[CentOS] CentOS as an internet gateway

Thu Mar 31 01:52:48 UTC 2005
ryanag at zoominternet.net <ryanag at zoominternet.net>

If I were to make a pitch for using CentOS as a firewall, I would point
to:

-enhanced flexibility in creating firewall rules vs commercial
firewalls.

-no charge per # of clients, licensing issues, etc.

-high availability of useful packages and servers (snort, fwlogwatch,
pica, iptraf, squid, privoxy, openSSH, poptop, etc).

-plenty of layered security (remote logging, TCP wrappers, rate
limiting, iptables rules, SE Linux, etc)



If I were to make a pitch against using CentOS as a firewall, I would
point to:

-Very, very bloated compared to other firewall-only distros.
( http://m0n0.ch/wall/ is all of 6.5 MB)

-It's (dangerously) tempting to use yum to get every server/daemon you
can running on the firewall box simply because it's free and easy.

-Slower performance compared to streamlined firewall-only products.

-Generally, many beginners won't be able to adequately secure their
CentOS box to make it as secure as a dedicated firewall appliance.



In the end, there is a trade-off. I personally run CentOS as a firewall
(I used to run m0n0wall, then IPCop), and love the flexibility it gives
me.

YMMV



On Thu, 2005-03-31 at 02:28 +0100, Miki Vazquez wrote:
> Ok, it's good if you have one firewall; if you have more, the best is pica
> http://pica.sf.net
> 
> I have the scripts on one server, with cvs to version them.
> 
> 
> On Wed, 30-03-2005 at 19:44 -0500, ryanag at zoominternet.net wrote:
> > I would add the below:
> > 
> > -Recommend using CentOS 4.0
> > -Use squid rpm, no tar (this is for new users I'm guessing).
> > -Recommend using etherape and iptraf (available as rpms) for a graphical
> > overview of traffic. http://etherape.sourceforge.net/
> > -Recommend the use of chkrootkit, and TCP Wrappers (at the least put 
> > ALL: ALL EXCEPT PARANOID in /etc/hosts.allow) to protect servers.
> > -Provide some information about how to protect the whole network from 
> > spyware with the /etc/hosts file (a nice side benefit from doing DNS
> > proxy). http://www.mvps.org/winhelp2002/hosts.htm
> > -A *huge* disclaimer on running squid on a machine with a public 
> > interface.
> > -Consider using webmin to manage this outside a GUI.
> > -fwlogwatch can parse log files nicely.
> > http://fwlogwatch.inside-security.de/
> > 
> > 
> > 
> > Biggest issue I have with your setup:
> > 
> > -I wouldn't use Guard Dog as the GUI setup - it is very nice, but 
> > inflexible and not really meant for what you are doing.
> > Try kmyfirewall instead if you want a GUI for iptables. It offers near 
> > complete control of iptables functions. 
> > If you can get along with using webmin, try shorewall.
> > 
> > *If* this is going to be in a bigger than SOHO (+ 30 PC) network, go
> > with shorewall.
> > 
> > 
> > Just my $.02, good luck with the site, it'll help a lot of people. :-)
> > 
> > 
> > On Wednesday 30 March 2005 13:27, Seth Bardash wrote:
> > > To the list:
> > >
> > > HOW-TO on DNS + DHCP + SQUID + Firewall + Router
> > >
> > > Since this seems to be a recurring topic:
> > >
> > > Thought you might be interested in a working set up of
> > > DNS + DHCP + SQUID + Firewall + Router machine that took
> > > quite an effort to get working but now runs flawlessly.
> > >
> > > Don't get discouraged. This takes some time to set up
> > > correctly but once you get through it - it works great!
> > >
> > > Remember: tcpdump is your friend!!!!
> > >
> > > Anyone having a network internally that needs these
> > > features should continue reading:
> > >
> > > We set up a new firewall based on CentOS 3.3. (3.4 should work fine)
> > >
> > > We needed it to serve many protocols internally.
> > >
> > > The specifications for it are:
> > >
> > > NOT Microsoft based
> > > (We are a MS Partner with all the software but I wanted something
> > > that was MS virus proof)
> > >
> > > KDE Graphical Firewall Control
> > > External Internet LAN Port x 1
> > > Internal Networks x 2 (more can be added) -> we used 192.168.0.X and
> > > 192.168.1.X
> > > DNS Name Caching Server - internal and external, forward and reverse
> > > lookups
> > > DHCP Server that does ddns-update internally
> > > Squid Server
> > > IP Masquerading
> > > Routing between all networks
> > >
> > > Hardware:
> > >
> > > OLD P3-800 Based System (Only non AMD system we run)
> > > 3 x Intel Pro 100 NIC's (We have a big box of these)
> > > 1GB SDRAM
> > > 40GB IDE Disk
> > > CDROM Drive
> > > Floppy
> > > Standard PC Case with extra cooling and 400 w ps.
> > >
> > > This hardware is overkill as it never runs above 30% load.
> > > Any machine supported by CentOS with > 600 MHz CPU and 512M Memory
> > > should do.
> > >
> > > Software:
> > >
> > > Centos 3.3 Full Install (Lessens the chance of missing packages)
> > >
> > > Guarddog Firewall RPM for Centos
> > > (http://centos.hughesjr.com/3/guarddog/RPMS/)
> > > Guidedog router/masquerader RPM for RH9 (works fine)
> > > (http://www.simonzone.com/software/guidedog/guidedog-1.0.0-1_rh9.i386.rpm)
> > >
> > > Squid source tar ball.
> > >
> > > First install Centos and set it for a KDE graphical boot up.
> > >  Turn off all services not used
> > >  Leave Iptables on but turn off IP6tables
> > >
> > > Then Install Guarddog
> > > Then install Guidedog
> > > Configure both of the above - read the instructions for these carefully.
> > >   - questions for these should go to the writer or his mail forum
> > >   - Make sure to enable DHCP for eth1 and eth2 BUT NOT eth0 (external LAN NIC)
> > >
> > > Make sure you can see the internet from the inside LANs with the
> > > clients set to use static IPs.
> > >
> > > NEXT ---
> > >
> > > Please read the instructions on how to set up DHCP and bind(DNS) here:
> > >
> > > http://integratedsolutions.org/downloads/DHCP-DDNS.txt
> > >
> > > Read this multiple times and make sure you understand it!
> > >
> > > Cut and paste can be an enemy. Be careful which editor you use
> > >
> > >
> > > This set up allows us to have any number of machines on our internal
> > > network automagically connected to each other and the internet with
> > > all the IP information coming from our firewall / router / masquerader /
> > > squid server.
> > >
> > > It works for forward and reverse DNS internally for Windows and linux
> > > clients and servers.
> > >
> > > It also speeds up client internet traffic by caching most outside
> > > pages.
> > >
> > > Install squid per the INSTALL in the src tar ball and
> > > add a startup entry to either chkconfig or rc.local.
> > > We set it to use 5 GB of disk cache and start
> > > automatically at boot time. We used the standard proxy port.
> > >
> > > We configured squid using webmin and this works fine.
> > >
> > > We added Webmin just to see how well it works:
> > > It can break DNS and DHCP easily if you are not careful but it was
> > > helpful getting squid working.
> > >
> > > Read up on syslogd and change the config file (or use webmin) to
> > > rotate logs every day and keep 7 to 14 old logs for back checking
> > > purposes. This will limit log size and make it easier to find any
> > > problems.
> > >
> > > Your mileage may vary.
> > >
> > > Standard software disclaimer applies.
> > >
> > > If this is helpful drop me an email so I know.
> > >
> > > If this needs work drop me an email with specifics.
> > >
> > > We will be adding a knowledgebase to our website with complete
> > > instructions for this in the next few weeks.
> > >
> > > Best
> > >
> > > Seth Bardash
> > >
> > > Integrated Solutions and Systems
> > >
> > > seth at integratedsolutions.org
> > >
> > > 719-495-5866
> > >
> > > Failure can not cope with perseverance!
> > 
> > 
> > 
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
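The thread above recommends keeping 7 to 14 days of rotated logs on the gateway and using fwlogwatch to parse them. The script below is an added example, not code from any of the posters or from fwlogwatch: a small fwlogwatch-style summary of netfilter LOG lines in /var/log/messages. It assumes a logging rule such as `iptables -A INPUT -i eth0 -j LOG --log-prefix "FW-DROP: "` (the prefix is an assumption); the sample log lines are constructed and use documentation addresses only. It counts logged packets per source and per (protocol, destination port) and flags sources that touched several distinct ports, which is the kind of thing a back check of old logs is meant to surface.

```python
"""Summarise netfilter LOG lines from a syslog file (a small fwlogwatch-style report).

Assumption (not from the thread): dropped packets are logged with a rule such as
    iptables -A INPUT -i eth0 -j LOG --log-prefix "FW-DROP: "
so the kernel writes lines of the form
    Mar 31 01:52:48 gw kernel: FW-DROP: IN=eth0 OUT= SRC=... DST=... PROTO=TCP ... DPT=...
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample of /var/log/messages (documentation addresses only).
SAMPLE_LOG = """\
Mar 31 01:52:48 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:02:b3:11:22:33:00:a0:c9:44:55:66:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4321 DF PROTO=TCP SPT=3344 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 31 01:52:49 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:02:b3:11:22:33:00:a0:c9:44:55:66:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4322 DF PROTO=TCP SPT=3345 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 31 01:53:02 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:02:b3:11:22:33:00:a0:c9:44:55:66:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 31 01:53:10 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:02:b3:11:22:33:00:a0:c9:44:55:66:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=404 TOS=0x00 PREC=0x00 TTL=112 ID=4400 PROTO=UDP SPT=1026 DPT=1026 LEN=384
Mar 31 01:53:11 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:02:b3:11:22:33:00:a0:c9:44:55:66:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=112 ID=4401 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar 31 01:53:12 gw sshd[2231]: Accepted publickey for admin from 192.168.0.10 port 40122 ssh2
"""

# A netfilter LOG line carries "kernel:", an optional log prefix, then KEY=VALUE
# pairs, the first of which is always IN=.
HEADER_RE = re.compile(r"kernel: (?:\[\s*\d+\.\d+\] )?(?P<prefix>[^=]*?)\s*IN=")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the fields of one netfilter LOG line, or None for any other syslog line."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    fields = {"timestamp": line[:15], "prefix": m.group("prefix").strip().rstrip(":")}
    for key, value in KV_RE.findall(line[m.start():]):
        # LEN and ID repeat (IP header first, then UDP/ICMP header); keep the IP header value.
        fields.setdefault(key, value)
    return fields


def summarize(log_text, top=5):
    """Count logged packets per source and per (protocol, destination port)."""
    per_source = Counter()
    per_service = Counter()
    ports_by_source = defaultdict(set)
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        src = rec.get("SRC", "?")
        dport = rec.get("DPT")  # absent for ICMP and other port-less protocols
        per_source[src] += 1
        per_service[(rec.get("PROTO", "?"), dport)] += 1
        if dport is not None:
            ports_by_source[src].add(int(dport))
    return {
        "total": total,
        "top_sources": per_source.most_common(top),
        "top_services": per_service.most_common(top),
        "ports_by_source": {s: sorted(p) for s, p in ports_by_source.items()},
    }


def probable_sweeps(summary, min_ports=3):
    """Sources that hit at least min_ports distinct destination ports; worth a closer look."""
    return sorted(src for src, ports in summary["ports_by_source"].items()
                  if len(ports) >= min_ports)


def format_report(summary):
    """Render the summary as the short text report an admin would read after rotation."""
    lines = [f"logged packets: {summary['total']}", "top sources:"]
    lines += [f"  {src:<16} {n}" for src, n in summary["top_sources"]]
    lines.append("top services (proto, dport):")
    lines += [f"  {proto:<5} {dport or '-':<6} {n}"
              for (proto, dport), n in summary["top_services"]]
    sweeps = probable_sweeps(summary)
    if sweeps:
        lines.append("possible port sweeps from: " + ", ".join(sweeps))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python fwlog_summary.py /var/log/messages   (no argument: run on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(summarize(text)))
```

Run it against the current messages file or any of the rotated copies (`messages.1`, `messages.2`, ...). Lines that are not netfilter LOG output, such as the sshd line in the sample, are skipped, so the whole file can be fed in unfiltered.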