Networking Forums

Any "Setting up a tri-homed firewall in 24 hours for Dummies" guides around? (longish)

Trust No One®
09-27-2003, 09:44 AM

Morning all....

Feel somewhat lazy today and plan to stay home the entire day.

Instead of doing an "Andy Capp" on the sofa, I'd like to work on setting up my
dream home network.

Currently I have broadband with Zen Internet with a /29 netblock (5 usable
addresses). I use a 4 port EN5861 router with its built-in firewall and NAT
enabled. My PCs (12) are connected to a 24 port managed switch which is
connected with a cross-over cable to one of the ports on the EN5861. I have
a smaller 8 port unmanaged switch which is lying spare.

Now this setup works fine, but is rather wasteful of the /29 netblock as it
doesn't utilize any of the 5 additional IPs.

Now I'd like to end up with a dream setting looking like the bottom diagram
at:

http://www.zensupport.co.uk/ADSL/eth...URL=samplenets

which revolves around a tri-homed firewall with 1 NIC connected to the 5861,
1 connected to the spare switch hosting the DMZ (containing a web server,
ftp server etc) and the final NIC connected to the managed switch hosting my
"protected" home network PCs.

To do this I know I need to switch off the NAT and firewall on my 5861 and
configure the tri-homed firewall PC appropriately.

Now I have all the necessary equipment, but what I don't have is the
knowledge to pull this all together. I am a fast learner though, and
ideally I'd like to have a reasonably secure setup in and working by end of
play today. Time permitting, I'd like to set up a VPN solution as well.

Firstly is the home network design I'm looking at sound? Is my goal of
having a reasonably secure setup by end of play workable?

Secondly does anyone know of any guides around that are capable of
kick-starting me on my way? I have the choice of using either Linux, Solaris
or a 365 day evaluation of Windows 2003 server I have knocking around. What
solution would you gurus recommend?

Tia

--
Peter <X-Files Fan>
Please Note: Emailed replies cc'd / bcc'd , containing HTML or attachments
auto-binned as spam

Ian Northeast
09-27-2003, 11:11 AM

"Trust No One®" wrote:

> Now I'd like to end up with a dream setting looking like the bottom diagram
> at:
>
> http://www.zensupport.co.uk/ADSL/eth...URL=samplenets
>
> which revolves around a tri-homed firewall with 1 NIC connected to the 5861,
> 1 connected to the spare switch hosting the DMZ (containing a web server,
> ftp server etc) and the final NIC connected to the managed switch hosting my
> "protected" home network PCs.
>
> To do this I know I need to switch off the NAT and firewall on my 5861 and
> configure the tri-homed firewall PC appropriately.
>
> Now I have all the necessary equipment, but what I don't have is the
> knowledge to pull this all together. I am a fast learner though, and
> ideally I'd like to have a reasonably secure setup in and working by end of
> play today. Time permitting, I'd like to set up a VPN solution as well.
>
> Firstly is the home network design I'm looking at sound? Is my goal of
> having a reasonably secure setup by end of play workable?


It certainly looks sound. Pretty ambitious to get it done in a day, I
would say.

> Secondly does anyone know of any guides around that are capable of
> kick-starting me on my way? I have the choice of using either Linux, Solaris
> or a 365 day evaluation of Windows 2003 server I have knocking around. What
> solution would you gurus recommend?


Out of those, use Linux; it has by far the best firewall incorporated.
You could read the various HOWTOs at http://www.tldp.org/, especially
the masquerading and firewall ones (although the latter is looking a bit
dated), but that would be unlikely to get you running in a day.

Have a look at http://www.ipcop.org/cgi-bin/twiki/view/IPCop/WebHome and
http://www.smoothwall.org/. These are probably the easiest ways to
achieve what you want. Whichever you choose, use one with a 2.4 kernel,
as the iptables firewall is much better than the ipchains one in 2.2. It
is stateful, which means it can recognise response packets without having
to guess. This suggests that IPCop may be a better choice, as its latest
stable release uses 2.4 whereas Smoothwall's doesn't. I've also been
seeing more favourable comments about it recently.

Regards, Ian
 
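As an added illustration of the three-legged layout Ian is recommending (this is not code from the thread, nor from IPCop or Smoothwall): a stateful iptables ruleset for a 2.4 kernel with eth0 facing the EN5861, eth1 the spare switch holding the DMZ and eth2 the managed switch holding the protected PCs. The interface names, the 10.0.x.x private ranges and the 192.0.2.x stand-ins for the /29 public addresses are all assumptions, as is the choice to map the spare public addresses 1:1 onto the DMZ hosts with DNAT rather than routing them.

```shell
#!/bin/sh
# Tri-homed stateful iptables firewall for a Linux 2.4 box (added example,
# not from the thread, IPCop or Smoothwall). Assumed layout:
#   eth0 = WAN, to the EN5861 with its NAT and firewall switched off
#   eth1 = DMZ, the spare 8-port switch (web and FTP servers)
#   eth2 = LAN, the managed switch with the protected PCs
# Addresses are placeholders: 192.0.2.x stands in for the /29, 10.0.x.x
# for the private networks behind the firewall.
WAN_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
WAN_IP=192.0.2.2        # firewall's own public address from the /29
WEB_PUB=192.0.2.3       # spare /29 addresses, mapped 1:1 onto DMZ hosts
FTP_PUB=192.0.2.4
WEB_DMZ=10.0.2.10
FTP_DMZ=10.0.2.11
DMZ_NET=10.0.2.0/24
LAN_NET=10.0.1.0/24

# With DRY_RUN set, print each command instead of executing it.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

apply_firewall() {
    # FTP data connections only count as RELATED if the helper is loaded.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    # The firewall must answer ARP for the spare public addresses.
    run ip addr add $WEB_PUB/29 dev $WAN_IF
    run ip addr add $FTP_PUB/29 dev $WAN_IF

    run iptables -F
    run iptables -X
    run iptables -t nat -F
    # Default deny in and through; the firewall itself may talk out.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    for chain in INPUT FORWARD; do
        # Anti-spoofing first: our private ranges never arrive on the WAN leg.
        run iptables -A $chain -i $WAN_IF -s $LAN_NET -j DROP
        run iptables -A $chain -i $WAN_IF -s $DMZ_NET -j DROP
        # Stateful core: replies and related packets pass, junk is dropped.
        run iptables -A $chain -m state --state INVALID -j DROP
        run iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    run iptables -A INPUT -i lo -j ACCEPT
    # Admin access to the firewall box only from the LAN leg.
    run iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # LAN -> anywhere (Internet and DMZ), masqueraded behind the firewall's own address.
    run iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
    run iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP

    # Internet -> DMZ: only the published services, via 1:1 DNAT.
    run iptables -t nat -A PREROUTING -i $WAN_IF -d $WEB_PUB -j DNAT --to-destination $WEB_DMZ
    run iptables -t nat -A PREROUTING -i $WAN_IF -d $FTP_PUB -j DNAT --to-destination $FTP_DMZ
    run iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB_DMZ -p tcp -m multiport --dports 80,443 -j ACCEPT
    run iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $FTP_DMZ -p tcp --dport 21 -j ACCEPT
    # Traffic from those hosts leaves under their own public address (first match wins).
    run iptables -t nat -A POSTROUTING -o $WAN_IF -s $WEB_DMZ -j SNAT --to-source $WEB_PUB
    run iptables -t nat -A POSTROUTING -o $WAN_IF -s $FTP_DMZ -j SNAT --to-source $FTP_PUB

    # DMZ -> LAN: never. Log new attempts so a compromised server shows up.
    run iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -m state --state NEW -j LOG --log-prefix "DMZ->LAN: "
    run iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
    # DMZ -> Internet: DNS and HTTP(S) for updates only.
    run iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
    run iptables -t nat -A POSTROUTING -o $WAN_IF -s $DMZ_NET -j SNAT --to-source $WAN_IP
}

case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) DRY_RUN=1 apply_firewall ;;
esac
```

Run it as `sh firewall.sh dry-run` to read the rules before touching anything, then `apply` as root. The ordering is where the security lives: the anti-spoofing drops sit before the ESTABLISHED,RELATED accept, so a forged packet cannot ride an existing connection entry, and the DMZ-to-LAN direction is explicitly logged and dropped so a compromised web or FTP server shows up in the logs rather than quietly reaching the protected PCs. As Peter noted, the EN5861's own NAT and firewall have to be off, or the public addresses never reach eth0 in the first place.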
Trust No One®
09-27-2003, 06:56 PM

Ian Northeast wrote:
>
> Out of those, use Linux; it has by far the best firewall incorporated.
> You could read the various HOWTOs at http://www.tldp.org/, especially
> the masquerading and firewall ones (although the latter is looking a
> bit dated), but that would be unlikely to get you running in a day.
>
> Have a look at http://www.ipcop.org/cgi-bin/twiki/view/IPCop/WebHome
> and http://www.smoothwall.org/. These are probably the easiest ways to
> achieve what you want. Whichever you choose, use one with a 2.4 kernel,
> as the iptables firewall is much better than the ipchains one in 2.2.
> It is stateful, which means it can recognise response packets without
> having to guess. This suggests that IPCop may be a better choice, as its
> latest stable release uses 2.4 whereas Smoothwall's doesn't. I've also
> been seeing more favourable comments about it recently.
>

Ian,

Thanks for the reply including the links. IPCop seems like exactly what I'm
looking for with a relatively simple initial setup, and the ability to
customize it to be as complex as one wishes.

I've revised my rather optimistic target of end of play today, and hope to
have this all up and working by the end of play Monday. Better safe than
sorry - I'd hate to leave a gaping security hole in my system due to
hastiness.

There's still life in P233MMX base units yet! You can get them for a song,
and they make superb firewalls/routers.


--
Peter <X-Files Fan>
Please Note: Emailed replies cc'd / bcc'd , containing HTML or attachments
auto-binned as spam