Mourik Jan C Heupink
2002-Aug-28 13:14 UTC
[Shorewall-users] am i on the right track? - please give some feedback
Hello all. I am in the process of setting up a firewall, and since I am on my own here, I would really appreciate some feedback from the firewall gurus here on the list. I have been doing a lot of reading on the internet lately, and using what I learned, drafted the following basic ideas. Please tell me if I am on the right track or not, since I am on my own here.. :)

The situation as it IS:
We own a whole subnet xx.xx.xx.0 - xx.xx.xx.255, and each computer is directly connected to the internet, without a firewall of any sort. I reserved certain ranges for certain equipment types (1 = gateway, 3-25 is for server systems, 25-50 for printers, and the rest for workstations). Currently we have approx. 5 servers, 10 printers and 50 workstations. I guess this could be called a small corporate network.

Feeling more and more uncomfortable about not having a firewall AT ALL, and having some spare time right now, I thought this is the time to actually set up something. After looking at several solutions (IP-Cop, Smoothwall, some graphic iptables frontends, Shorewall) I've decided to go for Shorewall. One of the reasons is this mailing list. I've been lurking here for two weeks now, and like what I read.

ANYWAY. Now for the situation as it should (or could) become. _THIS_ is where I would like to get feedback.

The first decision: Do I need a DMZ? I've read in several docs that for a small network like ours, with plenty of IP addresses available, a DMZ might not really be necessary. So, for now: no DMZ. Also, normally a fileserver would not be placed in the DMZ. But since our mailserver (which would be placed in the DMZ, I guess) also does (some) file serving, I would have to split that up, and don't want to do that, as we are abandoning NT4 anyway.

Then, the next decision: Do we want to use public IP addresses on all workstations, or use NAT and give workstations private IPs? Not really sure here. I know that, in case of a lack of available addresses, this would be the way to go. But in our case? Giving each workstation a public IP doesn't make your network more secure, as far as I know, or am I missing something here? (as all traffic goes through the firewall anyway)

MEANING: I could set up a Linux system with two network cards (thinking SuSE, since we are running that on more servers already) and install Shorewall. But then. Currently, our gateway is IP address 1 from our range. This is a system that is not here locally, but on our provider's end of the wire. Would it be best to ask them to route all traffic to and from us through the newly installed server? And then tell all my systems that their gateway is to be the new firewall machine?

I've really done quite a lot of reading, and understand a lot about iptables, NAT, connection tracking, what rules to set up, etc... but I can't seem to find many examples or howtos that help me through these decisions here (especially how to change the situation as it is now, with IP address 1 being the gateway, into one where all the traffic would go through a firewall. It does not necessarily mean physical changes, I understood that much..)

Hope you're not offended by these (rather basic) questions, and I _really_ would appreciate any pointers to this kind of info, or comments.

Thanks very much.

Mourik Jan
Heupink, Mourik Jan C.
2002-Aug-28 16:52 UTC
[Shorewall-users] am i on the right track? - please give some feedback
Hello all. I am in the process of setting up a firewall, and since I am on my own here, I would really appreciate some feedback from the firewall gurus here on the list. I have been doing a lot of reading on the internet lately, and using what I learned, drafted the following basic ideas. Please tell me if I am on the right track or not, since I am on my own here.. :)

The situation as it IS:
We own a whole subnet xx.xx.xx.0 - xx.xx.xx.255, and each computer is directly connected to the internet. I reserved certain ranges for certain equipment types. Currently we have approx. 5 servers, 10 printers and 50 workstations. I guess this could be called a small corporate network.

After looking at several solutions (IP-Cop, Smoothwall, some graphic iptables frontends, Shorewall) I've decided to go for Shorewall. One of the reasons is this mailing list. I've been lurking here for two weeks now, and like what I read.

ANYWAY. Now for the situation as it should (or could) become. _THIS_ is where I would like to get feedback.

The first decision: Do I need a DMZ? I've read in several docs that for a small network like ours, with plenty of IP addresses available, a DMZ might not really be necessary. So, for now: no DMZ. Also, normally a fileserver would not be placed in the DMZ. But since our mailserver (which would be placed in the DMZ, I guess) also does (some) file serving, I would have to split that up, and don't want to do that, as we are abandoning NT4 anyway.

Then, the next decision: Do we want to use public IP addresses on all workstations, or use NAT and give workstations private IPs? Not really sure here. I know that, in case of a lack of available addresses, this would be the way to go. But in our case? Giving each workstation a public IP doesn't make your network more secure, as far as I know, or am I missing something here? (as all traffic goes through the firewall anyway)

MEANING: I could set up a Linux system with two network cards (thinking SuSE, since we are running that on more servers already) and install Shorewall. But then. Currently, our gateway is IP address 1 from our range. This is a system that is not here locally, but on our provider's end of the wire. Would it be best to ask them to route all traffic to and from us through the newly installed server? And then tell all my systems that their gateway is to be the new firewall machine?

I've really done quite a lot of reading, and understand a lot about iptables, NAT, connection tracking, what rules to set up, etc... but I can't seem to find many examples or howtos that help me through these decisions here (especially how to change the situation as it is now, with IP address 1 being the gateway, into one where all the traffic would go through a firewall. It does not necessarily mean physical changes, I understood that much..)

Hope you're not offended by these (rather basic) questions, and I _really_ would appreciate any pointers to this kind of info, or comments.

Thanks very much.

Mourik Jan
Martinez, Mike (MHS-ACS)
2002-Aug-28 22:54 UTC
[Shorewall-users] am i on the right track? - please give some feedback
Mourik,

I was faced with a similar situation to yours about 6 months ago. I tried all the firewalls that you mentioned and none of them even came close to what Shorewall offers. The only thing we had at the time was an ACL on our Cisco router. We have a full Class "C" with web servers, mail servers, file servers, PDC/BDC, Linux, Unix boxes, etc. One of the requirements was that we had to continue to use our public IPs and we could not use NAT or Masq.

I set up a baseline Red Hat 7.1 with three (3) NIC cards, ran the Bastille hardening script (http://www.bastille-linux.org/) on it to lock it down, and then installed Shorewall 1.3 on our network. We only use proxyarp because we need to maintain the public IPs, and according to Tom proxyarp is so much better than NAT or masq. Plus you don't have to change any TCP/IP settings on your workstations and/or servers. All of my systems are still using the original gateway on our router.

I looked at Tom's configuration files (http://www.shorewall.net/myfiles.htm) and set up my firewall with most of the rules and policies that he uses. The only things I changed were the interfaces file, rules file, the proxyarp file and the init file. I did not use the three-interface sample. I did some testing in a lab environment and everything seemed to work great.

I would set up a DMZ and put your web servers and vulnerable servers in this zone. I would also install a mail relay server to relay mail between your primary mail server in the local zone and the internet. I would then put your primary mail server and file server on the internal network (local), along with the rest of your servers and workstations that you don't want the outside (external users) hitting.

I went live one weekend with this configuration and it's been running great ever since. The only thing that really happened was that I had to reset (power cycle) all of our routers and switches to clear all ARP tables. Once I did that we were off and running.

Hope this helps.
Mike
Simon Matter
2002-Aug-29 06:17 UTC
[Shorewall-users] am i on the right track? - please give some feedback
"Heupink, Mourik Jan C." wrote:
> Hello all.
>
> I am in the process of setting up a firewall, and since I am on my own here,
> I would really appreciate some feedback from the firewall gurus here on the

Sorry, I'm not one of the gurus, but maybe I can give you useful ideas anyway.

> list. I have been doing a lot of reading on the internet lately, and using
> what I learned, drafted the following basic ideas. Please tell me if I am on
> the right track or not, since I am on my own here.. :)

Many of us have the same problem, I think.

> The situation as it IS:
> We own a whole subnet xx.xx.xx.0 - xx.xx.xx.255, and each computer is
> directly connected to the internet. I reserved certain ranges for certain
> equipment types. Currently we have approx. 5 servers, 10 printers and 50
> workstations. I guess this could be called a small corporate network.
>
> After looking at several solutions (IP-Cop, Smoothwall, some graphic
> iptables frontends, Shorewall) I've decided to go for Shorewall. One of the
> reasons is this mailing list. I've been lurking here for two weeks now, and
> like what I read.
>
> ANYWAY. Now for the situation as it should (or could) become. _THIS_ is
> where I would like to get feedback.
>
> The first decision: Do I need a DMZ? I've read in several docs that for a
> small network like ours, with plenty of IP addresses available, a DMZ might
> not really be necessary. So, for now: no DMZ. Also, normally a fileserver
> would not be placed in the DMZ. But since our mailserver (which would be placed in
> the DMZ, I guess) also does (some) file serving, I would have to split that
> up, and don't want to do that, as we are abandoning NT4 anyway.

While it's possible to go without a DMZ, from a security point of view you don't want to go without a DMZ. It's always a good idea to put those systems communicating with the internet into a DMZ. I recommend you put at least one server into the DMZ with an SMTP server, Squid proxy and whatever you like. It's also a good place to do virus scanning of email and such. The main mailserver can remain in the local net. It's also difficult to put fileservers into the DMZ because of the complicated protocols used there.

> Then, the next decision: Do we want to use public IP addresses on all
> workstations, or use NAT and give workstations private IPs? Not really
> sure here. I know that, in case of a lack of available addresses, this would be
> the way to go. But in our case? Giving each workstation a public IP doesn't make your
> network more secure, as far as I know, or am I missing something here? (as
> all traffic goes through the firewall anyway)

I strongly recommend using private IPs for the local net. What if your network grows and you don't get more public IPs, or you get them in another range? I don't see any real benefit in using public IPs.

> MEANING: I could set up a Linux system with two network cards (thinking SuSE,
> since we are running that on more servers already) and install Shorewall. But
> then. Currently, our gateway is IP address 1 from our range. This is a
> system that is not here locally, but on our provider's end of the wire.
> Would it be best to ask them to route all traffic to and from us
> through the newly installed server? And then tell all my systems that their
> gateway is to be the new firewall machine?
>
> I've really done quite a lot of reading, and understand a lot about iptables,
> NAT, connection tracking, what rules to set up, etc... but I can't seem to
> find many examples or howtos that help me through these decisions here
> (especially how to change the situation as it is now, with IP address 1 being
> the gateway, into one where all the traffic would go through a firewall. It
> does not necessarily mean physical changes, I understood that much..)

If you change to private IPs, you have to change addressing in your local net anyway. Don't you use DHCP for your client machines?

Simon

> Hope you're not offended by these (rather basic) questions, and I _really_
> would appreciate any pointers to this kind of info, or comments.
>
> Thanks very much.
>
> Mourik Jan
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
Joseph T Watson
2002-Sep-06 02:52 UTC
[Shorewall-users] am i on the right track? - please give some feedback
On Wednesday 28 August 2002 12:52 pm, you wrote:
> Hello all.
>
> I am in the process of setting up a firewall, and since I am on my own
> here, I would really appreciate some feedback from the firewall gurus here
> on the list. I have been doing a lot of reading on the internet lately, and
> using what I learned, drafted the following basic ideas. Please tell me if
> I am on the right track or not, since I am on my own here.. :)
>
> The situation as it IS:
> We own a whole subnet xx.xx.xx.0 - xx.xx.xx.255, and each computer is
> directly connected to the internet. I reserved certain ranges for certain
> equipment types. Currently we have approx. 5 servers, 10 printers and
> 50 workstations. I guess this could be called a small corporate network.
>
> After looking at several solutions (IP-Cop, Smoothwall, some graphic
> iptables frontends, Shorewall) I've decided to go for Shorewall. One of the
> reasons is this mailing list. I've been lurking here for two weeks now, and
> like what I read.
>
> ANYWAY. Now for the situation as it should (or could) become. _THIS_ is
> where I would like to get feedback.
>
> The first decision: Do I need a DMZ? I've read in several docs that for a
> small network like ours, with plenty of IP addresses available, a DMZ might
> not really be necessary. So, for now: no DMZ.

Well, this depends on whether you are providing services to the Internet. This could be a DNS server for your domain, mail server for your domain, web server for your domain, etc... If you will be handling these kinds of services for yourself, USE A DMZ!! for these servers.

One network that I admin has a connection to the Internet, but it is strictly a pull connection. We send email, but our domain is handled by a web provider. In this case I do not have a need for a DMZ.

> Also, normally a fileserver
> would not be placed in the DMZ. But since our mailserver (which would be placed
> in the DMZ, I guess) also does (some) file serving, I would have to split
> that up, and don't want to do that, as we are abandoning NT4 anyway.

You are right, it should be split up. If this data is critical, it should not be on the mail server anyway. If it is not critical data, you could probably make it work from the DMZ, but this increases the possibility of a security breach.

> Then, the next decision: Do we want to use public IP addresses on all
> workstations, or use NAT and give workstations private IPs? Not really
> sure here. I know that, in case of a lack of available addresses, this would
> be the way to go. But in our case? Giving each workstation a public IP doesn't make
> your network more secure, as far as I know, or am I missing something
> here? (as all traffic goes through the firewall anyway)

My advice is to use private IPs on your LAN, and use masquerading. So all request traffic from your LAN heading to the Internet will be seen as coming from the server's IP.

The only computers that should have public IPs are servers that provide a service to the Internet, and all such servers should be in the DMZ. Just good security policy IMHO.

Also, I would not use NAT. As I have found out the hard way (I have many posts on this list trying to figure out problems that came along with NAT). For simple situations, NAT has its place, but not in your situation. You should use Proxy ARP to route the traffic requests from the Internet into your DMZ, and in this situation you will have public IPs in your DMZ.

There is lots of info on this at www.shorewall.net. Take a look in the quickstart guides at section 5.2.3 Proxy ARP.

> MEANING: I could set up a Linux system with two network cards (thinking
> SuSE, since we are running that on more servers already) and install
> Shorewall. But then. Currently, our gateway is IP address 1 from our range.
> This is a system that is not here locally, but on our provider's end of
> the wire. Would it be best to ask them to route all traffic to
> and from us through the newly installed server? And then tell all my
> systems that their gateway is to be the new firewall machine?
>
> I've really done quite a lot of reading, and understand a lot about iptables,
> NAT, connection tracking, what rules to set up, etc... but I can't seem to
> find many examples or howtos that help me through these decisions here
> (especially how to change the situation as it is now, with IP address 1
> being the gateway, into one where all the traffic would go through a
> firewall. It does not necessarily mean physical changes, I understood that
> much..)
>

With Proxy ARP you will have no need to have your provider do anything special. The Linux box running Shorewall will route the traffic across by itself, and the rest of the network will not even know that it is really divided.

> Hope you're not offended by these (rather basic) questions, and I _really_
> would appreciate any pointers to this kind of info, or comments.
>

We all start somewhere, hope this helps!

> Thanks very much.
>
> Mourik Jan
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

-- 
Regards
Joseph
http://www.datakota.com
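The layout the replies converge on (Mike's and Joseph's public DMZ reached via Proxy ARP, with the DMZ hosts keeping their original gateway; Simon's mail relay plus Squid in the DMZ with the main mailserver left inside; and Simon's and Joseph's private, masqueraded local net), written out as Shorewall 1.3-style configuration files. This is an added example, not configuration from any of the posters or from the Shorewall project. It assumes the documentation range 192.0.2.0/24 in place of xx.xx.xx.0/24 with .1 as the provider's router, eth0/eth1/eth2 as the net/loc/dmz interfaces, a mail relay running Squid at 192.0.2.10 in the DMZ, the internal mail server at 10.1.0.5, 10.1.0.0/16 for the renumbered workstations, and Squid listening on 3128. Column layouts follow the 1.3 file formats; compare them with the comment headers of the files your package installs before using them.

```conf
# /etc/shorewall/zones   (interface assignment: net = eth0, loc = eth1, dmz = eth2, assumed)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet; provider router 192.0.2.1 (assumed)
loc     Local     Workstations and internal servers, renumbered to 10.1.0.0/16 (assumed)
dmz     DMZ       Public-facing hosts; they keep their 192.0.2.x addresses

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
loc     eth1        detect
dmz     eth2        detect

# /etc/shorewall/policy   -- deny by default; the rules file punches the holes
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/proxyarp  -- one line per DMZ host. The host keeps its public
# address, netmask and old gateway (192.0.2.1); the firewall answers ARP for it
# on eth0 and, with HAVEROUTE=No, adds the host route out of eth2 itself.
#ADDRESS      INTERFACE   EXTERNAL   HAVEROUTE
192.0.2.10    eth2        eth0       No

# /etc/shorewall/masq   -- loc is private space, hidden behind eth0's address
#INTERFACE   SUBNET
eth0         10.1.0.0/16

# /etc/shorewall/rules   -- only what each zone actually needs
#ACTION   SOURCE            DEST              PROTO   DEST PORT(S)
# inbound mail lands on the DMZ relay, never directly on the internal mailserver
ACCEPT    net               dmz:192.0.2.10    tcp     25
# relay hands mail to the internal server; internal server sends outbound via the relay
ACCEPT    dmz:192.0.2.10    loc:10.1.0.5      tcp     25
ACCEPT    loc:10.1.0.5      dmz:192.0.2.10    tcp     25
# the relay's own outbound needs: SMTP and DNS
ACCEPT    dmz:192.0.2.10    net               tcp     25
ACCEPT    dmz:192.0.2.10    net               udp     53
ACCEPT    dmz:192.0.2.10    net               tcp     53
# workstations browse through Squid on the relay host (port 3128 assumed)
ACCEPT    loc               dmz:192.0.2.10    tcp     3128
ACCEPT    dmz:192.0.2.10    net               tcp     80
ACCEPT    dmz:192.0.2.10    net               tcp     443
# admin access to the firewall itself, from the local net only
ACCEPT    loc               fw                tcp     22
```

Two things to expect at cut-over. First, the proxyarp entry is what lets the provider's router go on believing 192.0.2.10 is on its own segment, so nothing has to change upstream and the DMZ host's TCP/IP settings stay as they are; but the router's ARP cache still holds the host's old MAC until that entry expires or is cleared, and during that window traffic for the moved host goes nowhere. That is the symptom Mike cleared by power-cycling his routers and switches. Second, the DMZ traffic to loc is pinned to single hosts and ports on purpose: a compromised relay should be able to reach exactly one internal service, the mailserver's port 25, and nothing else in the local zone.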