[Courses] [Security] Firewalls: Ipchains syntax and implementation

Raven, corporate courtesan raven at oneeyedcrow.net
Wed Apr 10 01:33:30 EST 2002


Heya --

Quoth Hamster (Sun, Apr 07, 2002 at 11:20:09PM +0200):
> I'd like to try to formulate an answer to the firewall/network design
> question.  I must however admit that I know zilch about ipchains, as I
> have been busy the last few days reading all the iptables doco :)

	Take out the connection tracking stuff, and it's basically the
exact same thing.  Just say "ipchains -A INPUT -p tcp blah" rather than
"iptables -A INPUT -p tcp blah".  [grin]  Really.  That's all there is
to it: the connection tracking and state options are missing in ipchains.

> I started by drawing a diagram of the current layout. Now this is the
> funny thing. As soon as I'd drawn it, I recognised it instantly as
> being a DMZ drawing, even though my understanding of DMZ is only
> basic.

	You are correct, a DMZ is what you were thinking of, and will be
the best design for them.
 
> So to sum up my waffle in some ascii art :)
> {internet}--[FW1]--{DMZ}--[FW2]--{client computers}

	Very much what we are collectively coming up with, it seems.  I
declare great minds to think alike.  [grin]
 
> The DMZ will contain the FTP, Web/Mail, DNS servers.
	
	Perfect.

> I have left off the file server from this list, and that will be the
> basis of my first question to the company about their network. I
> believe though that the fileserver could be put on the internal
> network - remote access to it (should the need arise) could be given
> by a VPN solution. A change in IP address shouldn't be a problem here
> as the box is probably being found via WINS. That would be the basis
> for question two :) But as long as the name stays the same there
> should be little interruption in connectivity if my assumption is
> correct.

	They're fine with that, and I think it would work with little
service interruption.
 
> I would recommend that the internal network be put on DHCP (if it isn't
> already).  For the Linux users to be able to ssh to their boxes
> remotely, I would set up MAC-address based client reservations on the
> DHCP server. I would then set up port forwarding on FW1 so that the ssh
> session can get passed through to the Linux boxes.  Say your private
> Linux box has the address 10.1.1.1. On FW1 I would set it up so that if
> you wanted to get to 10.1.1.1 you would ssh to port 10111 on FW1 (to
> pick any port number) and that FW1 would have forwarding and a routing
> table set up to pass traffic from port 10111 to the internal box
> 10.1.1.1. A private box on 10.1.1.2 would ssh to FW1:10112 and have
> that traffic forwarded on to 10.1.1.1 and so on.

	This would also work, and would save the expense of a bastion
host.  Your solution is cheaper; Jenny's provides for a little extra
logging.  It's a tossup as to which is preferable.
 
> But as I said I am not too clear on the DMZ part, and quite fuzzy on
> the different roles the two FWs play.

	Check Kai's post and my reply for a good take on that.
 
> The other questions I would like to ask about the setup are concerning
> the rules for the firewalls, i.e. are employees allowed to IRC, ICQ,
> etc.

	If it works with the rules we've set up here, sure, but they're
not going to make a specific breach in the firewall rules just for that.
With the ipchains rules we've set up here, most of the clients like that
should work okay.
 
> Sorry that I've probably been a bit vague here, but I'm still learning :)

	So are we all, me included.

Cheers,
Raven
 
Ben says "WAR IS PEACE FREEDOM IS SLAVERY BACKSPACE IS DELETE"
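As an added worked example (not part of Raven's or Hamster's posts), here is a small POSIX shell script that generates FW1's rules for the per-host ssh forwarding scheme discussed above in both dialects, so the ipchains/iptables difference is concrete. Everything specific in it is a hypothetical assumption: an external interface eth0, an external address 192.0.2.1, internal hosts on 10.1.1.0/24, and the convention external port = 10110 + last octet (10.1.1.1 -> 10111, 10.1.1.2 -> 10112). Two points worth knowing when translating: the ipchains built-in chains are spelled in lowercase (input, forward, output), and ipchains itself has no NAT table, so on a 2.2 kernel the redirect is created with ipmasqadm portfw while ipchains only filters; with no connection tracking, the reply direction also needs its own forward rule. The script prints the commands rather than running them, since applying them needs root on the firewall.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original posts.
# Prints FW1 rules for the "ssh to FW1:1011N, land on 10.1.1.N:22" scheme
# in iptables (2.4 kernel) and ipchains (2.2 kernel) form. Hypothetical
# assumptions: external interface eth0, external address 192.0.2.1
# (TEST-NET), internal hosts on 10.1.1.0/24, external port = 10110 + the
# host's last octet.

EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-192.0.2.1}"

# 10.1.1.1 -> 10111, 10.1.1.2 -> 10112, ...
ssh_port_for() {
    last="${1##*.}"
    echo $((10110 + last))
}

# Shared by every host: let replies to connections we already allowed back.
iptables_common() {
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# iptables: rewrite the destination in the nat table, then accept the new
# connection in FORWARD. Connection tracking covers the reply direction.
iptables_rules() {
    host="$1"; port="$2"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:22\n' \
        "$EXT_IF" "$EXT_IP" "$port" "$host"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport 22 -m state --state NEW -j ACCEPT\n' \
        "$EXT_IF" "$host"
}

# ipchains: there is no nat table, so the redirect is a kernel
# port-forwarding entry set with ipmasqadm; the forward chain (lowercase
# name) then sees the packet with its rewritten destination. No state,
# so the reply from the host's port 22 needs an explicit rule as well.
ipchains_rules() {
    host="$1"; port="$2"
    printf 'ipmasqadm portfw -a -P tcp -L %s %s -R %s 22\n' "$EXT_IP" "$port" "$host"
    printf 'ipchains -A forward -p tcp -d %s 22 -j ACCEPT\n' "$host"
    printf 'ipchains -A forward -p tcp -s %s 22 -j ACCEPT\n' "$host"
}

# Emit both rule sets for every internal host given as an argument.
gen_rules() {
    echo "# iptables (2.4 kernel)"
    iptables_common
    for h in "$@"; do iptables_rules "$h" "$(ssh_port_for "$h")"; done
    echo "# ipchains (2.2 kernel)"
    for h in "$@"; do ipchains_rules "$h" "$(ssh_port_for "$h")"; done
}

# Demo with two constructed internal hosts when run directly.
gen_rules 10.1.1.1 10.1.1.2
```

Each forwarded port is an Internet-reachable path into the client network that also has to be let through FW2 in the drawing above, so where the users' remote addresses are known it is worth adding a -s match to both the DNAT/portfw rule and the forward rule instead of accepting from anywhere.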
