Linux Desktop Hacks [Electronic resources] - text version

Jono Bacon, Nicholas Petreley

Hack 81. Build a Custom Firewall Computer

Turn an old, underpowered computer into a lean,
mean, firewall machine.

As more and more computers are getting plugged into the Internet, the
risk factor associated with an online presence has also risen. The
increase in hours online combined with the propagation of always-on
broadband and high-speed cable/DSL Internet access has resulted in
the need to secure even simple, one-computer home networks. As a
result, the humble firewall has become a must-have item as opposed to
a could-have item in a network.

The basic aim of a firewall is to
keep unwanted people off of your network. The virtual wall of fire is
essential in keeping out crackers who want to invade your security,
as well as blocking the growing armies of worms, viruses, and other
Internet nasties that crawl the Web looking for computers to exploit.
The situation is very bad; an unprotected Windows machine can become
infected in as little as four minutes after it is put on the
Internet. If you are considering a firewall but are uncertain you
want to put the effort into it, ask a friend who has one for a list
of attempted intrusions on his network. You will probably be
surprised by the frequency of attacks. My own firewall logged more
than 100 attempted intrusions in the first few hours after I put it
up.

Both software and hardware firewalls are available. Software
firewalls are installed on each desktop on the network, and they
protect that single machine. The hardware approach is to use a
dedicated machine to protect the entire network from malicious
traffic. This hack explores a dedicated firewall Linux distribution
called SmoothWall, which you can install on an aging computer to
provide a dedicated firewall appliance to protect your entire
network. After the initial setup, you will find your SmoothWall box
to be invaluable.


9.13.1. Gather the Ingredients


To create a SmoothWall firewall appliance, you need a computer to use.
Anything from a 486 with 16MB of RAM on up is fine, but if you want
to keep several days' worth of log files, I
recommend you use at least a 4GB disk. You also need at least two
Linux-supported network cards in the computer. Here is how you will
use your network cards:

If you have a cable/DSL modem that plugs into a network card, you
need a card for this. This card is referred to as the RED interface.

You need a network card to connect to the internal network. If you
have more than one computer on your internal network, this interface
is usually plugged into a hub, switch, or wireless access point. This
card is referred to as the GREEN interface.

If you have any computers that need to be accessed publicly, you need
another network card for these. This card is referred to as the
ORANGE interface and also is known as the
snazzily titled De-Militarized Zone (DMZ),
because it exists in a sort of no man's land between
the public Internet and your private network.


You should install the cards you need in the computer, download the
SmoothWall ISO from http://www.smoothwall.org, and then burn the
ISO to CD.

The next step is to boot from the CD and install the SmoothWall
software. If you cannot boot from the CD, try using the Smart Boot
Manager discussed in [Hack #1]. If
this does not work, you can create a series of boot floppies from the
files found in the images directory on the
SmoothWall CD. There you'll find two boot floppy
images called bootdiskone-x.x.img and
bootdisktwo-x.x.img. Use dd
to create the floppies (unmounting and changing the floppy between
images, of course):

foo@bar:~$ dd if=bootdiskone-x.x.img of=/dev/fd0 bs=1024 conv=sync ; sync
foo@bar:~$ dd if=bootdisktwo-x.x.img of=/dev/fd0 bs=1024 conv=sync ; sync

If you need to create the floppies on a Windows system, you can use
the rawrite program (http://uranus.it.swin.edu.au/~jn/linux/rawwrite)
to create the disks.

Installing SmoothWall is a fairly simple process, but you need to
know how you want your network to be set up in terms of IP addresses.
Within the setup routine are a Networking section and an Addresses
subsection. You set the IP addresses for each interface here. For
example, a common setting for the GREEN interface is the IP address
192.168.0.1 and the network mask 255.255.255.0. The RED interface is
typically set to DHCP to grab your Internet IP address from the cable
modem, but you should check with your ISP to see how the cable modem
gets its IP address. The other setting to configure is in the
"DNS and Gateway settings" section.
Set this to 192.168.0.1. Now you have your firewall set up as your
Internet gateway that other machines can refer to when requiring
Internet access.


9.13.2. Configure the Firewall


Once the SmoothWall firewall is installed, you can access it in two
main ways. The most common and popular way
is to access its special web-based interface, which is available on
port 81. So, if your firewall's IP address is
192.168.0.1, you can access the web interface at http://192.168.0.1:81.
SmoothWall's default configuration does not allow
access from outside your internal network, so you cannot make changes
to it from work or while traveling.

When you access the web interface, you are asked for the
administrator password for the machine (which you created when you
installed SmoothWall) and then you can configure it. Within the web
panel is a huge range of options and features that you can configure.
These options are grouped into categories which are visible at the
top of the page.

If you need to do something that is not accessible in the web
interface, you can use the included Java SSH applet to log in to the
machine and type in commands to an SSH shell.


9.13.3. Enable Port Forwarding


A common requirement when running a network of machines is the need
to have a connection from outside
the firewall serviced by a machine inside the firewall (usually in
the DMZ). This is the scenario for those who run a web or email
server and need to have the relevant ports accessible to the outside
world. When a computer connects to your IP address/domain, the first
computer that receives the connection is the firewall. Because it is
unlikely you are running a web or email server on the firewall itself
(if you are, you really shouldn't be, because bugs in
these programs can compromise the security of the firewall), you need
a method to get that request to the computer that can handle it. This
is where port forwarding comes in. Its purpose is to take the request
for a service and forward it to the specific machine on the network
that can service the request.

To do this with SmoothWall, access the web interface and select
Networking → Port Forwarding. You can leave the external
source IP box blank if you want to accept all connection requests for
the port in question (this is commonly the case for a public service
such as web serving). In the Source Port box, specify the port you
want to forward (such as port 80 for a web server). Finally, you can
enter the destination computer IP address and its port number in the
other two boxes. This is quite useful if you want to forward a normal
port 80 connection to a machine with a different port number, such as
port 8080, a common request with Apache virtual hosts. Once you have
forwarded your ports, you need to select the External Services Access
page and add the ports you have forwarded to that page. This enables
access to the ports from outside the network.
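The Port Forwarding entry and the matching External Services Access entry described above correspond to two kinds of netfilter rules on a firewall such as SmoothWall: a destination rewrite (DNAT) for packets arriving on the RED interface, and a FORWARD rule that lets only those rewritten packets cross into the DMZ. The script below is an added example written for this page, not SmoothWall's own rule scripts and not code from the book. It validates the port and address values the way the web form would, then prints the generic iptables commands for one forwarding entry, with the same "blank source IP means any source" behaviour. The interface names eth0 (RED) and eth2 (ORANGE), the DMZ host 192.168.1.10 and the source address 203.0.113.5 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the book or from SmoothWall): the generic
# netfilter/iptables rules behind one "Port Forwarding" entry plus its
# "External Services Access" entry. Interface names and the DMZ host
# below are assumed placeholders, not values the book gives.

RED_IF="${RED_IF:-eth0}"        # assumed name of the RED (Internet) interface
ORANGE_IF="${ORANGE_IF:-eth2}"  # assumed name of the ORANGE (DMZ) interface

# A port must be an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# A host must be a dotted quad with each octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# port_forward_rules EXT_PORT DMZ_HOST DMZ_PORT [SRC_IP]
# Prints the iptables commands for "forward TCP EXT_PORT arriving on RED
# to DMZ_HOST:DMZ_PORT". An empty SRC_IP means "accept from any source",
# which is what leaving the external source IP box blank does; a given
# SRC_IP limits the forward to that one address. Returns 1 and prints
# nothing when a value is malformed.
port_forward_rules() {
    ext_port="$1"; dmz_host="$2"; dmz_port="$3"; src_ip="${4:-}"
    valid_port "$ext_port" && valid_port "$dmz_port" && valid_ipv4 "$dmz_host" || return 1
    src=""
    if [ -n "$src_ip" ]; then
        valid_ipv4 "$src_ip" || return 1
        src="-s $src_ip "
    fi
    # 1. Port Forwarding: rewrite the destination (DNAT) of matching
    #    packets as they enter on RED, before any routing decision.
    printf 'iptables -t nat -A PREROUTING -i %s %s-p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$RED_IF" "$src" "$ext_port" "$dmz_host" "$dmz_port"
    # 2. External Services Access: let the rewritten packets cross from
    #    RED to ORANGE, but only new connections to exactly that host/port.
    printf 'iptables -A FORWARD -i %s -o %s %s-p tcp -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$RED_IF" "$ORANGE_IF" "$src" "$dmz_host" "$dmz_port"
    # 3. Replies for connections already accepted may travel back out.
    printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$ORANGE_IF" "$RED_IF"
}

# Usage: the book's own case, port 80 from anywhere to a DMZ web server
# listening on 8080 (192.168.1.10 is a constructed address).
port_forward_rules 80 192.168.1.10 8080
```

Note that nothing here opens a port on the firewall's own INPUT chain: the service is reached only on the DMZ host, which is exactly the point the text makes about not running web or email servers on the firewall itself. The rules are printed rather than applied so you can review them before loading them on a real box.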

SmoothWall has proven to be an incredibly capable and flexible
firewall. Because of this, a lot of organizations and homes use it to
protect their networks. Although the GPL version of the firewall is
very capable, the commercial version and its included support can be
really useful for commercial organizations. Both versions give you
the flexibility of a powerful and supported firewall that can protect
a network of Linux, Windows, or Mac OS X machines.

