requesting feedback on my CORPORATE firewall howto
EDIT: Yet another new location:
https://drive.google.com/file/d/0B6gmrA ... sp=sharing
old location, file can be retrieved here:
http://www.4shared.com/document/nWMRt60 ... ewall.html
Hi all,
I'd appreciate your feedback on this howto I've been working on. It covers:
Debian Etch (STABLE) GNU/Linux
* shorewall - robust firewall configuration tool
* dnsmasq - simple DNS and DHCP server
* squid - robust web caching server
* dansguardian - robust web content filtering server
* webmin - remote web-based graphical management interface
* psad - port scan attack detection
* fwsnort - iptables-based attack detection and active response
* nmap - robust text-based port scanner
* iftop - real-time network interface traffic monitor
* ntop - web-based network traffic sampling and reporting
* and many other utilities, like ntp, openssh-server, ddclient, etc.
http://www.abazaba.org/debian/firewall.html
You can download it in OOo or pdf format.
It will never be done in my opinion, because I keep adding stuff to it, which is good because it will be up to date. However, as it stands now, it is complete enough to meet my initial requirements. There is a ton of stuff in it. It is written for the novice linux user, but dives into advanced firewall techniques. I hope you find it educational.
I'd be grateful for any feedback. I'm still working on it, filling in some of the details. I'm not ready to provide support for it yet... I'm just looking for feedback on the content at this point.
When I feel the content is done enough, I will post it in this forum's HOWTO section.
Thanks
Last edited by drokmed on 2014-12-01 21:35, edited 3 times in total.
- industrialpunk
- Posts: 731
- Joined: 2007-03-07 22:30
- Location: San Diego, CA, USA
- Absent Minded
- Posts: 3464
- Joined: 2006-07-09 08:50
- Location: Washington State U.S.A.
- Been thanked: 3 times
What a nice read, about the only suggestions I have would be to add more links to your how-to so when a new user gets a hold of this and isn't familiar with some of these things they can read up on them. Also, you have it marked for a beginner and then say that it is for intermediate enthusiasts. I think your how-to can be used by a beginner if you add the external links to explain things that you are not covering. Overall it is a nice how-to IMHO. I found it easy to understand and your meanings were clear and precise. I may just have to try it out when you are done just to see how it goes.
Thanks for the preview.
Michael
Serving the community the best way I can.
Spreading the tradition of Community Spirit.
Please read some Basic Forum Philosophy
Give a man a fish, he eats for a day. Teach him how to fish, he eats for life.
Updated Nov. 19, 2012
Absent Minded wrote:What a nice read, about the only suggestions I have would be to add more links to your how-to so when a new user gets a hold of this and isn't familiar with some of these things they can read up on them. Also, you have it marked for a beginner and then say that it is for intermediate enthusiasts. I think your how-to can be used by a beginner if you add the external links to explain things that you are not covering. Overall it is a nice how-to IMHO. I found it easy to understand and your meanings were clear and precise. I may just have to try it out when you are done just to see how it goes.
Great feedback, exactly what I'm looking for, thanks.
When I have all of the "meat and potatoes" in place, I do plan to go back and add pictures, illustrations, hyperlinks to references, diagrams (lots of these), and try to make it an "easier to consume" document. It does cover A LOT of information, so making it fun to learn will be a challenge too.
Engineers make lousy artists, so I'm going to have to learn the fancy stuff too!
drokmed wrote:When I have all of the "meat and potatoes" in place, I do plan to go back and add pictures, illustrations, hyperlinks to references, diagrams (lots of these), and try to make it an "easier to consume" document. It does cover A LOT of information, so making it fun to learn will be a challenge too.
That should be helpful. In particular, a brief overview of the setup at the beginning which delineates the LAN and WAN, mentions how multiple workstations/netdevices are connected to the firewall, and how IP addresses are associated with NICs should prove useful for neophytes.
-----------
As far as specific changes, I would propose that each application's section include a brief reminder of what the app's purpose is. For example,
- Install Webmin (remote web-based graphical management)
Installing fwsnort (iptables-based attack detection and active response)
The port knocking section should probably include an overall description of the concept.
------------
A couple of typos (I didn't really proofread the doc, but thought I'd mention the ones I noticed):
On the bottom of page 5 (of PDF), you mention 'file server name' -- perhaps this should be "firewall server name"? (especially since you'd just finished presenting the idea that file servers on a firewall are a Bad Idea)
On page 14 (of PDF), the first "Note" states "will will" where it should be "we will"
----------
As far as I can tell, the only section of your document which seems to be particularly Debian-specific is the part on pages 10-11 about configuring the second NIC (editing '/etc/network/interfaces'). I would propose mentioning how implementers using other distros might accomplish the same task. (For example, the Slackware mechanism for configuring interfaces is by editing '/etc/rc.d/rc.inet#.conf' files.)
Once again, thanks for sharing your document.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian Kernighan
Excellent
Thanks saulgoode, good feedback. I'll implement all of your suggestions.
I thought I had caught all of the 'server' vs 'firewall' errors. I copied this howto from my other server howto, then modified it to be a firewall howto. I've read this 'firewall' howto too many times, and things like that don't register in my brain as easily.
I'll release the other 'server' howto later this year.
Glad to hear it. Let me know if you find any mistakes, or I missed documenting an important step, etc.
So far, I have only built it on Etch. As Lenny approaches stable, I was going to try it, just to see what the differences are. I already know there will be big differences for shorewall. I'd be grateful for any Lenny-specific feedback you have.
I am still actively working on this document, updating and adding content. Maybe this weekend I'll incorporate all of the new info, and release an update.
Yo, Drokmed!
I built a server today following your little recipe here - imho its a great piece of work! That must've taken quite a bit of effort, I reckon.
I notice you haven't finished it, and last published an update June last year. I just want to encourage you to finish it if and when you get time - I personally really appreciated it, and would love to see those final chapters explained as meticulously as the existing ones.
Cheers.
PS. I'm using it between a wireless & wired network, and stumbled a lil' on the NORFC1918 bit.. probably not going to affect most people, just thought I'd mention it. Fix was in /etc/shorewall/interfaces if anyone else has this problem.
Using rm -rvf * to remove old backups... lazy.
Realising you were in / as root ... priceless.
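The norfc1918 stumble mentioned in the PS above is worth spelling out for anyone building this box between two private networks. What follows is an added example, not a file from the howto or from Xylock's machine: it assumes a two-interface Shorewall 3.x layout (the version in Etch), with the upstream side on eth0 and the wired LAN on eth1. In that release the norfc1918 interface option tells Shorewall to drop packets arriving on that interface with a source address in one of the RFC 1918 private ranges. That is the right thing on an interface facing the real Internet, but when the "net" side is itself a private network, such as a wireless router handing out 192.168.x.x addresses, it silently discards all upstream traffic.

```text
# /etc/shorewall/interfaces  (added example; the interface names and the
# assumption that the upstream side is a private wireless LAN are mine)
#
#ZONE   INTERFACE   BROADCAST   OPTIONS

# A typical line for a box whose 'net' side is the public Internet.
# norfc1918 drops anything arriving on eth0 from a private source address.
#net    eth0        detect      dhcp,routefilter,norfc1918,tcpflags,logmartians,nosmurfs

# Corrected for a 'net' side that is itself an RFC 1918 network (for example
# behind a wireless router): leave norfc1918 off, or every packet from upstream
# is discarded before any rule is consulted.
net     eth0        detect      dhcp,routefilter,tcpflags,logmartians,nosmurfs
loc     eth1        detect      tcpflags,detectnets,nosmurfs
```

After editing, `shorewall check` validates the configuration and `shorewall restart` applies it. If the option is still on the wrong interface, the drops show up in the Shorewall log output rather than as a configuration error, which is why this one is easy to stumble over.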
Hi Xylock,
Xylock wrote:Yo, Drokmed!
I built a server today following your little recipe here - IMHO it's a great piece of work! That must've taken quite a bit of effort, I reckon.
Thanks Xylock, I'm glad somebody actually got some use out of it. You reckon right, it took many months to write, spread over years. I've been building that kind of firewall for a long time now. Started back when opensuse was version 10.x. It's a great setup IMHO.
Xylock wrote:I notice you haven't finished it, and last published an update June last year. I just want to encourage you to finish it if and when you get time - I personally really appreciated it, and would love to see those final chapters explained as meticulously as the existing ones.
I've been waiting for Lenny to go stable before focusing on it again, and of course, update it, and make it more complete. I'll probably die of old age before Lenny goes stable though........
Xylock wrote:PS. I'm using it between a wireless & wired network, and stumbled a lil' on the NORFC1918 bit.. probably not going to affect most people, just thought I'd mention it. Fix was in /etc/shorewall/interfaces if anyone else has this problem.
Great feedback, thanks. I'll add that to it.
You have interesting timing. I picked up a copy of this how-to on Friday, and began reading it again. I would love to start working on it again, but work has me pretty busy. Maybe in a week or so, when I complete my current project, I'll pick this one back up. I'll write it for Lenny. You are welcome to add to it if ya like.
Cheers!
Re: requesting feedback on my CORPORATE firewall howto
I'm thinking about updating this doc to Lenny, if there's any interest. We still use this firewall build.
Re: requesting feedback on my CORPORATE firewall howto
I thought I saw you sneaking around the fedora forums...
- Posts: 2
- Joined: 2009-05-18 15:52
Re: requesting feedback on my CORPORATE firewall howto
I contacted Mr Rash as you suggested. Thought I'd share his reply in case it is helpful...
"I will check with the Debian package maintainer for fwsnort - his name is [Edited - is there a limitation on showing names here?], and he will know if fwsnort is ready for Lenny (I'm not sure since I don't maintain the packages for Debian). I'll let you know what he says. If not, you can always install from the fwsnort sources, but I understand that you probably want to do this with the normal Debian packaging system instead."
Re: requesting feedback on my CORPORATE firewall howto
Thanks Bill, hopefully there is a current or near current version of psad and fwsnort packages available.
I have this funny feeling I will be building current Debian packages for quite a few of the applications installed on this firewall. I just don't want to maintain them!
- Absent Minded
- Posts: 3464
- Joined: 2006-07-09 08:50
- Location: Washington State U.S.A.
- Been thanked: 3 times
Re: requesting feedback on my CORPORATE firewall howto
drokmed wrote:I'm thinking about updating this doc to Lenny, if there's any interest. We still use this firewall build.
Well hello there my friend,
I would be delighted to have the updated version of your How-to. I occasionally upload your old one to my server for those who request it or are in need of a good Firewall How-to.
Serving the community the best way I can.
Spreading the tradition of Community Spirit.
Please read some Basic Forum Philosophy
Give a man a fish, he eats for a day. Teach him how to fish, he eats for life.
Updated Nov. 19, 2012
Re: requesting feedback on my CORPORATE firewall howto
Hi Michael, good to see you man.
I'm building a new box now. I've set up a test lab, to test what has changed. Updating the doc is only a part of it. I need to document what changed as well, not just for me, but for others who have used this doc.
I'm also going to try an "upgrade" from Etch to Lenny on one of my live firewall boxes and see what happens. I'll have a replacement box ready to go just in case.