Ok, it's good if you have one firewall; if you have more, the best is pica http://pica.sf.net
I have the scripts on one server, with CVS for versioning them.
On Wed, 30-03-2005 at 19:44 -0500, ryanag@zoominternet.net wrote:
I would add the below:
- Recommend using CentOS 4.0.
- Use the squid rpm, not the tar (this is for new users, I'm guessing).
- Recommend using etherape and iptraf (available as rpms) for a graphical overview of traffic. http://etherape.sourceforge.net/
- Recommend the use of chkrootkit and TCP Wrappers (at the least put ALL: ALL EXCEPT PARANOID in /etc/hosts.allow) to protect servers.
- Provide some information about how to protect the whole network from spyware with the /etc/hosts file (a nice side benefit of doing DNS proxy). http://www.mvps.org/winhelp2002/hosts.htm
- A *huge* disclaimer on running squid on a machine with a public interface.
- Consider using webmin to manage this outside a GUI.
- fwlogwatch can parse log files nicely. http://fwlogwatch.inside-security.de/
Biggest issue I have with your setup:
-I wouldn't use Guard Dog as the GUI setup - it is very nice, but inflexible and not really meant for what you are doing. Try kmyfirewall instead if you want a GUI for iptables. It offers near complete control of iptables functions. If you can get along with using webmin, try shorewall.
*If* this is going to be in a bigger than SOHO (30+ PCs) network, go with shorewall.
Just my $.02, good luck with the site, it'll help a lot of people. :-)
On Wednesday 30 March 2005 13:27, Seth Bardash wrote:
To the list:
HOW-TO on DNS + DHCP + SQUID + Firewall + Router
Since this seems to be a recurring topic:
Thought you might be interested in a working setup of a DNS + DHCP + SQUID + Firewall + Router machine that took quite an effort to get working but now runs flawlessly.
Don't get discouraged. This takes some time to set up correctly but once you get through it - it works great!
Remember: tcpdump is your friend!!!!
Anyone having a network internally that needs these features should continue reading:
We set up a new firewall based on CentOS 3.3. (3.4 should work fine)
We needed it to serve many protocols internally.
The specifications for it are:
- NOT Microsoft based (we are an MS Partner with all the software, but I wanted something that was MS virus proof)
- KDE graphical firewall control
- External Internet LAN port x 1
- Internal networks x 2 (more can be added) -> we used 192.168.0.X and 192.168.1.X
- DNS name caching server - internal and external, forward and reverse lookups
- DHCP server that does ddns-update internally
- Squid server
- IP masquerading
- Routing between all networks
Hardware:
- Old P3-800 based system (only non-AMD system we run)
- 3 x Intel Pro 100 NICs (we have a big box of these)
- 1GB SDRAM
- 40GB IDE disk
- CDROM drive
- Floppy
- Standard PC case with extra cooling and 400 W PS
This hardware is overkill as it never runs above 30% load. Any machine supported by CentOS with > 600 MHz CPU and 512M memory should do.
Software:
- CentOS 3.3 full install (lessens the chance of missing packages)
- Guarddog firewall RPM for CentOS (http://centos.hughesjr.com/3/guarddog/RPMS/)
- Guidedog router/masquerader RPM for RH9 (works fine) (http://www.simonzone.com/software/guidedog/guidedog-1.0.0-1_rh9.i386.rpm)
- Squid source tarball
First install CentOS and set it for a KDE graphical boot up. Turn off all services not used. Leave iptables on but turn off ip6tables.
Then install Guarddog, then install Guidedog. Configure both of the above - read the instructions for these carefully. Questions for these should go to the writer or his mail forum. Make sure to enable DHCP for eth1 and eth2 BUT NOT eth0 (external LAN NIC).
Make sure you can see the internet from the inside LANs with the clients set to use static IPs.
NEXT ---
Please read the instructions on how to set up DHCP and bind(DNS) here:
http://integratedsolutions.org/downloads/DHCP-DDNS.txt
Read this multiple times and make sure you understand it!
Cut and paste can be an enemy. Be careful which editor you use.
This setup allows us to have any number of machines on our internal network automagically connected to each other and the internet, with all the IP information coming from our firewall / router / masquerader / squid server.
It works for forward and reverse DNS internally for Windows and Linux clients and servers.
It also speeds up client internet traffic by caching most outside pages.
Install squid per the INSTALL in the source tarball and add a startup entry to either chkconfig or rc.local. We set it to use 5 GB of disk cache and start automatically at boot time. We used the standard proxy port.
We configured squid using webmin and this works fine.
We added webmin just to see how well it works: it can break DNS and DHCP easily if you are not careful, but it was helpful getting squid working.
Read up on syslogd and change the config file (or use webmin) to rotate logs every day and keep 7 to 14 old logs for back-checking purposes. This will limit log size and make it easier to find any problems.
Your mileage may vary.
Standard software disclaimer applies.
If this is helpful drop me an email so I know.
If this needs work drop me an email with specifics.
We will be adding a knowledgebase to our website with complete instructions for this in the next few weeks.
Best
Seth Bardash
Integrated Solutions and Systems
seth@integratedsolutions.org
719-495-5866
Failure can not cope with perseverance!
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
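The ruleset the thread describes (eth0 external, eth1/eth2 internal, masquerading, DNS/DHCP/squid served only to the inside) written out by hand, as an added example that is not from any of the posters nor generated by Guarddog/Guidedog. Interface names, the two inside subnets, the squid port (3128), sshd on 22 and the log prefixes are assumptions; the script prints the rules for review by default and only applies them when run as root with the argument apply.

```shell
#!/bin/sh
# Added example, not from the thread or from Guarddog/Guidedog: a hand-written
# iptables ruleset for the DNS + DHCP + squid + router box described above.
# Assumptions (adjust to your box): eth0 is the external NIC, eth1/eth2 the
# internal ones, the inside nets are 192.168.0.0/24 and 192.168.1.0/24, squid
# listens on 3128 and sshd on 22.
EXT=eth0
INT_IFS="eth1 eth2"
INT_NETS="192.168.0.0/24 192.168.1.0/24"
SQUID_PORT=3128

# fw_rules prints one iptables command per line instead of running it, so the
# ruleset can be read, diffed and checked into CVS before it touches the box.
fw_rules() {
    # Start clean; default-deny for the host itself and for forwarded traffic.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ifc in $INT_IFS; do
        # DNS, DHCP, squid and ssh are opened per internal NIC only; no rule
        # below mentions $EXT in an INPUT ACCEPT, which is the point of the
        # "squid on a public interface" warning in the thread.
        echo "iptables -A INPUT -i $ifc -p udp --dport 53 -j ACCEPT"
        echo "iptables -A INPUT -i $ifc -p tcp --dport 53 -j ACCEPT"
        echo "iptables -A INPUT -i $ifc -p udp --sport 68 --dport 67 -j ACCEPT"
        echo "iptables -A INPUT -i $ifc -p tcp --dport $SQUID_PORT -j ACCEPT"
        echo "iptables -A INPUT -i $ifc -p tcp --dport 22 -j ACCEPT"
        # Inside nets may reach the Internet and each other.
        echo "iptables -A FORWARD -i $ifc -o $EXT -j ACCEPT"
        for peer in $INT_IFS; do
            [ "$ifc" = "$peer" ] || echo "iptables -A FORWARD -i $ifc -o $peer -j ACCEPT"
        done
    done
    # Log what the default policy is about to drop, rate-limited, with a fixed
    # prefix so fwlogwatch (or grep) can pick the lines out of /var/log/messages.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"FW-IN-DROP: \""
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FW-FWD-DROP: \""
    # Masquerade only inside sources leaving through the external NIC.
    for net in $INT_NETS; do
        echo "iptables -t nat -A POSTROUTING -s $net -o $EXT -j MASQUERADE"
    done
}

# count_ext_listeners prints how many INPUT ACCEPT rules are bound to the
# external NIC; for this design the answer has to be 0.
count_ext_listeners() {
    fw_rules | grep -c -- "-A INPUT -i $EXT .*-j ACCEPT" || true
}

case "${1:-}" in
    apply)  # run as root: sh fw.sh apply
        echo 1 > /proc/sys/net/ipv4/ip_forward
        fw_rules | while IFS= read -r cmd; do eval "$cmd"; done
        ;;
    *)      # default: just print the ruleset for review
        fw_rules
        ;;
esac
```

Run `sh fw.sh` to read the rules and `sh fw.sh apply` as root to load them; `count_ext_listeners` is the check to run after any edit, since the rule you least want to lose track of is one that opens 3128 or 53 on eth0. The packet filter is only half of the squid disclaimer: also set `http_port` to the inside addresses and restrict `http_access` to the inside nets in squid.conf, so the proxy stays closed even if a rule is dropped later.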
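The DHCP-with-DDNS piece of the setup (dhcpd updating the internal forward and reverse zones in bind), as an added example that is not from the thread or from the DHCP-DDNS.txt it links to. It writes matching dhcpd.conf and named.conf fragments sharing one TSIG key, with named bound to and answering only the inside addresses, and includes the check a practitioner wants before restarting either daemon: both files name the same key and no zone accepts updates from `any`. The domain office.lan, the key name, the secret placeholder, the inside addresses and the upstream resolver 203.0.113.53 are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from the DHCP-DDNS.txt it links to:
# write matching dhcpd.conf and named.conf fragments so dhcpd can update the
# internal forward and reverse zones over a TSIG key, while named listens on
# and answers only the inside addresses. Domain, key name, secret and all
# addresses are placeholders; replace them for your network.
DOMAIN=${DOMAIN:-office.lan}
KEY_NAME=${KEY_NAME:-DHCP_UPDATER}
# Make a real secret once with: dnssec-keygen -a HMAC-MD5 -b 128 -n HOST $KEY_NAME
KEY_SECRET=${KEY_SECRET:-REPLACE_WITH_BASE64_SECRET==}
NS_IP=192.168.0.1            # this box on eth1
NS_IP2=192.168.1.1           # this box on eth2
UPSTREAM=203.0.113.53        # ISP resolver, placeholder (TEST-NET address)

write_dhcpd_conf() {   # $1 = output file
cat > "$1" <<EOF
ddns-update-style interim;
ddns-updates on;
ddns-domainname "$DOMAIN";

key $KEY_NAME {
    algorithm hmac-md5;
    secret "$KEY_SECRET";
}
zone $DOMAIN. {
    primary $NS_IP;
    key $KEY_NAME;
}
zone 0.168.192.in-addr.arpa. {
    primary $NS_IP;
    key $KEY_NAME;
}

# Only inside subnets are declared, so dhcpd has nothing to offer on eth0.
# Repeat the subnet and a 1.168.192.in-addr.arpa zone for 192.168.1.0/24.
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;
    option routers $NS_IP;
    option domain-name-servers $NS_IP;
    option domain-name "$DOMAIN";
}
EOF
}

write_named_conf() {   # $1 = output file
cat > "$1" <<EOF
key $KEY_NAME {
    algorithm hmac-md5;
    secret "$KEY_SECRET";
};
acl inside { 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };
options {
    directory "/var/named";
    # Bind only to loopback and the inside NICs and refuse outside queries,
    # so the caching server never becomes an open resolver on eth0.
    listen-on { 127.0.0.1; $NS_IP; $NS_IP2; };
    allow-query { inside; };
    allow-recursion { inside; };
    forwarders { $UPSTREAM; };
};
zone "$DOMAIN" {
    type master;
    file "$DOMAIN.zone";
    allow-update { key $KEY_NAME; };
};
zone "0.168.192.in-addr.arpa" {
    type master;
    file "0.168.192.in-addr.arpa.zone";
    allow-update { key $KEY_NAME; };
};
EOF
}

# write_ddns_config writes both fragments into directory $1.
write_ddns_config() {
    write_dhcpd_conf "$1/dhcpd.conf"
    write_named_conf "$1/named.conf"
}

# check_ddns_config: both files must declare the same TSIG key name, and
# named.conf must never grant updates to "any". Returns 0 on pass, 1 on fail.
check_ddns_config() {
    dk=$(awk '$1 == "key" && $3 == "{" { print $2 }' "$1/dhcpd.conf")
    nk=$(awk '$1 == "key" && $3 == "{" { print $2 }' "$1/named.conf")
    [ -n "$dk" ] && [ "$dk" = "$nk" ] || return 1
    if grep -q 'allow-update *{ *any' "$1/named.conf"; then return 1; fi
    return 0
}

# Usage: sh ddns-config.sh /tmp/ddns   (then merge the fragments by hand)
[ -z "${1:-}" ] || { write_ddns_config "$1" && check_ddns_config "$1"; }
```

The fragments are meant to be merged into the existing files rather than dropped in whole; the key stanza must be byte-identical on both sides, which is why one script emits both. Keep the secret out of world-readable files (dhcpd.conf and named.conf are usually readable only by root and the daemon user) and out of CVS if you version the configs as the first reply suggests.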