Page last updated:
2001 Dec 30 16:59

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Firewall
On Wed, 10 Jan 2001, Jay wrote:

> Yeah, based on Pete's post I started looking at LRP (even saw your
> name (Mr. Newmiller) in a link).  I think I'd like to build one, but
> the project seems a little disarrayed, and misleading.

The original developer (Dave Cinege) has lost a lot of support because he
has his own ideas about how things should proceed but apparently only 
a limited amount of time to devote to the project.  At this point I think
he has pretty much left LRP alone and is working on his dream
distribution, oriented more toward embedded development than re-using old
PCs.  I find his distribution the simplest because it doesn't attempt to
do everything for you... others have modified it with lots of
shellscripts.

My own name appears fairly often there because in the absence of more
knowledgeable people to explain things, I have endeavored to figure them
out through discussion on the LRP list.

> I'd like to build 2 (both without hard drives and bootable off a
> single floppy):
> 
> Home:
> 2 NICs, DHCP server, able to get a dynamic IP (external) from my ISP

How do you get the external IP? DHCP or PPPoE?

> 
> Office:
> 3 NICs (External, DMZ, Internal), DHCP Server, fixed IP
> 
> Where should I start?

From what I have seen, assuming you just want it to work as soon as
possible you should use an image from http://lrp.steinkuehler.net/ that
most nearly matches your needs.  I have only set up one system like this... I
tend to prefer to assemble the parts I want starting with LRP, because
there are a LOT of configuration variables in EigerStein config files that
I am not interested in using.

Home
 if dhcp...
  http://lrp.steinkuehler.net/DiskImages/Eiger/EigerStein2BETA.htm 
  and from recent posts on the linux-router mailing list you probably
  ought to replace the dhclient.lrp on that image with the one on his
  "packages" page... http://lrp.steinkuehler.net/Packages.htm

 if pppoe...
  http://lrp.steinkuehler.net/contrib/disk_images.htm and look for Kenneth
  Hadley's pppoe image

In every case, you need to know what kind of NICs you have and download
modules from http://lrp.steinkuehler.net/kernel/Eiger/modules/net/.  The
standard 2.9.8 distribution uses kernel/module tarballs along with image
files.

For the office setup, you can start with the DHCP image above and disable
dhclient.lrp in the syslinux.cfg file on the floppy.  This may be easier
to set up than the home system because of the fixed address.

One stumbling block many people have is understanding what they need to
know to fill in the blanks... and I don't really have a cookbook for that
problem.
http://lrp.c0wz.com/dox/sf/lrp-e2e-subsec-EtherToEtherInstructions.html#1
applies to an older LRP version, but gives some pointers on gathering
information from existing setups.
http://linuxdoc.org/HOWTO/Net-HOWTO/index.html is another good resource.

> 
> BTW, I don't understand the 2 firewall setup.

http://www.oreilly.com/catalog/fire2/chapter/ch13.html

In Figure 13-2, if the external and internal routers are packet filtering
firewalls like LRP, then you may allow a single port to connect through to
the "bastion host", through which a weakness _may_ be exploited if it
exists.  If no such holes exist in the interior router, then in theory the
internal network should be much safer than the perimeter network
(DMZ).

The two routers can be combined into one router with 3 NICs, but if the
router is cracked then both networks are exposed at once.  This doesn't
prevent it from being used fairly often.

> If you guys will help me get it working, I'll try to write a HOW-TO

That is a good way to learn.  You will often find that similar
documentation has already been written, but the author will assume a few
things you don't know, or technology will have changed since they wrote
theirs so that their instructions won't work quite right anymore, even
though the theoretical things they write about may still be true.

There are a lot of ways different networks can be set up, and
unfortunately, few people have experience in all of them to be able to
warn you about the problems you will face.

That said, I think what you are asking for can be set up easily with
an EigerStein image, or with a little more work using the base 2.9.8.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
Work:<JeffN@endecon.com>              Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
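The screened-subnet argument in the reply above (a single port allowed through to the bastion host, an interior router with no holes, and the combined 3-NIC router that exposes both networks at once when cracked) as an added Python model. This is example code, not from the post or from LRP; the addresses, zones and rule sets are constructed.

```python
"""Toy model of the two-router (screened subnet) design versus one 3-NIC router.
Constructed addressing: DMZ/perimeter = 192.168.1.0/24 with the bastion at .10,
internal = 10.0.0.0/24, anything else = external (Internet)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DMZ = ipaddress.ip_network("192.168.1.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
BASTION = ipaddress.ip_address("192.168.1.10")

@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR
    dst: str             # destination CIDR
    dport: Optional[int] # destination port, None = any
    action: str          # "ACCEPT" or "DROP"

def filter_verdict(rules, src, dst, dport):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "DROP"

# Exterior router: one port, only to the bastion; internal hosts may go out.
EXTERIOR = [Rule("0.0.0.0/0", str(BASTION) + "/32", 80, "ACCEPT"),
            Rule("10.0.0.0/24", "0.0.0.0/0", None, "ACCEPT")]
# Interior router: internal hosts may go out; nothing from the DMZ comes in.
INTERIOR = [Rule("10.0.0.0/24", "0.0.0.0/0", None, "ACCEPT")]

def zone(ip):
    return "dmz" if ip in DMZ else "internal" if ip in INTERNAL else "external"

def two_router_verdict(src, dst, dport, cracked=frozenset()):
    """Walk the packet through each router on its path. A router named in
    `cracked` is assumed fully controlled and filters nothing."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    zones = {zone(src), zone(dst)}
    path = (["exterior"] if "external" in zones else []) + \
           (["interior"] if "internal" in zones else [])
    for router in path:
        rules = EXTERIOR if router == "exterior" else INTERIOR
        if router not in cracked and filter_verdict(rules, src, dst, dport) == "DROP":
            return "DROP"
    return "ACCEPT"

def single_router_verdict(src, dst, dport, cracked=False):
    """Same policy on one 3-NIC box: a single compromise removes every filter."""
    if cracked:
        return "ACCEPT"
    return filter_verdict(EXTERIOR + INTERIOR, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), dport)
```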

