requesting feedback on my CORPORATE firewall howto


Re: requesting feedback on my CORPORATE firewall howto

Postby lbm » 2011-05-28 12:14

Coo, Thanks
lbm
 
Posts: 494
Joined: 2009-05-16 09:24
Location: Denmark

ipv6 firewalling?

Postby Ahtiga Saraz » 2011-07-19 17:58

@ drokmed:

Hope you found employment and stability. When you are able to return to the abazaba project, I urgently request updating to include ipv6. Turns out that CUPS (recently acquired by Apple) is apparently now using ipv6, so if you use a networked printer and do NOT use a firewall which is ipv6 capable, you could be in real trouble!
Ahtiga Saraz

The people standing up against the tyrants! Audacity, more audacity, always audacity!
Ahtiga Saraz
 
Posts: 1015
Joined: 2009-06-15 01:19

Re: requesting feedback on my CORPORATE firewall howto

Postby drokmed » 2011-11-16 04:32

Hi all,

Anyone still following this? I'm still off-line, but checking in here. I still care about this project, and would love to have a good reason to dive into it again. I know, it needs updating. I'm re-reading it now, and thinking about updating it.

Personally, I'm still struggling, and no longer have the resources I once had, but might be able to beg, borrow or steal, so to speak. Secondly, last I heard, the dansguardian author basically quit the project. I've been out of touch since then, so I don't know the fate of dansguardian.

Is there still any interest in building custom dansguardian-based linux firewalls?
Author of the Debian Linux Security Appliance Firewall howto, found here
Thread discussing it is here
drokmed
 
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Here's one reason!

Postby Ahtiga Saraz » 2011-11-16 20:40

Hullo, drokmed!

drokmed wrote: Is there still any interest in building custom dansguardian-based linux firewalls?


Heck, yes!

drokmed wrote: I know, it needs updating. I'm re-reading it now, and thinking about updating it.


In a word (four letters, four syllables, how quaint): ipv6.

I was about to rededicate the low-end old used PC I purchased for this project, but now I think I'll wait a few days for your response.

Very sorry to hear your employment situation has not improved.

I am not a business, just a citizen who desires a modest, boring and private life, and could say more about why I think a dedicated firewall/IDS might increasingly be suitable for everyone, particularly if one can build such a thing on an old box which would otherwise be recycled.

I'd probably also like to see more security (so, less emphasis on problematic graphical interfaces). The Dansguardian stuff (parental controls and such) doesn't interest me much, I think, since I have no children or employees, although I can see that businesses need something like that.

The capability I most desire is probably the ability to monitor packets on my (tiny) LAN, something like iftop (and at will wireshark) for more than one PC. As I understand it, your project offers that plus firewalling. I have a printer which has decided to use ipv6 and I worry that my current firewall has no ipv6 capability at all. That's a huge problem and so far it seems that very few open source resources are addressing it.

Independently of my own needs, I'd like to see you come up with something which volunteers can use locally to help local nonprofit organizations (e.g. local legal aid, free medical clinics, small government services, political advocacy groups) improve their network security.
Ahtiga Saraz

Ahtiga Saraz
 
Posts: 1015
Joined: 2009-06-15 01:19

Re: requesting feedback on my CORPORATE firewall howto

Postby Absent Minded » 2011-11-19 16:09

Actually, this how-to already helps several not-for-profit agencies. It is understandable enough to be used by many average users of GNU/Linux (can't say the same for "average users" of MS products though).
Serving the community the best way I can.
Spreading the tradition of Community Spirit.
Please read some Basic Forum Philosophy
Give a man a fish, he eats for a day. Teach him how to fish, he eats for life.
Updated Nov. 19, 2012
Absent Minded
 
Posts: 3757
Joined: 2006-07-09 08:50
Location: Washington State U.S.A.

Re: requesting feedback on my CORPORATE firewall howto

Postby 62chevy » 2011-11-19 16:47

I used your Howto to create my home firewall/router but I don't need a proxy or net-nanny as it's just me and the wife. Since putting up the firewall my network has become more responsive and has one flat line when not using the internet. Shorewall could have easily filled a land fill with paper with dropped net2loc and net2fw IP #s. As I don't have any Microsoft Windows$ installed on any of my computers I have to wonder why they keep probing my hardware or at least trying now.
Debian Squeeze
Debian Sid
SalineOS 1.5
62chevy
 
Posts: 1585
Joined: 2009-10-25 01:09
Location: West Virginia

Re: requesting feedback on my CORPORATE firewall howto

Postby SeanR » 2011-11-20 04:15

I'm trying to use your tutorial to set up a firewall for my school.
So far, I found the need for transparent, which let me get squid working.
I'm currently stymied by DansGuardian. I've gotten it to work once before, but now it seems to be running, but nothing is happening.

The session of iceweasel I have running on a second machine returns a "connection was reset" message.
The access.log for squid gets the following appended to it:
1321760396.482 0 172.18.0.2 TCP_DENIED/400 1959 GET NONE:// - NONE/= text/html
The access.log for dansguardian is still empty.

Due to several factors, I've had to leave things out when encountering them in your tutorial.

NetworkManager 0.8.1 is active, so I didn't do any alterations to the interfaces file. (Or rather, I reversed the ones I did make, that blocked it from working.)
I skipped most of the optional components at this point.
Everything worked, (once I added the word 'transparent'), through Squid, and I can still remove the proxy settings in IceWeasel and get it to load pages, (and get proper responses in the access log for Squid.)
The only alterations I've made to DansGuardian.conf so far are the ones you've directed, and uncommenting daemonuser = 'dansguardian' and daemongroup = 'dansguardian'...in an attempt to get it working.
Though I did notice that dansguardian now uses a slightly different directory layout. /etc/dansguardian/contentscanners/clamav.conf versus /etc/dansguardian/clamav.conf
Same with bannediplist and exceptioniplist


I'm sorry to hear about your job situation. I hope you find good paying work soon.
SeanR
 
Posts: 4
Joined: 2011-11-20 03:33

Re: requesting feedback on my CORPORATE firewall howto

Postby SeanR » 2011-11-24 04:02

Well, I've not solved my problem yet, but I did find one interesting and unpleasant bit of behavior for squid.
I hand-erased the contents of the access.log for squid and it quit working. At all. It loaded without throwing an error, but basically refused all connections.
Erasing, or rather renaming, the access.log file freed it up so it worked again.
SeanR
 
Posts: 4
Joined: 2011-11-20 03:33

Re: requesting feedback on my CORPORATE firewall howto

Postby SeanR » 2011-11-24 04:33

I'm up.
I'm not sure of what all changes applied to getting this to work.

The following changes seem important.

In squid.conf:
Before you can test DansGuardian in NON-TRANSPARENT mode, you need to comment out the following line:
# http_port [filter ip address]:3128 transparent
and UNCOMMENT the following line:
http_port [loopback ip address]:3128

I don't know if uncommenting the daemonuser and daemongroup lines did anything at all, but it appears to work with them uncommented, so I'm leaving it as is.

P.S. Don't forget to restart squid
SeanR
 
Posts: 4
Joined: 2011-11-20 03:33
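
The squid.conf change SeanR describes above, written as an added check that is not part of the original post or of the howto: it lists the active http_port directives and reports whether a non-intercepting listener covers the loopback address. The sample fragments, the placeholder address 192.0.2.1, the loopback address 127.0.0.1 and the function names are assumptions made for this example.

```python
import ipaddress

# Constructed sample squid.conf fragments (addresses are placeholders,
# standing in for "[filter ip address]" and "[loopback ip address]").
BEFORE = """\
http_port 192.0.2.1:3128 transparent
# http_port 127.0.0.1:3128
"""
AFTER = """\
# http_port 192.0.2.1:3128 transparent
http_port 127.0.0.1:3128
"""

# http_port mode flags that put a Squid listener into interception mode.
INTERCEPT_FLAGS = {"transparent", "intercept", "tproxy"}


def active_http_ports(conf_text):
    """Return (host, port, intercepting) for each uncommented http_port line."""
    ports = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        host, _, port = fields[1].rpartition(":")  # bare "3128" -> host ""
        host = host.strip("[]") or "*"             # "*" = all addresses
        intercepting = bool(set(fields[2:]) & INTERCEPT_FLAGS)
        ports.append((host, int(port), intercepting))
    return ports


def covers_loopback(host):
    """True for a wildcard listener or an explicit loopback address."""
    if host in ("*", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def ready_for_explicit_proxy(conf_text):
    """True if some listener reachable on loopback is NOT in interception
    mode, the state the post describes for non-transparent testing."""
    return any(covers_loopback(host) and not intercepting
               for host, _, intercepting in active_http_ports(conf_text))


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, active_http_ports(conf), ready_for_explicit_proxy(conf))
```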

Re: requesting feedback on my CORPORATE firewall howto

Postby dnecro » 2012-04-21 17:37

Hey drokmed, I just found your how-to and I love it, but I want to ask why some headers have only "**I need add this". Are you planning to add these later when you update your guide? And yes, we are still here and following :)
dnecro
 
Posts: 4
Joined: 2012-04-19 05:25

Re: requesting feedback on my CORPORATE firewall howto

Postby drokmed » 2012-04-29 01:04

Thanks, glad to hear people still find it useful. Yes, my original intent was to keep updating it. However, I'm in no position to right now. Someday hopefully I'll dive back into this project.

Cheers
drokmed
 
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

Postby dnecro » 2012-05-01 08:05

Then we will be eagerly waiting for you. :mrgreen: Thanks drokmed.
dnecro
 
Posts: 4
Joined: 2012-04-19 05:25

Re: requesting feedback on my CORPORATE firewall howto

Postby drokmed » 2012-12-13 07:27

Greetings fellow Debian Enthusiasts!

I am now in a position to devote time to updating this project!

I have been on a long journey, kind of like our little friend Bilbo Baggins did when leaving Hobbiton. Like Bilbo, I have been there and back again. And like Bilbo, my experiences have introduced to me a different aspect of this world. I still have a fondness for Linux, but my eyes have also been opened to other levels of existence, mainly sunshine, tilling earth and growing plants, slightly different lifestyle :)

Okay, let's dive in. Over two years ago (26 months), I released this document on what was then considered the frozen "soon to be stable" version of Debian called "Squeeze".

Today, twenty-six months later, gee, what a surprise... "Squeeze" is still the stable version. Any need to update my how-to document?

Honestly, I don't know yet. Last time I heard, the dansguardian author quit on us, and reached out to the community, hoping somebody else would pick up the mantle. At this point, I do not know what has become of that.

Other than that, I'm not aware of any major changes. If anyone is aware of anything worth mentioning, I'd appreciate a response to this. Otherwise, except for the future plans I had laid out within the document, its current status remains current and accurate.

On a side note, sorry for being away a while, life takes you where you least expect it. I'm back here for a while, hoping I see some old friends from years past.

As always, cheers,

Daryl

edit: last posted pdf version is available for download from here: http://www.4shared.com/office/nWMRt60B/abazaba_squeeze_firewall.html
Last edited by drokmed on 2012-12-13 07:40, edited 1 time in total.
drokmed
 
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

Postby dilberts_left_nut » 2012-12-13 07:36

Welcome back drokmed!

Congrats on the foray into open source food :)
AdrianTM wrote: There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 5077
Joined: 2009-10-05 07:54
Location: enzed

Re: requesting feedback on my CORPORATE firewall howto

Postby 62chevy » 2012-12-14 03:24

dilberts_left_nut wrote: Welcome back drokmed!

Congrats on the foray into open source food :)



+1

I've been doing a bit of that myself. 8)
62chevy
 
Posts: 1585
Joined: 2009-10-25 01:09
Location: West Virginia
