dol-sen Retired Dev
Joined: 30 Jun 2002 Posts: 2805 Location: Richmond, BC, Canada
Posted: Sat Aug 31, 2002 6:59 am Post subject: gentoo firewall box advice

I want to set up my gentoo box to temporarily act as my firewall/router so I can take my firewall box offline to install gentoo and firewall programs. I am and have been using Mandrake SNF 7.2, but I love gentoo's ease of updates, etc. I have been learning quite a lot more about linux since switching to gentoo, but I am far from an expert.
Anyway my system is a: P200MMX, 96 meg ram, 20gig HD, 1 3com 3c905c nic, gnome, etc.
Internet = ADSL - dhcp - requires the mac address of the nic to be registered with the ISP (I was going to remove it from the firewall box and install it temporarily in my machine. I have another identical nic for install purposes, then swap it out when finished).
What do you recommend as must-haves for a basic firewall (should only need to run for 1 week to build a dedicated gentoo box)? I have emerged dynfw, tried, but snort failed (posted in Portage & Programming). My lan is static addressed now but I also want dhcp on the final box.
My needs are basic. I am not using proxies now but would like to filter ads, etc. I want to add cron jobs to deny lan=>wan access at scheduled times; squid doesn't block most IMs (except my machine. I have late night teens that could & would stay up most of the night chatting on the net). I was thinking of adding a dmz & small web/ftp/mail server, obtaining my own domain name, etc.
Firewall box is a P133, 64meg ram, 1.2gig HD. I have a 540meg HD with SNF 7.2 currently running. I was thinking of using my machine as an nfs server for the /usr/portage/distfiles to the firewall box (saves space & hopefully more secure).
I noticed that shorewall, dansguardian do not yet have ebuilds.
Thanks in advance, Brian
|
|
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Sat Aug 31, 2002 7:13 am Post subject: Re: gentoo firewall box advice

dol-sen wrote: "What do you recommend as must-haves for a basic firewall"
Apologies if this is too obvious to mention, but iptables.
_________________
For every higher wall, there is a taller ladder
|
|
dol-sen Retired Dev
Joined: 30 Jun 2002 Posts: 2805 Location: Richmond, BC, Canada
Posted: Sat Aug 31, 2002 1:48 pm Post subject: iptables

Thanks rac, I think iptables was installed with the basic gentoo system, so I didn't mention it. Anyway it is installed & I believe it was just updated a few days ago.
Thanks... Brian
|
|
rizzo Retired Dev
Joined: 30 Apr 2002 Posts: 1067 Location: Manitowoc, WI, USA
Posted: Sat Aug 31, 2002 3:27 pm Post subject:

I don't believe iptables is installed by default, and you also have to enable it in the kernel.
You'll also need rp-pppoe for the ADSL connection.
Those are really the only things you need. All traffic redirection and filtering are done by iptables.
|
|
dol-sen Retired Dev
Joined: 30 Jun 2002 Posts: 2805 Location: Richmond, BC, Canada
Posted: Sat Aug 31, 2002 11:56 pm Post subject: firewall

rp-pppoe has now been emerged, thanks.
Now to reconfigure & compile the kernel to accept the other nic. I think I'll up the security level as well.
For the firewall box, is there any number of the base system build that I should unmerge after it's all bootstrapped? It has been said that you want to have the minimum functionality on a firewall box to provide a hacker the least amount of tools possible. Or would I be crazy to eliminate any of the base system?
Thanks ... Brian
|
|
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Sun Sep 01, 2002 12:27 am Post subject: Re: firewall

dol-sen wrote: "For the firewall box, is there any number of the base system build that I should unmerge after it's all bootstrapped? It has been said that you want to have the minimum functionality on a firewall box to provide a hacker the least amount of tools possible."
That advice applies primarily to network daemons, and Gentoo's core system is very minimal already as far as network daemons go. If you are willing to forego the convenience of using ssh to administer the firewall, you could take sshd out, but I can't think of anything else I would remove.
Maybe a better idea, once you have ip filtering working, is to restrict connections to the ssh port to the interface to your internal network, which would mean that even if a vulnerability was found in sshd, it would be unexploitable from the outside. The downside of this is the inability to administer your firewall when travelling, but security and convenience are often at odds.
_________________
For every higher wall, there is a taller ladder
|
|
Zu` l33t
Joined: 26 May 2002 Posts: 716 Location: BE
Posted: Sun Sep 01, 2002 12:36 am Post subject:

For me, the Gentoo Security Guide was a good start. It also explains how to set up a fairly basic but secure firewall using iptables: http://www.gentoo.org/doc/gentoo-security.html#doc_chap6
If you want to read up more about it, I suggest reading these:
If you want internet-sharing (enabling other computers in the Local Area Network to access the internet as well), read up about NAT/masquerading.
|
|
TuxFriend Apprentice
Joined: 14 Aug 2002 Posts: 151
Posted: Sun Sep 01, 2002 12:48 am Post subject: Re: gentoo firewall box advice

It seems that you want to configure your firewall with GUI tools. The less software you have on your firewall the better. My advice is to follow ONLY these steps:
- build a system as described on http://www.gentoo.org/doc/build.html
- emerge iptables
- configure the kernel to add support for netfilter and remove everything that won't be necessary to run your firewall (e.g. serial port, USB, sound, etc.)
- create your firewall rules by hand and run "iptables-save > /var/lib/iptables/rules-save"
- run "rc-update add iptables boot"
Advice on creating firewall rules:
- change the policy to drop everything
- log all dropped packets
- do the things you normally do (it will not work because all network traffic gets dropped)
- check the log and see what was dropped
- create rules that accept ONLY what was in your log (and what you want to get through)
If you need more help please let me know.
TuxFriend
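As an added example (not code from the thread or from any of the posters), the POSIX shell script below emits a ruleset in iptables-restore format that follows the advice given in the three posts above: default DROP policies with every drop logged (TuxFriend), sshd reachable only through the internal interface so a future sshd bug is not exposed to the Internet (rac), and NAT/masquerading so the LAN shares the ADSL link (Zu`). The interface names eth0/eth1, the LAN subnet 192.168.1.0/24 and the LOGDROP chain name are assumptions; set WAN to ppp0 if the link is brought up by rp-pppoe.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables-restore file for a
# two-NIC Gentoo firewall/router. Lines beginning with '#' are accepted as
# comments by iptables-restore, so the output can be saved as-is.
WAN=${WAN:-eth0}                       # assumption: NIC facing the ADSL modem
LAN=${LAN:-eth1}                       # assumption: NIC facing the internal LAN
LAN_NET=${LAN_NET:-192.168.1.0/24}     # assumption: internal subnet

gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade LAN traffic leaving on the WAN side (internet sharing)
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# LOGDROP: log (rate-limited so a port scan cannot flood the log), then drop
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
# Loopback and replies to connections we already allowed
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: packets claiming a LAN source must not arrive on the WAN NIC
-A INPUT -i $WAN -s $LAN_NET -j LOGDROP
-A FORWARD -i $WAN -s $LAN_NET -j LOGDROP
# sshd only from the LAN interface; there is no ACCEPT for port 22 on $WAN
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# DHCP offers from the ISP arrive on the WAN side
-A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT
# DHCP requests from LAN clients once this box hands out leases
-A INPUT -i $LAN -p udp --sport 68 --dport 67 -j ACCEPT
# Ping from the LAN helps troubleshooting; everything else to the box is logged
-A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOGDROP
# Forwarding: LAN may open connections to the WAN, replies come back via state
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -j LOGDROP
# The box itself may talk out (DNS, DHCP client, emerge rsync/fetch)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j LOGDROP
COMMIT
EOF
}

# Stand-alone use: sh fw-rules.sh > /var/lib/iptables/rules-save
gen_rules
```

Run it with the real WAN/LAN values, read the output, load it with `iptables-restore < file` (or save it to `/var/lib/iptables/rules-save` for the Gentoo iptables init script) and enable routing with `echo 1 > /proc/sys/net/ipv4/ip_forward`. Verify from a machine outside before trusting it: an ssh connection attempt to the WAN address must time out and show up in the log with the `FW-DROP:` prefix, and `iptables -L INPUT -v -n` must show no ACCEPT for port 22 on the WAN interface. For the scheduled LAN=>WAN cut-off from the first post, a cron job can insert `iptables -I FORWARD 1 -i eth1 -o eth0 -j LOGDROP` in the evening and remove the identical rule with `-D` in the morning; the file above is the boot-time baseline, so that temporary rule is intentionally not part of it.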
|
|
dol-sen Retired Dev
Joined: 30 Jun 2002 Posts: 2805 Location: Richmond, BC, Canada
Posted: Sun Sep 01, 2002 6:36 am Post subject: Thanks guys

Thanks for the info, it confirms what I thought I needed to do, and it has given me a lot to work through. Yes, I am somewhat of a GUI person, but I am learning my way around gentoo. I was thinking of using webmin (restricted to lan access only; I never get away from here anyway) for most checking & config changes. I knew I had seen something about Gentoo Security somewhere, but hadn't had the chance to look for it yet. Thanks for the link Zu. Rac, thanks again, I figured the base install was fairly minimal, but as I am relatively new (2.5 years now, Mandrake mostly, it's all preconfigured) to linux, I needed to ask. I don't have the time to break things more than the norm figuring it all out in between painting my daughter's room, etc., etc., you know what I mean.
I have some work ahead of me, but I'll probably get stuck somewhere along the way.
Brian