Re: selecting old machines for firewall/router use

2011-02-23 Thread Andrew McGlashan

Hi,

Paul Fraser wrote:
On Tue, Feb 22, 2011 at 10:41, Nate Bargmann n...@n0nb.us wrote:


Not only that but as we move to IPv6 there is no such thing as NAT.


Oh, how I wish that were true... The IPv6 spec includes NAT.


Well, NAT does have its advantages, one being that it can act as a 
reasonably good barrier as a NATural firewall.  Sure, it's not perfect, 
but if you have every device with IPv6 (or v4 for that matter) being 
addressable from any location, then personal firewalls will become much 
more important.


An unpatched machine [for whatever reason], behind NAT has a fighting 
chance, but one which is directly addressable from the Internet is much 
more vulnerable to attack.


--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/4d6500bd.7000...@affinityvision.com.au



Re: selecting old machines for firewall/router use

2011-02-23 Thread Sven Hoexter
On Wed, Feb 23, 2011 at 11:42:37PM +1100, Andrew McGlashan wrote:

 Well, NAT does have its advantages, one being that it can act
 as a reasonably good barrier as a NATural firewall.  Sure, it's not
 perfect, but if you have every device with IPv6 (or v4 for that
 matter) being addressable from any location, then personal firewalls
 will become much more important.

Fix the border gateway. It's a strange myth that suddenly with IPv6
all the security falls down. I'd recommend [1] for a good overview of
the NAT and security implications, and for this case here section 4.2.

Since most of these routers used at home need at least a firmware update
there's the chance to roll out some stateful firewall for IPv6 as a default.
I see some opportunity here to get back to kind of a 'real' internet.

On the other hand a lot of these devices seem to be Linux based nowadays,
Linux 2.4.x that is, so I guess only the diverse hardware it's running on
holds back mass exploitation. :-/

Sven

[1] http://tools.ietf.org/html/draft-ietf-v6ops-nap-06
-- 
And I don't know much, but I do know this:
With a golden heart comes a rebel fist.
 [ Streetlight Manifesto - Here's To Life ]


Archive: http://lists.debian.org/20110223130936.GC2058@marvin



Re: selecting old machines for firewall/router use

2011-02-23 Thread Pascal Hambourg
Andrew McGlashan a écrit :
 
 Well, NAT does have its advantages, one being that it can act as a 
 reasonably good barrier as a NATural firewall.

This is a common misconception. I cannot tell about other NATs, but
Netfilter NAT is not a barrier at all.

 but if you have every device with IPv6 (or v4 for that matter) being 
 addressable from any location,

NAT does not prevent this. Private (for IPv4) or unique local (for IPv6)
addressing prevents it.

 then personal firewalls will become much more important.
 
 An unpatched machine [for whatever reason], behind NAT has a fighting 
 chance, but one which is directly addressable from the Internet is much 
 more vulnerable to attack.

This is not correct. A stateful packet filter replacing the NAT at the
border will just do the job.


Archive: http://lists.debian.org/4d650856.6010...@plouf.fr.eu.org



Re: selecting old machines for firewall/router use

2011-02-23 Thread Andrew McGlashan

Hi,

Pascal Hambourg wrote:

Andrew McGlashan a écrit :
Well, NAT does have its advantages, one being that it can act as a 
reasonably good barrier as a NATural firewall.


This is a common misconception. I cannot tell about other NATs, but
Netfilter NAT is not a barrier at all.


It's a good start with private addressing as alluded to below.

but if you have every device with IPv6 (or v4 for that matter) being 
addressable from any location,


NAT does not prevent this. Private (for IPv4) or unique local (for IPv6)
addressing prevents it.


Yes, this is what you typically have with NAT, private addresses that 
are not Internet routeable.



then personal firewalls will become much more important.

An unpatched machine [for whatever reason], behind NAT has a fighting 
chance, but one which is directly addressable from the Internet is much 
more vulnerable to attack.


This is not correct. A stateful packet filter replacing the NAT at the
border will just do the job.


Of course, most [if not all?] NAT implementations also have an SPI 
[stateful packet inspection] feature, and many routers have the 
ability to add firewall rules with port forwarding as required on top of 
the NAT / SPI setup.



And from the further reading referenced in the other response [1],
I highlight an excellent point here:

   It must be noted that even a firewall doesn't fully secure
   a network. Many attacks come from inside or are at a layer
   higher than the firewall can protect against. In the final
   analysis, every system has to be responsible for its own
   security, and every process running on a system has to be
   robust in the face of challenges like stack overflows etc.
   What a firewall does is prevent a network administration
   from having to carry unauthorized
   traffic, and in so doing reduce the probability of certain
   kinds of attacks across the protected boundary.

Particularly "every machine has to be responsible ...": well, that 
illustrates quite well that a firewall and port forwarding alone are not 
enough for security when servicing ports.  But again, it is a good 
start.  Sure, any services provided must be kept as secure as possible 
and admins need to keep an eye out for security advisories for such 
services.


Very glad to see that NAT might not be needed in the whole scheme of 
things. However, I take it that return conversation needs to know the 
public IPv6 address and also encapsulate the private address -- thus 
exposing the private ULA range?  With NAT, the actual, in use private 
range is not necessarily divulged, is it?



[1] http://tools.ietf.org/html/draft-ietf-v6ops-nap-06#section-4.1

--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP



Archive: http://lists.debian.org/4d651a54.4080...@affinityvision.com.au



Re: selecting old machines for firewall/router use

2011-02-23 Thread Andrew McGlashan

Andrew McGlashan wrote:

And from the further reading referenced in the other response [1]


I see a problem with the following:

   At the same time, this tracking is per address.  In environments
   where the goal is tracking back to the user, additional external
   information will be necessary correlating a user with an address.  In
   the case of short lifetime privacy address usage, this external
   information will need to be based on more stable information such as
   the layer 2 media address.

If "layer 2 media address" means MAC, then these are easily spoofed, 
which might present a problem with the short lifetime privacy address usage.



[1] http://tools.ietf.org/html/draft-ietf-v6ops-nap-06#section-4.1



--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP



Archive: http://lists.debian.org/4d651c6c.5080...@affinityvision.com.au



Re: selecting old machines for firewall/router use

2011-02-23 Thread Steven Ayre
On 22 February 2011 00:45, Stan Hoeppner s...@hardwarefreak.com wrote:

 shawn wilson put forth on 2/21/2011 6:05 PM:
  On Mon, Feb 21, 2011 at 6:45 PM, Stan Hoeppner s...@hardwarefreak.com
 wrote:
 
  Pascal Hambourg put forth on 2/21/2011 3:51 PM:
  Stan Hoeppner a écrit :
 
  You only need one
  NIC in your firewall box when using a switch.  You simply plug
  everything into the switch including the DSL modem and the Netgear.
  Bind both the public and private IP addresses to the same NIC in the
  firewall using a virtual NIC: i.e. eth0 and eth0:1.
 
  This is a wrong idea because the firewall can be by-passed, leaving a
  hole in the LAN security.
 
  Would you mind explaining why you believe this?

  well, if you fill up a switch's arp cache, it starts acting like a hub.
 at
  that point data goes everywhere.


Anything to a MAC in the cache will go to the right place, anything not in
the cache is broadcast.

If the cache is full, since nothing new can be added to the cache a MAC's
location can't be added and any data sent to that MAC will continue to be
broadcast on all ports.

Since cache entries also expire, if an entry isn't refreshed in time it'll
get removed from the cache. If the cache fills back up before that MAC's
location gets re-added then data sent to that MAC will also start to be
broadcast.

It'd need a large number of ARP packets (an attack) to manage to fill the
cache up though... whether that data can get onto the network in the first
place is another matter.


 Would you mind pointing the list to the document that verifies your claim?

  supposedly, there is also a way to 'pivot' past a nat device - i haven't
  looked into this, so i can't speak to this much...

 Again, would you mind pointing us to a document that verifies this?

 I ask because neither are true, and I'd like to see the source of your
 misinformation.

 --
 Stan


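Steven's description of the switch's forwarding table (the post calls it the ARP cache; a switch actually keeps a MAC-to-port table) as an added example, not code from the thread or from any of its authors: a toy learning switch in Python with a bounded table and entry ageing, run over a constructed sequence of frames, followed by the kind of check a port-security feature performs, flagging a port that sources more distinct MAC addresses in a short window than a single attached host plausibly would. Port names, MAC labels, the table capacity, the age limit and the frames are all constructed for the example; the class and function names are mine.

```python
"""Toy learning switch with a bounded, ageing MAC table, plus a
port-security style check.  Added illustration only: every name,
size and frame below is constructed, not taken from a real switch."""
from typing import Dict, List, Set, Tuple

Frame = Tuple[int, str, str, str]   # (time, ingress port, src MAC, dst MAC)


class LearningSwitch:
    def __init__(self, ports: List[str], capacity: int, age_limit: int) -> None:
        self.ports = ports
        self.capacity = capacity      # how many MAC -> port entries fit
        self.age_limit = age_limit    # seconds before an unrefreshed entry expires
        self.table: Dict[str, Tuple[str, int]] = {}   # mac -> (port, last_seen)

    def _expire(self, now: int) -> None:
        for mac, (_port, seen) in list(self.table.items()):
            if now - seen > self.age_limit:
                del self.table[mac]

    def _learn(self, mac: str, port: str, now: int) -> None:
        # A known MAC is refreshed; a new MAC is added only while there is
        # room.  Once the table is full, later hosts stay unknown and frames
        # addressed to them keep being flooded out of every port.
        if mac in self.table or len(self.table) < self.capacity:
            self.table[mac] = (port, now)

    def forward(self, now: int, in_port: str, src: str, dst: str) -> List[str]:
        """Return the egress ports chosen for one frame."""
        self._expire(now)
        self._learn(src, in_port, now)
        entry = self.table.get(dst)
        if entry is None:
            # unknown destination: flood out of every port except the ingress
            return [p for p in self.ports if p != in_port]
        return [entry[0]]

    def table_size(self) -> int:
        return len(self.table)


def flag_noisy_ports(frames: List[Frame], window: int, limit: int) -> Set[str]:
    """Port-security style check: a port sourcing more than `limit` distinct
    MAC addresses within `window` seconds is flagged.  One host behind an
    access port should never look like that."""
    seen: Dict[str, Dict[str, int]] = {}
    flagged: Set[str] = set()
    for t, port, src, _dst in frames:
        macs = seen.setdefault(port, {})
        macs[src] = t
        for mac, last in list(macs.items()):
            if t - last > window:
                del macs[mac]
        if len(macs) > limit:
            flagged.add(port)
    return flagged


# Constructed frame sequence: two normal hosts A (p1) and B (p2), a burst of
# unfamiliar source MACs on p4, a late host C on p3, then a long quiet gap.
SCENARIO: List[Frame] = [
    (0, "p1", "A", "B"),    # B unknown -> flooded
    (1, "p2", "B", "A"),    # A known -> p1 only
    (2, "p1", "A", "B"),    # B known -> p2 only
    (3, "p4", "X1", "B"),   # table fills up: A, B, X1, X2
    (3, "p4", "X2", "B"),
    (3, "p4", "X3", "B"),   # no room left, X3 is not learned
    (4, "p3", "C", "A"),    # C cannot be learned either
    (5, "p1", "A", "C"),    # C still unknown -> flooded, as the post describes
    (20, "p2", "B", "A"),   # everything aged out; A unknown again -> flooded
]


def run_scenario() -> Tuple[List[List[str]], int]:
    sw = LearningSwitch(["p1", "p2", "p3", "p4"], capacity=4, age_limit=10)
    decisions = [sw.forward(*frame) for frame in SCENARIO]
    return decisions, sw.table_size()


if __name__ == "__main__":
    decisions, size = run_scenario()
    for frame, ports in zip(SCENARIO, decisions):
        print(frame, "->", ports)
    print("entries left:", size, "flagged ports:", flag_noisy_ports(SCENARIO, 5, 2))
```

The forwarding trace reproduces the three behaviours in the post: a known destination goes to one port, an unknown one is flooded, and once the table is full a newly arrived host stays unknown until old entries age out. The check at the end is the defensive counterpart: limiting or alerting on the number of source MACs per access port is what keeps a single port from filling the table in the first place.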




Re: selecting old machines for firewall/router use

2011-02-23 Thread Henrique de Moraes Holschuh

On Wed, 23 Feb 2011, Andrew McGlashan wrote:
 An unpatched machine [for whatever reason], behind NAT has a
 fighting chance, but one which is directly addressable from the

The protection offered by NAT is equivalent to a stateful firewall that
only allows sessions to be initiated by the inside [1]. Only, a firewall is
likely to do a better job of securing the network than a NAT gateway.

Nobody ever proposed directly attaching networks to the wide internet
without border protection.  That has nothing to do with NAT.

And that unpatched machine has no fighting chance at all, NAT or no NAT,
unless:

 1. none of its inside neighbours will attack it
 2. all the upgrade paths are safe
 3. nothing else is done while it is upgrading itself.

(2) can be quite difficult if any of the important software wants to open a
browser, and there are ads in the pages for example.  (3) depends on user
awareness.


[1] iptables -I FORWARD -i <external interface> -m conntrack --ctstate
NEW -j DROP (or something like that).

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


Archive: http://lists.debian.org/20110223193636.ga13...@khazad-dum.debian.net
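Henrique's footnote rule, worked through as an added example (not code from the thread or from any of its authors): a toy stateful forwarder in Python that classifies packets the way conntrack does and drops anything arriving on the external interface that does not belong to a session started from the inside. The interface names eth0 and eth1, the addresses, the single "port forward" exception and the class and function names are all constructed for the example.

```python
"""Toy stateful FORWARD chain in the spirit of the footnote rule
    iptables -I FORWARD -i <external interface> -m conntrack --ctstate NEW -j DROP
Added illustration only; interface names, addresses and the port-forward
exception below are constructed for the example."""
from dataclasses import dataclass
from typing import List, Set, Tuple

EXTERNAL = "eth0"   # assumed: Internet-facing interface
INTERNAL = "eth1"   # assumed: LAN-facing interface

# Deliberate inbound exceptions, the "port forwards" an admin adds on top of
# the default rule: (proto, destination, port).  Constructed for the example.
PORT_FORWARDS: Set[Tuple[str, str, int]] = {("tcp", "192.168.1.20", 443)}

FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> FlowKey:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> FlowKey:
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulForwarder:
    """Tracks flows the way conntrack does and applies a single rule:
    a NEW connection may not enter on the external interface."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()   # flows seen in their original direction

    def ctstate(self, packet: Packet) -> str:
        # Either direction of a flow we have already accepted counts as
        # ESTABLISHED; anything else is NEW.
        if packet.key() in self.flows or packet.reverse_key() in self.flows:
            return "ESTABLISHED"
        return "NEW"

    def forward(self, packet: Packet) -> str:
        state = self.ctstate(packet)
        if packet.in_iface == EXTERNAL and state == "NEW":
            # The NAT-equivalent protection: nothing from outside may open a
            # session, unless the admin explicitly exposed that service.
            if (packet.proto, packet.dst, packet.dport) not in PORT_FORWARDS:
                return "DROP"
        if state == "NEW":
            self.flows.add(packet.key())
        return "ACCEPT"


def run_scenario() -> List[str]:
    """Constructed packet sequence; returns one verdict per packet."""
    fw = StatefulForwarder()
    packets = [
        # 1. LAN client opens HTTPS to an outside server: NEW from inside
        Packet(INTERNAL, "tcp", "192.168.1.10", 40000, "203.0.113.5", 443),
        # 2. The server's reply matches the reverse of a known flow
        Packet(EXTERNAL, "tcp", "203.0.113.5", 443, "192.168.1.10", 40000),
        # 3. Unsolicited SSH probe from outside: NEW on eth0
        Packet(EXTERNAL, "tcp", "198.51.100.7", 5555, "192.168.1.10", 22),
        # 4. Outside client to the deliberately forwarded web server
        Packet(EXTERNAL, "tcp", "198.51.100.7", 6000, "192.168.1.20", 443),
        # 5. The forwarded server's reply travels back out
        Packet(INTERNAL, "tcp", "192.168.1.20", 443, "198.51.100.7", 6000),
        # 6. A DNS-looking packet to a LAN host nobody asked for: still NEW
        Packet(EXTERNAL, "udp", "198.51.100.7", 5555, "192.168.1.10", 53),
    ]
    return [fw.forward(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The point of the trace is the one Henrique and Pascal make: a NAT gateway drops unsolicited inbound packets only because it has no translation entry to map them to, and a stateful filter reaches the same verdict by refusing NEW connections on the external interface, without rewriting any addresses. Whatever is meant to be reachable from outside is then an explicit exception in both cases, which is where the admin's attention belongs.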



Re: selecting old machines for firewall/router use

2011-02-22 Thread Paul Fraser
On Tue, Feb 22, 2011 at 10:41, Nate Bargmann n...@n0nb.us wrote:

 Not only that but as we move to IPv6 there is no such thing as NAT.


Oh, how I wish that were true... The IPv6 spec includes NAT.

P.


Re: selecting old machines for firewall/router use

2011-02-22 Thread Henrique de Moraes Holschuh
On Wed, 23 Feb 2011, Paul Fraser wrote:
 On Tue, Feb 22, 2011 at 10:41, Nate Bargmann n...@n0nb.us wrote:
  Not only that but as we move to IPv6 there is no such thing as NAT.
 
 Oh, how I wish that were true... The IPv6 spec includes NAT.

Which RFC?

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


Archive: http://lists.debian.org/2011030938.gb15...@khazad-dum.debian.net



Re: selecting old machines for firewall/router use

2011-02-22 Thread shawn wilson
On Feb 22, 2011 6:10 PM, Henrique de Moraes Holschuh h...@debian.org
wrote:

 On Wed, 23 Feb 2011, Paul Fraser wrote:
  On Tue, Feb 22, 2011 at 10:41, Nate Bargmann n...@n0nb.us wrote:
   Not only that but as we move to IPv6 there is no such thing as NAT.
 
  Oh, how I wish that were true... The IPv6 spec includes NAT.

 Which RFC?

Lmgtfy - 4684 and 5902 - don't know off hand, you'll have to do some reading
to see for sure...


Re: selecting old machines for firewall/router use

2011-02-22 Thread Henrique de Moraes Holschuh
On Tue, 22 Feb 2011, shawn wilson wrote:
 On Feb 22, 2011 6:10 PM, Henrique de Moraes Holschuh h...@debian.org
 wrote:
  On Wed, 23 Feb 2011, Paul Fraser wrote:
   Oh, how I wish that were true... The IPv6 spec includes NAT.
 
  Which RFC?
 
 Lmgtfy - 4684 and 5902 - don't know off hand, you'll have to do some reading
 to see for sure...

RFC 5902 is about *thoughts* on IPv6 NAT.  RFC 4684 is about something else
entirely.

AFAIK by the start of 2011 IPv6 NAT was still not in any RFC or serious
proposal.  It might well one day be, and it will be a sad day, and yet
another major mistake to add to the damn big stinking pile of crap that
has been accumulating under the IPv6 rug for a while now.

I still wonder what kind of weed these people are smoking when they think
any leaf AS is going to accept non-provider-independent address space,
though.  It is the reality already in all RIRs.

It will be easier to just scale the routers.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


Archive: http://lists.debian.org/20110223010957.ga23...@khazad-dum.debian.net



Re: selecting old machines for firewall/router use

2011-02-21 Thread Nate Bargmann
* On 2011 20 Feb 22:06 -0600, Stan Hoeppner wrote:
 Some consumer wireless routers don't like to do DHCP pass through, and
 won't serve DHCP when configured as a bridge, in which case the Linux
 firewall will have to serve DHCP.  If the wireless router won't pass
 DHCP from the wired to wireless segments while in bridge mode, then
 you're in a catch 22.  Some simply can't be configured as bridges at all
 (access points--APs).  In this case, you'll have to run the Netgear in
 router mode and run multiple RFC 1918 subnets, one for wireless traffic
 and one for wired, and you'll have to setup the firewall to perform
 routing as well as packet filtering.

I found that one does not necessarily need specific bridging support in
the router firmware to make one a simple AP.  What I've done with three
different router models--two Linksys and one Netgear--was to disable the
internal DHCP server and connect the uplink cable to one of the switch
ports rather than the WAN port.  In that configuration they have worked
well by simply passing DHCP and other network protocols.  These have
been models with four wired LAN ports, a wired WAN port, and wireless.
This has the nice effect of my wireless being on the same subnet as my
wired LAN and the wireless clients are directly accessible with ping and
other protocols creating a seamless network.

 You've got your work cut out for you, and it will be a painful learning
 curve if you use the trial and error method of setting it up.  All your
 machines may be unable to access the net while you're changing your
 network architecture, which means no access to troubleshooting docs or
 forum help.
 
 Thus, you need to have researched _everything_ and have a solid step by
 step migration plan in place _before_ you change a single thing.  If all
 clients were wired desktop machines and you didn't have the wireless
 Netgear in the mix it may be easier.  You've got a lot of research to do.

Indeed.  In my experience, the DNSmasq and Shorewall packages are
amongst the easiest ways to set up a DHCP server with caching DNS and
iptables firewall.  If an IPv6 tunnel is configured or an IPv6 address is provided 
by the upstream ISP, then the shorewall6 package will be needed.

This can be a very fun project for a learning experience so long as
others aren't having a network outage during the transition.  Have fun!

- Nate 

-- 

The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true.

Ham radio, Linux, bikes, and more: http://n0nb.us/index.html


Archive: http://lists.debian.org/20110221131718.ga6...@n0nb.us



Re: selecting old machines for firewall/router use

2011-02-21 Thread shawn wilson
On Sun, Feb 20, 2011 at 9:26 PM, Greg Madden gomadtr...@gci.net wrote:



 On Sunday 20 February 2011 03:03:35 pm Nate Bargmann wrote:
  * On 2011 20 Feb 14:22 -0600, Elmer E. Dow wrote:
   Greetings:
  
   I'd like to set up a network with a firewall for my home computers
   for security, control and convenience (file sharing), as well as to
   learn about networking. We have the Internet entering via a Motorola
   DSL modem and it currently passes data through a NetGear wireless
   router. I'd like to construct my own firewall/router to connect our
   three active machines and also use the NetGear for wireless access
   when needed.
 
  Reusing old hardware is fine.  Be sure that you're not going to spend as
  much or more getting the hardware into an old computer as you might with
  a router capable of running OpenWRT or similar.  Last year I bought an
  Asus WL-500 GP from New Egg for about $60.  Granted, one must read specs
  carefully if more memory/hardware capability is required.  Not to be
  overlooked are the space and energy requirements of an old desktop
  versus a modern router capable of running an embedded Linux
  distribution.
 
 +1

 ditch the old computer, today's routers with dd-wrt or openwrt are more
 reliable
 and cheaper to run.  Buffalo routers come with dd-wrt pre-installed.

 Your netgear router may be supported by dd-wrt, some are. If it has wired
 ports
 along with the wireless it could be fine.


really? i'd be truly interested if you can show me a piece of hardware that
can do what vyatta can do on old pc hardware. in fact, i'll give you a $500
finders fee if you can find me hardware that does what vyatta can do for
under $500 hell, if you can find anything for under $2k, i'll be
impressed - i think the asa 5525 has the ids capabilities for ~2500 or
something like that which is the closest and cheapest i think you'll find.

that said, i still use a fon for a wifi bridge to my network which runs wrt
(err, sorta) and i highly recommend these devices for everything wifi (even
business networks - no poe though).


Re: selecting old machines for firewall/router use

2011-02-21 Thread Andrei Popescu
On Lu, 21 feb 11, 07:17:18, Nate Bargmann wrote:
 * On 2011 20 Feb 22:06 -0600, Stan Hoeppner wrote:
  Some consumer wireless routers don't like to do DHCP pass through, and
  won't serve DHCP when configured as a bridge, in which case the Linux
  firewall will have to serve DHCP.  If the wireless router won't pass
  DHCP from the wired to wireless segments while in bridge mode, then
  you're in a catch 22.  Some simply can't be configured as bridges at all
  (access points--APs).  In this case, you'll have to run the Netgear in
  router mode and run multiple RFC 1918 subnets, one for wireless traffic
  and one for wired, and you'll have to setup the firewall to perform
  routing as well as packet filtering.
 
 I found that one does not necessarily need specific bridging support in
 the router firmware to make one a simple AP.  What I've done with three
 different router models--two Linksys and one Netgear--was to disable the
 internal DHCP server and connect the uplink cable to one of the switch
 ports rather than the WAN port.  In that configuration they have worked
 well by simply passing DHCP and other network protocols.  These have
 been models with four wired LAN ports, a wired WAN port, and wireless.
 This has the nice effect of my wireless being on the same subnet as my
 wired LAN and the wireless clients are directly accessable with ping and
 other protocols creating a seemless network.

+1

Just don't forget to make sure the router's internal IP address is 
different from any other machine on the network. Easiest way for me was 
to just use different sub-nets. Example: leave the router on 192.168.1.1 
and build my own network on 192.158.0.XXX

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: selecting old machines for firewall/router use

2011-02-21 Thread Pascal Hambourg
Andrei Popescu a écrit :
 
 Just don't forget to make sure the router's internal IP address is 
 different from any other machine on the network.

Just like any other device. Nothing special here.

 Easiest way for me was 
 to just use different sub-nets. Example: leave the router on 192.168.1.1 
 and build my own network on 192.158.0.XXX

This is unnecessary, and makes it hard to manage the device.


Archive: http://lists.debian.org/4d62dda5.7080...@plouf.fr.eu.org



Re: selecting old machines for firewall/router use

2011-02-21 Thread Pascal Hambourg
Stan Hoeppner a écrit :
 
 You only need one
 NIC in your firewall box when using a switch.  You simply plug
 everything into the switch including the DSL modem and the Netgear.
 Bind both the public and private IP addresses to the same NIC in the
 firewall using a virtual NIC: i.e. eth0 and eth0:1.

This is a wrong idea because the firewall can be by-passed, leaving a
hole in the LAN security.


Archive: http://lists.debian.org/4d62de67.4050...@plouf.fr.eu.org



Re: selecting old machines for firewall/router use

2011-02-21 Thread Pascal Hambourg
Adrian Levi a écrit :
 
 I'd also suggest a static ip configuration with a setup like this, as
 you'll only have one computer at the end of each ethernet segment you
 won't gain anything from DHCP, you'd need a subnet declaration for
 each nic and a pool statement.

Ethernet cards can be bridged together to form one LAN, with one subnet.
But an easier solution would be to use a cheap dumb switch, or the extra
LAN ports of the internal switch of the wifi router now set up and used
as an access point.


Archive: http://lists.debian.org/4d62df78.8000...@plouf.fr.eu.org



Re: selecting old machines for firewall/router use

2011-02-21 Thread Andrei Popescu
On Lu, 21 feb 11, 22:48:21, Pascal Hambourg wrote:
 
  Easiest way for me was 
  to just use different sub-nets. Example: leave the router on 192.168.1.1 
  and build my own network on 192.158.0.XXX
 
 This is unnecessary, and makes it hard to manage the device.

Ok, but IMVHO it would be a good idea to make sure the DHCP server does 
not allocate the router's IP to some other host.

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: selecting old machines for firewall/router use

2011-02-21 Thread Pascal Hambourg
Andrei Popescu a écrit :
 
 Ok, but IMVHO it would be a good idea to make sure the DHCP server does 
 not allocate the router's IP to some other host.

Of course, like any other statically assigned address. Again, nothing
special here.


Archive: http://lists.debian.org/4d62e313.9060...@plouf.fr.eu.org



Re: selecting old machines for firewall/router use

2011-02-21 Thread Stan Hoeppner
Pascal Hambourg put forth on 2/21/2011 3:51 PM:
 Stan Hoeppner a écrit :

 You only need one
 NIC in your firewall box when using a switch.  You simply plug
 everything into the switch including the DSL modem and the Netgear.
 Bind both the public and private IP addresses to the same NIC in the
 firewall using a virtual NIC: i.e. eth0 and eth0:1.
 
 This is a wrong idea because the firewall can be by-passed, leaving a
 hole in the LAN security.

Would you mind explaining why you believe this?

The DSL modem is an ethernet to ATM bridge and the connection to the
DSLAM is point-to-point.  So, with my recommended setup, while in theory
broadcast packets could reach the other end, typically the DSLAM is
going to instantly drop any such packets as they have no valid
destination.  Thus, nothing on the public side of the bridge is going to
know the MAC addresses of internal hosts except the DSLAM, so there's no
chance of things like an ARP attack.

For this to be a real security issue, any attack must start below the IP
level, eliminating any threat from a remote internet host.  The attacker
would have to be a telco employee generating attack packets from the
DSLAM itself.  The odds of this are probably lower than being struck by
lightning while being attacked by a shark.

Remember, the OP has xDSL service, _not_ cable.  If he'd said cable, I'd
not have recommended what I did, as cable is a shared medium, and
broadcast traffic is seen by other customers' equipment on the same
segment.  What I proposed is perfectly safe for xDSL.  For a cable
situation, you should have two physical NICs in the firewall to
eliminate the possibility of broadcast traffic and things like ARP attacks.

-- 
Stan


Archive: http://lists.debian.org/4d62f904.3040...@hardwarefreak.com



Re: selecting old machines for firewall/router use

2011-02-21 Thread shawn wilson
On Mon, Feb 21, 2011 at 6:45 PM, Stan Hoeppner s...@hardwarefreak.com wrote:

 Pascal Hambourg put forth on 2/21/2011 3:51 PM:
  Stan Hoeppner a écrit :
 
  You only need one
  NIC in your firewall box when using a switch.  You simply plug
  everything into the switch including the DSL modem and the Netgear.
  Bind both the public and private IP addresses to the same NIC in the
  firewall using a virtual NIC: i.e. eth0 and eth0:1.
 
  This is a wrong idea because the firewall can be by-passed, leaving a
  hole in the LAN security.

 Would you mind explaining why you believe this?

well, if you fill up a switch's arp cache, it starts acting like a hub. at
that point data goes everywhere.

supposedly, there is also a way to 'pivot' past a nat device - i haven't
looked into this, so i can't speak to this much...


Re: selecting old machines for firewall/router use

2011-02-21 Thread Nate Bargmann
* On 2011 21 Feb 18:14 -0600, shawn wilson wrote:
 supposedly, there is also a way to 'pivot' past a nat device - i haven't
 looked into this, so i can't speak to this much...

Not only that but as we move to IPv6 there is no such thing as NAT.  New
network device installations should be taking IPv6 into account.  Of
course any use of later Linux distributions assures IPv6 support.

Even though the WRT55AG is not specifically IPv6 capable nor are the
Ubiquiti devices I have on my LAN, as they are operating as bridges they
pass IPv6 just fine.  They just can't be assigned an IPv6 address up to
this point.

- Nate 

-- 

The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true.

Ham radio, Linux, bikes, and more: http://n0nb.us/index.html


Archive: http://lists.debian.org/20110222004104.gc19...@n0nb.us



Re: selecting old machines for firewall/router use

2011-02-21 Thread John Hasler
Stan writes:
 For this to be a real security issue, any attack must start below the
 IP level...

Or from the inside.  If none of the machines on the LAN are running
Windows you're probably ok.
-- 
John Hasler


Archive: http://lists.debian.org/871v30lxwe@thumper.dhh.gt.org



Re: selecting old machines for firewall/router use

2011-02-21 Thread Stan Hoeppner
shawn wilson put forth on 2/21/2011 6:05 PM:
 On Mon, Feb 21, 2011 at 6:45 PM, Stan Hoeppner s...@hardwarefreak.com wrote:
 
 Pascal Hambourg put forth on 2/21/2011 3:51 PM:
 Stan Hoeppner a écrit :

 You only need one
 NIC in your firewall box when using a switch.  You simply plug
 everything into the switch including the DSL modem and the Netgear.
 Bind both the public and private IP addresses to the same NIC in the
 firewall using a virtual NIC: i.e. eth0 and eth0:1.

 This is a wrong idea because the firewall can be by-passed, leaving a
 hole in the LAN security.

 Would you mind explaining why you believe this?

 well, if you fill up a switch's arp cache, it starts acting like a hub. at
 that point data goes everywhere.

Would you mind pointing the list to the document that verifies your claim?

 supposedly, there is also a way to 'pivot' past a nat device - i haven't
 looked into this, so i can't speak to this much...

Again, would you mind pointing us to a document that verifies this?

I ask because neither are true, and I'd like to see the source of your
misinformation.

-- 
Stan


Archive: http://lists.debian.org/4d630722.1030...@hardwarefreak.com



Re: selecting old machines for firewall/router use

2011-02-21 Thread Stan Hoeppner
John Hasler put forth on 2/21/2011 6:24 PM:
 Stan writes:
 For this to be a real security issue, any attack must start below the
 IP level...
 
 Or from the inside.  If none of the machines on the LAN are running
 Windows you're probably ok.

How is this a security issue?  Broadcast packets coming from the
customer that hit the DSLAM are instantly dropped.  Even if you have
Windows machines there's no issue.  Again, we're talking about xDSL here
not cable.  The DSLAM acts as a broadcast packet firewall.

xDSL + broadcast  = no problem
cable + broadcast = potential problem

-- 
Stan


Archive: http://lists.debian.org/4d630872.3020...@hardwarefreak.com



Re: selecting old machines for firewall/router use

2011-02-21 Thread John Hasler
I wrote:
 Or from the inside.  If none of the machines on the LAN are running
 Windows you're probably ok.

Stan writes:
 How is this a security issue?  Broadcast packets coming from the
 customer that hit the DSLAM are instantly dropped.

Nothing to do with the DSLAM.  These routers usually expose a Web
interface on the LAN side.  Malware on a Windows machine on the LAN
could break into the router.

-- 
John Hasler


Archive: http://lists.debian.org/87wrkskg37@thumper.dhh.gt.org



Re: selecting old machines for firewall/router use

2011-02-21 Thread Stan Hoeppner
John Hasler put forth on 2/21/2011 7:34 PM:
 I wrote:
 Or from the inside.  If none of the machines on the LAN are running
 Windows you're probably ok.
 
 Stan writes:
 How is this a security issue?  Broadcast packets coming from the
 customer that hit the DSLAM are instantly dropped.
 
 Nothing to do with the DSLAM.  These routers usually expose a Web
 interface on the LAN side.  Malware on a Windows machine on the LAN
 could break into the router.

You're confusing
Windows malware can potentially access router admin interface

with
Windows malware can automatically subvert the router

Setting a strong password thwarts such a thing, and one should be
setting such a password anyway.

On the flip side, this same router _is_ the default NAT+SPI firewall
for the vast majority of home users.  They don't have a separate Linux
firewall box in the middle.  So I guess you're saying they're all
totally vulnerable to this fanciful malware you describe, which can
access the admin page of any and all home routers instantly and make any
changes it wishes?

In your scenario, how would this differ from the admin interface of
SmoothWall, IPCop, etc?  The admin interfaces of all such firewalls fall
across a wide spectrum of TCP ports.  Does your malware scan them all?
If the consumer hardware router is vulnerable to this fanciful malware
of yours then Smoothy, IPCop, etc, are as well.  Yes?  If you say no,
please explain the technical difference, as I don't see one.

-- 
Stan


Archive: http://lists.debian.org/4d631dfe.8020...@hardwarefreak.com



Re: selecting old machines for firewall/router use

2011-02-20 Thread Adrian Levi
On 21 February 2011 06:02, Elmer E. Dow elmere...@att.net wrote:
 Greetings:

Snipped

 300 Mhz processor
 boot manager on 3.5-inch diskette so it can boot from diskette, CD or hard
 drive
 ethernet jack on motherboard
 5 pci slots
 4 isa slots
 (I have a pci nic and 2 isa nics on hand, plus there's that built-in jack on
 the board)

 I'm leaning toward using the above machine since it has both pci and isa
 slots for nics (and an ethernet jack on the motherboard) so I won't have to
  buy a switch right away. I'll be able to connect the firewall/router box
 direct to the networked machines. (Will I need crossover cables?) However,
 it's the slowest of the bunch and I suspect that those isa nics might be
 very slow and problematic. Would I be best off just buying a network switch
 or replacing the isa nics with pci nics? Would one of my faster old machines
 be a more practical choice here? I have the following available:

Throw in the ISA nics, they will be fine albeit most probably limited
to 10Mbit, fine for internet but probably a bit tedious transferring
anything larger than a couple of gigs. You'll be wanting 100Mbit
pretty fast.

Yes you will need crossover cables.

I'd also suggest a static ip configuration with a setup like this, as
you'll only have one computer at the end of each ethernet segment you
won't gain anything from DHCP, you'd need a subnet declaration for
each nic and a pool statement. It would be much easier to configure
with static IPs.

Something else to look into is to make sure your cable modem is
plugged into one of the 10Mbit nics unless your internet connection
goes faster than 1M Byte per sec you won't notice any speed gain, save
any 100Mbit nics you have for your client machines.

Some programs you can have a look at running are:
Apache - Local intranet webserver for a homepage shared across machines,
Samba - Share files across windows / linux machines,
Squid - Caching proxy server - save some download bandwidth,
Bind - Run your own caching name server,

Hook it all up and have a play ;-)

Adrian

-- 
24x7x365 != 24x7x52 Stupid or bad maths?
erno hm. I've lost a machine.. literally _lost_. it responds to
ping, it works completely, I just can't figure out where in my
apartment it is.


Archive: http://lists.debian.org/AANLkTi=joisnwnbeaomgzl7kl7cwoz4s7mveewe4c...@mail.gmail.com



Re: selecting old machines for firewall/router use

2011-02-20 Thread John Hasler
Elmer writes:
 300 Mhz processor boot manager on 3.5-inch diskette so it can boot
 from diskette, CD or hard drive

That'll work fine as long as it has enough RAM to install Debian.
-- 
John Hasler


Archive: http://lists.debian.org/8762sel8hf@thumper.dhh.gt.org



Re: selecting old machines for firewall/router use

2011-02-20 Thread Nate Bargmann
* On 2011 20 Feb 14:22 -0600, Elmer E. Dow wrote:
 Greetings:
 
 I'd like to set up a network with a firewall for my home computers
 for security, control and convenience (file sharing), as well as to
 learn about networking. We have the Internet entering via a Motorola
 DSL modem and it currently passes data through a NetGear wireless
 router. I'd like to construct my own firewall/router to connect our
 three active machines and also use the NetGear for wireless access
 when needed.

Reusing old hardware is fine.  Be sure that you're not going to spend as
much or more getting the hardware into an old computer as you might with
a router capable of running OpenWRT or similar.  Last year I bought an
Asus WL-500 GP from New Egg for about $60.  Granted, one must read specs
carefully if more memory/hardware capability is required.  Not to be
overlooked are the space and energy requirements of an old desktop
versus a modern router capable of running an embedded Linux
distribution.

I have my OpenWRT router working as an IPv4 DHCP server for my LAN and
caching DNS server with DNSmasq.  It also handles the IPv6 tunnel I have
and serves as the IPv6 router and address configurator with the radvd
package.  As it is a limited platform with only vi available for an
editor, I have it set up so I can mount the file system with sshfs, fuse,
and sftp-server so I can do most of its management from my desktop.  

As I prefer to use a WRT55AG for 802.11a access, I disabled the
WL500GP's 802.11b/g wireless so I cannot comment on its performance.

While there is value in re-purposing old hardware, going this route has
been a gain all the way around for me.  It may be something to consider.

- Nate 

-- 

The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true.

Ham radio, Linux, bikes, and more: http://n0nb.us/index.html


Archive: http://lists.debian.org/20110221000335.gd4...@n0nb.us



Re: selecting old machines for firewall/router use

2011-02-20 Thread Greg Madden


On Sunday 20 February 2011 03:03:35 pm Nate Bargmann wrote:
 * On 2011 20 Feb 14:22 -0600, Elmer E. Dow wrote:
  Greetings:
 
  I'd like to set up a network with a firewall for my home computers
  for security, control and convenience (file sharing), as well as to
  learn about networking. We have the Internet entering via a Motorola
  DSL modem and it currently passes data through a NetGear wireless
  router. I'd like to construct my own firewall/router to connect our
  three active machines and also use the NetGear for wireless access
  when needed.

 Reusing old hardware is fine.  Be sure that you're not going to spend as
 much or more getting the hardware into an old computer as you might with
 a router capable of running OpenWRT or similar.  Last year I bought an
 Asus WL-500 GP from New Egg for about $60.  Granted, one must read specs
 carefully if more memory/hardware capability is required.  Not to be
 overlooked are the space and energy requirements of an old desktop
 versus a modern router capable of running an embedded Linux
 distribution.

+1

ditch the old computer, today's routers with dd-wrt or openwrt are more
reliable and cheaper to run.  Buffalo routers come with dd-wrt pre-installed.

Your netgear router may be supported by dd-wrt, some are. If it has wired ports 
along with the wireless it could be fine.

-- 
Peace,

Greg


Archive: http://lists.debian.org/201102201726.13826.gomadtr...@gci.net



Re: selecting old machines for firewall/router use

2011-02-20 Thread Stan Hoeppner
Elmer E. Dow put forth on 2/20/2011 2:02 PM:
 Greetings:
 
 I'd like to set up a network with a firewall for my home computers for
 security, control and convenience (file sharing), as well as to learn
 about networking. We have the Internet entering via a Motorola DSL modem
 and it currently passes data through a NetGear wireless router. I'd like
 to construct my own firewall/router to connect our three active machines
 and also use the NetGear for wireless access when needed.

You may have a devil of a time setting up a dedicated Linux firewall
machine and reconfiguring the Netgear to function properly as a wireless
ethernet bridge instead of an IP router.  It may or may not be able to
depending on which model you have.  Since you have wireless clients (I
assume laptops) you'll still want/need DHCP.  So you'll have to decide
who serves DHCP, the Linux firewall or the Netgear.

Some consumer wireless routers don't like to do DHCP pass through, and
won't serve DHCP when configured as a bridge, in which case the Linux
firewall will have to serve DHCP.  If the wireless router won't pass
DHCP from the wired to wireless segments while in bridge mode, then
you're in a catch 22.  Some simply can't be configured as bridges at all
(access points--APs).  In this case, you'll have to run the Netgear in
router mode and run multiple RFC 1918 subnets, one for wireless traffic
and one for wired, and you'll have to set up the firewall to perform
routing as well as packet filtering.

You've got your work cut out for you, and it will be a painful learning
curve if you use the trial and error method of setting it up.  All your
machines may be unable to access the net while you're changing your
network architecture, which means no access to troubleshooting docs or
forum help.

Thus, you need to have researched _everything_ and have a solid step by
step migration plan in place _before_ you change a single thing.  If all
clients were wired desktop machines and you didn't have the wireless
Netgear in the mix it may be easier.  You've got a lot of research to do.

 I'm leaning toward using the above machine since it has both pci and isa
 slots for nics (and an ethernet jack on the motherboard) so I won't have
 to  buy a switch right away.

An 8 port 10/100 FDX Rosewill desktop switch is $10 at Newegg, other
brands around the same price ranging from 4-8 ports.  You only need one
NIC in your firewall box when using a switch.  You simply plug
everything into the switch including the DSL modem and the Netgear.
Bind both the public and private IP addresses to the same NIC in the
firewall using a virtual NIC: i.e. eth0 and eth0:1.  Plenty of docs on
the web to teach you this.

 e-machines
 1.7 Ghz processor
 ethernet jack on motherboard
 3 pci slots
 It seems like this one would have the greatest energy costs. I'd need to
 buy more pci nics, too.

This most likely uses a Celeron chip.  This box will use no more juice
than the others, maybe a little less actually, due to the smaller
feature size of the CPU silicon and the newer lower voltage memory.  I
wouldn't worry about power draw.  All these machines will be very
similar, within 20% of each other tops.

 Which would be most suitable as a firewall/router? I'm thinking that any
 will work, but the e-machines box will be the most expensive to operate.
 And most of the above machines will require me to get more nics or
 purchase a switch. Any other things that I should consider?

Your selection criteria should be solely based on which of these
machines has proven to be most reliable.  If you acquired them used or
for any reason don't have such information available, go with the
youngest box.  Before entrusting it with all of your internet traffic,
I'd thoroughly beat on the network interface to make sure it's solid.
Check for problems using ifconfig:

~$ ifconfig eth0
eth0  Link encap:Ethernet  HWaddr 00:90:27:65:01:69
  inet addr:192.168.100.9  Bcast:192.168.100.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:2350006 errors:0 dropped:0 overruns:0 frame:0
  TX packets:2708546 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:629009753 (599.8 MiB)  TX bytes:1874802396 (1.7 GiB)

Ideally you should see zeros in the same places as above.  If you see
values above zero that means you have errors at the ethernet level.
This points to a bad NIC, cable, or switch port.

-- 
Stan


Archive: http://lists.debian.org/4d61e478.4080...@hardwarefreak.com
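The "look for non-zero error counters" check Stan describes can be scripted so it can be run repeatedly while beating on the interface. The script below is an added example, not code from the post or from Debian: it parses net-tools style ifconfig output (the sample quoted in the post, plus a constructed "bad" sample with deliberately non-zero counters) and reports only the error-class counters that are not zero. The `read_sysfs_counters` helper is an added convenience for modern Linux hosts where ifconfig may not be installed; it reads the same counters from `/sys/class/net/<iface>/statistics`, which is where net-tools gets them (ifconfig prints `rx_fifo_errors` as RX "overruns" and `rx_frame_errors` as "frame").

```python
import os
import re
from typing import Dict

# Sample net-tools ifconfig output.  GOOD_IFCONFIG is the output quoted in
# the post above; BAD_IFCONFIG is constructed for this example to show what
# a flaky NIC, cable or switch port looks like.
GOOD_IFCONFIG = """\
eth0  Link encap:Ethernet  HWaddr 00:90:27:65:01:69
      inet addr:192.168.100.9  Bcast:192.168.100.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:2350006 errors:0 dropped:0 overruns:0 frame:0
      TX packets:2708546 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:629009753 (599.8 MiB)  TX bytes:1874802396 (1.7 GiB)
"""

BAD_IFCONFIG = """\
eth1  Link encap:Ethernet  HWaddr 00:11:22:33:44:55
      inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:104233 errors:17 dropped:0 overruns:0 frame:17
      TX packets:98120 errors:0 dropped:3 overruns:0 carrier:2
      collisions:41 txqueuelen:1000
      RX bytes:12345678 (11.7 MiB)  TX bytes:8765432 (8.3 MiB)
"""

# Counters that should stay at zero on a healthy link.  Anything non-zero
# here points to a bad NIC, cable or switch port, as the post says.
ERROR_COUNTERS = ("rx_errors", "rx_dropped", "rx_overruns", "rx_frame",
                  "tx_errors", "tx_dropped", "tx_overruns", "tx_carrier",
                  "collisions")


def parse_ifconfig(text: str) -> Dict[str, int]:
    """Extract the packet and error counters from one interface's ifconfig block.

    Keys are prefixed with rx_/tx_ so both directions fit in one dict, e.g.
    rx_packets, rx_errors, tx_carrier, collisions.
    """
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("RX packets", "TX packets")):
            direction = stripped[:2].lower()          # "rx" or "tx"
            for key, val in re.findall(r"(\w+):(\d+)", stripped):
                counters[f"{direction}_{key}"] = int(val)
        elif stripped.startswith("collisions:"):
            match = re.match(r"collisions:(\d+)", stripped)
            if match:
                counters["collisions"] = int(match.group(1))
    return counters


def link_errors(counters: Dict[str, int]) -> Dict[str, int]:
    """Return only the error-class counters that are not zero (empty == clean link)."""
    return {k: v for k, v in counters.items() if k in ERROR_COUNTERS and v != 0}


def read_sysfs_counters(iface: str) -> Dict[str, int]:
    """Read the same counters from /sys/class/net on a Linux host (added helper).

    Returns an empty dict on systems without that interface or without sysfs.
    """
    sysfs_names = {
        "rx_errors": "rx_errors", "rx_dropped": "rx_dropped",
        "rx_overruns": "rx_fifo_errors", "rx_frame": "rx_frame_errors",
        "tx_errors": "tx_errors", "tx_dropped": "tx_dropped",
        "tx_overruns": "tx_fifo_errors", "tx_carrier": "tx_carrier_errors",
        "collisions": "collisions",
    }
    base = f"/sys/class/net/{iface}/statistics"
    counters: Dict[str, int] = {}
    for key, fname in sysfs_names.items():
        path = os.path.join(base, fname)
        if os.path.exists(path):
            with open(path) as fh:
                counters[key] = int(fh.read().strip())
    return counters


if __name__ == "__main__":
    for sample in (GOOD_IFCONFIG, BAD_IFCONFIG):
        name = sample.split()[0]
        errs = link_errors(parse_ifconfig(sample))
        print(name, "link clean" if not errs else f"link errors: {errs}")
    # On a real host: python3 thisfile.py, then compare
    # link_errors(read_sysfs_counters("eth0")) before and after a transfer.
```

Run the check before and after a large transfer across the interface; a counter that climbs between the two runs is the one worth chasing, while a small historical value may just be from a cable that was plugged in while the box was booting.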



Re: selecting old machines for firewall/router use

2011-02-20 Thread Stan Hoeppner
John Hasler put forth on 2/20/2011 3:08 PM:
 Elmer writes:
 300 Mhz processor boot manager on 3.5-inch diskette so it can boot
 from diskette, CD or hard drive
 
 That'll work fine as long as it has enough RAM to install Debian.

Not to mention disk space.  Even though the OP asked on this list, I'm
guessing he'd be better off with something like IPCop instead of a
regular distro.  I get the feeling he's not up to manually configuring
iptables rules.

-- 
Stan


Archive: http://lists.debian.org/4d61e536.80...@hardwarefreak.com