lotas Tux's lil' helper
Joined: 23 Jul 2002 Posts: 121 Location: Tallaght, Dublin, Ireland
Posted: Tue Oct 29, 2002 2:17 am Post subject: Firewall and mail server questions
Ok. I can put this simply. I need to replace a box, currently running clarkconnect (www.clarkconnect.org), with gentoo. Clarkconnect is an out of the box solution. It has squid, firewall, web server, mysql server, FTP, SSHD, mail server (smtp, Imap, pop3 and webmail) and various other things, including webmin. I already have apache, sshd, squid, mysql, and webmin installed, but is there a quick and easy to use app for Firewall configuration? I have no X windows installed on said box, but my workstation is running gentoo too. It has X windows. I would like a web based option if possible (ssl would be a must!) and I'd also like to be able to have internal ports open only for inside. E.g. on the clarkconnect box I can gain access to port 10000 (webmin) from inside but not outside, and same with port 81. If there's an option for port forwarding that would be nice, but not 100 % necessary ATM.
Thanks in advance for any tips, apps, etc.
_________________ Lotas T Smartman
www.lotas-smartman.net
www.the-hairy-one.com
www.lsn-blog.tk
Dual Athlon 2Gz, 1Gb ram, 120Gb hdd, GeForce FX5200, DVD+R/-R/+RW/-RW, CDR/RW
klieber Bodhisattva
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Tue Oct 29, 2002 2:29 pm Post subject: Re: Firewall and mail server questions
lotas wrote:
> is there a quick and easy to use app for Firewall configuration?
vim, emacs or any other text editor. The quickest way to edit your firewall config is to write your own script and then maintain that going forward. This will also give you the best understanding of how firewalls really work, etc.
A great, great tutorial for rolling your own iptables script is here. I've used this tutorial as a base for every firewall script I've ever written. Everything is clearly laid out, well-documented and easy to follow.
Assuming you're looking for something with a bit more eye candy, check out fwbuilder. I've never used it, but I've heard other folks say nice things about it.
--kurt
_________________ The problem with political jokes is that they get elected
lotas Tux's lil' helper
Joined: 23 Jul 2002 Posts: 121 Location: Tallaght, Dublin, Ireland
Posted: Tue Oct 29, 2002 6:42 pm
Kool, thanks! I'm reading the thing now and I'm going to start looking at some stuff in a while. I thank you for your response!
_________________ Lotas T Smartman
lotas Tux's lil' helper
Joined: 23 Jul 2002 Posts: 121 Location: Tallaght, Dublin, Ireland
Posted: Wed Oct 30, 2002 12:48 am
Ok. I have just taken the advice from that link and this is what I'm getting now.
Code:
alfred netfilter # /sbin/modprobe ipt_state
/lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
/lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
/lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o: insmod ipt_state failed
alfred netfilter #
I have modulized all the things the documentation told me to and I'm not happy!!! Here is the directory it's looking in:
Code:
alfred netfilter # ls
arp_tables.o ipt_MASQUERADE.o ipt_esp.o ipt_tcpmss.o
arptable_filter.o ipt_MIRROR.o ipt_length.o ipt_tos.o
ip_nat_ftp.o ipt_REDIRECT.o ipt_limit.o ipt_ttl.o
ip_nat_irc.o ipt_REJECT.o ipt_mac.o ipt_unclean.o
ip_nat_snmp_basic.o ipt_TCPMSS.o ipt_mark.o iptable_filter.o
ip_tables.o ipt_TOS.o ipt_multiport.o iptable_mangle.o
ipt_LOG.o ipt_ULOG.o ipt_owner.o iptable_nat.o
ipt_MARK.o ipt_ah.o ipt_state.o
alfred netfilter #
That's the dir listed above (/lib/modules/2.4.19/kernel/net/ipv4/netfilter/) and all the .o files it's looking for are there. Anyone know what this "unresolved symbol nf_unregister_sockopt" means?
Thanks in advance.
_________________ Lotas T Smartman
Expiscor n00b
Joined: 30 Oct 2002 Posts: 2
Posted: Wed Oct 30, 2002 6:14 pm Post subject: May I suggest that you look at the...
GPL version of smoothwall... I like it... Just FYI!...
www.smoothwall.org
bluesky Apprentice
Joined: 14 Aug 2002 Posts: 230 Location: USA
Posted: Wed Oct 30, 2002 6:35 pm Post subject: re: iptables & firewall
There is also a quite good tutorial on stateful firewalls by D. Robbins. Sorry, I can't recall the exact URL, but it is published on IBM developerWorks. Gentoo's moderators will surely know about it. It is a very good start for newbies.
_________________ bluesky
"free as the wind"
lotas Tux's lil' helper
Joined: 23 Jul 2002 Posts: 121 Location: Tallaght, Dublin, Ireland
Posted: Wed Oct 30, 2002 6:45 pm
Tried that smoothwall, but I don't want to have a box just dedicated to being a firewall. Well, I didn't at the time. Things may change soon. I like the all in one box approach. Anyway, I'll also look at the IBM developerWorks thingy. Thanks for the replies. Now working on getting this all up and running by about Friday or Saturday. Back in college after mid terms on Tuesday, and want to have it all working by then.
_________________ Lotas T Smartman
klieber Bodhisattva
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Wed Oct 30, 2002 7:09 pm
lotas wrote:
> Code:
> alfred netfilter # /sbin/modprobe ipt_state
> /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
> /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
> /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o failed
> /lib/modules/2.4.19/kernel/net/ipv4/netfilter/ip_tables.o: insmod ipt_state failed
> alfred netfilter #
Searching for some of those error messages on google suggests that you may need to run 'make mrproper' and recompile your kernel. However, IIRC, mrproper strips out all patches, so if you're running gentoo-sources, you may want to remerge that as well.
Anyway, search on Google to get more suggestions on how to fix the problem.
--kurt
lotas Tux's lil' helper
Joined: 23 Jul 2002 Posts: 121 Location: Tallaght, Dublin, Ireland
Posted: Wed Oct 30, 2002 7:53 pm
Yep. I found that actually. So I'm now waiting on the compile to finish. I'm using the vanilla sources, so no patches. Strangely enough, I found out something. It takes 27min to do the make bzImage on my K6-2 450 and 7 minutes to do it on my Athlon 1.0Gz. It's mad. The athlon is only 2.2 times faster in Mhz, but because the memory is 2X faster (66mhz in the k6, 133 in the athlon) and the hdd is faster by about 33% in RPM and a further 33% in transfer speed, it makes the whole thing about 4X faster! Anyone else getting speed increases like this? Sorry for the off topic thing.
_________________ Lotas T Smartman
bluesky Apprentice
Joined: 14 Aug 2002 Posts: 230 Location: USA
Posted: Tue Nov 05, 2002 12:15 am Post subject: re: terms not the same!
>A great, great tutorial for rolling your own iptables script is here.
I agree, it's an excellent article. But, unfortunately, the iptables kernel terms are not the same if you use "make menuconfig" (command line) instead of "make config" (KDE). Although they are SOMEWHAT similar, they are FAR from the same. Is there a conversion table somewhere?
_________________ bluesky
ronmon Veteran
Joined: 15 Apr 2002 Posts: 1043 Location: Key West, FL
Posted: Tue Nov 05, 2002 12:49 am
I use Gentoo and Shorewall on my firewall/router/WAP box. It's a text editor type setup, but pretty easy to deal with once you understand their approach. You can control 'zones' or individual boxen and it's very flexible as to how and on what type of machine you run it (router, server, standalone or whatever). And the documentation is top notch.
It is worth looking into.
(Edit) I just noticed on their site that Shorewall is now in Gentoo. That should really make it easy :)
Last edited by ronmon on Tue Nov 05, 2002 12:53 am; edited 1 time in total
Naughtyus Guru
Joined: 14 Jul 2002 Posts: 463 Location: Vancouver, BC
Posted: Tue Nov 05, 2002 4:24 am
Just curious, why are you wanting to get rid of clarkconnect if it was working fine for you?
thehyperintelligentslug n00b
Joined: 30 Jun 2002 Posts: 49 Location: Edinburgh
Posted: Tue Nov 05, 2002 2:48 pm
Hi,
I am planning on doing this too. (Moving from ClarkConnect to Gentoo).
My reason is because after being a RedHat user (BTW ClarkConnect is based on RedHat), and moving my main machine and my Laptop over to Gentoo I have 'seen the light'!
A big reason is because Gentoo is much easier to keep current.
As for firewall / forwarding scripts, why not modify the ones you have in place on Clark Connect? That is what I was intending on doing when I make 'the move'.
Cheers,
Neil...
lotas Tux's lil' helper
Joined: 23 Jul 2002 Posts: 121 Location: Tallaght, Dublin, Ireland
Posted: Tue Nov 05, 2002 4:29 pm
I'm moving for pretty much the same reason as thehyperintelligentslug. On clarkconnect you were limited to RPMs and Redhat 7.1 based software. I wanted the latest copy of apache (1.3.26 just before I got my new box) and the only one I could get for clarkconnect was 1.3.23. PHP I think was version 4.1.2 and a lot of packages couldn't be upgraded because they were "needed by clarkconnect". Don't get me wrong! The distro was great! Worked out of the box, no messing with config files etc, but after about 5 months, and a new server, I just wanted a change. Something a bit more powerful. Something customizable. I had run gentoo on my workstation, and when I saw the 1.4 version with the prebuilt parts for the K6-2 (what's in the box now) I was sold! Great distro guys!!!
_________________ Lotas T Smartman
Naughtyus Guru
Joined: 14 Jul 2002 Posts: 463 Location: Vancouver, BC
Posted: Tue Nov 05, 2002 6:47 pm
Makes sense. I've never used any of the clarkconnect-like packages before, so I wasn't sure on how well they work, etc..
I'm going to have to set up a firewall on my server in the near future - for someone who's never set up iptables (or anything like them) before, would you (anyone) recommend something like shorewall, or going at it on an individual package basis?
What are the downfalls of using something like shorewall?
splooge l33t
Joined: 30 Aug 2002 Posts: 636
Posted: Tue Nov 05, 2002 6:57 pm
This is my favorite:
http://projectfiles.com/firewall/
Works right out of the box basically, just configure what external ports you want open to traffic and that's it.
lotas Tux's lil' helper
Joined: 23 Jul 2002 Posts: 121 Location: Tallaght, Dublin, Ireland
Posted: Tue Nov 05, 2002 7:05 pm
The one I used was this one: http://morizot.net/firewall/gen/index.php. It's a script that's run on their servers, but you can download it and run it on your box if you want. It generates a firewall script, and all you have to do is download the text file, chmod it to 755 and then run it. Works like a charm!!! I just opened the ports I wanted open, and then everything else is blocked. I would, however, like to figure out how to tell it to allow ping and traceroutes. I'm having a problem with that. My firewall (running gentoo BTW!) is coming up as * * * 10.0.1.1. I know the next one is, for some reason, meant to do that (NTL's MBR for cable modem) and then everything else works grand. It does slow traceroutes down a lot with the router not working. Any ideas on what ports are meant to be open?
_________________ Lotas T Smartman
splooge l33t
Joined: 30 Aug 2002 Posts: 636
Posted: Tue Nov 05, 2002 7:37 pm
Sounds like your firewall script has ICMP blocked.
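For readers following the thread: the two problems raised here (admin ports such as webmin on 10000 that must be reachable only from inside, and a gateway that shows up as * * * in traceroutes because ICMP is blocked) can both be handled in a small hand-written iptables script of the kind klieber recommends above. The script below is an added example, not the thread's own script, not the morizot.net generator and not any project's code. Interface names (eth0 external, eth1 internal), the LAN subnet 192.168.1.0/24 and the port lists are assumptions; the `ipt` wrapper prints the rules by default (DRY_RUN=1) so they can be reviewed before anything is loaded.

```sh
#!/bin/sh
# Added example (not from the thread or any project named in it): a minimal
# stateful iptables script for a Gentoo box acting as LAN gateway, written
# for the 2.4-era "-m state" match that the thread's ipt_state module provides.
# Interface names, the LAN subnet and the port lists are assumptions.
WAN_IF="${WAN_IF:-eth0}"                 # assumed external (cable modem) side
LAN_IF="${LAN_IF:-eth1}"                 # assumed internal side
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed internal network (constructed)
PUBLIC_TCP="${PUBLIC_TCP:-22 80 443}"    # reachable from anywhere
INTERNAL_TCP="${INTERNAL_TCP:-81 10000}" # webmin (10000) and port 81: LAN only, as in the thread
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the rules instead of loading them

# Wrapper: echo the iptables command in dry-run mode, execute it otherwise.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Start clean; default-deny on INPUT and FORWARD, allow the box's own egress
    # (so the ICMP time-exceeded it generates as a traceroute hop can leave).
    ipt -F; ipt -X; ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # ICMP the thread stumbles over: rate-limited echo so ping answers but a
    # flood is throttled, plus the types PMTU discovery and traceroute rely on.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    # UDP traceroute probes aimed at the gateway itself get a port-unreachable
    # back instead of silently vanishing, so the hop shows an address, not * * *.
    ipt -A INPUT -i "$LAN_IF" -p udp --dport 33434:33534 -j REJECT --reject-with icmp-port-unreachable

    # Services open to the world.
    for p in $PUBLIC_TCP; do
        ipt -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Admin services: only via the LAN interface AND from a LAN source address.
    for p in $INTERNAL_TCP; do
        ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Gateway duty: LAN hosts out to the WAN with masquerading, replies back in.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Log (rate-limited) what the default policy is about to drop.
    ipt -A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-DROP: "
}

# Sanity check on the generated rule set: every internal-only port must be
# bound to the LAN interface; a bare --dport rule for it would expose it.
check_internal_only() {
    rules=$(DRY_RUN=1; build_rules)
    for p in $INTERNAL_TCP; do
        printf '%s\n' "$rules" | grep -- "--dport $p " | grep -qv -- "-i $LAN_IF" && return 1
    done
    return 0
}

case "${1:-print}" in
    apply) DRY_RUN=0; build_rules ;;   # ./fw.sh apply   (as root) loads the rules
    print) build_rules ;;              # ./fw.sh         prints them for review
esac
```

Run it without arguments to see the exact iptables commands it would issue, and `check_internal_only` to confirm that nothing has exposed the admin ports on the WAN side; only then load it with `apply`. The time-exceeded and port-unreachable rules are what make the box answer as a traceroute hop while ping stays rate-limited.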