Earthweb.com Practically Networked Home Earthweb developer.com HardwareCentral earthwebdeveloper CrossNodes Datamation
Welcome to PractiallyNetworked
Product Reviews

 • Routers
 • Hubs/Switches
 • Wireless Gateway
 • Wireless AP
 • Wireless NIC
 • Network Storage
 • Print Servers
 • Bluetooth Adapters
Troubleshooting
& Tutorials

 • Networking
 • Internet Sharing
 • Security
 • Backgrounders
 • Troubleshooting
    Guides

 • PracNet How To's
User Opinions
Practicallynetworked Glossary

 Find a Network Term  
 
Forums
About
Jobs
Home

  Most Popular Tutorials

• Microsoft Vista Home Networking Setup and Options
The most daunting part of upgrading to Windows Vista may be trying to figure out where in the layers of menus the networking and file-sharing options are hidden.

• Do It Yourself: Roll Your Own Network Cables
It may not be something you do everyday, but having the supplies and know-how to whip up a network cable on the spot can be very handy.

• Tips for Securing Your Home Router
Seemingly minor and easily overlooked settings can still have profound security implications. Here are some steps you can take to make sure your wired or wireless home router and by extension, your network is as secure as possible.

  Most Popular Reviews

• Microsoft Windows Home Server
If you have a home network, you'll welcome the easy file sharing, remote access and the image-based backup features of Windows Home Server.

• Iomega StorCenter Network Hard Drive
Iomega's fourth generation StorCenter Network Hard Drive brings many of the features found in higher-end storage devices down to an attractive price.

• MikroTik's The Dude
This free tool delivers many of the same capabilities that you'd find in pricey network monitoring tools. As long as you don't mind tinkering, The Dude is a decent network utility that should be worth the download.


Building Network Appliances With Linux, Part 4: Locking Down the Firewall Box


by Carla Schroder

Last time we left off after installing Webmin. Now it's time to configure the two network interfaces, then lock down security. Obviously, a firewall, like any network border device, must be highly secure.

Configuring Networking

Since your firewall box has two network cards, you need to configure one with your WAN IP and one with a LAN IP. Additionally, it's a good idea to label each physical card so you know which one is which, and then use ifrename to ensure that the configurations stick to the correct cards. Please refer to Nail Down Network Interface Names with ifrename for this. You'll need to take two more steps than the article gives, because Debian Stable does not include a startup script. Copy the one in the article to your firewall box and name it /etc/init.d/ifrename. Then make it start at boot by adding it to runlevels 2, 3, 4, and 5 with the update-rc.d command:

firewall1:~# update-rc.d ifrename start 40 2 3 4 5 . stop 0 1 6 .

Login on the firewall box as root. If you successfully initiated a remote Webmin session (last week's installment) then you already know which NIC is your LAN interface. Open the interface configuration file:

firewall1:~# nano /etc/network/interfaces

This example configuration shows how to configure a static LAN IP, and a dynamic WAN IP:

# The loopback network interface
auto lo
iface lo inet loopback

#lan and wan interfaces
auto lan wan

iface lan inet static
     address 192.168.1.26
     netmask 255.255.255.0

iface wan inet dhcp

Build a Linux Appliance

  • Part 1: Introduction and Hardware Requirements
  • Part 2: Install and Configure Linux
  • Part 3: the Firewall
  • If your Internet account gives you a static IP, use your account information. You'll need the address, netmask, and gateway. You'll also need to enter your ISP's DNS servers in /etc/resolv.conf. Note that the interface names "lan" and "wan" are arbitrary. I like to use descriptive names, rather than the default eth0, eth1, etc. so I instantly know what their roles are. These names are assigned with the ifrename program. Reboot, then run ifconfig -a to make sure everything is correct.

    Locking it Down

    Debian Stable installs with a number of services you don't need, so they should be turned off. You can see these with the netstat command:

    firewall1:~# netstat -untap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address    Foreign Address   State       PID/Program name
    tcp        0      0 0.0.0.0:643      0.0.0.0:*         LISTEN     1733/rpc.statd
    tcp        0      0 0.0.0.0:113      0.0.0.0:*         LISTEN     1616/inetd
    tcp        0      0 0.0.0.0:111      0.0.0.0:*         LISTEN     1340/portmap
    tcp        0      0 0.0.0.0:10000    0.0.0.0:*         LISTEN     1821/perl
    tcp        0      0 0.0.0.0:22       0.0.0.0:*         LISTEN     1726/sshd
    udp        0      0 0.0.0.0:640      0.0.0.0:*                    1733/rpc.statd
    udp        0      0 0.0.0.0:10000    0.0.0.0:*                    1821/perl
    udp        0      0 0.0.0.0:111      0.0.0.0:*                    1340/portmap
    udp        0      0 0.0.0.0:637      0.0.0.0:*                    1733/rpc.statd
    

    That's a whole lot of unnecessary open ports. All that's needed are sshd, for secure remote administration, and port 10000 for Webmin. To fix this, use the update-rc.d command to remove them from the startup directory, /etc/init.d/. Then reboot and run netstat again to verify that it worked:

    firewall1:~# update-rc.d -f nfs-common remove
    firewall1:~# update-rc.d -f portmap remove
    firewall1:~# update-rc.d -f inetd remove

    Next, we need to disable direct root logins over SSH, which is an important basic security measure on any system running an SSH server, and especially on a firewall. We'll also limit SSH access to the LAN only. You can change this later, but for now a stricter policy is a good thing. Open /etc/ssh/sshd_config:

    firewall1:~# nano /etc/ssh/sshd_config

    Change PermitRootLogin yes to PermitRootLogin no, and change ListenAddress 0.0.0.0 to ListenAddress 192.168.1.26, or whatever the LAN IP is. Close out and save your changes, then restart the SSH daemon:

    firewall1:~# /etc/init.d/ssh restart
    Restarting OpenBSD Secure Shell server: sshd.

    Now all future SSH logins will be as an ordinary user, then you'll su to root after establishing an SSH session.

    That locks down the firewall box pretty tightly. Come back next week to learn how to build your actual Internet-connection sharing firewall.

    Resources

    Nail Down Network Interface Names with ifrename
    The Penguin's Practical Network Troubleshooting Guide, Part 1
    The Penguin's Practical Network Troubleshooting Guide, Part 2
    the Linux Cookbook, step-by-step Linux system administration

    For more help, don't forget to try one of our PracticallyNetworked Forums.


    Earthwebnews.com Earthweb developer.com HardwareCentral earthwebdeveloper CrossNodes Datamation


    Home | Networking | Backgrounders | Internet Sharing | Security | HowTo | Troubleshooting | Reviews | News | About | Jobs | Tools | Forums