Networking Forums

Quick and dirty router/firewall to test something?

 
 
Paul Hutchings
      01-08-2004, 10:48 AM
After some suggestions on a quick and dirty firewall that can be put on a
box with 2 NICs to test a new leased line.

Both NICs will have public IP addresses but on different subnets, so no NAT
is required, just the ability to have nice simple PIX style "source-
destination-protocol" rules that allow traffic in and out.

Basically we're changing ISPs and the new line is in but I only have 1 PIX
so can't test stuff as well as I would like!

I'm thinking one of these linux firewall ISOs but they seem geared towards
using private IPs and port forwarding for incoming connections..

TIA,
Paul
--
paul <at> spamcop.net
 
Anthony Edwards
      01-08-2004, 11:03 AM
On 8 Jan 2004 11:48:34 GMT, Paul Hutchings <(E-Mail Removed)> wrote:
> After some suggestions on a quick and dirty firewall that can be put on a
> box with 2 NICs to test a new leased line.
>
> Both NICs will have public IP addresses but on different subnets, so no NAT
> is required, just the ability to have nice simple PIX style "source-
> destination-protocol" rules that allow traffic in and out.
>
> Basically we're changing ISPs and the new line is in but I only have 1 PIX
> so can't test stuff as well as I would like!
>
> I'm thinking one of these linux firewall ISOs but they seem geared towards
> using private IPs and port forwarding for incoming connections..


http://www.suse.co.uk
http://www.suse.co.uk/uk/private/pro.../security.html

SuSE Firewall 2 will do everything that you require, easily configurable
via the YaST2 ("Yet Another Setup Tool 2") graphical user administrative
interface.

--
Anthony Edwards
easynet Ltd - Manchester
http://www.uk.easynet.net
(E-Mail Removed)
 
Paul Hutchings
      01-08-2004, 12:45 PM
Anthony Edwards <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> http://www.suse.co.uk
> http://www.suse.co.uk/uk/private/pro.../security.html
>
> SuSE Firewall 2 will do everything that you require, easily configurable
> via the YaST2 ("Yet Another Setup Tool 2") graphical user administrative
> interface.


Now I've engaged my brain I have copies of RH8, RH9 and Fedora Core sat
here.. I don't know a fat lot about iptables but I do know where to
download webmin :-)

Any idea whether this would be an option?

It's just that Suse isn't freely downloadable.. for what I'm doing I don't
care about being able to set it up securely as it's purely for testing
connectivity so quick n dirty is fine until we do the move which is when
the pix will get rebuilt..

Paul
--
paul <at> spamcop.net
 
Anthony Edwards
      01-08-2004, 01:41 PM
On 8 Jan 2004 13:45:06 GMT, Paul Hutchings <(E-Mail Removed)> wrote:

> Now I've engaged my brain I have copies of RH8, RH9 and Fedora Core sat
> here.. I don't know a fat lot about iptables but I do know where to
> download webmin :-)
>
> Any idea whether this would be an option?


I am not personally familiar with Webmin, however that product does
appear to include a standard module designed to "Configure a Linux
firewall using iptables. Allows the editing of all tables, chains,
rules and options":

http://www.webmin.com/standard.html
http://www.webmin.com/download/modules/firewall.wbm

> It's just that Suse isn't freely downloadable.. for what I'm doing I don't
> care about being able to set it up securely as it's purely for testing
> connectivity so quick n dirty is fine until we do the move which is when
> the pix will get rebuilt..


SuSE ISOs are not available online, however an ftp install can be
carried out:

ftp://ftp.suse.com/pub/suse/i386/current/README.FTP
http://www.suse.co.uk/uk/private/dow...nux/index.html

Probably the quickest ftp install for a UK user is likely to be an
install from the UK Mirror Service:

ftp://ftp.mirror.ac.uk/sites/ftp.sus...suse/i386/9.0/

--
Anthony Edwards
easynet Ltd - Manchester
http://www.uk.easynet.net
(E-Mail Removed)
 
Greg Hennessy
      01-08-2004, 01:59 PM
On 8 Jan 2004 11:48:34 GMT, Paul Hutchings <(E-Mail Removed)> wrote:


>Both NICs will have public IP addresses but on different subnets, so no NAT
>is required, just the ability to have nice simple PIX style "source-
>destination-protocol" rules that allow traffic in and out.


That makes it easy then,

if you can hack a pix config, this is a no brainer

http://www.openbsd.org/faq/pf/index.html


Download and burn the boot ISO for 3.4 from here

ftp://ftp.plig.org/pub/OpenBSD/3.4/i386/cd34.iso


Takes about 20 mins to install it over a 512k internet connection, the
above site is one of the UK mirrors.

Make 3 changes to enable routing, packet filtering and firewall logging,
reboot, and you're ready to knock up a config in /etc/pf.conf.



greg



--
You do a lot less thundering in the pulpit against the Harlot
after she marches right down the aisle and kicks you in the nuts.
 
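A routed, no-NAT /etc/pf.conf of the kind the post above points to, as an added example that is not from the thread. The interface names, the addresses (documentation ranges) and the permitted services are assumptions; the rules use the explicit `flags S/SA keep state` form.

```conf
# /etc/pf.conf -- two-NIC routed filter, public addresses both sides, no NAT
# Added example: every name and address below is constructed.
ext_if   = "fxp0"              # NIC facing the new leased line
int_if   = "fxp1"              # NIC facing the hosts under test
int_net  = "198.51.100.0/24"   # public subnet behind int_if
mail_srv = "198.51.100.25"
web_srv  = "198.51.100.80"

# Default deny. Logging the drops makes a failed connectivity test
# visible straight away:  tcpdump -n -e -ttt -i pflog0
block log all

# Local traffic on the firewall itself.
pass quick on lo0 all

# Inbound from the new line: one source/destination/protocol rule per
# permitted flow, matched as the packet arrives on the outside NIC.
pass in on $ext_if inet proto tcp from any to $mail_srv port 25 \
    flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA keep state
pass in on $ext_if inet proto icmp from any to $int_net \
    icmp-type echoreq keep state

# Outbound from the hosts under test: matched as the packet arrives on
# the inside NIC. The source is pinned to the inside subnet.
pass in on $int_if inet proto tcp from $int_net to any \
    flags S/SA keep state
pass in on $int_if inet proto { udp, icmp } from $int_net to any keep state

# A forwarded packet is filtered twice: inbound on one NIC, then
# outbound on the other. With "block all" above, only traffic admitted
# by a "pass in" rule (or sent by the firewall itself) reaches this
# point, so the outbound side can be permissive.
pass out inet proto tcp all flags S/SA keep state
pass out inet proto { udp, icmp } all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`.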
 
Martin Smith
      01-08-2004, 04:11 PM
On 8 Jan 2004 11:48:34 GMT, Paul Hutchings <(E-Mail Removed)> wrote:
> After some suggestions on a quick and dirty firewall that can be put on a
> box with 2 NICs to test a new leased line.
>


Smoothwall, see www.smoothwall.org; there are GPL and commercial
versions, the new GPL is first class and the ISO is not that big.

> Both NICs will have public IP addresses but on different subnets, so no NAT
> is required, just the ability to have nice simple PIX style "source-
> destination-protocol" rules that allow traffic in and out.
>
> Basically we're changing ISPs and the new line is in but I only have 1 PIX
> so can't test stuff as well as I would like!
>
> I'm thinking one of these linux firewall ISOs but they seem geared towards
> using private IPs and port forwarding for incoming connections..
>
> TIA,
> Paul



--
Martin Smith
 