This is a discussion on Firewall box configuration within the Linux Security forums, part of the System Security and Security Related category.
Please offer comments, suggestions, criticism (constructive please) on the following plan:

I would like to filter my small home network (keep the crap from appearing in front of the kids.) I recently succumbed to zestyfind/look2me after my wife failed to read all the boxes that were popping up. (Yes, I know I should have had the settings on IE tightened down and I shouldn't have Windoze in the first place....but that's what I need for a lot of what I do.)

Cable====Cable Modem=====Linux Firewall====Speedstream Router/Firewall
                                                  |      |      |
                                                  |      |      |
                                                Box1   Box2   Box3

I understand there is some redundancy, but the Speedstream also is a print server (I imagine the Linux box could do that also...but I'm not ready for that yet.)

I plan on Dan's Guardian....what else should I be doing?

Links and general info are appreciated.

John
More precisely, what kind of filtering do you want? Do you want to hide your computers from the outer network? If not, do you want to block your kids from connecting to the crap? Do you want to filter HTML tags on port 80? There are so many methods to filter network packets. If you give a more accurate description of your needs, you will be able to get the information you want.

"John" <jecottrell@sprynet.com> wrote in message news:178dc3a6.0405051533.1b88d8be@posting.google.com...
> [...]
jecottrell@sprynet.com (John) wrote in message news:<178dc3a6.0405051533.1b88d8be@posting.google.com>...
> [...]

Been a while since I've looked over Dan's Guardian -- IIRC, fetching updates is the biggest hassle. Check that it works as expected/wanted before assuming it's doing what you want.

The Windows boxes should _each_ have some kind of personal firewall -- I've always used the free Zone Alarm, but some folks _hate_ it. Choose your poison ;-)

The Speedstream router has probably been MASQing or NATing your other machines -- you will need to let the Linux box provide that now, probably. Not familiar with the Speedstream, so check whether it was also providing any DHCP services for the LAN machines -- i.e., automatically assigning IPs, DNS, and GW routes. Decide if it can/should still do that behind the Linux box.

I wouldn't disable the Speedstream FW till I knew it was causing a problem or not needed. You may need/want to disable it when testing your network configuration till you get things going.

The Linux box should block all connection (SYN) requests from the outside world -- if you're not hosting any public services, like a web server. Do _not_ enable/allow any file/printer sharing to leak out onto the internet.

The biggest problem is cutting down on the amount of "background" net traffic (services) that XP generates -- especially Universal Plug-n-Play. There are many others, however. Have a look here for a maintained list of such services and which ones you may want to disable:
http://www.blackviper.com/WinXP/servicecfg.htm

Get the latest fix for Windows' security problems -- the same one that allows Sasser to do its thing. This is an ugly hole that's been suspected for years -- now it's out in the wild!
https://www.microsoft.com/security/incident/sasser.asp
http://www.microsoft.com/downloads/d...displaylang=en

Good iptables (Linux FW) info and scripts:
http://www.linuxguruz.com/iptables/
Don't use a script till you understand it -- some are pretty (overly, IMO) complicated.

Those are the main things that come to mind offhand. Others will doubtless offer additional suggestions -- digest slowly. The main thing is to understand what is/should be occurring on your network rather than cluelessly abiding by the advice of others -- me included ;-)

hth,
prg
email above disabled
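The rule set prg describes (drop every new SYN from the outside, let the Linux box take over NAT from the Speedstream, and keep file/printer sharing off the internet) as an added example; this is not prg's script or anything from linuxguruz.com. It only prints the iptables commands so that each line can be read before it is applied, which is the point prg makes about scripts. The interface names eth0/eth1 and the LAN range 192.168.1.0/24 are assumptions; override them in the environment for your own box.

```shell
#!/bin/sh
# Added example, not code from the thread: prints an iptables rule set for a
# two-interface Linux gateway in the position John drew (cable modem on one
# side, the LAN and the Speedstream on the other). It PRINTS the commands
# rather than running them so every line can be understood first.
# Interface names and the LAN subnet are assumptions; override as needed.
WAN_IF="${WAN_IF:-eth0}"              # assumed: cable-modem side
LAN_IF="${LAN_IF:-eth1}"              # assumed: Speedstream / LAN side
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: private LAN range

# Refuse to build rules for a LAN that is not an RFC 1918 private range;
# MASQUERADE only makes sense in front of private addresses.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the rule set. Default policy is DROP on INPUT and FORWARD, so anything
# not explicitly allowed (including every new SYN arriving on the WAN side)
# is dropped. Rule order matters: the sharing-port DROPs sit before the
# general LAN-to-WAN ACCEPT so they are actually reached.
gen_rules() {
    cat <<EOF
# --- make the box a router ---
sysctl -w net.ipv4.ip_forward=1
# --- start clean, default-deny inbound and forwarded traffic ---
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# --- loopback and replies to connections we started ---
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# --- never let Windows file/printer sharing leak out to the internet ---
iptables -A FORWARD -o $WAN_IF -p udp -m multiport --dports 137,138 -j DROP
iptables -A FORWARD -o $WAN_IF -p tcp -m multiport --dports 139,445 -j DROP
iptables -A OUTPUT -o $WAN_IF -p udp -m multiport --dports 137,138 -j DROP
iptables -A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 139,445 -j DROP
# --- LAN machines may reach the gateway and be forwarded to the internet ---
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# --- log (rate-limited, so the log cannot be flooded) then drop new
# --- connection attempts from the WAN; no public services are hosted
iptables -A INPUT -i $WAN_IF -p tcp --syn -m limit --limit 5/min -j LOG --log-prefix "FW-SYN-DROP: "
iptables -A INPUT -i $WAN_IF -p tcp --syn -j DROP
# --- the Linux box now does the NAT the Speedstream used to do ---
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Count rules that would accept NEW inbound connections on the WAN interface.
# For a box that hosts no public services this must be zero; check it before
# applying the rules.
wan_accepts() {
    gen_rules | grep -c -- "-A INPUT -i $WAN_IF .*-j ACCEPT" || true
}

is_rfc1918 "$LAN_NET" || { echo "LAN_NET=$LAN_NET is not a private range" >&2; exit 1; }
gen_rules
```

Run it once to read the output, then apply with something like `sh gen-fw.sh | sudo sh` only after every rule makes sense; the dropped-SYN log lines (prefix `FW-SYN-DROP:`) show up in the kernel log and are the quickest way to confirm the outside really is being refused.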
P Gentry wrote:
> jecottrell@sprynet.com (John) wrote in message
> news:<178dc3a6.0405051533.1b88d8be@posting.google.com>...
> [...]

I use gShield, IMHO one of the easier ones to configure. If you have a good firewall on the Linux box, you will not need a firewall on the Windows boxes; however, you will still need antivirus. I personally find that running an MTA on the Linux box and then getting the Windows boxes to pick up the mail from there has tremendous advantages, such as defanging and catching virii on the Linux box.

--
David McKenzie
david@rugby.mckenziefamily.biz
remove rugby