Bits & Pieces for Linux firewall?

AirWolf

Hi all:)

At work I have the following bits and pieces from 2 old machines:
Machine 1:
20Gb HDD

Machine 2:
512MB Ram
3GHz Intel Pentium4
MotherBoard
PSU
DVD ROM
CD Writer

Putting the bits together I can make one complete machine. I was wondering if perhaps I could use this for a linux firewall (ie. smoothwall etc) on the network?

Our current configuration on our network is:
2 machines connected by cable to ADSL router.
1 Wireless APN connected by cable to ADSL router.
6 machines connected to Wireless APN.

We do not host our own website / mail server, but is there any way to send internal emails via the network, instead of uploading and downloading via the internet?

Thanks:).
 
Firstly, that machine should be enough to handle the tasks you describe, provided you aren't looking at expanding to anything hectic. The speed of the hard drive may be a deciding factor about how responsive the server is to multiple users utilising multiple services.

With regards to internal mail, you should look at something like Postfix. Sendmail is an alternative (although, to be honest, if you're asking about this, you should rather go for Postfix: Sendmail has caused me many grey hairs)
 
Hi Saule

This is perfect for a Smoothwall or IpCop or even pfSense firewall. With the 20 gig, you can also implement the web caching service Squid, which can help reduce bandwidth consumption on frequently used websites.

To send and receive internal mail without going through your internet connection, you need a mail server and a way to administer the users who will be needing it. Unfortunately I'm not clued up in this area, my main expertise is in MS Exchange.

Maybe try looking at ClarkConnect, which is an all in one server that also serves as a firewall.

Hope this helps
 
eugh. Smoothwall.

Build it yourself:

Hardened Gentoo + iptables.

As for mail, use postfix (sendmail is outdated and crappy), and possibly fetchmail to have the server automatically collect all external mail as well.
 
Thanks to everyone for all the suggestions - much appreciated:).

> Hi Saule
>
> This is perfect for a Smoothwall or IpCop or even pfSense firewall. With the 20 gig, you can also implement the web caching service Squid, which can help reduce bandwidth consumption on frequently used websites.
>
> To send and receive internal mail without going through your internet connection, you need a mail server and a way to administer the users who will be needing it. Unfortunately I'm not clued up in this area, my main expertise is in MS Exchange.
>
> Maybe try looking at ClarkConnect, which is an all in one server that also serves as a firewall.
>
> Hope this helps


I'm planning on installing Hardy on this machine first.

For the new network configuration I would need this server to be connected directly to the ADSL router and then broadcast the internet signal from this machine via the wireless APN to all other network machines?

Or

Connect the 2 wired machines, the wireless APN and this server to the ADSL router?

Pardon my noob questions as I never set up a "server" before:o. Also all the other machines except one are running XP. The last one is running 98 (old lap with 6GB Harddrive:p).

Thanks:).
 
Put the machine together and installed Hardy. The hard drive is 10 Gb and not 20 Gb as I initially thought.

Will look in Smoothwall tomorrow. I hope it is not too difficult to configure :o. Tips in this regard would be great :D.
 
pfSense is worth a look too!

I used to swear by IPCop / Smoothwall until I discovered the joys of pfSense...

Don't hate me Libs! ;)
 
Hi all:)

I got Smoothwall today. After reading installation instructions, I see that it cleans out the hard drive - so that Hardy install was a waste of time:o.

I have to get a second network card on Monday before I can proceed further.

A couple of questions:
So will I still be able to install postfix on the machine?
With one network port on this machine connected directly via cable to the ADSL router (Red) and the wireless APN connected on the other network port (Green) there won't be any problem broadcasting wirelessly via the APN to the other pcs that will be protected by Smoothwall?
Can Smoothwall log internet activity per user?
Can Smoothwall block specific sites / unsavoury sites?
Will the one pc that is going to be outside Smoothwall still be accessible from the protected pcs for file sharing and vice versa?

Thank you to everyone for all the helpful comments. Much appreciated:).
 
> Machine 1:
> 20Gb HDD
>
> Machine 2:
> 512MB Ram
> 3GHz Intel Pentium4
> MotherBoard
> PSU
> DVD ROM
> CD Writer
>
> Putting the bits together I can make one complete machine. I was wondering if perhaps I could use this for a linux firewall (ie. smoothwall etc) on the network?

Yes, comfortably.

> We do not host our own website / mail server, but is there any way to send internal emails via the network, instead of uploading and downloading via the internet?

Yes, you can. If you still want to host your mail off-site, and just route mail within the domain internally, then it gets a bit more complex, especially if you have people who work outside the office too.

> Firstly, that machine should be enough to handle the tasks you describe, provided you aren't looking at expanding to anything hectic. The speed of the hard drive may be a deciding factor about how responsive the server is to multiple users utilising multiple services.

Did you read the part about how many machines he's running? You can service that network with a PII-300 with 128mb RAM and a 5400rpm disc. I had boxes like that with 50 users behind them.

> As for mail, use postfix (sendmail is outdated and crappy), and possibly fetchmail to have the server automatically collect all external mail as well.

I agree with you on Postfix, but be fair. A heck of a lot of work has gone into Sendmail and the current version performs pretty well. And it's still the most configurable mailer out there.

Just stay away from qmail, please. The internet is a bad enough place without it.

> I got Smoothwall today
> ....
> A couple of questions:
> So will I still be able to install postfix on the machine?

No. Well, yes, if you know what you're doing. But if you have to ask, probably not.

> With one network port on this machine connected directly via cable to the ADSL router (Red) and the wireless APN connected on the other network port (Green) there won't be any problem broadcasting wirelessly via the APN to the other pcs that will be protected by Smoothwall?

I can't remember how smoothwall does it, but it's likely to be similar to IP-COP (based on the same code). You really need two network cards when you install. It will set up the one interface as RED and one as GREEN. Green should get an IP address like 192.168.1.1 or 10.0.0.1 - this is your internal interface. Assuming your modem is set to dumb mode (i.e. the firewall will do the dialling), RED should be set to PPPOE.

As for the rest of the network, plug the GREEN interface into a switch, and hang everything off that.

> Can Smoothwall log internet activity per user?
> Can Smoothwall block specific sites / unsavoury sites?

Again, YMMV with Smoothwall. For IPCOP there is a host of plugins over at http://www.ipcopaddons.org/ that can do those kind of things.

> Will the one pc that is going to be outside Smoothwall still be accessible from the protected pcs for file sharing and vice versa?

From outside the network? No. Unless you use the openvpn plugin :)
 
I got the second network card yesterday, but didn't have a chance to work on it until today.

On the web page control panel it only sees the red interface as connected when I use a static IP address, but Smoothwall is unable to connect to the internet:confused:.

I didn't want to disrupt the entire network so I've got Smoothwall connected directly to the ADSL router and one workstation. The workstation receives an IP address in the relevant range. The ADSL router assigns IPs via DHCP mode. When I use DHCP for the red interface, it doesn't receive an IP at all unlike any pc that is plugged in the ADSL router and receives an IP/DNS automatically.

Any tips on this?
 
The "connected" only means it has an IP address for the RED interface. This is where it becomes tricky. How you set up the RED interface depends on how your router is set up.

Do you have the router set up as a dumb modem, i.e. the router doesn't handle the connection?

Or does the router handle the dialling?
 
> The "connected" only means it has an IP address for the RED interface. This is where it becomes tricky. How you set up the RED interface depends on how your router is set up.
>
> Do you have the router set up as a dumb modem, i.e. the router doesn't handle the connection?
>
> Or does the router handle the dialling?


The router handles the dialling - once the ADSL light is on the ADSL works on any pc.
 
OK, so what is the router's address? Let's suppose it's 192.168.1.1, you have to set up your RED interface with an IP of 192.168.1.2/255.255.255.0 and set the gateway to 192.168.1.1.

Then set the GREEN interface to be on some other network, say 10.0.0.1/255.255.255.0
 
This, of course, gives you a double-NAT, which some applications don't like. Early SIP software comes to mind, although I haven't followed that particular industry.
 
OK, well, you'll have to change either the router or the network. They won't be on the same network any more.
 
> Hi all:)
>
> I got Smoothwall today. After reading installation instructions, I see that it cleans out the hard drive - so that Hardy install was a waste of time:o.
>
> I have to get a second network card on Monday before I can proceed further.
>
> A couple of questions:
> So will I still be able to install postfix on the machine?
> With one network port on this machine connected directly via cable to the ADSL router (Red) and the wireless APN connected on the other network port (Green) there won't be any problem broadcasting wirelessly via the APN to the other pcs that will be protected by Smoothwall?
> Can Smoothwall log internet activity per user?
> Can Smoothwall block specific sites / unsavoury sites?
> Will the one pc that is going to be outside Smoothwall still be accessible from the protected pcs for file sharing and vice versa?
>
> Thank you to everyone for all the helpful comments. Much appreciated:).

Postfix - recommend that you look at SME server (www.contribs.org) or ClarkConnect if you want to have a multipurpose firewall.

It is suggested (and strongly recommended) to put your wireless AP on a different segment of the network (for example purple or orange).

Yes, Smoothie can log internet activity per user.

With Dansguardian (www.dansguardian.org) it is possible to filter web pages deemed not suitable (pr0n, hate speech and the such). You can also block the downloads of certain attachments as well.

Should you want to access the specific PC which is outside the Smoothwall, you can do so, but bear in mind that it will be a security risk should said PC be allowed access to your protected network. Suggestion is to use VPN instead, and harden said PC against external attacks.
 
My Smoothwall experience has been a bit of a stuff up so far:o.

Firstly I had both network cards on Smoothwall on the same network. I had the Smoothwall connected to the ADSL router and the pc closest to the ADSL router and I was working on the web page CP (red and green connected). Something went wrong while changing some IPs and couldn't log back into Smoothwall from that machine even after reinstalling Smoothwall and disabling all firewalls/AV software on the machine I was using for the web page CP. It was however receiving an IP in the correct range from the Smoothwall DHCP server. When I connected Smoothwall to another machine (only green connected) I was able to access the web page CP again.

The IPs that I was originally using were:
  • ADSL router - 10.0.0.2; 255.0.0.0
  • Red interface - 10.0.0.100; 255.0.0.0
  • Gateway - 10.0.0.2
  • Dns server - 10.0.0.2
  • Green interface - 10.0.0.101; 255.0.0.0
  • Other pcs to be assigned from 102 to 200.

[Any pc connected directly to router or on wireless network received gateway and primary DNS 10.0.0.2 before Smoothwall install]

At that stage I hadn't brought the wireless APN into the picture.

On the Smoothwall itself it was unable to connect to get update list and to register.

After following Koffiejunkie's advice I changed the IPs so that there were now 2 network ranges, as follows:
  • ADSL router - 10.0.0.2; 255.0.0.0
  • Red Interface - 10.0.0.50; 255.0.0.0
  • Gateway - 10.0.0.2
  • DNS server - 10.0.0.2
  • Green interface - 192.168.0.1; 255.255.255.0
  • Wireless APN - 192.168.0.2; 255.255.255.0
  • Other pcs to be assigned from 3 to 255

The pc closest to the ADSL router still wasn't allowing me access to the web page CP and smoothwall was still unable to connect/register with red and green plugged in.

I just took the plunge and hooked Smoothwall up to the wireless APN while connected to the ADSL router. The machines on wireless were able to access the internet (even though the Smoothwall machine itself was still giving the unable to connect message) and I did the update of Smoothwall from one of the machines on wireless.

That's where I hit more problems. After the reboot of Smoothwall after the update none of the wireless machines could access the internet anymore. In the web page CP I noticed that the red interface wasn't receiving a MAC address.

I needed to get the wireless network up again, so I had to take Smoothwall out again. Now when I tried to access the wireless APN's CP to change the IP address back to what it was previously, I could not get in either wirelessly or while connected via cable. So I had to reset that APN. Luckily I had a second APN with the correct settings already plugged in, so I didn't have to redo it on the first one.

So that is my Smoothwall experience gone wrong:(.

Edit:
Smoothwall will only be protecting the wireless network. So if I choose RED (ADSL) + GREEN (Local network) + PURPLE (Wireless network) when doing the initial config will it allow me not to have a NIC assigned to green as this machine only has two NICs?
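
An added example, not written by anyone in this thread: a small Python check run over the two addressing plans listed in the post above. It flags RED and GREEN sharing a network, a gateway that is not on RED, and a GREEN address pool that covers a reserved address. The function name `check_plan` and its problem codes are hypothetical, and the "other pcs" ranges are assumed to be DHCP pools on GREEN (10.0.0.102 to 10.0.0.200, and 192.168.0.3 to 192.168.0.255).

```python
import ipaddress

def check_plan(red, green, gateway, dhcp_first, dhcp_last):
    """Check a RED/GREEN addressing plan; return a list of (code, detail) problems."""
    red_if = ipaddress.ip_interface(red)      # accepts "address/netmask"
    green_if = ipaddress.ip_interface(green)
    gw = ipaddress.ip_address(gateway)
    problems = []

    # The firewall routes between RED and GREEN, so they must be different networks.
    if red_if.network.overlaps(green_if.network):
        problems.append(("overlap",
                         f"RED {red_if.network} and GREEN {green_if.network} overlap"))

    # The default gateway (the ADSL router) must be directly reachable on RED.
    if gw not in red_if.network or gw == red_if.ip:
        problems.append(("gateway",
                         f"{gw} is not a usable next hop on {red_if.network}"))

    # The pool handed out on GREEN must lie inside GREEN and skip the network
    # address, the broadcast address and GREEN's own interface address.
    net = green_if.network
    first = ipaddress.ip_address(dhcp_first)
    last = ipaddress.ip_address(dhcp_last)
    if first > last or first not in net or last not in net:
        problems.append(("dhcp-range", f"{first}-{last} is not a range inside {net}"))
    else:
        reserved = {net.network_address, net.broadcast_address, green_if.ip}
        bad = sorted(a for a in reserved if first <= a <= last)
        if bad:
            problems.append(("dhcp-reserved",
                             "pool includes " + ", ".join(str(a) for a in bad)))
    return problems

# The two plans from the post above; the pool bounds are the assumed reading
# of "other pcs to be assigned from ... to ...".
PLANS = {
    "original": dict(red="10.0.0.100/255.0.0.0", green="10.0.0.101/255.0.0.0",
                     gateway="10.0.0.2", dhcp_first="10.0.0.102", dhcp_last="10.0.0.200"),
    "revised": dict(red="10.0.0.50/255.0.0.0", green="192.168.0.1/255.255.255.0",
                    gateway="10.0.0.2", dhcp_first="192.168.0.3", dhcp_last="192.168.0.255"),
}

if __name__ == "__main__":
    for name, plan in PLANS.items():
        for code, detail in check_plan(**plan) or [("ok", "no problems found")]:
            print(f"{name}: {code}: {detail}")
```

In a 255.255.255.0 network the last host address is .254, so ending the revised pool at 192.168.0.254 clears the second finding.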
 