Dan Beimborn <hoon@celticmusic.com> wrote:
Oo, lucky you. There are a couple ways to manage it. Are you planning a separate firewall machine eg
adsl -- firewall -- desktops, servers
Nope.
If so, the short version of your design goal is to turn off everything on the firewall except reply packets, then forward ports from the outside to the inside only for what you need. Example:
firewall has a "real" IP of 1.1.1.1, and an "inside" IP of 10.1.1.1
You should make your gateway 10.1.1.1 on the machines inside the firewall, and set the firewall up to NAT packets from the LAN to the outside.
if you have a web server that you want to host at 1.1.1.1 port 80, you would port forward 1.1.1.1 port 80 to 10.1.1.2 port 80, for example.
Whoa! This is a little over my head I'm afraid. I understood the bit up to 'If so'.
If you are just surfing the web, reading email, and not running any servers, that's dead easy. You can even just ensure that a single desktop machine isn't running any unwanted services and run without a firewall.
The best ways to check what ports you have open are the following:
nmap localhost (this portscans yourself)
lsof -i (this lists any open TCP/IP ports)
chkconfig --list | grep :on (this shows what daemons are running on many linux distros)
You can also man iptables to see the built-in firewall commands.
iptables -nvL will list any firewall rules in place
packet mangling is really only necessary if you want to create some fancy custom rules to allow stateful protocols through, to do complex packet tracking, or other stuff outside the realm of a normal home firewall.
Right so I probably don't need packet mangling. The only reason I asked is that I have seen a message in the logs something along the lines of 'can't load module iptables_mangle'.
If you would like more detail on any of those options, or some sample iptables rules, pop up another message and I'm sure that many of us will be able to help!
Bastille seems to set up a good firewall in a very easy manner (for me anyway).
Somebody mentioned Andrews and Arnold who certainly seem to offer a very good service from the remarks I've seen on Usenet but are a little expensive for me. I'm thinking of Plusnet.
I'm not actually desperate to have ADSL but I have worked out that as I currently have two lines, one for the telephone and one for the computer, if I can get ADSL I can then get rid of the second line and my current ISP. The saved cost of those will then mean I will pay only a few pounds extra per month for ADSL if I can get it for around 27 pounds including VAT.
Thanks again for all the replies.
Barry Samuels http://www.beenthere-donethat.org.uk The Unofficial Guide to Great Britain
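The design Dan sketches above (drop everything on the firewall except reply packets, NAT the LAN out through the real IP, and forward port 80 to an inside web server) is easier to grasp as an actual ruleset. The script below is an added example written for this thread, not something Dan or Barry posted. It emits an iptables-restore(8) ruleset for the layout in the quoted message; the interface names ppp0 and eth0, the LAN range 10.1.1.0/24, the web server at 10.1.1.2 and the use of the conntrack match are all assumptions. It only generates text, so it can be reviewed before anything is loaded.

```shell
#!/bin/sh
# Added example: ruleset generator for the layout Dan described
#   adsl -- firewall (1.1.1.1 outside, 10.1.1.1 inside) -- LAN
# Interface names, LAN range and the web server address are assumptions.

# gen_rules WAN_IF LAN_IF WAN_IP LAN_NET WEB_HOST
# Prints an iptables-restore(8) ruleset to stdout.
gen_rules() {
    wan_if=$1; lan_if=$2; wan_ip=$3; lan_net=$4; web_host=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# "reply packets only": accept what belongs to a connection we started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the LAN may talk to the firewall itself; nothing unsolicited from the ADSL side
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
# forwarded traffic: LAN out, replies back, plus the one published service
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -d $web_host -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# port forward: $wan_ip:80 -> $web_host:80
-A PREROUTING -i $wan_if -d $wan_ip -p tcp --dport 80 -j DNAT --to-destination $web_host:80
# NAT everything leaving the LAN so it appears to come from the real IP
-A POSTROUTING -o $wan_if -s $lan_net -j SNAT --to-source $wan_ip
COMMIT
EOF
}

# count_rules prints how many -A (append) lines the generated ruleset has,
# a quick sanity check that nothing was dropped by a typo in the heredoc.
count_rules() { gen_rules "$@" | grep -c '^-A'; }

# Usage (as root, after reading the output):
#   gen_rules ppp0 eth0 1.1.1.1 10.1.1.0/24 10.1.1.2 | iptables-restore
```

Note that the FORWARD rule for port 80 matches on the inside address 10.1.1.2, because DNAT in PREROUTING has already rewritten the destination by the time the packet reaches the filter table; the corresponding line in `iptables -nvL` is where you would look to confirm the forward is being hit.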