IPTables Application Engineering Environment

An interesting presentation. Firewalling based on traffic patterns, and not just individual packets makes a lot more sense to me.

Looking for a good Firewall/VPN solution

I'm trying out Astaro's free-for-home-use product, which looks really sweet. I'm also going to see how usable the FreeS/WAN stuff that comes in Knoppix-STD is.

What prompted this is that one of my firewalls that I maintain, a Gateway Guardian VPN (2 floppies) running on a P100, is near dead. So, need to find a good low-maintenance replacement for it.

AlanBailward mentioned

IPCop looks interesting.


A Gateway Guardian VPN edition (build 1909, with 2 floppies, on a p100) that I set up several years ago has been slowly degrading over the last while. So today I finally built a Debian-based firewall to replace it. Hardware is AMD K6-2 @ 350Mhz w/196 MB, so it's quite a bit faster. I used dual PCI NICs, since the P100 had some oddball ISA cards that were a nuisance to get going way back when. Software is Debian Sid, LinuxKernel 2.4.24, FreeS/WAN 2.0, and so on. The 'freeswan' package actually works quite well, since it uses the IPSec stuff that comes with the kernel nowadays, versus KLIPS. Just don't forget to install the ipsec-tools package as well.

Eventually I got FreeS/WAN 2.0 talking to FreeS/WAN 1.98b which is what my FireCard Plus (or whatever Netmaster calls it now) at home uses. Was getting Pluto problems about proposals until I added authby=secret to ipsec.conf. Apparently the default is rsakeys.
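The authby fix above, as an added example (not the author's actual configuration): a small shell function that writes a FreeS/WAN 2.x ipsec.conf with a pre-shared-key site-to-site connection plus the matching ipsec.secrets entry. The connection name, addresses, subnets and PSK are hypothetical, and the target directory is a parameter so the files can be rendered somewhere harmless before they go into /etc.

```shell
#!/bin/sh
# Added example, not from the original post: render a FreeS/WAN 2.x
# pre-shared-key tunnel definition.  All names, addresses and the PSK
# below are hypothetical placeholders.
set -eu

# write_ipsec_config DIR LEFT_IP LEFT_SUBNET RIGHT_IP RIGHT_SUBNET PSK
write_ipsec_config() {
    dir=$1 left=$2 leftnet=$3 right=$4 rightnet=$5 psk=$6

    cat >"$dir/ipsec.conf" <<EOF
# FreeS/WAN 2.x insists on a version line before the first section.
version 2.0

config setup
    interfaces=%defaultroute
    plutodebug=none

conn %default
    keyingtries=0
    # The fix from the post: both ends must agree on the authentication
    # method or Pluto rejects every proposal the peer sends.  FreeS/WAN's
    # default is RSA signature authentication (authby=rsasig); a peer set
    # up for a shared secret needs authby=secret here.
    authby=secret

conn office-home
    left=$left
    leftsubnet=$leftnet
    right=$right
    rightsubnet=$rightnet
    auto=start
EOF

    # The secret is keyed by the two endpoint addresses and must be identical
    # on both sides.  Create the file root-only from the start (umask in a
    # subshell so the caller's umask is untouched), then pin the mode.
    (umask 077; printf '%s %s : PSK "%s"\n' "$left" "$right" "$psk" \
        >"$dir/ipsec.secrets")
    chmod 600 "$dir/ipsec.secrets"
}

# Usage: write_ipsec_config /etc 192.0.2.1 10.1.0.0/24 198.51.100.1 10.2.0.0/24 'long-random-secret'
```

After the files are in place, `ipsec setup restart` reloads Pluto and `ipsec auto --up office-home` brings the tunnel up by hand for a first test. The PSK in ipsec.secrets must match on the 1.98b side byte for byte, and the authby line must be present there too if that end's default was ever changed.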

For firewalling, I tried Bastille and Shorewall but couldn't get them going properly. Eventually I discovered a really nice (and simple) firewall script and config file from Asgard's Realm.
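For comparison, an added example of the kind of simple two-NIC iptables script the post is talking about; this is not the Asgard's Realm script, and the interface names, subnets and peer address are hypothetical. It matters for this box in particular because the FreeS/WAN tunnel has to be let through: IKE on UDP/500, then ESP and AH themselves, and, since the kernel's native IPsec has no ipsec0 device the way KLIPS does, the decrypted traffic from the remote subnet shows up on the WAN interface and the forwarding and NAT rules have to be written in terms of subnets rather than a tunnel interface.

```shell
#!/bin/sh
# Added example, not the Asgard's Realm script the post refers to.
# Minimal default-deny ruleset for a two-NIC Debian gateway that also
# terminates a FreeS/WAN tunnel.  Interfaces, subnets and the peer are
# hypothetical.  Run as "IPT=echo ./fw.sh start" to print the rules
# instead of loading them.
set -eu

IPT=${IPT:-iptables}
WAN=${WAN:-eth0}                            # interface facing the ISP
LAN=${LAN:-eth1}                            # interface facing the office
LAN_NET=${LAN_NET:-192.168.1.0/24}
REMOTE_NET=${REMOTE_NET:-192.168.2.0/24}    # subnet behind the IPsec peer
PEER=${PEER:-203.0.113.5}                   # public address of the IPsec peer

fw_rules() {
    # Start clean and default-deny everything that is not explicitly allowed.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections the box or the LAN opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Management only from the LAN side; the WAN side gets nothing but IPsec.
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p icmp -j ACCEPT

    # IPsec with the one known peer: IKE on UDP/500, then ESP (50) and AH (51).
    $IPT -A INPUT -i $WAN -s $PEER -p udp --sport 500 --dport 500 -j ACCEPT
    $IPT -A INPUT -i $WAN -s $PEER -p esp -j ACCEPT
    $IPT -A INPUT -i $WAN -s $PEER -p ah -j ACCEPT

    # With native kernel IPsec the decrypted packets reappear on $WAN with the
    # remote subnet as source, so forwarding is expressed by subnet pair, not
    # by a tunnel interface.
    $IPT -A FORWARD -i $WAN -o $LAN -s $REMOTE_NET -d $LAN_NET -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -d $REMOTE_NET -j ACCEPT

    # Ordinary LAN -> Internet traffic, masqueraded behind the WAN address.
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
    # Traffic bound for the tunnel must keep its LAN source address or the
    # peer's policy will not match it, so exempt it before MASQUERADE.
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -d $REMOTE_NET -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
}

# Only touch the kernel when explicitly asked, so the file can be sourced
# or dry-run safely.
if [ "${1:-}" = "start" ]; then
    echo 1 >/proc/sys/net/ipv4/ip_forward
    fw_rules
fi
```

The ordering of the two POSTROUTING rules is the part that is easy to get wrong: if MASQUERADE comes first, packets for the remote site leave with the WAN address as source, the IPsec policy never matches them, and they go out in the clear to the Internet instead of into the tunnel.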

It's been a while since I built a firewall from scratch, so I wanted to give it another whirl. The last time I really did this (that is, figure out what packages are required, set up a script, research HOWTOs, etc) was pre-Netmaster/pre-Merilus, when I was on dialup. During the Netmaster/Merilus days I always used GG since I was working on it and understood how it worked.

I'm not sure if I'm going to do a similar thing at home. That is, decommission the Firecard and set up a dedicated PC. The problem with setting up another PC for a dedicated Linux firewall is that it's Yet Another System to update/maintain/fix/troubleshoot. I maintain dozens of systems as it is. The Firecard has been pretty low maintenance for me.

One thing I need to test yet is PPTP/OpenVPN. I did some basic host <-> host tests and it works, but I want them to work when I'm on the road. IPSec is too troublesome for road warriors.

