requesting feedback on my CORPORATE firewall howto

Postby drokmed » 2008-05-22 17:54

EDIT: Yet another new location:
https://drive.google.com/file/d/0B6gmrAuCpS-KbVVPTmgwZUZhYUU/view?usp=sharing

old location, file can be retrieved here:

http://www.4shared.com/document/nWMRt60B/abazaba_squeeze_firewall.html

Hi all,

I'd appreciate your feedback on this howto I've been working on. It covers:

Debian Etch (STABLE) GNU/Linux

* shorewall - robust firewall configuration tool
* dnsmasq - simple DNS and DHCP server
* squid - robust web caching server
* dansguardian - robust web content filtering server
* webmin - remote web-based graphical management interface
* psad - port scan attack detection
* fwsnort - iptables-based attack detection and active response
* nmap - robust text-based port scanner
* iftop - real-time network interface traffic monitor
* ntop - web-based network traffic sampling and reporting
* and many other utilities, like ntp, openssh-server, ddclient, etc.

http://www.abazaba.org/debian/firewall.html

You can download it in OOo or pdf format.

It will never be done in my opinion, because I keep adding stuff to it, which is good because it will be up to date. However, as it stands now, it is complete enough to meet my initial requirements. There is a ton of stuff in it. It is written for the novice Linux user, but dives into advanced firewall techniques. I hope you find it educational.

I'd be grateful for any feedback. I'm still working on it, filling in some of the details. I'm not ready to provide support for it yet... I'm just looking for feedback on the content at this point.

When I feel the content is done enough, I will post it in this forum's HOWTO section.

Thanks
Last edited by drokmed on 2014-12-01 21:35, edited 3 times in total.
drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Postby drokmed » 2008-05-23 21:01

Nobody?

Damn, I was hoping somebody would take a look at it. It's the culmination of hundreds of hours of research and experience. I will continue to expand on it.
drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Postby MeanDean » 2008-05-23 21:12

I thought the web page was it... didn't see much until I noticed the pdf file. Damn, that's a lot of info.... Looks awesome to me, but I am not much of a server/network kind of guy any more. Not really your target audience :)
MeanDean
Posts: 3953
Joined: 2007-09-01 01:14

Postby saulgoode » 2008-05-24 02:35

I have downloaded it and am in the process of perusing it. I am about a third of the way through it.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian Kernighan
saulgoode
Posts: 1545
Joined: 2007-10-22 11:34

Postby industrialpunk » 2008-05-24 03:26

Awesome Drokmed! I've been waiting for this since you told me about it a few months ago. Downloading right now.
-Josh Willingham
industrialpunk
Posts: 733
Joined: 2007-03-07 22:30
Location: San Diego, CA, USA

Postby Absent Minded » 2008-05-24 07:19

What a nice read. About the only suggestions I have would be to add more links to your how-to, so when a new user gets a hold of this and isn't familiar with some of these things they can read up on them. Also, you have it marked for a beginner and then say that it is for intermediate enthusiasts. I think your how-to can be used by a beginner if you add the external links to explain things that you are not covering. Overall it is a nice how-to IMHO. I found it easy to understand and your meanings were clear and precise. I may just have to try it out when you are done just to see how it goes.

Thanks for the preview.
Michael
Serving the community the best way I can.
Spreading the tradition of Community Spirit.
Please read some Basic Forum Philosophy
Give a man a fish, he eats for a day. Teach him how to fish, he eats for life.
Updated Nov. 19, 2012
Absent Minded
Posts: 3755
Joined: 2006-07-09 08:50
Location: Washington State U.S.A.

Postby drokmed » 2008-05-25 15:19

Absent Minded wrote:What a nice read. About the only suggestions I have would be to add more links to your how-to, so when a new user gets a hold of this and isn't familiar with some of these things they can read up on them. Also, you have it marked for a beginner and then say that it is for intermediate enthusiasts. I think your how-to can be used by a beginner if you add the external links to explain things that you are not covering. Overall it is a nice how-to IMHO. I found it easy to understand and your meanings were clear and precise. I may just have to try it out when you are done just to see how it goes.

Great feedback, exactly what I'm looking for, thanks.

When I have all of the "meat and potatoes" in place, I do plan to go back and add pictures, illustrations, hyperlinks to references, diagrams (lots of these), and try to make it an "easier to consume" document. It does cover A LOT of information, so making it fun to learn will be a challenge too.

Engineers make lousy artists, so I'm going to have to learn the fancy stuff too! :D
drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Postby saulgoode » 2008-05-25 15:52

drokmed wrote:When I have all of the "meat and potatoes" in place, I do plan to go back and add pictures, illustrations, hyperlinks to references, diagrams (lots of these), and try to make it an "easier to consume" document. It does cover A LOT of information, so making it fun to learn will be a challenge too.

That should be helpful. In particular, a brief overview of the setup at the beginning which delineates the LAN and WAN, mentions how multiple workstations/netdevices are connected to the firewall, and how IP addresses are associated with NICs should prove useful for neophytes.

-----------
As far as specific changes, I would propose that each application's section include a brief reminder of what the app's purpose is. For example,
    Install Webmin (remote web-based graphical management)

    Installing fwsnort (iptables-based attack detection and active response)
------------
The port knocking section should probably include an overall description of the concept.

------------
A couple of typos (I didn't really proofread the doc, but thought I'd mention the ones I noticed):

On the bottom of page 5 (of PDF), you mention 'file server name' -- perhaps this should be "firewall server name"? (especially since you'd just finished presenting the idea that file servers on a firewall are a Bad Idea)

On page 14 (of PDF), the first "Note" states "will will" where it should be "we will"

----------
As far as I can tell, the only section of your document which seems to be particularly Debian-specific is the part on pages 10-11 about configuring the second NIC (editing '/etc/network/interfaces'). I would propose mentioning how implementers using other distros might accomplish the same task. (For example, the Slackware mechanism for configuring interfaces is by editing '/etc/rc.d/rc.inet#.conf' files.)

Once again, thanks for sharing your document.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian Kernighan
saulgoode
Posts: 1545
Joined: 2007-10-22 11:34

Postby drokmed » 2008-05-25 16:13

Excellent :)

Thanks saulgoode, good feedback. I'll implement all of your suggestions.

I thought I had caught all of the 'server' vs 'firewall' errors. I copied this howto from my other server howto, then modified it to be a firewall howto. I've read this 'firewall' howto too many times, and things like that don't register in my brain as easily.

I'll release the other 'server' howto later this year.
drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Postby codge » 2008-06-14 12:54

I've implemented most of your firewall howto into a fresh install of Lenny. I haven't yet configured snort but will be doing so in the near future. It's nice to see a clear, easy to understand howto; more than likely it's overkill for my home set-up, but you never know! Thanks.
codge
 
Posts: 207
Joined: 2008-03-22 17:35

Postby drokmed » 2008-06-14 15:11

Glad to hear it. Let me know if you find any mistakes, or I missed documenting an important step, etc.

So far, I have only built it on Etch. As Lenny approaches stable, I was going to try it, just to see what the differences are. I already know there will be big differences for shorewall. I'd be grateful for any Lenny-specific feedback you have.

I am still actively working on this document, updating and adding content. Maybe this weekend I'll incorporate all of the new info, and release an update.
drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Postby Xylock » 2009-01-09 08:57

Yo, Drokmed!

I built a server today following your little recipe here - IMHO it's a great piece of work! That must've taken quite a bit of effort, I reckon.

I notice you haven't finished it, and last published an update June last year. I just want to encourage you to finish it if and when you get time - I personally really appreciated it, and would love to see those final chapters explained as meticulously as the existing ones.

Cheers.

PS. I'm using it between a wireless & wired network, and stumbled a lil' on the NORFC1918 bit.. probably not going to affect most people, just thought I'd mention it. Fix was in /etc/shorewall/interfaces if anyone else has this problem.
Using rm -rvf * to remove old backups... lazy.
Realising you were in / as root ... priceless.
Xylock
 
Posts: 43
Joined: 2007-04-11 13:28

Postby drokmed » 2009-01-11 00:31

Hi Xylock,

Xylock wrote:Yo, Drokmed!

I built a server today following your little recipe here - IMHO it's a great piece of work! That must've taken quite a bit of effort, I reckon.


Thanks Xylock, I'm glad somebody actually got some use out of it. You reckon right, it took many months to write, spread over years. I've been building that kind of firewall for a long time now. Started back when openSUSE was version 10.x. It's a great setup IMHO.

Xylock wrote:I notice you haven't finished it, and last published an update June last year. I just want to encourage you to finish it if and when you get time - I personally really appreciated it, and would love to see those final chapters explained as meticulously as the existing ones.


I've been waiting for Lenny to go stable before focusing on it again, and of course, update it, and make it more complete. I'll probably die of old age before Lenny goes stable though........

Xylock wrote:PS. I'm using it between a wireless & wired network, and stumbled a lil' on the NORFC1918 bit.. probably not going to affect most people, just thought I'd mention it. Fix was in /etc/shorewall/interfaces if anyone else has this problem.


Great feedback, thanks. I'll add that to it.

You have interesting timing. I picked up a copy of this how-to on Friday, and began reading it again. I would love to start working on it again, but work has me pretty busy. Maybe in a week or so, when I complete my current project, I'll pick this one back up. I'll write it for Lenny. You are welcome to add to it if ya like.

Cheers!
drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

Postby drokmed » 2009-05-18 13:39

I'm thinking about updating this doc to Lenny, if there's any interest. We still use this firewall build.
Author of the Debian Linux Security Appliance Firewall howto, found here
Thread discussing it is here
drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

Postby gnudude » 2009-05-18 13:49

I thought I saw you sneaking around the Fedora forums...
gnudude
 
Posts: 1712
Joined: 2009-04-05 17:30
Location: gone....