If I were to make a pitch for using CentOS as a firewall, I would point to:

- enhanced flexibility in creating firewall rules vs commercial firewalls.
- no charge per # of clients, licensing issues, etc.
- high availability of useful packages and servers (snort, fwlogwatch, pica, iptraf, squid, privoxy, openSSH, poptop, etc).
- plenty of layered security (remote logging, TCP wrappers, rate limiting, iptables rules, SE Linux, etc).

If I were to make a pitch against using CentOS as a firewall, I would point to:

- Very, very bloated compared to other firewall-only distros. (http://m0n0.ch/wall/ is all of 6.5 MB)
- It's (dangerously) tempting to use yum to get every server/daemon you can running on the firewall box simply because it's free and easy.
- Slower performance compared to streamlined firewall-only products.
- Generally, many beginners won't be able to adequately secure their CentOS box to make it as secure as a dedicated firewall appliance.

In the end, there is a trade-off. I personally run CentOS as a firewall (I used to run m0n0wall, then IPCop), and love the flexibility it gives me. YMMV

On Thu, 2005-03-31 at 02:28 +0100, Miki Vazquez wrote:
> Ok, it's good if you have one firewall; if you have more, the best is pica:
> http://pica.sf.net
>
> I have the scripts in one server, with cvs to version them.
>
> On Wed, 30-03-2005 at 19:44 -0500, ryanag@xxxxxxxxxxxxxxxx wrote:
> > I would add the below:
> >
> > -Recommend using CentOS 4.0
> > -Use squid rpm, no tar (this is for new users I'm guessing).
> > -Recommend using etherape and iptraf (available as rpms) for a graphical
> > overview of traffic. http://etherape.sourceforge.net/
> > -Recommend the use of chkrootkit, and TCP Wrappers (at the least put
> > ALL: ALL EXCEPT PARANOID in /etc/hosts.allow) to protect servers.
> > -Provide some information about how to protect the whole network from
> > spyware with the /etc/hosts file (a nice side benefit from doing DNS
> > proxy). http://www.mvps.org/winhelp2002/hosts.htm
> > -A *huge* disclaimer on running squid on a machine with a public
> > interface.
> > -Consider using webmin to manage this outside a GUI.
> > -fwlogwatch can parse log files nicely. http://fwlogwatch.inside-security.de/
> >
> > Biggest issue I have with your setup:
> >
> > -I wouldn't use Guard Dog as the GUI setup - it is very nice, but
> > inflexible and not really meant for what you are doing.
> > Try kmyfirewall instead if you want a GUI for iptables. It offers near
> > complete control of iptables functions.
> > If you can get along with using webmin, try shorewall.
> >
> > *If* this is going to be in a bigger than SOHO (+ 30 PC) network, go
> > with shorewall.
> >
> > Just my $.02, good luck with the site, it'll help a lot of people. :-)
> >
> > On Wednesday 30 March 2005 13:27, Seth Bardash wrote:
> > > To the list:
> > >
> > > HOW-TO on DNS + DHCP + SQUID + Firewall + Router
> > >
> > > Since this seems to be a recurring topic:
> > >
> > > Thought you might be interested in a working set up of a
> > > DNS + DHCP + SQUID + Firewall + Router machine that took
> > > quite an effort to get working but now runs flawlessly.
> > >
> > > Don't get discouraged. This takes some time to set up
> > > correctly but once you get through it - it works great!
> > >
> > > Remember: tcpdump is your friend!!!!
> > >
> > > Anyone having a network internally that needs these
> > > features should continue reading:
> > >
> > > We set up a new firewall based on CentOS 3.3. (3.4 should work fine)
> > >
> > > We needed it to serve many protocols internally.
> > >
> > > The specifications for it are:
> > >
> > > NOT Microsoft based
> > > (We are a MS Partner with all the software but I wanted something that was
> > > MS virus proof)
> > >
> > > KDE Graphical Firewall Control
> > > External Internet LAN Port x 1
> > > Internal Networks x 2 (more can be added) -> we used 192.168.0.X and
> > > 192.168.1.X
> > > DNS Name Caching Server - internal and external, forward and reverse
> > > lookups
> > > DHCP Server that does ddns-update internally
> > > Squid Server
> > > IP Masquerading
> > > Routing between all networks
> > >
> > > Hardware:
> > >
> > > OLD P3-800 Based System (Only non AMD system we run)
> > > 3 x Intel Pro 100 NICs (We have a big box of these)
> > > 1GB SDRAM
> > > 40GB IDE Disk
> > > CDROM Drive
> > > Floppy
> > > Standard PC Case with extra cooling and 400 W PS.
> > >
> > > This hardware is overkill as it never runs above 30% load.
> > > Any machine supported by CentOS with > 600 MHz CPU and 512M Memory should
> > > do.
> > >
> > > Software:
> > >
> > > CentOS 3.3 Full Install (Lessens the chance of missing packages)
> > >
> > > Guarddog Firewall RPM for CentOS
> > > (http://centos.hughesjr.com/3/guarddog/RPMS/)
> > > Guidedog router/masquerader RPM for RH9 (works fine)
> > > (http://www.simonzone.com/software/guidedog/guidedog-1.0.0-1_rh9.i386.rpm)
> > >
> > > Squid source tar ball.
> > >
> > > First install CentOS and set it for a KDE graphical boot up.
> > > Turn off all services not used
> > > Leave iptables on but turn off ip6tables
> > >
> > > Then install Guarddog
> > > Then install Guidedog
> > > Configure both of the above - read the instructions for these carefully.
> > >   - questions for these should go to the writer or his mail forum
> > >   - Make sure to enable DHCP for eth1 and eth2 BUT NOT eth0 (external LAN NIC)
> > >
> > > Make sure you can see the internet from the inside LANs with the clients
> > > set to use static IPs.
> > >
> > > NEXT ---
> > >
> > > Please read the instructions on how to set up DHCP and bind (DNS) here:
> > >
> > > http://integratedsolutions.org/downloads/DHCP-DDNS.txt
> > >
> > > Read this multiple times and make sure you understand it!
> > >
> > > Cut and paste can be an enemy. Be careful which editor you use.
> > >
> > > This set up allows us to have any number of machines on our internal
> > > network automagically connected to each other and the internet with all the
> > > IP information coming from our firewall / router / masquerader / squid
> > > server.
> > >
> > > It works for forward and reverse DNS internally for Windows and Linux
> > > clients and servers.
> > >
> > > It also speeds up client internet traffic by caching most outside pages.
> > >
> > > Install squid per the INSTALL in the src tar ball and
> > > add a startup entry to either chkconfig or rc.local.
> > > We set it to use 5 GB of disk cache and start
> > > automatically at boot time. We used the standard proxy port.
> > >
> > > We configured squid using webmin and this works fine.
> > >
> > > We added Webmin just to see how well it works:
> > > It can break DNS and DHCP easily if you are not careful but it was helpful
> > > getting squid working.
> > >
> > > Read up on syslogd and change the config file (or use webmin) to rotate
> > > logs every day and keep 7 to 14 old logs for back checking purposes. This
> > > will limit log size and make it easier to find any problems.
> > >
> > > Your mileage may vary.
> > >
> > > Standard software disclaimer applies.
> > >
> > > If this is helpful drop me an email so I know.
> > >
> > > If this needs work drop me an email with specifics.
> > >
> > > We will be adding a knowledgebase to our website with complete instructions
> > > for this in the next few weeks.
> > >
> > > Best
> > >
> > > Seth Bardash
> > >
> > > Integrated Solutions and Systems
> > >
> > > seth@xxxxxxxxxxxxxxxxxxxxxxx
> > >
> > > 719-495-5866
> > >
> > > Failure can not cope with perseverance!
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS@xxxxxxxxxx
> > http://lists.centos.org/mailman/listinfo/centos
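The firewall/router part of Seth's HOW-TO written as a plain iptables script, added here as an illustration; it is not from the thread and not Guarddog/Guidedog output. It assumes the interface roles and subnets the HOW-TO gives (eth0 external, eth1/eth2 internal, 192.168.0.0/24 and 192.168.1.0/24), squid on its default port 3128, and it also adds the rate-limited logging of dropped packets mentioned in the first message.

```shell
#!/bin/sh
# Added example (not from the thread): raw iptables rules for the roles in
# Seth's HOW-TO. Assumed from the thread: eth0 external, eth1/eth2 internal
# LANs on 192.168.0.0/24 and 192.168.1.0/24; squid on its default port 3128.
# IPT defaults to a dry run that only prints the commands; run as root with
# IPT=iptables (and net.ipv4.ip_forward=1 via sysctl) to apply them.
IPT="${IPT:-echo iptables}"
EXT=eth0
INT_IFS="eth1 eth2"
LANS="192.168.0.0/24 192.168.1.0/24"

build_rules() {
    # Default deny for traffic to and through the box; flush old rules.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    # Loopback and replies to connections the box or the LANs started.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services offered to the inside only (DNS, DHCP, squid, ssh); nothing is opened on eth0.
    for IF in $INT_IFS; do
        $IPT -A INPUT -i $IF -p udp --dport 53 -j ACCEPT
        $IPT -A INPUT -i $IF -p tcp --dport 53 -j ACCEPT
        $IPT -A INPUT -i $IF -p udp --dport 67:68 -j ACCEPT
        $IPT -A INPUT -i $IF -p tcp --dport 3128 -j ACCEPT
        $IPT -A INPUT -i $IF -p tcp --dport 22 -j ACCEPT
    done

    # Routing: each LAN to the Internet and between the two LANs.
    for IF in $INT_IFS; do
        $IPT -A FORWARD -i $IF -o $EXT -j ACCEPT
    done
    $IPT -A FORWARD -i eth1 -o eth2 -j ACCEPT
    $IPT -A FORWARD -i eth2 -o eth1 -j ACCEPT

    # IP masquerading for everything leaving through the external NIC.
    for NET in $LANS; do
        $IPT -t nat -A POSTROUTING -s $NET -o $EXT -j MASQUERADE
    done

    # Log what the DROP policies discard, rate limited so a flood cannot fill syslog.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
}
build_rules
```

Review the dry-run output first; the LOG lines are what fwlogwatch or a remote syslog host would then summarise.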