[ale] Opinion Call: Firewalls for DSL

Ray Knight - Clientlink rayk at clientlink.com
Mon Jul 3 10:32:49 EDT 2000



You could have used any of the number of Linux based firewall/router distros that
use a single floppy approach on your original target machine.  The
following is a list of a few that I have tried.  I am currently using the
FreeSCO solution, but the others have their advantages as well:

ShareTheNet     http://www.ShareTheNet.com/
FreeSCO         http://www.linuxsupportline.com/~router/
floppyfw        http://www.zelow.no/floppyfw/
Coyote Linux    http://www.coyotelinux.com/coyote.html
FirePlug        http://edge.fireplug.net/

And of course there is the Linux Router Project at http://www.linuxrouter.org

Ray Knight
audilvr at speakeasy.org

  -----Original Message-----
  From: owner-ale at ale.org [mailto:owner-ale at ale.org] On Behalf Of Jeff Hubbs
  Sent: Monday, July 03, 2000 12:51 AM
  To: ale at ale.org
  Subject: [ale] Opinion Call: Firewalls for DSL

  A couple of months ago, I made a strategic decision to pop for the NetMax
  Firewall/Router product from CyberNet.

  My dangerously optimistic premise was that I had a lot of things to
  integrate at the house - new computer, firewall, Telocity DSL (no complaints,
  BTW), old computer - and I thought that the NetMax' "thin server"
  Web-administered approach would help me get going quicker.

  My target machine was going to be a VLBus 486DX/33 in which I could put as
  much as 32MB of RAM, and I had already set myself up with some ISA-bus
  Ethernet cards to choose from, three of them being NE2000 clones.
  I also scored a 3Com 3C515 - an ISA-bus 10/100 full-duplex card.

  The first problem I had was that whereas the NetMax docs said it supported
  the 3Com 3C515, there appeared to be no way to get it to work, and when I
  called tech support, the person that answered didn't even seem to understand
  the question when I tried to find out how.  I finally had to insist to
  speak to someone who had firsthand experience with the product.  When I
  finally did, I learned that my question about the 3C515 apparently had no
  answer and that the claim of supporting the 3C515 was apparently a lot of
  hogwash.  I also learned that when the NetMax docs say that a Pentium is
  the minimum required CPU, they mean it - it is unstable on a 486 (he did not
  indicate that it was compiled for Pentium, but that's my assumption).
  This fellow offered to set me up with the FreeBSD version in trade for the
  Linux version that I bought and my address was taken down.  It never
  arrived.

  I decided that I would try to soldier ahead with what I had.  I picked
  up a fairly nice Pentium/75 at MicroSeconds.  It took me a few tries to
  get anywhere with it, but I eventually got it to work with two interfaces,
  performing NAT.  One key element to my eventual success was that the only
  documentation that is usable is a single article on their Web page; the
  provided documentation is NOT sufficient to figure out the installation.

  Here is my sack of woes to date:

    At the moment, even after a reboot, the Web interface is not
    reacting.  It was working fine, but now, zip.

    The interface, when it did work, is DOG SLOW.  If you make
    config changes, it takes this Pentium/75 with 256KB of cache and 72MB of RAM
    *several minutes* to go through the commit/restart services process.

    The console sometimes fills up with stuff like "Unable to handle kernel
    NULL pointer dereference at..." or "Out of Memory" errors.  Most of the
    time, NAT operation seems to continue unabated but the "Out of Memory" stuff
    got so bad that the machine would only respond to a three-fingered salute.

    There is nothing documented or nothing I can locate in the Web interface
    (again, when it worked) or the Web site that gives me the ability to enable
    or block specific services or even ports - just a rather vaguely labeled set
    of check boxes.

    Things like sendmail are running.  I don't want it running.
    But, to stop it, I have to dig through /etc/rc.d or whatever in the typical
    fashion.

    So far, my attempts to configure X have been a total failure.  The
    video is a supported Cirrus Logic.  All three offered methods of X
    configuration at the console error out.

    You log onto the console using the username and password you enter at
    install time.  It would be nice to su to root so you can run things
    like fsck but the root password is unknown to me.

    The Web site support options - the user forum and the knowledge base -
    have been essentially useless and my one attempt at phone support was
    horrendous.

  Before I went through all this, I had read the
  Firewall-HOWTO and got a fair idea of the theory behind ipchains and I
  understood that I had a lot to learn and that I would have to be careful to
  harden the Internet-facing interface and generally be on my toes about
  it.  I had good reason to believe that the NetMax product was going to
  help prevent me from having to be quite so down-and-dirty.

  So, my question to you fine folks is basically this:  should I have
  bothered?  Would I have been as well off if I had just put on a
  bare-bones Red Hat 6.2 installation on the 486 and figured out ipchains?
  Right now I have a marginally unstable firewall that is performing NAT like it
  should, but when certain Internet functions don't work, it seems I have to
  "open the hood" anyway and I really don't have a good way to know how well
  protected my firewall is against the baddies.   I know some of you
  have done the firewall thing with some success and inasmuch as I would *like*
  a shortcut to a well-done firewall, I've just about concluded that the NetMax
  product is not it and my $50 would have been better spent elsewhere.

  So what do you think I should do?

  - Jeff
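As an added illustration (not part of either message in this thread, and not taken from NetMax or any of the distros Ray lists) of what the bare-bones ipchains route Jeff is weighing would look like: a minimal rule set for a two-interface masquerading firewall of the Red Hat 6.2 era. It leaves sendmail and every other local service unreachable from the DSL side, logs whatever is dropped there, and masquerades the LAN out. The interface names, the LAN range and the script itself are assumptions; adjust them for the real box.

```shell
#!/bin/sh
# Added example: ipchains policy for a two-NIC NAT firewall (not from the thread).
# Assumed layout: eth0 faces the DSL modem, eth1 faces the house LAN on 192.168.1.0/24.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the rule set, one command per line, so the policy can be read and
# reviewed before it is applied (and so this runs on a machine without ipchains).
firewall_rules() {
    cat <<EOF
# start from a clean slate and deny by default on the chains packets arrive on
ipchains -F
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY
# loopback and the LAN side are trusted
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $INT_IF -s $LAN_NET -j ACCEPT
# anti-spoofing: a packet claiming a LAN source must never arrive on the DSL side
ipchains -A input -i $EXT_IF -s $LAN_NET -j DENY -l
# replies to connections the inside started (anything that is not a SYN) may come back
ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT
# DNS answers from the ISP's resolvers (source port 53)
ipchains -A input -i $EXT_IF -p udp -s 0/0 53 -j ACCEPT
# sendmail may be running, but port 25 is not reachable from outside; log attempts
ipchains -A input -i $EXT_IF -p tcp -d 0/0 25 -j DENY -l
# everything else from the DSL side is dropped and logged, which is how you
# find out what is being tried against the box
ipchains -A input -i $EXT_IF -j DENY -l
# masquerade (NAT) the LAN out through the DSL interface and turn on forwarding
ipchains -A forward -i $EXT_IF -s $LAN_NET -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Apply the rules on the firewall itself: strip the comments and feed the
# commands to a shell that stops at the first failure.
apply_rules() {
    firewall_rules | grep -v '^#' | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       firewall_rules ;;
esac
```

Run it with no arguments to print the rules for review; `--apply` runs them on the firewall. The deny-and-log catch-all on the DSL interface is the closest ipchains gets to answering "how well protected am I": the kernel log shows exactly what was tried and dropped, and anything the checkboxes of a Web interface would have hidden is spelled out in the rule list.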