2/15 I manage the network of a small company. 10 workstations, 10 PCs.
They are hooked to the internet via a DSL line. We're thinking of
putting in a firewall. Is there a DSL modem with built-in firewall?
Or am I better off using an el-cheapo PC as firewall? Recommendations?
Thanks.
\_ run free/openbsd; use ipf. nat with ipnat, redirect: ipmasqadm.
if you run nameservice for internal and external, you want to
have the external one chrooted, and point the /etc/resolv.conf
to the internal nameserver (this file is outside the chrooted dir).
make sure you get the securest copy of bind - there was a recent
exploit. if you chose linux, you might want to consider using
iptables with real nat and real state. with freebsd, you can use
mpd-netgraph should you later want a vpn. with linux, you can use
poptop. Running the nameserver in a chrooted section in linux is a
little bit more effort but doable. - paolo ps, point the internal
one to some trusted nameserver.
\_ If you are worried about dns, check out djbdns. It is much
better and much more secure than bind.
I would recommend running OpenBSD over FreeBSD. OpenBSD is
much better audited, and has more frequent fixes for security
holes. Also in a locked down firewall setup (turn off httpd,
inetd, etc) there have been no remote exploits in 3 years.
Other options include NetBSD. You can get it to boot and
run on almost anything. If you are worried about the form
factor (noise, etc) get an IPX or a Qube2 with NetBSD. It's
pretty secure and fast.
\_ ipx's are kind of noisy. at least the one i have is.
\_ are you using the stock Hawk drive? If so that
is your problem. Replace with a Quantum Fireball,
and noise goes down by 75%.
\_ Highly recommend FreeBSD running ipf/ipnat (if you have to
NAT) Config syntax is pretty straightforward once you start
looking at it, and is well documented. It's very fast, and
it will be good on a P166. A colleague is a great fan of
running it on the sort of embedded, fanless PCs that
advantech (www.advantech.com) make. Mail me if you
want some help. -John
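Added example, not John's or any other poster's configuration: a minimal ipf/ipnat rule set for the two-interface FreeBSD box described above. The interface names (fxp0 on the DSL side, fxp1 on the office LAN) and the 192.168.1.0/24 office range are assumptions.

```conf
# /etc/ipf.rules  (assumed: fxp0 = DSL side, fxp1 = office LAN)
# Spoofed traffic: office or loopback sources must never arrive on the DSL side
block in log quick on fxp0 from 192.168.1.0/24 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
# Let the box and the office reach the internet; "keep state" means only
# replies to sessions opened from inside are allowed back in
pass out quick on fxp0 proto tcp from any to any keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
# Log and drop anything else that shows up unsolicited on the DSL side
block in log quick on fxp0 all
# Trust the office LAN and loopback interfaces
pass in quick on fxp1 all
pass out quick on fxp1 all
pass in quick on lo0 all
pass out quick on lo0 all

# /etc/ipnat.rules  (hide the office behind the single DSL address)
# FTP needs the proxy because it carries addresses inside the data stream
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
# Rewrite source ports so many hosts can share one address for TCP/UDP
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:30000
# Everything else (ICMP etc.) is translated without a port change
map fxp0 192.168.1.0/24 -> 0/32
```

Load with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`; `ipfstat -hio` shows hit counts per rule, which is the quickest way to confirm the block rules are actually catching traffic.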
\_ if you're not into optimizing and configuring things and
running external services like www, there is a linksys
dsl modem/hub product that has a webserver configuration
interface, and address translation, so you can set that
up and then plug a hub into that and connect your office.
or spend a couple of hours bringing up a unix box
with two interfaces and turn on ip masquerading and dhcp to
connect your office.
\_ by your description, it sounds like you already have a dsl modem,
and just need a firewall/hub box. There are plenty on the market.
just look around.
\_ in other words, you have no recommendations. fuck off
\_ Cisco PIX. It is the standard firewall.
\_ Is Cisco PIX any better than a typical OpenBSD/ipf setup?
\_ Oh yeah. The PIX is pretty damn secure. It has a custom
OS (not IOS) that has many layers of security and it is
completely audited. Every patch/upgrade is hand checked
and then a horribly complex set of attacks are executed
against it. PIX defends banks, enterprises, governments
in their most secure locations. If someone tells you
they can get past a PIX, it's probably because they
paid someone to unplug it from the network.
\_ MegaPath DSL had me buy a Netopia R3100 (IDSL) which seems to
have pretty decent NAT/Firewalling/PPTP functionality (I don't
actually use any of it, but it's there...) --dbushong