On Sunday 14 December 2003 12:37 am, Lyvim Xaphir wrote:

> I have to disagree here, since I was able to install 9.2 on a firewall
> box with 2 nics, then use Drakconf to share the connection.  The
> firewall box is minimal hardware, 200 mhz Pentium I MMX with 80 megs of
> memory; not costly at all.  

Compared to a $50 or less broadband router device.

> All this depends on the intentions of the 
> newbie; which is whether they are going for a functional installation to
> "do stuff" on the internet with or whether they are in this for the
> learning process.  Most newbies are here to learn, and attack a learning
> curve, not run from it.

Fact is, there is nothing that says that you cannot operate a router at the 
same time that you operate a firewall.  I run both a firewall and a router 
device.  I still prefer the hardware device that disables portscans on my 
system; again, you may prefer to see those types of attacks, I just want to 
block them.

However, I do not know of any non-techie computer people that just happen to 
have a spare box lying around, YMMV.  Absent a box, there is not really any 
way to build a standalone firewall box that is going to cost less than the 
$50 that a hardware router will run you.  Installing the firewall on your 
primary system is not as good as a hardware router device.

> If they are in it for the greater understanding of what is going on
> underneath, which a lot of newbies are, then the ideal route to go is a
> Mandrake firewall running 9.2, with internet connection sharing enabled
> which btw automatically enables Shorewall, which is of course a
> firewall.  Even at its basic configuration, Shorewall is much better
> than a hardware router.

Well, your experience with newbies appears to differ from mine.  In my 
experience, they are simply looking for a solution that works, not 
necessarily one that enables them to know what is going on underneath.  There 
is time for learning after your computer is running and doing the things that 
you want it to do.  I definitely would not suggest to someone coming from the 
Windows world whose current idea of a good firewall is Kerio with a system 
tray icon on their primary machine, that they should jump full bore into the 
world of shorewall and iptables while their current machine is open to attack 
from the Internet.

That being said, running a firewall on the same box that you use as your 
primary computer is simply not a good idea.  It needs to be a standalone box 
that sits between you and the Internet.  In fact, in most corporate setups 
the chain goes, Router - Firewall - Router - Internal lan.  There is a reason 
for setting up routers between those boxes.

> Hardware routers are generally for Mac users or non-tech types.  That's
> fine, but if you are looking for knowledge, a router appliance is not
> going to get you there; in fact I recommend against it.

We will just have to disagree there.  I don't know of any large enterprise 
that doesn't run a router appliance and can't even begin to imagine why a 
home user, provided he can afford it, would not want to gain the same 
benefits as they do.  Granted, you will receive less information as some 
portscans and obvious probes against your machine are blocked so that you 
never see them unless you check your router log.  I don't have a problem with 
that since they are, in fact, blocked.

> Having said all that, to avoid standard newbie frustrations when you are
> implementing a solution for learning purposes, it is best to let
> Mandrake install programs set up internet connection sharing using two
> nics in the firewall; one for the local lan and the other for connection
> to DSL.  Packet filtering/mangling can then occur between the two nics
> inside the firewall box.  When internet connection sharing is set up
> (using Drakconf), Shorewall is automatically installed/activated.  The
> newbie should then back up his /etc directory before he messes around
> with Drakconf any more; then he should start examining the Shorewall
> config files in /etc/shorewall.
>
> This will give a better understanding of a default firewall setup, from
> which they can begin making changes.

Or, if you are looking for a very simple solution that provides a fair amount 
of protection with a minimal amount of issues getting set up, you can plug in 
a router appliance that provides a hardware firewall; it prevents access to 
your system from outside, and until you physically open up ports, you can't 
run any servers inside your box.  You can still check the log on the device 
to see all of the traffic that is being blocked.  

For instance, here you can see all of the Windows traffic (port 137) that my 
own router is rejecting:

WAN Type: PPP over Ethernet (2.57 build 3)
 Display time: Sun 14 Dec 2003 10:27:10 AM EST
Sun 14 Dec 2003 08:40:24 AM EST Unrecognized access from 81.250.114.141:137 to UDP port 137
Sun 14 Dec 2003 08:40:25 AM EST Unrecognized access from 81.250.114.141:137 to UDP port 137
Sun 14 Dec 2003 08:40:54 AM EST Unrecognized access from 81.129.70.76:1039 to UDP port 137
Sun 14 Dec 2003 08:41:50 AM EST Unrecognized access from 67.65.84.220:32799 to UDP port 137
Sun 14 Dec 2003 08:42:08 AM EST Unrecognized access from 217.132.8.159:137 to UDP port 137
Sun 14 Dec 2003 08:42:09 AM EST Unrecognized access from 217.132.8.159:137 to UDP port 137
Sun 14 Dec 2003 08:42:11 AM EST Unrecognized access from 217.132.8.159:137 to UDP port 137
Sun 14 Dec 2003 08:43:22 AM EST Unrecognized access from 80.116.13.224:1026 to UDP port 137
Sun 14 Dec 2003 08:44:51 AM EST Unrecognized access from 207.217.120.20:33746 to TCP port 25
Sun 14 Dec 2003 08:44:54 AM EST Unrecognized access from 207.217.120.20:33746 to TCP port 25
Sun 14 Dec 2003 08:45:01 AM EST Unrecognized access from 207.217.120.20:33746 to TCP port 25
Sun 14 Dec 2003 08:45:01 AM EST Unrecognized access from 207.217.120.20:33873 to TCP port 25
Sun 14 Dec 2003 08:45:04 AM EST Unrecognized access from 207.217.120.20:33873 to TCP port 25
Sun 14 Dec 2003 08:45:11 AM EST Unrecognized access from 207.217.120.20:33873 to TCP port 25
Sun 14 Dec 2003 08:45:50 AM EST Unrecognized access from 212.114.234.160:137 to UDP port 137
Sun 14 Dec 2003 08:45:51 AM EST Unrecognized access from 212.114.234.160:137 to UDP port 137
Sun 14 Dec 2003 08:45:53 AM EST Unrecognized access from 212.114.234.160:137 to UDP port 137
Sun 14 Dec 2003 08:45:58 AM EST Unrecognized access from 80.129.229.185:137 to UDP port 137
Sun 14 Dec 2003 08:45:59 AM EST Unrecognized access from 80.129.229.185:137 to UDP port 137
Sun 14 Dec 2003 08:46:01 AM EST Unrecognized access from 80.129.229.185:137 to UDP port 137
-- 
Bryan Phinney
Software Test Engineer
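One way to turn a router log like the one quoted above into something a home user can act on, as an added example that is not part of the original thread and not any router vendor's code: a small Python parser for the "Unrecognized access from A.B.C.D:sport to PROTO port N" line shape, run over constructed sample lines in that same format (documentation-range addresses, not real hosts), that counts blocked attempts per destination service and per source so repeat probers stand out. The service-name mapping is an assumption added here.

```python
import re
from collections import Counter

# Entry shape as the quoted router prints it: "<date> Unrecognized access from A.B.C.D:sport to UDP port 137"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [AP]M \w+)\s+"
    r"Unrecognized access from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"to (?P<proto>TCP|UDP) port (?P<dport>\d+)\s*$"
)
# Friendly names for the services seen in the post's log (assumed mapping, not from the router).
SERVICE_NAMES = {("UDP", 137): "NetBIOS name service", ("TCP", 25): "SMTP"}

def parse_line(line):
    """Return a dict for one blocked-access entry, or None for header/other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize(lines):
    """Count blocked entries by (proto, dport) and by source host; also count skipped lines."""
    by_service, by_source, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        by_service[(rec["proto"], rec["dport"])] += 1
        by_source[rec["src"]] += 1
    return {"by_service": by_service, "by_source": by_source, "skipped": skipped}

# Constructed sample in the router's format; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """WAN Type: PPP over Ethernet (2.57 build 3)
 Display time: Sun 14 Dec 2003 10:27:10 AM EST
Sun 14 Dec 2003 08:40:24 AM EST Unrecognized access from 192.0.2.10:137 to UDP port 137
Sun 14 Dec 2003 08:40:25 AM EST Unrecognized access from 192.0.2.10:137 to UDP port 137
Sun 14 Dec 2003 08:40:54 AM EST Unrecognized access from 198.51.100.7:1039 to UDP port 137
Sun 14 Dec 2003 08:44:51 AM EST Unrecognized access from 203.0.113.20:33746 to TCP port 25
Sun 14 Dec 2003 08:44:54 AM EST Unrecognized access from 203.0.113.20:33746 to TCP port 25
Sun 14 Dec 2003 08:45:58 AM EST Unrecognized access from 192.0.2.10:137 to UDP port 137
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for (proto, port), n in s["by_service"].most_common():
        print(f"{proto}/{port} ({SERVICE_NAMES.get((proto, port), 'other')}): {n} blocked")
    for src, n in s["by_source"].most_common():
        print(f"{src}: {n} attempts")
```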

