openSUSE Forums > Archives > SLS Archives > ARCHIVES - SuSE Linux > ARCHIVES - Network & Security > ARCHIVES - Security

#1
29-Oct-2007, 22:03
TorchlightJay (Guest)

Hello,

So I have an old P3 box I want to turn into a firewall. In my network, I have a few computers, 2 servers, and then some notebooks that come in and out. Now my ISP gave me five static IPs. They gave me a wired modem/router combo. That is what's giving out all the static IPs. Now I went and got a Linksys Wireless Router for all my DHCP needs. I set it up to one of the IPs and the two servers have IPs, so that's three. Now I want to protect my whole network, but I have a DHCP environment and a static environment. What is the best way to accomplish this? Do I need two boxes? Two/three NICs on the boxes? What's the best way? Also, what's the best software, and any tutorials? Thanks.

#2
29-Oct-2007, 22:13
andrew sorensen (Guest)

Quote:
Hello,

So I have an old P3 box I want to turn into a firewall. In my network, I have a few computers, 2 servers, and then some notebooks that come in and out. Now my ISP gave me five static IPs. They gave me a wired modem/router combo. That is what's giving out all the static IPs. Now I went and got a Linksys Wireless Router for all my DHCP needs. I set it up to one of the IPs and the two servers have IPs, so that's three. Now I want to protect my whole network, but I have a DHCP environment and a static environment. What is the best way to accomplish this? Do I need two boxes? Two/three NICs on the boxes? What's the best way? Also, what's the best software, and any tutorials? Thanks.

For DHCP, simply set the static IP addresses at 192.168.1.101 ~ 105 or whatever, and then tell the DHCP starting address to be 192.168.1.106; this will prevent conflicts. As for a firewall, I'm not entirely sure, but for me, disabling DMZ seems to block all attacks, and on the computer side, YaST firewall or Firestarter will do. Also check to see if your modem has a firewall; most do.
#3
30-Oct-2007, 15:52
TorchlightJay (Guest)

Well, one of my servers is public (a web server). I had NAT on my modem, but it blocked outsiders from viewing my website (or any external access, which made SSH hard to do). I turn off the NAT, and external access works. It's not the best configuration. Anyway, I want to be able to forward the IPs to the specific device(s) for external access and then have the stuff that doesn't need a static IP on DHCP. Any ideas on how to make that happen?
#4
30-Oct-2007, 15:58
andrew sorensen (Guest)

Quote:
Well, one of my servers is public (a web server). I had NAT on my modem, but it blocked outsiders from viewing my website (or any external access, which made SSH hard to do). I turn off the NAT, and external access works. It's not the best configuration. Anyway, I want to be able to forward the IPs to the specific device(s) for external access and then have the stuff that doesn't need a static IP on DHCP. Any ideas on how to make that happen?

For DHCP, simply set the static IP addresses of the servers at 192.168.1.101 ~ 105 or whatever, and then tell the DHCP starting address to be 192.168.1.106; that way the DHCP computers won't be sharing IP addresses with the static machines.
That's the solution.
#5
30-Oct-2007, 16:09
TorchlightJay (Guest)

Okay, well, I am not sure how to do that. I mean, the statics I have are the ones the ISP gave me, not 192.168.1.x or whatever. I am sure I have to do something on the firewall that I am setting up, but I am not sure HOW to do that. So let's say my ISP gave me the IP of 43.123.47.930 or whatever; would I tell the firewall/router I am setting up to translate that as 192.168.1.1? From there I set my web server to 192.168.1.1, and then hopefully, when someone goes to type www.blah.net into their web browser, they still get my web server? I am sorry, I am just trying to make sure this works properly. I want to have access to my servers from outside the network.
#6
30-Oct-2007, 17:22
prh (Guest)

As an alternative, consider m0n0wall - a FreeBSD-based firewall with a tiny footprint - very good. I run this on a P3, using a CF card for a hard drive. It provides a nice web-based GUI, and lots of support is available through documentation and the user forum.

Set up the box with 3 NICs and you should be good to go. Before installing, just make sure you know the MAC ID numbers for each NIC - it makes life easier.

Paul

#7
30-Oct-2007, 17:53
TorchlightJay (Guest)

Yo, thanks for the idea. I was looking at Vyatta and Openwall, and also just using a regular distro and modding it.

So let's see if I understand this, anyone correct me if I am wrong or you see a better way.

I take my modem and have only one thing connecting to it, my firewall. The modem connects to one NIC on the firewall box. I install a second NIC on the firewall box that connects to the Linksys Wireless Router. On the Linksys, I turn off DHCP and allow the firewall to give out DHCP addresses via that second NIC. The third NIC is my static IPs. I use this NIC to forward all five IPs my ISP gave me. This NIC connects to a router or switch or something where I can connect all my servers onto it.

Now do I set the IP for the firewall as all five statics, or do I set it for just one, or how does it work? I don't know if I can set a device with more than one IP address from the ISP. Also, as you know, my big thing is ensuring that I can have my web server and stuff. Do I just forward the IPs, or do I use a local one like 192.168.1.3, and then any time someone types 12.345.67.890 they get my internal IP of 192.168.1.3? I hope I am making some kind of sense here.
#8
30-Oct-2007, 20:15
prh (Guest)

Your description looks sound.

You can set up your servers on a separate NIC as a DMZ, assigning them private static IPs. On the server boxes, set their default gateway to the address of the DMZ NIC on the firewall.

Your firewall will be set up to do IP masquerading, so all incoming requests will be directed to the one public IP (which you assign to your WAN NIC) and then redirected to the DMZ. You set up port forwarding as required to direct requests to the appropriate server on the DMZ.

You should set up the DMZ on one private LAN, e.g. 192.168.1.x, and your LAN on another, e.g. 192.168.0.x.

For boxes on the LAN, the default gateway needs to be set to the LAN NIC address of the firewall. (A DHCP server running on the firewall can be set up to provide this.)

So, a possible set-up:

WAN: public IP (set up with ISP parameters).

DMZ: 192.168.1.1; servers 192.168.1.2 and up, default gateway 192.168.1.1.

LAN: 192.168.0.1; client PCs 192.168.0.2 and up, default gateway 192.168.0.1.

Note: you will (I think) need to run your modem in half-bridge mode and/or turn off NAT/firewall; otherwise you'll have open ports and set up forwards in the modem as well. (Of course, I don't know what hardware you have.)

If you are doing this with the SUSE firewall, you can set up things mostly from YaST. You might have to set up some routing table information on the firewall box if you want to access the servers from the LAN.

Hope this is some help.

Paul

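The three-NIC layout Jay sketches in #7 and the WAN/DMZ/LAN plan Paul gives in #8, written out as an iptables ruleset for the firewall box. This is an added example, not anything posted in the thread; the interface names eth0/eth1/eth2 and the web server's private address 192.168.1.2 are assumptions that follow Paul's address plan.

```shell
# Address plan from the thread; interface names and the web server's private
# address are assumptions for this example.
WAN_IF=eth0             # public IP from the ISP lives here
LAN_IF=eth1             # 192.168.0.1: DHCP clients behind the Linksys
DMZ_IF=eth2             # 192.168.1.1: the servers
LAN_NET=192.168.0.0/24
DMZ_NET=192.168.1.0/24
WEB_SRV=192.168.1.2     # constructed: private address of the public web server

# Emit the whole ruleset in iptables-restore format (nat table, then filter).
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port forwards: requests to the public IP on 80/22 go to the DMZ web server.
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
-A PREROUTING -i $WAN_IF -p tcp --dport 22 -j DNAT --to-destination $WEB_SRV:22
# Masquerade everything leaving on the WAN behind the firewall's public IP.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may reach the firewall's DHCP server and its SSH admin port.
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the forwarded ports may cross from the WAN into the DMZ.
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB_SRV -p tcp -m multiport --dports 80,22 -j ACCEPT
# LAN may go anywhere (including the DMZ); DMZ may go out but never into the LAN.
-A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $DMZ_IF -s $DMZ_NET -o $LAN_IF -j DROP
-A FORWARD -i $DMZ_IF -s $DMZ_NET -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Sanity check before applying: every DNAT target must be inside the DMZ net.
check_rules() {
    ! gen_rules | grep -- '-j DNAT' | grep -qv 'to-destination 192.168.1.'
}

if [ "${1:-}" = apply ]; then       # run as: sh fw.sh apply (as root)
    sysctl -w net.ipv4.ip_forward=1
    gen_rules | iptables-restore
fi
```

LAN clients reach the servers directly by their 192.168.1.x addresses; reaching them through the public IP from inside the LAN would need an extra hairpin DNAT rule that is not shown here.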
#9
30-Oct-2007, 23:18
TorchlightJay (Guest)

Ya Paul, it makes sense. Thanks bro. I do have a few questions.

So my ISP gave me five IPs. Do I just use one of these IPs when I set up my firewall? I mean, when I am used to setting up any box, I usually have to put in my IP. Or do I, like, make some kind of passthrough? Then when I have this DMZ set up, it refers back to any one of these five statics?

Ya, that's my concern. I am not an expert on this, so I just want to figure it out. I mean, I have five IPs and I'd like to use all of them for various reasons. Making five firewalls just seems tedious. Plus, where will I get five boxes lol. Maybe you know of a way, who knows. Thanks man.
#10
31-Oct-2007, 17:08
prh (Guest)

Quote:
Ya Paul, it makes sense. Thanks bro. I do have a few questions.

So my ISP gave me five IPs. Do I just use one of these IPs when I set up my firewall? I mean, when I am used to setting up any box, I usually have to put in my IP. Or do I, like, make some kind of passthrough? Then when I have this DMZ set up, it refers back to any one of these five statics?

Well, you can use just one public IP and get everything to work.

That said, you _may_ be able to just use public IPs on the servers - but I don't know for certain.

Perhaps you could just get a basic setup working first - that is, just a firewall between the internet and your LAN. When that is up, you can add in the DMZ and set up your port forwarding. Then you could experiment with public IPs.

Once again, do check out m0n0wall - it's well set up with lots of documentation available.

Paul
