* [gentoo-user] A Gentoo Firewall howto?
From: James @ 2005-08-26 22:36 UTC
To: gentoo-user
Hello,
I've decided to take the plunge and build my first, full-featured
firewall on Gentoo. At first I was going to use 'gnap', but further
reading reveals that this sort of derived firewall is stateless,
and I want a stateful firewall. It's also masked.
(Feel free to correct me if I miss something.)
The firewall will have (3) NICs: Outside (static IP),
DMZ for several web servers, a mail server and DNS secondaries,
and a private one for a DNS server, PCs (doz) and assorted Linux systems.
So after googling for a while, I could not find any detailed documentation
on building a Gentoo-based robust firewall (I sure thought I'd run across
such a page/document, but nothing today).
I did find some packages to 'ease the pain' of configuring iptables
and completing the firewall. Recommendations here?
fwbuilder
bastille
kmyfirewall
firestarter
I did find this Gentoo document:
http://www.gentoo.org/doc/en/home-router-howto.xml
This example is for a 2-NIC basic firewall.
I need a DMZ that will have web servers, DNS servers, and
will ensure security.
I did find one Debian-centric security document:
http://www.debian.org/doc/manuals/securing-debian-howto
Alternatively, since this machine is only going to be a firewall
& ethernet router, rather than securing a complete Gentoo system
I could just use a 'firewall CD' installation, if one exists
as a Gentoo derivative.
Any other ideas or recommendations on documents or firewall install
config on Gentoo or a Gentoo derivative are most welcome.
Note: my firewall experience is mostly with OpenBSD.
James
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] A Gentoo Firewall howto?
From: Pablo A. Salgado @ 2005-08-26 22:52 UTC
To: gentoo-user
James,
I recently installed a firewall on Gentoo with 3 NICs. I used Firehol to
configure it, but if you want something kind of visual, Guarddog is my second
choice.
On 8/26/05, James <wireless@tampabay.rr.com> wrote:
* Re: [gentoo-user] A Gentoo Firewall howto?
From: Ron Bickers @ 2005-08-27 4:22 UTC
To: gentoo-user; +Cc: James
On Fri August 26 2005 06:36 pm, James wrote:
> I've decided to take the plunge and build my first, full featured
> firewall on Gentoo.
> Any other ideas or recommendations on documents or firewall install
> config on gentoo or a gentoo derivative are most welcome?
I've had good luck using Shorewall (shorewall.net). It should work the same
on any Linux with netfilter/iptables.
--
Ron
* Re: [gentoo-user] A Gentoo Firewall howto?
From: Heinz Sporn @ 2005-08-27 5:59 UTC
To: gentoo-user; +Cc: James
On Saturday, 27.08.2005, at 00:22 -0400, Ron Bickers wrote:
> On Fri August 26 2005 06:36 pm, James wrote:
>
> > I've decided to take the plunge and build my first, full featured
> > firewall on Gentoo.
>
> > Any other ideas or recommendations on documents or firewall install
> > config on gentoo or a gentoo derivative are most welcome?
>
> I've had good luck using Shorewall (shorewall.net). It should work the same
> on any Linux with netfilter/iptables.
Just wanted to second Shorewall, especially for its great
documentation.
> --
> Ron
--
Kind regards
Heinz Sporn
SPORN it-freelancing
Mobile: ++43 (0)699 / 127 827 07
Email: heinz.sporn@sporn-it.com
heinz.sporn@utanet.at
Website: http://www.sporn-it.com
Snail: Steyrer Str. 20
A-4540 Bad Hall
Austria / Europe
* Re: [gentoo-user] A Gentoo Firewall howto?
From: Oscar @ 2005-08-27 10:23 UTC
To: gentoo-user
I've used both firehol and shorewall, and they're both great!
But for a more advanced setup, I would recommend shorewall (firehol is a bit tricky at some points, like port-forwarding), it will save you a lot of time (setting up a 3 NIC firewall with shorewall takes less than 30 minutes)...
Oscar
On Fri, 26 Aug 2005 22:36:39 +0000 (UTC)
James <wireless@tampabay.rr.com> wrote:
* Re: [gentoo-user] A Gentoo Firewall howto?
From: William Kenworthy @ 2005-08-27 11:12 UTC
To: gentoo-user
Or use monmotha and be up and running in a couple of minutes. I am using
3 nics at the moment with it. I did try shorewall, but the setup time
and learning curve was so much greater I dumped it (the complexity
worried me as well - complex means it may be vulnerable to
misconfiguration). Mind you, on complex/commercial setups it probably
has an advantage, but not for SOHO/home use.
BillK
On Sat, 2005-08-27 at 12:23 +0200, Oscar wrote:
--
William Kenworthy <billk@iinet.net.au>
Home!
* Re: [gentoo-user] A Gentoo Firewall howto?
From: Mark Shields @ 2005-08-27 13:11 UTC
To: gentoo-user
I know you mentioned easing the pain, but good old iptables worked for
me - along with http://www.gentoo.org/doc/en/home-router-howto.xml -
after using that initial setup and becoming somewhat familiar with
iptables, I was able to modify a script to suit my needs, a 49-line
file that gets what I need done.
On 8/27/05, William Kenworthy <billk@iinet.net.au> wrote:
--
- Mark Shields
* [gentoo-user] Re: A Gentoo Firewall howto?
From: James @ 2005-08-27 15:42 UTC
To: gentoo-user
Mark Shields <laebshade <at> gmail.com> writes:
> I know you mentioned easing the pain, but good old iptables worked for
> me - along with http://www.gentoo.org/doc/en/home-router-howto.xml -
> after using that initial setup and becoming somewhat familiar with
> iptables, I was able to modify a script to suit my needs, a 49-line
> file that gets what I need done.
Well, I was going to follow this howto and try to figure out how to
add the dmz later. Since it's a firewall, I decided to use:
http://open-systems.ufl.edu/mirrors/gentoo/experimental/x86/hardened/livecd
Problem is it gives many options. I'm going to select:
grsec-noX
and then try to use this web page on home-router. Maybe when some folks
'get lucky' we can spin a version of this page that addresses a
DMZ with web servers and DNS servers, call it the home-office version.
I'm sure I'll be whining on the list when I do something stupid...
James
* Re: [gentoo-user] Re: A Gentoo Firewall howto?
From: Mark Shields @ 2005-08-27 23:58 UTC
To: gentoo-user
I used this setup on a multi-purpose server I built from parts. It
also functions as an ftp, http, sftp, ssh, vnc and samba server. Hey,
have to put it to work somehow.
On 8/27/05, James <wireless@tampabay.rr.com> wrote:
--
- Mark Shields
* Re: [gentoo-user] A Gentoo Firewall howto?
From: William Kenworthy @ 2005-08-28 12:07 UTC
To: gentoo-user
It's not just easing the pain: I am not sure that someone who is not
intimately familiar with iptables doing what amounts to a home-brew is
advisable. There's quite a number of ways to screw up and leave your
system exposed. The way to minimise the risk is to start with a known,
popular, opensource (i.e., many eyes) script that does the main things
for you - and then *test* it from both inside and outside.
The time to fiddle with something as "critical" as this is when you know
what you are doing. Many (most?) will be successful, but what about
those who try and do everything right and fail ...
BillK
On Sat, 2005-08-27 at 09:11 -0400, Mark Shields wrote:
> I know you mentioned easing the pain, but good old iptables worked for
...
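James's three-zone layout (outside with a static IP, a DMZ for web, mail and DNS, a private net) and Bill's advice to start from a known ruleset and then test it are the two technical points in this thread. What follows is an added example, not code from any poster or from the tools they name: a minimal stateful iptables-restore ruleset for that layout, generated by a shell script so it can be reviewed and sanity-checked before it is loaded. Interface names, network ranges and the DMZ host addresses are assumptions.

```shell
#!/bin/sh
# Added example: minimal stateful three-zone ruleset (iptables-restore format)
# for James's layout. Interface names and addresses below are assumptions.
WAN_IF=${WAN_IF:-eth0}               # outside, static public IP
DMZ_IF=${DMZ_IF:-eth1}               # DMZ: web, mail, DNS secondaries
LAN_IF=${LAN_IF:-eth2}               # private: DNS server, PCs, Linux boxes
DMZ_NET=${DMZ_NET:-192.168.10.0/24}
LAN_NET=${LAN_NET:-192.168.20.0/24}
DMZ_WEB=${DMZ_WEB:-192.168.10.10}    # constructed DMZ web server address
DMZ_MX=${DMZ_MX:-192.168.10.20}      # constructed DMZ mail server address
DMZ_NS=${DMZ_NS:-192.168.10.30}      # constructed DMZ DNS secondary address

# Print the ruleset; review it, then load as root with: gen_ruleset | iptables-restore
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish DMZ services on the outside address (DNAT); hide both inner nets (MASQUERADE)
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB
-A PREROUTING -i $WAN_IF -p tcp --dport 443 -j DNAT --to-destination $DMZ_WEB
-A PREROUTING -i $WAN_IF -p tcp --dport 25 -j DNAT --to-destination $DMZ_MX
-A PREROUTING -i $WAN_IF -p udp --dport 53 -j DNAT --to-destination $DMZ_NS
-A PREROUTING -i $WAN_IF -p tcp --dport 53 -j DNAT --to-destination $DMZ_NS
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
# Default deny on INPUT and FORWARD; only explicitly listed traffic passes
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Stateful forwarding: replies to allowed connections pass, junk is dropped
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# Private net may initiate to the DMZ and to the outside
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -d $DMZ_NET -j ACCEPT
# Outside may reach only the published DMZ services (addresses as seen after DNAT)
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_MX -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_NS -p udp --dport 53 -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_NS -p tcp --dport 53 -j ACCEPT
# DMZ hosts may go out (mail delivery, zone transfers) but never into the private net
-A FORWARD -i $DMZ_IF -s $DMZ_NET -o $LAN_IF -j DROP
-A FORWARD -i $DMZ_IF -s $DMZ_NET -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading: the three properties this thread cares about
check_ruleset() {
    gen_ruleset | grep -q -- '^:FORWARD DROP' &&
    gen_ruleset | grep -q -- '--state ESTABLISHED,RELATED' &&
    gen_ruleset | grep -q -- "-i $DMZ_IF -s $DMZ_NET -o $LAN_IF -j DROP"
}
```

After loading, do what Bill recommends: probe from the outside and from the private side and confirm that only the published DMZ ports answer and that nothing in the DMZ can open a connection into the private net.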