[CentOS] [OT maybe] netcafe firewall

Neil Jolly neil at jollycom.ca
Mon Mar 20 15:57:34 UTC 2006


On 20-Mar-06, at 8:43 AM, Alexandru E. Ungur wrote:

>>>> sender: "Craig White" date: "Mon, Mar 20, 2006 at 07:50:24AM  
>>>> -0700" <<<EOQ
>> On Mon, 2006-03-20 at 13:33 +0200, Alexandru E. Ungur wrote:
>>> Hi all,
>>>
>>> I appologise in advance if this is a little OT, but I am building
>>> a box that will serve as firewall and router for a small 'internet
>>> cafe / netcafe' and am using CentOS...
>>>
>>> So here it is:
>>> What are the best tools to be used for keeping the potential
>>> script kiddies from 'harming the Internet' :) ? I specifically want
>>> to be able to detect and prevent portscans from LAN to Internet, and
>>> any other malware activity the clients might think of.
>>>
>>> I am particularily interested in 'the CentOS way'. For example I
>>> know there is psd module in patch-o-matic for iptables to be able
>>> to do the portscan detection in firewall... but, that doesen't
>>> feel like 'CentOS way' (because I have to build a cusom kernel)
>>> unless there is some kernel (even 3rd part, unsuported/etc.) that
>>> already has this in...
>>>
>>> Also I know of the portsentry tool, but the project seems pretty  
>>> much
>>> dead after Cisco bought Psyonic... and again is not on up2date's  
>>> list...
>>>
>>> I intend to use Snort, though I hope that it won't share  
>>> portsentry's
>>> fate and become extinct after Check Point's acquisition of  
>>> Sourcefire
>>> will be completed. No FUD intended on this, optimistic views are  
>>> always
>>> highly welcomed :)
>>>
>>> Luckily denyhosts has no plans of selling itself to anyone so that's
>>> one project I can safely use :)
>>>
>>> So, Open Source portscaner for CentOS... anyone... ? :)
>>>
>>>
>>> Thank you for your time and help,
>> ----
>> why not just use a proxy server like squid?
> Thank you for the suggestion. Yep, Squid/Oops + Dansguardian, is  
> very good
> ideea and I'll probably use it.
>
> However how can that stop a kid to download the latest/coolest  
> 'hacking
> script' and start doing portscans & co. ? I don't want to limit  
> what they
> can access via web, but to limit what they can 'do to Internet'  
> from their
> Windows boxes through the gateway I am setting up.

Secure the Windows boxes with soomething like: http:// 
www.mycafecup.com/eng_index.html, or better yet replace them with  
linux boxes like: http://www.linuxjournal.com/article/2339

> I just don't like to have nobody messing on my FORWARD chains  
> that's all ;)
>
> Thanks again,
> Alex
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Neil Jolly






More information about the CentOS mailing list