swb dsl

James Hall JHALL at waddell.com
Fri Dec 8 23:34:04 CST 2000


I used RedHat 6.2 to do exactly what you just described, and I don't think that I used one actual 
RedHat "power tool".  Therefore I believe that 5.2 should be perfectly adequate.  (Although, it 
does require that you rebuild your kernel with certain routing options enabled.) You can set up 
your ethernet card with ifconfig, your firewall and IP masqing with IP-chains, and a 486 is perfect 
for the job (as long as you're not overloading it with packets.)  I pretty much just used the 
how-to for IP-Chains that I found by searching on Google.  (I can't quite remember the link and 
it's been a very long time since I set that up.)  I did however modify its design into one 
that fit my network.

Essentially you need to write a config script that sets up IP Chains every time you boot the 
server.  (The logical chains reside in memory only, and disappear when you power off your server.)  
I placed this in my /etc/rc.d/rc3.d directory.  The way you set up the chains is where the artistry 
comes in.  This is the hardest part of setting up this type of a Linux firewall.  This is the 
logical structure of my chains, for the most part...

Incoming packet
   1 where from?
      a) from inside?  (go to good queue)
      b) from outside?    (go to bad queue)
      c) other?  (probably not, but just in case destroy it)

   2 Good queue
      a) packet spoofed?  (if not, continue  or  if so, deny it)
      b) sent from approved?  (if so then forward out and masq  OR  if not then deny)
      c) other?  (probably not, but just in case drop it without return)

   3 Bad queue
      a) packet spoofed?  (if not, continue  or if so, destroy it)
      b) packet headed for approved internal dest and port?  (If yes then, forward it to dest  OR  if not then deny it)
      c) other?  (probably dangerous packet so we should destroy it)

All in all, it is mainly a time-consuming task rather than a difficult one. But by taking some time and 
being thorough, you can optimize it to run very fast and pretty damn secure.  There is a lot more 
to it than I have illustrated here; I just thought it would help to have an example chain structure 
to start with.

Remember that Linux is the hacker's playground, so it is really best to make your firewall machine 
standalone without any extra toys or tools for anyone to make use of against you. Though the 
firewall is running in the kernel, any unnecessary services or daemons may render your firewall 
completely worthless.

Good luck
-James

On Fri, 8 Dec 2000, J.J. Kramer wrote:

> Has anyone set up a connection with SWBELL using DSL, IP-masq, and a
> firewall?  I have an older PC (486) running Red Hat 5.2 and want to use
> it primarily for my firewall and IP-masq.
>
> For ease of configuration should I go to a new version of Red Hat or
> some other install?
>
> Thanks,
>
> J.J.
>
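
The three-stage chain structure outlined in the message above, modeled in Python as an added example (not part of the original post, and not ipchains syntax). The interface names, addresses, approved lists and the definition of "spoofed" are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Every value here is constructed for illustration; none comes from the post.
INSIDE_IF, OUTSIDE_IF = "eth1", "eth0"
INTERNAL_NET = ip_network("192.168.1.0/24")
LOOPBACK = ip_network("127.0.0.0/8")
APPROVED_SOURCES = {ip_address("192.168.1.10"), ip_address("192.168.1.11")}
APPROVED_INBOUND = {(ip_address("192.168.1.20"), 25)}  # (internal dest, port)

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int

def good_queue(p: Packet) -> str:
    src = ip_address(p.src)
    # 2a: anything on the inside interface must carry an internal source.
    if src not in INTERNAL_NET:
        return "DENY (spoofed)"
    # 2b: only approved internal hosts are forwarded out and masqueraded.
    if src in APPROVED_SOURCES:
        return "FORWARD+MASQ"
    # 2b/2c: unapproved host, or anything else that fell through.
    return "DENY"

def bad_queue(p: Packet) -> str:
    src = ip_address(p.src)
    # 3a: an outside packet claiming an internal or loopback source is forged.
    if src in INTERNAL_NET or src in LOOPBACK:
        return "DENY (spoofed)"
    # 3b: only approved (internal destination, port) pairs are let through.
    if (ip_address(p.dst), p.dport) in APPROVED_INBOUND:
        return "FORWARD"
    # 3c: everything else is dropped.
    return "DENY"

def classify(p: Packet) -> str:
    # Step 1: sort by arrival interface; unknown interfaces are destroyed.
    if p.iface == INSIDE_IF:
        return good_queue(p)
    if p.iface == OUTSIDE_IF:
        return bad_queue(p)
    return "DENY"
```

Each function ends in a deny, so a packet that matches no explicit allow rule never passes by default.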



