 2005 16:27:04 -0400
Message-id: <003501c5b4b3$ad61a350$0a00a8c0@butthead>
References: <00e201c5b497$93b4acc0$0a00a8c0@butthead>

>> For the gentoo box to act as the router/gateway/hub, you need more than
>> one ethernet card in the box.
>
> OK, but under the ADSL connection scenario (diagram A) I already have a
> hardware router/gateway, so do I still need a two card configuration? What
> I am trying to do is protect the Gentoo box from other boxes in the LAN
> (behind the Netgear router), or when connected to the Internet via dialup
> then protect it from other internet machines.

Depends. Personally I had little love for my netgear router when it was in
place. I had a couple of issues:

1. Although my gentoo box allowed for externally-generated syslog entries,
the netgear router (even though the gui suggested it would) would not forward
syslog messages to my gentoo box, so I missed out on things like knowing who
was hitting the router.

2. Could not find an easy way to extract the external IP address from the
darn thing. My domain name is managed via dyndns.org, and I only wanted to
trigger an update when an actual ip address change occurred. It was either
that or tickle the dyndns.org system every few minutes so it would update IP
address from the incoming connection.

3. Performance, over time, would drop down to a trickle. The only way to get
it back up was to reboot the router. And since I didn't want to expose the
admin interface to the world, that meant that I would have to wait till I was
on-site to reboot it.

4. DNS & DHCP - It still isn't clear to me how their DNS is set up; although
it will act as the gateway for internal systems, I couldn't tell if it was
using a caching DNS service or was just passing DNS queries up the stream for
processing. DHCP gets managed by the router, so you have little control
beyond designating the range to use for dynamic address assignments.

5. No DMZ support - everything plugged into the netgear box is 'exposed'. In
my current gentoo gateway, I can and do severely limit traffic on the
intranet side while being a little less controlling on the DMZ side. Should a
penetration of the DMZ occur, I know that the line of demarcation between the
DMZ and the intranet should protect my sensitive information.

6. No ssh access, no ability to programmatically get information from the
router, and other minor complaints.

In any case I ended up dumping netgear and running with a Sangoma ADSL card.
All the benefits of using ADSL whilst including all the access and
administration my gentoo box allows.

>> As for the firewall questions, your rules are going to fall into a couple
>> of different flavors:
>>
>> a) desktop only: For this setup you're basically going to block all
>> incoming traffic, allow all outbound traffic and existing traffic.
>> Forwarding is not an issue.
>
> Right, is that tight enough? I mean, shouldn't I accept only specific
> outgoing protocols/ports and then be blocking everything else which might
> try to get out? I'm thinking here in trojan terms and the way certain
> M$Windoze 'personal firewalls' are usually set up.

Well, as a desktop system (meaning there is no other windblows systems behind
the gentoo box), you really won't have to worry too much about that. All
incoming connections would be denied (i.e. mail, dns, ssh, etc.) so no one
could get into the box to plant a trojan or virus, so nothing would be
exposed. In this scenario somehow you'd have to install something that would
open a backdoor to a remote hacker's system - they couldn't connect
automatically and the whole thing would be a pain in the ass for them to
develop as opposed to your standard windblows problems.

>> d) combination: The combo system wraps service providing and gateway (and
>> possibly desktop) into one box. This setup is similar to the server
>> scenario, except it also must include the gateway type rules to ensure
>> that internal entities can get to the outside & back.
>
> I guess that I'll need some sort of a combo set up if I am to use the
> Gentoo box as a server to be accessed both by machines in the WAN and by
> PC/laptop in my LAN. On the other hand, I am thinking that all this
> masquerading/IPforwarding and NATing could be achieved by my Netgear?

That's the setup I run. I've got a gentoo box that is the gateway and, since
it is beefed up, also runs my ftp and mail service. Web and other services
are routed into the DMZ. The local network where I serve my printer, windows
boxen, and other gentoo systems are on another card. The main box manages
the communications with the outside world, from the outside world, as well as
internal traffic. Quite a sweet setup, if I do say so myself.

Yes, the netgear will handle the NAT and forwarding stuff for you, as long as
you're happy with it.

-- 
gentoo-user@gentoo.org mailing list
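The two rule "flavors" discussed in the thread, the desktop-only box (drop all inbound, allow outbound and established traffic) and the combination gateway (NAT for the LAN, services on the box itself, web traffic handed into a DMZ host, and no new connections from the DMZ back into the LAN), as an added example that is not from the original post or from anyone in the thread. It is a POSIX shell script that emits rulesets in iptables-restore format rather than running iptables directly, so the output can be reviewed before it is loaded. The interface names eth0/eth1/eth2 and the DMZ web server address 192.168.2.10 used in the comments and tests are placeholders; the conntrack match is used for state tracking.

```shell
#!/bin/sh
# Added example (not from the gentoo-user thread): generate iptables-restore
# rulesets for the desktop-only and combination-gateway scenarios.
# Interface names and the DMZ web server address are placeholders supplied
# by the caller; nothing here is loaded into the kernel by this script.

# a) desktop only: drop everything inbound, allow all outbound, and let the
#    replies to connections this box opened back in. Nothing is forwarded.
desktop_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
COMMIT
EOF
}

# d) combination: the box is the gateway (masquerading the LAN and DMZ),
#    serves mail and ftp itself, forwards web traffic to a DMZ host, and
#    lets the LAN reach the DMZ while no NEW connection may go DMZ -> LAN
#    (the "line of demarcation"; the default FORWARD DROP enforces it).
#    Arguments: WAN interface, LAN interface, DMZ interface, DMZ web host IP.
gateway_ruleset() {
    wan=$1
    lan=$2
    dmz=$3
    web=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web:80
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $lan -o $dmz -j ACCEPT
-A FORWARD -i $dmz -o $wan -j ACCEPT
-A FORWARD -i $wan -o $dmz -p tcp -d $web --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Usage:  sh fw.sh desktop            > /etc/iptables.rules
#         sh fw.sh gateway eth0 eth1 eth2 192.168.2.10 > /etc/iptables.rules
# then review the file and load it with: iptables-restore < /etc/iptables.rules
case "${1:-}" in
    desktop) desktop_ruleset ;;
    gateway) shift; gateway_ruleset "$@" ;;
    *) : ;;   # no argument: only define the functions (sourced or under test)
esac
```

The gateway variant also needs `net.ipv4.ip_forward=1` in sysctl, and the ftp conntrack helper (`nf_conntrack_ftp`) loaded so that ftp data connections are classed as RELATED; the sshd rule deliberately accepts only from the LAN interface, matching the post's point that the admin side should not be exposed to the world.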