This is a discussion on Linux Firewall Suggestion within the Linux Security forums, part of the System Security and Security Related category.
I work for a company that has no firewall. We are a 20-person company whose connection to the Internet is via a Cisco 1610 router - T1.

The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External Addresses (our mail, web site, and FTP) to 3 of the Internal Servers. It does a one-to-one mapping.

Server 1 = Exchange 2003/Outlook Web Access (port 80, 443) - (public ip 100.100.100.100 to private 192.168.1.10);
Server 2 = Sharepoint Portal 2003/Project Server 2003 (port 80 and 443) - (public ip 100.100.100.101 to private 192.168.1.11);
Server 3 = FTP Site and MS PPTP VPN (port 21, 1721) - (public ip 100.100.100.102 to private 192.168.1.12);

My GOAL is to get a Linux firewall that is SIMPLE to use to place between the internal network and our Internet router. Also, it has to be able to route traffic destined for public ip xxx.xxx.xxx.xxx to private ip xxx.xxx.xxx.xxx - the same as 1 to 1 NAT mapping but more locked down due to firewall features. Because multiple servers have port 80 and 443, I can't just do port forwarding. It must be intelligent enough to see the URL/URI to forward to the right box.

Hope this made sense. What would you guys suggest in terms of the Linux distro with this capability, and how should I set it up?

Thank you!

KP wrote:
> I work for a company that has no firewall. We are a 20-person company whose
> connection to the Internet is via Cisco 1610 router - T1.
>
> The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
> Address (our mail, web site, and FTP) to 3 of the Internal Servers. It does
> a one-to-one mapping.
>
> Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
> 100.100.100.100 to private 192.168.1.10);
> Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443) -
> (public ip 100.100.100.101 to private 192.168.1.11);
> Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
> 100.100.100.102 to private 192.168.1.12);
>
> My GOAL is to get a Linux firewall that is SIMPLE to use to place between the
> internal network and our Internet router. Also, it has to be able to route
> traffic destined on public ip xxx.xxx.xxx.xxx to private ip xxx.xxx.xxx.xxx -
> same as 1 to 1 NAT mapping but more locked down due to firewall features.
> Because multiple servers have port 80 and 443, I can't just do port
> forwarding. It must be intelligent enough to see the URL/URI to forward to
> the right box.
>
> Hope this made sense.
>
> What would you guys suggest in terms of the Linux distro with this
> capability, and how I should set it up?

Any Linux distribution will contain iptables. And no offence meant, but you will need to master iptables yourself. Most Linux admins can and will offer you example iptables scripts, but you must know what is going on, as you will certainly have to alter things from time to time. You will need to set up temporary logging rules, and the odd troubleshooting chain, and you really need to know exactly what you are doing. When users cannot connect to some service, the firewall is one of the main troubleshooting tools. And I'm sure you have already had plenty of advice about what you are running.

There is no need to open port 80, as the services you mention can be accessed over https, and even Microsoft people do not advise opening unencrypted web access to the Internet. As for FTP from a Microsoft box... unless you really desperately need to upload, use https for this as well. Oh, and PPTP needs IP protocol 47 (*not* port 47) open as well as 1721.

Best of luck, and in future do not post IP addresses on Usenet, especially just after a statement that they are not firewalled.

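As an added example (not from the thread or from any poster), the following POSIX shell script prints, rather than applies, the kind of iptables ruleset Joe describes: 1:1 DNAT keyed on the destination public address (which is why several servers that all listen on 443 do not conflict, so no URL inspection is needed for the ports in question), https only, GRE (IP protocol 47) beside the PPTP control port, and a rate-limited logging rule for troubleshooting. The interface names eth0/eth1 are assumptions, and the PPTP control channel is written as TCP 1723 (the thread says 1721).

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules for locked-down 1:1 NAT.
# Public/private addresses follow the thread; interface names are assumed.
WAN=eth0   # assumed: interface facing the Cisco router
LAN=eth1   # assumed: interface facing the internal network

# one_to_one PUBLIC PRIVATE PROTO PORT...: DNAT keyed on the destination
# public address, so several servers may all listen on 443 without conflict.
one_to_one() {
  pub=$1; priv=$2; proto=$3; shift 3
  for port in "$@"; do
    echo "iptables -t nat -A PREROUTING -i $WAN -d $pub -p $proto --dport $port -j DNAT --to-destination $priv"
    echo "iptables -A FORWARD -i $WAN -o $LAN -d $priv -p $proto --dport $port -m state --state NEW -j ACCEPT"
  done
  # outbound connections from the server leave with its own public address
  echo "iptables -t nat -A POSTROUTING -o $WAN -s $priv -j SNAT --to-source $pub"
}

# gre_passthrough PUBLIC PRIVATE: PPTP carries data in GRE, IP protocol 47,
# which has no port and so needs its own rules in both directions.
gre_passthrough() {
  echo "iptables -t nat -A PREROUTING -i $WAN -d $1 -p 47 -j DNAT --to-destination $2"
  echo "iptables -A FORWARD -i $WAN -o $LAN -d $2 -p 47 -j ACCEPT"
  echo "iptables -A FORWARD -i $LAN -o $WAN -s $2 -p 47 -j ACCEPT"
}

# log_drop CHAIN: the temporary troubleshooting rule the reply mentions;
# rate-limited so a scan cannot fill the disk with log lines.
log_drop() {
  echo "iptables -A $1 -m limit --limit 5/min -j LOG --log-prefix \"FW-$1-DROP: \""
  echo "iptables -A $1 -j DROP"
}

# Whole ruleset: default-deny forwarding, stateful replies, then the
# three servers from the thread with only the ports they actually need.
ruleset() {
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  one_to_one 100.100.100.100 192.168.1.10 tcp 443   # OWA, https only
  one_to_one 100.100.100.101 192.168.1.11 tcp 443   # SharePoint, https only
  one_to_one 100.100.100.102 192.168.1.12 tcp 1723  # PPTP control channel
  gre_passthrough 100.100.100.102 192.168.1.12
  log_drop FORWARD
}

ruleset
```

Review the printed rules, then pipe the output through `sh` on the firewall host once the interface names match.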
On Sun, 01 May 2005 22:35:01 +0100, Joe wrote:
> Any Linux distribution will contain iptables. And no offence meant, but
> you will need to master iptables yourself. Most Linux admins can and
> will offer you example iptables scripts, but you must know what is going
> on, as you will certainly have to alter things from time to time. You
> will need to set up temporary logging rules, and the odd troubleshooting
> chain, and you really need to know exactly what you are doing. When
> users cannot connect to some service, the firewall is one of the main
> troubleshooting tools.

Something like Shorewall can take a lot of the pain out of this process. http://www.shorewall.net/

> As for FTP from a Microsoft box.... unless you really desperately need
> to upload, use https for this as well.

Using WebDAV and XP's 'webfolders' feature may be an option here?

> in future do not post IP addresses on Usenet, especially just after a
> statement that they are not firewalled.

Hello 80.177.211.93!

--
Mommy, what happens to your files when you die?

On Sun, 01 May 2005 20:41:30 GMT, "KP" <kipp@idea.com> wrote:
>I work for a company that has no firewall. We are 20 person company whose
>connection to the Internet is via Cisco 1610 router - T1.
>
>The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
>Address (our mail, web site, and FTP) to 3 of the Internal Servers. It does
>a one to one mapping.
>
>Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
>100.100.100.100 to private 192.168.1.10);
>Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443) -
>(public ip 100.100.100.101 to private 192.168.1.11);
>Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
>100.100.100.102 to private 192.168.1.12);
>
>My GOAL is to get a Linux firewall that is SIMPLE to use to place between the
>internal network and our Internet router. Also, it has to be able to route
>traffic destined on public ip xxx.xxx.xxx.xxx to private ip xxx.xxx.xxx.xxx -
>same as 1 to 1 NAT mapping but more locked down due to firewall features.
>Because multiple servers have port 80 and 443, I can't just do port
>forwarding. It must be intelligent enough to see the URL/URI to forward to
>the right box.
>
>Hope this made sense.
>
>What would you guys suggest in terms of the Linux distro with this
>capability, and how I should set it up?
>
>Thank you!

Shorewall is the best compromise I've seen between having to learn iptables (which is NOT for the new user) and one of those useless Linksys boxes. It's as flexible as your ability to configure it. I've been using it here and installing it at client sites for several years. I haven't had anything that it couldn't do yet, and it really is much simpler than native iptables.

http://www.shorewall.net

Mike-

--
Mornings: Evolution in action. Only the grumpy will survive.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments.
KP wrote:
> I work for a company that has no firewall. We are 20 person company whose
> connection to the Internet is via Cisco 1610 router - T1.
>
> The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
> Address (our mail, web site, and FTP) to 3 of the Internal Servers. It does
> a one to one mapping.
>
> Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
> 100.100.100.100 to private 192.168.1.10);
> Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443) -
> (public ip 100.100.100.101 to private 192.168.1.11);
> Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
> 100.100.100.102 to private 192.168.1.12);
>
> My GOAL is to get a Linux firewall that is SIMPLE to use to place between the
> internal network and our Internet router. Also, it has to be able to route
> traffic destined on public ip xxx.xxx.xxx.xxx to private ip xxx.xxx.xxx.xxx -
> same as 1 to 1 NAT mapping but more locked down due to firewall features.
> Because multiple servers have port 80 and 443, I can't just do port
> forwarding. It must be intelligent enough to see the URL/URI to forward to
> the right box.
>
> Hope this made sense.
>
> What would you guys suggest in terms of the Linux distro with this
> capability, and how I should set it up?

I think you forgot port 25 (SMTP). Consider setting up proxies on the boundary box, especially a mail proxy for the Exchange box.

Cheers,
Cliff

--
Barzoomian the Martian - http://barzoomian.blogspot.com

Michael W Cocke <cocke@catherders.com> wrote in
news:6f7b71l3qnqs9di5ktptpaev09r306brag@4ax.com:

> On Sun, 01 May 2005 20:41:30 GMT, "KP" <kipp@idea.com> wrote:
>
>>I work for a company that has no firewall. We are 20 person company
>>whose connection to the Internet is via Cisco 1610 router - T1.
>>
>>The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
>>Address (our mail, web site, and FTP) to 3 of the Internal Servers.
>>It does a one to one mapping.
>>
>>Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
>>100.100.100.100 to private 192.168.1.10);
>>Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443) -
>>(public ip 100.100.100.101 to private 192.168.1.11);
>>Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
>>100.100.100.102 to private 192.168.1.12);
>>
>>My GOAL is to get a Linux firewall that is SIMPLE to use to place
>>between the internal network and our Internet router. Also, it has to
>>be able to route traffic destined on public ip xxx.xxx.xxx.xxx to
>>private ip xxx.xxx.xxx.xxx - same as 1 to 1 NAT mapping but more locked
>>down due to firewall features. Because multiple servers have port 80
>>and 443, I can't just do port forwarding. It must be intelligent
>>enough to see the URL/URI to forward to the right box.
>>
>>Hope this made sense.
>>
>>What would you guys suggest in terms of the Linux distro with this
>>capability, and how I should set it up?
>>
>>Thank you!
>
> Shorewall is the best compromise I've seen between having to learn
> iptables (which is NOT for the new user) and one of those useless
> Linksys boxes. It's as flexible as your ability to configure it.
> I've been using it here and installing it at client sites for several
> years. I haven't had anything that it couldn't do yet, and it really
> is much simpler than native iptables.
>
> http://www.shorewall.net
>
<snip>

Do you find Shorewall more flexible than Smoothwall with mods?

--
# cd /usr/src/
# make buildworld
"This is gonna take all night, isn't it?"

On Mon, 02 May 2005 05:38:03 -0500, Darko Gavrilovic
<darkogAThushmailDOTcom> wrote:

>Michael W Cocke <cocke@catherders.com> wrote in
>news:6f7b71l3qnqs9di5ktptpaev09r306brag@4ax.com:
>
>> On Sun, 01 May 2005 20:41:30 GMT, "KP" <kipp@idea.com> wrote:
>>
>>>I work for a company that has no firewall. We are 20 person company
>>>whose connection to the Internet is via Cisco 1610 router - T1.
>>>
>>>The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
>>>Address (our mail, web site, and FTP) to 3 of the Internal Servers.
>>>It does a one to one mapping.
>>>
>>>Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
>>>100.100.100.100 to private 192.168.1.10);
>>>Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443) -
>>>(public ip 100.100.100.101 to private 192.168.1.11);
>>>Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
>>>100.100.100.102 to private 192.168.1.12);
>>>
>>>My GOAL is to get a Linux firewall that is SIMPLE to use to place
>>>between the internal network and our Internet router. Also, it has to
>>>be able to route traffic destined on public ip xxx.xxx.xxx.xxx to
>>>private ip xxx.xxx.xxx.xxx - same as 1 to 1 NAT mapping but more locked
>>>down due to firewall features. Because multiple servers have port 80
>>>and 443, I can't just do port forwarding. It must be intelligent
>>>enough to see the URL/URI to forward to the right box.
>>>
>>>Hope this made sense.
>>>
>>>What would you guys suggest in terms of the Linux distro with this
>>>capability, and how I should set it up?
>>>
>>>Thank you!
>>
>> Shorewall is the best compromise I've seen between having to learn
>> iptables (which is NOT for the new user) and one of those useless
>> Linksys boxes. It's as flexible as your ability to configure it.
>> I've been using it here and installing it at client sites for several
>> years. I haven't had anything that it couldn't do yet, and it really
>> is much simpler than native iptables.
>>
>> http://www.shorewall.net
>>
><snip>
>
>Do you find Shorewall more flexible than Smoothwall with mods?

Yes. Smoothwall is designed to be used in one specific way, and its configurability is constrained. It's good if you want what it does and don't want to have to learn how to configure a firewall, but if either of those factors is false, it's a bad choice.

Mike-

--
Mornings: Evolution in action. Only the grumpy will survive.

KP wrote:
> I work for a company that has no firewall. We are 20 person company whose
> connection to the Internet is via Cisco 1610 router - T1.
>
> The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
> Address (our mail, web site, and FTP) to 3 of the Internal Servers. It does
> a one to one mapping.
>
> Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
> 100.100.100.100 to private 192.168.1.10);
> Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443) -
> (public ip 100.100.100.101 to private 192.168.1.11);
> Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
> 100.100.100.102 to private 192.168.1.12);
>
> My GOAL is to get a Linux firewall that is SIMPLE to use to place between the
> internal network and our Internet router. Also, it has to be able to route
> traffic destined on public ip xxx.xxx.xxx.xxx to private ip xxx.xxx.xxx.xxx -
> same as 1 to 1 NAT mapping but more locked down due to firewall features.
> Because multiple servers have port 80 and 443, I can't just do port
> forwarding. It must be intelligent enough to see the URL/URI to forward to
> the right box.
>
> Hope this made sense.
>
> What would you guys suggest in terms of the Linux distro with this
> capability, and how I should set it up?
>
> Thank you!

If you are not sure what you are doing, don't play with your company network. This is not the place to start learning about Linux firewalls. Invest your money in a hardware solution such as a Watchguard Firebox. You will find it easier to implement as it has a Windows front end, and you will get all the benefits of a Linux/iptables box, as that is what it uses. You will also get first-rate support (they can even configure the box remotely for you) and upgrades.

I'm not affiliated with Watchguard in any way. I just use their boxes and also build Linux firewalls using IPCop and Smoothwall or just plain old iptables.

Mike