> Can I use linux router for Framerelay connections ....
> Can you tell me some requirement equipment and software ....
Sure. You'll need to check with the carrier provider to make sure they aren't using anything weird, but you'll typically need a TSU/DSU to wind up with ye old RJ45 port talking 10Mb ethernet. Then you just need an additional ethernet card for your internal network. If you are doing complex routing (not advised for your first foray) you can have multiple ethernet cards, but at a certain point a dedicated router becomes more effective due to limitations of the PC architecture.

The basics of setting up the routing involve enabling port forwarding via

    echo "1" > /proc/sys/net/ipv4/ip_forward

Firewalling is a must. IPchains should be installed by default on a RH71 system. Put this script file in /etc/rc.d/init.d/ as the file ipchains. It is a very, very, very basic ipchains ruleset I wrote from memory. It assumes eth0 is your external ethernet card (attached to the frame circuit) and your internal IP addresses are on the 192.168.1.x subnet.

---------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -F
/sbin/ipchains -A input -j ACCEPT -i eth0 -p tcp -s 0/0 25 -d 0/0
/sbin/ipchains -P forward REJECT
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
--------------------------------

This will enable masquerading for your internal clients and block incoming requests to those machines. That linux box, however, will be completely exposed with this ruleset, IIRC. You really need to get a decent ruleset configured to keep this thing low maintenance and still service your network. There are several good IPCHAINS how-tos and FAQs on the net that will let you write something appropriate for your specific situation. There are a number of other settings you can enable, such as blocking fragmentary packets or ones with incomplete headers. They are activated the same way as ip_forward, but I'm afraid I don't remember right now. You'll also want to disable or, preferably, uninstall every service you have no intention of using.
Ditch telnet and only use SSH (PuTTY and TeratermSSH are good SSH clients for WinDoze machines). If you aren't using them, get rid of sendmail, FTP, apache, and any other services you can find. Go into /etc/xinetd.conf and set the disable flag on just about everything. Xinetd is the daemon that activates services when an incoming request is received. When you telnet to the machine, xinetd is what actually turns telnet on to receive your call. Then, when you've got all the services you don't want disabled and uninstalled, make sure the firewall ruleset blocks them. I'm suggesting you leave that for last right now since it really complicates the IPchains rules, but it really, REALLY needs to be done there. This will get your router up and running a little quicker and you can play with the firewall rules on the fly with only minimal service interruptions.

If this is a dedicated router you may want to go the one-disk option. I believe someone else posted one, but essentially it is a floppy disk with just the services you need (port forwarding, a firewall, and ethernet drivers). Flip the write protect tab and your OS can't be rewritten even if cracked. More feature-rich CD-based versions are available, I believe.

I'd recommend getting a port scan detector that has the ability to write to /etc/hosts.deny, like portsentry from psionic. Portscanning isn't particularly evil, but an excessive port scan, or one targeting trojan/worm/backdoor ports, is usually indicative of an impending attack of some kind. By dropping those folks into /etc/hosts.deny for a day you can remain relatively secure, assuming you check your logs and apply any relevant patches based on those logs. I use a cron job to replace /etc/hosts.deny and hosts.allow every night so I don't block too much of the dynamic IP pools from my web servers. I forget which worm it was, but one time I ended up having a couple hundred AOL ip addresses blocked in my hosts.deny. Poor uneducated saps.
Enjoy,
James

_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
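The post says the basic ruleset leaves the router itself exposed and that a decent ruleset is needed. Below is an added example of a default-deny ipchains ruleset for the same two-card layout; it is not James's script and not from the list. Everything beyond the post is an assumption: eth0 is the external (frame circuit) card, eth1 the internal card, 192.168.1.0/24 the internal subnet, SSH on tcp/22 is the only service the router offers to the outside, and 61000:65095 is the masquerade port range (the 2.2 kernel default). The DRY_RUN switch prints the rules instead of loading them, so the ruleset can be reviewed on a machine without ipchains.

```shell
#!/bin/sh
# Added example, not the original poster's script. Default-deny ipchains
# ruleset for a two-card Linux router. Assumptions (not from the post):
#   EXT_IF     external card on the frame circuit
#   INT_IF     internal card
#   INT_NET    internal subnet
#   tcp/22     the only service the router itself offers to the outside
#   MASQ_PORTS the kernel's masquerade port range (2.2 default)
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
INT_NET=${INT_NET:-192.168.1.0/24}
MASQ_PORTS=${MASQ_PORTS:-61000:65095}
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# With DRY_RUN set, print each rule instead of loading it, so the ruleset
# can be reviewed (or tested) on a box that has no ipchains at all.
ipc() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ipchains %s\n' "$*"
    else
        "$IPCHAINS" "$@"
    fi
}

apply_rules() {
    [ -n "${DRY_RUN:-}" ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    ipc -F input
    ipc -F forward
    ipc -F output
    # Deny by default; only what is explicitly allowed below gets in or through.
    ipc -P input DENY
    ipc -P forward DENY
    ipc -P output ACCEPT

    # Loopback and the internal network are trusted.
    ipc -A input -i lo -j ACCEPT
    ipc -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT

    # Anti-spoofing: nothing arriving on the external card may claim an
    # internal or loopback source address. -l logs the hit.
    ipc -A input -i "$EXT_IF" -s "$INT_NET" -l -j DENY
    ipc -A input -i "$EXT_IF" -s 127.0.0.0/8 -l -j DENY

    # The one service the router offers to the outside.
    ipc -A input -i "$EXT_IF" -p tcp -d 0/0 22 -j ACCEPT

    # ipchains has no connection tracking: refuse every other new inbound
    # TCP connection by matching the SYN flag (-y) and log it, then let
    # non-SYN packets (replies to connections opened from inside) through.
    ipc -A input -i "$EXT_IF" -p tcp -y -l -j DENY
    ipc -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # UDP replies to masqueraded client traffic (DNS, NTP, ...) arrive on the
    # masquerade port range; demasquerading happens after the input chain.
    ipc -A input -i "$EXT_IF" -p udp -d 0/0 "$MASQ_PORTS" -j ACCEPT

    # ICMP the router and its clients need: echo-reply (0), destination
    # unreachable (3, path MTU discovery), time exceeded (11, traceroute).
    for t in 0 3 11; do
        ipc -A input -i "$EXT_IF" -p icmp -s 0/0 "$t" -j ACCEPT
    done

    # Forward chain: masquerade internal clients leaving via the external
    # card. Everything else hits the DENY policy, so outsiders cannot reach
    # the internal machines even with forwarding switched on.
    ipc -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  DRY_RUN=1 apply_rules ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run it as `sh router-rules.sh show` to read the rules it would load, and `sh router-rules.sh apply` from the init script once they look right. The `-y` DENY line is what the basic ruleset in the post lacks: it is the stateless equivalent of "no new connections from outside", and the `-l` flags put every refused attempt in the kernel log so the logs are worth checking.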
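The nightly hosts.deny reset James mentions, as an added example that is not his cron job and not from the list: it keeps a hand-maintained baseline file, archives whatever portsentry added since the last run with a date stamp so the addresses can still be checked against the logs, and then swaps the baseline back in atomically. The file paths are assumptions; the `ALL: address` line format is the tcp_wrappers hosts.deny syntax portsentry writes.

```shell
#!/bin/sh
# Added example, not the original poster's cron job. Nightly reset of
# /etc/hosts.deny: archive the entries portsentry added, then restore the
# hand-maintained baseline. All three paths are assumptions.
BASELINE=${BASELINE:-/etc/hosts.deny.base}         # permanent entries
CURRENT=${CURRENT:-/etc/hosts.deny}                # file portsentry appends to
ARCHIVE=${ARCHIVE:-/var/log/hosts.deny.archive}    # where expired blocks go

# Print the entries in $2 that are not in $1, ignoring comments and blank
# lines: these are the blocks portsentry added since the last rotation.
# "|| true" keeps an empty result from looking like a failure under set -e.
dynamic_entries() {
    grep -v -e '^#' -e '^[[:space:]]*$' "$2" | grep -F -x -v -f "$1" || true
}

rotate_hosts_deny() {
    baseline=$1
    current=$2
    archive=$3
    [ -f "$baseline" ] || { echo "rotate_hosts_deny: missing $baseline" >&2; return 1; }
    [ -f "$current" ] || : > "$current"
    stamp=$(date '+%Y-%m-%d')
    # 1. Archive what was blocked, one date-stamped line per entry, so the
    #    addresses can still be reviewed against the logs later.
    dynamic_entries "$baseline" "$current" | sed "s/^/$stamp /" >> "$archive"
    # 2. Replace the live file atomically: write beside it, then rename, so
    #    tcpd never reads a half-written hosts.deny.
    cp "$baseline" "$current.tmp" && mv "$current.tmp" "$current"
}

if [ "${1:-}" = run ]; then
    rotate_hosts_deny "$BASELINE" "$CURRENT" "$ARCHIVE"
fi
```

A crontab line such as `0 4 * * * /usr/local/sbin/rotate-hosts-deny.sh run` (path assumed) gives the one-day block the post describes while keeping a record of who was blocked; the same script works for hosts.allow with the three paths changed.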
