requesting feedback on my CORPORATE firewall howto

If it doesn't relate to Debian, but you still want to share it, please do it here
drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

requesting feedback on my CORPORATE firewall howto

#1 Post by drokmed »
EDIT: Yet another new location:
https://drive.google.com/file/d/0B6gmrA ... sp=sharing

old location, file can be retrieved here:

http://www.4shared.com/document/nWMRt60 ... ewall.html


Hi all,

I'd appreciate your feedback on this howto I've been working on. It covers:

Debian Etch (STABLE) GNU/Linux

* shorewall - robust firewall configuration tool
* dnsmasq - simple DNS and DHCP server
* squid - robust web caching server
* dansguardian - robust web content filtering server
* webmin - remote web-based graphical management interface
* psad - port scan attack detection
* fwsnort - iptables-based attack detection and active response
* nmap - robust text-based port scanner
* iftop - real-time network interface traffic monitor
* ntop - web-based network traffic sampling and reporting
* and many other utilities, like ntp, openssh-server, ddclient, etc.

http://www.abazaba.org/debian/firewall.html

You can download it in OOo or pdf format.

It will never be done in my opinion, because I keep adding stuff to it, which is good because it will be up to date. However, as it stands now, it is complete enough to meet my initial requirements. There is a ton of stuff in it. It is written for the novice Linux user, but dives into advanced firewall techniques. I hope you find it educational.

I'd be grateful for any feedback. I'm still working on it, filling in some of the details. I'm not ready to provide support for it yet... I'm just looking for feedback on the content at this point.

When I feel the content is done enough, I will post it in this forum's HOWTO section.

Thanks
Last edited by drokmed on 2014-12-01 21:35, edited 3 times in total.

drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

#2 Post by drokmed »

Nobody?

Damn, I was hoping somebody would take a look at it. It's the culmination of hundreds of hours of research and experience. I will continue to expand on it.

MeanDean
Posts: 3953
Joined: 2007-09-01 01:14

#3 Post by MeanDean »

I thought the web page was it... didn't see much until I noticed the pdf file. Damn, that's a lot of info.... looks awesome to me but I am not much of a server/network kind of guy any more. Not really your target audience :)

saulgoode
Posts: 1545
Joined: 2007-10-22 11:34

#4 Post by saulgoode »

I have downloaded it and am in the process of perusing it. I am about a third of the way through it.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian Kernighan

industrialpunk
Posts: 733
Joined: 2007-03-07 22:30
Location: San Diego, CA, USA

#5 Post by industrialpunk »

Awesome Drokmed! I've been waiting for this since you told me about it a few months ago. Downloading right now.
-Josh Willingham

Absent Minded
Posts: 3761
Joined: 2006-07-09 08:50
Location: Washington State U.S.A.

#6 Post by Absent Minded »

What a nice read, about the only suggestions I have would be to add more links to your how-to so when a new user gets a hold of this and isn't familiar with some of these things they can read up on them. Also, you have it marked for a beginner and then say that it is for intermediate enthusiasts. I think your how-to can be used by a beginner if you add the external links to explain things that you are not covering. Overall it is a nice how-to IMHO. I found it easy to understand and your meanings were clear and precise. I may just have to try it out when you are done just to see how it goes.

Thanks for the preview.
Michael
Serving the community the best way I can.
Spreading the tradition of Community Spirit.
Please read some Basic Forum Philosophy
Give a man a fish, he eats for a day. Teach him how to fish, he eats for life.
Updated Nov. 19, 2012

drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

#7 Post by drokmed »

Absent Minded wrote: What a nice read, about the only suggestions I have would be to add more links to your how-to so when a new user gets a hold of this and isn't familiar with some of these things they can read up on them. Also, you have it marked for a beginner and then say that it is for intermediate enthusiasts. I think your how-to can be used by a beginner if you add the external links to explain things that you are not covering. Overall it is a nice how-to IMHO. I found it easy to understand and your meanings were clear and precise. I may just have to try it out when you are done just to see how it goes.
Great feedback, exactly what I'm looking for, thanks.

When I have all of the "meat and potatoes" in place, I do plan to go back and add pictures, illustrations, hyperlinks to references, diagrams (lots of these), and try to make it an "easier to consume" document. It does cover A LOT of information, so making it fun to learn will be a challenge too.

Engineers make lousy artists, so I'm going to have to learn the fancy stuff too! :D

saulgoode
Posts: 1545
Joined: 2007-10-22 11:34

#8 Post by saulgoode »

drokmed wrote: When I have all of the "meat and potatoes" in place, I do plan to go back and add pictures, illustrations, hyperlinks to references, diagrams (lots of these), and try to make it an "easier to consume" document. It does cover A LOT of information, so making it fun to learn will be a challenge too.
That should be helpful. In particular, a brief overview of the setup at the beginning which delineates the LAN and WAN, mentions how multiple workstations/netdevices are connected to the firewall, and how IP addresses are associated with NICs should prove useful for neophytes.

-----------
As far as specific changes, I would propose that each application's section include a brief reminder of what the app's purpose is. For example,
  • Install Webmin (remote web-based graphical management)
  • Installing fwsnort (iptables-based attack detection and active response)
------------
The port knocking section should probably include an overall description of the concept.

------------
A couple of typos (I didn't really proofread the doc, but thought I'd mention the ones I noticed):

On the bottom of page 5 (of PDF), you mention 'file server name' -- perhaps this should be "firewall server name"? (especially since you'd just finished presenting the idea that file servers on a firewall are a Bad Idea)

On page 14 (of PDF), the first "Note" states "will will" where it should be "we will"

----------
As far as I can tell, the only section of your document which seems to be particularly Debian-specific is the part on pages 10-11 about configuring the second NIC (editing '/etc/network/interfaces'). I would propose mentioning how implementers using other distros might accomplish the same task. (For example, the Slackware mechanism for configuring interfaces is by editing '/etc/rc.d/rc.inet#.conf' files.)

Once again, thanks for sharing your document.

drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

#9 Post by drokmed »

Excellent :)

Thanks saulgoode, good feedback. I'll implement all of your suggestions.

I thought I had caught all of the 'server' vs 'firewall' errors. I copied this howto from my other server howto, then modified it to be a firewall howto. I've read this 'firewall' howto too many times, and things like that don't register in my brain as easily.

I'll release the other 'server' howto later this year.

codge
Posts: 207
Joined: 2008-03-22 17:35

#10 Post by codge »

I've implemented most of your firewall howto into a fresh install of lenny, I haven't yet configured snort but will be doing so in the near future. It's nice to see a clear, easy to understand howto, more than likely to be overkill for my home set-up but you never know! Thanks.

drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

#11 Post by drokmed »

Glad to hear it. Let me know if you find any mistakes, or I missed documenting an important step, etc.

So far, I have only built it on Etch. As Lenny approaches stable, I was going to try it, just to see what the differences are. I already know there will be big differences for shorewall. I'd be grateful for any Lenny-specific feedback you have.

I am still actively working on this document, updating and adding content. Maybe this weekend I'll incorporate all of the new info, and release an update.

Xylock
Posts: 43
Joined: 2007-04-11 13:28

#12 Post by Xylock »

Yo, Drokmed!

I built a server today following your little recipe here - imho it's a great piece of work! That must've taken quite a bit of effort, I reckon.

I notice you haven't finished it, and last published an update June last year. I just want to encourage you to finish it if and when you get time - I personally really appreciated it, and would love to see those final chapters explained as meticulously as the existing ones.

Cheers.

PS. I'm using it between a wireless & wired network, and stumbled a lil' on the NORFC1918 bit.. probably not going to affect most people, just thought I'd mention it. Fix was in /etc/shorewall/interfaces if anyone else has this problem.
Using rm -rvf * to remove old backups... lazy.
Realising you were in / as root ... priceless.

drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

#13 Post by drokmed »

Hi Xylock,
Xylock wrote: Yo, Drokmed!

I built a server today following your little recipe here - imho it's a great piece of work! That must've taken quite a bit of effort, I reckon.
Thanks Xylock, I'm glad somebody actually got some use out of it. You reckon right, it took many months to write, spread over years. I've been building that kind of firewall for a long time now. Started back when opensuse was version 10.x. It's a great setup IMHO.
Xylock wrote: I notice you haven't finished it, and last published an update June last year. I just want to encourage you to finish it if and when you get time - I personally really appreciated it, and would love to see those final chapters explained as meticulously as the existing ones.
I've been waiting for Lenny to go stable before focusing on it again, and of course, update it, and make it more complete. I'll probably die of old age before Lenny goes stable though........
Xylock wrote: PS. I'm using it between a wireless & wired network, and stumbled a lil' on the NORFC1918 bit.. probably not going to affect most people, just thought I'd mention it. Fix was in /etc/shorewall/interfaces if anyone else has this problem.
Great feedback, thanks. I'll add that to it.

You have interesting timing. I picked up a copy of this how-to on Friday, and began reading it again. I would love to start working on it again, but work has me pretty busy. Maybe in a week or so, when I complete my current project, I'll pick this one back up. I'll write it for Lenny. You are welcome to add to it if ya like.

Cheers!

drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

Re: requesting feedback on my CORPORATE firewall howto

#14 Post by drokmed »

I'm thinking about updating this doc to Lenny, if there's any interest. We still use this firewall build.
Author of the Debian Linux Security Appliance Firewall howto, found here
Thread discussing it is here

gnudude
Posts: 1712
Joined: 2009-04-05 17:30
Location: gone....

#15 Post by gnudude »

I thought I saw you sneaking around the fedora forums...

BillyduhKid
Posts: 2
Joined: 2009-05-18 15:52

#16 Post by BillyduhKid »

I contacted Mr Rash as you suggested. Thought I'd share his reply in case it is helpful...

"I will check with the Debian package maintainer for fwsnort - his name is [Edited - is there a limitation on showing names here?], and he will know if fwsnort is ready for Lenny (I'm not sure since I don't maintain the packages for Debian). I'll let you know what he says. If not, you can always install from the fwsnort sources, but I understand that you probably want to do this with the normal Debian packaging system instead."

drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

#17 Post by drokmed »

:wink:

Fedora, Slackware, and CentOS mostly.

drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

#18 Post by drokmed »

Thanks Bill, hopefully there is a current or near current version of psad and fwsnort packages available.

I have this funny feeling I will be building current Debian packages for quite a few of the applications installed on this firewall. I just don't want to maintain them! :shock:

Absent Minded
Posts: 3761
Joined: 2006-07-09 08:50
Location: Washington State U.S.A.

#19 Post by Absent Minded »

drokmed wrote: I'm thinking about updating this doc to Lenny, if there's any interest. We still use this firewall build.
Well hello there my friend,

I would be delighted to have the updated version of your How-to. I occasionally upload your old one to my server for those who request it or are in need of a good Firewall How-to.

drokmed
Posts: 1167
Joined: 2007-10-03 19:24
Location: Saint Petersburg, FL

#20 Post by drokmed »

Hi Michael, good to see you man.

I'm building a new box now. I've set up a test lab, to test what has changed. Updating the doc is only a part of it. I need to document what changed as well, not just for me, but for others who have used this doc.

I'm also going to try an "upgrade" from Etch to Lenny on one of my live firewall boxes :shock: and see what happens. I'll have a replacement box ready to go just in case.