mdlbear: (grrr)
[personal profile] mdlbear

After a lot of jumping up and down and screaming, I appear to have a crude firewall (using Shorewall on my Debian laptop, which was conveniently at hand) on my new DSL line that I can route through. I can traceroute to google.com and read lj -- that's a good sign. Yes, it's faster. Much faster. Ship it.

Total debug time: about 4 hours. Apparently the Debian version of shorewall.conf is missing the crucial line:

  IP_FORWARDING=On

... so of course it wouldn't forward packets. Grump. There were a dozen or so other assorted things to fix in the example config, but that was the big one.
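One way to check for exactly this misconfiguration, as an added example that is not part of the original post or of Shorewall itself: a small POSIX sh script that reads the IP_FORWARDING setting out of a shorewall.conf (constructed sample files stand in for the Debian one) and compares it with the kernel's live ip_forward sysctl. It assumes that only IP_FORWARDING=On makes Shorewall enable forwarding, and that Off, Keep or a missing line leave the kernel as it was.

```shell
# Added example (not from the original post or the Shorewall project):
# diagnose "firewall is up but nothing gets forwarded" by checking the
# IP_FORWARDING line of a shorewall.conf and the kernel's ip_forward sysctl.
# Assumption: only IP_FORWARDING=On guarantees forwarding gets enabled.

# Print the effective IP_FORWARDING value from a config file (empty if unset).
# Comment lines are skipped, quotes/whitespace stripped, last assignment wins.
shorewall_ip_forwarding() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep '^[[:space:]]*IP_FORWARDING[[:space:]]*=' \
        | tail -n 1 \
        | cut -d= -f2- \
        | tr -d "\"'[:space:]"
}

# Exit 0 when the config will switch forwarding on, 1 otherwise.
shorewall_forwarding_on() {
    case "$(shorewall_ip_forwarding "$1")" in
        [Oo][Nn]) return 0 ;;
        *)        return 1 ;;
    esac
}

# Exit 0 when the running kernel currently forwards IPv4 packets.
kernel_forwarding_on() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}
# Constructed sample configs standing in for the real Debian file.
WORK=$(mktemp -d)
MISSING_CONF="$WORK/missing.conf"   # the shipped file: no IP_FORWARDING line
FIXED_CONF="$WORK/fixed.conf"       # the repaired file from the post
KEEP_CONF="$WORK/keep.conf"         # explicitly told to leave the sysctl alone
printf '%s\n' '# shorewall.conf' 'STARTUP_ENABLED=Yes' 'CLAMPMSS=Yes' > "$MISSING_CONF"
printf '%s\n' 'STARTUP_ENABLED=Yes' 'IP_FORWARDING=On' '#IP_FORWARDING=Off' > "$FIXED_CONF"
printf '%s\n' 'STARTUP_ENABLED=Yes' 'IP_FORWARDING="Keep"' > "$KEEP_CONF"

# Report each config, then what the kernel is actually doing right now.
for conf in "$MISSING_CONF" "$FIXED_CONF" "$KEEP_CONF"; do
    if shorewall_forwarding_on "$conf"; then
        echo "$(basename "$conf"): IP_FORWARDING=On, Shorewall will enable forwarding"
    else
        echo "$(basename "$conf"): IP_FORWARDING is '$(shorewall_ip_forwarding "$conf")', not guaranteed"
    fi
done
if kernel_forwarding_on; then
    echo "kernel: net.ipv4.ip_forward=1 (forwarding on)"
else
    echo "kernel: forwarding off, or sysctl not readable here"
fi
```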

About the only other things I've done today were getting the assorted receipts organized for data entry, and taking a 2.5 mile walk.

Now I'll have to change the DNS entries for my assorted domains, and -- most importantly -- fix my mail configuration so that it will relay through sonic's mail server.

Date: 2007-04-07 06:33 am (UTC)
From: [identity profile] technoshaman.livejournal.com
Oh, no! Funny, I'd forgotten it was missing that... and I think it only took me about an hour to figure it out myself. But then, I remember being rather meticulous about setting up Shorewall when I had it...

Shorewall is far from crude, and any ancient laptop you can convince to have two NICs (virtual or otherwise) would make a darn fine firewall. The only reason I was wasting a K6-233 on the shorewall I had instead of the P-133 was I was too impatient, and apt-get update took too darn long on the slow box.

You know what would be fun: One of those little Sparc shoeboxes and a copy of OpenBSD. I dee-devil-dare the skript kiddies to crack that.... and pf is a really nice, intuitive firewall. About five minutes with TFMP and I had a pretty nice little firewall all sketched out, took about 20 lines to do it all... DNS inbound, RELATED rules, everything from soup to nuts.

The other two ways to do it are a WRT54GL with OpenWRT or similar, or something cheap that you can manage to not have a CPU fan on (or if you do, have it be an Arctic Cool or a Zalman, and silicone grommet all the fans including the power supply)... that and a copy of Debian with that Shorewall config you just genned up. Or perhaps Trustix...

Date: 2007-04-07 09:56 am (UTC)
From: [identity profile] moshez.livejournal.com
Honestly, how does the "OpenBSD is the best ever for firewalls" myth endure? Googling for iptables vulnerabilities finds me stuff from 2001-2002. That's 6 years without a published vulnerability...and Debian runs just fine on those Sparcs, too :)

Date: 2007-04-07 02:32 pm (UTC)
From: [identity profile] technoshaman.livejournal.com
1) Theo is... not a pleasant individual, but his people are good at auditing code. I trust Theo to be Theo, and his people to give out good solid code. Tell me when the last bug was in pf?

2) It's *different*. Heterogeny is good for security; it means when a vulnerability does come out, not everyone is vulnerable.

3) pf is really a very sweet little language. It's a lot more readable (to me, anyway) than iptables. And the QOS is built-in; you don't have to use a different tool to do that. Very important if you intend to do VOIP.

So, no, it really does rock, and that's coming from someone who, while he isn't as die-hard a penguinista as, say, rms, *absolutely* *refuses* to run Microshaft on *any* of the machines he owns, even though it irritates She Who Must Be Obeyed just a little. (Not much, though! Between Falconseye, Civilization, and reading about the latest raft of trouble surrounding the cursor bug, she's glad she's *not* running Windows this week!)

Oh, one more thing:

4) Full-house OS (less X, but with compilers), 138mb. Half that if you don't need compilers (bad idea on a firewall box). You can comfortably snarf overnight *at 56k*.

Yes, it's only free as in beer. But it's free as in beer *source code*... which has its advantages.

OK. I'll stop playing advocatus diaboli now.

(There is one advantage to homogeneity: maintenance!)

Pardon me while I go apt-get update all my systems... :)

Date: 2007-04-07 09:54 am (UTC)
From: [identity profile] moshez.livejournal.com
Personally, I never learned how to use all these firewalls -- I usually just write the iptables rules. Of course, it's impossible to remember them by heart, so I usually have to google for "iptables nat" where I find the iptables command -- and the "echo 1 > /proc/whatever/ip_forward" or some such.

(I usually can't stand to see the rules those "linux firewalls" generate -- a lot like how an assembler programmer would freak out at seeing compiler-produced assembler, I guess...)

Date: 2007-04-07 02:35 pm (UTC)
From: [identity profile] technoshaman.livejournal.com
What, you don't know this stuff by heart (or have enough installed systems out there that you can't just crib one from another)? :)

Actually, "lokkit" generates fairly clean code. I let it do a first pass and then tweak to suit. If I'm not outright cribbing.

Date: 2007-04-07 03:02 pm (UTC)
From: [identity profile] moshez.livejournal.com
Heh, yeah, sometimes I crib...but no, not a lot of deployed systems (none now that they've all been converted to linksys-based NATing). At work, I let someone else configure the firewalls at the entry points (I am trying to train everyone to not consider me the IT guy) and for our product (a linux-based networking appliance) where I did write the iptables rules, I didn't need NAT :)
