I'm thinking of converting an old 386 with 32 megs of memory into a firewall, using RedHat 7.3 and Shorewall. This will be a 3 interface type deal with net, loc, and dmz. It will be connected to the Net by cable modem, with max upload speeds of about 500k and max download at about 1500k I think. My question is, can this hardware handle all the traffic my cable modem can throw at it? I'm sure it can saturate the line uploading, but will this firewall be the bottleneck on incoming (valid) traffic? What if it's getting a pipe full of incoming junk that I've got it set to reject AND outgoing is maxed out at the same time? Is that a recipe for meltdown with this hardware?

On a different network, I already have a Shorewall firewall/router set up; it's been working great for months now. When I run Bearshare (gnutella) on a windows box inside the firewall, ZoneAlarm has to block lots of "ICMP time exceeded" and "ICMP unreachable" hits. What can I do at my router to stop this nonsense without breaking Bearshare?

BTW, be sure to check your website if you just upgraded apache using Redhat's up2date. The upgrade puts a new index.html in /var/www/html which apache will load instead of your index.htm. Boy did I feel dumb. Anyway, just rename the new file.

Sincerely,
Jim Hubbard
jimh@xlproject.com
Visit my website at www.XLProject.com
Jim Hubbard wrote:

> I'm thinking of converting an old 386 with 32 megs of memory into a
> firewall, using RedHat 7.3 and Shorewall. This will be a 3
> interface type deal with net, loc, and dmz. It will be connected to
> the Net by cable modem, with max upload speeds of about 500k and max
> download at about 1500k I think. My question is, can this hardware
> handle all the traffic my cable modem can throw at it? I'm sure it
> can saturate the line uploading, but will this firewall be the
> bottleneck on incoming (valid) traffic? What if it's getting a pipe
> full of incoming junk that I've got it set to reject AND outgoing is
> maxed out at the same time? Is that a recipe for meltdown with this
> hardware?

FWIW, my main firewall is a 486/100 w/ 32 Mb. It never seems to choke on the load. A 386 might be a bit different - i dunno. I think your main problem will likely be getting LAN cards old enough to work with the 386. On my other 486 (133 MHz), the PCI chipset is so old that it can't cope with the load of a 100 Mbit LAN card, even if it's NOT being pushed hard.

> ...
> BTW, be sure to check your website if you just upgraded apache using
> Redhat's up2date. The upgrade puts a new index.html in
> /var/www/html which apache will load instead of your index.htm. Boy
> did I feel dumb. Anyway, just rename the new file.

Suggestion: use the same filename as Red Hat does. This is not a symptom of using up2date, it's a symptom of using the apache RPM. If you use index.html, rpm will not touch it, since it's marked as a config file. (Run 'rpm -qlc package' on any package to find out which files it considers configs.)

PDG
On Wed, 26 Jun 2002, Jim Hubbard wrote:

> On a different network, I already have a Shorewall firewall/router set up,
> been working great for months now. When I run Bearshare (gnutella) on a
> windows box inside the firewall, ZoneAlarm has to block lots of "ICMP time
> exceeded" and "ICMP unreachable" hits. What can I do at my router to stop
> this nonsense without breaking Bearshare?

I assume that ZoneAlarm is running on the "windows box inside the firewall"?

In any event, my first question would be "Why is ZoneAlarm complaining about these packets in the first place?". You DON'T want to block them in your Shorewall box and they are a normal part of doing business with IP.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> -----Original Message-----
>
> On Wed, 26 Jun 2002, Jim Hubbard wrote:
>
> > On a different network, I already have a Shorewall firewall/router set up,
> > been working great for months now. When I run Bearshare (gnutella) on a
> > windows box inside the firewall, ZoneAlarm has to block lots of "ICMP time
> > exceeded" and "ICMP unreachable" hits. What can I do at my router to stop
> > this nonsense without breaking Bearshare?
>
> I assume that ZoneAlarm is running on the "windows box inside the
> firewall"?
>
> In any event, my first question would be "Why is ZoneAlarm
> complaining about these packets in the first place?". You DON'T want to
> block them in your Shorewall box and they are a normal part of doing
> business with IP.
>
> -Tom
> --

Yes, ZoneAlarm is on the windows box inside the firewall, the one running BearShare. My only guess would be that the offending packets originate from improperly configured systems with rfc1913 addresses which are behind a firewall that doesn't translate the packet's ip to an actual internet address. If that sounds possible, then maybe I just need a rule to drop those?

-Jim
On Wed, 26 Jun 2002, Jim Hubbard wrote:

> Yes, ZoneAlarm is on the windows box inside the firewall, the one running
> BearShare.

You're a real belt and suspenders guy aren't you? :-)

> My only guess would be that the offending packets originate from
> improperly configured systems with rfc1913 addresses which are behind a
> firewall that doesn't translate the packet's ip to an actual internet
> address.

I've seen that happen (such a case was reported to me privately just this morning).

> If that sounds possible, then maybe I just need a rule to drop
> those?

The RFC is 1918 (not 1913). If you have "norfc1918" on your external interface in your Shorewall configuration, such packets will be trapped by Shorewall. If you don't have that option currently and turning it on gives you a flood of messages from Netfilter (when you are using BearShare) then you can install Shorewall 1.3.1 or later and modify the /etc/shorewall/rfc1918 to silently drop RFC1918 addresses (the default file that I release logs and drops).

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
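The two points Tom makes in this thread (ICMP "unreachable" and "time exceeded" are normal IP traffic and should not be blocked at the firewall, while packets arriving on the external interface with RFC 1918 source addresses are bogus and can be dropped without logging) can be checked against Netfilter log output. The script below is an added illustration of that triage, not code from the thread or from Shorewall: it parses the kernel LOG target's `IN= OUT= SRC= DST= PROTO= TYPE= CODE=` fields from a few constructed log lines and says what a norfc1918-style policy would do with each. The interface name `eth0` as the net-side interface and the sample lines are assumptions.

```python
import ipaddress
import re

# RFC 1918 private ranges. A packet with one of these as its source should
# never reach us from the Internet side; Shorewall's "norfc1918" option
# traps exactly these on the external interface.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption for this example: eth0 is the "net" (external) interface.
EXTERNAL_IF = "eth0"

# ICMP error types that are a normal part of doing business with IP:
#   3  = destination unreachable (port unreachable, fragmentation needed, ...)
#   11 = time exceeded (TTL expired; what traceroute relies on)
# Blocking these breaks path-MTU discovery and makes failed connections
# hang instead of failing fast. In a real ruleset netfilter's connection
# tracking marks them RELATED to the flow that triggered them.
ALLOWED_ICMP_ERRORS = {3, 11}

# Constructed sample log lines (not real captures). The field layout is the
# one the kernel's LOG target writes; the prefix before IN= is irrelevant here.
SAMPLE_LOG = """\
Jun 26 10:01:02 gw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=24.0.0.5 PROTO=ICMP TYPE=11 CODE=0
Jun 26 10:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=24.0.0.5 PROTO=ICMP TYPE=3 CODE=1
Jun 26 10:01:04 gw kernel: IN=eth0 OUT= SRC=192.168.0.9 DST=24.0.0.5 PROTO=ICMP TYPE=3 CODE=3
Jun 26 10:01:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=24.0.0.5 PROTO=ICMP TYPE=8 CODE=0
Jun 26 10:01:06 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.4 PROTO=TCP SPT=6346 DPT=6346
"""

FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|TYPE|CODE)=(\S*)")


def parse_log_line(line):
    """Extract the netfilter LOG fields we care about into a dict."""
    return dict(FIELD_RE.findall(line))


def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(fields):
    """Decide what the policy discussed in the thread does with one packet.

    Returns one of:
      "drop-silently" - RFC 1918 source on the external interface (norfc1918
                        with a non-logging target, so BearShare traffic does
                        not flood the logs)
      "accept"        - an ICMP error message that must be let through
      "other"         - falls through to the normal zone policy
    """
    if fields.get("IN") == EXTERNAL_IF and is_rfc1918(fields.get("SRC", "0.0.0.0")):
        return "drop-silently"
    if fields.get("PROTO") == "ICMP" and int(fields.get("TYPE", -1)) in ALLOWED_ICMP_ERRORS:
        return "accept"
    return "other"


def triage(log_text):
    """Count the verdicts over a block of log lines."""
    counts = {"drop-silently": 0, "accept": 0, "other": 0}
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if "SRC" not in fields:       # not a netfilter LOG line
            continue
        counts[classify(fields)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_log_line(line)
        print(f"{classify(f):14s} IN={f['IN']:5s} SRC={f['SRC']:15s} PROTO={f['PROTO']}")
    print(triage(SAMPLE_LOG))
```

Note that the private-source check is keyed on the interface, not the address alone: the last sample line has an RFC 1918 source but arrives on the internal interface, which is exactly where such addresses are expected, so it is left to the normal loc-to-net policy rather than dropped.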