Re: [CentOS] Firewall frustration

2008-01-05 Thread Robert Moskowitz



Christopher Chan wrote:
Now I have to hop over to the Asterisk list to figure out why with one 
firewall the INVITE properly redirects the RTP to the RTP server, and 
with the other firewall this is not in the INVITE so the RTP flow 
does not. ARGH!




I hope you are not trying to get around a double nat situation. client 
- nat - nat - asterisk.


I never managed to get things to work in that scenario. I have a vpn 
setup to get things to work.

No. That is part of my frustration. I have 64 publicly routed addresses.

My open net is 8 addresses, for 6 systems. DSL router and so far 2 
firewalls standard (occasional honeypot).
I assigned 8 addresses for my VoIPnet. All Trixboxes on VoIPnet have 2 
NICs. Their second NIC is to a 192.168 addressed net with the various 
VoIP clients.


So I have a WRT54g running sveasoft with NAT turned off.  But even with 
NAT turned off, the box is basically brain-dead.  It would only allow 
the ONE server defined as the DMZ server to be accessed even when the 
firewall is disabled!  And I have 2 Trixboxes (part of my testing.  Have 
to learn DUNDI too).


So I now have a REAL firewall; well, CentOS with Shorewall. And it 
seemed to be working, but the SIP/SDP INVITE when I have the sveasoft 
box has a redirect from the SIP server to the actual RTP server. But 
with Shorewall, that information is NOT in the INVITE so the SIP server 
responds with an ICMP of no such port. And so far I have not figured 
this out...



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Firewall frustration

2008-01-05 Thread Robert Moskowitz



Toby Bluhm wrote:

Robert Moskowitz wrote:

qsm wrote:

maybe shorewall can make your life so easy.
It does not support the rtl8150 chipset. That is what I have in 
the way of USB ethernet dongles.


Which is another reason to go with a Centos based solution when you 
need to put something up as you go.


Which is how I have shorewall/shoreline working . . . .


OOPS...  I was thinking you were saying Smoothwall!

There I go again.

Yes, it IS Shorewall that I am using with the Webmin front end (though 
more and more now I am doing quick edits to add rules via VI).



[EMAIL PROTECTED] ~]$ cat /etc/redhat-release
CentOS release 5 (Final)

[EMAIL PROTECTED] ~]$ rpm -qi shorewall
Name        : shorewall                    Relocations: (not relocatable)
Version     : 4.0.2                             Vendor: Invoca Systems
Release     : 3                             Build Date: Mon Aug 20 09:03:41 2007
Install Date: Mon Aug 20 09:05:25 2007      Build Host: nutube
Group       : System Environment/Base       Source RPM: shorewall-4.0.2-3.src.rpm
Size        : 483558                           License: GPL
Signature   : (none)
Packager    : Simon Matter [EMAIL PROTECTED]
URL         : http://www.shorewall.net/
Summary     : Shoreline Firewall is an iptables-based firewall for Linux systems
Description :
The Shoreline Firewall, more commonly known as Shorewall, is a Netfilter
(iptables) based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone GNU/Linux system.

Shorewall offers two alternative firewall compilers, shorewall-perl and
shorewall-shell. The shorewall-perl compiler is suggested for new installed
systems and shorewall-shell is provided for backwards compability and smooth
legacy system upgrades because shorewall perl is not fully compatible with
all legacy configurations.





Re: [CentOS] Firewall frustration

2008-01-04 Thread Robert Moskowitz

qsm wrote:

maybe shorewall can make your life so easy.
It does not support the rtl8150 chipset. That is what I have in the 
way of USB ethernet dongles.


Which is another reason to go with a Centos based solution when you need 
to put something up as you go.


--


*-- Original Message ---*
From: Robert Moskowitz [EMAIL PROTECTED]
To: CentOS mailing list centos@centos.org
Sent: Thu, 3 Jan 2008 08:03:09 -0500
Subject: Re: [CentOS] Firewall frustration

 Christopher Chan wrote:
 
  I tried it. I had everything open. Then I blocked everything. Then I
  set up a rule to allow SSH in to eth0 and out eth1 (and the other
  way). At least I thought that was what the rules said, but no SSH
  connectivity through the firewall. That was when I realized that I
  had not found the necessary incantation, and I had already shot most
  of Tuesday.
 
 
  Too bad you missed the documentation on netfilter then.
 And that is the crux of the problem: finding the right documentation.


 And to look at documentation on netfilter besides iptables.
  It would have told you that the INPUT chain controls what comes to 
the

  box, the OUTPUT chain what originates from the box and the FORWARD
  chain what goes through the box.
 
  You would have needed a rule in FORWARD to allow ssh connections
  through the box. The rules in the INPUT and OUTPUT chains would have
  zero effect on connections going through.
 
  Anyways, you have something now but in case you want to give iptables
  another go...
 

 --
 This message has been analysed by MailScanner
 for viruses and other dangerous content,
 and is believed to be clean.
 For all your IT requirements visit: http://www.transtec.co.uk/

*--- End of Original Message ---*




  



Re: [CentOS] Firewall frustration

2008-01-04 Thread Robert Moskowitz

Marko A. Jennings wrote:

On Thu, January 3, 2008 8:18 am, Robert Moskowitz wrote:
  

Steven Haigh wrote:


On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote:
  

Christopher Chan wrote:


I spent much of the past 24 hours trying to find out how to set up
iptables for firewall routing WITHOUT NATing. Could not find
anything.



Eh? You just need to enable ip forwarding to enable routing. After
that, it is put up the firewall rules as is necessary, build the
appropriate routing tables on the firewall box and the boxes on the
intranet(s).

iptables does not handle routing.
  

No, but iptables controls what is allowed to route,


I think this is where you are getting confused and causing yourself
issues. iptables has ZERO effect on what is allowed to route. It is a
simple YES or NO as to if it should be allowed to pass or be filtered.
  

I have been tested as having a significant language usage problem, and
am working on it. 'what is allowed to route' was a poor choice of
wording. What you wrote above is much closer to what I wanted to say.

ip src/dest is used for routing decisions by the kernel. The IP state
machine (check the RFC or any decent TCP/IP textbook) is really quite
simple. But iptables sticks its nose into the center of that state
machine and can mangle addresses to change how packets flow through the
machine, or just simply yank packets right out of the machine with a
simple NO (drop).

So in my mind's eye of the IP state machine (my MSU CPS 410 prof was
death on state machines; turn in a perfectly executing assignment
without one and there went half your grade. See HIP for its state
machine) is dictated by iptables as to what it is allowed to route.


Those little words, put up the firewall rules as necessary are
equivalent to and magic happens here.


It's actually not magical at all... Work with the mindset of I want
to allow X, Y, and Z, then deny everything else. This translates
easily into iptables rules -j ACCEPT and then your last rule (or
policy) should be a deny/drop/reject.
  

That is exactly what I tried to do. I just used the wrong bit of pixie
dust (during some of the 'heated' IPsec meeting debates one fellow would
try to sneak up a speaker 'that just did not get it' and sprinkle some
glitter on them. He had labeled his tube of glitter as 'security pixie
dust').



If you are interested in learning how iptables work, I suggest reading
this book:

Linux Firewalls, Second Edition
by Robert L. Ziegler
ISBN 0-7357-1099-6

It covers everything from packet filtering concepts to practical examples.

  

Now here is a recommendation to follow up on. Thanks!



Re: [CentOS] Firewall frustration

2008-01-04 Thread Robert Moskowitz

Christopher Chan wrote:


ip src/dest is used for routing decisions by the kernel. The IP state 
machine (check the RFC or any decent TCP/IP textbook) is really quite 
simple. But iptables sticks its nose into the center of that state 
machine and can mangle addresses to change how packets flow through 
the machine, or just simply yank packets right out of the machine 
with a simple NO (drop).


So in my mind's eye of the IP state machine (my MSU CPS 410 prof was 
death on state machines; turn in a perfectly executing assignment 
without one and there went half your grade. See HIP for its state 
machine) is dictated by iptables as to what it is allowed to route.


That just means iptables can influence routing by manipulating packet 
headers. Routing is still controlled by the kernel. 
We are playing with words here, and English tends to be too rich in 
interpretation. I work on standards. I let one regional joke be left in an 
RFC: 2410, the Null ESP cipher. There we joke about the null cipher 
having a key length of zero. A very American joke, for at the time we were 
killing aspects of the ITAR control on crypto export. But a few years 
later, over at my day job at ICSAlabs, we are trying to figure out why 
this one firewall product for TW is not working with the others. The 
connections are terminated in the ISAKMP negotiation. We dig down and 
find that there is an ISAKMP ESP-NULL proposal with a key payload with a 
value of zero. No one else is accepting this and rejects the whole 
ISAKMP exchange per the ISAKMP RFC. We then find a few other IPsec 
implementations coming out like this and all the authors are people 
following on, just reading the RFCs and NOT getting the joke. There are 
some MAD developers as they have to change their code, and some blushing 
IETFers as we realize we have to maintain the lore of the RFC 
development as there are other RFCs with zingers in them.


Over at the IEEE 802, we are voting ballots on wording that can be 
interpreted one way with the Webster dictionary and another with the 
Oxford dictionary.


So I am right about iptables controlling routing and you are right about 
iptables NOT controlling routing, only influencing it. What does 
'control' mean in this context? IEEE is really big on state machines and 
truly covers the transfer of 'control' from one layer to another. Look 
at the MLME in 802.11. Look at the 802.1X machines. So since I have to 
live this control architecture and work in live debates about what layer 
is controlling what, I have a particular language set.



BTW, should we table this debate? Webster says that means stopping, 
'taking the subject off the table.' Oxford says that means to start, 
'placing the subject on the table.' Boy did we have some moments back in 
the mid-90s when the ISO crowd descended on the IETF. Also can we reach 
a consensus here? Webster will accept a majority, Oxford wants complete 
agreement. (Or at least that is what these sources said back in the 
mid-90s when we lived Bernard Shaw's line of: 'Two nations separated by 
a common language')



:)

Now I have to hop over to the Asterisk list to figure out why with one 
firewall the INVITE properly redirects the RTP to the RTP server, and 
with the other firewall this is not in the INVITE so the RTP flow 
does not. ARGH!





Re: [CentOS] Firewall frustration

2008-01-04 Thread Christopher Chan


Over at the IEEE 802, we are voting ballots on wording that can be 
interpreted one way with the Webster dictionary and another with the 
Oxford dictionary.


So I am right about iptables controlling routing and you are right about 
iptables NOT controlling routing, only influencing it. What does 
'control' mean in this context? IEEE is really big on state machines and 
truly covers the transfer of 'control' from one layer to another. Look 
at the MLME in 802.11. Look at the 802.1X machines. So since I have to 
live this control architecture and work in live debates about what layer 
is controlling what, I have a particular language set.




Kernel routing code makes decision, iptables can influence that decision. :P



BTW, should we table this debate? Webster says that means stopping, 
'taking the subject off the table.' Oxford says that means to start, 
'placing the subject on the table.' Boy did we have some moments back in 
the mid-90s when the ISO crowd descended on the IETF. Also can we reach 
a consensus here? Webster will accept a majority, Oxford wants complete 
agreement. (Or at least that is what these sources said back in the 
mid-90s when we lived Bernard Shaw's line of: 'Two nations separated by 
a common language')




^O^



:)

Now I have to hop over to the Asterisk list to figure out why with one 
firewall the INVITE properly redirects the RTP to the RTP server, and 
with the other firewall this is not in the INVITE so the RTP flow 
does not. ARGH!




I hope you are not trying to get around a double nat situation. client 
- nat - nat - asterisk.


I never managed to get things to work in that scenario. I have a vpn 
setup to get things to work.



Re: [CentOS] Firewall frustration

2008-01-04 Thread Toby Bluhm

Robert Moskowitz wrote:

qsm wrote:

maybe shorewall can make your life so easy.
It does not support the rtl8150 chipset. That is what I have in 
the way of USB ethernet dongles.


Which is another reason to go with a Centos based solution when you 
need to put something up as you go.


Which is how I have shorewall/shoreline working . . . .


[EMAIL PROTECTED] ~]$ cat /etc/redhat-release
CentOS release 5 (Final)

[EMAIL PROTECTED] ~]$ rpm -qi shorewall
Name        : shorewall                    Relocations: (not relocatable)
Version     : 4.0.2                             Vendor: Invoca Systems
Release     : 3                             Build Date: Mon Aug 20 09:03:41 2007
Install Date: Mon Aug 20 09:05:25 2007      Build Host: nutube
Group       : System Environment/Base       Source RPM: shorewall-4.0.2-3.src.rpm
Size        : 483558                           License: GPL
Signature   : (none)
Packager    : Simon Matter [EMAIL PROTECTED]
URL         : http://www.shorewall.net/
Summary     : Shoreline Firewall is an iptables-based firewall for Linux systems
Description :
The Shoreline Firewall, more commonly known as Shorewall, is a Netfilter
(iptables) based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone GNU/Linux system.

Shorewall offers two alternative firewall compilers, shorewall-perl and
shorewall-shell. The shorewall-perl compiler is suggested for new installed
systems and shorewall-shell is provided for backwards compability and smooth
legacy system upgrades because shorewall perl is not fully compatible with
all legacy configurations.


--
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240




Re: [CentOS] Firewall frustration

2008-01-03 Thread Fajar Priyanto
On Thursday 03 January 2008 12:37:56 Christopher Chan wrote:
 Too bad you missed the documentation on netfilter then. It would have
 told you that the INPUT chain controls what comes to the box, the OUTPUT
 chain what originates from the box and the FORWARD chain what goes
 through the box.

 You would have needed a rule in FORWARD to allow ssh connections through
 the box. The rules in the INPUT and OUTPUT chains would have zero effect
 on connections going through.

It might also help if we put a rule that will log what happens, for 
troubleshooting. Put these lines at the end of your rules (please mind the 
word wrap):

iptables -A INPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** INPUT DROP ** '
iptables -A OUTPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** OUTPUT DROP ** '
iptables -A FORWARD -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** FORWARD DROP ** '

We can now see the result in /var/log/messages.
HTH,
-- 
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial 
http://linux2.arinet.org
17:14:40 up 9:52, 2.6.22-14-generic GNU/Linux 
Let's use OpenOffice. http://www.openoffice.org
The real challenge of teaching is getting your students motivated to learn.




Re: [CentOS] Firewall frustration

2008-01-03 Thread Steven Haigh

On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote:

Christopher Chan wrote:


I spent much of the past 24 hours trying to find out how to set up  
iptables for firewall routing WITHOUT NATing. Could not find  
anything.




Eh? You just need to enable ip forwarding to enable routing. After  
that, it is put up the firewall rules as is necessary, build the  
appropriate routing tables on the firewall box and the boxes on the  
intranet(s).


iptables does not handle routing.

No, but iptables controls what is allowed to route,


I think this is where you are getting confused and causing yourself  
issues. iptables has ZERO effect on what is allowed to route. It is a  
simple YES or NO as to if it should be allowed to pass or be filtered.


or it seems when you read the tutorials on iptables. I know about  
routing, Comer taught me, and I reviewed Stevens' book. I know about  
firewalls; Bellovin and I go back quite a ways. But configuring  
software to do what **I** want, well that is where the car hits the  
brick wall. As Bellovin would say, Here be Dragons.


Those little words, put up the firewall rules as necessary are  
equivalent to and magic happens here.



It's actually not magical at all... Work with the mindset of I want  
to allow X, Y, and Z, then deny everything else. This translates  
easily into iptables rules -j ACCEPT and then your last rule (or  
policy) should be a deny/drop/reject.




I tried it. I had everything open. Then I blocked everything. Then I  
set up a rule to allow SSH in to eth0 and out eth1 (and the other  
way). At least I thought that was what the rules said, but no SSH  
connectivity through the firewall. That was when I realized that I  
had not found the necessary incantation, and I had already shot most  
of Tuesday.


Again, you are using the wrong mindset here... Your rule would  
translate to:

iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -d my.ssh.server.ip.here -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -j DROP

This allows you to put PER HOST restrictions on what you want to do.  
If you want to do it on a per interface basis, then you will have the  
same rules for every host in your subnet. Easy, but not ideal.


To break down that rule into bitesized chunks for learning:

-A FORWARD = adds this rule to the forwarding chain, as this will pass through us.
-i eth0 = if the traffic comes in on eth0
-d my.ssh.server.ip.here = the destination of where the traffic will end up
-p tcp = this rule only applies to the tcp protocol
-m state --state NEW = We'll allow the SYN packet so that the rest will be accepted by a RELATED,ESTABLISHED rule.
-m tcp = part of the stateful matching off the top of my head
--dport = this rule only applies to things heading to port 22 (our earlier TCP flag will make sure we only act on tcp/22 traffic).
-j ACCEPT = allow the traffic to pass.

As an exercise for the reader, write down a rule that would accept  
traffic from eth0, and destined for a web server on 1.2.3.4. You  
should notice that the rules will be pretty much identical. You would  
insert this rule somewhere after the related/established, and  
somewhere before the -j DROP rule.


Now keep in mind that iptables is a VERY simple beast and will apply  
the first rule that matches! Consider the following:

	iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -A FORWARD -i eth0 -p tcp -d 1.2.3.4 -m state --state NEW -m tcp --dport 22 -j ACCEPT
	iptables -A FORWARD -i eth0 -p tcp --dport 22 -j DROP

What would happen here is that an incoming request for ssh to 1.2.3.4  
would be accepted by rule #2, but the rule inspection would never make  
it to rule #3 to be dropped, so take care in the ordering of your  
rules.




Up and running. I can understand what shorewall rules are saying.  
And I can see the results.






--
Steven Haigh

Email: [EMAIL PROTECTED]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897





Re: [CentOS] Firewall frustration

2008-01-03 Thread qsm




maybe shorewall can make your life so easy.

-- 




-- Original Message ---
From: Robert Moskowitz [EMAIL PROTECTED]
To: CentOS mailing list centos@centos.org
Sent: Thu, 3 Jan 2008 08:03:09 -0500
Subject: Re: [CentOS] Firewall frustration

 Christopher Chan wrote:
 
  I tried it. I had everything open. Then I blocked everything. Then I
  set up a rule to allow SSH in to eth0 and out eth1 (and the other
  way). At least I thought that was what the rules said, but no SSH
  connectivity through the firewall. That was when I realized that I
  had not found the necessary incantation, and I had already shot most
  of Tuesday.
 
  Too bad you missed the documentation on netfilter then.
 And that is the crux of the problem: finding the right documentation.
 
 And to look at documentation on netfilter besides iptables.
  It would have told you that the INPUT chain controls what comes to the
  box, the OUTPUT chain what originates from the box and the FORWARD
  chain what goes through the box.
 
  You would have needed a rule in FORWARD to allow ssh connections
  through the box. The rules in the INPUT and OUTPUT chains would have
  zero effect on connections going through.
 
  Anyways, you have something now but in case you want to give iptables
  another go...
--- End of Original Message ---








Re: [CentOS] Firewall frustration

2008-01-03 Thread Marko A. Jennings
On Thu, January 3, 2008 8:18 am, Robert Moskowitz wrote:
 Steven Haigh wrote:
 On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote:
 Christopher Chan wrote:

 I spent much of the past 24 hours trying to find out how to set up
 iptables for firewall routing WITHOUT NATing. Could not find
 anything.


 Eh? You just need to enable ip forwarding to enable routing. After
 that, it is put up the firewall rules as is necessary, build the
 appropriate routing tables on the firewall box and the boxes on the
 intranet(s).

 iptables does not handle routing.
 No, but iptables controls what is allowed to route,

 I think this is where you are getting confused and causing yourself
 issues. iptables has ZERO effect on what is allowed to route. It is a
 simple YES or NO as to if it should be allowed to pass or be filtered.
 I have been tested as having a significant language usage problem, and
 am working on it. 'what is allowed to route', was a poor choice of
 wording. What you wrote above is much closer to what I wanted to say.

 ip src/dest is used for routing decisions by the kernel. The IP state
 machine (check the RFC or any decent TCP/IP textbook) is really quite
 simple. But iptables sticks its nose into the center of that state
 machine and can mangle addresses to change how packets flow through the
 machine, or just simply yank packets right out of the machine with a
 simple NO (drop).

 So in my mind's eye of the IP state machine (my MSU CPS 410 prof was
 death on state machines; turn in a perfectly executing assignment
 without one and there went half your grade. See HIP for its state
 machine) is dictated by iptables as to what it is allowed to route.

 Those little words, put up the firewall rules as necessary are
 equivalent to and magic happens here.

 It's actually not magical at all... Work with the mindset of I want
 to allow X, Y, and Z, then deny everything else. This translates
 easily into iptables rules -j ACCEPT and then your last rule (or
 policy) should be a deny/drop/reject.
 That is exactly what I tried to do. I just used the wrong bit of pixie
 dust (during some of the 'heated' IPsec meeting debates one fellow would
 try to sneak up a speaker 'that just did not get it' and sprinkle some
 glitter on them. He had labeled his tube of glitter as 'security pixie
 dust').

If you are interested in learning how iptables work, I suggest reading
this book:

Linux Firewalls, Second Edition
by Robert L. Ziegler
ISBN 0-7357-1099-6

It covers everything from packet filtering concepts to practical examples.

Marko


RE: [CentOS] Firewall frustration

2008-01-03 Thread Dennis McLeod
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Marko A. Jennings
 Sent: Thursday, January 03, 2008 7:29 AM
 To: centos@centos.org
 Subject: Re: [CentOS] Firewall frustration
 
 On Thu, January 3, 2008 8:18 am, Robert Moskowitz wrote:
  Steven Haigh wrote:
  On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote:
  Christopher Chan wrote:
 
   I spent much of the past 24 hours trying to find out how to set up
   iptables for firewall routing WITHOUT NATing. Could not find
   anything.
  
  
   Eh? You just need to enable ip forwarding to enable routing. After
   that, it is put up the firewall rules as is necessary, build the
   appropriate routing tables on the firewall box and the boxes on the
   intranet(s).
  
   iptables does not handle routing.
   No, but iptables controls what is allowed to route,
  
   I think this is where you are getting confused and causing yourself
   issues. iptables has ZERO effect on what is allowed to route. It is a
   simple YES or NO as to if it should be allowed to pass or be filtered.
   I have been tested as having a significant language usage problem, and
   am working on it. 'what is allowed to route' was a poor choice of
   wording. What you wrote above is much closer to what I wanted to say.
  
   ip src/dest is used for routing decisions by the kernel. The IP state
   machine (check the RFC or any decent TCP/IP textbook) is really quite
   simple. But iptables sticks its nose into the center of that state
   machine and can mangle addresses to change how packets flow through
   the machine, or just simply yank packets right out of the machine
   with a simple NO (drop).
  
   So in my mind's eye of the IP state machine (my MSU CPS 410 prof was
   death on state machines; turn in a perfectly executing assignment
   without one and there went half your grade. See HIP for its state
   machine) is dictated by iptables as to what it is allowed to route.
  
   Those little words, put up the firewall rules as necessary are
   equivalent to and magic happens here.
  
   It's actually not magical at all... Work with the mindset of I want
   to allow X, Y, and Z, then deny everything else. This translates
   easily into iptables rules -j ACCEPT and then your last rule (or
   policy) should be a deny/drop/reject.
   That is exactly what I tried to do. I just used the wrong bit of pixie
   dust (during some of the 'heated' IPsec meeting debates one fellow
   would try to sneak up a speaker 'that just did not get it' and
   sprinkle some glitter on them. He had labeled his tube of glitter as
   'security pixie dust').
  
  If you are interested in learning how iptables work, I suggest reading
  this book:
  
  Linux Firewalls, Second Edition
  by Robert L. Ziegler
  ISBN 0-7357-1099-6
  
  It covers everything from packet filtering concepts to practical examples.
 
 Marko



Thanks, I was just going to ask
Dennis



Re: [CentOS] Firewall frustration

2008-01-03 Thread Christopher Chan


ip src/dest is used for routing decisions by the kernel. The IP state 
machine (check the RFC or any decent TCP/IP textbook) is really quite 
simple. But iptables sticks its nose into the center of that state 
machine and can mangle addresses to change how packets flow through the 
machine, or just simply yank packets right out of the machine with a 
simple NO (drop).


So in my mind's eye of the IP state machine (my MSU CPS 410 prof was 
death on state machines; turn in a perfectly executing assignment 
without one and there went half your grade. See HIP for its state 
machine) is dictated by iptables as to what it is allowed to route.


That just means iptables can influence routing by manipulating packet 
headers. Routing is still controlled by the kernel.



Re: [CentOS] Firewall frustration

2008-01-02 Thread Christopher Chan


I spent much of the past 24 hours trying to find out how to set up 
iptables for firewall routing WITHOUT NATing. Could not find anything.




Eh? You just need to enable ip forwarding to enable routing. After that, 
it is put up the firewall rules as is necessary, build the appropriate 
routing tables on the firewall box and the boxes on the intranet(s).


iptables does not handle routing.


Re: [CentOS] Firewall frustration

2008-01-02 Thread Robert Moskowitz

Christopher Chan wrote:


I spent much of the past 24 hours trying to find out how to set up 
iptables for firewall routing WITHOUT NATing. Could not find anything.




Eh? You just need to enable ip forwarding to enable routing. After 
that, it is put up the firewall rules as is necessary, build the 
appropriate routing tables on the firewall box and the boxes on the 
intranet(s).


iptables does not handle routing. 
No, but iptables controls what is allowed to route, or it seems when you 
read the tutorials on iptables. I know about routing, Comer taught me, 
and I reviewed Stevens' book. I know about firewalls; Bellovin and I go 
back quite a ways. But configuring software to do what **I** want, well 
that is where the car hits the brick wall. As Bellovin would say, Here be 
Dragons.


Those little words, "put up the firewall rules as necessary", are 
equivalent to "and magic happens here".


I tried it. I had everything open. Then I blocked everything. Then I set 
up a rule to allow SSH in to eth0 and out eth1 (and the other way). At 
least I thought that was what the rules said, but no SSH connectivity 
through the firewall. That was when I realized that I had not found the 
necessary incantation, and I had already shot most of Tuesday.


Up and running. I can understand what shorewall rules are saying. And I 
can see the results.





Re: [CentOS] Firewall frustration

2008-01-02 Thread Christopher Chan


I tried it. I had everything open. Then I blocked everything. Then I set 
up a rule to allow SSH in to eth0 and out eth1 (and the other way). At 
least I thought that was what the rules said, but no SSH connectivity 
through the firewall. That was when I realized that I had not found the 
necessary incantation, and I had already shot most of Tuesday.




Too bad you missed the documentation on netfilter then. It would have 
told you that the INPUT chain controls what comes to the box, the OUTPUT 
chain what originates from the box and the FORWARD chain what goes 
through the box.


You would have needed a rule in FORWARD to allow ssh connections through 
the box. The rules in the INPUT and OUTPUT chains would have zero effect 
on connections going through.


Anyways, you have something now but in case you want to give iptables 
another go...
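
Worked example, added by the editor and not taken from any post in this thread: the two Christopher Chan posts above together give the whole recipe for a routing firewall with no NAT. Forwarding is a kernel setting; once it is on, the FORWARD chain decides what may cross between the two interfaces, and INPUT only matters for traffic addressed to the firewall box itself. The script below writes that recipe out as a generated rule set so it can be read before it is loaded, and it puts the "SSH through the box" rule where the post says it belongs. Interface names eth0 (outside) and eth1 (inside), the inside subnet 192.0.2.0/24 (TEST-NET-1 standing in for a real routable block, since the setup in this thread uses routable addresses on both sides) and the helper names gen_rules, chain_of, ssh_forward_rules and ssh_input_rules are all assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the thread: a routing firewall with NO NAT.
# ip_forward makes the kernel route; FORWARD filters traffic crossing the box;
# INPUT and OUTPUT only cover traffic to and from the firewall itself.
# Interface names and the inside subnet are assumptions for the example.
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"
INSIDE_IF="${INSIDE_IF:-eth1}"
INSIDE_NET="${INSIDE_NET:-192.0.2.0/24}"   # TEST-NET-1 as a placeholder routable block

# Emit the rule set as commands instead of running them, so it can be read,
# diffed and, as root, loaded with:  gen_rules | sh -e
gen_rules() {
    cat <<EOF
# 1. Routing: without this the kernel never forwards, whatever iptables says.
sysctl -w net.ipv4.ip_forward=1
# 2. Start clean, default-deny for traffic to and through the box.
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# 3. INPUT: only what is addressed to the firewall itself (sshd from inside).
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INSIDE_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# 4. FORWARD: what may pass between $OUTSIDE_IF and $INSIDE_IF. No NAT target
#    appears anywhere; addresses are routable on both sides.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -s $INSIDE_NET -j ACCEPT
iptables -A FORWARD -i $OUTSIDE_IF -o $INSIDE_IF -d $INSIDE_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
}

# Name the chain a generated line programs ("policy" for -P, "sysctl" for the
# forwarding switch, empty for comments), useful when reviewing the output.
chain_of() {
    case "$1" in
        "iptables -A "*) printf '%s\n' "$1" | cut -d' ' -f3 ;;
        "iptables -P "*) echo policy ;;
        sysctl*)         echo sysctl ;;
        *)               echo "" ;;
    esac
}

# Rules that let an SSH session pass THROUGH the box: these must be in FORWARD.
ssh_forward_rules() {
    gen_rules | grep -c -- '-A FORWARD .*--dport 22'
}

# Rules in INPUT mentioning port 22 only reach sshd on the firewall itself;
# they have no effect on a session going from one interface to the other.
ssh_input_rules() {
    gen_rules | grep -c -- '-A INPUT .*--dport 22'
}

if [ "${1:-}" = apply ]; then
    gen_rules | sh -e      # needs root
else
    gen_rules              # review mode: just print the rule set
fi
```

Run it with no argument to print the rule set for review, or with `apply` as root to load it. The rule that lets an SSH session cross from eth0 to eth1 is the one in FORWARD; the INPUT rule with the same port only reaches sshd on the firewall box, which is exactly the distinction the post above draws and the reason an INPUT/OUTPUT-only rule set never let SSH through.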



Re: [CentOS] Firewall frustration

2008-01-01 Thread Robert Moskowitz



Mark Weaver wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Mon, 31 Dec 2007 12:21:34 -0500
Robert Moskowitz [EMAIL PROTECTED] wrote:

  

William L. Maltby wrote:


On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:
  
  

Peter Farrell wrote:



Problem is I want a REAL router/firewall with little work.

Run a smoothwall installation and replace your CentOS install.

http://www.smoothwall.org/
  
  
  

well first challenge is my unit's USB ethernet dongles. Centos
uses the RTL 8150 driver for them. Smoothwall only lists the RTL
8129, 8139, and 8169...



I've used this at home for years. I don't know if it's suitable,
but it seems *very* flexible. Allows for NAT or not, has typical
zones, reporting, IPTables modification support, ...

   http://www.ipcop.org/

Has run/tested successfully on various configurations here. It's
another ditch your CentOS solution though. But you can put it on
any old junk laying around and it'll probably work. Using cable
modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium
200MHz pci gives = 700MB/sec - both from decent sites. Tested
using both ISA and PCI bus adapters through both twisted pair and
thin coax.
  

As I thought about things this morning, trying to put up smoothwall,
I realized that one of my goals is to have a tool to turn a Centos
system that I am using for foo, into a firewall for bar for a day.  I
have Astaro for my serious firewall needs (see later post), but need 
something 'portable'.  You see I have these plans with some small itx 
systems



have you considered linux that fits on a floppy disk?

http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/

http://www.linuxlinks.com/Distributions/Floppy/

http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions/Tiny/Floppy_Sized/

get one running and configured and save to floppy... things go south
reboot the machine and everything is back. no hard drives to worry
about...
  
Have you ever thought about how rare floppy drives are now?  At best you 
go with a bootable usb, if your notebook supports bootable USB.  My 
Libretto does have a bootable floppy, but that is something extra to 
carry.  It will not boot from anything else (besides its HD).  My nc4010 
(this notebook) will boot from usb.  My corp notebook (nc2400) is locked 
down; and I don't see any value at getting corp IT bent out of shape.





Re: [CentOS] Firewall frustration

2008-01-01 Thread Scott Ehrlich

On Tue, 1 Jan 2008, Robert Moskowitz wrote:




Mark Weaver wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Mon, 31 Dec 2007 12:21:34 -0500
Robert Moskowitz [EMAIL PROTECTED] wrote:



William L. Maltby wrote:


On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:


Peter Farrell wrote:


Problem is I want a REAL router/firewall with little work.

Run a smoothwall installation and replace your CentOS install.

http://www.smoothwall.org/


well first challenge is my unit's USB ethernet dongles. Centos
uses the RTL 8150 driver for them. Smoothwall only lists the RTL
8129, 8139, and 8169...


I've used this at home for years. I don't know if it's suitable,
but it seems *very* flexible. Allows for NAT or not, has typical
zones, reporting, IPTables modification support, ...

   http://www.ipcop.org/

Has run/tested successfully on various configurations here. It's
another ditch your CentOS solution though. But you can put it on
any old junk laying around and it'll probably work. Using cable
modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium
200MHz pci gives = 700MB/sec - both from decent sites. Tested
using both ISA and PCI bus adapters through both twisted pair and
thin coax.


As I thought about things this morning, trying to put up smoothwall,
I realized that one of my goals is to have a tool to turn a Centos
system that I am using for foo, into a firewall for bar for a day.  I
have Astaro for my serious firewall needs (see later post), but need 
something 'portable'.  You see I have these plans with some small itx 
systems




have you considered linux that fits on a floppy disk?

http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/

http://www.linuxlinks.com/Distributions/Floppy/

http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions/Tiny/Floppy_Sized/

get one running and configured and save to floppy... things go south
reboot the machine and everything is back. no hard drives to worry
about...

Have you ever thought about how rare floppy drives are now?  At best you go 
with a bootable usb, if your notebook supports bootable USB.  My Libretto 
does have a bootable floppy, but that is something extra to carry.  It will 
not boot from anything else (besides its HD).  My nc4010 (this notebook) will 
boot from usb.  My corp notebook (nc2400) is locked down; and I don't see any 
value at getting corp IT bent out of shape.




Yes, floppy drives are rare - but they are still incredibly valuable. 
I've dealt with needing to install drivers from floppy for OSes, and the 
OSes are looking to floppy.


I've needed DOS' fdisk to get me out of problems at times, and having a 
bootable copy of DOS on-hand has done the job.


Some BIOS updates are only available from a bootable floppy (won't install 
to anything else).


Saves time and frustration in having a reusable floppy around rather than 
having to sometimes create a bootable CD to put the files on.  Reuse the 
floppy as often as needed.


Old hardware still exists and is usable, and sometimes only works, or works 
best, with floppies.


Sometimes old school is still good school.

We still often use VT100 or 3270 emulation for remote connectivity... 
Think about their origins.


Scott





Re: [CentOS] Firewall frustration

2008-01-01 Thread Mark Weaver
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 1 Jan 2008 08:57:22 -0500
Robert Moskowitz [EMAIL PROTECTED] wrote:
 Have you ever thought about how rare floppy drives are now?  At best
 you go with a bootable usb, if your notebook supports bootable USB.
 My Libretto does have a bootable floppy, but that is something extra
 to carry.  It will not boot from anything else (besides its HD).  My
 nc4010 (this notebook) will boot from usb.  My corp notebook (nc2400)
 is locked down; and I don't see any value at getting corp IT bent out
 of shape.

why would you even think about using a Notebook computer as a firewall?
I was assuming you were going to delegate this task to an older machine
with sufficient resources to handle the task and not give the task to a
notebook computer.

- -- 
Mark

Drunkenness is not an excuse for stupidity. If you're stupid when
you're sober then that's one thing, but if you're sober when you're
stupid, then you're just plain stupid!
== Powered by CentOS5
(RHEL5)
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.4-svn0 (GNU/Linux)

iD8DBQFHelHmAHUWFbtwPigRAnENAJ4lTmw4Y/zYA0o2UoLkS9kfS0BmBgCfdCaY
MMt82ApSGiXMHn10XOFXslQ=
=fm8P
-END PGP SIGNATURE-


Re: [CentOS] Firewall frustration

2008-01-01 Thread Robert Moskowitz

Mark Weaver wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 1 Jan 2008 08:57:22 -0500
Robert Moskowitz [EMAIL PROTECTED] wrote:
  

Have you ever thought about how rare floppy drives are now?  At best
you go with a bootable usb, if your notebook supports bootable USB.
My Libretto does have a bootable floppy, but that is something extra
to carry.  It will not boot from anything else (besides its HD).  My
nc4010 (this notebook) will boot from usb.  My corp notebook (nc2400)
is locked down; and I don't see any value at getting corp IT bent out
of shape.



why would you even think about using a Notebook computer as a firewall?
I was assuming you were going to delegate this task to an older machine
with sufficient resources to handle the task and not give the task to a
notebook computer.
Of course in my lab, the firewall is a 'older' machine.  But I want to 
learn from this so that when I am at a conference or trade show and need 
a firewall 'fast', I can put up the services on one of my Centos notebooks.


BTW, WRT 'older' machines.  I am looking more at the cost of running 
these machines (power draw).  It is not just a matter of the $0.124/KWH 
that I pay, but the cost to add another circuit (my NOC shares two 
circuits that were already running at 50% utilization), and the cost of 
cooling in the summer (we added a tap into the cold air return system by 
the rack fans to capture the computer heat for the winter).


I just got the firewall running (see later note) on a decTOP micro PC 
that I pulled the 10Gb 3.5 drive and installed a 2.5 6Gb drive.  The 
system pulls about 10W!  Compared to ~100W for some of my Compaq SFFs.  
Let's see 90W/day = 2.16KWH = ~$0.27/day = ~$97.76/year.  That can pay 
for replacing another old Compaq with another decTOP (well not really as 
you have to add memory,  switch out drives, and add a second USB 
ethernet dongle; guess the ROI is around 2 years).




Re: [CentOS] Firewall frustration

2008-01-01 Thread Robert Moskowitz

Firewall is up and running.

Used Shorewall with Webmin.

Les Bell wrote:

Robert Spangler [EMAIL PROTECTED] wrote:

  
While IPTABLES might be CHEAP (price) it is a very good firewall.

Learn to set it up from the command line, it isn't that hard.


Amen. I've been using CentOS for firewalls here for a long time now, with
hand-written rules. Besides, generic firewall configuration tools don't -
can't - know about many of the more advanced modules and features of
iptables.
I spent much of the past 24 hours trying to find out how to set up 
iptables for firewall routing WITHOUT NATing. Could not find anything.


So I decided to try out shorewall, which has a front end in Webmin. The 
'nice' thing about this was as I built a portion of Shorewall (say the 
zones), I could use the Webmin edit the conf file directly to see the 
'raw' config file and looky there, a URL for a help page!


Taking it slow, I got Shorewall up in about 1 hour.

But I have questions for the Shorewall people. They talk about iptables, 
then netfilter. The site says that Shorewall is not a daemon. Well I see 
a Shorewall service running. Can't see that it is using any cpu cycles or 
how much memory. The iptables have the same content they had when I used 
the upstream's tool at Centos install time to set up basic 'firewall' 
features. So what gives?





Re: [CentOS] Firewall frustration

2008-01-01 Thread Steven Haigh


On 02/01/2008, at 4:11 AM, Robert Moskowitz wrote:
I spent much of the past 24 hours trying to find out how to set up  
iptables for firewall routing WITHOUT NATing. Could not find anything.



*boggle* Is it really that hard?

## Clear up whatever is in there at the moment.
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F POSTROUTING

## Accept anything related to existing connections
iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

## I want to allow incoming port 80 to 1.2.3.4
iptables -A FORWARD -i ppp0 -d 1.2.3.4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

## I want to allow incoming port 123 (ntp) to 1.2.3.6
iptables -A FORWARD -i ppp0 -d 1.2.3.6 -p udp -m udp --dport 123 -j ACCEPT

## Lets block ALL other incoming things
## (matched on ppp0 like the rules above, so loopback and LAN-side traffic
##  is not dropped along with it)
iptables -A INPUT -i ppp0 -j DROP
iptables -A FORWARD -i ppp0 -j DROP

There you go. That's a very basic firewall using iptables in about 3  
minutes :)


--
Steven Haigh

Email: [EMAIL PROTECTED]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897





Re: [CentOS] Firewall frustration

2008-01-01 Thread jarmo
Steven Haigh wrote in the message (sent Tuesday, 1 January 2008 
20:23):
 On 02/01/2008, at 4:11 AM, Robert Moskowitz wrote:
  I spent much of the past 24 hours trying to find out how to set up
  iptables for firewall routing WITHOUT NATing. Could not find anything.

 There you go. That's a very basic firewall using iptables in about 3
 minutes :)

 --
 Steven Haigh

How about look:
http://easyfwgen.morizot.net/gen/
It has been quite long time very easy tool for n00bs to generate
rules... I've using it for ages now. After generation very easy
to use and configure more rules, if needed.

Jarmo


Re: [CentOS] Firewall frustration

2008-01-01 Thread Robert Moskowitz
Thanks I will read this through a bit later. Perhaps I was making more 
of it than needed, but my attempts were not working. And all I was 
trying for at first was to allow SSH through.


Steven Haigh wrote:


On 02/01/2008, at 4:11 AM, Robert Moskowitz wrote:
I spent much of the past 24 hours trying to find out how to set up 
iptables for firewall routing WITHOUT NATing. Could not find anything.



*boggle* Is it really that hard?

## Clear up whatever is in there at the moment.
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F POSTROUTING

## Accept anything related to existing connections
iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

## I want to allow incoming port 80 to 1.2.3.4
iptables -A FORWARD -i ppp0 -d 1.2.3.4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

## I want to allow incoming port 123 (ntp) to 1.2.3.6
iptables -A FORWARD -i ppp0 -d 1.2.3.6 -p udp -m udp --dport 123 -j ACCEPT

## Lets block ALL other incoming things
## (matched on ppp0 like the rules above, so loopback and LAN-side traffic
##  is not dropped along with it)
iptables -A INPUT -i ppp0 -j DROP
iptables -A FORWARD -i ppp0 -j DROP

There you go. That's a very basic firewall using iptables in about 3 
minutes :)


--
Steven Haigh

Email: [EMAIL PROTECTED]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897





Re: [CentOS] Firewall frustration

2007-12-31 Thread Peter Farrell
Problem is I want a REAL router/firewall with little work.

Run a smoothwall installation and replace your CentOS install.

http://www.smoothwall.org/

-Peter

On 31/12/2007, Matt Shields [EMAIL PROTECTED] wrote:
 On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote:
  Well FWbuilder is NOT easy.  The documentation does not match the
  current GUI.  Now the box is locked up.  I will have to pull it again,
  hook it up to a kybd/VGA and reset iptables
 
  Maybe Shoreline with webmin
 
  Problem is I want a REAL router/firewall with little work.  Both public
  and private nets have routable addresses.  No NATing for me!  I just
  help write the RFC ;)  And all the templates for fwbuilder want you to
  be using NATing.
 
  Perhaps I should just set up another Astaro firewall.  I have been using
  Astaro since v3, so I am comfortable with it
 

 If you've ever used a Checkpoint firewall, FWBuilder is exactly like
 that interface.  It even comes with a module that will let you modify
 Checkpoint firewalls.


 --
 -matt


Re: [CentOS] Firewall frustration

2007-12-31 Thread Robert Moskowitz

Matt Shields wrote:

On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote:
  

Well FWbuilder is NOT easy.  The documentation does not match the
current GUI.  Now the box is locked up.  I will have to pull it again,
hook it up to a kybd/VGA and reset iptables

Maybe Shoreline with webmin

Problem is I want a REAL router/firewall with little work.  Both public
and private nets have routable addresses.  No NATing for me!  I just
help write the RFC ;)  And all the templates for fwbuilder want you to
be using NATing.

Perhaps I should just set up another Astaro firewall.  I have been using
Astaro since v3, so I am comfortable with it




If you've ever used a Checkpoint firewall, FWBuilder is exactly like
that interface.  It even comes with a module that will let you modify
Checkpoint firewalls.
I noticed the later, also a PIX module. No I have not personally needed 
that costly of a firewall.


Full disclosure time. My day job is with ICSAlabs. My area is security 
protocols research (like setting up the initial IPsec certification 
criteria), but when I visit the labs there are all those firewall 
products up and running. So, yeah, I know Checkpoint. I talk with the 
gang over in the labs about 'simple' firewalls, but there are only 
certain things the boss funds here. So then I have to go cheap.





Re: [CentOS] Firewall frustration

2007-12-31 Thread Robert Moskowitz

Peter Farrell wrote:

Problem is I want a REAL router/firewall with little work.

Run a smoothwall installation and replace your CentOS install.

http://www.smoothwall.org/
  
well first challenge is my unit's USB ethernet dongles. Centos uses the 
RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 
8169...


So have to see what info I can get on their website. Astaro 6 cannot 
recognize the dongles either. Shorewall still looks like an option. I do 
have Centos (and DSL) on these units

-Peter

On 31/12/2007, Matt Shields [EMAIL PROTECTED] wrote:
  

On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote:


Well FWbuilder is NOT easy.  The documentation does not match the
current GUI.  Now the box is locked up.  I will have to pull it again,
hook it up to a kybd/VGA and reset iptables

Maybe Shoreline with webmin

Problem is I want a REAL router/firewall with little work.  Both public
and private nets have routable addresses.  No NATing for me!  I just
help write the RFC ;)  And all the templates for fwbuilder want you to
be using NATing.

Perhaps I should just set up another Astaro firewall.  I have been using
Astaro since v3, so I am comfortable with it

  

If you've ever used a Checkpoint firewall, FWBuilder is exactly like
that interface.  It even comes with a module that will let you modify
Checkpoint firewalls.


--
-matt


Re: [CentOS] Firewall frustration

2007-12-31 Thread Robert Slade

Robert Moskowitz wrote:

Peter Farrell wrote:

Problem is I want a REAL router/firewall with little work.

Run a smoothwall installation and replace your CentOS install.

http://www.smoothwall.org/
  
well first challenge is my unit's USB ethernet dongles. Centos uses 
the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 
8139, and 8169...


So have to see what info I can get on their website. Astaro 6 cannot 
recognize the dongles either. Shorewall still looks like an option. I 
do have Centos (and DSL) on these units

-Peter

On 31/12/2007, Matt Shields [EMAIL PROTECTED] wrote:
 

On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote:
   

Well FWbuilder is NOT easy.  The documentation does not match the
current GUI.  Now the box is locked up.  I will have to pull it again,
hook it up to a kybd/VGA and reset iptables

Maybe Shoreline with webmin

Problem is I want a REAL router/firewall with little work.  Both 
public

and private nets have routable addresses.  No NATing for me!  I just
help write the RFC ;)  And all the templates for fwbuilder want you to
be using NATing.

Perhaps I should just set up another Astaro firewall.  I have been 
using

Astaro since v3, so I am comfortable with it

  

If you've ever used a Checkpoint firewall, FWBuilder is exactly like
that interface.  It even comes with a module that will let you modify
Checkpoint firewalls.


--
-matt

There is also Ipcop - http://ipcop.org/

Rob


Re: [CentOS] Firewall frustration

2007-12-31 Thread William L. Maltby
On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:
 Peter Farrell wrote:
  Problem is I want a REAL router/firewall with little work.
 
  Run a smoothwall installation and replace your CentOS install.
 
  http://www.smoothwall.org/

 well first challenge is my unit's USB ethernet dongles. Centos uses the 
 RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 
 8169...

I've used this at home for years. I don't know if it's suitable, but it
seems *very* flexible. Allows for NAT or not, has typical zones,
reporting, IPTables modification support, ...

   http://www.ipcop.org/

Has run/tested successfully on various configurations here. It's another
ditch your CentOS solution though. But you can put it on any old junk
laying around and it'll probably work. Using cable modem in the boonies,
486DX/66 gives about 450KB/sec, Pentium 200MHz pci gives = 700MB/sec -
both from decent sites. Tested using both ISA and PCI bus adapters
through both twisted pair and thin coax.


 snip

HTH
-- 
Bill



RE: [CentOS] Firewall frustration

2007-12-31 Thread Dennis McLeod
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Robert Moskowitz
 Sent: Sunday, December 30, 2007 9:13 PM
 To: CentOS mailing list
 Subject: [CentOS] Firewall frustration
 
 Well FWbuilder is NOT easy.  The documentation does not match 
 the current GUI.  Now the box is locked up.  I will have to 
 pull it again, hook it up to a kybd/VGA and reset iptables
 
 Maybe Shoreline with webmin
 
 Problem is I want a REAL router/firewall with little work.  
 Both public and private nets have routable addresses.  No 
 NATing for me!  I just help write the RFC ;)  And all the 
 templates for fwbuilder want you to be using NATing.
 
 Perhaps I should just set up another Astaro firewall.  I have 
 been using Astaro since v3, so I am comfortable with it
 



I just turned off my Astaro Gateway, as it pissed me off by continually
throttling my 10M/10M FIOS connection.:^
I liked the integration of services in the box, and I likely would have kept
it for that one item.
I'll be looking at an IPCOP/Smoothwall/Monowall replacement.
I have an IPCOP box at work for our public access DSL connection. (Customers
kept surfing p*rn in the waiting area. Squidguard on IPcop fixed that..)
Uptime on that box (Compaq P2-733) is around 250 days right now. I had to
move the box, so it would be more like 400



Re: [CentOS] Firewall frustration

2007-12-31 Thread Robert Spangler
On Mon December 31 2007 07:58, Robert Moskowitz wrote:

  Full disclosure time. My day job is with ICSAlabs. My area is security
  protocols research (like setting up the initial IPsec certification
  criteria), but when I visit the labs there are all those firewall
  products up and running. So, yeah, I know Checkpoint. I talk with the
  gang over in the labs about 'simple' firewalls, but there are only
  certain things the boss funds here. So then I have to go cheap.

While IPTABLES might be CHEAP (price) it is a very good firewall.
Learn to set it up from the command line, it isn't that hard.
Try the following to learn it;

http://iptables.rlworkman.net/chunkyhtml/index.html

Forget those GUI interfaces.


-- 

Regards
Robert

Smile... it increases your face value!
Linux User #296285
http://counter.li.org


Re: [CentOS] Firewall frustration

2007-12-31 Thread John R Pierce

Robert Spangler wrote:

While IPTABLES might be CHEAP (price) it is a very good firewall.
Learn to set it up from the command line, it isn't that hard.
Try the following to learn it;

http://iptables.rlworkman.net/chunkyhtml/index.html

Forget those GUI interfaces.

  



one thing that bugs me about most canned iptables rulesets, including 
the ones generated by most of those GUI packages, is that they are way 
more complex than needed, it's like they are trying to reinvent the 
entire tcp stack.   e.g.: you really don't need to reject non-SYN packets 
on unopened connections, tcp will do that quite nicely on its own and 
far more efficiently than a pile of iptables rules.





Re: [CentOS] Firewall frustration

2007-12-31 Thread Robert Moskowitz

William L. Maltby wrote:

On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:
  

Peter Farrell wrote:


Problem is I want a REAL router/firewall with little work.

Run a smoothwall installation and replace your CentOS install.

http://www.smoothwall.org/
  
  
well first challenge is my unit's USB ethernet dongles. Centos uses the 
RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 8139, and 
8169...



I've used this at home for years. I don't know if it's suitable, but it
seems *very* flexible. Allows for NAT or not, has typical zones,
reporting, IPTables modification support, ...

   http://www.ipcop.org/

Has run/tested successfully on various configurations here. It's another
ditch your CentOS solution though. But you can put it on any old junk
laying around and it'll probably work. Using cable modem in the boonies,
486DX/66 gives about 450KB/sec, Pentium 200MHz pci gives = 700MB/sec -
both from decent sites. Tested using both ISA and PCI bus adapters
through both twisted pair and thin coax.
As I thought about things this morning, trying to put up smoothwall, I 
realized that one of my goals is to have a tool to turn a Centos system 
that I am using for foo, into a firewall for bar for a day.  I have 
Astaro for my serious firewall needs (see later post), but need 
something 'portable'.  You see I have these plans with some small itx 
systems





Re: [CentOS] Firewall frustration

2007-12-31 Thread Robert Moskowitz

Dennis McLeod wrote:

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Moskowitz

Sent: Sunday, December 30, 2007 9:13 PM
To: CentOS mailing list
Subject: [CentOS] Firewall frustration

Well FWbuilder is NOT easy.  The documentation does not match 
the current GUI.  Now the box is locked up.  I will have to 
pull it again, hook it up to a kybd/VGA and reset iptables


Maybe Shoreline with webmin

Problem is I want a REAL router/firewall with little work.  
Both public and private nets have routable addresses.  No 
NATing for me!  I just help write the RFC ;)  And all the 
templates for fwbuilder want you to be using NATing.


Perhaps I should just set up another Astaro firewall.  I have 
been using Astaro since v3, so I am comfortable with it







I just turned off my Astaro Gateway, as it pissed me off by continually
throttling my 10M/10M FIOS connection.:^
  
For all that it does, you would need it on a pretty hefty box of 10M. 
But then I have seen LAN-LAN  10M working here

I liked the integration of services in the box, and I likely would have kept
it for that one item.
I'll be looking at an IPCOP/Smoothwall/Monowall replacement.
I have an IPCOP box at work for our public access DSL connection. (Customers
kept surfing p*rn in the waiting area. Squidguard on IPcop fixed that..)
Uptime on that box (Compaq P2-733) is around 250 days right now. I had to
move the box, so it would be more like 400
I run Astaro on a Compaq SFF 1Ghz with 512Mb memory. It has a 4-port 
10/100 card as well as the internal ethernet. I use VLANing extensively, 
as I have ~12 LANs connected to the box. I have the public net on one 
port, then all the others are plugged into a HP 2650 48-port switch. I 
can move systems to the subnet I need for whatever testing or production 
I use. I ONLY use the firewall for packet filtering. No SPAM control, 
web proxying, etc





Re: [CentOS] Firewall frustration

2007-12-31 Thread Robert Moskowitz

Robert Spangler wrote:

On Mon December 31 2007 07:58, Robert Moskowitz wrote:

  

 Full disclosure time. My day job is with ICSAlabs. My area is security
 protocols research (like setting up the initial IPsec certification
 criteria), but when I visit the labs there are all those firewall
 products up and running. So, yeah, I know Checkpoint. I talk with the
 gang over in the labs about 'simple' firewalls, but there are only
 certain things the boss funds here. So then I have to go cheap.



While IPTABLES might be CHEAP (price) it is a very good firewall.
Learn to set it up from the command line, it isn't that hard.
Try the following to learn it;

http://iptables.rlworkman.net/chunkyhtml/index.html

Forget those GUI interfaces.

This might be best for my current needs...

thanks


Re: [CentOS] Firewall frustration

2007-12-31 Thread Matt Shields
On Dec 31, 2007 7:58 AM, Robert Moskowitz [EMAIL PROTECTED] wrote:

 Matt Shields wrote:
  On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote:
 
  Well FWbuilder is NOT easy.  The documentation does not match the
  current GUI.  Now the box is locked up.  I will have to pull it again,
  hook it up to a kybd/VGA and reset iptables
 
  Maybe Shoreline with webmin
 
  Problem is I want a REAL router/firewall with little work.  Both public
  and private nets have routable addresses.  No NATing for me!  I just
  help write the RFC ;)  And all the templates for fwbuilder want you to
  be using NATing.
 
  Perhaps I should just set up another Astaro firewall.  I have been using
  Astaro since v3, so I am comfortable with it
 
 
 
  If you've ever used a Checkpoint firewall, FWBuilder is exactly like
  that interface.  It even comes with a module that will let you modify
  Checkpoint firewalls.
 I noticed the latter, also a PIX module. No I have not personally needed
 that costly of a firewall.

 Full disclosure time. My day job is with ICSAlabs. My area is security
 protocols research (like setting up the initial IPsec certification
 criteria), but when I visit the labs there are all those firewall
 products up and running So, yeah, I know checkpoint. I talk with the
 gang over in the labs about 'simple' firewalls, but there are only
 certain things the boss funds here. So then I have to go cheap.


If you're running a single firewall, then maybe FWBuilder isn't for
you, although it will do what you want.  The real benefit of FWBuilder
is when you have more than one firewall in your network and you want
to use common objects to simplify maintaining rules.

For example, the company I work for has 4 datacenters, plus a number
of leased servers (like Rackspace).  At each of the datacenters we
have at least 1 pair of redundant firewalls.  On all our firewalls we
have common rules to allow traffic from every other datacenter/server
that we own.  So we define an object for each datacenter, the object
is a subnet.  Then we define a group called datacenters which includes
all the previous subnet objects.  Then when building a new firewall
we just include the same rule that says from datacenters allow all.

If we add a new datacenter or leased server, we add a new subnet
object and include it in the datacenter group.  We then just recompile
and redeploy each of the firewalls without having to add anything to
the firewalls, because they already have the datacenter rule.

When you maintain a large network you really see the benefit of
FWBuilder.  If you're running Windows there is a $50 license fee, but
for those people who are network admins but do not like Linux on the
desktop it's well worth the price for the Windows license.

-- 
-matt
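The object/group model Matt describes, as an added Python example (not FWBuilder's own code): subnet objects collected in a "datacenters" group and compiled into iptables commands, with a new site added and the rule recompiled. Object names and CIDRs are constructed samples; the compiler refuses an empty group (which would otherwise compile to a rule with no source match, i.e. "from anywhere") and overlapping members.

```python
# Added example (not FWBuilder's code): the object/group model described above,
# compiled into iptables commands. Names and CIDRs are constructed samples.
import ipaddress


class Subnet:
    """A subnet object: one routable network block, e.g. a datacenter."""

    def __init__(self, name, cidr):
        self.name = name
        # strict=True rejects host bits in a prefix ("10.1.2.3/16"), a typo
        # that would otherwise be widened to the whole /16
        self.net = ipaddress.ip_network(cidr, strict=True)

    def networks(self):
        return [self.net]


class Group:
    """A group object whose members are Subnets or other Groups."""

    def __init__(self, name):
        self.name = name
        self.members = []

    def add(self, member):
        # Refuse a member overlapping a network already in the group: usually a
        # typo, and it would quietly widen every rule that uses the group.
        for existing in self.networks():
            for new in member.networks():
                if existing.overlaps(new):
                    raise ValueError(f"{member.name} overlaps {existing}")
        self.members.append(member)

    def networks(self):
        seen = []
        for member in self.members:
            for net in member.networks():
                if net not in seen:  # dedupe across nested groups
                    seen.append(net)
        return seen


def compile_rule(src, action="ACCEPT", chain="FORWARD"):
    """Expand one 'from <object> <action>' rule into iptables commands."""
    nets = src.networks()
    if not nets:
        # An empty group would compile to a rule with no -s match, i.e.
        # "from anywhere"; fail the compile instead of deploying that.
        raise ValueError(f"object {src.name} matches nothing")
    return [f"iptables -A {chain} -s {net} -j {action}" for net in nets]


def build_policy():
    """The post's datacenter rule: compile, add a new site, recompile."""
    dcs = Group("datacenters")
    for name, cidr in [("dc-east", "10.10.0.0/16"), ("dc-west", "10.20.0.0/16"),
                       ("leased-1", "192.0.2.0/24")]:
        dcs.add(Subnet(name, cidr))
    before = compile_rule(dcs)
    dcs.add(Subnet("dc-new", "10.30.0.0/16"))  # one object edit per new site
    return dcs, before, compile_rule(dcs)  # then recompile, redeploy everywhere
```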


Re: [CentOS] Firewall frustration

2007-12-31 Thread Robert Moskowitz

Matt Shields wrote:

On Dec 31, 2007 7:58 AM, Robert Moskowitz [EMAIL PROTECTED] wrote:
  

Matt Shields wrote:


On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote:

  

Well FWbuilder is NOT easy.  The documentation does not match the
current GUI.  Now the box is locked up.  I will have to pull it again,
hook it up to a kybd/VGA and reset iptables

Maybe Shoreline with webmin

Problem is I want a REAL router/firewall with little work.  Both public
and private nets have routable addresses.  No NATing for me!  I just
help write the RFC ;)  And all the templates for fwbuilder want you to
be using NATing.

Perhaps I should just set up another Astaro firewall.  I have been using
Astaro since v3, so I am comfortable with it




If you've ever used a Checkpoint firewall, FWBuilder is exactly like
that interface.  It even comes with a module that will let you modify
Checkpoint firewalls.
  

I noticed the latter, also a PIX module. No I have not personally needed
that costly of a firewall.

Full disclosure time. My day job is with ICSAlabs. My area is security
protocols research (like setting up the initial IPsec certification
criteria), but when I visit the labs there are all those firewall
products up and running So, yeah, I know checkpoint. I talk with the
gang over in the labs about 'simple' firewalls, but there are only
certain things the boss funds here. So then I have to go cheap.




If you're running a single firewall, then maybe FWBuilder isn't for
you, although it will do what you want.  The real benefit of FWBuilder
is when you have more than one firewall in your network and you want
to use common objects to simplify maintaining rules.

For example, the company I work for has 4 datacenters, plus a number
of leased servers (like Rackspace).  At each of the datacenters we
have at least 1 pair of redundant firewalls.  On all our firewalls we
have common rules to allow traffic from every other datacenter/server
that we own.  So we define an object for each datacenter, the object
is a subnet.  Then we define a group called datacenters which includes
all the previous subnet objects.  Then when building a new firewall
we just include the same rule that says from datacenters allow all.

If we add a new datacenter or leased server, we add a new subnet
object and include it in the datacenter group.  We then just recompile
and redeploy each of the firewalls without having to add anything to
the firewalls, because they already have the datacenter rule.

When you maintain a large network you really see the benefit of
FWBuilder.  If you're running Windows there is a $50 license fee, but
for those people who are network admins but do not like Linux on the
desktop it's well worth the price for the Windows license.
I saw that about fwbuilder. Going to have to ask the crew back in the 
labs about it.


But, yes. I 'run' a research facility out of my house. I have to pay the 
electric bill, never convinced the boss to allow me to expense it; they 
have bought some of my equip and pay for part of the ISP cost. So as a 
lab, I have need for flexibility, not replicability. Also I might be at 
a conference and need to get something up running on one of the 
notebooks I travel with





Re: [CentOS] Firewall frustration

2007-12-31 Thread Les Bell

Robert Spangler [EMAIL PROTECTED] wrote:


While IPTABLES might be CHEAP (price) it is a very good firewall.
Learn to set it up from the command line, it isn't that hard.


Amen. I've been using CentOS for firewalls here for a long time now, with
hand-written rules. Besides, generic firewall configuration tools don't -
can't - know about many of the more advanced modules and features of
iptables.

Best,

--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909




Re: [CentOS] Firewall frustration

2007-12-31 Thread Mark Weaver

On Mon, 31 Dec 2007 12:21:34 -0500
Robert Moskowitz [EMAIL PROTECTED] wrote:

 William L. Maltby wrote:
  On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:

  Peter Farrell wrote:
  
  Problem is I want a REAL router/firewall with little work.
 
  Run a smoothwall installation and replace your CentOS install.
 
  http://www.smoothwall.org/


  well first challenge is my unit's USB ethernet dongles. Centos
  uses the RTL 8150 driver for them. Smoothwall only lists the RTL
  8129, 8139, and 8169...
  
 
  I've used this at home for years. I don't know if it's suitable,
  but it seems *very* flexible. Allows for NAT or not, has typical
  zones, reporting, IPTables modification support, ...
 
 http://www.ipcop.org/
 
  Has run/tested successfully on various configurations here. It's
  another ditch your CentOS solution though. But you can put it on
  any old junk laying around and it'll probably work. Using cable
  modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium
  200MHz pci gives = 700MB/sec - both from decent sites. Tested
  using both ISA and PCI bus adapters through both twisted pair and
  thin coax.
 As I thought about things this morning, trying to put up smoothwall,
 I realized that one of my goals is to have a tool to turn a Centos
 system that I am using for foo, into a firewall for bar for a day.  I
 have Astaro for my serious firewall needs (see later post), but need 
 something 'portable'.  You see I have these plans with some small itx 
 systems

have you considered linux that fits on a floppy disk?

http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/

http://www.linuxlinks.com/Distributions/Floppy/

http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions/Tiny/Floppy_Sized/

get one running and configured and save to floppy... things go south
reboot the machine and everything is back. no hard drives to worry
about...

-- 
Mark

Drunkenness is not an excuse for stupidity. If you're stupid when
you're sober then that's one thing, but if you're sober when you're
stupid, then you're just plain stupid!
== Powered by CentOS5
(RHEL5)


RE: [CentOS] Firewall frustration

2007-12-31 Thread Mark A. Lewis


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mark Weaver
Sent: Monday, December 31, 2007 8:09 PM
To: centos@centos.org
Subject: Re: [CentOS] Firewall frustration


On Mon, 31 Dec 2007 12:21:34 -0500
Robert Moskowitz [EMAIL PROTECTED] wrote:

 William L. Maltby wrote:
  On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:

  Peter Farrell wrote:
  
  Problem is I want a REAL router/firewall with little work.
 
  Run a smoothwall installation and replace your CentOS install.
 
  http://www.smoothwall.org/


  well first challenge is my unit's USB ethernet dongles. Centos uses

  the RTL 8150 driver for them. Smoothwall only lists the RTL 8129, 
  8139, and 8169...
  
 
  I've used this at home for years. I don't know if it's suitable, but

  it seems *very* flexible. Allows for NAT or not, has typical zones, 
  reporting, IPTables modification support, ...
 
 http://www.ipcop.org/
 
  Has run/tested successfully on various configurations here. It's 
  another ditch your CentOS solution though. But you can put it on 
  any old junk laying around and it'll probably work. Using cable 
  modem in the boonies, 486DX/66 gives about 450KB/sec, Pentium 200MHz

  pci gives = 700MB/sec - both from decent sites. Tested using both 
  ISA and PCI bus adapters through both twisted pair and thin coax.
 As I thought about things this morning, trying to put up smoothwall, I

 realized that one of my goals is to have a tool to turn a Centos 
 system that I am using for foo, into a firewall for bar for a day.  I 
 have Astaro for my serious firewall needs (see later post), but need 
 something 'portable'.  You see I have these plans with some small itx 
 systems

have you considered linux that fits on a floppy disk?

http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/

http://www.linuxlinks.com/Distributions/Floppy/

http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions/Tiny/Floppy_Sized/

get one running and configured and save to floppy... things go south
reboot the machine and everything is back. no hard drives to worry
about...

--
Mark

Drunkenness is not an excuse for stupidity. If you're stupid when
you're sober then that's one thing, but if you're sober when you're
stupid, then you're just plain stupid!
== Powered by CentOS5
(RHEL5)


I have this vision of a live CD that would come up and pull down its
config via SCP or HTTPS and run. Or maybe a PGP encrypted file over
TFTP. No writable media in the machine at all, no access to write to the
configs, just a dumb device that knows where to get its config. Any
compromise could be fixed with just a reboot, the config could even be
reloaded at some interval automatically, off machine logging, perhaps
even without an interface. You could more than likely go one step
further and use PXE to load everything over NFS or something, then you
are at no moving parts. Unfortunately, I have the ideas but not the
knowledge or time. In my opinion, this would be the ultimate evolution
of things like IP Cop and Smoothwall.

I want to say that monowall had this on the roadmap, but I haven't
looked lately. Appears someone has done some work on it:
http://people.freebsd.org/~nik/m0n0wall/pxe+nfs/article.html


Re: [CentOS] Firewall frustration

2007-12-31 Thread Mark Weaver

On Mon, 31 Dec 2007 21:36:09 -0500
Mark A. Lewis [EMAIL PROTECTED] wrote:

 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf Of Mark Weaver
 Sent: Monday, December 31, 2007 8:09 PM
 To: centos@centos.org
 Subject: Re: [CentOS] Firewall frustration
 
 
 On Mon, 31 Dec 2007 12:21:34 -0500
 Robert Moskowitz [EMAIL PROTECTED] wrote:
 
  William L. Maltby wrote:
   On Mon, 2007-12-31 at 09:33 -0500, Robert Moskowitz wrote:
 
   Peter Farrell wrote:
   
   Problem is I want a REAL router/firewall with little work.
  
   Run a smoothwall installation and replace your CentOS install.
  
   http://www.smoothwall.org/
 
 
   well first challenge is my unit's USB ethernet dongles. Centos
   uses
 
   the RTL 8150 driver for them. Smoothwall only lists the RTL
   8129, 8139, and 8169...
   
  
   I've used this at home for years. I don't know if it's suitable,
   but
 
   it seems *very* flexible. Allows for NAT or not, has typical
   zones, reporting, IPTables modification support, ...
  
  http://www.ipcop.org/
  
   Has run/tested successfully on various configurations here. It's 
   another ditch your CentOS solution though. But you can put it
   on any old junk laying around and it'll probably work. Using
   cable modem in the boonies, 486DX/66 gives about 450KB/sec,
   Pentium 200MHz
 
   pci gives = 700MB/sec - both from decent sites. Tested using
   both ISA and PCI bus adapters through both twisted pair and thin
   coax.
  As I thought about things this morning, trying to put up
  smoothwall, I
 
  realized that one of my goals is to have a tool to turn a Centos 
  system that I am using for foo, into a firewall for bar for a day.
  I have Astaro for my serious firewall needs (see later post), but
  need something 'portable'.  You see I have these plans with some
  small itx systems
 
 have you considered linux that fits on a floppy disk?
 
 http://mypage.uniserve.ca/~thelinuxguy/small_and_floppy_linux/
 
 http://www.linuxlinks.com/Distributions/Floppy/
 
 http://www.dmoz.org/Computers/Software/Operating_Systems/Linux/Distributions/Tiny/Floppy_Sized/
 
 get one running and configured and save to floppy... things go south
 reboot the machine and everything is back. no hard drives to worry
 about...
 
 --
 Mark
 
 Drunkenness is not an excuse for stupidity. If you're stupid when
 you're sober then that's one thing, but if you're sober when you're
 stupid, then you're just plain stupid!
 == Powered by CentOS5
 (RHEL5)
 
 
 I have this vision of a live CD that would come up and pull down its
 config via SCP or HTTPS and run. Or maybe a PGP encrypted file over
 TFTP. No writable media in the machine at all, no access to write to
 the configs, just a dumb device that knows where to get its config.
 Any compromise could be fixed with just a reboot, the config could
 even be reloaded at some interval automatically, off machine logging,
 perhaps even without an interface. You could more than likely go one
 step further and use PXE to load everything over NFS or something,
 then you are at no moving parts. Unfortunately, I have the ideas but
 not the knowledge or time. In my opinion, this would be the ultimate
 evolution of things like IP Cop and Smoothwall.
 
 I want to say that monowall had this on the roadmap, but I haven't
 looked lately. Appears someone has done some work on it:
 http://people.freebsd.org/~nik/m0n0wall/pxe+nfs/article.html

I seem to remember there being distro ISO tools out there that allow
one to roll their own distro, but for the life of me can't remember
what it's called.

Anyway, if you're feeling ambitious you could load an OS, season to
taste and then create your OS using the Live CD technology that's out
there. 

-- 
Mark

Drunkenness is not an excuse for stupidity. If you're stupid when
you're sober then that's one thing, but if you're sober when you're
stupid, then you're just plain stupid!
== Powered by CentOS5
(RHEL5)


[CentOS] Firewall frustration

2007-12-30 Thread Robert Moskowitz
Well FWbuilder is NOT easy.  The documentation does not match the 
current GUI.  Now the box is locked up.  I will have to pull it again, 
hook it up to a kybd/VGA and reset iptables


Maybe Shoreline with webmin

Problem is I want a REAL router/firewall with little work.  Both public 
and private nets have routable addresses.  No NATing for me!  I just 
help write the RFC ;)  And all the templates for fwbuilder want you to 
be using NATing.


Perhaps I should just set up another Astaro firewall.  I have been using 
Astaro since v3, so I am comfortable with it





Re: [CentOS] Firewall frustration

2007-12-30 Thread centos
On Mon, 31 Dec 2007 00:13:22 -0500
Robert Moskowitz [EMAIL PROTECTED] wrote:

 Well FWbuilder is NOT easy.  The documentation does not match

Take a look at FireStarter: http://www.fs-security.com/

It's very easy to set up and use. It's only a front-end for iptables.
But watch out, it has its limitations in the scenarios that it
can handle.

On the other hand, you can use it to generate the iptables rules
and then just use it in text mode only.


-- 
Thanks
http://www.911networks.com
When the network has to work


Re: [CentOS] Firewall frustration

2007-12-30 Thread Matt Shields
On Dec 31, 2007 12:13 AM, Robert Moskowitz [EMAIL PROTECTED] wrote:
 Well FWbuilder is NOT easy.  The documentation does not match the
 current GUI.  Now the box is locked up.  I will have to pull it again,
 hook it up to a kybd/VGA and reset iptables

 Maybe Shoreline with webmin

 Problem is I want a REAL router/firewall with little work.  Both public
 and private nets have routable addresses.  No NATing for me!  I just
 help write the RFC ;)  And all the templates for fwbuilder want you to
 be using NATing.

 Perhaps I should just set up another Astaro firewall.  I have been using
 Astaro since v3, so I am comfortable with it


If you've ever used a Checkpoint firewall, FWBuilder is exactly like
that interface.  It even comes with a module that will let you modify
Checkpoint firewalls.


-- 
-matt