Linux Firewall Suggestion - Linux


Thread: Linux Firewall Suggestion

  1. Linux Firewall Suggestion

    I work for a company that has no firewall. We are 20 person company whose
    connection to the Internet is via Cisco 1610 router - T1.

    The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
    Address (our mail, web site, and FTP) to 3 of the Internal Servers. It does
    a one to one mapping.

    Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
    100.100.100.100 to private 192.168.1.10);
    Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443) -
    (public ip 100.100.100.101 to private 192.168.1.11);
    Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
    100.100.100.102 to private 192.168.1.12);

    My GOAL is to get a Linux firewall that is SIMPLE to use to place between the
    internal network and our Internet router. Also, it has to be able to route
    traffic destined on public ip xxx.xxx.xxx.xxx to private ip xxx.xxx.xxx.xxx-
    same as 1 to 1 NAT mapping but more locked down due to firewall features.
    Because multiple servers have port 80 and 443, I can't just do port
    forwarding. It must be intelligent enough to see the URL/URI to forward to
    the right box.

    Hope this made sense.

    What would you guys suggest in terms of the Linux distro with this
    capability, and how I should set it up?

    Thank you!



  2. Re: Linux Firewall Suggestion

    KP wrote:
    > I work for a company that has no firewall. We are 20 person company whose
    > connection to the Internet is via Cisco 1610 router - T1.
    >
    > The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
    > Address (our mail, web site, and FTP) to 3 of the Internal Servers. It does
    > a one to one mapping.
    >
    > Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
    > 100.100.100.100 to private 192.168.1.10);
    > Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443) -
    > (public ip 100.100.100.101 to private 192.168.1.11);
    > Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
    > 100.100.100.102 to private 192.168.1.12);
    >
    > My GOAL is to get a Linux firewall that is SIMPLE to use to place between the
    > internal network and our Internet router. Also, it has to be able to route
    > traffic destined on public ip xxx.xxx.xxx.xxx to private ip xxx.xxx.xxx.xxx-
    > same as 1 to 1 NAT mapping but more locked down due to firewall features.
    > Because multiple servers have port 80 and 443, I can't just do port
    > forwarding. It must be intelligent enough to see the URL/URI to forward to
    > the right box.
    >
    > Hope this made sense.
    >
    > What would you guys suggest in terms of the Linux distro with this
    > capability, and how I should set it up?
    >


    Any Linux distribution will contain iptables. And no offence meant, but
    you will need to master iptables yourself. Most Linux admins can and
    will offer you example iptables scripts, but you must know what is going
    on, as you will certainly have to alter things from time to time. You
    will need to set up temporary logging rules, and the odd troubleshooting
    chain, and you really need to know exactly what you are doing. When
    users cannot connect to some service, the firewall is one of the main
    troubleshooting tools.

    And I'm sure you have already had plenty of advice about what you are
    running. There is no need to open port 80, as the services you mention
    can be accessed on https, and even Microsoft people do not advise
    opening unencrypted web access to the Internet. As for FTP from a
    Microsoft box.... unless you really desperately need to upload, use
    https for this as well. Oh, and PPTP needs IP protocol 47 (*not* port
    47) open as well as 1721.

    Best of luck, and in future do not post IP addresses on Usenet,
    especially just after a statement that they are not firewalled.
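As an added example (not code from Joe or any other poster in this thread), here is what the 1:1 mapping from the original post looks like as an iptables ruleset, including the points Joe raises: no unencrypted port 80, IP protocol 47 (GRE) for PPTP rather than a port, and a rate-limited logging chain for troubleshooting. It assumes the Linux box sits between the Cisco router and the LAN with `eth0` toward the router and `eth1` toward 192.168.1.0/24, uses the thread's sample addresses, and adds TCP 25 for the Exchange host on the assumption that it receives Internet mail directly. Because each public address is translated to its own internal host, ports 80/443 being in use on several servers does not collide; no URL inspection is needed for this layout. The PPTP control port defaults to 1723 (the registered value) and can be overridden through `PPTP_PORT`.

```shell
#!/bin/sh
# Added example: 1:1 NAT firewall ruleset for the three-server layout in the
# thread. Set DRY_RUN=1 to print the iptables commands instead of running them.

WAN_IF="${WAN_IF:-eth0}"        # assumed: interface facing the Cisco router
LAN_IF="${LAN_IF:-eth1}"        # assumed: interface facing the internal LAN
LAN_NET="192.168.1.0/24"
PPTP_PORT="${PPTP_PORT:-1723}"  # registered PPTP control port (the post says 1721)

# Mapping table, one server per line: public private "tcp-ports" [gre]
# Only 443 is exposed for the web front ends (no unencrypted 80); 25 is an
# assumption that the Exchange box receives Internet mail directly.
mappings() {
    printf '%s\n' \
        "100.100.100.100 192.168.1.10 25,443" \
        "100.100.100.101 192.168.1.11 443" \
        "100.100.100.102 192.168.1.12 21,${PPTP_PORT} gre"
}

# Wrapper: echo the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

base_policy() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Troubleshooting chain: log at a limited rate, then drop
    ipt -N LOGDROP
    ipt -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    ipt -A LOGDROP -j DROP
}

# One public address <-> one private host for every protocol (DNAT in, SNAT
# out), then a FORWARD filter that only admits the listed TCP ports and,
# where requested, GRE for the PPTP tunnel.
map_server() {
    pub="$1"; priv="$2"; ports="$3"; extra="$4"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$priv"
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$priv" -j SNAT --to-source "$pub"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$priv" -p tcp \
        -m multiport --dports "$ports" -m state --state NEW -j ACCEPT
    if [ "$extra" = "gre" ]; then
        # PPTP carries its tunnel in IP protocol 47 (GRE), not on a port
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$priv" -p 47 -j ACCEPT
    fi
}

# Workstations go out masqueraded behind the firewall's own WAN address.
# Added after the per-server SNAT rules so those are matched first.
lan_egress() {
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    ipt -A FORWARD -j LOGDROP
}

build_ruleset() {
    base_policy
    mappings | while read -r pub priv ports extra; do
        map_server "$pub" "$priv" "$ports" "$extra"
    done
    lan_egress
}

# Usage: DRY_RUN=1 sh fw.sh apply  (print)   or   sh fw.sh apply  (as root).
# For active-mode FTP also load the FTP connection-tracking helper module so
# the data connection is accepted as RELATED.
if [ "${1:-}" = "apply" ]; then
    build_ruleset
fi
```

Run it with `DRY_RUN=1` first and read the output: every blocked packet ends up in the `LOGDROP` chain with the `FW-DROP:` prefix in the kernel log, which is the "temporary logging rule" Joe describes when a user cannot reach a service.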

  3. Re: Linux Firewall Suggestion

    Joe wrote:

    > Best of luck, and in future do not post IP addresses on Usenet,
    > especially just after a statement that they are not firewalled.


    Look closer.

    --
    Ruurd
    ..o.
    ...o
    ooo

  4. Re: Linux Firewall Suggestion

    On Sun, 01 May 2005 22:35:01 +0100, Joe wrote:

    > Any Linux distribution will contain iptables. And no offence meant, but
    > you will need to master iptables yourself. Most Linux admins can and
    > will offer you example iptables scripts, but you must know what is going
    > on, as you will certainly have to alter things from time to time. You
    > will need to set up temporary logging rules, and the odd troubleshooting
    > chain, and you really need to know exactly what you are doing. When
    > users cannot connect to some service, the firewall is one of the main
    > troubleshooting tools.


    Something like Shorewall can take a lot of the pain out of this process.

    http://www.shorewall.net/

    > As for FTP from a Microsoft box.... unless you really desperately need
    > to upload, use https for this as well.


    Using WebDAV and XP's 'webfolders' feature may be an option here?

    > in future do not post IP addresses on Usenet, especially just after a
    > statement that they are not firewalled.


    Hello 80.177.211.93!

    --
    Mommy, what happens to your files when you die?


  5. Re: Linux Firewall Suggestion

    On Sun, 01 May 2005 20:41:30 GMT, "KP" wrote:

    >I work for a company that has no firewall. We are 20 person company whose
    >connection to the Internet is via Cisco 1610 router - T1.
    >
    >The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
    >Address (our mail, web site, and FTP) to 3 of the Internal Servers. It does
    >a one to one mapping.
    >
    >Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
    >100.100.100.100 to private 192.168.1.10);
    >Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443) -
    >(public ip 100.100.100.101 to private 192.168.1.11);
    >Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
    >100.100.100.102 to private 192.168.1.12);
    >
    >My GOAL is to get a Linux firewall that is SIMPLE to use to place between the
    >internal network and our Internet router. Also, it has to be able to route
    >traffic destined on public ip xxx.xxx.xxx.xxx to private ip xxx.xxx.xxx.xxx-
    >same as 1 to 1 NAT mapping but more locked down due to firewall features.
    >Because multiple servers have port 80 and 443, I can't just do port
    >forwarding. It must be intelligent enough to see the URL/URI to forward to
    >the right box.
    >
    >Hope this made sense.
    >
    >What would you guys suggest in terms of the Linux distro with this
    >capability, and how I should set it up?
    >
    >Thank you!
    >


    Shorewall is the best compromise I've seen between having to learn
    iptables (which is NOT for the new user) and one of those useless
    linksys boxes. It's as flexible as your ability to configure it.
    I've been using it here and installing it at client sites for several
    years. I haven't had anything that it couldn't do yet, and it really
    is much simpler than native iptables.

    http://www.shorewall.net

    Mike-

    --
    Mornings: Evolution in action. Only the grumpy will survive.
    --

    Please note - Due to the intense volume of spam, we have installed site-wide spam
    filters at catherders.com. If email from you bounces, try non-HTML, non-encoded,
    non-attachments.


  6. Re: Linux Firewall Suggestion

    KP wrote:
    > I work for a company that has no firewall. We are 20 person company whose
    > connection to the Internet is via Cisco 1610 router - T1.
    >
    > The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
    > Address (our mail, web site, and FTP) to 3 of the Internal Servers. It does
    > a one to one mapping.
    >
    > Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
    > 100.100.100.100 to private 192.168.1.10);
    > Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443) -
    > (public ip 100.100.100.101 to private 192.168.1.11);
    > Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
    > 100.100.100.102 to private 192.168.1.12);
    >
    > My GOAL is to get a Linux firewall that is SIMPLE to use to place between the
    > internal network and our Internet router. Also, it has to be able to route
    > traffic destined on public ip xxx.xxx.xxx.xxx to private ip xxx.xxx.xxx.xxx-
    > same as 1 to 1 NAT mapping but more locked down due to firewall features.
    > Because multiple servers have port 80 and 443, I can't just do port
    > forwarding. It must be intelligent enough to see the URL/URI to forward to
    > the right box.
    >
    > Hope this made sense.
    >
    > What would you guys suggest in terms of the Linux distro with this
    > capability, and how I should set it up?
    >

    I think you forgot port 25 (SMTP).

    Consider setting up proxies on the boundary box, especially
    a mail proxy for the Exchange box.

    Cheers,

    Cliff

    --

    Barzoomian the Martian - http://barzoomian.blogspot.com

  7. Re: Linux Firewall Suggestion

    Geoff King wrote:

    >
    > Hello 80.177.211.93!
    >


    Hello yourself. This is my IP address, not a client's. You'll find no
    Microsoft servers here...

  8. Re: Linux Firewall Suggestion

    m wrote:

    >> What would you guys suggest in terms of the Linux distro with this
    >> capability, and how I should set it up?
    >>
    >> Thank you!
    >>
    >>

    >
    > In my opinion you should choose OpenBSD;
    > as a firewall it is great, and easy to set up.
    > pf can do everything you want and it is quite secure.
    >


    Of course all of this can be said for Linux.

  9. Re: Linux Firewall Suggestion

    In comp.os.linux.security KP wrote:
    > connection to the Internet is via Cisco 1610 router - T1.


    Is it Cisco 160x, or 2610?
    Anyway, for a small company it should have enough horsepower
    to serve as firewall, not just an address-translating device.
    You just need proper IOS image ("IP FW", a.k.a. Firewall
    Feature Set).

    --
    andrei
