sungate.co.uk

Ramblings about stuff

IP Tables

Relating to the VNUML setup mentioned in the previous post, I’ve been tinkering with iptables to write firewall and routing rules for our new network.

I’ve tried to ‘learn’ iptables several times, and repeatedly find myself thinking that I’ve got it sussed only to realise that I’ve misunderstood something really critical. I am currently in the “I’ve got this sussed” state and hopefully it’s for real this time. One of the ways I managed to simplify my re-introduction to the process was to work with a subset of the iptables chains. Specifically, if I assume (for the sake of argument) that the firewall will only be doing routing, filtering and port forwarding, then I don’t need to worry about the INPUT and OUTPUT chains at all, beyond giving them a DROP default policy so that the firewall itself neither accepts nor originates anything. It’s all basically FORWARD and NAT, which is easier to grasp. Then I realised that if you’re doing ‘outgoing’ NAT, that’s always a POSTROUTING SNAT rule (i.e. you change the source address after the routing decision has been made, as the packet leaves on your external interface); if you’re doing incoming port forwarding, it’s always a PREROUTING DNAT rule (since you’re changing the destination of the packets before they are routed, which also means the FORWARD chain sees the rewritten, internal destination). I expect I will re-introduce some INPUT and OUTPUT rules soon, so that a very minimal degree of remote admin of the firewall will be possible, e.g. allow SSH access from the IPs of the systems administrators on the local network only.

If none of this makes sense to you, then don’t let it worry you; you can probably survive in this world without understanding the intricacies of firewall rulesets.

However, a question does arise as to the best operating system to use for running a ‘home grown’ firewall. I’d choose Debian Stable like a shot, but if we plan to actually stop the firewall making its own connections, or hosting any of its own services, even Debian Stable might be more than I really need. If it isn’t ‘allowed’ to contact the internet itself, it won’t be able to download its own security updates (whether it needs them or not is debatable in this situation too, since it isn’t presenting any services). So, to those of you out there who have done this before: What OS have you used for a dedicated home-made firewall? I know that a bare OpenBSD is well thought of for this job, but are there any Debian-related or Debian-derived setups that you’ve used?
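To make the FORWARD/NAT picture above concrete, here is an added example of my own (not code from the original post) of a ruleset written in iptables-restore format, so that the whole thing loads atomically rather than rule by rule. Every interface name, address and host in it is a hypothetical placeholder: eth0/eth1 as the external/internal interfaces, 203.0.113.10 as the firewall’s public address, 192.168.1.80 as a web server to port-forward to, and two admin hosts that may SSH in. It also includes an optional rule letting the firewall reach a local web proxy, which is one way to get apt-get working without the box talking to the internet directly.

```shell
#!/bin/sh
# Added example: a FORWARD/NAT-centric iptables ruleset of the kind the post
# describes, emitted in iptables-restore format so it loads atomically.
# All names and addresses below are hypothetical placeholders.
WAN_IF=eth0                        # interface facing the outside world
LAN_IF=eth1                        # interface facing the local network
PUBLIC_IP=203.0.113.10             # the firewall's external address
LAN_NET=192.168.1.0/24
WEB_SERVER=192.168.1.80            # internal host exposed on TCP/80
ADMIN_HOSTS="192.168.1.10 192.168.1.11"   # the only hosts allowed to SSH in
APT_PROXY=192.168.1.3:3128         # local web proxy for apt-get; set empty to forbid all outbound

# ruleset prints the complete iptables-restore file to stdout.
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port forward: rewrite the destination BEFORE routing (PREROUTING/DNAT).
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# Outgoing NAT: rewrite the source AFTER the routing decision (POSTROUTING/SNAT).
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP
COMMIT
*filter
# Default policies: the box forwards, but accepts and originates nothing
# except what is listed explicitly below.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Minimal remote admin: SSH from the named admin hosts, LAN side only.
    for h in $ADMIN_HOSTS; do
        echo "-A INPUT -i $LAN_IF -s $h -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Optional escape hatch: let the firewall talk to the local proxy (and
    # nothing else) so apt-get can fetch updates without direct exposure.
    if [ -n "$APT_PROXY" ]; then
        echo "-A OUTPUT -o $LAN_IF -d ${APT_PROXY%:*} -p tcp --dport ${APT_PROXY#*:} -m state --state NEW -j ACCEPT"
    fi
    cat <<EOF
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may initiate anything outbound; replies come back via conntrack.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# Inbound to the web server: the filter table sees the post-DNAT (internal) address.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# "sh fw.sh" prints the ruleset for inspection; "sh fw.sh apply" loads it (as root).
if [ "${1:-}" = "apply" ]; then
    ruleset | iptables-restore
else
    ruleset
fi
```

Two things worth noticing: the FORWARD rule for the web server matches on the internal address because DNAT has already happened in PREROUTING by the time the filter table runs, and the OUTPUT chain’s DROP policy is what actually enforces “the firewall makes no connections of its own”; the proxy rule is the single, deliberate exception to it.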

6 Responses to IP Tables

  1. The only firewalls I’ve ever run have been run on Smoothwall…..

  2. Smoothwall

    I quite like the look of Smoothwall, and in fact have tested it out once or twice. However, it doesn’t (easily) support filtering outgoing traffic, which is A Must.

  3. OpenBSD, go on go on go on 😉

    No seriously the PF interface is much easier to understand than IPFW/tables and gives ability to use shaping/guaranteed bandwidth as well..nice.

  4. I know some who are quite happy with bandwidth shaping under IP Tables. The only downside with OpenBSD is that my admin experience of it is almost non-existent. I’m reluctant to drop in our most critical system running something that’s not fully understood 🙂

  5. alternate build machine?

    With the *BSDs you can build your OS on one machine and install on another very easily (nfs mounts needed, but only during the install/update).

    So you can have one machine to do the builds/tests on and then deploy to the others as needed..

    I guess you can do something similar with Debian??

    It would get around the problem of the f/w machine requiring access to the BBI (Big Bad Internet) for its own use.

  6. It would get around the problem of the f/w machine requiring access to the BBI (Big Bad Internet) for its own use.

    I might just make temporary arrangements to allow some stuff through the firewall’s outgoing interface for doing ‘apt-get …’ – one option would be to allow it to speak to our local web proxy for that, meaning that there’s no direct external exposure …
