# Firewall and mail server questions

## lotas

Ok. I can put this simply. I need to replace a box, currently running clarkconnect (www.clarkconnect.org), with gentoo. Clarkconnect is an out of the box solution. It has squid, firewall, web server, mysql server, FTP, SSHD, mail server (smtp, Imap, pop3 and webmail) and various other things, including webmin. I already have apache, sshd, squid, mysql, and webmin installed, but is there a quick and easy to use app for Firewall configuration? I have no X windows installed on said box, but my workstation is running gentoo too. It has X windows. I would like a web based option if possible (ssl would be a must!) and I'd also like to be able to have internal ports open only for inside. EG on the clarkconnect box I can gain access to port 10000 (webmin) from inside but not outside, and same with port 81. If there's an option for port forwarding that would be nice, but not 100% necessary ATM.

Thanks in Advance for any tips, apps, etc.

----------

## klieber

 *lotas wrote:*   

> is there a quick and easy to use app for Firewall configuration?

 

vim, emacs or any other text editor.  The quickest way to edit your firewall config is to write your own script and then maintain that going forward.  This will also give you the best understanding of how firewalls really work, etc. 

A great, great tutorial for rolling your own iptables script is here.  I've used this tutorial as a base for every firewall script I've ever written.  Everything is clearly laid out, well-documented and easy to follow.

Assuming you're looking for something with a bit more eye candy, check out fwbuilder.  I've never used it, but I've heard other folks say nice things about it.

--kurt

----------

## lotas

Kool, thanks! I'm reading the thing now and I'm going to start looking at some stuff in a while. I thank you for your response!

----------

## lotas

Ok. I have just taken the advice from that link and this is what I'm getting now.

```
alfred netfilter # /sbin/modprobe ipt_state
/lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
/lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
/lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o: insmod ipt_state failed
alfred netfilter # 
```

I have modularized all the things the documentation told me to and I'm not happy!!!  :Sad:  Here is the directory it's looking in:

```
alfred netfilter # ls
arp_tables.o        ipt_MASQUERADE.o  ipt_esp.o   ipt_tcpmss.o
arptable_filter.o    ipt_MIRROR.o      ipt_length.o   ipt_tos.o
ip_nat_ftp.o        ipt_REDIRECT.o    ipt_limit.o   ipt_ttl.o
ip_nat_irc.o        ipt_REJECT.o      ipt_mac.o   ipt_unclean.o
ip_nat_snmp_basic.o  ipt_TCPMSS.o      ipt_mark.o   iptable_filter.o
ip_tables.o        ipt_TOS.o          ipt_multiport.o   iptable_mangle.o
ipt_LOG.o        ipt_ULOG.o        ipt_owner.o   iptable_nat.o
ipt_MARK.o        ipt_ah.o          ipt_state.o
alfred netfilter # 
```

That's the dir listed above (/lib/modules/2.4.19/kernel/net/ipv4/netfilter/) and all the .o files it's looking for are there. Anyone know what this

```
unresolved symbol nf_unregister_sockopt
```

means?

Thanks in advance.

----------

## Expiscor

GPL version of smoothwall... I like it... Just FYI!...

www.smoothwall.org

----------

## bluesky

There is a tutorial on stateful firewalls by D. Robbins which is also quite good. Sorry I can't recall the exact URL but it is published on IBM developerWorks. Gentoo's moderators will surely know about it. It is a very good start for newbies.    :Very Happy: 

----------

## lotas

Tried that smoothwall, but I don't want to have a box just dedicated to being a firewall. Well I didn't at the time. Things may change soon. I like the all in one box approach. Anyway, I'll also look at the IBM developerWorks thingy. Thanks for the replies. Now working on getting this all up and running by about Friday or Saturday. Back in college after mid terms on Tuesday, and want to have it all working by then.

----------

## klieber

 *lotas wrote:*   

> ```
> alfred netfilter # /sbin/modprobe ipt_state
> ...
> ```

 

Searching for some of those error messages on google suggests that you may need to run 'make mrproper' and recompile your kernel.  However, IIRC, mrproper strips out all patches, so if you're running gentoo-sources, you may want to remerge that as well.

Anyway, search on Google to get more suggestions on how to fix the problem.  

--kurt

----------

## lotas

Yep. I found that actually.   :Embarassed:  So I'm now waiting on the compile to finish. I'm using the vanilla sources, so no patches. Strangely enough, I found out something. It takes 27min to do the make bzImage on my K6-2 450 and 7 minutes to do it on my Athlon 1.0GHz. It's mad. The athlon is only 2.2 times faster in MHz, but because the memory is 2X faster (66MHz in the K6, 133 in the athlon) and the hdd is faster by about 33% in RPM and a further 33% in transfer speed, it makes the whole thing about 4X faster! Anyone else getting speed increases like this? Sorry for the off topic thing.

----------

## bluesky

> A great, great tutorial for rolling your own iptables script is here.

I agree, it's an excellent article. But, unfortunately, the iptables kernel terms are not the same if you use "make menuconfig" (command line) instead of "make config" (KDE). Although they are SOMEWHAT similar, they are FAR from identical. Is there a conversion table somewhere?   :Wink: 

----------

## ronmon

I use Gentoo and Shorewall on my firewall/router/WAP box. It's a text editor type setup, but pretty easy to deal with once you understand their approach. You can control 'zones' or individual boxen and it's very flexible as to how and on what type of machine you run it (router, server, standalone or whatever). And the documentation is top notch.

It is worth looking into.

(Edit) I just noticed on their site that Shorewall is now in Gentoo. That should really make it easy :)

Last edited by ronmon on Tue Nov 05, 2002 12:53 am; edited 1 time in total

----------

## lotas

I'll try it out! Thanks

----------

## Naughtyus

Just curious, why are you wanting to get rid of clarkconnect if it was working fine for you?

----------

## thehyperintelligentslug

Hi,

I am planning on doing this too. (Moving from ClarkConnect to Gentoo).

My reason is because after being a RedHat user (BTW ClarkConnect is based on RedHat), and moving my main machine and my Laptop over to Gentoo, I have 'seen the light'!

A big reason is because Gentoo is much easier to keep current.

As for firewall / forwarding scripts, why not modify the ones you have in place on Clark Connect? That is what I was intending on doing when I make 'the move'.

Cheers,

Neil...

----------

## lotas

I'm moving for pretty much the same reason as thehyperintelligentslug. On clarkconnect you were limited to RPMs and Redhat 7.1 based software. I wanted the latest copy of apache (1.3.26 just before I got my new box) and the only one I could get for clarkconnect was 1.3.23. PHP I think was version 4.1.2 and a lot of packages couldn't be upgraded because they were "needed by clarkconnect". Don't get me wrong! The distro was great! Worked out of the box, no messing with config files etc, but after about 5 months, and a new server, I just wanted a change. Something a bit more powerful. Something customizable. I had run gentoo on my workstation, and when I saw the 1.4 version with the prebuilt parts for the K6-2 (what's in the box now) I was sold! Great distro guys!!!

----------

## Naughtyus

 :Smile:  Makes sense.  I've never used any of the clarkconnect-like packages before, so I wasn't sure how well they work, etc.

I'm going to have to set up a firewall on my server in the near future - for someone who's never set up iptables (or anything like them) before, would you (anyone) recommend something like shorewall, or going at it on an individual package basis?

What are the downfalls of using something like shorewall?

----------

## splooge

This is my favorite:

http://projectfiles.com/firewall/

Works right out of the box basically, just configure what external ports you want open to traffic and that's it.

----------

## lotas

The one I used was this one: http://morizot.net/firewall/gen/index.php. It's a script that's run on their servers, but you can download it and run it on your box if you want. It generates a firewall script, and all you have to do is download the text file, chmod it to 755 and then run it. Works like a charm!!! I just opened the ports I wanted open, and then everything else is blocked. I would, however, like to figure out how to tell it to allow ping and traceroutes. I'm having a problem with that. My firewall (running gentoo BTW!) is coming up as `* * * 10.0.1.1`. I know the next one is, for some reason, meant to do that (NTL's MBR for cable modem) and then everything else works grand. It does slow traceroutes down a lot with the router not working. Any ideas on what ports are meant to be open?

----------

## splooge

Sounds like your firewall script has ICMP blocked.
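The two things lotas asked for, admin ports (81 and 10000) reachable only from the LAN, and ICMP opened just enough for ping and traceroute to work as splooge suggests, as an added example that is not lotas's generated script nor any project's code: a small stateful iptables rule set for a 2.4-era Gentoo gateway using the ipt_state, ipt_limit and ipt_MASQUERADE modules listed earlier in the thread. It assumes eth0 faces the cable modem, eth1 faces a 10.0.1.0/24 LAN, and the public services are ssh, smtp, http, pop3 and imap; running it with IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not lotas's generated script). Assumptions: eth0 is the
# cable-modem side, eth1 the LAN, 10.0.1.0/24 the LAN network. Set IPT=echo
# to dry-run and inspect the rules before loading them on a real box.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.1.0/24}"

build_firewall() {
    # Start clean; drop by default for traffic to and through the box.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback, plus anything belonging to a connection already allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services that must be reachable from the Internet (assumed list).
    for p in 22 25 80 110 143; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Admin ports: accept only if the packet arrived on the LAN interface
    # from a LAN source address; the DROP policy catches everything else,
    # so there is no rule at all for 81/10000 on the external side.
    for p in 81 10000; do
        $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$p" \
             -m state --state NEW -j ACCEPT
    done
    # ICMP: rate-limited echo-request in so ping works (replies are
    # ESTABLISHED), and the error types traceroute depends on. OUTPUT stays
    # ACCEPT so this hop can send its own time-exceeded instead of '* * *'.
    $IPT -A INPUT -p icmp --icmp-type echo-request \
         -m limit --limit 5/second -j ACCEPT
    for t in time-exceeded destination-unreachable; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Let the LAN out and masquerade it behind the cable interface.
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    build_firewall
fi
```

Run `IPT=echo sh firewall.sh apply` first to review the rule list; the box's own traceroute hop shows up because the ICMP error it generates leaves through the permissive OUTPUT chain, while forwarded traceroutes get their replies back via the RELATED state.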

----------

