Mark Skinner wrote:
Has anyone set up SuSE on a PC to just be a firewall? One ethernet in and one ethernet out? Or is there a FAQ for firewalling out there... Thanks, Mark Skinner
The most famous firewalls for Linux are the built-in capabilities managed with ipfwadm (no additional tools required), FWTK and SOCKS.

1. SuSE Linux has the first type of firewall support built in, which is usually maintained with ipfwadm (see: man ipfwadm). * Correct me if I'm wrong. * But this is a type of packet-filtering router and is suitable for dividing subnets or as a simple firewall, if the connection with the Internet is NOT 24 hours AND with a dynamic IP. If in use 24 hours with a leased line and a static IP, it's not secure enough.

Two application-level firewalls are:

2. FWTK. This is the most famous kit in the Linux community.

3. SOCKS. The other application-level firewall (exactly: circuit level), called SOCKS5; look here: http://www.socks.nec.com/ and http://www.socks5toolkit.nec.com/

Performance difference: type 1 does not need as much computing power as type 2 or 3.

The SOCKS5 package compiles and runs *smoothly* on Linux (ELF) without any problems; it's easy to use and has features which give you the ability for VPN. Now any app can be socksified, without the restrictions of FWTK. The FWTK has some advantage in that the setup can be more restrictive for the office staff, but both (SOCKS5 and FWTK) give high protection from outside. But SOCKS5 is much more flexible and user friendly. Additionally, as I know from many other mailings, SOCKS has better performance than FWTK.

The machine we use for SOCKS5 is an EPoX mainboard, P166+ Cyrix, 32 MB RAM, AHA-2940 + 2 GB SCSI (one gigabyte is enough also), two NE-2000 compatible cards, and if 10 - 15 (?) people are mailing and surfing, the load on the machine is pretty high sometimes... so for a bigger office I would consider a 200 Pro+ and 64 MB RAM. The bastion host is dual homed with a different IP on both network cards.

To set up/install the cards, I reserved a small DOS partition for the DOS tools of the cards; in Linux then, since Linux recognizes only one card alone, I enter parameters into lilo.conf (see HOWTOs for multiple ethernet...).

Even though it's a server, I recommend installing X Windows for the first time; you have good control in several windows, and SOCKS5 has additional abilities for graphical statistics... It's good to be able to watch both cards and the output of the SOCKS5 server (debugging mode) plus machine load. (NOTE: X Windows has vulnerabilities concerning security !!! - so the bastion host should run later without X. SOCKS5 has tools for logging and statistics running on another machine.)

Additionally, on such a firewall a proxy server can be installed, which caches content for your users. But with that I have no practical experience yet. Squid is famous and, by reading mailings, maybe best. SuSE comes with Squid preinstalled! Very nice.

I highly recommend getting a good book on firewalling!

Best Regards,
Lu

PS. I chose SOCKS5 as bastion host for a company and we run it on top of Caldera OpenLinux Base, but there should be no difference in modern distributions today (SuSE, Caldera, RedHat, etc...).

--
Ludwig Richter
CGI consult
http://www.cgicon.com/
Lu@cgicon.com
With Acknowledge: richter@cgicon.com
_________________________________________________________
Sent with Netscape Communicator 4.04 on S.u.S.E.Linux 5.2

--
To get out of this list, please send email to majordomo@suse.com with this text in its body: unsubscribe suse-linux-e
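The dual-homed SOCKS5 bastion Lu describes, with SuSE's built-in ipfwadm packet filter (type 1) underneath it, as an added example that is not from either post. Interface names, addresses and the SOCKS port are assumptions; `apply_rules echo` prints the rules without touching the kernel.

```shell
#!/bin/sh
# Added example, not from the original post: ipfwadm (the built-in, type 1
# filter) underneath a dual-homed SOCKS5 bastion that does NOT route between
# its two cards. Interface names, addresses and the port are assumptions.
set -eu

EXT_IF=eth0; EXT_IP=203.0.113.10     # card on the leased line (assumed)
INT_IF=eth1; INT_IP=192.168.1.1      # card on the office LAN (assumed)
INT_NET=192.168.1.0/24
SOCKS_PORT=1080
ANY=0.0.0.0/0

# apply_rules CMD  -- feeds every rule to CMD; pass "echo" for a dry run.
apply_rules() {
    fw=$1
    # Flush input, output and forwarding chains and fail closed on all three.
    for chain in -I -O -F; do
        $fw $chain -f
        $fw $chain -p deny
    done
    # No accept rules are added to -F: packets are never forwarded, office
    # clients reach the outside only through the SOCKS daemon.

    # Anti-spoofing: office addresses must not arrive on the outside card (log).
    $fw -I -a deny -o -W "$EXT_IF" -S "$INT_NET" -D "$ANY"

    # Office clients -> SOCKS port on the inside card, and the replies back.
    $fw -I -a accept -W "$INT_IF" -P tcp -S "$INT_NET" -D "$INT_IP" "$SOCKS_PORT"
    $fw -O -a accept -W "$INT_IF" -P tcp -S "$INT_IP" "$SOCKS_PORT" -D "$INT_NET"

    # The proxy's own TCP connections out, and only ACK-bearing replies back in
    # (-k); a SYN without ACK from outside falls through to the deny policy.
    $fw -O -a accept -W "$EXT_IF" -P tcp -S "$EXT_IP" -D "$ANY"
    $fw -I -a accept -W "$EXT_IF" -P tcp -k -S "$ANY" -D "$EXT_IP"

    # DNS for the bastion itself.
    $fw -O -a accept -W "$EXT_IF" -P udp -S "$EXT_IP" -D "$ANY" 53
    $fw -I -a accept -W "$EXT_IF" -P udp -S "$ANY" 53 -D "$EXT_IP"
}

# rule_count  -- number of ipfwadm invocations the script would make.
rule_count() { apply_rules echo | wc -l | tr -d ' '; }

if [ "${1:-}" = "apply" ]; then
    apply_rules ipfwadm      # needs root and a 2.0-era kernel with ipfwadm
else
    apply_rules echo         # default: dry run, just print the rules
fi
```

Run it with no arguments to review the rule set; `sh script.sh apply` loads it for real.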