Re: Help for a secure Firewall

From: Wolfgang Kueter (wolfgang@shconnect.de)
Date: 10/05/02


From: Wolfgang Kueter <wolfgang@shconnect.de>
Date: Sat, 05 Oct 2002 01:33:02 +0200

osolemio wrote:

> I'm buying an ADSL connection with static-IP: I have to choose between
> an ISP-already-configured router (Alcatel Speed Touch Pro) and the same
> router with static NAT to a Linux Box Server.
> By ISP-already-configured I mean that the router is configured by the ISP
> to connect my private LAN (192.168.1.x) to the internet via a hub. I would have
> to do nothing else than connect it.
>
> Obviously with NAT I could build a web-server! So I'm considering having
> the router configured with NAT to my linux box (all ports!? you never know
> what I will need!)

You might do that but I do not recommend it. If you want to allow incoming
connections the normal way is to forward only specific wanted services.
Besides that you might run into problems with a global NAT to the Linux
box, since the outgoing connections have to be hidden (natted) too. What is
possible in this field depends a lot on the NAT capabilities of the router.

> Well, assuming I can trust my lan, could I set up an UNbreakable Firewall
> with kernel 2.2.22 and Ipchains?

You can install ipchains on that box, but a locked down box will only run
specific services, so a packet-filter on the box itself is of little value.
If the machine is cracked and the attacker was able to get root access it
is too late for ipchains, he can just switch it off.

> I would just need POP3 (to download
> mail), SMTP (to deliver mail out with Qmail that is already my internal
> mail server), and of course web-surfing and web-server (80/8080?).
>
> Is there ANY method for a hacker to get in, with such a situation? Hope
> not! I would shut down telnet, ssh, and everything!

Might be possible, it depends on the versions of the daemons you run on
that Linux Box. The better place for the Linux box (public servers) would
certainly be some kind of DMZ.

> Is Apache a danger used also as a Proxy server?

There are some vulnerabilities in older versions and certain modules of
Apache, the latest versions are patched against these attacks, but new
vulnerabilities might be found in any daemon in the future. When you run
public services it is essential to take a look at available updates
regularly.

Concerning SMTP, qmail is a good choice.

> Is samba, activated only for my internal LAN, a danger?

Normally not, but I'd recommend setting up a separate machine that cannot
be reached from the outside for that service, since you never know what
security holes might be found tomorrow.

Wolfgang
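As an added illustration of the "forward only specific wanted services" advice in this reply (example code, not from Wolfgang or osolemio), the script below generates a default-deny ipchains input policy for the three services the original poster named (SMTP, HTTP, POP3) and nothing else. The public address 203.0.113.10 is a constructed placeholder; the rules are echoed for review rather than applied, so they can be piped into sh once checked.

```shell
#!/bin/sh
# Added example, not part of the original thread: emit a minimal ipchains
# (kernel 2.2) input ruleset that accepts new TCP connections only on the
# listed ports and denies (and logs) everything else.

PUBLIC_IP="203.0.113.10"      # constructed placeholder, not from the thread
SERVICE_PORTS="25 80 110"     # SMTP, HTTP, POP3 as named by the poster

# gen_input_rules <public-ip> [port ...]: print the ipchains commands.
gen_input_rules() {
    ip="$1"; shift
    echo "ipchains -F input"                          # drop any old rules
    echo "ipchains -P input DENY"                     # default: silently deny
    echo "ipchains -A input -i lo -j ACCEPT"          # loopback traffic is fine
    # Anti-spoofing: our own address must never arrive on a real interface.
    echo "ipchains -A input -s $ip -i ! lo -j DENY -l"
    # One explicit ACCEPT per wanted service, instead of forwarding all ports.
    for port in "$@"; do
        echo "ipchains -A input -p tcp -d $ip $port -j ACCEPT"
    done
    # Replies to connections this box opened itself: TCP without SYN set,
    # and UDP answers from a resolver's port 53.
    echo "ipchains -A input -p tcp ! -y -d $ip -j ACCEPT"
    echo "ipchains -A input -p udp -s 0/0 53 -d $ip -j ACCEPT"
    # Anything else is denied and logged so probes show up in syslog.
    echo "ipchains -A input -d $ip -j DENY -l"
}

# count_open_ports <public-ip> [port ...]: how many TCP ports the generated
# ruleset opens for new connections (a quick sanity check before applying).
count_open_ports() {
    gen_input_rules "$@" | grep -c -- '-p tcp -d [0-9.]* [0-9]* -j ACCEPT' || true
}

gen_input_rules "$PUBLIC_IP" $SERVICE_PORTS
```

Review the output, then apply it with `sh` on the box; the policy line must come first so that flushing the chain never leaves the host open.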