Linux Today: Linux News On Internet Time.

GBdirect: Firewalling with Linux

Apr 09, 2000, 05:26

"Using a configuration like this, it is simple to set up and control web access for staff inside the firewall - they simply point their browsers at the proxy on the inner firewall machine. This setup also provides an excellent email service if wanted. ... Some organisations also choose to run the Samba software so that the inner system can provide file and print sharing services for Windows PCs."

"The external connection to the Internet can be via ISDN dial-up, using either a slot-in card on the outer proxy host or a separate external router. If the usage grows to the point where a permanent connection is required, there is no need to go to the extra expense of purchasing a leased-line router; an X.21 card can be plugged into the host instead."

"The system is based on two machines running Linux from Red Hat (Release 5.1). Each machine contains two Ethernet cards, and runs both sendmail and Squid. The inner of the two machines will accept only telnet, FTP, mail and web requests (via Squid). It will only accept such connections from the machines on the internal network or (optionally) from the outer machine. Telnet and FTP requests are handled by the standard Linux telnet and FTP daemons. Web requests are only accepted if they are directed to the squid proxy on the inner machine. ... Since the outer firewall machine is not visible to any of the machines on the internal network, web requests are forced to go through the squid on the inner machine. ... The outer of the two machines will accept only mail delivery requests from the outside world, thus providing protection against unwanted connections. It will accept FTP and telnet connections from the inner firewall machine, allowing remote maintenance of the machine. It will also handle web requests via its own copy of squid, thus providing web access. Mail is handled in a similar waterfall fashion. The proxy (sendmail) on the outer machine accepts mail for the relevant domains, but simply forwards it to the proxy running on the inner firewall machine. In turn, this sends the mail on to the machine(s) on the internal network that actually handle the mail."
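The accept rules quoted above, written down as a policy table with a small tracer that follows a request through the inner/outer "waterfall". This is an added example, not code from the GBdirect article; the zone names, the "lan-mailhost" host and the inner-Squid-to-outer-Squid parent hop are assumptions made to model the description.

```python
"""Policy model of the two-host (inner/outer) Linux firewall design described above.

POLICY maps each host to the services it accepts and the zones allowed to open them.
RELAYS records where each proxy forwards a request it has accepted (the waterfall).
Zone/host names and the inner->outer Squid parent hop are assumptions of this model.
"""

POLICY = {
    # inner machine: telnet, FTP, mail and Squid only, from the LAN or (optionally) outer
    "inner": {"telnet": {"lan", "outer"}, "ftp": {"lan", "outer"},
              "smtp": {"lan", "outer"}, "squid": {"lan", "outer"}},
    # outer machine: SMTP from the Internet; telnet/FTP (maintenance) and Squid from inner
    "outer": {"smtp": {"internet"}, "telnet": {"inner"}, "ftp": {"inner"},
              "squid": {"inner"}},
    # assumed internal mail host, reachable only via the inner sendmail
    "lan-mailhost": {"smtp": {"inner"}},
    # the outside world, reachable only from the outer machine
    "internet": {"smtp": {"outer"}, "http": {"outer"}},
}

RELAYS = {
    ("inner", "squid"): ("outer", "squid"),      # inner Squid uses outer Squid as parent
    ("outer", "squid"): ("internet", "http"),    # outer Squid fetches from the Internet
    ("outer", "smtp"): ("inner", "smtp"),        # outer sendmail forwards inbound mail
    ("inner", "smtp"): ("lan-mailhost", "smtp"), # inner sendmail delivers to the LAN host
}


def accepts(dst, service, src_zone):
    """True if host `dst` accepts `service` connections originating in `src_zone`."""
    return src_zone in POLICY.get(dst, {}).get(service, set())


def exposed(src_zone):
    """Every (host, service) that `src_zone` may connect to directly."""
    return {(h, s) for h, svcs in POLICY.items()
            for s, zones in svcs.items() if src_zone in zones}


def trace(src_zone, dst, service):
    """Follow a request hop by hop; return the host path, or None if any hop is refused."""
    path = [src_zone]
    hop = (dst, service)
    while True:
        if not accepts(hop[0], hop[1], path[-1]):
            return None                       # refused at this hop: connection blocked
        path.append(hop[0])
        if hop not in RELAYS:
            return path                       # final destination reached
        hop = RELAYS[hop]                     # proxy relays onward under its own identity
```

`exposed("internet")` is the design's attack surface from outside (only the outer machine's SMTP), and `trace` shows that LAN web traffic must pass inner Squid, then outer Squid.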
