Security :: Dedicated Firewall - Network Setup With Two Servers In DMZ
Jan 3, 2011
I currently want to set up a network with 2 Ubuntu servers (mail and web) in a DMZ in order to separate them from an internal network. I want to use a dedicated Linux firewall. This firewall will have 3 network interfaces on it. One network interface will connect to the external router/modem (router and modem in one box), one interface will connect to the DMZ and the other interface will connect to the internal network. The router/modem lets you put, I think it's 1 or 2, interfaces in a DMZ.
But, when I think of any of the dedicated firewall's or servers' interfaces it doesn't make sense to me to put any of them in the router/modem's DMZ (I think it would be better for the dedicated firewall's and the servers' interfaces to have static private IPs, i.e. 192.168.2.4 etc., right?). What I mean is that even if, as far as the router/modem is concerned, none of the interfaces were in a DMZ, the area where the servers are would still effectively be a perimeter network and with such a set up would still be, effectively, a DMZ, right?
Up until recently, as in a few days ago, I was using Ubuntu and had ufw managing the firewall. It's been "recommended" that iptables itself be used. Where do the rules go (as in a file) and how do I call those rules at startup?
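The two posts above (the three-interface firewall with a DMZ, and where iptables rules live and how they come back at boot) share one answer, so here is an added example, not code from either post: a POSIX shell script that generates an iptables-restore ruleset for a WAN/DMZ/LAN firewall and loads it. Interface names, subnets, the two DMZ host addresses and the temporary file name are assumptions passed as arguments; the /etc/iptables/rules.v4 path is the one the Debian/Ubuntu iptables-persistent package reads at boot.

```sh
#!/bin/sh
# Added example (not from the original posts): emit an iptables-restore
# ruleset for a dedicated firewall with three interfaces, then load it.
# Interface names, subnets and the two DMZ host addresses are assumptions
# passed as arguments: WAN DMZ LAN DMZ_NET LAN_NET MAIL_HOST WEB_HOST
gen_ruleset() {
    wan=$1 dmz=$2 lan=$3 dmz_net=$4 lan_net=$5 mail=$6 web=$7
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the firewall itself: loopback, replies, SSH and ping from LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p icmp -j ACCEPT
# Transit traffic: replies first, then the explicit policy per zone pair.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN may reach the DMZ and the Internet.
-A FORWARD -i $lan -s $lan_net -j ACCEPT
# Internet may reach only the published DMZ services (after DNAT below).
-A FORWARD -i $wan -o $dmz -d $web -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $wan -o $dmz -d $mail -p tcp -m multiport --dports 25,587,993 -j ACCEPT
# DMZ may reach the Internet (updates, outbound mail) but never the LAN.
-A FORWARD -i $dmz -o $lan -j LOG --log-prefix "DMZ->LAN: "
-A FORWARD -i $dmz -o $lan -j DROP
-A FORWARD -i $dmz -o $wan -s $dmz_net -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the DMZ services on the firewall's WAN address; hide private ranges.
-A PREROUTING -i $wan -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $web
-A PREROUTING -i $wan -p tcp -m multiport --dports 25,587,993 -j DNAT --to-destination $mail
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Where the rules live and how they come back at boot (needs root). The
# iptables-persistent package on Debian/Ubuntu loads /etc/iptables/rules.v4
# at boot; the temporary file name here is assumed.
load_ruleset() {
    rules=/tmp/rules.v4
    gen_ruleset "$@" > "$rules"
    iptables-restore --test "$rules" || return 1   # parse only, no changes
    iptables-restore "$rules"
    sysctl -w net.ipv4.ip_forward=1                # persist via /etc/sysctl.conf
    install -m 0600 "$rules" /etc/iptables/rules.v4
}

# Example invocation (constructed values):
#   load_ruleset eth0 eth1 eth2 192.168.2.0/24 192.168.1.0/24 192.168.2.10 192.168.2.11
```

With this layout the router/modem's own "DMZ host" feature stays unused: the router only forwards the published TCP ports to the firewall's WAN address, and the firewall decides what reaches the mail and web hosts. The explicit DMZ-to-LAN drop (logged) is what makes the segment a real perimeter network even though every address involved is private.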
I am a Linux newbie so please bear with me if I sound stupid. I was checking out how to set up a firewall for my system and landed on this webpage: [URL]. But I am so confused with how this ufw application works. What I understand is that once I set it to "default deny" it prevents unauthorized incoming connections, but what does it mean when the author says to add exceptions for services I need? When do I need to do that? Also what's an SSH server?
I am trying to set up a firewall using CentOS 5.5. The machine has 2 NICs, one connecting to the ISP/Modem and the other connected to a DIR-655 wireless router. The NIC is connecting to the internet port on the router.
I do not want DHCP on the firewall machine but on the wireless router.
[ISP/Modem] <---> [machine eth0] <---> [machine eth1] <---> [DIR-655 internet port]
                  (dynamic IP from ISP)  (192.168.1.1)         (192.168.1.2)
IPs on the DIR-655 LAN will be the 188.8.131.52/24 network, let's say.
I have set up routes on eth0 for 192.168.0.0/24 and 184.108.40.206/24 and added 220.127.116.11/24 to eth1.
I can ping eth0 and eth1 but cannot ping 192.168.1.2.
This setup is not actually connected to the internet, so I disabled iptables to try testing the ping and still no good.
I got the Shorewall firewall all set up perfectly but I'm stuck at 1 last bit. The aim is to let on 2 clients max onto my server. I have the policy set up in webmin as [image]. More than 2 clients can get onto the server. The aim is to have it as DDoS protection allowing 100 clients on and a max burst of 10 clients at a time.
Using Windows, I always set a Restrictive firewall policy with a third party firewall. But I also had all ports set to Stealth, something that appears to not offer any security benefits (as I've learned from reading Ubuntu forums). I'd like to learn about best security practices (under Ubuntu) for outgoing firewall protection. I will be using the built-in Ubuntu firewall that is configured via Firestarter. Outgoing filtering offers privacy as well as security benefits. But I thought I needed my ports stealthed to be safe too, so I'm open to learning new things.
I wanted to start a poll to find out how many folks use permissive/restrictive, but no polls allowed here apparently. Could Ubuntu users knowledgeable about firewalls enlighten me on whether I should go Outbound-Restrictive and what applications I will need to allow so Ubuntu "housekeeping" is not affected negatively? I basically just use the internet for software updates, web-surfing and e-mail. One question I have is whether there is something comparable in Ubuntu to Windows' "DNS Client" service? I always disabled Windows' "DNS Client" and forced each application to request port 53 DNS lookups itself. I only had to allow four programs to accomplish all internet traffic that I engage in. I set all other programs/applications to be either Blocked or to have to Ask for an outgoing connection as needed. Here is my former Windows XP setup:
svchost.exe: allow UDP for ports 53, 67, 68, 123 (time) and TCP for ports 80, 443
Avast: allow UDP for port 53 and TCP for port 80
firefox: allow UDP for port 53 and TCP for ports 80, 443
IE: allow UDP for port 53 and TCP for ports 80, 443
I want some advice for making my system more secure. I want to deactivate any network connection that is unnecessary. Only my browser and the update ability of zypper should have access to the internet. On Windows there are personal firewalls.
How can I block internet access for all other programmes on openSUSE?
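Both the Ubuntu outbound-restrictive question and the openSUSE "only the browser and zypper" question come down to an OUTPUT chain with a default DROP, so here is one added example (not code from either post, nor from Firestarter or SuSEfirewall2): a POSIX shell function that emits such a ruleset in iptables-restore format. The resolver address, the desktop user's UID and the service ports are assumptions passed as arguments; netfilter's owner match works per user or group, not per executable, which is the closest Linux equivalent to the per-program allow list from the Windows setup.

```sh
#!/bin/sh
# Added example (not from the original posts): an outbound-restrictive
# ruleset. Arguments: RESOLVER (DNS server the host may query) and
# DESKTOP_UID (the interactive user's numeric uid). Both are assumptions.
gen_outbound() {
    resolver=$1 desktop_uid=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Name resolution only to the configured resolver. There is no separate
# "DNS Client" service to disable: every program calls the resolver library
# itself, so port 53 is allowed once, for everyone, to one address.
-A OUTPUT -d $resolver -p udp --dport 53 -j ACCEPT
-A OUTPUT -d $resolver -p tcp --dport 53 -j ACCEPT
# System housekeeping by root: DHCP renewal and NTP. (Some DHCP clients send
# through raw sockets that bypass this chain; the rule covers those that do not.)
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp --dport 123 -m owner --uid-owner 0 -j ACCEPT
# Web browsing for the desktop user; package updates run as root.
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner $desktop_uid -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner 0 -j ACCEPT
# Mail submission and IMAPS for the desktop user only.
-A OUTPUT -p tcp -m multiport --dports 587,993 -m owner --uid-owner $desktop_uid -j ACCEPT
# Everything else: log with the originating uid, then refuse immediately so
# the blocked program fails fast instead of hanging on a silent drop.
-A OUTPUT -j LOG --log-prefix "OUT REJECT: " --log-uid
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Apply (needs root). Firestarter and SuSEfirewall2 each write their own
# iptables rules, so stop the one in use before loading a hand-written set,
# or it will overwrite these rules at the next restart.
#   gen_outbound 192.168.1.1 1000 | iptables-restore
```

The "OUT REJECT:" log lines in the kernel log are the answer to "what does Ubuntu housekeeping need": run the system for a day with the chain in place and add an explicit rule for each logged uid and port that you recognise, rather than opening ports speculatively.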
I'm trying to get OpenMPI (a parallel programming library) working on my home system. I have just two machines on it now, t61 and quad, connected through a router. (Which is also connected to a cable modem for internet.) I can ssh between the machines, mount directories with NFS, etc. However, I just can't get the OpenMPI to run. The OpenMPI message board suggested that the most probable cause is that the firewall is blocking TCP. I don't know how to tell if that's the problem, and can't find any manual for the SuSE firewall, while the various Wikis &c that pop up in a search don't provide any information that addresses my problem.
I am attempting to set up a firewall in my home network environment. The rest of the environment is Windows, sorry, I am attempting now so bear with me. What I have is a cable modem coming in, then my Fedora 11 box with 2 NICs, then the wireless router and the rest of the network.
Everything works fine until I put the Linux box in. If I put the firewall in, the firewall sees the internet but the wireless router directly after it does not. I am doing something wrong with the DHCP I am guessing. I don't want the firewall to give the addresses to the network, I want the router to. I tried to get the firewall to do it (yum install dhcp leafnode) but it kept saying something didn't work right.
So I figure I will let the cable modem give the firewall an IP and the router give the rest of the network their IPs, but how do I get the firewall and router to see each other and allow passthrough?
I run a small (cabled) network between a desktop with XP with two printers hooked to it and a laptop with Ubuntu 10.04.1 64b. I can approach and use these printers from my laptop and filesharing works also. BUT ... this only works when my Ubuntu firewall (Gufw 10.04.5) is switched off. I am operating behind my router_modem which has a hardware type of firewall switched on at all times so I presume I'm safe. Now my questions:
1. Is this really safe enough?
2. What kind of settings would Gufw need to be able to use it AND use my mini-network for printing? I have no experience whatsoever with firewall rules and settings.
Before I go any further I must admit that I'm pretty rubbish at setting these up, so please be gentle!
Now my problem; I have a normal desktop pc (I don't want to set it up as a server) but when I check the hardness of my set up with Gibson Research Centre, it fails. It can see ports 22,23,80,443 as closed but still visible.....? I have never had this happen to me before and struggling my way through yast firewall tool, I can find no easy way of sorting this out.
I have Ubuntu 8.04 as virtual host. On this host I have installed the VirtualBox virtualization software. I have installed Windows XP as a virtual machine and installed an HTTP server. I would like to temporarily disable all network connections to the host and virtual machine. So on the Ubuntu host I have set firewall settings:
Code:
sudo iptables -F (to flush - delete all firewall settings)
sudo iptables -P INPUT DROP (to disable all input traffic)
I am learning to set up a firewall in my home. For that I have selected four systems (sys1, sys2 ... sys4) for testing. I have configured sys2 to act as a firewall with two NICs. sys3 and sys4 are inside the firewall. sys1 is not connected to the firewall, for testing purposes.
The IP assignments are as follows:
sys1 : ( Fedora, not connected to firewall I am thinking, but I am not sure )
What happened is that sys1 (not connected to firewall) can ssh to sys4 (connected, inside firewall), since the rules are written not to ssh from sys1 to sys4..
Then I came to know that whatever request I give, it directly goes as sys1 --> sys4, not as sys1 --> sys2 (firewall) --> sys4, and the firewall is not filtering and processing anything for both inbound and outbound (I think it's my mistake somewhere). The requests are directly going inside without the firewall.
I want to rent a (root) linux server to run a vpn service on it. I want to allow people to use this vpn.
My questions are as follows:
- What kind of server/service should I rent - dedicated or VPS?
- Is one IP address enough to connect, say, 100 users? (I plan to run IPsec or OpenVPN, maybe PPTP)
- What bandwidth and/or traffic limits do I need to consider to make the service reasonably fast for the users?
- Which Linux distro should I use? Ubuntu Server, CentOS, FreeBSD, Debian etc?
- How much RAM and HDD space is recommended for such an endeavour?
- Any advice on the processor type the server should have?
- Is a 100M network OK or is 1000M better?
- What does 100Mbps shared bandwidth mean in contrast to 10Mbps dedicated guaranteed per server?
Being on a low budget, I can't afford to buy Red Hat; would you recommend using Fedora for setting up dedicated servers? I know Fedora is known to be "bleeding edge" in technology, which concerns me with the stability of the server. Would you recommend a more stable Linux distro? I was also wondering if there is any way to know what these web hosting companies are using in their servers: [url]
I suspect this is an initial configuration bug. All firewall logs seem to be going to all three files. That causes a lot of clutter in the log files, and makes it difficult to see whether there are any serious problems being logged.
The Fedora 13 Virtualization guide mentions the ability to use "shared physical device" to give a virtual guest full access to a network device. Where can I find more info on setting this up? When installing my first guest, the drop down menu didn't supply this as an option. Eth0 and Eth1 were not selectable (e.g. grayed out). Is there a better section to ask KVM related questions? If so, I'll move there.
I'm setting up my first KVM guest now, played around with VMware briefly. I did spend a lot of time with VM on mainframes (yes, I'm old)... and from my research, KVM is "catching up" with what we could do in the old days.
When you need to change something on the server you can hook up a monitor and a keyboard and do it through the console.
I would like to hook up an external monitor in this fashion for a desktop. The current video card can only support a single display. So I was hoping there was some way to use a second monitor as just a permanent console, since simple text shouldn't require a video card?
My workstation is on a network, let's say 10.100.0.0/24. I'm opening up an openVPN Tunnel to a test environment in my company, receiving a lot of routes to this network (address range 172.xx.yy.0). Everything is working fine so far. In this test environment I placed a number of virtual systems having their own private network (10.99.0.0/24). I have one machine in this virtual cluster which is able to forward incoming IP traffic to the others.
When I login to this gateway system, using the 172.xx.yy.zz address, I can logon to the others using the 10.99.aa.bb addresses. Fine so far. But I have to be able to call these machines with the 10.99.0.0/24 addresses from my laptop. So I tried to add a route like: route add -net 10.99.0.0 netmask 255.255.255.0 gw 172.xx.yy.zz
Unfortunately I received an error message: SIOCADDRT: No such process
According to the entries in other forum articles (Google helps in most cases), I have to add a host route first: route add -host 172.xx.yy.zz gw 172.well.defined.dest
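Two of the posts above have the same underlying question of "which route does this packet take": the four-system firewall test where sys1 reaches sys4 without crossing sys2, and the OpenVPN route that fails with SIOCADDRT: No such process. Here is one added example serving both (not code from either post): a pure POSIX shell CIDR membership check, applied first to test whether two hosts share a subnet (if they do, they deliver to each other directly and a firewall host on the same segment is never consulted) and second to test whether a gateway is covered by an on-link route, which is what the kernel requires before it accepts a route "via" that gateway. All addresses and the routing table are constructed values, not the ones from the posts.

```sh
#!/bin/sh
# Added example (not from the original posts): a pure-shell CIDR membership
# check, used for two diagnoses. (1) Hosts on the same subnet deliver packets
# to each other directly, so a firewall host on that segment never sees them.
# (2) "SIOCADDRT: No such process" from route add means the named gateway is
# not covered by any on-link route. All values below are constructed.

ip2int() {  # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

in_prefix() {  # in_prefix ADDR NET/LEN -> true when ADDR lies inside NET/LEN
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# (1) Will a test host's packets to a protected host cross the firewall?
# Only if the two are in different subnets (and the test host's route for the
# protected subnet points at the firewall). Same subnet = direct delivery.
same_subnet() {  # same_subnet ADDR1 ADDR2 PREFIXLEN
    in_prefix "$2" "$1/$3"
}

# (2) A gateway for a new route must already be reachable through a route
# that has no next hop of its own ("dev" only, link scope). Routes that go
# "via" another hop, the default route included, do not qualify.
# Constructed table in `ip route show` format:
ROUTES='default via 10.100.0.1 dev eth0
10.100.0.0/24 dev eth0
172.16.5.0/24 dev tun0'

gateway_onlink() {  # gateway_onlink GW [ROUTING_TABLE]
    gw=$1; table=${2:-$ROUTES}
    printf '%s\n' "$table" | while read -r dst rest; do
        case $dst in ''|default|*[!0-9./]*) continue ;; esac  # not a prefix
        case " $rest " in *" via "*) continue ;; esac         # has a next hop
        case $dst in */*) ;; *) dst=$dst/32 ;; esac           # bare host route
        in_prefix "$gw" "$dst" && echo onlink
    done | grep -q onlink
}

# When gateway_onlink fails, make the gateway on-link first, then add the
# route (interface name and addresses assumed; needs root):
#   ip route add 172.16.5.7/32 dev tun0
#   ip route add 10.99.0.0/24 via 172.16.5.7
```

On a live system, pipe `ip route show` into the second argument of gateway_onlink instead of the constructed table. For the firewall test, the practical consequence of same_subnet returning true is that sys1 and sys4 must be moved into different subnets with sys2 as the only path between them (or sys2 must be a transparent bridge) before any iptables rule on sys2 can matter.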
I am trying to set up a DNS server on my local network. When I set Linux clients to use it, it works as expected. However, when I set Windows clients to it, the root name doesn't resolve. For example, I have a zone called daniel. On Linux "anything.daniel" resolves to the correct IP as does "daniel", which is the behavior I want. However, on Windows 7, "anything.daniel" resolves correctly, but "daniel" doesn't. I am new to BIND9 so my config is mostly copy and pasted. Here is my zone file for daniel (where #.#.#.# is the IP I want daniel to resolve to):
@ IN SOA ns1.daniel. admin.daniel. ( 2007031001 28800 3600