PICList Thread
'[EE] Medium Small Firewall Routers...'
2007\03\22@201846 by James Newton, Host

Is there a router that is bigger than a SOHO (e.g. Linksys, Netgear) and
smaller than a full on Cisco rack mount $K monster? Or does anyone have a
Cisco monster just "laying about"? Yeah right! ;)

Another of my little linksys boxes (a BEFSR41) has fried and I would like to
be able to run 2 or 3 IP addresses off of one more professional router at
the office. The current Cisco boxes are a bit more expensive than what I can
get the boss to swing for.
http://www.pcuniverse.com/product.asp?pid=3858385&m_id=32 ASA 5505 firewall
at $600

Is there a low hundreds DSL Firewall Router that will support 2 or more IP
addresses on the WAN side and NAT and port forwarding on the LAN side?

This one looks interesting but I've never heard of the company. Any
experiences with PeP link?
http://www.peplink.com/products/balance-30/

Another thing that looks interesting is this CISCO PIX-501-BUN-K9:
http://www.newegg.com/Product/Product.aspx?Item=N82E16833120312 $400 But I
understand that it is a firewall, not a router, and it requires some real
know-how to set up. Any CCNAs out there that want to help support the
PICList? Or just work cheap?

Just for general information, I have a DSL connection with 5 IPs of which 2
are currently used. The DSL modem connects via a small hub to two Linksys
BEFS boxes, one for one IP and one for the other. Those gateways connect into
an old 3COM SS 3300 switch. The switch connects the gateways, servers, a few
high-speed workstations and an 8 port hub that serves our "farm" of
workstations and printers.

One BEFS manages NAT for the users, blocks ports they should not be
accessing out side our net (e.g. 25,445), reports all port scans and other
illicit access to dshield.org and port forwards 80, 21, 110, and 25 to the
web / ftp / backup email server. That server is piclist.com as well as the
web site for my boss / day job (and a few others).

The other BEFS allows no traffic, but just port forwards 110 and 25 to the
primary email server. That one is the one that took a dump. We are on the
back up email server now.

The boss is putting in a new Win 2003 Small Business Pro server (Dell 840,
groan!) with some part of Exchange and SQL server which I can't wait to play
with. Since it has Exchange (supposedly) that might take over for our email
service with some sort of spam proxy in front (probably ASSP since that
seems to work well on the old email server). Since that will also have all
the financial, etc. records on it, I'm scared to death to let it serve
email as well. I want it on its own firewall / router and that would mean
having 3 separate little linksys boxes. At some point it becomes a better
idea to have one professional firewall, huh?

---
James Newton: PICList webmaster/Admin
spam_OUTjamesnewtonTakeThisOuTspampiclist.com  1-619-652-0593 phone
http://www.piclist.com/member/JMN-EFP-786
PIC/PICList FAQ: http://www.piclist.com


2007\03\22@202851 by peter green



> One BEFS manages NAT for the users, blocks ports they should not be
> accessing out side our net (e.g. 25,445), reports all port scans and other
> illicit access to dshield.org and port forwards 80, 21, 110, and 25 to the
> web / ftp / backup email server. That server is piclist.com as well as the
> web site for my boss / day job (and a few others).
I think the BEFS units can run openwrt, with openwrt installed you should be able to configure the interfaces however you like.

2007\03\22@204213 by Rolf

James Newton, Host wrote:
> Is there a router that is bigger than a SOHO (e.g. Linksys, Netgear) and
> smaller than a full on Cisco rack mount $K monster? Or does anyone have a
> Cisco monster just "laying about"? Yeah right! ;)
>
> Another of my little linksys boxes (a BEFSR41) has fried and I would like to
> be able to run 2 or 3 IP addresses off of one more professional router at
> the office. The current Cisco boxes are a bit more expensive than what I can
> get the boss to swing for.
> http://www.pcuniverse.com/product.asp?pid=3858385&m_id=32 ASA 5505 firewall
> at $600
>
>  

[snip]

Hi James, I am surely not going to be the only one to suggest it, but
what you are describing is the perfect fit for a Linux box. Take the
plunge... Use that old pentium box you were about to throw out, and
borrow a friend to help get you bootstrapped into the Linux world....
(How about creating a [Linux] tag on PIClist ... ;-)

Rolf

2007\03\22@204436 by Jake Vickers

James Newton, Host wrote:
> Is there a router that is bigger than a SOHO (e.g. Linksys, Netgear) and
> smaller than a full on Cisco rack mount $K monster? Or does anyone have a
> Cisco monster just "laying about"? Yeah right! ;)
>
> Another of my little linksys boxes (a BEFSR41) has fried and I would like to
> be able to run 2 or 3 IP addresses off of one more professional router at
> the office. The current Cisco boxes are a bit more expensive than what I can
> get the boss to swing for.
> http://www.pcuniverse.com/product.asp?pid=3858385&m_id=32 ASA 5505 firewall
> at $600
>
> Is there a low hundreds DSL Firewall Router that will support 2 or more IP
> addresses on the WAN side and NAT and port forwarding on the LAN side?
>
>  
You may want to look at something like IPCop (ipcop.org). Runs on
ordinary PC hardware, and you can get a pretty small machine from
somewhere like mini-itx.com

2007\03\22@205805 by Alan Brumley


Have you looked at the Linksys RV082?

I love mine and it supports two external WAN connections and does
load balancing and more.  It's also eligible for the "trade up" program if
you need more later on.



2007\03\22@210147 by Jake Anderson

Take a look at PFsense it should do all that with nice GUI type interfaces.

James Newton, Host wrote:

2007\03\22@210412 by Jake Anderson

Jake Vickers wrote:

I like IPCop, I'm using it for my firewall now.
It doesn't work (well) with multiple "red" IPs though. I have a PFsense
install on a client premises and it seems to be working well. I am going
to move my firewall to it.

2007\03\22@211910 by James Newtons Massmind

> Hi James, I am surely not going to be the only one to suggest
> it, but what you are describing is the perfect fit for a
> Linux box. Take the plunge... Use that old pentium box you
> were about to throw out, and borrow a friend to help get you
> bootstrapped into the Linux world....

Been there, done that, got the disconnect notice from my ISP for allowing a
cracker to turn the box into a spam relay. In fact, I've been there 3 times:
twice by myself (after reading the recommended books and having friends over
to help) and once with a freaking professional Solaris herder remotely
admining the box. ALL THREE TIMES: crACKED.

Since then, a total of 5 M$ servers. Starting with, and I'm NOT kidding: A
Windows 98 box running Personal Web Server. Which. Did. Not. Get. cracked.
For the year or more that it was up. Not one NT box has EVER been cracked.
Go ahead, prove me wrong: 66.13.172.18 crack away.

Fool me once (twice, thrice..)? I will run a *nix box when pigs fly out my
butt.

> (How about creating a [Linux] tag on PIClist ... ;-)

Yeeeeaaaaaahhhhhh.....

After all that free publicity, you would think M$ could cut me a deal on an
updated version of SQL Server.

Sorry, I should have thought to put the kibosh on the *nix thing before I
posted the question.

I want something that I can't mess up.

---
James.


2007\03\22@213848 by James Newtons Massmind


> Have you looked at the Linksys RV082?  

I had not, and thanks for pointing it out.

> I love mine and it supports two external WAN connections and
> does load balancing and more.  It's also eligible for the
> "trade up" program if you need more later on.
>


The only thing I'm a bit concerned about on this one is that one reviewer at
newegg says "You can enable 1 to 1 NAT to allow multiple IP addresses, but
there is absolutely no security in those. "
http://www.newegg.com/Product/Product.aspx?Item=N82E16833124127

I can't seem to find any documentation that says it will actually forward
e.g.:
port 25 from ip 66.13.172.18 to 192.168.1.14 AND
port 25 from ip 66.13.172.19 to 192.168.1.5

Maybe that can be done with "Static Routing" setup? Described on page 36 of
the user's manual...

---
James.



2007\03\22@215505 by Peter P.

Afaik to run multiple IPs on one DSL account you must use a DSL modem in bridge
mode and a router or two after that. Most soho routers can handle multiple
connections but not multiple NATs. So the second router would have to be
daisy-chained from the first (which would not do NAT and serve the DMZ with the
server and the workstations directly) and run as a fixed IP on the input and NAT
and DHCP on the output to serve the 'inner' network. This will cause the power
workstations in the DMZ to be invisible to the local net. What you are trying to
do fully mandates setting up a dedicated BSD or linux box with 2-3 NICs just to
do the routing and firewalling imho.

Peter P.


2007\03\22@221852 by Peter P.

James Newtons Massmind <jamesnewton <at> massmind.org> writes:

> admining the box. ALL THREE TIMES: crACKED.

I think that you have a chip on your shoulder from that experience. You have a
problem and you want to solve it. A soho router is not enough for what you need.
A cisco will likely work but it needs to be set up professionally. That costs $.
You don't have that. So using a cheap firewall with fancy options almost always
means *nix. And these things very seldom get cracked. You had some bad luck
and likely inexperienced (in security at least) admins. Most people who run *nix
do not get hacked.

Peter P.


2007\03\22@221957 by Gerhard Fiedler

Peter P. wrote:

> Afaik to run multiple IPs on one DSL account you must use a DSL modem in bridge
> mode and a router or two after that. Most soho routers can handle multiple
> connections but not multiple NATs.

I have an old SMC Barricade 7004FW, and it allows the mapping of up to 10
public IP addresses into 10 ranges of the local address space. I have never
used this feature, though.

Gerhard

2007\03\22@222702 by James Newton, Host

> What you are trying
> to do fully mandates setting up a dedicated BSD or Linux box
> with 2-3 NICs just to do the routing and firewalling imho.
>

Ok then. I'll stick with my...

DSL Modem
   |
  hub
,--'--,
FW1   FW2
'--,--'
 Switch


...setup where FW = Linksys BEFRxxx Firewall/Routers; one for .18 and one
for .19.

---
James Newton: PICList webmaster/Admin
jamesnewtonspamKILLspampiclist.com  1-619-652-0593 phone
http://www.piclist.com/member/JMN-EFP-786
PIC/PICList FAQ: http://www.piclist.com


2007\03\23@015104 by Jake Anderson


> Been there, done that, got the disconnect notice from my ISP for allowing a
> cracker to turn the box into a spam relay. In fact, I've been there 3 times:
> twice by myself (after reading the recommended books and having friends over
> to help) and once with a freaking professional Solaris herder remotely
> admining the box. ALL THREE TIMES: crACKED.
>  
Were any of those running a "firewall" distribution though?
or were they fully featured OS's?

For a firewall/router use a firewall/router that a bunch of other people
who really know their stuff have built for you and made it nice and easy
to use.

2007\03\23@063142 by Byron A Jeff

On Thu, Mar 22, 2007 at 08:44:35PM -0400, Jake Vickers wrote:
> James Newton, Host wrote:
> > Is there a router that is bigger than a SOHO (e.g. Linksys, Netgear) and
> > smaller than a full on Cisco rack mount $K monster? Or does anyone have a
> > Cisco monster just "laying about"? Yeah right! ;)
> >
> > Another of my little linksys boxes (a BEFSR41) has fried and I would like to
> > be able to run 2 or 3 IP addresses off of one more professional router at
> > the office. The current Cisco boxes are a bit more expensive than what I can
> > get the boss to swing for.
> > http://www.pcuniverse.com/product.asp?pid=3858385&m_id=32 ASA 5505 firewall
> > at $600
> >
> > Is there a low hundreds DSL Firewall Router that will support 2 or more IP
> > addresses on the WAN side and NAT and port forwarding on the LAN side?
> >
> >  
> You may want to look at something like IPCop (ipcop.org). Runs on
> ordinary PC hardware, and you can get a pretty small machine from
> somewhere like mini-itx.com

I second that recommendation. I originally had a full Slackware system as
my firewall/router. It was rootkitted about 5 years ago. I switched to
Smoothwall. I haven't had a problem since.

I'll post a message on my local Linux user's group E-mail list about your
specs and concerns. One of the members is a nationally recognized security
expert and author (Bob Toxen)

http://search.barnesandnoble.com/booksearch/isbnInquiry.asp?isbn=0130464562

I'm pretty sure I can get some sound recommendations.

BAJ

2007\03\23@063737 by Hector Martin

James Newtons Massmind wrote:
> Been there, done that, got the disconnect notice from my ISP for allowing a
> cracker to turn the box into a spam relay. In fact, I've been there 3 times:
> twice by myself (after reading the recommended books and having friends over
> to help) and once with a freaking professional Solaris herder remotely
> admining the box. ALL THREE TIMES: crACKED.

That's a pretty unusual experience. Either way, this would be a firewall
box, which is pretty hard to crack from the outside unless you've
screwed it up bigtime (read: allowed passwordless telnets from the
outside or something equally stupid). Any properly configured firewall
should leave zero open ports to the internet (easily tested and
confirmed), which pretty much guarantees it won't get hacked, ever. You
could go with an old Pentium box and an x86 firewall distro, or use
openwrt or dd-wrt and use actual router hardware (Linksys WRT54G and
friends).

FWIW, I've had a Linux firewall run at my parent's office for years now,
with no reboots and no problems. There are two further Linux machines
under that, one of them with open ports to the Internet. Again, zero
problems, and definitely no getting cracked. I run a VM
web/mail/list/etc server (which is what I'm using as an SMTP server to
send this message, among other things), and the only problem I've ever
had (even though I haven't been keeping up with updates, and I have a
ton of open services because I use them all) is a phpbb forum board
getting hacked because I didn't care to update it (read: would have
happened the same on windows, and the only changes were some moron
renamed my forum account, changed the password, and messed with one of
the forum titles to inject HTML and do some stupid stuff with the page -
took about 5 minutes to revert and update, and there was no damage or
even notice outside of that particular forum - I never even noticed
since I had pretty much abandoned it anyway).

I've heard of very few properly set-up Linux boxes hacked. Much less
firewall distros - unless there's some mysterious bug in the networking
stack, they are pretty much impossible to crack into.

Whatever your previous experience with mail/web servers under
UNIX/Linux, I think you should seriously consider it as a firewall if
nothing else. The application is totally different, it is trivial to
check if there is anything open, it is a great option, you don't need
any special hardware, and it rivals Cisco stuff in features and quality.

If you want to, I could help you set it up :)

--
Hector Martin (.....hectorKILLspamspam.....marcansoft.com)
Public Key: http://www.marcansoft.com/marcan.asc

2007\03\23@064022 by Hector Martin

Oh, I forgot. If you want a box that will never, ever, ever get cracked,
get OpenBSD :)

--
Hector Martin (EraseMEhectorspam_OUTspamTakeThisOuTmarcansoft.com)
Public Key: http://www.marcansoft.com/marcan.asc

2007\03\23@111230 by Martin Klingensmith

I've run several linux servers, some high profile ones, for 6 years and I've
only been "cracked" once. All they were able to do was to overwrite public
user space and say "wE hAx0rEd YoU" anyway. This was when I ran an IRC
server and there was probably SOMEONE port scanning me at any point during
the day.
Since I've eliminated ftp and irc altogether and run only trusted software,
I've never had one problem.
I've recommended these things to James before, I know he's not interested.
How about FreeBSD, James? It's the old cool thing. (OpenBSD is the new cool
thing)
--
Martin Klingensmith

On 3/22/07, Peter P. <plpeter2006spamspam_OUTyahoo.com> wrote:


2007\03\23@113750 by William Chops Westfield


On Mar 23, 2007, at 3:40 AM, Hector Martin wrote:

> If you want a box that will never, ever, ever get cracked, get
> OpenBSD..

I had a coworker, a real unix wizard (contributed to kernel, etc), who
one day found that his home unix system (I *think* some BSD variant)
had become a distribution point for assorted copyrighted material by
assorted people that he wasn't at all associated with.  I.e., cracked, in
a sort of low profile way.

It's not how good you are, it's whether you're paying attention to
every little thing that could go wrong.  Use windows and you get to
yell at microsoft for issues.  Use a real router, and you trust the
router sw vendor.  Use linux, and you're on your own!  (yeah, you
do a lot better if you can find a distribution that installs ONLY
the bits and pieces that you're interested in, rather than a
windows-like "install the world" distribution.  Except that those
limited distributions tend to have more limited support as well.)

There's a big market for used cisco gear on eBay.  I'm not sure
you'll find the sort of features you're looking for in old SW on
old platforms, though.  I'd be very inclined to separate my routing
functionality from firewall-type functions into separate boxes, but
I'm pretty old-school.

BillW

2007\03\23@114557 by Yigit Turgut

I prefer you to use OpenBSD. I had set up a box for a client of mine about
3 years ago. The box was running a mail server, sshd and a tiny
webserver which is an interface for the mail server. Another system
that I had set up for them gave some kind of an error and they called
me. When I went there for the crashed pc I checked out the box and realized that
this machine running OpenBSD is rock solid. Total size of IDS log and
IPS log was (no exaggeration) about 1350~MB. Lots of
intrusion attempts, bad password tries and etc. But the point is when I
went there recently, the system was the same as when I left 3 years ago. The firm
is a plastic manufacturer and they have only 50-60 clients.

OpenBSD is way better than the other operating systems. Unless you
can use a netserver running AIX or an hp server running HP-UX, you should
listen to me. There are small-sized embedded-like x86 systems. I had
used Soekris Engineering's products. Recently we switched to another
product but the performance/price of soekris will work out for you. They
are stable and resistant to environmental effects.

You can create miracles with ipfilter.

On 3/23/07, Martin Klingensmith <@spam@martin.klingensmithKILLspamspamgmail.com> wrote:

2007\03\23@122244 by Peter P.

Yigit Turgut <y.turgut <at> gmail.com> writes:

> this machine running OpenBSD is a rock solid.Total size of IDS log and
> IPS log was about (no exaggeration) was about 1350~MB.Lots of

There exists a thing called log rotation. There should be no 1.3GB logs unless
you are collecting data for a study or something imho.

> miracles with ipfilter

I don't think that a reasonably secured box is a 'miracle' in 2007 (after 37
years of *nix). It should be the state of the art.

Peter P.


2007\03\23@123809 by Peter P.

James Newton, Host <jamesnewton <at> piclist.com> writes:

>
> > What you are trying
> > to do fully mandates setting up a dedicated BSD or Linux box
> > with 2-3 NICs just to do the routing and firewalling imho.
> >
>
> Ok then. I'll stick with my...
>
> DSL Modem
>     |
>    hub
>  ,--'--,
> FW1   FW2
>  '--,--'
>   Switch

I thought you wanted something more like:


DSL------FW1----===HUB1===-----FW2+ROU+HUB2==
               |   |    |           |  
              www pwr  pwr        local ...
              srv dsk1 dsk2

FW1 passes everything for pwr users and www but filters internal network, FW2
NATs the local net onto an external IP and allows it to see dsk1 and dsk2 (and
www if you want to). dsk1 and dsk2 see the local net as one IP (not good, they
can't print etc - for that you'd have to attach printers etc on HUB1 - unless
FW2 is not soho but *nix and then you can forward what you need between them).

Your setup I don't understand. You seem to run a mixed net on the inside,
negating the effect of both firewalls (they are ORed together).

The rules needed to make this setup work are rather advanced for any SOHO box
(the second router can be a soho). A (*nix) router box with 3 or 4 nics would
solve everything nicely (yes, I know, you don't want that).

Peter P.


2007\03\23@130517 by Byron A Jeff

On Fri, Mar 23, 2007 at 04:37:26PM +0000, Peter P. wrote:
> James Newton, Host <jamesnewton <at> piclist.com> writes:

> The rules needed to make this setup work are rather advanced for any SOHO box
> (the second router can be a soho). A (*nix) router box with 3 or 4 nics would
> solve everything nicely (yes, I know, you don't want that).

I don't think that it's the fact that James doesn't want it. I think that James
has been burned before. I believe that if I tried using something on three
different occasions and it didn't work any of the three times, I'd be put off
trying it for a fourth time, even when others are saying that it's been no
problem for them.

You then couple that with the fact that James isn't an accomplished Unix
admin, and that Unix boxes certainly can leave other avenues for access
open, and I believe his concerns are justified.

What I didn't get from James' failed post was whether or not he and his
consultant were using specialized firewall distributions or a generic
Unix/Linux distribution configured as a firewall. I think that from both a
security and usability standpoint, that a specialized firewall distribution
(IPCop, Smoothwall, Endian, Monowall, and Wolverine Firewall) offer a much
higher chance of getting a secure, successful installation.

BAJ

2007\03\23@131807 by Yigit Turgut

> There exists a thing called log rotation. There should be no 1.3GB logs
> unless
> you are collecting data for a study or something imho.

Really ?

In most cases, if it's not configured that way, log rotation is not
an automatically done process. And on the other hand, server software
*must* be restarted in order for scripts to rotate the log files,
because while the server is on the air it will be writing to the files
and when a file is in use its permissions are restricted. There are
multiple approaches to this problem such as piping logs or coding
custom scripts (notice that not all of the platforms support even
reading from a file while it's in use by a task). In a multinational
big-size company consisting of 1000+ employees connected through a
mono-platform data exchange software, due to GMT time differences, the
server software may not be restarted until the next upgrade.

> I don't think that a reasonably secured box is a 'miracle' in 2007 (after 37
> years of *nix). It should be the state of the art.

The boxes you consider *secure* have multiple vulnerabilities. And
believe me, there are lots and lots of 0-days running in the wild
underground. Building a secured box requires lots of hard work. Hard
work is what creates miracles.

2007\03\23@132215 by John

Why don't they just use a Cisco PIX? It's cheap and a very good piece of kit.

Byron A Jeff wrote:

2007\03\23@151743 by James Newton, Host

> I thought you wanted something more like:
>
>
> DSL------FW1----===HUB1===-----FW2+ROU+HUB2==
>                 |   |    |           |  
>                www pwr  pwr        local ...
>                srv dsk1 dsk2
>
> FW1 passes everything for pwr users and www but filters
> internal network, FW2 NATs the local net onto an external IP
> and allows it to see dsk1 and dsk2 (and www if you want to).
> dsk1 and dsk2 see the local net as one IP (not good, they
> can't print etc - for that you'd have to attach printers etc
> on HUB1 - unless
> FW2 is not soho but *nix and then you can forward what you
> need between them).

No, it's not about controlling users. I don't want them able to send email
via servers outside our net so port 25 out is blocked, and 445 is also.
Other than that, I don't care.

> Your setup I don't understand. You seem to run a mixed net on
> the inside, negating the effect of both firewalls (they are
> ORed together).

Neither firewall will allow accesses from outside to inside EXCEPT: if
someone inside made a request outside and this is the reply (NAT) or for
certain ports that get forwarded to servers inside. Since neither firewall
allows general outside access, they do not negate each other. One manages
one IP address from the DSL modem, the other manages the other IP address.

Port 25 requests from IP"A" go to Server"A" via FW1 and port 25 requests
from IP"B" go to Server"B" via FW2.

The original post on this thread was asking for a firewall that could manage
two ( or more ) IP addresses in that same way.

> The rules needed to make this setup work are rather advanced
> for any SOHO box (the second router can be a soho).

I'm amazed to hear that. It seems simple as heck to me.

> A (*nix)
> router box with 3 or 4 nics would solve everything nicely
> (yes, I know, you don't want that).

What I have works, I was just hoping for something better.

---
James.

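The policy James lays out above (nothing inbound except NAT replies and a few forwarded ports, port 25 of IP "A" to server "A" and of IP "B" to server "B", LAN users blocked from 25 and 445 outbound), written out as a Linux iptables rule set for the single multi-NIC *nix box Peter P. keeps proposing. This is an added example, not configuration from the thread or from any product named in it; the interface names eth0/eth1, the 192.168.1.0/24 LAN, and the exemption letting the two mail servers themselves deliver on port 25 are assumptions, while the public and internal addresses are the ones James quotes. The script prints the commands rather than applying them, so the set can be reviewed before being piped into sh on the firewall.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables rule set for one
# Linux firewall fronting two public IPs, each with its own port forwards.
# Assumptions: eth0 faces the DSL modem, eth1 faces the LAN switch.

WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
IP_A=66.13.172.18    # public IP "A": web / ftp / backup mail server
IP_B=66.13.172.19    # public IP "B": primary mail server
SRV_A=192.168.1.14   # internal host behind IP A
SRV_B=192.168.1.5    # internal host behind IP B

# forward_rule PUBLIC_IP PORT INTERNAL_IP
# DNAT happens in PREROUTING, so by the time FORWARD sees the packet its
# destination is already the internal host; match on that.
forward_rule() {
    echo "iptables -t nat -A PREROUTING -i $WAN -d $1 -p tcp --dport $2 -j DNAT --to-destination $3:$2"
    echo "iptables -A FORWARD -i $WAN -o $LAN -d $3 -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

gen_rules() {
    # Start clean; default deny for traffic to and through the box.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections opened from inside (the NAT case). With the
    # nf_conntrack_ftp helper loaded, RELATED also covers FTP data channels.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # LAN egress: no direct SMTP or SMB out, except from the two mail
    # servers, which must deliver mail. The DROP must precede the general
    # accept because rules are evaluated in order.
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $SRV_A -p tcp --dport 25 -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $SRV_B -p tcp --dport 25 -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN -o $WAN -p tcp -m multiport --dports 25,445 -j DROP"
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT"

    # Published services: IP A carries web, ftp, pop3 and smtp to server A;
    # IP B carries only pop3 and smtp to server B. Nothing else is reachable.
    for p in 80 21 110 25; do forward_rule $IP_A $p $SRV_A; done
    for p in 110 25; do forward_rule $IP_B $p $SRV_B; done

    # Source NAT: server B leaves as IP B so its outbound mail comes from
    # the address its DNS records name; everything else leaves as IP A.
    # The host-specific rule must come before the catch-all.
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $SRV_B -j SNAT --to-source $IP_B"
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $IP_A"
}

# Sanity check: number of published ports (should equal 4 + 2 = 6).
count_dnat() {
    gen_rules | grep -c -- '-j DNAT'
}

gen_rules
```

Review the printed rules, then apply them on the firewall with `sh firewall-rules.sh | sh` and confirm from outside that only the six published ports answer.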

2007\03\23@152112 by James Newton, Host

> What I didn't get from James' failed post was whether or not
> he and his consultant were using specialized firewall
> distributions or a generic Unix/Linux distribution configured

We were using generic distros, but we (I at first) did do what we could find
and understand to harden them. E.g. there was NO telnet port open on the
first two Red Hat boxes. I never logged in as root, but always as a minor
user and then SU for root access. I closed all ports that were not in use
leaving only web, email, and ftp open.


> as a firewall. I think that from both a security and
> usability standpoint, that a specialized firewall
> distribution (IPCop, Smoothwall, Endian, Monowall, and
> Wolverine Firewall) offer a much higher chance of getting a
> secure, successful installation.

You may well have a point. I just don't have that great a need so I will not
try again at this point.

---
James.


2007\03\23@154915 by Philip Pemberton

Byron A Jeff wrote:
> I second that recommendation. I originally had a full Slackware system as
> my firewall/router. It was rootkitted about 5 years ago. I switched to
> Smoothwall. I haven't had a problem since.

I'm doing some server admin work for a friend who's running a webhosting
company. Updates are set to fully-automatic, and if there's a kernel update, I
get an email to tell me to reboot the server. So far we've never been hacked,
except the one time I turned all the security off on the old server after I
decommissioned it. Took about eight hours before a spammer hacked it (I did
block just about all outbound traffic from the server at the firewall though -
I'm not quite that stupid).

99% of the problems people seem to have with Linux boxen are solely down to
not keeping up to date with security patches. With Fedora, you have to set
'yum update' to run at a sane time (IIRC the default is 3AM), or remember to
run it manually.

I also ended up taking over a server that got well and truly hacked
black-and-blue a few weeks ago - I transferred the user accounts over to our
server, spent two days figuring out how the hacker got in, then powered down
the hacked server for the last time and called the hosting company to have it
pulled from the rack.

Turns out a user had a vulnerable copy of phpBB installed, which was used to
upload a PHP-based 'grabber' script. That script downloaded and compiled a
local-root exploit that got the attacker a root shell. The attacker then used
the root shell to change the root password and create himself an account.
Finally, he SSH'd in, took root, defaced every single page on the server and
set the thing up as a porn/MP3/warez FTP site.

The really annoying part of the whole thing? The kernel patch had installed.
It just didn't take effect because the former sysadmin ignored the "REBOOT
YOUR SYSTEM ASAP!" warning in the Update Manager (the server had a web-admin
interface set up for doing basic admin tasks like updating software without
pulling up a shell)...

The same applies to Windows though - install XP (even SP2) and put it on the
Internet, and it'll be hacked in seconds, even with the Windows firewall...

I'm not trying to start a holy war here - all I'm saying is that for any OS,
you need to know what you're doing. Linux is better than Windows for some
things, but other things (read: ASP hosting) are better done on Windows.

I'll also admit that the Linux IPTables firewall, while powerful, is an utter
pain in the ass to set up. Fedora's defaults are nice and secure ('block
everything unless the local machine initiated the connection') but $DEITY help
you if you actually want to make it do something else...

--
Phil.                         |  (\_/)  This is Bunny. Copy and paste Bunny
RemoveMEpiclistTakeThisOuTspamphilpem.me.uk         | (='.'=) into your signature to help him gain
http://www.philpem.me.uk/     | (")_(") world domination.

2007\03\23@161215 by Martin Klingensmith

Modern distros have "high security" settings. James Newton says that his
first two distros were RedHat. RedHat used to get a LOT of booing from the
Linux crowd for being the "dumbed down" Linux distro that used to leave
holes open by default. Byron A. Jeff says he had a slackware machine that
was root-kitted. So did I, probably the same amount of time ago. Slackware
was great in its day for people who liked to use ifconfig and iptables to
see what was going on, instead of a vendor config tool. It's wildly
outdated now.
What I would do if I was going to build a new Linux router would be to run a
stripped debian-stable installation and explicitly enable what I wanted -
nothing but NAT and port forwarding. Maybe some state-based filtering.
If I was going to run FreeBSD I'd do the same thing. I've run more than one
Soekris net4501 for literally years without rebooting and no problems. It
was never remotely hacked or rooted because it was merely firewalling
traffic. I tend to believe it played a part in keeping the servers behind
the router from being hacked because people couldn't find an antiquated
service I accidentally left running or some similar issue.
--
Martin Klingensmith

2007\03\23@171753 by Herbert Graf

On Fri, 2007-03-23 at 16:50 +1100, Jake Anderson wrote:
> > Been there, done that, got the disconnect notice from my ISP for allowing a
> > cracker to turn the box into a spam relay. In fact, I've been there 3 times:
> > twice by myself (after reading the recommended books and having friends over
> > to help) and once with a freaking professional Solaris herder remotely
> > admining the box. ALL THREE TIMES: crACKED.
> >  
> Were any of those running a "firewall" distribution though?
> or were they fully featured OS's?
>
> For a firewall/router use a firewall/router that a bunch of other people
> who really know their stuff have built for you and made it nice and easy
> to use.

Agreed. Let me add that this problem was MUCH worse in the past. Only a
few years ago it was common for linux distros to have a TON of stuff
"on" by default. Boxes with telnet/rlogin enabled were common.

The reason was it was ASSUMED that the people installing those distros
knew what they were doing and would shut off what wasn't needed. Of
course, then Linux started to get a little more mainstream, more and
more people who simply heard the word "linux" installed it and put it
online, and all kinds of problems happened.

These days, most common distros are quite tight, often either disabling
pretty much everything, limiting features to the localhost only, or only
enabling things considered "safe".

TTYL

2007\03\23@172326 by James Newton, Host

> Why dont they just use a Cisco Pix. Its cheap and a very good
> piece of kit.

Your definition of cheap may not match mine. I'm seeing the lowest cost
versions at around $600.

---
James.


2007\03\23@173840 by Peter P.

Yigit Turgut <y.turgut <at> gmail.com> writes:

> Really ?

http://www.debian-administration.org/articles/117

If company policy dictates that mandatory server restarting is not allowed, then
you are right, it can't be done with plain logrotate. Instead, one uses a socket
for logging and a script listening on it is sent a signal to close and reopen
the logfile.

Peter P.


2007\03\24@133205 by Darrell Bellerive

On March 22, 2007 04:42 pm, Rolf wrote:

Take a look at floppyfw: http://www.zelow.no/floppyfw/


--
Darrell Bellerive
Amateur Radio Stations VA7TO and VE7CLA
Grand Forks, British Columbia, Canada
