Cascading firewalls
DComTalk.com Forum Index -> Firewalls
Discussion of VoIP, VPN, Video Conferencing, DSL and other data communications.
 
Gearoid (Guest)
Posted: Mon Dec 05, 2005 5:21 pm    Post subject: Cascading firewalls

Hello

I'm running Smoothwall Express 2 and would like to run a second "firewall"
or proxy server behind it, mainly to filter out inappropriate content for
children. I am using a separate Linux box (SuSE 10) with Squid and
DansGuardian (www.dansguardian.org) for this purpose.

I think the normal way of connecting this lot is to have the second
Smoothwall NIC running to a switch and to have all the other PCs on the LAN,
*including* the proxy, running to the same switch, with redirecting going on
in the firewall to restrict outward access to proxy only. I don't
understand much about redirecting, and I was wondering if it is possible to
connect the machines another way, like this:

|
|
|
Smoothwall External Interface (DHCP assigned IP from ISP)
|
Smoothwall Internal NIC (Static, eg. 192.168.0.1)
|
|
[[[Crossover cable]]]
|
|
Squid\DG box External NIC (DHCP from Smoothwall eg. 192.168.0.200)
|
Squid\DG box Internal NIC (Static, eg. 192.168.40.1)
|
|
[[[24-port switch]]]
|
|
Clients (DHCP from Squid\DG eg. 192.168.40.100, 192.168.40.99, etc.)

Would this work, and would it be considered more secure than having
firewalling and proxying on the one machine?

I understand I need to enable IP masquerading on the Squid\DG box to route
traffic from the LAN to Smoothwall. How do I go about this, and do I need
to enable the firewall on the Squid\DG box as well, at least for the
internal network? And finally, besides the static IP on the internal NIC of
the Squid\DG box do I need to assign a gateway statically as well, and if
so, what gateway? The Smoothwall internal NIC, or the Squid\DG external
NIC?

Thank you for taking the time to read this. My apologies if it isn't
entirely firewall-related.

Gearoid O Maolallaigh
--
"Truth's a dog must to kennel; he must be whipped out when the Lady Brach
may stand by the fire and stink" -- The Fool
Joachim (Guest)
Posted: Mon Dec 05, 2005 5:21 pm    Post subject: Re: Cascading firewalls

Gearoid <gp_lally@o2.ie> wrote:
Quote:
[Gearoid's original post of Mon Dec 05, 2005 5:21 pm, quoted in full]

This would work, yes. And not having firewall and proxy on the same
machine is a good thing, as the firewall will still protect you
somewhat.

However, it would be better to have the proxy server segmented from the
LAN, as a compromised proxy server - and, let's face it, Squid is not
unbreakable - would grant total access to the LAN, no matter if the
firewall is 'in front of' the proxy server or the same machine. In fact,
in the first scenario, only egress filtering would continue to work
somewhat, and even then, a skilled attacker can always open some form of
tunnel into your network.

You are proposing this:

The net
|
FW
|
Proxy
|
LAN

Which is better than

The net
|
FW+Proxy
|
LAN

but not quite as good as

The net
|
FW---- Proxy
|
LAN

(mainly because in the latter case, connections between proxy and LAN
can be checked much better, which makes both attacking the proxy and
attacking the LAN harder).

However, presuming you go with the configuration as planned, and with
the disclaimer that I do not know the Smoothwall, I am fairly certain it
can do the NAT itself. That would mean there's no compelling reason to
do anything on the proxy server but forward traffic.
(Of course, the proxy server *can* do the NAT as well. This makes it
more likely to take lots of stuff with it if failing, but will also
reduce the load on your firewall. On the third hand, it's not unlikely
the proxy server will come under more load...)

For the proxy server, you'd assign the firewall as gateway. In your
configuration, you'd assign the proxy server as gateway to pretty much
everything else.

In the third proposed configuration, the firewall is the gateway for
everything on the network, with a separate proxy configuration for the
web-enabled clients.

Hope this was helpful. As a last point, here's the iptables line for
NAT:

iptables -t nat -A POSTROUTING -j MASQUERADE
- or -
iptables -t nat -A POSTROUTING -j SNAT --to-source $MY_IP

The first is used for dynamic addresses. Since this is not the case, go
with second - but I'll have to admit to never having actually tested
that one.

Joachim
Gearoid (Guest)
Posted: Tue Dec 06, 2005 12:09 am    Post subject: Re: Cascading firewalls

<jKILLSPAM.schipper@math.uu.nl> wrote in message
news:43945748$0$84738$dbd49001@news.wanadoo.nl...
Quote:
[Joachim's reply of Mon Dec 05, 2005 5:21 pm, quoted in full]

Thank you Joachim. I was a little nervous posting this because a couple of
Linux newsgroups basically told me to find out for myself, which I have
tried to do. The first thing I appreciate is your helpfulness, then your
knowledge!

I am going to stick with the configuration as planned, although in a bigger
network I would probably go with your advice to segment the proxy. (Does
this mean a third NIC in the firewall?) I am glad to know that it will
work, but still a bit shaky on the details. Since I am new-ish to Linux,
would it be possible just to enable IP forwarding on eth1 on the Suse\Squid
box, using the GUI for Network Card configuration? Please excuse my
ignorance! I did this but it didn't seem to work. I could get onto the net
from the Linux box but not from a Windows XP client on the LAN.
--
"Truth's a dog must to kennel; he must be whipped out when the Lady Brach
may stand by the fire and stink" -- The Fool
Gearoid (Guest)
Posted: Tue Dec 06, 2005 12:10 am    Post subject: Re: Cascading firewalls

PS Please remove underscore to reply by mail. Thanks.

--
"Truth's a dog must to kennel; he must be whipped out when the Lady Brach
may stand by the fire and stink" -- The Fool



"Gearoid" <gp_lally@o2.ie> wrote in message
news:dn1c1j$lg3$1@reader01.news.esat.net...
Quote:
Hello

etc.
Wolfgang Kueter (Guest)
Posted: Tue Dec 06, 2005 3:20 am    Post subject: Re: Cascading firewalls

On Mon, 05 Dec 2005 15:05:44 +0000, jKILLSPAM.schipper wrote:

Quote:
[Gearoid's original post and the first part of Joachim's reply, quoted in full]
You are proposing this:

The net
|
FW
|
Proxy
|
LAN

Which is better than

The net
|
FW+Proxy
|
LAN

but not quite as good as

The net
|
FW---- Proxy
|
LAN

which is not as good as:

Internet
|
external packet-filter
|
+-------Proxy/ALG with 1 NIC
|
internal packet-filter
|
LAN


which is not as good as:

Internet
|
external packet-filter
|
Application Level Gateway with 2 NIC
|
internal packet-filter
|
LAN

Wolfgang
Joachim (Guest)
Posted: Tue Dec 06, 2005 5:45 am    Post subject: Re: Cascading firewalls

Wolfgang Kueter <wolfgang@shconnect.de> wrote:
Quote:
On Mon, 05 Dec 2005 15:05:44 +0000, jKILLSPAM.schipper wrote:
[Joachim's three diagrams, quoted in full]
which is not as good as:

Internet
|
external packet-filter
|
+-------Proxy/ALG with 1 NIC
|
internal packet-filter
|
LAN


which is not as good as:

Internet
|
external packet-filter
|
Application Level Gateway with 2 NIC
|
internal packet-filter
|
LAN

Yes, very true. But I figured this would be a little out of budget,
really, as the added security gets very costly quickly.

Joachim
Joachim (Guest)
Posted: Tue Dec 06, 2005 5:57 am    Post subject: Re: Cascading firewalls

<excuses for the long quotes!>

Gearoid <gp_lally@o2.ie> wrote:
Quote:
[Gearoid's quotation of the original post and of Joachim's first reply, snipped]
Thank you Joachim. I was a little nervous posting this because a couple of
Linux newsgroups basically told me to find out for myself, which I have
tried to do. The first thing I appreciate is your helpfulness, then your
knowledge!

I am going to stick with the configuration as planned, although in a bigger
network I would probably go with your advice to segment the proxy. (Does
this mean a third NIC in the firewall?) I am glad to know that it will
work, but still a bit shaky on the details. Since I am new-ish to Linux,
would it be possible just to enable IP forwarding on eth1 on the Suse\Squid
box, using the GUI for Network Card configuration? Please excuse my
ignorance! I did this but it didn't seem to work. I could get onto the net
from the Linux box but not from a Windows XP client on the LAN.

Segmenting the proxy would likely require another NIC, yes (more exotic
solutions exist, but tend to be more trouble and more expense than it's
worth - at least at small scales, things like VLANs are supposedly very
useful in large installations).

I have never used SUSE, and personally always preferred non-graphical
methods of doing my configuration. So I'm not sure. That being said, I
do know that in Linux you have to enable both packet forwarding (can be
done by 'echo 1 > /proc/sys/net/ipv4/ip_forward' as root) and NAT (via
my iptables command).

Someone with more knowledge of SUSE than myself may be able to tell you
how to do this in SUSE's graphical tools.

All that being said, reading up on networking is never a bad idea, as it
can get you out of a lot of tight spots and will be assumed known by
many groups.

Joachim
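The two things Joachim says the SuSE/Squid box needs (packet forwarding and a NAT rule), put together as one script for the inline layout from the first post, with the Squid/DansGuardian box as the clients' gateway. This is an added example, not code from the thread or from Smoothwall, Squid or DansGuardian. It goes a little beyond the two commands in the thread: the FORWARD chain is default-deny so that the proxy really is the only way out of the LAN (the "outward access to proxy only" idea from the first post), and plain HTTP from the LAN is redirected into the filter so a client with no proxy setting is still filtered. The interface names eth0/eth1, the LAN 192.168.40.0/24, the DansGuardian listening port 8080 and the decision to let DNS through directly are assumptions. Because the posted diagram gives the box's external NIC an address from Smoothwall's DHCP, the NAT rule uses MASQUERADE, which looks the source address up per packet, rather than SNAT with a fixed address.

```shell
#!/bin/sh
# Firewall/NAT script for the Squid+DansGuardian box in the inline layout
#   Smoothwall (192.168.0.1) -- eth0 [this box] eth1 -- switch -- LAN 192.168.40.0/24
# Added example; interface names, addresses and DG_PORT are assumptions, not from the thread.

EXT_IF=${EXT_IF:-eth0}                 # NIC towards Smoothwall (DHCP-assigned, e.g. 192.168.0.200)
INT_IF=${INT_IF:-eth1}                 # NIC towards the switch, static 192.168.40.1
LAN_NET=${LAN_NET:-192.168.40.0/24}
DG_PORT=${DG_PORT:-8080}               # assumed DansGuardian listening port
IPT=${IPT:-iptables}                   # set to "echo" for a dry run
SYSCTL=${SYSCTL:-sysctl}

# Every rule goes through this wrapper so a dry run prints the complete rule set.
rule() { "$IPT" "$@"; }

build_rules() {
    # 1. Routing between the two NICs (same effect as 'echo 1 > /proc/sys/net/ipv4/ip_forward').
    "$SYSCTL" -w net.ipv4.ip_forward=1

    # 2. Clean slate, default deny for traffic to the box and through the box.
    rule -F
    rule -t nat -F
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    # 3. What the box itself accepts: loopback, replies, and from the LAN only the
    #    proxy port, DNS and DHCP (DHCP requests come from 0.0.0.0, hence no -s match).
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i "$INT_IF" -s "$LAN_NET" -p tcp --dport "$DG_PORT" -j ACCEPT
    rule -A INPUT -i "$INT_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    rule -A INPUT -i "$INT_IF" -p udp --sport 68 --dport 67 -j ACCEPT

    # 4. Transparent redirect: plain HTTP from the LAN lands in DansGuardian even if a
    #    client has no proxy configured. HTTPS cannot be redirected this way; it is
    #    simply not forwarded, so browsers must use the proxy setting for it.
    rule -t nat -A PREROUTING -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 80 \
         -j REDIRECT --to-ports "$DG_PORT"

    # 5. Forwarding: replies, plus DNS to the outside. Nothing else leaves the LAN
    #    directly, so the proxy is the only path to the web.
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    rule -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT

    # 6. NAT for the forwarded flows. The external address comes from Smoothwall's DHCP,
    #    so MASQUERADE (source address looked up per packet) rather than SNAT --to-source.
    rule -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

case "${1:-}" in
    apply)   build_rules ;;
    dry-run) IPT=echo; SYSCTL=echo; build_rules ;;
    "")      ;;                        # no argument: only define the functions (sourceable)
    *)       echo "usage: $0 apply|dry-run" >&2; exit 2 ;;
esac
```

Run it with `dry-run` first to read the rule set, then with `apply` as root. The box's own default route (Smoothwall's internal address, 192.168.0.1) is set in the NIC configuration, not here; with MASQUERADE in place Smoothwall only ever sees 192.168.0.200 as the source, so it needs no route back to 192.168.40.0/24. The clients get 192.168.40.1 as gateway and DNS from the DHCP server on this box.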
Gearoid (Guest)
Posted: Tue Dec 06, 2005 5:21 pm    Post subject: Re: Cascading firewalls

<jKILLSPAM.schipper@math.uu.nl> wrote in message
news:4394d3d9$0$35269$dbd4d001@news.wanadoo.nl...

<snip>

Quote:
All that being said, reading up on networking is never a bad idea, as it
can get you out of a lot of tight spots and will be assumed known by
many groups.

Yes, and this is part of the process of learning for me! Lots learned, lots
more to learn! I have been watching Ethereal for a while now and it is
fascinating watching how network traffic works!

The gist is that both NAT and packet forwarding have to be enabled on the
Suse\Squid box. I can at least follow the leads here and carry on learning!
Thank you so much.
--
"Truth's a dog must to kennel; he must be whipped out when the Lady Brach
may stand by the fire and stink" -- The Fool
All times are GMT
Powered by phpBB