Firewall for my home network

I currently protect the few PCs on my home network with an NT Server firewall. I don't believe it's doing much of anything. And it's tying up a 512 Mb Pentium PC. I have a 32 Mb PC sitting around doing nothing. Is it too much to hope for that I could bring up a lightweight UNIX-based firewall on the old computer? I might be able to find a little more RAM hanging around.

And since I'm already using this mid-sized PC as a firewall, what are the best options for using it for a UNIX-based firewall? With more RAM and a faster processor, I'd like to see what kind of accessible tools are available for monitoring traffic.

Basically, the goal is to manage the unbelievable spyware and malware that my kids bring into the house. If I can do it with the low-end PC, great. Otherwise, I'm ready to use the other.

I don't have a lot of UNIX experience but I have played around with Mandrake a little. And I have installation CDs that are just a couple months old. If anybody has specific guidance they can give me for Mandrake, I'd love to hear it.

Thanks for your time!!

-David

Reply to
davidb1835

Save yourself a lot of mess and just get a packet filtering FW router that's ICSA certified that meets the specs for *What does a FW do?*. It's plug it up and go with little or no configuration on your part.

However, I did trial the FW the makers in the link have for an NT based server that uses two NIC(s) that I would suspect is just as powerful as any Linux based solution.

In setting up an NT based solution as a gateway FW solution, one has got to secure the O/S and harden it to attack, like shutting down services, remove programs O/S or whatnot, user accounts, and the registry, etc, to make NT a viable FW solution as a gateway to face the Internet. If you didn't do that, then why bother. And I would suspect you would have to do something similar with a Linux based solution.

Duane :)

Reply to
Duane Arnold

on the old box. Use the addons system with dansguardian, set it to block all executable downloads to the kids' PCs.

The main solution here will be human, not technical. If the small humans have open slather to install crud then no technical solution will work 100%. Is the PC in an open area where it can be monitored? Do the kids have admin rights? (many kids games require admin rights to run unfortunately)

From knowing next to nothing about Linux (a couple Debian installs, bit of Red Hat and Mandrake) I was able to get IPCop working properly in under an hour.

Still think educating the kids on risks and having them ask before installing things would do more for your situation. Cheers, E.

Reply to
E.

Who cares for executable download content? Just don't give them exec rights to anything except some whitelisted executables.

Huh? Most games don't require admin rights for anything but installation. I'd worry much more about privilege escalation through totally defective copy protection drivers.

Reply to
Sebastian Gottschalk

When money was a problem here I set up a linux router using the linux router project and coyote linux. Easily configured, no linux to learn if you don't want to. It ran on a 486-25 with 12 megs ram, and 2 ancient isa 3com 509b cards. No hard drive needed, boots from a copy protected floppy. Various speed tests showed that it did not affect throughput at all.

I now use a $50 d-link, as there are more complex things I need to do here.

I don't know if the l r p (linux router project) still exists.

If you want more options, I suggest mandriva linux, which I use on two machines, a file/print server and a web server. The graphical version will run on a p400, 128 meg ram and a 10 gig hard drive. Non graphical (you have to learn some linux) will run on less.

Stuart

Reply to
Stuart Miller

Anything steam based seems to need full admin rights (half-life, counter strike etc) as well as many others due to badly written install routines/rights assignments. E.

Reply to
E.

No, it doesn't. I've been reported that a short glimpse with Regmon and Filemon shows up the problems.

Reply to
Sebastian Gottschalk

What CPU? 32 Megs implies at least an 80386DX, but that's all.

Running a firewall? That's more than enough. Mine is running in 8 Megs.

Well, yeah. A 3C509B is a ten megabit card, and even two cards are well within the capability of the 16 bit ISA bus. A third card will start to push things, but should work in practical situations. I'm still using what started life as a 386SX-16 laptop of unknown origin. There is no case, no display, and no keyboard (admin it over the net via SSH with a backup of the serial port).

Such as?

Web Results 1 - 10 of about 11,800,000 for Linux Router Project. (0.49 seconds) The LRP is dead, although still available. There are quite a few other choices.

I would NEVER use a "popular" Linux (or full *BSD) distribution for a firewall. That is a complete waste of capability, as well as a security issue. On your firewall, you should be running the firewall application and NOTHING else. Running any other application opens the possibility (however remote) of exploits. "If it ain't there, it can't be b0rked".

As for having to "learn some linux" - how is that different from having to "learn some windoze"? Despite lots of crap applications to the contrary, security is not some slider on a GUI, or a radio button you click for "Low", "Medium", or "High" which (without knowing what you are trying to use your network connection for) is quite meaningless.

Learning what your applications are doing is going to be much more useful than learning all of the little tricks of an operating system. The Internet is a vast collection of independent networks that offer some services to all. The world is a lot more than some toy web browser looking for your favorite pr0n site, or a place to download viruses.

Old guy

Reply to
Moe Trin
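
An added example, not part of any post in this thread: one way to check the "firewall application and NOTHING else" rule on a Linux box is to list its listening sockets and flag everything outside a short allowlist. The allowlist (SSH only) and the sample `ss -H -tuln` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit listeners on a box meant to run the firewall and nothing else.
# Input is the output format of `ss -H -tuln`:
#   netid state recv-q send-q local-address:port peer-address:port
# ALLOWED is a hypothetical allowlist: SSH only, for remote administration.
ALLOWED="tcp/22"

# Constructed sample standing in for a fresh general-purpose install.
sample_listeners() {
cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:445        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
udp   UNCONN 0      0               [::]:111           [::]:*
EOF
}

# Read ss-style lines on stdin; print "proto/port address scope" for every
# listener that is not on the allowlist.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            port = $5; sub(/.*:/, "", port)        # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr)    # everything before it
            key = $1 "/" port
            if (key in ok) next
            scope = (addr ~ /^(127\.|\[::1\])/) ? "loopback-only" : "network-reachable"
            print key, addr, scope
        }'
}

# Number of unexpected listeners that other hosts can reach.
exposed_count() {
    unexpected_listeners | awk '/network-reachable/ { n++ } END { print n + 0 }'
}

# Demo on the sample; on a live system use: ss -H -tuln | unexpected_listeners
sample_listeners | unexpected_listeners
echo "exposed: $(sample_listeners | exposed_count)"
```

Each flagged line is a service to remove or disable before the box faces the Internet; a loopback-only listener is lower priority but is still software that does not belong on a single-purpose firewall.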

Sebastian wrote on Mon, 24 Jul 2006 14:42:15 +0200:

Punkbuster however does require admin rights, and that's in a number of games (although none I'd let my kids play).

Dan

Reply to
Spack

I'm with you 100%. If one is going to use a *real* firewall solution whether that be something Linux-based or a commercial box like Cisco, Checkpoint, Watchguard, NetScreen, etc. one is going to have to do some learning. None of these things power up to a solitary "Enable Protection? [Y/N]" prompt.

Reply to
gray.wizard

Thanks for all your advice. I'm diving in to Linux in general now. I've pieced together another Pentium class computer (with 384 mb RAM) and have tried a couple of platforms. Mandriva, Ubuntu, and Kubuntu. Mandriva let me de-select everything but the firewall so it's my leading candidate. But I understand I should look at a few more distributions. I'll keep watching the thread in case you have other insights to different distributions.

Thanks for your help! I hear from you that if you're going to use a computer to be your firewall (and not a specialized device), it should be a single-purpose computer and have nothing on it but the firewall component. Presumably, that means I should stick to the command line interface and all desktop-related functionality and additional networking components should be disabled.

-David


Reply to
davidb1835

Well put.

A problem that many have with Linux is choice. Unlike microsoft, there are literally hundreds of different distributions. Some, like 'LRP' or 'Coyote' or 'floppyfirewall' or 'One-Diskette-Router' are highly specialized (in this case, firewalls), while others like the more popular 'Debian', 'Fedora', 'Mandrake', 'SuSE' or 'Ubuntu' (among _many_ others) are general purpose creations that include a minimum of three choices of everything _including_ the kitchen sink in six colors (and stainless steel). Sites like distrowatch will help you choose what you want. If you don't want to download everything (you can do so for free, but a distribution may include 7 or more CDs and some are going to be on _two_ DVDs), you can buy a "Linux Sampler" containing several versions on 22 CDs for US$35.

Also be aware that "which Linux is best" is exactly the same as asking which beer/car/cola/sports_team/you_name_it is better. All you are going to hear is individual opinions. The answer is "the one you like".

If the exploitable application isn't installed, it can't be exploited. The problems occur when the user gets involved. No firewall can totally protect a user from doing stupid things - and that's true no matter what firewall you use, or what operating system. As far as command line versus GUI, in *nix, nearly all configuration files are human readable text. Some of the text may seem bewildering, but it _is_ understandable. The other problem with a GUI is that it can only do what the GUI author built it to do. If that doesn't exactly match what you are doing, the GUI becomes a hindrance, rather than a helper.

Old guy

Reply to
Moe Trin

This all makes perfect sense to me. So I'm in that wonderful situation in which I know exactly what to do but no clue how to do it. Lots of great exploring to do.

By the way, one of the threads in this message says that the "author has requested this thread not be archived" or something like this. I think the thread has good info for people like me. Do you know what is blocking the archive? Just curious...

-David


Reply to
davidb1835

'man -f' (or 'whatis'), 'man -k' (or apropos)

[compton ~]$ whatis whatis
whatis (1) - search the whatis database for complete words
[compton ~]$ apropos whatis
apropos (1) - search the whatis database for strings
whatis (1) - search the whatis database for complete words
[compton ~]$ whatis man
man (1) - format and display the on-line manual pages
man (7) - macros to format man pages
man [manpath] (1) - format and display the on-line manual pages
man.config [man] (5) - configuration data for man
[compton ~]$

Another wonderful tool to use is 'grep' (also 'zgrep' and 'bzgrep'). You would be astonished to see the clues and enlightenment they can turn up. Pagers like 'less' and many web browsers also have a built in search function. See the man page for 'less' and look for '/pattern'.

You're reading the news via google. They have been archiving postings to the newsgroups for a few years (they bought deja-news.com that actually started this in 1991). This allows searching articles posted as long as 16 years ago. Some people want to post, but don't want their words recorded for posterity. This has no effect on the posts that are _quoted_ or included in other posts (as you did here). This also has no effect on the retentivity on regular news servers, and private archives (at work, we permanently archive several important [to us] newsgroups). This also has no effect on internal usage of the articles by the archiver. Lessee...

[compton ~]$ grep comp.security.firewalls .newslog | egrep '^07/(1[6-9]|2)' | grep killed | cut -d' ' -f4 | awk 'BEGIN { FS="/" } ; { total += $1 } ; END { print total }'
388
[compton ~]$ ^-f4 | awk 'BEGIN { FS="/" } ;^ -f5 | tr -d '(' | awk '
grep comp.security.firewalls .newslog | egrep '^07/(1[6-9]|2)' | grep killed | cut -d' ' -f5 | tr -d '(' | awk ' { total += $1 } ; END { print total }'
11
[compton ~]$ grep -i '^X-No-Archive:' /var/spool/news/comp/secur*/fire*/* | wc -l
39
[compton ~]$

My local spool has articles from the past 11 days. There were 388 in this newsgroup, of which 11 were dropped as trash. So, of the remaining 377, 39 had the header that google use to block archiving. You'd have to ask those posters why they use the header.

For google, it's the inclusion of that 'X-No-Archive: yes' header in the posting (you need to know how to use your news reader to do this) or including that as the very first line of text in the article.

Old guy

Reply to
Moe Trin
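
An added example, not part of the post above: a per-article count that treats `X-No-Archive: yes` as an opt-out only when it appears as a header or as the first line of the body, the two placements the post describes. The spool files and their contents are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Article files and text are constructed.

# Exit status 0 if article file $1 opts out of archiving, 1 otherwise.
opts_out() {
    awk '
        !body && /^$/ { body = 1; next }   # first blank line ends the headers
        !body { if (tolower($0) ~ /^x-no-archive:[ \t]*yes/) hit = 1; next }
        { if (tolower($0) ~ /^x-no-archive:[ \t]*yes/) hit = 1; exit }  # first body line only
        END { exit (hit ? 0 : 1) }
    ' "$1"
}

# Count the articles in spool directory $1 that opt out.
count_opt_outs() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if opts_out "$f"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# For comparison: count every line in the spool that starts with the header name.
count_matching_lines() {
    cat "$1"/* | grep -ci '^X-No-Archive:'
}

# Four constructed articles: header form, first-body-line form, a mention
# deeper in the body, and a header whose value is "no".
make_sample_spool() {
    printf 'From: a@example.invalid\nSubject: fw\nX-No-Archive: yes\n\nHeader form.\n' > "$1/1"
    printf 'From: b@example.invalid\nSubject: fw\n\nX-No-Archive: yes\nBody form.\n' > "$1/2"
    printf 'From: c@example.invalid\nSubject: fw\n\nPosters add this line:\nX-No-Archive: yes\n' > "$1/3"
    printf 'From: d@example.invalid\nSubject: fw\nx-no-archive: no\n\nNot opted out.\n' > "$1/4"
}

spool=$(mktemp -d)
make_sample_spool "$spool"
echo "matching lines: $(count_matching_lines "$spool")"
echo "opted-out articles: $(count_opt_outs "$spool")"
rm -rf "$spool"
```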
