Firewalls-Make Your own.

Hi All,

I see a lot of posts here on commercial firewalls. I dunno from where all have the money to spend on the expensive commercial products. Especially, I am refering atleast for the personal use, yep for corporates this is a totally different perspective.

Guys, why cant people use the great Linux, BSD (lets not talk flavours here) to build our own for the home network atleast. Next time, we think of buying the new mahcine, why cant people think of using the old one to handle the perimeter defense. And that too when it can do great, secure stuff.

I am not against the cisco or anyother commerical stuff, but I am with the 'value for money' concept here.

Hi firewall.cx team, I think its time that we need to have a document here on 'how to build a secure firewall' kinda article here. Dont you think so?

Since the time I encountered this site, I was going through all those neat articles and tutorials here. Its need less to say, there was a lot of effort behind that, and lot of great work here.

Lets brainstorm on that, if you all saya big 'YES'.

Regards
Cheetah.

I had actually tried to initiate something similar a long time ago. My suggestion was that everyone trade firewall tricks and iptables / ipchains rules so that everyone could learn something from everyone else. Unfortunately it never really took off.

I think why you see a lot of commercial firewall posts here is because a large number of .cx visitors are enterprise network admins who are just looking for a quick opinion. Most of them couldn't be bothered with how the damn thing works especially if they can just plug in a black box and everything works (its also nice to show the people who paid for it). Firewall configuration is a time consuming art.. you have to work out what services you are providing both externally and to your users, and then you have to block everything else.... invariably some user will come to you to poke holes in the firewall... but thats just how these things work.

Anyway I'm not getting into IPtables here, but I'll drop some very basic cisco configuration in to (hopefully) get things started :

First, lets block anyone telneting to the router other than from our box (we'll say its 192.168.10.5). We'll also log all connections (success and failure). The last two lines show you how to apply the access list.

[code:1]
access-list 101 permit tcp host 192.168.10.5 any eq 23 log
access-list 101 deny ip any any log
line vty 0 4
access-class 101 in

[/code:1]

The next set of rules is very useful. It prevents any incoming packets that have a private IP as the source address. Those IPs can only come from your internal LAN and if they come in from the Internet, they are spoofed addresses :

[code:1]
access-list 102 deny ip <your internal network address> any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 0.0.0.0 0.255.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 permit ip any IP <internet network>
[/code:1]

Now lets block anyone from pinging us or using traceroute...
Apply this to the inbound interface

[code:1]
access-list 103 deny icmp any any echo log
access-list 103 deny icmp any any redirect log
access-list 103 deny icmp any any mask-request log
access-list 103 permit icmp any xx.yz.y.z 0.0.0.255
access-list 103 deny udp any any range 33400 34400 log
[/code:1]

and to allow us to ping out as well as traceroute out, this should be set for outbound traffic. (we also have to allow source quench and max MTU):
[code:1]
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any parameter problem
access-list 110 permit icmp any any source-quench
access-list 110 deny icmp any any log
[/code:1]

There all you people studying for your CCNA, go through those rules.. those are the sort of access-lists you'll see in the real world. They're really easy to understand and they act as a first line of defence in your border security. If you're wondering why we're doing so much logging (on every deny) thats just the way I think it should be done.. its pointless to log it if you don't look at the logs.

Perhaps we can get an article on this up when time permits.

I believe that Cheetah's suggestion is one that we have tried to implement a while ago, just like Sahir explained.

After years of hard work we have managed to create a wonderful community of people that are keen on learning new exciting concepts and network technologies, while sharing their knowledge by helping others.

The team here at Firewall.cx exist to help guide the effort and expand upon it as much as possible but its success relies on our visitors and members.

As far as Firewalls concern, Linux/Unix oriented solutions are simply great and cost nothing but your time. We will be covering technologies such as IPTables very soon and at the same time create new opportunities for members that are willing to help in the process by writing their own tutorials and making them available through Firewall.cx!

Be sure Cheetah that we are looking seriously into suggestions likes yours, simply because we are open to whatever will help our community benefit.

Thank you for posting your thoughts!

I have to say however, that very few people really seem to take the time to contribute which is sad, considering there is such a wealth of information available here absolutely free, and answers for pretty much anything under the sun.. it would really be nice if more members started using the forum to share ideas and suggestions rather than making it a purely question / answer based setup.

We've been brainstorming on how to make the site content more dynamic.. and there are a couple of new articles that will be up very shortly, perhaps we'll work out some changes on how we can get the members more involved with the site.. if you notice, the sites that really prosper and give you the best information have a very vocal and committed user base (like slashdot). It would be really nice to see that community spirit build up here.

After all, everyone benefits from such cooperation.

Cheers all,

Hi

Thanks for a lot of encouraging and positive posts. Its been good, since I found this site. Let me be very honest, I have also learned a lot from this site. (for example the reverse trojans.)

Little busy these days, travelling. Let me be back to my base location, and I am gonna start one docu, with whatever little knowledge I have been setting up Linux Firewalls and VPNs for some years.

You chief guys can edit/enhance/security check (Sahirh did you hear it?) for sharing it to the community.

I have only woked with Linux Firewalls/VPNs, no idea on these comercial Cisco/Checkpoint stuff, except that I know, I can use it as a router :lol: I will prefer a Linux router instead.

If someone still needs comercial, I recommend sometimes Netmax. That has a neat web front end.


Regards
Cheetah

Ai, will be nice to read a paper submitted by a member ! That might even kickstart a section where members can post material or something similar.. would that be interesting ?

I'm a little wary about web interfaces to firewalls (or for that matter to anything). The fact remains that webservers are fragile things.. look at how often the production level IIS and Apache webservers and you can well imagine what some minimalistic webserver has to deal with.

Even if you encrypt traffic to and from the web interface, the fact remains that HTTP is a protocol with a very high amount of user interaction.. that leaves tremendous scope for exploitation.

For example, the Cisco IOS webserver interface was vulnerable to such a trivial bug, to bypass the password protection, you just changed your access level in the URL and it would let you in, no questions asked.

Call me an old schooler, but I feel the only way to configure something as critical as network infrastructure is via a direct console connection, where you can see the physical cable going into the back of the device.