Need advice to build a firewall system

#1 lamletoi (Just Joined!)


    Hello everybody,
    today I need everybody who has experience to help build a firewall for my company.
    My company has about 200 users.
    The server farm: web server, mail server, DC, database, SharePoint...
    Can I use iptables for this case, or are there other appropriate solutions?
    Thanks
    Last edited by lamletoi; 08-10-2012 at 12:28 AM.

#2 mizzle (Linux Engineer)
    It's likely going to be more cost-effective to get an entry-level dedicated firewall (firewalls, really; you should have more than one to create a DMZ) for that many systems, if you care at all about performance.

    Either way, iptables is a pretty capable firewall solution, and if:
    1) Hardware costs are a concern
    2) You are re-purposing older equipment (not spending any money at all)
    3) Throughput is not important

    Then it will be fine.

    Modern firewalls also have a host of other features, such as VPN, IPSec, etc that will be harder to implement on a standard linux distro, though there are dedicated distros with the aim of being a production firewall.

#3 lamletoi (Just Joined!)
    Can you tell me about the weak points of iptables in this case, when throughput is important?
    Thanks

#4 Lazydog (Linux Guru)
    I would also be interested in knowing the weak point. Throughput would depend on the type of hardware you are using. Bottom line is, IPTABLES is a good solution for a firewall and can split your DMZ off on the same box with multiple interfaces.

    Quote Originally Posted by mizzle:
    Modern firewalls also have a host of other features, such as VPN, IPSec, etc. that will be harder to implement on a standard Linux distro, though there are dedicated distros with the aim of being a production firewall.
    Not true. What modern firewalls do is make it easier, because they do everything in the background, which doesn't let you troubleshoot issues if you don't understand how things work and were put together. Bottom line is, if you want to know how things work and are put together, you will never beat a Linux distro.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

#5 mizzle (Linux Engineer)
    Quote Originally Posted by Lazydog:
    I would also be interested in knowing the weak point. Throughput would depend on the type of hardware you are using. Bottom line is, IPTABLES is a good solution for a firewall and can split your DMZ off on the same box with multiple interfaces.
    This was in regard to using older hardware, not iptables.
    Dollar for dollar, you're going to get much better hardware in a dedicated firewall device than you will in another device. If you want to play around and put a massive bottleneck on your network, go for iptables. If you care about throughput, put a Cisco firewall on the edge of your LAN and move on with your life.

    Quote Originally Posted by Lazydog:
    Not true. What modern firewalls do is make it easier, because they do everything in the background, which doesn't let you troubleshoot issues if you don't understand how things work and were put together.
    Yes, they make common, more complicated tasks easier. Which is why I said it would be harder, not impossible.

#6 Lazydog (Linux Guru)
    Quote Originally Posted by mizzle:
    This was in regard to using older hardware, not iptables.
    Dollar for dollar, you're going to get much better hardware in a dedicated firewall device than you will in another device. If you want to play around and put a massive bottleneck on your network, go for iptables. If you care about throughput, put a Cisco firewall on the edge of your LAN and move on with your life.
    Dollar for dollar, I assure you I can build a better firewall than a Cisco firewall using iptables. The difference between an appliance and a computer is that the appliance is focused on one task where the computer isn't. It isn't hard to turn a computer into an appliance and optimize it. In fact, that is all an appliance is, and dollar for dollar I can buy better hardware for the price I pay for a Cisco appliance. So your comment about iptables being a bottleneck doesn't hold water.

    Regards
    Robert


#7 bleedingsamurai (Just Joined!)
    Well, as far as hardware goes, make sure you have some solid NICs. Most "dedicated" firewalls only really have Pentium III processors. Networking hardware uses a special kind of memory that is not only extremely good at flinging packets down the wire but also extremely expensive. Put money into your NICs, though, and you shouldn't have to worry about memory speed hurting you too much.

    As for software, you need to think about the network, the users, and the services. Is this just going to be a firewall? Or one of those fancy network gateways that handles VPN, routing, firewalling, NTP, etc. etc.?
    The most secure, but not always cost-effective, method is to separate each service so your firewall just firewalls.

    It seems like you are pretty new to the firewall world, so either get ready to learn a lot or just buy a pre-baked solution that isn't as flexible (and isn't as secure as a DIY firewall in the hands of someone skilled).
    As far as iptables rules go: always make sure everything is blocked by default and that you open ports as you need them. Make sure you are tracking the state of the connection/port, not just throwing up a stateless firewall with the same ports open and closed under different situations.

    Putting the system together should mean having the absolute bare minimum. No Xorg, nothing frivolous at all. If it will be headless or you'd like remote access, use SSH. Make sure that SSH is using certificate authentication and does not allow password authentication.
    Make sure the system is hardened: SELinux is a good idea; build a static kernel binary, disable loadable kernel modules, and rip everything except what you absolutely need out of the kernel. Get rid of as many setuid and setgid files as possible, and make sure all files have owners. I'd put an rkhunter script in cron too.

    That is a bare minimum, there are lots of other things you might want to do like configuring an IDS such as Snort.

    I like to use Gentoo Linux or FreeBSD to build firewalls. But I can see Debian and CentOS being good candidates after a bit of stripping down.
    Last edited by bleedingsamurai; 08-18-2012 at 01:16 PM. Reason: additional info
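As an added example, not code from the thread or from any of its posters, here is one way to put bleedingsamurai's rules (block everything by default, track connection state, open only the ports you need) and Lazydog's point in #4 (split the DMZ off the same box on its own interface) into a single iptables script. The interface names (eth0 WAN, eth1 DMZ, eth2 LAN), the address ranges, the web/mail server addresses and the admin subnet are all assumptions for illustration and must be replaced with the real ones. Run as a non-root user, or without the `apply` argument, it only echoes the commands so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread): a three-interface iptables firewall
# with a default-deny policy, connection tracking, a DMZ split off on its own
# interface, and NAT for the published DMZ services.
# Interface names, address ranges and server addresses are ASSUMPTIONS for
# illustration; adjust them to the real network before running with "apply".
set -eu

WAN=${WAN:-eth0}                      # assumed: interface facing the Internet
DMZ=${DMZ:-eth1}                      # assumed: interface facing the DMZ
LAN=${LAN:-eth2}                      # assumed: interface facing the user LAN
DMZ_NET=${DMZ_NET:-192.0.2.0/24}      # assumed DMZ range (TEST-NET-1)
LAN_NET=${LAN_NET:-10.10.0.0/16}      # assumed LAN range
WEB=${WEB:-192.0.2.10}                # assumed web server in the DMZ
MAIL=${MAIL:-192.0.2.20}              # assumed mail server in the DMZ
ADMIN_NET=${ADMIN_NET:-10.10.1.0/24}  # assumed admin subnet allowed to SSH in

# Only "sh fw.sh apply" as root changes the live ruleset; any other invocation
# prefixes every command with echo so the ruleset can be reviewed first.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then RUN=""; else RUN="echo"; fi

flush_all() {
    $RUN iptables -F; $RUN iptables -X
    $RUN iptables -t nat -F; $RUN iptables -t nat -X
}

set_default_deny() {
    # Everything not explicitly allowed below is dropped, on every chain.
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT DROP
}

antispoof_rules() {
    # A packet arriving from the Internet must not claim an internal source.
    $RUN iptables -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    $RUN iptables -A FORWARD -i "$WAN" -s "$DMZ_NET" -j DROP
    $RUN iptables -A INPUT   -i "$WAN" -s "$LAN_NET" -j DROP
    $RUN iptables -A INPUT   -i "$WAN" -s "$DMZ_NET" -j DROP
}

stateful_rules() {
    # The stateful core: once a connection is admitted by a NEW rule, its
    # replies and related traffic are accepted; packets with invalid state are dropped.
    for chain in INPUT FORWARD OUTPUT; do
        $RUN iptables -A "$chain" -m conntrack --ctstate INVALID -j DROP
        $RUN iptables -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
}

host_rules() {
    # Traffic to/from the firewall itself: loopback, SSH from the admin subnet
    # only, and outbound DNS/NTP/HTTPS so the box can resolve, sync and update.
    $RUN iptables -A INPUT  -i lo -j ACCEPT
    $RUN iptables -A OUTPUT -o lo -j ACCEPT
    $RUN iptables -A INPUT -i "$LAN" -s "$ADMIN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $RUN iptables -A OUTPUT -p udp -m multiport --dports 53,123 -m conntrack --ctstate NEW -j ACCEPT
    $RUN iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
}

forward_rules() {
    # Internet -> DMZ: only the published services (DNAT below rewrites the destination first).
    $RUN iptables -A FORWARD -i "$WAN" -o "$DMZ" -d "$WEB"  -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    $RUN iptables -A FORWARD -i "$WAN" -o "$DMZ" -d "$MAIL" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    # LAN -> DMZ: users reach web and mail, nothing else in the DMZ.
    $RUN iptables -A FORWARD -i "$LAN" -o "$DMZ" -d "$WEB"  -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    $RUN iptables -A FORWARD -i "$LAN" -o "$DMZ" -d "$MAIL" -p tcp -m multiport --dports 25,143,993 -m conntrack --ctstate NEW -j ACCEPT
    # LAN -> Internet: outbound from the LAN range is allowed.
    $RUN iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # DMZ -> Internet: the mail server may deliver mail; DMZ hosts may resolve names.
    $RUN iptables -A FORWARD -i "$DMZ" -o "$WAN" -s "$MAIL" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    $RUN iptables -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    # DMZ -> LAN is never initiated from the DMZ, so a compromised web or mail
    # server cannot reach the DC or SharePoint. Logged (rate-limited), then
    # dropped by the FORWARD policy.
    $RUN iptables -A FORWARD -i "$DMZ" -o "$LAN" -m limit --limit 5/min -j LOG --log-prefix "DMZ-to-LAN blocked: "
}

nat_rules() {
    # Hide LAN/DMZ addresses behind the WAN interface; publish web and mail.
    $RUN iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    $RUN iptables -t nat -A PREROUTING -i "$WAN" -p tcp -m multiport --dports 80,443 -j DNAT --to-destination "$WEB"
    $RUN iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 25 -j DNAT --to-destination "$MAIL"
}

build_firewall() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN sysctl -w net.ipv4.conf.all.rp_filter=1   # kernel-side source-address validation
    flush_all
    set_default_deny
    antispoof_rules
    stateful_rules
    host_rules
    forward_rules
    nat_rules
}

build_firewall
```

The order matters: the anti-spoofing drops sit before the ESTABLISHED,RELATED accept, and the only NEW-state rules crossing from the DMZ go to the Internet, never to the LAN. If you later add a service that the DMZ must reach on the LAN (a directory lookup, say), add one narrow NEW rule for that host and port rather than loosening the policy.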

#8 jonniemuk (Just Joined!)
    Wow, wow, man, bleedingsamurai has got really lots of info on firewalls; thumbs up to him. Now I don't want to start a new thread, but mine is related to lamletoi's. I want to set up a gateway/firewall that will distribute internet to about 30 devices, so I added another PCI NIC to my Linux box. When I run lspci I can see both cards, the on-board one and the PCI one, and their HW addresses, but when I run ifconfig I only see eth0, lo and something like virb0, and nothing like eth1 and beyond for the PCI NIC.

    Some help.

#9 Lazydog (Linux Guru)
    You should really start a new thread for this, as it isn't firewall-related at all but a configuration issue. You need to configure the new interface and then start it in order for ifconfig to see it. If you run ifconfig -a you should see it. Use the man pages to see what the difference is between the two commands.

    Regards
    Robert


#10 amithad (Linux Newbie)
    Hi,

    I'm also planning to implement a firewall at my company.

    I guess your setup is as follows:

    gateways (gateway1, 2, etc.) ---------> firewall (DMZ: mail server, web server) ----------> LAN (comprises 200 workstations, including SharePoint and DC)

    You can use:

    1. Smoothwall
    2. pfSense (haven't tried with multiple WANs)
    3. fwbuilder (haven't tried with multiple WANs)
    4. Shorewall (multiple WANs)
