- 10-01-2005 #1 Just Joined!
- Join Date
- Jun 2005
- Location
- Ljubljana, Slovenia
- Posts
- 18
Looking for opinion about firewall setup...
Hi
I would like to know if my firewall is set up correctly.
The situation:
1. The connection to the internet is provided by an external ADSL modem.
2. To the ADSL modem a router with wireless capabilities is connected (IP address of the router from the internal network is 192.168.2.1, netmask 255.255.255.0)
3. Two laptops (SUSE 9.3, WinXP) are connected to the router wirelessly (IPs 192.168.2.101, 192.168.2.102)
4. The third computer is a desktop PC running SUSE 9.3 and is connected to the router via an ethernet cable. Its IP is 192.168.2.100.
5. A printer is attached to the desktop PC. The printer should be available to the laptops via Samba (for the WinXP laptop) and CUPS (Linux). Also, Samba shares should be available.
Is it OK if I put the ethernet card of the desktop PC into the firewall's internal zone, enable "protect services from internal network" (so that only explicitly enabled services are allowed), and enable the Samba and CUPS server ports in the firewall's internal zone? Is this a correct and safe setup (from the point of view of the firewall settings)?
Any opinions would be greatly appreciated.
Thanks
- 10-02-2005 #2
Which of these devices is doing the firewalling? Surely that would be done by port filtering inside the ADSL modem/router?
If so, then you can relax the permissions for machines inside the LAN and allow everyone inside the LAN to have access to the services of the SuSE machine. You don't normally need to protect machines behind the firewall from each other unless you have problems with specific users on the LAN.
Linux user #126863 - see http://linuxcounter.net/
- 10-02-2005 #3 Just Joined!
- Join Date
- Jun 2005
- Location
- Ljubljana, Slovenia
- Posts
- 18
Yes, filtering is done by the wireless router (my ISP has locked the settings of the ADSL modem, so it is not possible to change any settings there).
- 10-03-2005 #4 Just Joined!
- Join Date
- Jun 2005
- Location
- Canada, Halifax
- Posts
- 86
You can never be too careful when implementing LAN security; ideally you should implement a certain amount of firewalling on every machine. "Border guard" style security would not adequately protect your network, since two of the machines are laptops and are free to connect to other LANs and hence act as potential carrier links back to the "safe LAN", thus easily bypassing the "strong" outer shell.
The first and most important security task is to decide on your threat model. Most probably you're not overly concerned with physical access to your machine: that twenty dollar lock on your front door is probably good enough. You're most probably concerned with a remote user/worm or Trojan app gaining access to a vulnerable service/data on your local machines. In this case enable the highest level of cryptography and set static IP addresses in your wireless router, only install/enable the minimum number of services required, and implement some sort of firewalling on every machine.
I would think very carefully about setting any sort of "safe" zone. Never trust the network, even your own. "Just because you're paranoid doesn't mean that they aren't out to get you" - Fox Mulder, X-Files
No one can fully understand your particular security needs or risk threshold except you.
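
The per-machine firewalling discussed in this thread, as an added example that is not part of any post: a script that emits an `iptables-restore` ruleset for the desktop PC, dropping inbound traffic by default and accepting only Samba and CUPS from the two laptops. Assumptions: the desktop's interface is `eth0`, the laptops keep the static addresses given in the first post, and the function and variable names are made up for this sketch.

```sh
#!/bin/sh
# Added example (not from the thread): host firewall for the desktop PC
# (192.168.2.100). Default-deny inbound; Samba and CUPS only from the laptops.

LAN_IF="eth0"                           # assumed name of the desktop's NIC
CLIENTS="192.168.2.101 192.168.2.102"   # laptop addresses from the first post
TCP_PORTS="139,445,631"                 # NetBIOS session, SMB, IPP (CUPS)
UDP_PORTS="137,138"                     # NetBIOS name and datagram services

# Print the ruleset in iptables-restore format instead of applying it,
# so it can be reviewed (or checked with `iptables-restore --test`) first.
gen_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"            # anything not matched below is dropped
    echo ":FORWARD DROP [0:0]"          # the desktop is not a router
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    # Replies to connections the desktop itself opened.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for ip in $CLIENTS; do
        # Every service rule is pinned to one source address and the LAN NIC.
        echo "-A INPUT -i $LAN_IF -s $ip -p tcp -m multiport --dports $TCP_PORTS -m conntrack --ctstate NEW -j ACCEPT"
        echo "-A INPUT -i $LAN_IF -s $ip -p udp -m multiport --dports $UDP_PORTS -j ACCEPT"
    done
    # Rate-limited log of what falls through to the DROP policy.
    echo "-A INPUT -m limit --limit 6/min -j LOG --log-prefix \"fw-drop: \""
    echo "COMMIT"
}

# As root: gen_rules | iptables-restore --test   (syntax check only)
#          gen_rules | iptables-restore          (apply)
gen_rules
```

The logged drops show what else on the LAN is trying to reach the desktop, which is a quick way to see whether a laptop brought something back from another network.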