[CentOS] Re: Firewall frustration
on 1/2/2008 8:34 PM Robert Moskowitz spake the following:
> Christopher Chan wrote:
>>> I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything.
>>
>> Eh? You just need to enable ip forwarding to enable routing. After that, it is put up the firewall rules as is necessary, build the appropriate routing tables on the firewall box and the boxes on the intranet(s). iptables does not handle routing.
>
> No, but iptables controls what is allowed to route, or so it seems when you read the tutorials on iptables.
>
> I know about routing; Comer taught me, and I reviewed Stevens' book. I know about firewalls; Bellovin and I go back quite a ways. But configuring software to do what **I** want, well, that is where the car hits the brick wall. As Bellovin would say, "Here be Dragons."
>
> Those little words, "put up the firewall rules as necessary", are equivalent to "and magic happens here." I tried it. I had everything open. Then I blocked everything. Then I set up a rule to allow SSH in to eth0 and out eth1 (and the other way). At least I thought that was what the rules said, but no SSH connectivity through the firewall. That was when I realized that I had not found the necessary incantation, and I had already shot most of Tuesday.
>
> Up and running. I can understand what Shorewall rules are saying. And I can see the results.

Just don't let the magic smoke out of the box, and you will be fine!

Learning to speak netfilter is not as difficult as, say, Perl or PHP, but it is another thing to add to the plate, and it seems to always be next on the list. Unless you are going to do this regularly, your solution works just as well.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
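The routed, no-NAT setup Christopher Chan sketches above (turn on forwarding, then write the rules) as an added shell example that makes the "put up the firewall rules" step concrete; this is not code from the thread. It assumes eth0 faces the public network, eth1 the private one, and SSH on port 22 as the only service routed through the box; the script's first argument selects previewing the commands or applying them.

```shell
#!/bin/sh
# Added example (not from the thread): a routing-only netfilter policy with no
# NAT, for a box forwarding between eth0 (public side) and eth1 (private side)
# where both networks carry routable addresses. Interface names and the choice
# of SSH (port 22) as the only routed service are assumptions.
# $1 is a command prefix: "echo" previews the commands, empty applies them.

routing_firewall_rules() {
    RUN="${1:-}"
    PUB=eth0
    PRIV=eth1

    # Routing is a kernel switch, not an iptables rule. Until it is on,
    # no packet ever reaches the FORWARD chain.
    $RUN sysctl -w net.ipv4.ip_forward=1

    # Start from a clean filter table with default deny on INPUT and
    # FORWARD. The nat table is never touched.
    $RUN iptables -F
    $RUN iptables -X
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT ACCEPT

    # INPUT governs packets addressed to the firewall itself: loopback,
    # replies to its own connections, and SSH management from the private
    # side only.
    $RUN iptables -A INPUT -i lo -j ACCEPT
    $RUN iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A INPUT -i "$PRIV" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # FORWARD governs routed packets, which never traverse INPUT or OUTPUT.
    # The first rule is the one most often missing: reply segments of an SSH
    # session carry source port 22 and an ephemeral destination port, so a
    # reverse-direction rule on --dport 22 never matches them. Connection
    # tracking admits them instead, and the per-direction rules then only
    # need to permit the first packet (NEW) of each session.
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -i "$PUB" -o "$PRIV" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $RUN iptables -A FORWARD -i "$PRIV" -o "$PUB" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Log what the policy drops, rate limited, so a failed session shows up
    # in the kernel log instead of silently timing out.
    $RUN iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    $RUN iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
}

# ./routing-fw.sh preview   prints the commands
# ./routing-fw.sh apply     runs them (as root)
case "${1:-}" in
    preview) routing_firewall_rules echo ;;
    apply)   routing_firewall_rules ;;
esac
```

On CentOS 5 the applied rules are lost at reboot until saved with `service iptables save`; the iptables "service" discussed later in the thread is only the boot-time restore of that saved file, not a daemon.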
Re: [CentOS] Re: Firewall frustration
Ugo Bellavance wrote:
> Mark Weaver wrote:
>> On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote:
>>> Have you ever thought about how rare floppy drives are now? At best you go with a bootable USB, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from USB. My corp notebook (nc2400) is locked down, and I don't see any value in getting corp IT bent out of shape.
>>
>> Why would you even think about using a notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
>
> I guess he wants it to be portable. He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices. I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.

Old laptops make pretty good firewalls, I think. They take little space, have a built-in battery backup and built-in keyboard/monitor to use when you are visiting the datacenter. I have repurposed a couple of older laptops for these reasons since the machine doesn't need to be very fast to accomplish the mission. A lot of 3-4 year old laptops cave in under the weight of Windows, but are really overkill for a simple Unix firewall. Better than sending them to the dustbin.

Best,
Re: [CentOS] Re: Firewall frustration
On Tue, 01 Jan 2008 10:32:14 -0500 Ugo Bellavance [EMAIL PROTECTED] wrote:
> I guess he wants it to be portable. He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices. I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.
>
> Ugo

Well... if he built a live CD, that would essentially be a portable firewall. Just boot the CD in whatever machine you've got it configured for and off you go.

--
Mark

Drunkenness is not an excuse for stupidity. If you're stupid when you're sober then that's one thing, but if you're sober when you're stupid, then you're just plain stupid!
==
Powered by CentOS5 (RHEL5)
Re: [CentOS] Re: Firewall frustration
On Tue, 01 Jan 2008 10:59:17 -0500 Chris Mauritz [EMAIL PROTECTED] wrote:
> Old laptops make pretty good firewalls, I think. They take little space, have a built-in battery backup and built-in keyboard/monitor to use when you are visiting the datacenter. I have repurposed a couple of older laptops for these reasons since the machine doesn't need to be very fast to accomplish the mission. A lot of 3-4 year old laptops cave in under the weight of Windows, but are really overkill for a simple Unix firewall. Better than sending them to the dustbin.
>
> Best,

true...

--
Mark

Drunkenness is not an excuse for stupidity. If you're stupid when you're sober then that's one thing, but if you're sober when you're stupid, then you're just plain stupid!
==
Powered by CentOS5 (RHEL5)
Re: [CentOS] Re: Firewall frustration
Chris Mauritz wrote:
> Ugo Bellavance wrote:
>> Mark Weaver wrote:
>>> On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote:
>>>> Have you ever thought about how rare floppy drives are now? At best you go with a bootable USB, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from USB. My corp notebook (nc2400) is locked down, and I don't see any value in getting corp IT bent out of shape.
>>>
>>> Why would you even think about using a notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
>>
>> I guess he wants it to be portable. He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices. I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.
>
> Old laptops make pretty good firewalls, I think. They take little space, have a built-in battery backup and built-in keyboard/monitor to use when you are visiting the datacenter. I have repurposed a couple of older laptops for these reasons since the machine doesn't need to be very fast to accomplish the mission. A lot of 3-4 year old laptops cave in under the weight of Windows, but are really overkill for a simple Unix firewall. Better than sending them to the dustbin.

hmmm ... I would think that they do not handle heat very well though. Maybe they do, and certainly it is better than throwing them away, I guess.
Re: [CentOS] Re: Firewall frustration
Ugo Bellavance wrote:
> Mark Weaver wrote:
>> On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote:
>>> Have you ever thought about how rare floppy drives are now? At best you go with a bootable USB, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from USB. My corp notebook (nc2400) is locked down, and I don't see any value in getting corp IT bent out of shape.
>>
>> Why would you even think about using a notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
>
> I guess he wants it to be portable. He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices. I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.

I have enough gear to get through TSA. My next trip will have me carrying 3 laptops (granted 2 are 12 and one 7) and one microITX box. Plus a bunch of USB gizmos, my Bose 2 headphones, etc. And I do carry-on, so space is at a premium. The boxes here in the lab are not portable, but the learning has to be.
Re: [CentOS] Re: Firewall frustration
Chris Mauritz wrote:
> Ugo Bellavance wrote:
>> Mark Weaver wrote:
>>> On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote:
>>>> Have you ever thought about how rare floppy drives are now? At best you go with a bootable USB, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from USB. My corp notebook (nc2400) is locked down, and I don't see any value in getting corp IT bent out of shape.
>>>
>>> Why would you even think about using a notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
>>
>> I guess he wants it to be portable. He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices. I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.
>
> Old laptops make pretty good firewalls, I think. They take little space, have a built-in battery backup and built-in keyboard/monitor to use when you are visiting the datacenter. I have repurposed a couple of older laptops for these reasons since the machine doesn't need to be very fast to accomplish the mission. A lot of 3-4 year old laptops cave in under the weight of Windows, but are really overkill for a simple Unix firewall. Better than sending them to the dustbin.

I have a Dell notebook that functions as my backup Win2000 family finance system. Next project is to see if I can reuse that old Toshiba 4000cdt box ;)
Re: [CentOS] Re: Firewall frustration
Mark Weaver wrote:
> On Tue, 01 Jan 2008 10:32:14 -0500 Ugo Bellavance [EMAIL PROTECTED] wrote:
>> I guess he wants it to be portable. He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices. I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.
>>
>> Ugo
>
> Well... if he built a live CD, that would essentially be a portable firewall. Just boot the CD in whatever machine you've got it configured for and off you go.

Bad assumption about an available CD. But bootable USB is an option, and they are cheap enough (check out ecost countdowns), and hold more than a CD. That will be coming next: CentOS on a USB drive. DSL on USB is supposedly 'easy'.
Re: [CentOS] Re: Firewall frustration
--- Johnny Hughes [EMAIL PROTECTED] wrote:
> Chris Mauritz wrote:
>> Ugo Bellavance wrote:
>>> Mark Weaver wrote:
>>>> On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote:
>>>>> Have you ever thought about how rare floppy drives are now? At best you go with a bootable USB, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from USB. My corp notebook (nc2400) is locked down, and I don't see any value in getting corp IT bent out of shape.
>>>>
>>>> Why would you even think about using a notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
>>>
>>> I guess he wants it to be portable. He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices. I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.
>>
>> Old laptops make pretty good firewalls, I think. They take little space, have a built-in battery backup and built-in keyboard/monitor to use when you are visiting the datacenter. I have repurposed a couple of older laptops for these reasons since the machine doesn't need to be very fast to accomplish the mission. A lot of 3-4 year old laptops cave in under the weight of Windows, but are really overkill for a simple Unix firewall. Better than sending them to the dustbin.
>
> hmmm ... I would think that they do not handle heat very well though. Maybe they do, and certainly it is better than throwing them away, I guess.

The bad thing is, if you always keep the laptop plugged in, the battery will be useless and will not hold a charge. That is what happened with one of my laptops.
[CentOS] Re: Firewall frustration
Robert Moskowitz wrote:
> Firewall is up and running. Used Shorewall with Webmin.
>
> Les Bell wrote:
>> Robert Spangler [EMAIL PROTECTED] wrote:
>>> While IPTABLES might be CHEAP (price) it is a very good firewall. Learn to set it up from the command line, it isn't that hard.
>>
>> Amen. I've been using CentOS for firewalls here for a long time now, with hand-written rules. Besides, generic firewall configuration tools don't - can't - know about many of the more advanced modules and features of iptables.
>
> I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything. So I decided to try out Shorewall, which has a front end in Webmin. The 'nice' thing about this was that as I built a portion of Shorewall (say the zones), I could use the Webmin 'edit the conf file directly' to see the 'raw' config file and, looky there, a URL for a help page! Taking it slow, I got Shorewall up in about 1 hour.
>
> But I have questions for the Shorewall people. They talk about iptables, then netfilter. The site says that Shorewall is not a daemon. Well, I see a Shorewall service running. Can't see that it is using any CPU cycles or how much memory. The iptables have the same content they had when I used the upstream's tool at CentOS install time to set up basic 'firewall' features. So what gives?

There is also an iptables 'service'; that doesn't mean there is a daemon. It is a simple way to start the firewall at boot time.

Have you checked the m0n0wall/pfSense livecd?
Re: [CentOS] Re: Firewall frustration
--- Steven Vishoot [EMAIL PROTECTED] wrote:
> --- Johnny Hughes [EMAIL PROTECTED] wrote:
>> Chris Mauritz wrote:
>>> Ugo Bellavance wrote:
>>>> Mark Weaver wrote:
>>>>> On Tue, 1 Jan 2008 08:57:22 -0500 Robert Moskowitz [EMAIL PROTECTED] wrote:
>>>>>> Have you ever thought about how rare floppy drives are now? At best you go with a bootable USB, if your notebook supports bootable USB. My Libretto does have a bootable floppy, but that is something extra to carry. It will not boot from anything else (besides its HD). My nc4010 (this notebook) will boot from USB. My corp notebook (nc2400) is locked down, and I don't see any value in getting corp IT bent out of shape.
>>>>>
>>>>> Why would you even think about using a notebook computer as a firewall? I was assuming you were going to delegate this task to an older machine with sufficient resources to handle the task and not give the task to a notebook computer.
>>>>
>>>> I guess he wants it to be portable. He seems to know his requirements a lot better than we do. It looks like he wants an easy firewall that would boot from HD only, cost nothing, and run with USB ethernet devices. I really think he should carry an embedded firewall (like a Soekris or a WRAP) with pfSense on it.
>>>
>>> Old laptops make pretty good firewalls, I think. They take little space, have a built-in battery backup and built-in keyboard/monitor to use when you are visiting the datacenter. I have repurposed a couple of older laptops for these reasons since the machine doesn't need to be very fast to accomplish the mission. A lot of 3-4 year old laptops cave in under the weight of Windows, but are really overkill for a simple Unix firewall. Better than sending them to the dustbin.
>>
>> hmmm ... I would think that they do not handle heat very well though. Maybe they do, and certainly it is better than throwing them away, I guess.
>
> The bad thing is, if you always keep the laptop plugged in, the battery will be useless and will not hold a charge. That is what happened with one of my laptops.

You can always take the battery out and keep it plugged in. Runs cooler, too.
[CentOS] Re: Firewall frustration
On Mon, 31 Dec 2007, Robert Moskowitz wrote:
> Well FWbuilder is NOT easy.

I disagree, but to each his own.

> The documentation does not match the current GUI.

I have not looked at the docs lately, but Vadim used to be pretty good at keeping the docs updated. There is also a mailing list you can subscribe to. As long as you ask intelligent questions you will usually get good answers.

> Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables

To prevent that in the future, set the management IP address on the firewall object. That way fwbuilder will always allow ssh access from that machine no matter how badly you hose the rules. Keep in mind that any of the firewall management systems mentioned can/will also lock you out if misconfigured.

> Maybe Shoreline with webmin
>
> Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just helped write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
>
> Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it

Why reinvent the wheel? Use what you are comfortable with. For me that is fwbuilder, but for you that sounds like it is Astaro.

Regards,

--
Tom Diehl [EMAIL PROTECTED]
Spamtrap address [EMAIL PROTECTED]