Linux Firewall Suggestion

This is a discussion on Linux Firewall Suggestion within the Linux Security forums, part of the System Security and Security Related category.


#11  05-03-2005  James Garvin
Re: Linux Firewall Suggestion

Mike wrote:
> KP wrote:
>
>> I work for a company that has no firewall. We are a 20 person company
>> whose connection to the Internet is via Cisco 1610 router - T1.
>>
>> The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
>> Address (our mail, web site, and FTP) to 3 of the Internal Servers.
>> It does a one to one mapping.
>>
>> Server 1=Exchange 2003/Outlook Web Access (port 80, 443) - (public ip
>> 100.100.100.100 to private 192.168.1.10);
>> Server 2=Sharepoint Portal 2003/Project Server 2003 (port 80 and 443) -
>> (public ip 100.100.100.101 to private 192.168.1.11);
>> Server 3=FTP Site and MS PPTP VPN (port 21, 1721) - (public ip
>> 100.100.100.102 to private 192.168.1.12);
>>
>> My GOAL is to get a Linux firewall that is SIMPLE to use to place
>> between the internal network and our Internet router. Also, it has to
>> be able to route traffic destined on public ip xxx.xxx.xxx.xxx to
>> private ip xxx.xxx.xxx.xxx - same as 1 to 1 NAT mapping but more locked
>> down due to firewall features. Because multiple servers have port 80
>> and 443, I can't just do port forwarding. It must be intelligent
>> enough to see the URL/URI to forward to the right box.
>>
>> Hope this made sense.
>>
>> What would you guys suggest in terms of the Linux distro with this
>> capability, and how I should set it up?
>>
>> Thank you!
>>

>
> If you are not sure what you are doing, don't play with your company
> network. This is not the place to start learning about Linux firewalls.
> Invest your money in a hardware solution such as a Watchguard Firebox.
> You will find it easier to implement as it has a Windows front end and
> you will get all the benefits of a Linux/Iptables box as that is what it
> uses. You will also get first rate support (They can even configure the
> box remotely for you) and upgrades.


I second the Watchguard Firebox. While it isn't always the ideal
solution (it really depends on your situation), it is a pretty damn good
product and does what it is supposed to do. They also aren't that
expensive and quite beefy.

> I'm not affiliated to Watchguard in any way. I just use their boxes and
> also build Linux firewalls using IPCOP and Smoothwall or just plain old
> IPtables.


I would have a Linux box on a test network where I could play with
IPtables and fart around with setting up the firewall. Once you
understand it and have it down, you can go live...but Mike is right. It
isn't a good idea to play around with security on your corporate network.
#12  05-03-2005  matt_left_coast
Re: Linux Firewall Suggestion

m wrote:

>> What would you guys suggest in terms in the Linux distro with this
>> capability, and how I should set it up?
>>
>> Thank you!
>>
>>

>
> In my opinion you should choose OpenBSD
> as firewall it is great,and easy to setup :)
> pf can do everything what you want and it is quite secure :)
>


Of course all of this can be said for Linux.
#13  05-04-2005  Jack Masters
Re: Linux Firewall Suggestion

Mike wrote:
> KP wrote:
>
>> I work for a company that has no firewall. We are a 20 person company
>> whose connection to the Internet is via Cisco 1610 router - T1.
>>
>> The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
>> Address (our mail, web site, and FTP) to 3 of the Internal Servers.
>> It does a one to one mapping.
>>
>> Server 1=Exchange 2003/Outlook Web Access (port 80, 443) - (public ip
>> 100.100.100.100 to private 192.168.1.10);
>> Server 2=Sharepoint Portal 2003/Project Server 2003 (port 80 and 443) -
>> (public ip 100.100.100.101 to private 192.168.1.11);
>> Server 3=FTP Site and MS PPTP VPN (port 21, 1721) - (public ip
>> 100.100.100.102 to private 192.168.1.12);
>>
>> My GOAL is to get a Linux firewall that is SIMPLE to use to place
>> between the internal network and our Internet router. Also, it has to
>> be able to route traffic destined on public ip xxx.xxx.xxx.xxx to
>> private ip xxx.xxx.xxx.xxx - same as 1 to 1 NAT mapping but more locked
>> down due to firewall features. Because multiple servers have port 80
>> and 443, I can't just do port forwarding. It must be intelligent
>> enough to see the URL/URI to forward to the right box.
>>
>> Hope this made sense.
>>
>> What would you guys suggest in terms of the Linux distro with this
>> capability, and how I should set it up?
>>
>> Thank you!
>>

>
> If you are not sure what you are doing, don't play with your company
> network. This is not the place to start learning about Linux firewalls.
> Invest your money in a hardware solution such as a Watchguard Firebox.
> You will find it easier to implement as it has a Windows front end and
> you will get all the benefits of a Linux/Iptables box as that is what it
> uses. You will also get first rate support (They can even configure the
> box remotely for you) and upgrades.
>
> I'm not affiliated to Watchguard in any way. I just use their boxes and
> also build Linux firewalls using IPCOP and Smoothwall or just plain old
> IPtables.
>
> Mike


Any firewall, even a badly configured one, would be better than leaving
the network wide open. Playing with the firewall on a live network may
open one up to (physical) abuse from users that see their lunchtime
surfing/IM interrupted, but starting off with one of the many example
scripts available, it would be difficult to create a FW that opens the
network up further than it already is.

J

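As an added example (not code from anyone in the thread), a small iptables script for the 1:1 mapping KP describes: each public address is DNATed to its own server, so the three boxes sharing ports 80 and 443 are told apart by destination address without any URL inspection (that would be a reverse proxy's job, not a packet filter's), and FORWARD defaults to DROP so nothing unpublished gets through. It assumes the firewall rather than the router performs the NAT, that eth0 faces the router and eth1 the LAN, and it publishes PPTP as TCP 1723 plus GRE, which is what PPTP actually uses, rather than the 1721 in the post.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for KP's setup. Three
# public addresses are mapped 1:1 onto three internal servers and FORWARD
# defaults to DROP, so only the published ports reach each box.
# DRY_RUN=1 prints the commands instead of applying them.
set -eu

WAN=eth0   # assumed: interface facing the Cisco router
LAN=eth1   # assumed: interface facing 192.168.1.0/24
IPT=${IPT:-iptables}

# Execute a command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run "$IPT" "$@"; }
# Default-deny for the box and for everything crossing it; LAN hosts may
# initiate outbound and replies return via conntrack.
base_policy() {
    ipt -F; ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
}

# publish PUBLIC PRIVATE PORT...: DNAT each TCP port of PUBLIC to PRIVATE and
# open exactly those ports in FORWARD. The destination address, not the
# port, selects the server, so three boxes can all serve 80/443.
publish() {
    pub=$1; priv=$2; shift 2
    for port in "$@"; do
        ipt -t nat -A PREROUTING -i "$WAN" -d "$pub" -p tcp --dport "$port" \
            -j DNAT --to-destination "$priv:$port"
        ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$priv" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Traffic from the server leaves with its own public address (1:1 NAT).
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$priv" -j SNAT --to-source "$pub"
}
apply_rules() {
    base_policy
    publish 100.100.100.100 192.168.1.10 80 443   # Exchange / OWA
    publish 100.100.100.101 192.168.1.11 80 443   # SharePoint / Project
    publish 100.100.100.102 192.168.1.12 21 1723  # FTP, PPTP control channel
    # PPTP also needs GRE (IP protocol 47) forwarded to the VPN server.
    ipt -t nat -A PREROUTING -i "$WAN" -d 100.100.100.102 -p gre \
        -j DNAT --to-destination 192.168.1.12
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d 192.168.1.12 -p gre -j ACCEPT
    # Masquerade last: the nat table is first-match, so per-server SNAT wins.
    ipt -t nat -A POSTROUTING -o "$WAN" -s 192.168.1.0/24 -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}
if [ "${1:-}" = "--apply" ]; then apply_rules; fi
```

Saved as, say, fw.sh, `DRY_RUN=1 sh fw.sh --apply` prints the full ruleset for review on a test box before it is applied as root.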
#14  05-04-2005  Mike
Re: Linux Firewall Suggestion

Jack Masters wrote:
> Mike wrote:
>
>> KP wrote:
>>
>>> I work for a company that has no firewall. We are a 20 person company
>>> whose connection to the Internet is via Cisco 1610 router - T1.
>>>
>>> The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
>>> Address (our mail, web site, and FTP) to 3 of the Internal Servers.
>>> It does a one to one mapping.
>>>
>>> Server 1=Exchange 2003/Outlook Web Access (port 80, 443) - (public ip
>>> 100.100.100.100 to private 192.168.1.10);
>>> Server 2=Sharepoint Portal 2003/Project Server 2003 (port 80 and 443)
>>> - (public ip 100.100.100.101 to private 192.168.1.11);
>>> Server 3=FTP Site and MS PPTP VPN (port 21, 1721) - (public ip
>>> 100.100.100.102 to private 192.168.1.12);
>>>
>>> My GOAL is to get a Linux firewall that is SIMPLE to use to place
>>> between the internal network and our Internet router. Also, it has
>>> to be able to route traffic destined on public ip xxx.xxx.xxx.xxx to
>>> private ip xxx.xxx.xxx.xxx - same as 1 to 1 NAT mapping but more
>>> locked down due to firewall features. Because multiple servers have
>>> port 80 and 443, I can't just do port forwarding. It must be
>>> intelligent enough to see the URL/URI to forward to the right box.
>>>
>>> Hope this made sense.
>>>
>>> What would you guys suggest in terms of the Linux distro with this
>>> capability, and how I should set it up?
>>>
>>> Thank you!
>>>

>>
>> If you are not sure what you are doing, don't play with your company
>> network. This is not the place to start learning about Linux
>> firewalls. Invest your money in a hardware solution such as a
>> Watchguard Firebox. You will find it easier to implement as it has a
>> Windows front end and you will get all the benefits of a
>> Linux/Iptables box as that is what it uses. You will also get first
>> rate support (They can even configure the box remotely for you) and
>> upgrades.
>>
>> I'm not affiliated to Watchguard in any way. I just use their boxes
>> and also build Linux firewalls using IPCOP and Smoothwall or just
>> plain old IPtables.
>>
>> Mike

>
>
> Any firewall, even a badly configured one, would be better than leaving
> the network wide open. Playing with the firewall on a live network may
> open one up to (physical) abuse from users that see their lunchtime
> surfing/IM interrupted, but starting off with one of the many example
> scripts available, it would be difficult to create a FW that opens the
> network up further than it already is.
>
> J
>


Would you learn to wire a house by doing it with the power on?

Would you learn to service a car by playing with your father's brand new
Porsche?

Bottom line, you do not learn by playing with live systems. Only a fool
would do that.
#15  05-04-2005  Jack Masters
Re: Linux Firewall Suggestion

Mike wrote:
> Jack Masters wrote:
>
>> Mike wrote:
>>
>>> KP wrote:
>>>
>>>> I work for a company that has no firewall. We are a 20 person company
>>>> whose connection to the Internet is via Cisco 1610 router - T1.
>>>>
>>>> The router (pseudo firewall - really NAT) maps 3 PUBLIC IP /
>>>> External Address (our mail, web site, and FTP) to 3 of the Internal
>>>> Servers. It does a one to one mapping.
>>>>
>>>> Server 1=Exchange 2003/Outlook Web Access (port 80, 443) - (public ip
>>>> 100.100.100.100 to private 192.168.1.10);
>>>> Server 2=Sharepoint Portal 2003/Project Server 2003 (port 80 and 443)
>>>> - (public ip 100.100.100.101 to private 192.168.1.11);
>>>> Server 3=FTP Site and MS PPTP VPN (port 21, 1721) - (public ip
>>>> 100.100.100.102 to private 192.168.1.12);
>>>>
>>>> My GOAL is to get a Linux firewall that is SIMPLE to use to place
>>>> between the internal network and our Internet router. Also, it has
>>>> to be able to route traffic destined on public ip xxx.xxx.xxx.xxx to
>>>> private ip xxx.xxx.xxx.xxx - same as 1 to 1 NAT mapping but more
>>>> locked down due to firewall features. Because multiple servers have
>>>> port 80 and 443, I can't just do port forwarding. It must be
>>>> intelligent enough to see the URL/URI to forward to the right box.
>>>>
>>>> Hope this made sense.
>>>>
>>>> What would you guys suggest in terms of the Linux distro with this
>>>> capability, and how I should set it up?
>>>>
>>>> Thank you!
>>>>
>>>
>>> If you are not sure what you are doing, don't play with your company
>>> network. This is not the place to start learning about Linux
>>> firewalls. Invest your money in a hardware solution such as a
>>> Watchguard Firebox. You will find it easier to implement as it has a
>>> Windows front end and you will get all the benefits of a
>>> Linux/Iptables box as that is what it uses. You will also get first
>>> rate support (They can even configure the box remotely for you) and
>>> upgrades.
>>>
>>> I'm not affiliated to Watchguard in any way. I just use their boxes
>>> and also build Linux firewalls using IPCOP and Smoothwall or just
>>> plain old IPtables.
>>>
>>> Mike

>>
>>
>>
>> Any firewall, even a badly configured one, would be better than
>> leaving the network wide open. Playing with the firewall on a live
>> network may open one up to (physical) abuse from users that see their
>> lunchtime surfing/IM interrupted, but starting off with one of the
>> many example scripts available, it would be difficult to create a FW
>> that opens the network up further than it already is.
>>
>> J
>>

>
> Would you learn to wire a house by doing it with the power on?


been there, done that

> Would you learn to service a car by playing with your father's brand new
> Porsche?


wish he had one; anyone owning a Porsche (and not being a motor racing
fanatic) would never think of servicing any car himself.

> Bottom line, you do not learn by playing with live systems. Only a fool
> would do that.


Call me a fool, but in industrial projects sometimes the only thing you
have *is* the live system. Simulations can only go so far, and to build
another multi-million plant to learn the ropes somehow always gets shot
down by the beancounters. So, if modifications need to be made after
initial commissioning, you do it on the live plant. Tends to make one
quite careful before uploading new controller software though.

Back to the original statement, judging by what hits the external
interfaces here any firewall would still be better than none. If a setup
like this has been running without anything resembling a firewall in
place, one would not assume it is extremely mission-critical. So I would
gladly take the small risk of temporary service outages against the much
bigger risk of getting hit by whatever malware they think up tomorrow.

That said, for doing fancy configurations involving multiple virtual
servers a test box (if available) besides the real firewall would be a
good investment.

J.
#16  05-05-2005  Mike
Re: Linux Firewall Suggestion

Jack Masters wrote:
> Mike wrote:
>
>> Jack Masters wrote:
>>
>>> Mike wrote:
>>>
>>>> KP wrote:
>>>>
>>>>> I work for a company that has no firewall. We are a 20 person
>>>>> company whose connection to the Internet is via Cisco 1610 router -
>>>>> T1.
>>>>>
>>>>> The router (pseudo firewall - really NAT) maps 3 PUBLIC IP /
>>>>> External Address (our mail, web site, and FTP) to 3 of the Internal
>>>>> Servers. It does a one to one mapping.
>>>>>
>>>>> Server 1=Exchange 2003/Outlook Web Access (port 80, 443) - (public ip
>>>>> 100.100.100.100 to private 192.168.1.10);
>>>>> Server 2=Sharepoint Portal 2003/Project Server 2003 (port 80 and
>>>>> 443) - (public ip 100.100.100.101 to private 192.168.1.11);
>>>>> Server 3=FTP Site and MS PPTP VPN (port 21, 1721) - (public ip
>>>>> 100.100.100.102 to private 192.168.1.12);
>>>>>
>>>>> My GOAL is to get a Linux firewall that is SIMPLE to use to place
>>>>> between the internal network and our Internet router. Also, it has
>>>>> to be able to route traffic destined on public ip xxx.xxx.xxx.xxx
>>>>> to private ip xxx.xxx.xxx.xxx - same as 1 to 1 NAT mapping but more
>>>>> locked down due to firewall features. Because multiple servers have
>>>>> port 80 and 443, I can't just do port forwarding. It must be
>>>>> intelligent enough to see the URL/URI to forward to the right box.
>>>>>
>>>>> Hope this made sense.
>>>>>
>>>>> What would you guys suggest in terms of the Linux distro with this
>>>>> capability, and how I should set it up?
>>>>>
>>>>> Thank you!
>>>>>
>>>>
>>>> If you are not sure what you are doing, don't play with your company
>>>> network. This is not the place to start learning about Linux
>>>> firewalls. Invest your money in a hardware solution such as a
>>>> Watchguard Firebox. You will find it easier to implement as it has a
>>>> Windows front end and you will get all the benefits of a
>>>> Linux/Iptables box as that is what it uses. You will also get first
>>>> rate support (They can even configure the box remotely for you) and
>>>> upgrades.
>>>>
>>>> I'm not affiliated to Watchguard in any way. I just use their boxes
>>>> and also build Linux firewalls using IPCOP and Smoothwall or just
>>>> plain old IPtables.
>>>>
>>>> Mike
>>>
>>>
>>>
>>>
>>> Any firewall, even a badly configured one, would be better than
>>> leaving the network wide open. Playing with the firewall on a live
>>> network may open one up to (physical) abuse from users that see their
>>> lunchtime surfing/IM interrupted, but starting off with one of the
>>> many example scripts available, it would be difficult to create a FW
>>> that opens the network up further than it already is.
>>>
>>> J
>>>

>>
>> Would you learn to wire a house by doing it with the power on?

>
>
> been there, done that
>
>> Would you learn to service a car by playing with your father's brand
>> new Porsche?

>
>
> wish he had one; anyone owning a Porsche (and not being a motor racing
> fanatic) would never think of servicing any car himself.
>
>> Bottom line, you do not learn by playing with live systems. Only a
>> fool would do that.

>
>
> Call me a fool, but in industrial projects sometimes the only thing you
> have *is* the live system. Simulations can only go so far, and to build
> another multi-million plant to learn the ropes somehow always gets shot
> down by the beancounters. So, if modifications need to be made after
> initial commissioning, you do it on the live plant. Tends to make one
> quite careful before uploading new controller software though.
>
> Back to the original statement, judging by what hits the external
> interfaces here any firewall would still be better than none.


Agreed.

> If a setup
> like this has been running without anything resembling a firewall in
> place, one would not assume it is extremely mission-critical.


There is an old saying: Assume makes an ASS out of U and ME.


> So I would
> gladly take the small risk of temporary service outages against the much
> bigger risk of getting hit by whatever malware they think up tomorrow.


But it's not your risk to take. The OP is obviously not in a suitable
position to learn how to configure a Linux firewall and therefore should
not be playing/learning on a live system.

When giving advice in these newsgroups we have a duty of care and
although it is good to encourage people to learn, it is also important
to make sure that they do so safely and without inconveniencing other
net users by becoming spam relays or zombies.

Beside all that, if there was a level of competence on the OP site, the
question wouldn't have been asked in the first place!

#17  05-07-2005  Andrei Ivanov
Re: Linux Firewall Suggestion

In comp.os.linux.security KP <kipp@idea.com> wrote:
> connection to the Internet is via Cisco 1610 router - T1.


Is it Cisco 160x, or 2610?
Anyway, for a small company it should have enough horsepower
to serve as firewall, not just an address-translating device.
You just need proper IOS image ("IP FW", a.k.a. Firewall
Feature Set).

--
andrei