Fedora and Snort HW firewall

[ss2chef]

Originally posted here by customwebman
Their IP pings at TTL=246
But the website navigation is like waiting for paint to dry
is this perhaps the Firewall in action?
Are you experiencing the same delays?

Have a delay here too

Smoothwall is a fine firewall for getting feet wet

Your supposition is just silly. Smoothwall is in wide use and is known to work quite well.
Could be many reasons for slowness but hey...There is always google which will net a ton
of hits on "linux firewall"

[ss2chef]

Originally posted here by customwebman
ss2chef
Router is managed by provider of T1, it is open.

I thought I could put a FW box upstream of router between it and t1
input.

Well you would have to get a card to add to your box to terminate your T1
It's not simply Ethernet
Then your firewall is really a router now which will provide an interesting session or two
of rules configuration. All very messy when you can just let your routers route and
then pass to your firewall.

In front of your router is the wrong place IMO.

[customwebman]

Linux firewall on Google I have tried, that is why I am asking my peers for advice.

I'l keep my humor to myself in future.

[customwebman]

ss2chef

I take your point, so I should place the hardware between the router and the switch.
Excuse my ignorance but I have two feeds from router going to different switches.
Does it follow that I should place another box between second outlet from router
to second switch? Or is there an easier or better way?

Thank you

[SirDice]

I'l keep my humor to myself in future.

Always difficult. Please keep in mind that some (if not most) of us don't speak english as a native language. What might be funny in one language maybe offensive in an other.
Also note that written (text) humor is quite different from spoken humor. It's all to do with the way you say it. Correct punctuation and/or smileys can help

It doesn't work so it must be crap. This can be funny when pronounced with some cynicism but that's hard to put on paper

[customwebman]

Should this be my plan?

Install Smoothwall to PC with two nics and place between router and switch.

Is there anything else I should consider at this stage?

[ss2chef]

SirDice makes a good point about the DMZ.
Is it possible to put the servers open to the UNTRUSTED public on a seperate segment?

I'm cool with humor..really

Most Linux will provide an IPTABLES offering to you but I like the canned stuff for newer users
as the rulesets can be a pain with multiple interfaces for users new to netfilter.

Is an off the shelf product an option?

[ss2chef]

Originally posted here by customwebman
Should this be my plan?

Install Smoothwall to PC with two nics and place between router and switch.

Is there anything else I should consider at this stage?

3 NICS might be better.

NIC1 = public untrusted interface
NIC2 = DMZ with both servers behind it
NIC3 = LAN Workstations and whatnot

How you configure can depend on what IP structure you have.
Do you only have a single public IP to work with or do you have a block to use?

Smoothwall is one of many canned options.
I like it cause it has other features like snort, proxy, and basic bandwith monitoring for
each interface. It's also managed via a web page interface which is nice if you are new to
commandline on Linux.

[customwebman]

Cisco router feeds to eth0 with about a dozen ip's in one block and
about 120 ip's in another

Second or eth1 feeds about 20 ips

It would be a lot of work to move servers to one block because
we added as we needed. But it might be possible to isolate most
on eth0.

Still need to get physical layout clear in my mind.

Servers all within 50 feet.

Revised plan


T1 -- router -- smoothwall -- (eth0) webserver, dns, Internet based servers.
| |
(eth1) (local net)
non critical




How does this fit in with your suggestions?

[ss2chef]

Am I mistaken? It looks like in your diagram that localnet is outside any firewall.

Maybe you need:

router -- (eth0)smoothwall1(eth1)webserver, dns, Internet based servers.
|
|
(eth0)Smoothwall2(eth1) Localnet



Okay now I see your edit..
Seems we are on the same page now.