# gentoo firewall box advise

## dol-sen

I want to set up my Gentoo box to temporarily act as my firewall/router so I can take my firewall box offline to install Gentoo and firewall programs. I am and have been using Mandrake SNF 7.2, but I love Gentoo's ease of updates, etc. I have been learning quite a lot more about Linux since switching to Gentoo, but I am far from an expert.

Anyway, my system is a P200MMX, 96 MB RAM, 20 GB HD, one 3Com 3c905c NIC, GNOME, etc.

Internet = ADSL, DHCP; it requires the MAC address of the NIC to be registered with the ISP (I was going to remove it from the firewall box and install it temporarily in my machine; I have another identical NIC for install purposes, then swap it out when finished).

What do you recommend as must-haves for a basic firewall (it should only need to run for 1 week while I build a dedicated Gentoo box)? I have emerged dynfw and tried it, but snort failed (posted in Portage & Programming). My LAN is statically addressed now, but I also want DHCP on the final box.

My needs are basic. I am not using proxies now but would like to filter ads, etc. I want to add cron jobs to deny LAN=>WAN access at scheduled times; squid doesn't block most IMs (except my machine; I have late-night teens that could and would stay up most of the night chatting on the net). I was thinking of adding a DMZ and a small web/ftp/mail server, obtaining my own domain name, etc.

The firewall box is a P133, 64 MB RAM, 1.2 GB HD; I have a 540 MB HD with SNF 7.2 currently running. I was thinking of using my machine as an NFS server for /usr/portage/distfiles to the firewall box (saves space and hopefully more secure).

I noticed that shorewall and dansguardian do not yet have ebuilds.

Thanks in advance,   Brian

----------

## rac

 *dol-sen wrote:*   

> What do you recommend as must-haves for a basic firewall

 

Apologies if this is too obvious to mention, but iptables.

----------

## dol-sen

Thanks rac, I think iptables was installed with the basic Gentoo system, so I didn't mention it. Anyway, it is installed and I believe was just updated a few days ago.

Thanks...     Brian

----------

## rizzo

I don't believe iptables is installed by default, and you also have to enable it in the kernel.

You'll also need rp-pppoe for the ADSL connection.

Those are really the only things you need.  All traffic redirection and filtering are done by iptables.

----------

## dol-sen

rp-pppoe has now been emerged, thanks.

Now to reconfigure and compile the kernel to accept the other NIC. I think I'll up the security level as well.

For the firewall box, is there a number/any of the base system build that I should unmerge after it's all bootstrapped? It has been said that you want to have the minimum functionality on a firewall box, to provide a hacker the least amount of tools possible. Or would I be crazy to eliminate any of the base system?

Thanks ...  Brian

----------

## rac

 *dol-sen wrote:*   

> For the firewall box, is there a number/any of the base system build that I should unmerge after it's all bootstrapped? It has been said that you want to have the minimum functionality on a firewall box, to provide a hacker the least amount of tools possible.

 

That advice applies primarily to network daemons, and Gentoo's core system is very minimal already as far as network daemons go. If you are willing to forgo the convenience of using ssh to administer the firewall, you could take sshd out, but I can't think of anything else I would remove.

Maybe a better idea, once you have ip filtering working, is to restrict connections to the ssh port from the interface to your internal network, which would mean that even if a vulnerability was found in sshd, it would be unexploitable from the outside.  Downside of this is inability to administer your firewall when travelling, but security and convenience are often at odds.

----------

## Zu`

For me, the Gentoo Security Guide was a good start. It also explains how to set up a fairly basic but secure firewall using iptables: http://www.gentoo.org/doc/gentoo-security.html#doc_chap6

If you want to read up more about it, I suggest reading these:

- Linux 2.4 Packet Filtering HOWTO

- Iptables Tutorial

- Lots of other documentation in several languages from iptables.org

If you want internet sharing (enabling other computers in the Local Area Network to access the internet as well), read up about NAT/masquerading.

----------

## TuxFriend

It seems that you want to configure your firewall with GUI tools. The less software you have on your firewall, the better. My advice is to follow ONLY these steps:

- build a system described on http://www.gentoo.org/doc/build.html

- emerge iptables

- configure the kernel to add support for netfilter and remove everything that won't be necessary to run your firewall (e.g. serial port, USB, sound, etc.)

- create your firewall rules by hand and run "iptables-save > /var/lib/iptables/rules-save"

- run "rc-update add iptables boot"

Advice on creating firewall rules:

- change policy to drop everything

- log all dropped packets

- do the things you normally do (it will not work because all network-traffic gets dropped)

- check the log and see what was dropped.

- create rules that accept ONLY what was in your log (and what you want to get through)

If you need more help please let me know.

TuxFriend
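As an added example (not code from the thread, and not Gentoo's own init script), here is a small sh script that ties together rac's suggestion above of allowing ssh only on the inside interface and TuxFriend's steps: default-DROP policies on all three chains, logging of everything dropped, a state-match ruleset that accepts only what a DHCP-addressed ADSL router with one LAN needs, written in the iptables-save format that /var/lib/iptables/rules-save holds, plus a summarizer for the resulting "fw-drop:" kernel log lines so you can see what to open up next. The interface names eth0/eth1, the 192.168.1.0/24 LAN, the log prefix and a 2.4 kernel built with the netfilter options listed in the header are assumptions; adjust them before loading the rules.

```shell
#!/bin/sh
# fw.sh: added example, not code from the thread or from Gentoo.
# gen_rules prints a default-drop ruleset in iptables-save format;
# summarize_drops digests the kernel LOG lines that ruleset produces.
# Assumed: WAN eth0 (ppp0 on PPPoE), LAN eth1, LAN net 192.168.1.0/24,
# a 2.4 kernel with CONFIG_IP_NF_CONNTRACK, CONFIG_IP_NF_IPTABLES,
# CONFIG_IP_NF_FILTER, CONFIG_IP_NF_NAT, CONFIG_IP_NF_TARGET_MASQUERADE,
# CONFIG_IP_NF_TARGET_LOG, CONFIG_IP_NF_MATCH_STATE, CONFIG_IP_NF_MATCH_LIMIT.
#
#   sh fw.sh rules eth0 eth1 192.168.1.0/24 > /var/lib/iptables/rules-save
#   iptables-restore < /var/lib/iptables/rules-save
#   grep 'fw-drop:' /var/log/messages | sh fw.sh drops

# gen_rules WAN_IF LAN_IF LAN_NET
gen_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# log (rate limited so a flood cannot fill the disk), then drop
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: " --log-level 4
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j LOGDROP
# ssh only on the inside interface: an sshd hole is unreachable from the WAN
-A INPUT -i $lan -s $net -p tcp --dport 22 -m state --state NEW -j ACCEPT
# DHCP lease traffic from the ISP; LAN hosts may ping the box
-A INPUT -i $wan -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i $lan -s $net -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOGDROP
# the box may open connections out; tighten to what the log shows you need
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j LOGDROP
# LAN -> WAN only; nothing initiated from the WAN side is forwarded
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -m state --state NEW -j ACCEPT
# on a PPPoE uplink also clamp the MSS (needs CONFIG_IP_NF_TARGET_TCPMSS):
# -A FORWARD -o $wan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j LOGDROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# hide the LAN behind whatever address the ISP's DHCP hands the WAN side
-A POSTROUTING -o $wan -s $net -j MASQUERADE
COMMIT
EOF
}

# summarize_drops: read LOG lines on stdin, count them per (chain,
# in-interface, out-interface, protocol, destination port), biggest first.
# The chain is inferred from which interface field is empty, so each line
# says where an ACCEPT rule for that traffic would have to go.
summarize_drops() {
    awk '
    /fw-drop:/ {
        split("", f)                       # clear per-line KEY=VALUE table
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        chain = (f["OUT"] == "") ? "INPUT" : (f["IN"] == "") ? "OUTPUT" : "FORWARD"
        dpt = (f["DPT"] == "") ? "-" : f["DPT"]
        key = sprintf("%-8s in=%-5s out=%-5s %s dpt=%s", chain, f["IN"], f["OUT"], f["PROTO"], dpt)
        n[key]++
    }
    END { for (k in n) printf "%6d  %s\n", n[k], k }' | sort -rn
}

case "${1:-}" in
    rules) shift; gen_rules "$@" ;;
    drops) summarize_drops ;;
esac
```

Generate the file with `sh fw.sh rules eth0 eth1 192.168.1.0/24 > /var/lib/iptables/rules-save`, load it with `iptables-restore`, then use the network normally and run `grep 'fw-drop:' /var/log/messages | sh fw.sh drops`; each summary line names the chain an ACCEPT rule for that traffic belongs in. OUTPUT is left open for new connections from the box itself; once the log shows which ports it actually uses (DNS, HTTP, rsync for emerge sync), restrict it to those, as TuxFriend's last step says.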

----------

## dol-sen

Thanks for the info; it confirms what I thought I needed to do, and it has given me a lot to work through. Yes, I am somewhat of a GUI person, but I am learning my way around Gentoo. I was thinking of using webmin (restricted to LAN access only; I never get away from here anyway) for most checking and config changes. I knew I had seen something about Gentoo Security somewhere, but hadn't had the chance to look for it yet. Thanks for the link, Zu. rac, thanks again; I figured the base install was fairly minimal, but as I am relatively new (2.5 years now, Mandrake mostly, it's all preconfigured) to Linux, I needed to ask. I don't have the time to break things more than the norm figuring it all out in between painting my daughter's room, etc., etc., you know what I mean.

I have some work ahead of me, but I'll probably get stuck somewhere along the way.

Brian

----------

