suggested network topography

LRW
      11-10-2004, 03:11 PM
(I think that's the right word.)

Here's what I've got, what I would like to end up being able to do,
and I'm hoping I can get some advice on what's the best way to lay it
out.

We have a DSL connection with a DSL modem/router that's unfortunately
off limits to us by our ISP. =/ We can call them and have ports opened
and forwarded to a specific internal IP and that's about it.

An inexpensive Netgear switch.

A simple PC with Fedora Core 2 that is serving as a Web server and has
Snort/ACID and Firestarter firewall tool.

About 20 PC's, mostly with Windows XP, a Mac OS X, and another Linux
box as workstations.

What I'd like to do is have the Web server (which has to remain visible
to the public) also utilize Snort/ACID to monitor traffic coming
to/from the outside. Watch for portscans, intrusion attempts, as well
as any excessive traffic coming FROM an internal PC out to the Net on
a suspicious port, etc.

Now, I don't know just how good the DSL router our ISP installed is.
Supposedly they have all ports except 80 and 22 filtered, and those
two ports forwarded to the Fedora machine. But I can portscan our
public IP from a remote server, and the Firestarter can see the scans
on each additional port.

So, here's a question. Should I do something like this?

Internet/DSL router --> Cheap Linksys router filtering all but 22 & 80
--> Fedora box with Apache/Snort/Firestarter --> switch --> PC's.

In that situation, it'd be the Linksys assigning the internal IP's
(that's NAT, right?) or the Fedora box?

Or this:
Internet/DSL router --> Fedora w/Apache/Snort/Firestarter --> cheap
Linksys router with ALL ports filtered --> switch --> PC's?

I'm kind of thinking that might be the best route?

Anyway, we don't have the money to buy a GOOD router/switch. We have
to make do with what we have, and spend as little extra as possible.

Well, thanks for any suggestions and recommendations!
Liam

/dev/null
      11-10-2004, 03:33 PM
> We have a DSL connection with a DSL modem/router that's unfortunately
> off limits to us by our ISP. =/ We can call them and have ports opened
> and forwarded to a specific internal IP and that's about it.


Unacceptable. That knocks out protocols like IPSec. At a minimum they
should allow you to place one machine with a public IP and let you do what
you want with your ports.

> An inexpensive Netgear switch.
>
> A simple PC with Fedora Core 2 that is serving as a Web server and has
> Snort/ACID and Firestarter firewall tool.


Nice. Except after that description I don't think "simple PC" is applicable
any more. ;-)

> Or this:
> Internet/DSL router --> Fedora w/Apache/Snort/Firestarter --> cheap
> Linksys router with ALL ports filtered --> switch --> PC's?


I like this one the best. But here's what I think is optimum:

Internet
|
New PC (see below)
| |
DMZ Internal Net


In the dmz you put your hosting/ssh server. Internal Net is a non-routable
private IP range (192.168 is good).

The new PC is a PII (you could go with just a pentium if you wanted) with
256M ram tops (less than that if you wanted to try it). Put a minimal
install linux on there without X (I like slackware myself). Re-build the
kernel for your CPU (so that it will run optimally for your equipment).
DNAT your 80/22 coming in from the Internet to your DMZ box, SNAT outgoing
ports from your Internal Net. To catch those internal boxes that may be
doing something funky you only snat the known ports that you want to snat
and watch for things that get dropped off the firewall, then go back and
research why that internal machine is doing what it's doing.

If your ISP will give you two public IPs, have the new PC take one and do
proxy_arp and ip_forward and put the other IP on the DMZ box. Then setup
your iptables rules to only route 80 and 22 to the dmz IP.

> Anyway, we don't have the money to buy a GOOD router/switch. We have
> to make do with what we have, and spend as little extra as possible.


A PII on ebay would be about $50 - $60 and would be a nice toy as well as
learning experience for you.


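The firewall layout /dev/null describes above (DNAT 80 and 22 from the Internet to the DMZ host, SNAT only the known outbound ports from the internal net, and log then drop everything else so odd internal traffic shows up in the firewall log) written out as an iptables script. This is an added example, not code posted in the thread; the interface names, addresses and the ALLOWED_OUT port list are assumptions for a three-NIC box and must be changed to match a real network.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for the "new PC"
# firewall described above. Interfaces, addresses and ALLOWED_OUT are
# assumptions; adjust them for your own network.
set -eu

IPT="${IPT:-iptables}"            # set IPT=echo to print rules instead of applying them

WAN_IF="${WAN_IF:-eth0}"          # towards the ISP's DSL router
DMZ_IF="${DMZ_IF:-eth1}"          # towards the web/ssh host
LAN_IF="${LAN_IF:-eth2}"          # towards the workstation switch
DMZ_HOST="${DMZ_HOST:-10.0.1.2}"  # the Fedora/Apache box (assumed address)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # internal, non-routable range
# Outbound destination ports the LAN is expected to use; anything else is logged, then dropped.
ALLOWED_OUT="${ALLOWED_OUT:-53 80 443}"

# Start from a clean slate with deny-by-default policies on INPUT and FORWARD.
flush_all() {
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
}

# Replies to already-permitted flows are accepted first; admin ssh only from the LAN side.
state_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# DNAT: only 80 and 22 arriving from the Internet reach the DMZ host, and only out the DMZ leg.
# Nothing is forwarded from the DMZ towards the LAN (FORWARD policy is DROP).
dnat_rules() {
    for p in 80 22; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$p" -j DNAT --to-destination "$DMZ_HOST"
        $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_HOST" --dport "$p" -m state --state NEW -j ACCEPT
    done
}

# SNAT only the known outbound ports from the LAN; anything else falls through to log+drop.
snat_rules() {
    for p in $ALLOWED_OUT; do
        for proto in tcp udp; do
            $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p "$proto" --dport "$p" -m state --state NEW -j ACCEPT
            $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -p "$proto" --dport "$p" -j MASQUERADE
        done
    done
}

# Rate-limited logging so one noisy workstation cannot fill the disk; the source IP and
# destination port in each FW-LAN-DROP line tell you which internal box to go look at.
log_drop_rules() {
    $IPT -A FORWARD -i "$LAN_IF" -m limit --limit 10/min -j LOG --log-prefix "FW-LAN-DROP: " --log-level 4
    $IPT -A FORWARD -i "$WAN_IF" -m limit --limit 10/min -j LOG --log-prefix "FW-WAN-DROP: " --log-level 4
    $IPT -A FORWARD -j DROP
}

apply_all() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    flush_all; state_rules; dnat_rules; snat_rules; log_drop_rules
}

# Run as root with FIREWALL_APPLY=1 to load the rules; otherwise print them (dry run).
if [ "${FIREWALL_APPLY:-0}" = 1 ]; then
    apply_all
else
    IPT="echo iptables"
    flush_all; state_rules; dnat_rules; snat_rules; log_drop_rules
fi
```

After loading, `iptables -L FORWARD -v -n` shows the per-port counters, and the FW-LAN-DROP lines in the kernel log (forward them off the box with syslog, as the next reply suggests) are the "things that get dropped off the firewall" worth chasing down. The DMZ host itself cannot open new connections anywhere with these rules; if it needs DNS or updates, add explicit FORWARD rules for those ports on the DMZ leg rather than loosening the policy.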
AnthonyM
      11-11-2004, 03:03 AM
I agree with /dev/null. Good setup, and very safe to your DMZ out there
isolated. I have an old PIII? (hell, it was a gift) running my
firewall. I'm running Devil-Linux on mine, which is cool because it
runs off a CD, and saves its configuration on a floppy, which you can
write-protect.

Though if the running configuration is hacked, it will be compromised,
but it won't be altered permanently.

I just have all my logs sent back inside with syslog-ng. So, it's a
pretty stable setup.
It was great learning setting up everything. Most fun!
Enjoy!

-Anthony
