Re: Linux Firewall Suggestion

From: Jack Masters (jackm.abc_at_starplace.com)
Date: 05/04/05


Date: Wed, 04 May 2005 08:44:22 +0200

Mike wrote:
> KP wrote:
>
>> I work for a company that has no firewall. We are 20 person company
>> whose connection to the Internet is via Cisco 1610 router - T1.
>>
>> The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
>> Address (our mail, web site, and FTP) to 3 of the Internal Servers.
>> It does a one to one mapping.
>>
>> Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
>> 100.100.100.100 to private 192.168.1.10);
>> Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443) -
>> (public ip 100.100.100.101 to private 192.168.1.11);
>> Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
>> 100.100.100.102 to private 192.168.1.12);
>>
>> My GOAL is to get a Linux firewall that is SIMPLE to use to place
>> between the internal network and our Internet router. Also, it has to
>> be able to route traffic destined on public ip xxx.xxx.xxx.xxx to
>> private ip xxx.xxx.xxx.xxx- same as 1 to 1 NAT mapping but more locked
>> down due to firewall features. Because multiple servers have port 80
>> and 443, I can't just do port forwarding. It must be intelligent
>> enough to see the URL/URI to forward to the right box.
>>
>> Hope this made sense.
>>
>> What would you guys suggest in terms of the Linux distro with this
>> capability, and how I should set it up?
>>
>> Thank you!
>>
>
> If you are not sure what you are doing, don't play with your company
> network. This is not the place to start learning about Linux firewalls.
> Invest your money in a hardware solution such as a Watchguard Firebox.
> You will find it easier to implement as it has a Windows front end and
> you will get all the benefits of a Linux/Iptables box as that is what it
> uses. You will also get first rate support (They can even configure the
> box remotely for you) and upgrades.
>
> I'm not affiliated with Watchguard in any way. I just use their boxes and
> also build Linux firewalls using IPCOP and Smoothwall or just plain old
> IPtables.
>
> Mike

Any firewall, even a badly configured one, would be better than leaving
the network wide open. Playing with the firewall on a live network may
open one up to (physical) abuse from users who see their lunchtime
surfing/IM interrupted, but starting off with one of the many example
scripts available, it would be difficult to create a FW that opens the
network up further than it already is.

J
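As an added illustration of the kind of starting script the reply refers to (not code from anyone in this thread): a minimal iptables ruleset for the 1:1 mapping KP describes, with each public address forwarded to its internal server but only on the ports listed, everything else dropped. It assumes the firewall owns the three public addresses (the router's own NAT for them turned off), interface names eth0/eth1, and a DRY_RUN switch that prints the rules instead of loading them; PPTP is given its real control port TCP 1723 plus GRE. Note that layer-3/4 filtering like this cannot see URLs, so the "forward by URI" wish would need an HTTP reverse proxy in front of the two web servers.

```shell
#!/bin/sh
# Added example ruleset, not from the original thread.
# Assumptions: eth0 faces the Cisco router, eth1 faces 192.168.1.0/24,
# and the firewall holds the public addresses 100.100.100.100-102.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
DRY_RUN="${DRY_RUN:-1}"      # 1 = print commands only; 0 = load them

ipt() {
  if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# map_host PUBLIC PRIVATE PROTO PORTLIST
# Full 1:1 NAT in both directions (DNAT in, SNAT out), but the FORWARD
# chain only admits new connections to the listed ports of that host.
map_host() {
  pub="$1"; priv="$2"; proto="$3"; ports="$4"
  ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" -j DNAT --to-destination "$priv"
  ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$priv" -j SNAT --to-source "$pub"
  ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$priv" -p "$proto" \
      -m multiport --dports "$ports" -m conntrack --ctstate NEW -j ACCEPT
}

apply_rules() {
  ipt -P FORWARD DROP                                   # default: nothing crosses
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT    # LAN may initiate outbound
  map_host 100.100.100.100 192.168.1.10 tcp 80,443      # Exchange / OWA
  map_host 100.100.100.101 192.168.1.11 tcp 80,443      # SharePoint / Project Server
  map_host 100.100.100.102 192.168.1.12 tcp 21,1723     # FTP + PPTP control channel
  # PPTP carries its tunnel over GRE (IP protocol 47), so allow that too.
  ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d 192.168.1.12 -p gre -j ACCEPT
  # FTP data channels are matched by RELATED only if the ftp conntrack
  # helper is loaded (modprobe nf_conntrack_ftp).
}

apply_rules
```

Run with DRY_RUN=1 first and read every printed rule; only then load it with DRY_RUN=0 as root, ideally from console access rather than over the link being filtered.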
