
[Sheflug] Firewalls, routers, gateways (was kernel on other machine)
>>>>> "Barrie" == Barrie Bremner <TheEnglishman [at] ecosse.net> writes:

    Barrie> I assumed that a firewall is a system to keep the great
    Barrie> unclean from getting at my network?

That's the usual purpose.  However, people talk about running a
firewall on a single host; you have to think carefully about inside
and outside (and know a little about how the TCP/IP stack is
implemented).

Most firewalls are intended to keep information from getting out (e.g.,
the internal number of hosts and their allocation could be
strategically valuable as such in industrial espionage, not to mention
their value in cracking the network).

    Barrie> A router obviously is a system to route traffic, including
    Barrie> ip masq'ing, and this also covers gateways.

Not precisely.  A router is a component of a single network, just
passing packets according to address, while a gateway connects two
networks, processing the packets in some way.  The functions can be
combined, and things get confusing in an Ethernet where everything is
connected to everything else.

A firewall may use routers (routing "evil" packets to /dev/null)
and/or gateways (Web proxies, port redirectors).

    Barrie>  to have noodles as the modem server

If you really want a firewall, the firewall must come _between_ the
outside networks and the inside networks.  It is possible to have flux
be the modem server, and then route _all_ ppp traffic over the LAN to
noodles, which turns around and routes everything to where it's
supposed to end up (after filtering out Evil)... but I think you
already see that it makes more sense to put noodles physically between
your ISP and your local net.  :-)

    Barrie>  to run mserver (the MasqDialer server), so I can bring
    Barrie> the modem up and down, rather than ssh'ing in each time.

Probably a good idea.  Make sure you keep logs and stuff, maybe even
run a tail on the log, until you understand your usage patterns (and
to make sure the link is not eating your budget while you sleep).

    Barrie>  Stupid question - Can I keep the modem attached to flux,
    Barrie> whilst having noodles as the gateway/router/whatever?

You can, but it's conceptually confusing and technically difficult.
The concept is that _all_ traffic must be vetted by the firewall
before any other machine tries to process it.  But that basically
means that all routes out of ppp0 must go to noodles.  This is
confusing to think about and fragile to set up.

There's really not much point as long as you have a good autodial
daemon.

    Barrie> I expect that the gateway should have two interfaces -
    Barrie> eth0 and ppp0 - correct me if I'm wrong.

Yes.

    Barrie>  Could I get all this onto the 300Mb drive? I should hope
    Barrie> so.

I believe the Linux Router Project distro fits into about 10MB,
Debian's minimal distro into 25MB.  Add the dialer stuff if it's not
already there and sshd etc, you're still not going to be over 30MB.

    Barrie>  Once I do get all this setup, should I just drop the
    Barrie> ipchains rules on flux? (My guess: Yes)

No, at least not if you're serious about security (or learning about
it).  You should decide what gets through from noodles to flux, and
block everything else, especially telnet, ftp, etc, etc.  The idea is
to make penetrating the network like peeling an onion, layer after
layer after layer.


-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
_________________  _________________  _________________  _________________
What are those straight lines for?  "XEmacs rules."
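As an added illustration, not part of Barrie's question or the reply above: an ipchains rule set for the inner host flux, acting as the second onion layer the reply recommends, where only ssh from noodles is admitted and telnet/ftp are refused outright. The interface name eth0 comes from the thread; the addresses, the ssh-only policy, noodles acting as the LAN's caching nameserver, and the IPCHAINS dry-run variable are assumptions.

```shell
#!/bin/sh
# ipchains (Linux 2.2) rules for the inner host "flux", behind the gateway
# "noodles".  Added example, not from the thread; the addresses, the
# ssh-only policy, noodles as the LAN's caching nameserver and the
# IPCHAINS dry-run variable are all assumptions.
#
# Dry run (prints the rules):  sh flux-rules.sh
# Apply for real (as root):     sh flux-rules.sh apply
IPCHAINS=${IPCHAINS:-ipchains}
LAN_IF=eth0                 # flux's only interface, facing noodles
NOODLES=192.168.1.1         # gateway's LAN address (constructed)
FLUX=192.168.1.2            # this host's LAN address (constructed)

flux_rules() {
    # Start clean and default-deny: nothing gets in unless a rule says so.
    $IPCHAINS -F input
    $IPCHAINS -P input DENY

    # Loopback is always fine.
    $IPCHAINS -A input -i lo -j ACCEPT

    # Refuse the cleartext services the reply singles out, with -l so
    # attempts (even from the LAN) show up in the kernel log.
    for port in 21 23; do
        $IPCHAINS -A input -i $LAN_IF -p tcp -d $FLUX $port -l -j DENY
    done

    # The only new inbound connection flux accepts: ssh, and only from
    # noodles.  Whatever noodles lets through from outside still has to
    # pass this layer.
    $IPCHAINS -A input -i $LAN_IF -p tcp -s $NOODLES -d $FLUX 22 -j ACCEPT

    # ipchains keeps no connection state, so replies to connections flux
    # opened itself are let in by shape: TCP segments without SYN (! -y),
    # and DNS answers from the gateway's resolver.
    $IPCHAINS -A input -i $LAN_IF -p tcp ! -y -d $FLUX -j ACCEPT
    $IPCHAINS -A input -i $LAN_IF -p udp -s $NOODLES 53 -d $FLUX -j ACCEPT

    # Catch-all: the policy would drop the rest anyway, but an explicit
    # logged DENY makes what got this far visible.
    $IPCHAINS -A input -i $LAN_IF -l -j DENY
}

if [ "${1:-}" = "apply" ]; then
    flux_rules
else
    IPCHAINS="echo ipchains"    # dry run: print instead of applying
    flux_rules
fi
```

Run it without arguments first and read the printed rules; ipchains matches first rule wins, so the telnet/ftp DENY lines must stay above the non-SYN ACCEPT.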
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk