How to set-up a hardware firewall..?
I was just wondering.. I have this old PII 400 that I gutted to build up my AMD 1.4.. It's on my home LAN and I was wondering... in addition to a software firewall that I am using..(ZA Pro), maybe I could rig up a hardware firewall.. But I have no idea of how to do it, or whether it really offers added protection. Right now I have this machine, AMD 1.4 / Win 2000 with 1 additional Win 98 machine here (the PII 400) and my neighbour's Win98 machine linked up on my home LAN. Could I use this PII 400 as a hardware firewall..? Would I need to install a Hub..?
Thanks in advance.

I'd rather be kayaking
MSN/Hotmail: blackjackshelac@hotmail.com
ICQ: 38739650
"Where there's a will... I want to be in it".
Try this for a howto and link to what you will need.
http://www.dubbele.com/
Hope you can use it. I don't, but I hide behind WinRoute Pro (Tiny)
Croc.
Remember: Wherever you go in life, you take yourself with you. It will be long, it will be hard and there will be no withdrawal.
Winston Churchill
Part of my personal LAN consists of a linux router behind a netgear rt314 along with the serving computer running blackice and ethereal as a packet sniffer monitoring suspicious information.
I think if you plan on running any type of server you should have a hF in place ... if you are using your computer for general use, software fW generally works great.
regards,
greEd
http://www.computerglitch.net
"I'm doing a (free) operating system (just a hobby, won't be big and professional...) for AT clones... It's not portable and it probably [won't ever] support anything other than AT hard disks, as that's all I have :-(." --Posted on Usenet August 1991 by Linus Torvalds
curiosity builds security | dd if=/dev/zero of=/dev/hda bs=512 count=100
EOF
A dedicated box as a firewall will give you a safer internet experience. At least, that is what I have been told.
Your network has another box that is set up in front to take the shocks. The thing you have to do is trust it enough to use it w/out a monitor if you have to. The thing is you don't have to stop using a software firewall but you will find the inbound will be stopped before anything reaches your H/D.
GreED... If you have this setup then what does BlackIce do? Genuine enquiry here with a need to understand.
Croc.
Remember: Wherever you go in life, you take yourself with you. It will be long, it will be hard and there will be no withdrawal.
Winston Churchill
GreED... If you have this setup then what does BlackIce do? Genuine enquiry here with a need to understand.
BlackIce is also a packet sniffer with a little more "activity equation matching" than a standard sniffer. BlackIce acts as the middle man to alert me of specific incoming activities that may (or may not) need addressing.
I can then look up the specific packet in ethereal and get an exact account of what took place and what kinda action I should take.
I know a lot of people here like tiny, za, and so forth but I trust packet logs showing me exactly where the packets are coming/going (personal preference).
http://www.computerglitch.net
"I'm doing a (free) operating system (just a hobby, won't be big and professional...) for AT clones... It's not portable and it probably [won't ever] support anything other than AT hard disks, as that's all I have :-(." --Posted on Usenet August 1991 by Linus Torvalds
curiosity builds security | dd if=/dev/zero of=/dev/hda bs=512 count=100
EOF
np 
http://www.computerglitch.net
"I'm doing a (free) operating system (just a hobby, won't be big and professional...) for AT clones... It's not portable and it probably [won't ever] support anything other than AT hard disks, as that's all I have :-(." --Posted on Usenet August 1991 by Linus Torvalds
curiosity builds security | dd if=/dev/zero of=/dev/hda bs=512 count=100
EOF
All the BSD family have particular areas of focus but all are very similar and robust.
FreeBSD strives to be the performance king on i386, sacrificing platform support to a small degree. Yahoo.com and Microsoft.com use this OS for their webservers and many people argue that it has the best thru-put.
NetBSD strives to run on any hardware - 'of course it runs NetBSD' is their motto.
OpenBSD prides itself on 'proactive security audits' and strong cryptography throughout - they are constantly reviewing the code for holes, but it doesn't even support SMP. 'four years without a remote hole in the default install'
All in all they are very similar. FreeBSD is probably the most newbie-friendly and definitely has the larger following. That translates into more user groups and people to ask for help. On the other hand, when you do find a person who knows OpenBSD well, they are EXPERTS - make sure you do your homework before asking questions to newsgroups.
http://www.freebsd.org
http://www.openbsd.org
http://www.netbsd.org
linux can be just as good for a firewall and you have SO many options for support. You just need to be careful of the distro specs. There are so many different people contributing and distros - where BSD development is fairly centralized.
no flames here. all are quality OS's at the kernel.
The thing I like about all of these is that it is easy to configure a 3-leg (or more) firewall. Just plug 3 NICs into one box. NIC1 for the WAN/modem, NIC2 for your private LAN/gaming, NIC3 for your public servers. You set the rules on a per-NIC basis so you can allow server access without exposing your personal machine.
Skye
anything is possible - nothing is free

Blisster wrote:It *would* be brokeback bay if I in fact went and hung out with Skye and co (did I mention he is teh hotness?)
By the way, a pII400 is way too much horsepower. Not that its a problem, but you could run 100 users behind a pair of T1's with that. Unless your rulesets are EXTREMELY complex, you will never need that many cycles. a 486 with 16MB of RAM would be more that you need.
anything is possible - nothing is free

Blisster wrote:It *would* be brokeback bay if I in fact went and hung out with Skye and co (did I mention he is teh hotness?)
Just use Freesco. My friend runs it as a hardware firewall on an old 90MHz Pentium w/ 16MB RAM. It runs and boots off a floppy - so no need for a hard drive! Just needs at least 8MB of RAM.
I probed it with a security scan - no ports open. It works really good
This is definitely not for n00bs though
i'm going to become rich and famous after i invent a device that allows you to stab people in the face over the internet
I'm going to echo cyberskye's response. I would put a copy of FreeBSD(<- only because that's the distro I'm most comfortable with) on the machine. OpenBSD and NetBSD are just as good and in some cases OpenBSD is better because of the default install behavior. But both FreeBSD and NetBSD can be configured to be as safe as OpenBSD.
With that amount of hardware, you could also do it with Windows NT/2000. The difference between doing it with a Windows OS is that you're going to have to spend a lot of time "crippling" the built-in functionality of Windows (disabling IIS 5.0, killing its ability to service logon requests, disabling unused services, editing out the default behavior in the registry, hardening the OS against various forms of DoS attacks, etc.).
Making windows secure is a challenge indeed - almost easier to write your own os 
Remember, tho, that the biggest threat to any of our home LANs is trojans. If you aren't careful what you download, you won't ever have a secure and functional internet connection. Also you really need to understand rulesets - learn your protocols and the apps that use them. It's not rocket science...more like accounting. If you miss one little thing....kinda defeats the purpose to going to all the effort.
What cracker (other than a lonely, bored scrx kitty) would really target even a reasonably secure home pc? There are so many easy targets out there...
anything is possible - nothing is free

Blisster wrote:It *would* be brokeback bay if I in fact went and hung out with Skye and co (did I mention he is teh hotness?)
- Stef
- Advanced Member
- Posts: 712
- Joined: Sun Apr 16, 2000 12:00 am
- Location: Edmonton, Alberta, Canada
Don't bother with any BSD os for your firewall.
Stateful packet inspection introduced in the new 2.4 series of Linux kernels (IPTables) is way better than IPFilter used in FreeBSD. Besides, the new Linux kernel has better hardware support, better performance, and more functionality than any BSD kernel.
Things weren't always this way, IPChains (used in the 2.2 series of Linux kernels) really sucked. IPTables blows it away and introduces so many new features like packet mangling and connection state matching.
Stef
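Two posts above describe the pieces without showing them together: Skye's three-leg firewall (one NIC each for WAN, private LAN and public servers, with rules set per NIC) and Stef's point about connection state matching in the 2.4 netfilter/iptables code. The script below is an added example written for this thread, not code from any poster; interface names (eth0/eth1/eth2), the two private subnets and the DMZ web server address are assumptions. It uses the `-m state` match of the 2.4 era (still accepted today; `-m conntrack --ctstate` is the newer spelling) and a dry-run wrapper so the ruleset can be reviewed before it is applied to a real box.

```shell
#!/bin/sh
# Added example: a three-leg (WAN / LAN / DMZ) stateful ruleset for Linux iptables.
# Interface names, subnets and the web server address are assumptions, not from the thread.
WAN=${WAN:-eth0}                    # NIC1: modem / WAN side
LAN=${LAN:-eth1}                    # NIC2: private LAN (desktops, gaming)
DMZ=${DMZ:-eth2}                    # NIC3: public servers
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed private LAN subnet
DMZ_NET=${DMZ_NET:-192.168.2.0/24}  # assumed DMZ subnet
WEB=${WEB:-192.168.2.10}            # assumed public web server living in the DMZ

# ipt wraps iptables. With DRY_RUN=1 it prints each command instead of applying it,
# so the whole ruleset can be read (or diffed) before it touches a live firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Flush and default-deny: anything not explicitly allowed below is dropped.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT

    # Connection state matching: replies to conversations that an inside host
    # (or the firewall itself) opened are let back in; packets with bogus state are dropped.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state INVALID -j DROP

    # Per-NIC policy, leg by leg.
    # LAN may open connections to the Internet and to the DMZ servers.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$DMZ" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # The Internet may reach the DMZ only on the one published service (HTTP to $WEB).
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$WEB" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # DMZ servers may talk out to the Internet but never open connections into the
    # private LAN: a compromised public server must not be able to reach the desktops.
    ipt -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -m state --state NEW -j LOG --log-prefix "DMZ-to-LAN: "
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -j DROP

    # Management of the firewall box itself only from the LAN leg.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # NAT: hide both inside legs behind the WAN address and publish the web server.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    ipt -t nat -A PREROUTING  -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB":80
}

# Sanity check on a dry-run listing: the FORWARD chain must default to DROP and
# no rule may ACCEPT traffic coming in on the WAN leg and going out to the LAN leg.
check_rules() {
    listing=$(DRY_RUN=1 build_rules)
    echo "$listing" | grep -q -- '-P FORWARD DROP' || return 1
    echo "$listing" | grep -- "-i $WAN -o $LAN" | grep -q ACCEPT && return 1
    return 0
}

case "${1:-}" in
    apply) build_rules ;;           # needs root and a 2.4+ kernel with netfilter
    show)  DRY_RUN=1 build_rules ;; # print the ruleset without applying it
    check) check_rules && echo "ruleset OK" ;;
esac
```

Run `sh fw.sh show` to read the generated commands, `sh fw.sh check` for the two policy assertions, and `sh fw.sh apply` as root on the firewall box. The ordering matters: the state rules sit first so established flows are matched once, and each leg's NEW-connection rules come after them, so the per-NIC policy only ever has to decide who may start a conversation.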
Most of what he states may be true, but for a firewall obscurity can be an advantage. The biggest problem with IIS is that it is microsoft (which makes it a target as a matter of principle for some) and is so widely deployed in environments that don't have the most knowledgeable IT staff.
Gauging the original post (no offense at all) there doesn't appear to be much knowledge in the area of custom-kernel building. OpenBSD has the most secure default install by far. That is another advantage for those who do not have the time nor desire to go as in-depth as that route might require.
Next time an exploit is discovered in anything Linux, go to a BSD board and you will find that it has already been patched in OpenBSD (probably months before). Neither is better than the other, but as a dedicated security appliance on a home LAN for someone who doesn't care to learn C and research all the options required to remove the undesired services and patch all the current exploits, OpenBSD makes the most sense to me.
On the other hand, if I were running a busy network or site thru T3+, I wouldn't disagree that the latest and greatest filtering by Linux would be faster throughput (cuz that is what I have heard too), but I would still use BSD on any exposed host - webserver, mailserver, etc. Exploits are still found in those server apps but the OS is rocksolid by default. If an attacker realizes they are facing BSD they generally look elsewhere. Some folks might see it as a challenge and get even more excited, but people who are that good are getting into any system - regardless of OS.
No flames here. As I said, both are quality OS's. Linux strives to be what Microsoft should've been (had they not been so greedy and anti-competitive) by being very user-friendly, supporting the most software of any *nix, and more bells and whistles in general. That is a good thing as many people don't necessarily want to code in C or script in Perl to use a pc that has quality (usually free) software - and they shouldn't have to.
My $.02
anything is possible - nothing is free

Blisster wrote:It *would* be brokeback bay if I in fact went and hung out with Skye and co (did I mention he is teh hotness?)
Much appreciated people.. You answered my question (and then some). Course, most of it went way over my head ! As a matter of fact, I was amazed to see it still going!
I use the old computer much like everyone else, and with the exception of an ftp server going at times, and P2P file sharing, I don't do anything that exotic. Think I will stick to a software firewall..I'd be lost with the technical aspect many of you raised...
Once again..thanks for your help!

I'd rather be kayaking
MSN/Hotmail: blackjackshelac@hotmail.com
ICQ: 38739650
"Where there's a will... I want to be in it".