Flexbeta.net has got an extensive look at setting up Mandrake Linux as a firewall. The article goes deep inside the setup process from setting the firewall rules to testing and enhancing the firewall.
There are dedicated distros that do this, and with a lot less bloat.
I agree. Or better use FreeBSD.
Those would both be good, but the article seems to go more in-depth into the idea of what is called Multi-Network-Firewall. I don’t know anything about it really, but apparently it releases a nice interface with the firewall itself. Who knows though. Maybe it is a rather nice firewall.
It’s basically an article about hacking the main distro into using all the MNF functionality. MNF is an enterprise-class product which people pay for, so they must have some use for it. I don’t know why you’d do this, though, given that you can get MNF as a free download and save yourself the hassle. Maybe just because 10.1 has some newer versions?
Security is their life, how about letting them do the firewalling while these desktop distros do something else? Why use Mandrake as a firewall when this option exists free of charge???
Maybe downloading and learning another OS is just not an attractive option for most people…
Windows XP comes with a firewall. If you’re using Windows 2000, you can download ZoneAlarm. It’s simple, quick and painless. Why the hell would you install a whole OS (and a crappy one at that) just to get a stinking firewall?
I think you’re misunderstanding a slight bit. The purpose is not to use a whole OS for a single computer with a firewall attached, it’s designed for making a firewall for an entire network, similar to how your router would work. Sure, Windows XP and other solutions have firewalls included, but they’re not going to be a first choice to defend an entire network. They don’t have the extensiveness that other firewall tools have. Also, when you use an OS such as a BSD or Linux variant, you can cut your resources to a minimum by taking out components like a GUI, additional/excessive services and so on. Some of this is also possible in Windows, but not quite the ideal scenario I would suspect. Something like Windows 2003 Server might be an option, though.
See, it’s not about FreeBSD, Gentoo, OpenBSD, i’m more tough n’ stuff, bla bla bla .. its all about WHAT YOU CAN DO with it.. whether ipf iptables sunscreen or whatev.
So if you ain’t got no clue about HOW YOU DEFINE THE RULES… could be mandrake netbsd… it’s not gonna work (as it should be)
better grabs some books yo!
Regards,
jay_of_today
Didn’t they already download and learn a new operating system anyway? What’s another going to hurt?
Why would you go with this and not something like IPCop/Smoothwall/ClarkConnect (To name 3 of the more popular router/firewall distros)?
I’ve not used MNF so maybe I’m missing something, but the article didn’t really mention anything MNF has that those products don’t (plus I was kind of disturbed to see “Don’t forget to register your firewall to receive your free updates for 6 months” on one of the screenshots).
Windows XP comes with a firewall. If you’re using Windows 2000, you can download ZoneAlarm. It’s simple, quick and painless. Why the hell would you install a whole OS (and a crappy one at that) just to get a stinking firewall?
Possibly because some people, especially companies, have these things called networks and they need something suited for the task to be able to protect them? Zonealarm and especially the Windows XP firewall are a joke for such a task.
Thanks for the heads up @ article and posts.
Posts: Very valid concerning using this method at the enterprise level. Seems inappropriate.
Article: I think it’s valid for someone like me who is running a small SOHO network and is a recent convert to Linux.
Peace
Why use Mandrake as a firewall when this option exists free of charge???
A web interface versus a CLI for less technical users, perhaps.
Crappy external firewalls will only protect you from outside attacks. If someone connects an infected Linux laptop to the internal network, you’re screwed.
All firewalls only protect from what’s outside, though you can also control outbound connections.
As far as an “infected Linux laptop” goes, you know that no such things exist, as there are currently no Linux viruses in the wild. You probably meant to say “infected Windows laptop”, as there are hundreds of Windows viruses currently in the wild.
And anyways, there are a lot of better, easier to use hardware firewalls that companies can install seamlessly and quickly.
Such hardware firewalls are usually built around Linux.
No company wants to spend hundreds of dollars paying some tech to dick around with Linux.
Actually, plenty of companies do. You might not have noticed, but Linux servers are one of the fastest-growing markets in the IT industry.
That said, a Linux firewall is a no-brainer to set up. I personally use the firestarter front-end to manage iptables on an old Pentium 166. That PC would be considered useless by most people, but it makes an excellent firewall/NAT gateway. I can easily manage it from any Linux machine (or Cygwin-enabled Windows machine) on my home network. Setup was a breeze, and using nessus (another great open-source *nix tool) to test the security means I’ve got a pretty secure network.
How about you take a moment to do some critical thinking about the crap you read on Slashdot, instead of mindlessly swallowing it down like a dingbat.
One could say the same thing about you and MS press releases.
Crappy external firewalls will only protect you from outside attacks. If someone connects an infected Linux laptop to the internal network, you’re screwed. And anyways, there are a lot of better, easier to use hardware firewalls that companies can install seamlessly and quickly. No company wants to spend hundreds of dollars paying some tech to dick around with Linux.
So you’re saying you ought not to protect your LAN from outside attacks? Anyway, crappy is definitely debatable. If you want something extremely secure and highly customizable then a Linux firewall is a great way to go, I say. Set it up without an IP address and it’s virtually untouchable by someone trying to break into it.
And sure, if you’re at a very large organization you’ll probably go with a specialized hardware firewall, you’ll need to just to keep up with the traffic. And yes, the hardware is probably highly customized to handle the high traffic load, but I’ll give you three guesses what OSes you’ll find on a lot of the things when you crack them open and mess with them. Hint: it’s not Windows.
And one more thing. With distros like Clark Connect and others people have mentioned, setting up a Linux firewall can be quite a simple task. But then if you’re saying that with a hardware firewall you can just plug it in and forget about it, or that setting them up is always just some simple task, well, have fun when some leet fellas break into your network.
I’ll be wasting my time trying to explain myself to someone with such low reading comprehension. So why don’t we end the conversation right here.
Uh…right. Guess you forgot about posting this little bit:
Windows XP comes with a firewall. If you’re using Windows 2000, you can download ZoneAlarm. It’s simple, quick and painless. Why the hell would you install a whole OS (and a crappy one at that) just to get a stinking firewall?
Or is it more along the lines of what A nun, he moos is saying?
Right…
Mathman typed my reply to your post. Weird.
As Mandrake’s firewall is based on the shorewall iptables script, it’s quite easy to get a restrictive desktop firewall by editing, respectively, interfaces, zones, policy and rules in /etc/shorewall. The interfaces file looks like this:
#ZONE INTERFACE BROADCAST
net eth0 $broadcast
zones:
#ZONE DISPLAY
net NET
policy:
#SOURCE DEST POLICY (applies to anything no rule matches)
all all DROP
rules:
#ACTION SOURCE DEST PROTO DEST-PORT (checked top to bottom, before the policy)
ACCEPT fw net:$gateway udp 53 #dns (statically assigned ip-address)#
ACCEPT fw net tcp 21 #ftp#
ACCEPT fw net tcp 25 #sending e-mails#
ACCEPT fw net tcp 80 #browse the web or im via port 80#
ACCEPT fw net tcp 110 #receive mail (pop3)#
ACCEPT fw net tcp 443 #“secure” http via ssl#
gives you a stateful firewall that blocks everything not listed in /etc/shorewall/rules by default.
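To check what the policy and rules above actually allow, here is an added example (not from the post or from Shorewall itself) that models Shorewall’s decision order: rules are tried top to bottom, and the policy only applies when none matches. It assumes a constructed params dict for $gateway and models only the five columns the post uses.

```python
# Added example: a minimal model of how Shorewall decides a NEW connection
# from the post's /etc/shorewall/{policy,rules} text. Not Shorewall's own code.

PARAMS = {"gateway": "192.168.1.1"}  # constructed; really /etc/shorewall/params

RULES_TEXT = """
ACCEPT fw net:$gateway udp 53   #dns only to the gateway
ACCEPT fw net tcp 21
ACCEPT fw net tcp 25
ACCEPT fw net tcp 80
ACCEPT fw net tcp 110
ACCEPT fw net tcp 443
"""
POLICY_TEXT = "all all DROP\n"


def _parse(text):
    """Drop comments and blank lines; split the rest into whitespace columns."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def _zone_matches(spec, zone, host):
    """'net' matches any host in zone net; 'net:$gateway' only that address."""
    name, _, qual = spec.partition(":")
    if name not in ("all", zone):
        return False
    if qual:  # resolve $var from PARAMS, otherwise treat as a literal host
        qual = PARAMS.get(qual[1:], qual) if qual.startswith("$") else qual
        return host == qual
    return True


def decide(src_zone, dst_zone, proto, port, dst_host="",
           rules=RULES_TEXT, policy=POLICY_TEXT):
    """Return the action applied to a new connection: first matching rule,
    else the first matching policy entry."""
    for row in _parse(rules):
        action, src, dst, rproto, rport = (row + [""] * 5)[:5]
        if (_zone_matches(src, src_zone, "") and
                _zone_matches(dst, dst_zone, dst_host) and
                rproto == proto and rport == str(port)):
            return action
    for row in _parse(policy):
        src, dst, action = row[:3]
        if src in ("all", src_zone) and dst in ("all", dst_zone):
            return action
    return "DROP"  # constructed fallback; real Shorewall requires a matching policy
```

Running decide("fw", "net", "udp", 53, dst_host="8.8.8.8") shows the DNS rule is pinned to $gateway: queries to any other resolver fall through to the DROP policy.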
Windows XP comes with a firewall. If you’re using Windows 2000, you can download ZoneAlarm. It’s simple, quick and painless. Why the hell would you install a whole OS (and a crappy one at that) just to get a stinking firewall?
Because some people have needs that are not met by simple firewalls like XP’s or ZoneAlarm. These are designed to be easy to use, and as a result are deliberately limited in what you can do with them.
I always use IPCop
http://www.ipcop.org/
to make linux firewalls. It has a nice web interface and it is a specialized linux distribution for this purpose.
Mandrake as firewall? Buahahahahahahahaaaa.
You must be kidding, plain install takes a few hundred megabytes alone!
I’d be willing to pay to not be able to see some of the zealot comments made by “A nun he moose” for instance?
Send me a check and I’ll see what I can do…
Seriously, dude, if you think what I write is off-topic or contravenes the terms of use in any other way, just report my posts for abuse. However, I find it quite strange that you would comment on my posts when you’ve got Octavian’s in the same thread.
Solutions?
Try to come up with good arguments instead of whining. Though I will once again reiterate my call for registered accounts and an option to hide anonymous postings (though I guess you wouldn’t be too much in favor of that, even if it would solve some of the trolling problems).
Heh. The current Something Awful update (http://www.somethingawful.com/) is really relevant and funny. Just replace ‘game’ with ‘OS’.
That’s kind of strange coming from someone who never misses an opportunity to barge in a comment section and claim that Linux and “Open Sores” suck.
I think you should take a long, hard look in the mirror.
I *am* the mirror.
Uh, no. For that you’d have to be able to reflect, and obviously that’s out of your reach.
If you can’t see that you’re exactly the kind of person being ridiculed in the Something Awful editorial, then there’s not much more to say…