Unix Firewall with DSL
I have a DSL modem that we use to get Internet at the office. Recently we acquired a block of 16 IPs that we will use for our test servers. I suggested a Unix IPFilter firewall. I just want to ask how I can connect this firewall directly to the DSL modem/router. Do I have to change the DSL modem/router settings?
I have three interfaces on the Unix firewall machine: one to connect to the Internet, one for the servers and one for the rest of the computers.
Some suggestions please.
The simple answer is yes to all of your questions.
Probably the main thing is that with a /28 your ISP will need to route to your firewall/router, which then handles the inbound traffic.
I'd guess that at the moment your modem is acting like a router & providing NAT for your internal network. You'll be better off changing this so that your modem bridges the connection &, depending on the network operation you run, either PPP or a static IP to connect to the ISP.
You can then run a DMZ for your public block & a private internal network with NAT on the other IF.
If you're not a regular Linux/routing/iptables user you might be best off looking at an open-source firewall solution such as IPCop & Smoothwall. I don't use them for this setup but I'm pretty sure they'll do what you need & there are lots of forums for them.
Thank you very much for the answer.
Yes, I will have to run the router in bridge mode. If it's running in bridge mode do I have to assign it one of the public addresses? And then when it connects to the firewall on the internal interface, would I need to use public IPs there or private?
I am implementing FreeBSD with IPFilter.
Since we have no security in place at the moment and no one seems really bothered, I thought I can only enable NAT at first and then add on other rules. This way everyone is happy.
In bridged mode a modem simply passes the packets through. The static IP from your ISP gets applied at the firewall.
Your current DSL modem/router is probably providing your security at the moment &, to be honest, whilst no one else might be worried about it, I would be if I were you.
I've not played with FreeBSD or IPFilter, but the principles are the same across the board & there look to be good community resources & info on both. What I can help you with are the principles, & I'd suggest specific FreeBSD & IPFilter FAQs, user boards, etc. for the rest.
So, since you are running an internal network, a public-addressed "test" network and a connection to the Internet, I'd recommend physical separation & therefore suggest you install three NICs in the firewall. This way you have a private, secure NATed network, a public test (DMZ) network and an Internet interface.
To start with, your router in bridge mode provides a bridge between DSL & Ethernet. At a guess I assume you are currently running it in router mode & you will need to record the settings off the current modem in order to apply them to your Internet Interface. I'd guess that it's running PPP, or maybe IPoA/IPoE.
Record the current settings then change the modem to bridged mode.
If the settings were PPP then you'll need to look up setting up PPP on a BSD system & apply these settings to the system in order to get Internet online. Note that when you start to apply IPFilter rules, the PPP interface you set up will be your Internet interface, not the NIC.
If the settings were IPoA/IPoE then you just set up the NIC with the IP.
In both cases the IP should be static from your ISP as they will need to route your /28 into that IP.
You then set up your two other networks NAT & DMZ as normal networks.
Apply IPFilter rules such that:
Allow all from the NAT network to the DMZ
Allow all from NAT to Internet
Allow specific from Internet to DMZ
Allow established & related (return connections) from Internet to NAT
I usually set ALL of my defaults to drop & then build up what I allow through. Don't forget to allow the loopback interface if you do this.
I assume IPFilter has a start/stop process. I also recommend adding a PANIC ruleset which will block everything except ssh from a couple of trusted systems & the console. In 10 years of iptables/Linux I've had to use it only twice, but it was damned handy.
Hope that helps a bit.
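As an added example (not part of the original thread, and not FreeBSD's or IPFilter's own sample configuration), the plan in Stu's reply mapped onto the three files FreeBSD actually reads: rc.conf for forwarding, PPP and the IPFilter/ipnat start-up, ipnat.conf for hiding the LAN behind the WAN address, and ipf.conf for the default-deny ruleset (loopback, anti-spoof, LAN to DMZ and Internet, specific services from the Internet into the DMZ, stateful return traffic) plus a separate PANIC ruleset. Everything concrete is an assumption for illustration: interface names em0/em1/em2 and tun0, the routed block 203.0.113.0/28 with 203.0.113.1 on the DMZ interface, the LAN 192.168.1.0/24, the admin host 198.51.100.10 and the published ports.

```conf
# --- /etc/rc.conf (relevant lines) ---
# Assumed interfaces: em0 faces the bridged DSL modem, em1 is the DMZ
# (public /28), em2 is the internal LAN.
gateway_enable="YES"            # forward packets between the three interfaces
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.conf"
ipmon_enable="YES"              # log the packets that hit "log" rules below
# PPP(oE) case only: user-ppp (profile "isp" in /etc/ppp/ppp.conf) brings up
# tun0 on top of em0, and tun0 is the interface the ipf rules filter.
# For a static IP configured on the NIC, set ifconfig_em0="inet ..." instead
# and replace tun0 with em0 in the rules.
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="isp"

# --- /etc/ipnat.conf ---
# Only the private LAN is NATed. The DMZ block is routed by the ISP to the
# tun0 address, so DMZ hosts keep their public addresses. 0/32 means "the
# address tun0 currently has", which also copes with a changing PPP address.
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map tun0 192.168.1.0/24 -> 0/32

# --- /etc/ipf.conf ---
# Rules are read top-down and "quick" stops at the first match, so the order
# is: loopback, anti-spoof, the allow rules per network, and finally the
# catch-all blocks that make the default policy "drop". State lookups happen
# before the rule list, so replies to connections that created state pass
# without needing their own rule (IPFilter 4.x tracks a connection across the
# interfaces it traverses; check this on older releases).

pass in  quick on lo0 all
pass out quick on lo0 all

# Nothing with a private or loopback source may arrive from the Internet.
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 127.0.0.0/8 to any

# LAN -> DMZ and LAN -> Internet: allow all, keep state for the return path.
pass in quick on em2 proto tcp  from 192.168.1.0/24 to any flags S keep state
pass in quick on em2 proto udp  from 192.168.1.0/24 to any keep state
pass in quick on em2 proto icmp from 192.168.1.0/24 to any keep state

# The firewall itself may talk out to the Internet (DNS, NTP, updates).
pass out quick on tun0 proto tcp  from any to any flags S keep state
pass out quick on tun0 proto udp  from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

# Internet -> DMZ: only the published services, to specific hosts.
pass in quick on tun0 proto tcp from any to 203.0.113.2/32 port = 80  flags S keep state
pass in quick on tun0 proto tcp from any to 203.0.113.2/32 port = 443 flags S keep state
pass in quick on tun0 proto tcp from any to 203.0.113.3/32 port = 22  flags S keep state

# DMZ hosts may initiate outbound to the Internet, but never into the LAN
# (replies to LAN-initiated connections are already matched by state above).
block in quick on em1 from any to 192.168.1.0/24
pass  in quick on em1 proto tcp from 203.0.113.0/28 to any flags S keep state
pass  in quick on em1 proto udp from 203.0.113.0/28 to any keep state

# Packets leaving towards the DMZ or LAN were vetted on the way in; keep
# state here so the firewall's own sessions to those networks get replies.
pass out quick on em1 all keep state
pass out quick on em2 all keep state

# Default deny, logged, for everything not matched above.
block in  log all
block out log all

# --- /etc/ipf.panic.conf ---   load with:    ipf -Fa -f /etc/ipf.panic.conf
#                                restore with: ipf -Fa -f /etc/ipf.conf
# Only ssh from the assumed admin host 198.51.100.10 and the console survive.
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick proto tcp from 198.51.100.10/32 to any port = 22 flags S keep state
block in  log all
block out log all
```

Two things worth checking after loading: `ipfstat -io` shows the rules exactly as the kernel parsed them (a mistyped line is silently dropped by `ipf -f` unless you read its output), and `ipnat -l` confirms the LAN mapping is on the PPP interface and not on the NIC underneath it.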
Thank you Stu,
I have already purchased a machine with 3 NICs and was thinking to keep the LAN and servers separate. I have looked up the DSL bridging mode and how to set it up.
I am rebuilding the kernel to support NAT. I have done most of the things that you have told me, and since you confirmed these steps I know I am on the right track.
Thank you for taking time out and replying in detail... much appreciated.
Just one more thing I would like to ask. When running the firewall, should I create a different user or a jail?
Sorry I posted a reply to your Q but obviously my session had timed out.
Your question relates specifically to FreeBSD & IPFilter, which I haven't used, so I simply don't know the best answer there.
I tend to use netfilter/iptables under RH/CentOS/etc., which is in the kernel & there's no jailing that.
Actually mate, to be blunt, unless you have a specific reason to use FreeBSD & IPFilter (i.e. a complex requirement) then I suggest you simply download something like IPCop or Smoothwall or similar. You're likely to have everything working within a couple of hours of download &, with nice web interfaces to use & a few very good plugins for both of the products I mentioned, you get what you need plus more.