requesting feedback on my CORPORATE firewall howto

lbm
Posts: 494
Joined: 2009-05-16 09:24
Location: Denmark

Re: requesting feedback on my CORPORATE firewall howto

#61 Post by lbm »

Coo, Thanks

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

ipv6 firewalling?

#62 Post by Ahtiga Saraz »

@ drokmed:

Hope you found employment and stability. When you are able to return to the abazaba project, I urgently request updating it to include ipv6. Turns out that CUPS (recently acquired by Apple) is apparently now using ipv6, so if you use a networked printer and do NOT use a firewall which is ipv6 capable, you could be in real trouble!
Ahtiga Saraz

The people standing against the tyrants! Audacity, more audacity, always audacity!

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#63 Post by drokmed »

Hi all,

Anyone still following this? I'm still off-line, but checking in here. I still care about this project, and would love to have a good reason to dive into it again. I know, it needs updating. I'm re-reading it now, and thinking about updating it.

Personally, I'm still struggling, and no longer have the resources I once had, but might be able to beg, borrow or steal, so to speak. Secondly, last I heard, the dansguardian author basically quit the project, I've been out of touch since then, so don't know the fate of dansguardian.

Is there still any interest in building custom dansguardian-based linux firewalls?
Author of the Debian Linux Security Appliance Firewall howto, found here
Thread discussing it is here

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Here's one reason!

#64 Post by Ahtiga Saraz »

Hullo, drokmed!
drokmed wrote: Is there still any interest in building custom dansguardian-based linux firewalls?

Heck, yes!

drokmed wrote: I know, it needs updating. I'm re-reading it now, and thinking about updating it.

In a word (four letters, four syllables, how quaint): ipv6.

I was about to rededicate the low-end old used PC I purchased for this project, but now I think I'll wait a few days for your response.

Very sorry to hear your employment situation has not improved.

I am not a business, just a citizen who desires a modest, boring and private life, and could say more about why I think a dedicated firewall/IDS might increasingly be suitable for everyone, particularly if one can build such a thing on an old box which would otherwise be recycled.

I'd probably also like to see more security (so, less emphasis on problematic graphical interfaces). The Dansguardian stuff (parental controls and such) doesn't interest me much, I think, since I have no children or employees, although I can see that businesses need something like that.

The capability I most desire is probably the ability to monitor packets on my (tiny) LAN, something like iftop (and at will wireshark) for more than one PC. As I understand it, your project offers that plus firewalling. I have a printer which has decided to use ipv6 and I worry that my current firewall has no ipv6 capability at all. That's a huge problem and so far it seems that very few open source resources are addressing it.

Independently of my own needs, I'd like to see you come up with something which volunteers can use locally to help local nonprofit organizations (e.g. local legal aid, free medical clinics, small government services, political advocacy groups) improve their network security.

Absent Minded
Posts: 3464
Joined: 2006-07-09 08:50
Location: Washington State U.S.A.
Been thanked: 3 times

Re: requesting feedback on my CORPORATE firewall howto

#65 Post by Absent Minded »

Actually, this how-to already helps several not-for-profit agencies. It is understandable enough to be used by many average users of GNU/Linux (can't say the same for "average users" of MS products though).
Serving the community the best way I can.
Spreading the tradition of Community Spirit.
Please read some Basic Forum Philosophy
Give a man a fish, he eats for a day. Teach him how to fish, he eats for life.
Updated Nov. 19, 2012

62chevy
Posts: 1589
Joined: 2009-10-25 01:09
Location: West Virginia

Re: requesting feedback on my CORPORATE firewall howto

#66 Post by 62chevy »

I used your Howto to create my home firewall/router but I don't need a proxy or net-nanny as it's just me and the wife. Since putting up the firewall my network has become more responsive and has one flat line when not using the internet. Shorewall could have easily filled a land fill with paper with dropped net2loc and net2fw IP #s. As I don't have any Microsoft Windows$ installed on any of my computers I have to wonder why they keep probing my hardware or at least trying now.
Debian Buster

SeanR
Posts: 4
Joined: 2011-11-20 03:33

Re: requesting feedback on my CORPORATE firewall howto

#67 Post by SeanR »

I'm trying to use your tutorial to set up a firewall for my school.
So far, I found the need for transparent, which let me get squid working.
I'm currently stymied by DansGuardian. I've gotten it to work once before, but now it seems to be running, but nothing is happening.

The session of iceweasel I have running on a second machine returns a "connection was reset" message.
The access.log for squid gets the following appended to it:
1321760396.482 0 172.18.0.2 TCP_DENIED/400 1959 GET NONE:// - NONE/= text/html
The access.log for dansguardian is still empty.

Due to several factors, I've had to leave things out when encountering them in your tutorial.

NetworkManager 0.8.1 is active, so I didn't do any alterations to the interfaces file. (Or rather, I reversed the ones I did make, that blocked it from working.)
I skipped most of the optional components at this point.
Everything worked, (once I added the word 'transparent'), through Squid, and I can still remove the proxy settings in IceWeasel and get it to load pages, (and get proper responses in the access log for Squid.)
The only alterations I've made to DansGuardian.conf SO far are the ones you've directed, and uncommenting daemonuser = 'dansguardian' and daemongroup = 'dansguardian'...in an attempt to get it working.
Though I did notice that dansguardian now uses a slightly different directory layout. /etc/dansguardian/contentscanners/clamav.conf versus /etc/dansguardian/clamav.conf
Same with bannediplist and exceptioniplist


I'm sorry to hear about your job situation. I hope you find good paying work soon.

SeanR
Posts: 4
Joined: 2011-11-20 03:33

Re: requesting feedback on my CORPORATE firewall howto

#68 Post by SeanR »

Well, I've not solved my problem yet, but I did find one interesting and unpleasant bit of behavior for squid.
I hand-erased the contents of the access.log for squid and it quit working. At all. It loaded without throwing an error, but basically refused all connections.
Erasing, or rather renaming, the access.log file freed it up so it worked again.

SeanR
Posts: 4
Joined: 2011-11-20 03:33

Re: requesting feedback on my CORPORATE firewall howto

#69 Post by SeanR »

I'm up.
I'm not sure of what all changes applied to getting this to work.

The following changes seem important.

In squid.conf:
Before you can test DansGuardian in NON-TRANSPARENT mode, you need to comment out the following line:
# http_port [filter ip address]:3128 transparent
and UNCOMMENT the following line:
http_port [loopback ip address]:3128

I don't know if uncommenting the daemonuser and daemongroup lines did anything at all, but it appears to work with them uncommented, so I'm leaving it as is.

P.S. Don't forget to restart squid
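
The change described in post #69, as an added example that is not part of any post and not code from the howto: a check that the address DansGuardian forwards to (`proxyip`/`proxyport` in dansguardian.conf) has an active Squid `http_port` line that is not in transparent mode. The sample configs and their addresses are constructed placeholders, and the function names are hypothetical.

```python
# Constructed sample configs; addresses are placeholders, not values from the thread.
SQUID_BEFORE = "http_port 192.168.1.1:3128 transparent\n# http_port 127.0.0.1:3128\n"
SQUID_AFTER = "# http_port 192.168.1.1:3128 transparent\nhttp_port 127.0.0.1:3128\n"
SQUID_WRONG_MODE = "http_port 127.0.0.1:3128 transparent\n"
DANSGUARDIAN = "filterport = 8080\nproxyip = 127.0.0.1\nproxyport = 3128\n"


def squid_listeners(conf):
    """Map (ip, port) -> set of options for every uncommented http_port line."""
    listeners = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "http_port":
            ip, _, port = parts[1].rpartition(":")
            listeners[(ip or "*", int(port))] = set(parts[2:])
    return listeners


def dg_upstream(conf):
    """Return (proxyip, proxyport): where DansGuardian forwards requests."""
    kv = {}
    for line in conf.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            kv[key.strip()] = value.strip().strip("'\"")
    return kv["proxyip"], int(kv["proxyport"])


def check(squid_conf, dg_conf):
    """Return (ok, reason) for the DansGuardian -> Squid hop."""
    ip, port = dg_upstream(dg_conf)
    listeners = squid_listeners(squid_conf)
    # A listener with no address ("http_port 3128") accepts on every interface.
    opts = listeners.get((ip, port), listeners.get(("*", port)))
    if opts is None:
        return False, f"no active http_port on {ip}:{port}"
    # "intercept" is the name later Squid releases use for "transparent".
    if opts & {"transparent", "intercept"}:
        return False, f"http_port {ip}:{port} is in transparent mode"
    return True, f"http_port {ip}:{port} is a plain proxy listener"


if __name__ == "__main__":
    for name, conf in [("before", SQUID_BEFORE), ("after", SQUID_AFTER),
                       ("wrong mode", SQUID_WRONG_MODE)]:
        print(name, check(conf, DANSGUARDIAN))
```

Run it against the real files by reading /etc/squid/squid.conf and /etc/dansguardian/dansguardian.conf into strings, adjusting the paths to your layout.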

dnecro
Posts: 4
Joined: 2012-04-19 05:25

Re: requesting feedback on my CORPORATE firewall howto

#70 Post by dnecro »

Hey drokmed, I just found your how-to and I love it, but I want to ask why some headers have only "**I need add this". Are you planning to add these later when you update your guide? And yes, we are still here and following :)

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#71 Post by drokmed »

Thanks, glad to hear people still find it useful. Yes, my original intent was to keep updating it. However, I'm in no position to right now. Someday hopefully I'll dive back into this project.

Cheers

dnecro
Posts: 4
Joined: 2012-04-19 05:25

Re: requesting feedback on my CORPORATE firewall howto

#72 Post by dnecro »

Then we will be eagerly waiting for you. :mrgreen: Thanks drokmed.

drokmed
Posts: 1162
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#73 Post by drokmed »

Greetings fellow Debian Enthusiasts!

I am now in a position to devote time to updating this project!

I have been on a long journey, kind of like our little friend Bilbo Baggins did when leaving Hobbiton. Like Bilbo, I have been there and back again. And like Bilbo, my experiences have introduced to me a different aspect of this world. I still have a fondness for Linux, but my eyes have also been opened to other levels of existence, mainly sunshine, tilling earth and growing plants, slightly different lifestyle :)

Okay, let's dive in. Over two years ago (26 months), I released this document on what was then considered the frozen "soon to be stable" version of Debian called "Squeeze".

Today, twenty six months later, gee, what a surprise... "Squeeze" is still the stable version. Any need to update my how-to document?

Honestly, I don't know yet. Last time I heard, the dansguardian author quit on us, and reached out to the community, hoping somebody else would pick up the mantle. At this point, I do not know what has become of that.

Other than that, I'm not aware of any major changes. If anyone is aware of anything worth mentioning, I'd appreciate a response to this. Otherwise, except for the future plans I had laid out within the document, its current status remains current and accurate.

On a side note, sorry for being away a while, life takes you where you least expect it. I'm back here for a while, hoping I see some old friends from years past.

As always, cheers,

Daryl

edit: last posted pdf version is available for download from here: http://www.4shared.com/office/nWMRt60B/ ... ewall.html
Last edited by drokmed on 2012-12-13 07:40, edited 1 time in total.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 13 times
Been thanked: 66 times

Re: requesting feedback on my CORPORATE firewall howto

#74 Post by dilberts_left_nut »

Welcome back drokmed!

Congrats on the foray into open source food :)
AdrianTM wrote: There's no hacker in my grandma...

62chevy
Posts: 1589
Joined: 2009-10-25 01:09
Location: West Virginia

Re: requesting feedback on my CORPORATE firewall howto

#75 Post by 62chevy »

dilberts_left_nut wrote: Welcome back drokmed!

Congrats on the foray into open source food :)

+1

I've been doing a bit of that myself. 8)

jbudd0649
Posts: 1
Joined: 2013-02-27 13:21

Re: requesting feedback on my CORPORATE firewall howto

#76 Post by jbudd0649 »

This was a great guide. Very easy to follow, I'm pretty new to Debian and the command line so it took me the better part of the day to complete but the end product works great. I would like to see a captive portal section added to this guide. I have started google bombing to find a guide but I haven't found anything concise yet. Thanks again for the hard work.

dnecro
Posts: 4
Joined: 2012-04-19 05:25

Re: requesting feedback on my CORPORATE firewall howto

#77 Post by dnecro »

We are still here and following it :) You can at least add the missing parts even if the other parts stay as they are (which I have no problem with). Thanks for the great work again, by the way :D :D

dnecro
Posts: 4
Joined: 2012-04-19 05:25

Re: requesting feedback on my CORPORATE firewall howto

#78 Post by dnecro »

Turret: "Are you still there?"

For dansguardian there is a fork of it: e2guardian
or
You can look for another: NxFilter

For now that's all I've got.
