3. Setting This All Up

3.1 Hardware requirements

For our example, the computer is a 486-DX66 with 8 megs of memory and a 500 meg Linux partition, with a PPP connection to its internet provider over a 14.4 modem. This setup is your basic Linux box. To make it a firewall, we add one NE2000 Ethernet card. It is then connected to 3 PCs running Windows 3.1 with Trumpet Winsock and 2 Suns running SunOS 4.1. This setup was chosen because it is fairly common and both are platforms that I am familiar with. I imagine much of what I am talking about here is doable with Macs, but since I don't use Macs frequently enough, I don't really know.

3.2 Setting up the Software

So, you have one Linux box connected to the net via a 14.4 PPP line. You then have an Ethernet network connecting the Linux box and all the other computers. First, you must recompile the Linux kernel with the appropriate options. At this point, I would look at the Kernel HOWTO, the Ethernet HOWTO, and the NET-2 HOWTO. Then, do a "make config":

  1. Turn on Networking Support
  2. Turn on TCP/IP Networking
  3. Turn off IP Forwarding (CONFIG_IP_FORWARD).
  4. Turn on IP Firewalling
  5. Probably turn on IP accounting; it seems prudent since we are setting up a security measure
  6. Turn on Networking Device Support
  7. We turn on PPP and Ethernet support, but that depends on your interfaces

Then, we recompile, reinstall the kernel and reboot. The interfaces should show up in the boot-up sequence, and we should be fine. If not, go over the other HOWTOs again until it is working.

3.3 Configuring the Network Addresses

This is the really interesting part. Since we do not want the internet to have access, we do not need to use real addresses. One good class C network to use is 192.168.2.xxx, which was set aside as a dummy test domain. Thus, no one uses it, and it will not conflict with any requests for the outside. So, in this configuration, only one real IP address is needed. The others are free for the taking and will not affect the network at all.

Assign the real IP to the serial port used for the PPP. Assign 192.168.2.1 to the Ethernet card on firewall. Assign every other machine in the protected network some number in that domain.

3.4 Testing it out

First, try to ping the internet from firewall. I used to use nic.ddn.mil as my test point. It's still a good test, but it has proven to be less reliable than I had hoped. If it doesn't work at first, try pinging a couple of other places that are not connected to your LAN. If this doesn't work, then your PPP is incorrectly set up. Reread the NET-2 HOWTO, and try again.

Now, try pinging between hosts within the protected network. All the computers should be able to ping each other. If not, go over the NET-2 HOWTO again and work on the network some more.

Then, every machine in the protected network should be able to ping firewall. If not, go back again. Remember, they should be able to ping 192.168.2.1, not the PPP address.

Then, try to ping the PPP address of firewall from inside the protected network. If you can, then you have not turned off IP Forwarding and you will have to recompile the kernel. Having assigned the protected network the 192.168.2.1 domain means that no packets will be routed to this network anyway, but it is safer to have IP Forwarding turned off as well. This leaves the control in your hands, not in the hands of your PPP provider.

Finally, ping each machine within the protected network from firewall. By this time, there should be no problems.

Now, you have your basic firewall setup.

3.5 Securing the Firewall

The firewall is no good if it is left wide open to attacks. First, look at /etc/inetd.conf. This file configures inetd, which is what is called a "super server": it runs a bunch of the server daemons as they are requested. Examples are:

Turn off everything that is not needed. Definitely turn off netstat, systat, tftp, bootp, and finger. You might also want to turn off telnet and only allow rlogin, or vice versa. To turn a service off, merely put a # in front of it. Then, send a SIGHUP to the process by typing kill -HUP <pid>, where pid is the process number of inetd. This will make inetd re-read its configuration file (inetd.conf) and restart. Test it out by telnetting to port 15 on firewall, the netstat port. If you get netstat output, you have not restarted it correctly.
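The procedure above as a script, added here as an example and not part of the HOWTO: it comments out the named services in an inetd.conf-style file, then wraps the reload and the port-15 check in functions. The sample inetd.conf is constructed, the bootp server line is matched under its /etc/services name bootps, and the reload and port check assume pidof and nc are available (they are defined but not run).

```shell
#!/bin/sh
# Added example, not from the HOWTO: comment out the services the text names
# in an inetd.conf-style file, with the reload and port check as functions.
# The sample file is constructed; service names follow /etc/services, so the
# bootp server line is matched as "bootps".

UNNEEDED="netstat systat tftp bootps finger"

# disable_services FILE: put '#' in front of each unneeded service line.
# Only the first field (the service name) is matched, so "finger" does not
# touch an unrelated line; already-commented lines are left untouched.
disable_services() {
    f="$1"
    for svc in $UNNEEDED; do
        sed "s/^\(${svc}[[:space:]]\)/#\1/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# count_active FILE: how many uncommented, non-blank service lines remain.
count_active() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1"
}

# reload_inetd: make inetd re-read inetd.conf, as the text describes
# (needs root and a running inetd; assumed tool: pidof; not run here).
reload_inetd() {
    kill -HUP "$(pidof inetd)"
}

# netstat_port_open HOST: the text's check against port 15 (netstat).
# Returns 0 if something still answers, non-zero if refused (assumed tool: nc).
netstat_port_open() {
    nc -z -w 3 "$1" 15
}

# Constructed sample inetd.conf for demonstration.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
netstat stream  tcp     nowait  nobody  /usr/sbin/tcpd  /bin/netstat
systat  stream  tcp     nowait  nobody  /usr/sbin/tcpd  /bin/ps -auwwx
tftp    dgram   udp     wait    nobody  /usr/sbin/tcpd  in.tftpd
bootps  dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
EOF

disable_services "$SAMPLE"
echo "active services left: $(count_active "$SAMPLE")"   # 2 (ftp, telnet)
```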
