Using another computer networked as a Firewall

Anonymous
April 27, 2004 3:09:07 PM

Archived from groups: comp.security.firewalls

I am trying to figure out a way of using another machine as a firewall
then networking it to the machine I actually want to use. What is the
most secure way of doing this?
Anonymous
April 27, 2004 5:11:49 PM

"SteadyEddie" <edd_edwards@yahoo.com> wrote in message
news:c6lf0g$n20$1@hercules.btinternet.com...
> I am trying to figure out a way of using another machine as a firewall
> then networking it to the machine I actually want to use. What is the
> most secure way of doing this?

Spend the > $100 on Linksys product and be done with it.
April 27, 2004 5:17:32 PM

> I am trying to figure out a way of using another machine as a firewall
> then networking it to the machine I actually want to use. What is the
> most secure way of doing this?

http://www.ipcop.org details also on http://ipcop.hopto.org
Anonymous
April 27, 2004 5:17:33 PM

That looks good but I'm using a Windows-based system. I don't have Linux.

>>I am trying to figure out a way of using another machine as a firewall
>>then networking it to the machine I actually want to use. What is the
>>most secure way of doing this?
>
>
> http://www.ipcop.org details also on http://ipcop.hopto.org
>
>
>
Anonymous
April 27, 2004 5:34:22 PM

SteadyEddie <edd_edwards@yahoo.com> wrote in message news:<c6lf0g$n20$1@hercules.btinternet.com>...
> I am trying to figure out a way of using another machine as a firewall
> then networking it to the machine I actually want to use. What is the
> most secure way of doing this?

As ObiWan suggested, IPCop is one choice. Another is Smoothwall
(www.smoothwall.com). Neither of these will work on a Windows-based
machine, but that shouldn't be an issue. Both firewalls install from
a bootable CD, and they will take care of installing the necessary
bits on your target machine, wiping away anything currently on the
hard drive. You don't need to know Linux or Unix to install these.
And once installed you don't need a keyboard, mouse, or monitor
because all the remaining configuring and maintenance is done remotely
via web interface.

What hasn't been mentioned; that may be overlooked; you will need to
install a second NIC into your firewall machine regardless of which
solution you choose.
April 27, 2004 5:50:24 PM

"SteadyEddie" <edd_edwards@yahoo.com> wrote in message
news:c6lf0g$n20$1@hercules.btinternet.com...
> I am trying to figure out a way of using another machine as a firewall
> then networking it to the machine I actually want to use. What is the

Define what you mean by "networking".
A firewall that is not connected to the network it is protecting is about as
useful as a chocolate teapot.
Anonymous
April 27, 2004 6:00:59 PM

We have a small business network, and I'm trying to put a computer in
between the network and the internet to act as the firewall. But all the
web has to offer is solutions for Linux and I don't have Linux.


Mike wrote:

> Define what you mean by "networking".
> A firewall that is not connected to the network it is protecting is about as
> useful as a chocolate teapot.
Anonymous
April 27, 2004 6:01:00 PM

On Tue, 27 Apr 2004 14:00:59 +0000 (UTC), SteadyEddie spoketh

>We have a small business network, and I'm trying to put a computer in
>between the network and the internet to act as the firewall. But all the
> web has to offer is solutions for Linux and I don't have Linux.
>

Symantec Enterprise firewall
Checkpoint Firewall 1
Microsoft ISA server

Or, simply get a firewall appliance like a Sonicwall or Watchguard ...


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
April 27, 2004 7:27:04 PM

> >>I am trying to figure out a way of using another machine as a firewall
> >>then networking it to the machine I actually want to use. What is the
> >>most secure way of doing this?
> >
> > http://www.ipcop.org details also on http://ipcop.hopto.org

> That looks good but I'm using a Windows-based system. I don't have Linux.

Well ... you were asking for a "separate machine" (see above)
so there shouldn't be problems in installing linux on the machine
which acts like a firewall/nat/router, also, a windows machine
sitting behind such a firewall won't have problems using it to surf
the net; btw, if you want a windows based solution you may as
well have a look at http://www.idrci.net just pick the packet filter
along with the NAT and you'll be up and running in minutes


--

* ObiWan

DNS "fail-safe" for Windows 2000 and 9X clients.
http://ntcanuck.com

Support and discussions forum
http://ntcanuck.com/net/board

408 XP/2000 tweaks and tips
http://ntcanuck.com/tq/Tip_Quarry.htm
Anonymous
April 27, 2004 10:42:14 PM

On 27 Apr 2004 13:34:22 -0700, google@n1pop.cjb.net (N1POP) wrote:

>SteadyEddie <edd_edwards@yahoo.com> wrote in message news:<c6lf0g$n20$1@hercules.btinternet.com>...
>> I am trying to figure out a way of using another machine as a firewall
>> then networking it to the machine I actually want to use. What is the
>> most secure way of doing this?
>
>As ObiWan suggested, IPCop is one choice. Another is Smoothwall
>(www.smoothwall.com).

I think that should be http://www.smoothwall.org. :) 
Anonymous
April 28, 2004 1:02:07 AM

In article <c6lp2o$7j6$1@sparta.btinternet.com>, edd_edwards@yahoo.com
says...
> We have a small business network, and I'm trying to put a computer in
> between the network and the internet to act as the firewall. But all the
> web has to offer is solutions for Linux and I don't have Linux.

If you don't already know of a PC based solution I suspect that you will
be better off using an appliance based solution - there are many
Firewall Appliances under $1000 for small businesses.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
April 28, 2004 1:26:58 AM

http://www.zelow.no/floppyfw/

Use Floppyfw... Take an old PC with 2 NICs, a floppy drive and 12MB RAM, no
need for a hard disk because you're booting from that floppy.

Floppyfw is a complete Linux distribution fine-tuned for firewall/router that
fits on a single floppy 1.44Mb.

I'm using this now for a while and it is great. Saw some messages on the
Floppyfw forum from people using this piece of software for networks with
+400 computers connected.





"SteadyEddie" <edd_edwards@yahoo.com> wrote in message
news:c6lf0g$n20$1@hercules.btinternet.com...
> I am trying to figure out a way of using another machine as a firewall
> then networking it to the machine I actually want to use. What is the
> most secure way of doing this?
>
>
April 28, 2004 1:38:11 PM

"SteadyEddie" <edd_edwards@yahoo.com> wrote in message
news:c6lp2o$7j6$1@sparta.btinternet.com...
> We have a small business network, and I'm trying to put a computer in
> between the network and the internet to act as the firewall. But all the
> web has to offer is solutions for Linux and I don't have Linux.

Most firewalls operate on the data packets that are passing through them so
don't give a toss about whether the network PCs are Windows, Linux or Mickey
Mouse OS v2.331.

For example, I have an IPCOP box as a firewall which happens to run Linux.
The network it protects has a mixture of Windows 9x, NT4, 2000, XP and Linux
(Three flavours) and the occasional Mac.

Please don't take this the wrong way, but having gauged your level of
expertise from your postings I would recommend that you choose something
from the Watchguard range like a SOHO and buy it from a company that can
install it properly for you. You see, a badly installed firewall is almost
as bad as no firewall and you don't strike me as being knowledgeable enough
to do it properly. Sorry :-)
Anonymous
April 28, 2004 5:16:44 PM

SteadyEddie wrote:
> That looks good but I'm using a Windows-based system. I don't have Linux.
>
>>> I am trying to figure out a way of using another machine as a firewall
>>> then networking it to the machine I actually want to use. What is the
>>> most secure way of doing this?
>>
>>
>>
>> http://www.ipcop.org details also on http://ipcop.hopto.org
>>
>>
>>
>

You don't need Linux. IPCop is a complete installation, it just happens to
be based on Linux.

If you mean that you want to keep Windows on that system, what on earth for?
Also, in your original post you said "What is the most secure way of doing
this?", and keeping Windows on it most certainly isn't.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
Anonymous
April 28, 2004 6:23:21 PM

Mike wrote:
> "SteadyEddie" <edd_edwards@yahoo.com> wrote in message
> news:c6lp2o$7j6$1@sparta.btinternet.com...
>
>>We have a small business network, and I'm trying to put a computer in
>>between the network and the internet to act as the firewall. But all the
>> web has to offer is solutions for Linux and I don't have Linux.
>
>
> Most firewalls operate on the data packets that are passing through them so
> don't give a toss about whether the network PCs are Windows, Linux or Mickey
> Mouse OS v2.331.
>
> For example, I have an IPCOP box as a firewall which happens to run Linux.
> The network it protects has a mixture of Windows 9x, NT4, 2000, XP and Linux
> (Three flavours) and the occasional Mac.
>
> Please don't take this the wrong way, but having gauged your level of
> expertise from your postings I would recommend that you choose something
> from the Watchguard range like a SOHO and buy it from a company that can
> install it properly for you. You see, a badly installed firewall is almost
> as bad as no firewall and you don't strike me as being knowledgeable enough
> to do it properly. Sorry :-)
>
>

Actually, I'd say that a badly installed firewall is actually *worse* than
no firewall.

At least with no firewall you know you are not protected and should be much
more careful with every machine. With a faulty firewall you think you are
protected, when in fact you are not, and may well be more lax in protecting
machines behind the "firewall".

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
April 28, 2004 7:44:18 PM

> If you mean that you want to keep Windows
> on that system, what on earth for?

Well ... if windows is the way he wants to go...
well, he can go for windows as well, no prob

just download the CHX-I packet filter and NAT
from www.idrci.net install and configure it and
let it go .. btw in either case (Linux or Windows)
the machine MUST be used as a DEDICATED
firewall, otherwise you can say goodbye to any
security you want to achieve

Regards
Anonymous
April 29, 2004 6:05:40 AM

The Great Cornholio <cornholio@cluelessweasels.com> wrote in
news:bu2u805ilac6vkbbmlp2ae9ko84138jo3i@4ax.com:

>>As ObiWan suggested, IPCop is one choice. Another is Smoothwall
>>(www.smoothwall.com).
>
> I think that should be http://www.smoothwall.org. :) 

Well, for the free one, yes. I should have been more clear.
Anonymous
April 29, 2004 6:05:41 AM

On 29 Apr 2004 02:05:40 GMT, N1POP <google@n1pop.cjb.net> wrote:

>The Great Cornholio <cornholio@cluelessweasels.com> wrote in
>news:bu2u805ilac6vkbbmlp2ae9ko84138jo3i@4ax.com:
>
>>>As ObiWan suggested, IPCop is one choice. Another is Smoothwall
>>>(www.smoothwall.com).
>>
>> I think that should be http://www.smoothwall.org. :) 
>
>Well, for the free one, yes. I should have been more clear.

And http://www.smooothwall.net for the commercial version I believe.
The .com site has some very interesting information on partition
walls, sheetrock and plastering! :) 
Anonymous
April 29, 2004 6:30:33 PM

ObiWan wrote:
>>If you mean that you want to keep Windows
>>on that system, what on earth for?
>
>
> Well ... if windows is the way he wants to go...
> well, he can go for windows as well, no prob

Except it doesn't meet his "most secure" criteria...

The other problem is closing down all those ports which MS like to open for
you without asking first. Unless the OP is experienced at hardening Windows,
the Linux IPCop route should be much more secure out-the-box.

> just download the CHX-I packet filter and NAT
> from www.idrci.net install and configure it and
> let it go .. btw in either case (Linux or Windows)
> the machine MUST be used as a DEDICATED
> firewall, otherwise you can say goodbye to any
> security you want to achieve

But that would cost him, IPCop is free. CHX-I is only free for personal use,
and securing a "small business network" is most definitely not personal use.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
Anonymous
April 29, 2004 6:30:34 PM

On Thu, 29 Apr 2004 14:30:33 +0100, Nigel Wade spoketh

>ObiWan wrote:
>>>If you mean that you want to keep Windows
>>>on that system, what on earth for?
>>
>>
>> Well ... if windows is the way he wants to go...
>> well, he can go for windows as well, no prob
>
>Except it doesn't meet his "most secure" criteria...
>
>The other problem is closing down all those ports which MS like to open for
>you without asking first. Unless the OP is experienced at hardening Windows,
>the Linux IPCop route should be much more secure out-the-box.
>

Any professional grade firewall installed on a Windows platform is as
secure as any other firewall installed on any other platform. And, with
regards to the "ports MS likes to open for you", they are closed by the
firewall by default, and you'll have to create specific rules to allow
access to them.

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
April 30, 2004 4:43:14 PM

Lars M. Hansen wrote:
> On Thu, 29 Apr 2004 14:30:33 +0100, Nigel Wade spoketh
>
>
>>ObiWan wrote:
>>
>>>>If you mean that you want to keep Windows
>>>>on that system, what on earth for?
>>>
>>>
>>>Well ... if windows is the way he wants to go...
>>>well, he can go for windows as well, no prob
>>
>>Except it doesn't meet his "most secure" criteria...
>>
>>The other problem is closing down all those ports which MS like to open for
>>you without asking first. Unless the OP is experienced at hardening Windows,
>>the Linux IPCop route should be much more secure out-the-box.
>>
>
>
> Any professional grade firewall installed on a Windows platform is as
> secure as any other firewall installed on any other platform. And, with
> regards to the "ports MS likes to open for you", they are closed by the
> firewall by default, and you'll have to create specific rules to allow
> access to them.
>

It's just my natural cynicism showing through. I don't trust Windows, and I
most certainly don't trust Windows to run a boundary firewall.

I don't know enough about how a firewall operates in Windows to know what
its failure modes are and what the implications for the security of that
machine and any others it is protecting are. Is it just a "user land"
application? If so, what happens if it crashes, does it crash "safe" with
all ports left protected, or does it crash and leave the system in the same
state as it would be if the firewall hadn't started?

In Linux, iptables is in the kernel. If the kernel crashes the machine goes
down and the system isn't vulnerable. It most definitely fails safe
(although I've never yet come across an example of iptables failing). If
it's a router/bridge everything behind it is safe.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
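
The fail-safe and "badly installed firewall" points raised in this thread can be checked mechanically on a Linux iptables box. The following is an added example, not part of any poster's message: it audits an `iptables-save` dump for a non-DROP default policy and for blanket ACCEPT rules on the Internet-facing side. The interface names (`eth0` outside, `eth1` inside) and both sample rulesets are assumptions constructed for illustration.

```python
"""Audit an iptables-save dump from a dedicated two-NIC firewall for fail-open mistakes."""
import shlex

# Assumptions (not from the thread): eth0 faces the Internet, eth1 faces the LAN.
# GOOD and BAD are constructed sample dumps, not taken from a real machine.
WAN_IF = "eth0"
ESTABLISHED_ONLY = {"ESTABLISHED", "RELATED"}

GOOD = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

BAD = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
"""

def parse_filter(dump):
    """Return ({chain: policy}, [rule tokens]) for the filter table only."""
    policies, rules, table = {}, [], None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            rules.append(shlex.split(line))
    return policies, rules

def opt(tokens, *names):
    """Value of the first un-negated option in `names`, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names and (i == 0 or tokens[i - 1] != "!"):
            return tokens[i + 1]
    return None

def audit(dump, wan_if=WAN_IF):
    """List reasons the ruleset would pass traffic it should drop."""
    policies, rules = parse_filter(dump)
    findings = [f"{c}: default policy is {policies.get(c, 'missing')}, not DROP"
                for c in ("INPUT", "FORWARD") if policies.get(c) != "DROP"]
    for tokens in rules:
        chain, text = tokens[1], " ".join(tokens)
        if chain not in ("INPUT", "FORWARD") or opt(tokens, "-j") != "ACCEPT":
            continue
        if len(tokens) == 4:  # "-A CHAIN -j ACCEPT" matches every packet
            findings.append(f"{chain}: unconditional ACCEPT: {text}")
        elif opt(tokens, "-i") == wan_if:
            # No state match means the rule also admits NEW connections.
            states = set((opt(tokens, "--state", "--ctstate") or "NEW").split(","))
            if not states <= ESTABLISHED_ONLY and not opt(tokens, "--dport", "--dports"):
                findings.append(f"{chain}: new connections accepted from {wan_if}: {text}")
    return findings

if __name__ == "__main__":
    print({"GOOD": audit(GOOD), "BAD": audit(BAD)})
```

On a live firewall the input would be the text printed by `iptables-save`, passed to `audit()` with `wan_if` set to the real outside interface.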
Anonymous
April 30, 2004 4:43:15 PM

In article <c6te4i$s57$1@south.jnrs.ja.net>, nmw@ion.le.ac.uk says...
> It's just my natural cynicism showing through. I don't trust Windows, and I
> most certainly don't trust Windows to run a boundary firewall.

Nigel, While I can understand your mistrust of Windows platforms, the
Unix platforms have gaping holes in their basic security structure too.
It's simply a matter of knowing what holes for what platforms and how to
fix them.

I've seen Unix boxes compromised as easily as Windows boxes, I've seen
firewalls compromised (non-appliance ones more than appliance) and I've
also seen IIS servers dating back to IIS 4 that are still running and
never been compromised (and run corporate sites).

I like the firewall appliance approach myself, I don't trust any OS or
PC to run as well as an appliance designed for a single purpose.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
April 30, 2004 5:39:03 PM

On Fri, 30 Apr 2004 12:43:14 +0100, Nigel Wade spoketh

>
>It's just my natural cynicism showing through. I don't trust Windows, and I
>most certainly don't trust Windows to run a boundary firewall.
>
>I don't know enough about how a firewall operates in Windows to know what
>its failure modes are and what the implications for the security of that
>machine and any others it is protecting are. Is it just a "user land"
>application? If so, what happens if it crashes, does it crash "safe" with
>all ports left protected, or does it crash and leave the system in the same
>state as it would be if the firewall hadn't started?
>
>In Linux, iptables is in the kernel. If the kernel crashes the machine goes
>down and the system isn't vulnerable. It most definitely fails safe
>(although I've never yet come across an example of iptables failing). If
>it's a router/bridge everything behind it is safe.

I can't speak for all firewalls, but at least the Symantec Enterprise
Firewall (formerly Axent Raptor) uses a "wedge" to insert itself into
the IP stack. Without the firewall software running, nothing will ever
happen on the IP stack. So, when the computer is booting, the IP stack
will be dead until the firewall daemons are started. In the event that
the firewall software suffers a full crash, the IP stack goes back to
being fully disabled. Since the firewall consists of a number of daemons
(i.e. httpd, smtpd, dnsd), the failure of one does not affect the state of
the others (unless the daemon that failed is the main process).

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
April 30, 2004 8:11:24 PM

<huge snippage>
> In Linux, iptables is in the kernel. If the kernel crashes the machine
> goes down and the system isn't vulnerable. It most definitely fails safe
> (although I've never yet come across an example of iptables failing). If
> it's a router/bridge everything behind it is safe.

No intention to start or aliment a flame here, but; first of all,
when I proposed IPCop the original poster wrote that he'd
like to use Windows, so; Ok, let's go for windows, and the
CHX NAT+PF I proposed works (imvho) very well; now,
about the "linux kernel" ... maybe you didn't know this but
Windows 2000 and up (XP, 2003) has a builtin firewall and
packet filter API which resides _in_the_kernel_ so there's
no point in the statement you made above (notice also that
those APIs were _already_ there in NT4 too although they
were undocumented and some functions didn't exist)

Here's the Microsoft reference

http://msdn.microsoft.com/library/default.asp?url=/libr...

and here's an interesting diagram

http://www.ndis.com/papers/winpktfilter.htm

All the best
April 30, 2004 8:48:20 PM

> > Well ... if windows is the way he wants to go...
> > well, he can go for windows as well, no prob
>
> Except it doesn't meet his "most secure" criteria...

Uh .. where's the "unsecure" in a _dedicated_
machine running a packet-filter and a NAT
and properly locked down ?!?

Btw if someone here thinks to use a firewall
to run some application then we may just
give up since at that point we won't be talking
about security anymore :-)

> The other problem is closing down all those ports

The CHX pf will do that (and more) w/o problems

> But that would cost him, IPCop is free.

Well .. the OP never asked for a "free" solution, also,
my first idea was to use IPCop, but since the OP did
ask for a windows solution I tried to give him the one
with the best quality/price ratio (the CHX won't cost
him an arm and a leg)

Regards
April 30, 2004 9:33:54 PM

> A firewall that is not connected to the network
> it is protecting is about as useful as a chocolate
> teapot.

Well .. but a chocolate teapot *IS* useful !!

You can always eat it :-) !!!
April 30, 2004 11:55:34 PM

"Nigel Wade" <nmw@ion.le.ac.uk> wrote in message
news:c6te4i$s57$1@south.jnrs.ja.net...
> Lars M. Hansen wrote:
> > On Thu, 29 Apr 2004 14:30:33 +0100, Nigel Wade spoketh
> >
> >
> >>ObiWan wrote:

> In Linux, iptables is in the kernel. If the kernel crashes the machine
> goes down and the system isn't vulnerable. It most definitely fails safe
> (although I've never yet come across an example of iptables failing). If
> it's a router/bridge everything behind it is safe.

Personally I would have thought a kernel crash in *any* operating system
would be enough to make it secure :-)
Anonymous
May 4, 2004 8:15:45 PM

Leythos wrote:
> In article <c6te4i$s57$1@south.jnrs.ja.net>, nmw@ion.le.ac.uk says...
>
>>It's just my natural cynicism showing through. I don't trust Windows, and I
>>most certainly don't trust Windows to run a boundary firewall.
>
>
> Nigel, While I can understand your mistrust of Windows platforms, the
> Unix platforms have gaping holes in their basic security structure too.
> It's simply a matter of knowing what holes for what platforms and how to
> fix them.

I know. It's just that I know about the UNIX/Linux ones, and how to fix
them. Also, I trust the UNIX vendors, and Linux as Open Source, to publicise
and fix the holes, more than I trust Microsoft. Microsoft still seem to be
firmly in the "security by obscurity" camp.

>
> I've seen Unix boxes compromised as easily as Windows boxes, I've seen
> firewalls compromised (non-appliance ones more than appliance) and I've
> also seen IIS servers dating back to IIS 4 that are still running and
> never been compromised (and run corporate sites).
>
> I like the firewall appliance approach myself, I don't trust any OS or
> PC to run as well as an appliance designed for a single purpose.
>

An appliance would be preferable, but on a fixed budget you get more with a
Linux firewall than with either Windows or an appliance. What you get with
Linux is purely hardware limited, whereas Windows and appliance firewalls
are generally software/firmware limited.

When I was looking around a couple of years ago the entry level appliances
were around twice what a PC base unit cost. IIRC that didn't even support
VPN and limited the number of stateful connections to around 100 or so, and
suggested a network throughput of ~20MB/s. To get the support we required
the price would have started around £1500-£2000. The £300 base unit we have
running Linux has no limit on VPN, bandwidth or stateful inspection, and
occasionally reaches 2-3% CPU utilization when someone is doing an FTP
transfer at 100% of the 100MB link.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555