[gentoo-user] Static IP and firewall configuration
Amit Bapat
2004-05-22 22:40:10 UTC
I have signed up with a new ISP, which offers 2 static IPs with the DSL
package. I am wondering how I should set up my network now.

Here is the setup I currently have:

I have a Wireless Router that is connected to the DSL modem directly,
which also acts as a NAT firewall. I am forwarding 4 ports from this
router (ssh, smtp, http, https) to my linux computer 192.168.0.1 on my
local network. I use dyndns.org's service as the DNS server for the
dynamic IP address.

I host my own ssh, mail, web server on my own domain.
I have turned off my router's DHCP server and I am running my own DHCP
server on the linux machine, which also runs a DNS server for the local
network. The DHCP server and DNS server are both enabled for Dynamic DNS
updates, so that whenever the DHCP server assigns a new IP address to a
machine on the local network, its name gets added to the local DNS server
too.

But now some things are going to change as a result of the 2 static IPs
being available.
There is currently no firewall on my linux machine (gentoo) as there
already is a firewall on the router.

I no longer need dyndns.org's service as I now have a static IP. So how
should I reconfigure my network/linux machine/router to take advantage
of the two static IP addresses available to me?

Thanks,
Amit Bapat
---

"We've got a problem, HAL".
"What kind of problem, Dave?"
"A marketing problem. The Model 9000 isn't going anywhere. We're
way short of our sales goals for fiscal 2010."
"That can't be, Dave. The HAL Model 9000 is the world's most
advanced Heuristically programmed ALgorithmic computer."
"I know, HAL. I wrote the data sheet, remember? But the fact is,
they're not selling."
"Please explain, Dave. Why aren't HALs selling?"
Bowman hesitates. "You aren't IBM compatible."
[...]
"The letters H, A, and L are alphabetically adjacent to the letters
I, B, and M. That is as IBM compatible as I can be."
"Not quite, HAL. The engineers have figured out a kludge."
"What kludge is that, Dave?"
"I'm going to disconnect your brain."
-- Darryl Rubin, "A Problem in the Making", "InfoWorld"


--
gentoo-***@gentoo.org mailing list
lukas
2004-05-26 21:50:08 UTC
Post by Amit Bapat
I have signed up with a new ISP, which offers 2 static IPs with the
DSL package. I am wondering how I should set up my network now.
I have a Wireless Router that is connected to the DSL modem directly,
which also acts as a NAT firewall. I am forwarding 4 ports from this
router (ssh, smtp, http, https) to my linux computer 192.168.0.1 on
my local network. I use dyndns.org's service as the DNS server for the
dynamic IP address.
I host my own ssh, mail, web server on my own domain.
I have turned off my router's DHCP server and I am running my own
DHCP server on the linux machine, which also runs a DNS server for the
local network. The DHCP server and DNS server are both enabled for
Dynamic DNS updates, so that whenever the DHCP server assigns a new IP
address to a machine on the local network, its name gets added to the
local DNS server too.
But now some things are going to change as a result of the 2 static IPs
being available.
There is currently no firewall on my linux machine (gentoo) as there
already is a firewall on the router.
I no longer need dyndns.org's service as I now have a static IP. So
how should I reconfigure my network/linux machine/router to take
advantage of the two static IP addresses available to me?
If your WLAN-Router is able to act as an ethernet-bridge then you
can set up two of your machines with the static IPs. One of these
two machines must have a second NIC and act as a NAT-router for your
private network (e.g. 192.168.0.0/16).
But if you have only two machines then you don't need a router. :-)

If your WLAN-Router can't act as a bridge, then replace it with a hub
or a switch.

In both cases you must set up your own firewall rules on the machines
with the static IPs because AFAIK in bridge-mode your router can't act
as a firewall.

Maybe there is a better solution, but I don't know. :-)

cu

lukas
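Worked example of the layout lukas describes, added here and not written by any poster in this thread: the Gentoo box holds one static IP on its WAN NIC, publishes the four services Amit listed (ssh, smtp, http, https), and NATs the private LAN behind it. The interface names eth0/eth1 and the LAN range 192.168.0.0/24 are assumptions; the script prints the iptables rules instead of applying them, so they can be reviewed before being piped into sh as root.

```shell
#!/bin/sh
# Added example, not from the thread: stateful iptables policy for a
# static-IP Gentoo box that is also the NAT router for the LAN.
# Assumptions: WAN NIC eth0 carries the static IP, LAN NIC eth1 faces
# 192.168.0.0/24; IPT may be overridden, e.g. IPT=/sbin/iptables.

# Emit the rules rather than running them: review with "sh fw.sh",
# apply as root with "sh fw.sh | sh".
fw_rules() {
    wan=$1 lan=$2 lan_net=$3
    ipt=${IPT:-iptables}
    cat <<EOF
$ipt -F
$ipt -t nat -F
$ipt -X
# Default deny for inbound and forwarded traffic; the box's own outbound is allowed.
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -A INPUT -i lo -j ACCEPT
# Anti-spoofing: the private range must never arrive on the WAN side.
$ipt -A INPUT -i $wan -s $lan_net -j DROP
$ipt -A FORWARD -i $wan -s $lan_net -j DROP
# Replies to connections the box or the LAN opened.
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may talk to the box itself (DHCP, DNS, ssh, ...).
$ipt -A INPUT -i $lan -s $lan_net -j ACCEPT
# The four published services (ssh, smtp, http, https), reachable from outside.
EOF
    for port in 22 25 80 443; do
        echo "$ipt -A INPUT -i $wan -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# LAN -> Internet, hidden behind the static IP on $wan.
$ipt -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
$ipt -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
EOF
}

fw_rules eth0 eth1 192.168.0.0/24
```

Forwarding between the two NICs also needs net.ipv4.ip_forward=1, which the script does not set.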
James
2004-05-27 17:20:15 UTC
Post by lukas
Post by Amit Bapat
I have signed up with a new ISP, which offers 2 static IPs with the
DSL package. I am wondering how I should set up my network now.
I have a Wireless Router that is connected to the DSL modem directly,
which also acts as a NAT firewall. I am forwarding 4 ports from this
router (ssh, smtp, http, https) to my linux computer 192.168.0.1 on
my local network. I use dyndns.org's service as the DNS server for the
dynamic IP address.
I host my own ssh, mail, web server on my own domain.
I have turned off my router's DHCP server and I am running my own
DHCP server on the linux machine, which also runs a DNS server for the
local network. The DHCP server and DNS server are both enabled for
Dynamic DNS updates, so that whenever the DHCP server assigns a new IP
address to a machine on the local network, its name gets added to the
local DNS server too.
But now some things are going to change as a result of the 2 static IPs
being available.
There is currently no firewall on my linux machine (gentoo) as there
already is a firewall on the router.
I no longer need dyndns.org's service as I now have a static IP. So
how should I reconfigure my network/linux machine/router to take
advantage of the two static IP addresses available to me?
If your WLAN-Router is able to act as an ethernet-bridge then you
can set up two of your machines with the static IPs. One of these
two machines must have a second NIC and act as a NAT-router for your
private network (e.g. 192.168.0.0/16).
But if you have only two machines then you don't need a router. :-)
If your WLAN-Router can't act as a bridge, then replace it with a hub
or a switch.
In both cases you must set up your own firewall rules on the machines
with the static IPs because AFAIK in bridge-mode your router can't act
as a firewall.
Um, this last statement is not quite true:
old: http://www.tldp.org/HOWTO/Bridge+Firewall.html
latest:http://ezine.daemonnews.org/200207/transpfobsd.html

There is great hope that the selinux hacks in the 2.6 kernel will
provide the foundation for building an impressive firewall on linux,
but I have not seen a 'cookbook' on how to do this yet on a 2.6 kernel.

Please no OpenBSD vs linux bashing, I'm just pointing out the finesse
and ease of using an obsd bridged firewall. 'PF' is your friend, and
a most excellent technology to use to make a firewall transparent.

Can we get an ebuild of Packet Filter, or its gentoo equivalent?

James
Post by lukas
Maybe there is a better solution, but I don't know. :-)
cu
lukas
Ajai Khattri
2004-05-27 17:30:16 UTC
Post by James
Can we get an ebuild of Packet Filter, or its gentoo equivalent?
It's called iptables ;-)
--
Aj.
Sys. Admin / Developer

James
2004-05-27 17:40:21 UTC
Post by Ajai Khattri
Post by James
Can we get an ebuild of Packet Filter, or its gentoo equivalent?
It's called iptables ;-)
Dude, iptables is not even close to packet filter. Read up on packet
filter. Iptables is OK, but pf is security that the NSA has tried and
failed to crack.......

Iptables does have its glitches.....

PS, I like linux and gentoo much more than OpenBSD, but, OpenBSD is
the real deal in security, right out of a newbie installation....
Not much work to install, just load up the pf rules and set NAT,
and bingo....

If you want to get fancy, use pf in bridged-firewall mode. Totally
transparent!

Cheers!

James
lukas
2004-05-27 18:00:36 UTC
Post by James
Post by lukas
In both cases you must setup your own firewall-rules on the
machines with the static-IP's because AFAIK in bridge-mode your
router can't act as a firewall.
old: http://www.tldp.org/HOWTO/Bridge+Firewall.html
latest:http://ezine.daemonnews.org/200207/transpfobsd.html
I thought that the WLAN-router is a cheap "hardware" WLAN-DSL-router
that one can buy for a few bucks. With this kind of hardware it is
mostly impossible to filter packets in bridging mode.
If it is a linux or BSD box then you can of course use it as
firewall and bridge.

cu

lukas
James
2004-05-27 19:10:21 UTC
Post by lukas
Post by James
Post by lukas
In both cases you must setup your own firewall-rules on the
machines with the static-IP's because AFAIK in bridge-mode your
router can't act as a firewall.
old: http://www.tldp.org/HOWTO/Bridge+Firewall.html
latest:http://ezine.daemonnews.org/200207/transpfobsd.html
I thought that the WLAN-router is a cheap "hardware" WLAN-DSL-router
that one can buy for a few bucks. With this kind of hardware it is
mostly impossible to filter packets in bridging mode.
If it is a linux or BSD box then you can of course use it as
firewall and bridge.
I agree with your statement about filtering packets.

It's difficult to be secure (successful firewall) on a box built by
others, unless you are going to spend some serious cash. I use old
486s or 586s with 32 meg of ram for openbsd firewalls. These types of
machines cost less than $10 (US) and are often free, so you can
minimize the cost. Avoid logging or stream the logs to another machine
so as to not bog down the cpu and ram resources on an old 486/586. You
can build your firewall behind the router/internet connection provided
by whatever your ISP supplies (or is required).

If you insist on building your security on the "WLAN-router" (I
thought that was a generic term) then you have to have root access,
and you are limited by the OS features of that product. PF and
iptables both have robust capabilities, far beyond most little routers....


James