Re: Creating a 6.2 home firewall



Muffin wrote:
I am trying to figure out what ports and programs would be useful for a home family firewall. I am looking for suggestions of what others have found helpful to have on their home firewall/gateway. My firewall needs to wear a few different hats due to $ reasons. I am trying to do this as safely as possible while still effectively increasing the roles of this firewall. I am probably building neither the best firewall nor the best general purpose server but something in between.

To give an idea of what I have installed, working and documented so far:
6.2 minimal install
python 2.5
pf
ftp-proxy
squid
squidguard
dansguardian
dnsmasq
lockdown
scponly (for chrooted sftp file sharing access)

Any suggestions or comments would be welcome.

Thx



My configuration of a firewall is best suited to the "firewall only" view - with DNS and DHCP thrown in. However, you may find the following interesting:

I have FreeBSD 6.1 on a FreeSBIE on an old AMD K6-2 350. It has two ethernet interfaces (both Digital 21160). First goes to the cable modem. The other serves the internal network.

The box serves as my DNS server and DHCP server for my internal network. I can ssh to the box from only the internal network. I've set SSH to allow only NON-ROOT login. However, I have "su" setup for after I login using a normal user account. No account has the same password as any other. This way, if my primary user account is hacked somehow from external, the hacker will still need to guess the root password.

My IP rules disallow any incoming pings from either the external or internal networks. Basically, the machine hides from the external world. I had to make the DNS thing not respond to zone listings.

The cable modem will occasionally change IP address (dynamic vs. static) from Comcast. To deal with that, I have some ancient script to rewrite the DNS forwarding file and restart DNS.

The machine is on a cheap UPS. I installed and got "nut" running, but access to remote nut for monitoring is disabled by the firewall rules.

Essentially, any and all administration of the box occurs through ssh - it has no keyboard, mouse, or monitor, not even a serial console ;) It hides in my basement along with the cable modem and household 10/100 switch.

All in all, the thing is very low management / maintenance. Once the CD-ROM drive broke. I simply replaced it with another super-cheapy, put the FreeSBIE in, and rebooted - no backups / restores needed.

One thing to watch for: my DNS configuration for the internal network is burned into the FreeSBIE, which makes adding new machines extremely difficult in that I have to burn a new FreeSBIE. I would strongly suggest, if you go the FreeSBIE route, putting a floppy disk or SM card in: you can write-protect the media, but change the files off-line when your configuration changes. Any sort of configuration file can then go onto the floppy, such as the DHCP server and DNS server configuration files.

I wanted a machine with extremely low maintenance, on all the time, very easy to get back running when hardware broke, and secure.

I've taken off all compiler tools, etc. If someone does get into the box, the lack of a compiler may be a slight hindrance (they'll have some type of rootkit) - but why make it any easier?

Of course, your requirements may differ - I would suggest though that any internal web server, samba server, etc. be moved off the firewall and onto an internal machine - and that the firewall provide NO access to any internal machine (like redirecting to an internal web server). Remember - if any machine inside the firewall gets hacked, then you might as well not have a firewall to start with. But that's just my extreme paranoid view.

Chuck

This is root's plan: to root out all other roots.
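The policy Chuck describes (default deny, no reply to ping from either side, ssh only from the internal network, DNS and DHCP served only inward, outbound NAT, and no redirection of anything to an internal machine) written out as a pf.conf for the two-interface box. This is an added example, not Chuck's own ruleset: the interface names de0/de1 and the 192.168.1.0/24 range are assumptions, and the blocked remote nut access falls out of the default deny. His refusal of zone transfers is a name server setting rather than a pf rule (in BIND, allow-transfer { none; }; in the zone or options block).

```pf
# Added example, not the poster's ruleset. Names below are assumptions.
ext_if  = "de0"               # assumed: first Digital 21160, to the cable modem
int_if  = "de1"               # assumed: second Digital 21160, internal LAN
int_net = "192.168.1.0/24"    # assumed: internal address range

set skip on lo0
set block-policy drop          # silently drop; the box "hides" rather than rejects
scrub in all

# Outbound NAT for internal hosts. There are deliberately no rdr rules,
# so nothing arriving on the outside is ever forwarded to an internal machine.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny in both directions; log what gets dropped.
block log all

# Never answer ping, whether it comes from the outside or the inside.
block in quick inet proto icmp icmp-type echoreq

# Administration only over ssh, only from the internal network.
pass in on $int_if proto tcp from $int_net to ($int_if) port ssh flags S/SA keep state

# DNS and DHCP are offered to the internal network only.
pass in on $int_if proto { tcp, udp } from $int_net to ($int_if) port domain keep state
pass in on $int_if proto udp from any port bootpc to any port bootps keep state

# Internal hosts may go out through the box, but may not reach other
# services on the box itself (only the ssh/DNS/DHCP rules above allow that).
pass in  on $int_if from $int_net to ! ($int_if) keep state
pass out on $ext_if from ($ext_if) to any keep state
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f /etc/pf.conf. The quick on the ICMP rule matters: without it, the later "pass in on $int_if ... to ! ($int_if)" would be the last match for a ping from an internal host to an outside address, which is fine, but pf's last-match semantics would otherwise also let a later, broader pass override the block if one were added carelessly.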