For the gentoo box to act as the router/gateway/hub, you need more than
one ethernet card in the box.

OK, but under the ADSL connection scenario (diagram A) I already have a
hardware router/gateway, so do I still need a two card configuration? What
I am trying to do is protect the Gentoo box from other boxes in the LAN
(behind the Netgear router), or when connected to the Internet via dialup
then protect it from other internet machines.

Depends. Personally I had little love for my netgear router when it was in place. I had a couple of issues:

1. Although my gentoo box allowed for externally-generated syslog entries, the netgear router (even though the gui suggested it would) would not forward syslog messages to my gentoo box, so I missed out on things like knowing who was hitting the router.

2. Could not find an easy way to extract the external IP address from the darn thing. My domain name is managed via dyndns.org, and I only wanted to trigger an update when an actual ip address change occurred. It was either that or tickle the dyndns.org system every few minutes so it would update IP address from the incoming connection.

3. Performance, over time, would drop down to a trickle. The only way to get it back up was to reboot the router. And since I didn't want to expose the admin interface to the world, that meant that I would have to wait till I was on-site to reboot it.

4. DNS & DHCP - It still isn't clear to me how their DNS is set up; although it will act as the gateway for internal systems, I couldn't tell if it was using a caching DNS service or was just passing DNS queries up the stream for processing. DHCP gets managed by the router, so you have little control beyond designating the range to use for dynamic address assignments.

5. No DMZ support - everything plugged into the netgear box is 'exposed'. In my current gentoo gateway, I can and do severely limit traffic on the intranet side while being a little less controlling on the DMZ side. Should a penetration of the DMZ occur, I know that the line of demarcation between the DMZ and the intranet should protect my sensitive information.

6. No ssh access, no ability to programmatically get information from the router, and other minor complaints.

In any case I ended up dumping netgear and running with a Sangoma ADSL card. All the benefits of using ADSL whilst including all the access and administration my gentoo box allows.

As for the firewall questions, your rules are going to fall into a couple
of different flavors:

a) desktop only: For this setup you're basically going to block all
incoming traffic, allow all outbound traffic and existing traffic.
Forwarding is not an issue.

Right, is that tight enough?  I mean, shouldn't I accept only specific
outgoing protocols/ports and then be blocking everything else which might
try to get out?  I'm thinking here in trojan terms and the way certain
M$Windoze 'personal firewalls' are usually set up.

Well, as a desktop system (meaning there is no other windblows systems behind the gentoo box), you really won't have to worry too much about that. All incoming connections would be denied (i.e. mail, dns, ssh, etc.) so no one could get into the box to plant a trojan or virus, so nothing would be exposed. In this scenario somehow you'd have to install something that would open a backdoor to a remote hacker's system - they couldn't connect automatically and the whole thing would be a pain in the ass for them to develop as opposed to your standard windblows problems.

d) combination: The combo system wraps service providing and gateway (and
possibly desktop) into one box.  This setup is similar to the server
scenario, except it also must include the gateway type rules to ensure
that internal entities can get to the outside & back.

I guess that I'll need some sort of a combo setup if I am to use the Gentoo box as a server to be accessed both by machines in the WAN and by PC/laptop
in my LAN.  On the other hand, I am thinking that all this
masquerading/IP forwarding and NATing could be achieved by my Netgear?

That's the setup I run. I've got a gentoo box that is the gateway and, since it is beefed up, also runs my ftp and mail service. Web and other services are routed into the DMZ. The local network where I serve my printer, windows boxen, and other gentoo systems are on another card. The main box manages the communications with the outside world, from the outside world, as well as internal traffic. Quite a sweet setup, if I do say so myself.

Yes, the netgear will handle the NAT and forwarding stuff for you, as long as you're happy with it.


--
gentoo-user@gentoo.org mailing list

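The "desktop only" rules discussed in the thread, written out as an added example (not code from the thread or from any of its posters): a shell function that emits an iptables-restore ruleset which drops all inbound traffic, accepts replies to connections the box itself opened, and never forwards. Called with only an interface name it leaves the OUTPUT policy at ACCEPT, as the reply describes; called with a list of TCP ports it switches to the egress allow-list the question asks about and logs whatever else tries to leave, which is how you would notice a trojan phoning home. The interface name eth0, the port list and the log prefixes are assumptions.

```shell
#!/bin/sh
# desktop_rules WAN_IF [TCP_PORT ...]
# Prints an iptables-restore ruleset for a single box with no hosts behind it.
# Assumed values: interface "eth0", ports 22/80/443 and the "fw-" log prefixes.
desktop_rules() {
  wan=$1; shift                       # interface facing the LAN or the Internet
  if [ $# -eq 0 ]; then out_policy=ACCEPT; else out_policy=DROP; fi
  printf '%s\n' '*filter' \
    ':INPUT DROP [0:0]' \
    ':FORWARD DROP [0:0]' \
    ":OUTPUT $out_policy [0:0]" \
    '-A INPUT -i lo -j ACCEPT' \
    '-A OUTPUT -o lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
    "-A INPUT -i $wan -m limit --limit 6/min -j LOG --log-prefix \"fw-in-drop: \""
  if [ "$out_policy" = DROP ]; then
    # Egress allow-list: replies, DNS, then only the named TCP ports; log the rest.
    printf '%s\n' \
      '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
      "-A OUTPUT -o $wan -p udp --dport 53 -j ACCEPT"
    for p in "$@"; do
      printf '%s\n' "-A OUTPUT -o $wan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A OUTPUT -o $wan -m limit --limit 6/min -j LOG --log-prefix \"fw-out-drop: \""
  fi
  printf '%s\n' 'COMMIT'
}

# Permissive-outbound variant, then the egress-restricted one.
desktop_rules eth0
desktop_rules eth0 22 80 443
```

Feed the output to `iptables-restore` as root to load it; the LOG lines land in the kernel log, which gives the local syslog visibility the reply complains the router never provided.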