Linux Firewalling...opinions desired....

Need4Speed

Diamond Member
Dec 27, 1999
5,383
0
0
I'll start with my current setup:

Cable Modem -- Netgear RT311 NAT Router -- switches -- Several Linux Machines (Caching DNS & local DNS Server, Mail, HTTP) and a couple of workstations

I've been toying with pulling the Netgear out and replacing it with an iptables box of some kind. I know there are a ton of drop-in-place *nix firewalls, but I prefer the challenge of learning it myself. I'll more than likely use Debian for the firewall.

I know that I want a trusted and an untrusted (DMZ for servers) zone behind the firewall. Being that I already have a router, I could set something like this up:

Netgear -- Switch (setup dmz here) -- attach firewall here --- switch --- workstations.

This way I could use a plain old 2 nic iptables config.

Or should I use a three-NIC firewall and not bother using the Netgear router? If I decide to use the 3-NIC version, how can I still allow my local workstations to send and retrieve mail through the DMZ?

Is the three-NIC version more difficult to configure? Any advice would be appreciated.
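To make the three-NIC question concrete, here is an added example (not code from anyone in this thread) of an iptables ruleset for exactly that layout: cable modem on one NIC, servers in a DMZ on a second, workstations on a third, with the LAN allowed to send and fetch mail from the DMZ mail server but the DMZ never allowed to open connections back into the LAN. Interface names (eth0/eth1/eth2), the two private subnets and the server addresses are assumptions; change them to match the real boxes. The script prints the ruleset in iptables-restore format so it can be read over before it is loaded.

```shell
#!/bin/sh
# Added example, not code from the thread. Three-NIC iptables firewall for
# the layout asked about: cable modem on the outside, servers in a DMZ,
# workstations on a trusted LAN. Names and addresses below are assumptions:
#   eth0  public side (address from the cable provider via DHCP)
#   eth1  DMZ   192.168.1.0/24   mail .25, DNS .53, web .80
#   eth2  LAN   192.168.2.0/24
# The ruleset is emitted in iptables-restore format so it can be reviewed
# before it is loaded and saved as-is (e.g. to /etc/iptables/rules.v4).
WAN=eth0; DMZ=eth1; LAN=eth2
DMZ_NET=192.168.1.0/24; LAN_NET=192.168.2.0/24
MAIL=192.168.1.25; DNS=192.168.1.53; WEB=192.168.1.80

build_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# One public IP: publish DMZ services by port-forwarding from the outside NIC
-A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to-destination $MAIL
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB
-A PREROUTING -i $WAN -p udp --dport 53 -j DNAT --to-destination $DNS
-A PREROUTING -i $WAN -p tcp --dport 53 -j DNAT --to-destination $DNS
# Everything leaving toward the modem gets the public address
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful core: replies to known connections are let back through
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: private source addresses never arrive from the Internet,
# and DMZ hosts may only speak with their own addresses
-A FORWARD -i $WAN -s 10.0.0.0/8 -j DROP
-A FORWARD -i $WAN -s 172.16.0.0/12 -j DROP
-A FORWARD -i $WAN -s 192.168.0.0/16 -j DROP
-A FORWARD -i $DMZ ! -s $DMZ_NET -j DROP
# Manage the firewall itself only from the LAN
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Internet -> DMZ: only the published services, only to the host running them
-A FORWARD -i $WAN -o $DMZ -d $MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DNS -p udp --dport 53 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DNS -p tcp --dport 53 -m state --state NEW -j ACCEPT
# LAN -> DMZ: workstations submit (25) and fetch (110/143) mail, resolve names, browse
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $MAIL -p tcp -m multiport --dports 25,110,143 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DNS -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DNS -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
# LAN -> Internet: unrestricted outbound
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
# DMZ -> Internet: only what the servers need (outbound mail, recursive DNS)
-A FORWARD -i $DMZ -o $WAN -s $MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -s $DNS -p udp --dport 53 -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -s $DNS -p tcp --dport 53 -m state --state NEW -j ACCEPT
# DMZ -> LAN: no new connections; a compromised server must not reach the workstations
-A FORWARD -i $DMZ -o $LAN -m state --state NEW -j LOG --log-prefix "dmz-to-lan: "
-A FORWARD -i $DMZ -o $LAN -j DROP
COMMIT
EOF
}

# Load the whole ruleset atomically and turn on routing between the NICs (run as root)
apply_ruleset() {
  build_ruleset | iptables-restore
  sysctl -w net.ipv4.ip_forward=1
}

case "${1-}" in
  show)  build_ruleset ;;
  apply) apply_ruleset ;;
esac
```

Two things to keep in mind with this layout. The DNAT rules only match on the outside interface, so workstations must talk to the DMZ servers by their private addresses (the local DNS server the thread mentions can hand out 192.168.1.x for the internal names). And because iptables-restore replaces the tables in one step, editing the script and re-running `apply` is the "reload" that the later ipfw discussion in this thread is missing; the LOG line for DMZ-to-LAN attempts is worth watching, since any hit there is a server trying to reach somewhere it should not.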
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0
Honestly, learning iptables was very very hard for me, in fact I pretty much never learned it very well. It is very difficult for me to read. ipf, pf, and ipfw are all much, much nicer in syntax, IMO, but then again I don't know if you want to run a BSD.
 

Need4Speed

Diamond Member
Dec 27, 1999
5,383
0
0
Is BSD that much easier for firewalling? I'd be willing to run whatever I need to... I'd rather run BSD and understand it 100% than iptables and leave a hole open.
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0
ipf syntax:

pass in quick on xl0 proto udp from any to 20.20.20.2/32 port=53 keep state
pass in quick on xl0 proto tcp from any to 20.20.20.2/32 port=53 flags S keep state
pass in quick on xl0 proto tcp from any to 20.20.20.3/32 port=25 flags S keep state
pass in quick on xl0 proto tcp from any to 20.20.20.7/32 port=80 flags S keep state

iptables syntax:

/sbin/iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
/sbin/iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
/sbin/iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
/sbin/iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

Just some snippets I grabbed on Google, feel free to look for more. A lot of people use iptables and like it just fine, but I grew a very strong distaste for it. Just MO though.
 

Soybomb

Diamond Member
Jun 30, 2000
9,506
2
81
I agree with bbwf. I used to do ipchains and iptables; now I use FreeBSD with ipf, and I think I was dumb for not doing it this way all along.

Some sample IPF rules:
block in quick on xl0 from 192.168.0.0/16 to any #RFC 1918 Private IP
block in quick on xl0 from 172.16.0.0/12 to any #RFC 1918 Private IP
block in quick on xl0 from 10.0.0.0/8 to any #RFC 1918 Private IP
pass in quick proto icmp from any to any icmp-type 0
pass in quick on xl0 proto tcp from any to asok/32 port = 80 flags S keep state keep frags

I can't even remember what that would look like in iptables...thankfully ;)
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
While I love Linux for many things, I really like OpenBSD's PF for firewalls. If you haven't looked into that, I'd highly recommend it. The concepts are identical, so the following applies either way. Also, you don't specify what your IP addressing situation is. I'm assuming that you've got one public IP on the external interface of the Netgear, and everything is NAT'ed to private space inside. If not, that could change things considerably.

Your first example is

Netgear Router --> Switch (DMZ) --> Firewall --> Switch --> LAN

You say this would get you both a trusted and untrusted zone behind the firewall, but this is not true. Anything on the DMZ switch, while still NAT'ed, is not being filtered by the firewall. Maybe I'm misunderstanding you, though. In any event, you could set things up according to the above diagram. As far as routing goes, it would be easiest if the firewall were a bridge - no IP addresses, just passing traffic across the interfaces and filtering. The downside is that you need either a real console or a serial console to admin the box - you can't SSH to a box with no IP address. However, a better setup IMO would be...

Netgear Router --> Firewall (Bridge) --> Switch --> LAN/DMZ

That lets you filter traffic to the public machines. Even if they're servers, there's no reason to let every single packet hit them unless there's no other choice (like with a passive FTP server, maybe). Give the servers static IPs outside the DHCP range, and give those IPs different rules than the workstations. Except for the lack of SSH, this is a pretty nice setup - easy to write rules for, and quite flexible in what it can do. For example, you can have a server offer internal-only services by blocking those services on the firewall, since LAN traffic won't pass through the firewall at all. As a variant of the above, you could set up the firewall as a NAT router and DHCP server instead of a bridge - then you configure the Netgear to pass everything through to the firewall and let it sort things out. That's a bit more configuration, but gives you an IP for the firewall and full control over DHCP.

As you mention, you could probably ditch the Netgear altogether - I don't know cable modems, but I assume you can hook it direct to a machine, and get a public IP on that interface via PPPoE or DHCP? If so, then you could do...

Modem --> Firewall (Router, NAT, DHCP) --> Switch --> LAN

That would be a simpler version of the variant mentioned above. This is just a bit more complicated than the bridging scenarios to set up, and would be the most flexible and powerful in your situation. Unless you've got multiple public IPs, I don't see why you would need a three-legged firewall. Any traffic you would distinguish by interface could be identified by IP just as well, provided your servers have static (private) IPs. You would only need a third interface if you needed to split traffic between public IPs and private NAT space.
 

skyking

Lifer
Nov 21, 2001
22,575
5,645
146
allow log logamount 100 tcp from any 3783 to any via ed0
deny ip from any to 192.0.2.0/24 via ed0
allow log logamount 100 tcp from 24.24.24.24 to any 22 in recv ed0

Those are some examples of rc.firewall.dynip in FreeBSD's IPFW
Changes made there require a reboot to take effect.

You can open ports on the fly without rebooting, AND edit rc.firewall.dynip, and at the next boot, the changes will be permanent.

For adding a rule or opening a port without a reboot:
ipfw add <some number here> allow log logamount 100 tcp from 24.24.24.24 to any 22 in recv ed0 setup
I find it very straightforward to use, especially when using yy p in vi. I can do the instant change in ipfw add so someone can log in, then I go to rc.firewall.dynip and make it permanent if I wish.
 

Need4Speed

Diamond Member
Dec 27, 1999
5,383
0
0
well, sounds like bsd it is...ill have to do some reading up on this over the next couple days.. :)
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0
Originally posted by: skyking
allow log logamount 100 tcp from any 3783 to any via ed0
deny ip from any to 192.0.2.0/24 via ed0
allow log logamount 100 tcp from 24.24.24.24 to any 22 in recv ed0

Those are some examples of rc.firewall.dynip in FreeBSD's IPFW
Changes made there require a reboot to take effect.
You sure about that?
You can open ports on the fly without rebooting, AND edit rc.firewall.dynip, and at the next boot, the changes will be permanent.

For adding a rule or opening a port without a reboot:
ipfw add <some number here> allow log logamount 100 tcp from 24.24.24.24 to any 22 in recv ed0 setup
I find it very straightforward to use, especially when using yy p in vi. I can do the instant change in ipfw add so someone can log in, then I go to rc.firewall.dynip and make it permanent if I wish.

There is *no* way to stop and restart ipfw? That can't be true.
 

skyking

Lifer
Nov 21, 2001
22,575
5,645
146
It is so deep in the kernel, there is no way to do it. I have looked into it, but it really is not an issue. Any temp changes can be handled with ipfw add, along with editing the rc.firewall.dynip file. It will do as you ask until the next reboot, and continue to do so if you remember to edit the file accordingly.
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0
Originally posted by: skyking
It is so deep in the kernel, there is no way to do it. I have looked into it, but it really is not an issue. Any temp changes can be handled with ipfw add, along with editing the rc.firewall.dynip file.

Damn, that is crazy. One more reason to use NetBSD and ipf :D :p
 

skyking

Lifer
Nov 21, 2001
22,575
5,645
146
Right, it is a bad thing for a firewall box to have its primary function sooo integrated......
;)
I prefer the language to ipf, thank you:)
 

skyking

Lifer
Nov 21, 2001
22,575
5,645
146
I ran out of iiiiiiii's
it is edited now:)
It works for me, and the syntax of the config file looks more "plain language" to me. Proto, quick, keep state? What is up with that?
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0
Originally posted by: skyking
I ran out of iiiiiiii's
it is edited now:)
Ah, my bad.

It works for me, and the syntax of the config file looks more "plain language" to me. Proto, quick, keep state? What is up with that?
proto is protocol, quick means "finish matching at this rule" (vs matching the last rule that applies), keep state...keeps state. Dunno how to explain that one.
 

skyking

Lifer
Nov 21, 2001
22,575
5,645
146
There is no analog to it in IPFW, that is why I asked. I am going to try a multi-nic box, with 3 inside interfaces. Have you ever done one of those? I have a tulip 4 port nic i was going to try, and use it to subnet off wireless with only internet access, and one for the normal lan, and a server nic for http kinds of things.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
That's what fwbuilder is for.

And if ipfw really needs an OS restart for changes things are f'd up, even OpenBSD has the pfctl command to test, reload, etc the pf.conf file.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
but I prefer the challenge of learning it myself. I'll more than likely use Debian for the firewall.

As much as I like Linux iptables annoys me, but if he's up for it more power to him.

Oh and fwbuilder produces really clean, commented scripts. It wouldn't be a bad place to start.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: skyking
There is no analog to it in IPFW, that is why I asked. I am going to try a multi-nic box, with 3 inside interfaces. Have you ever done one of those? I have a tulip 4 port nic i was going to try, and use it to subnet off wireless with only internet access, and one for the normal lan, and a server nic for http kinds of things.

I currently have a 3 nic firewall machine at home. I have the outside nic, the "dmz" nic, and a wireless nic. It works just fine.