Aaron
Member
Registered: 9th Aug 04
Location: Cottingham, East Riding
User status: Offline
|
Ok, I want to put a firewall into the school I work in. The only firewall we currently have is the one at our ISP, and it isn't good enough IMO.
Our LEA have given us a Class B address and we currently have no NATting, therefore the addresses on our LAN are 92.20.x.x.
My question is would this setup work?
I would like to have got a SonicWall but we can't afford it. I have now looked down the open source avenue and quite like the look of Smoothwall.
This side of networking is quite new to me, I am more used to working with Active Directory etc.
Any pointers would be great.
|
Aaron
Member
Registered: 9th Aug 04
Location: Cottingham, East Riding
User status: Offline
|
Stupid Visio, it's cut off some text.
Internet----Router-----Firewall-----Web Cache-----LAN
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
I run Smoothwall on my home network here and it does web cache/proxy (as long as you have a decent spec system with plenty of RAM) and it works well, so you might be able to kill two birds with one stone there, e.g.:
Internet----Router-----Smoothwall-----LAN
But yes, it should work fine and you can customise it until the cows come home.
p.s. - not sure about your IP addresses though, it would be
92.20.0.10 (router) -> (92.29.0.11) Smoothwall -> (192.168.x.x) LAN, that's if you didn't have the separate web cache server etc.
p.p.s. - if you need a hand setting up Smoothwall, give us a shout. I'm not an expert at it but I know my way around it fairly well.
|
Aaron
Member
Registered: 9th Aug 04
Location: Cottingham, East Riding
User status: Offline
|
Excellent
Yeah, the cache will need to stay because it's a video cache as well as web.
I'll have to do some more work on it tomorrow and get in touch with you if I need any help. The caretakers kicked us out early today so I couldn't finish what I was doing on it.
Thanks for the offer of help also.
[Edited on 12-02-2007 by Aj.]
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
No worries, let us know how you get on.
Btw, I would recommend that you sign up to the Smoothwall forum, it helped me out loads when I didn't have a clue with Linux and Smoothwall.
Oh, and when you get it up and running have a look here and look at the IDS (Snort) mods, especially the rules update (+ automatic extension), as the rules don't get updated on Smoothwall as standard.
|
Steve
Premium Member
Registered: 30th Mar 02
Location: Worcestershire Drives: Defender
User status: Offline
|
Use a proxy as your firewall, install something like the Squid caching proxy with Red Hat on it.
|
Aaron
Member
Registered: 9th Aug 04
Location: Cottingham, East Riding
User status: Offline
|
Our cache is a Squid box.
I don't think it's designed as a firewall though.
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Steve, you're probably thinking of Snort which is a firewall (IDS), which is another route Aj could go down - installing it on a Linux distro (might be worth looking at).
But Smoothwall is pretty simple to set up and is capable of doing a lot more than just a basic firewall.
|
Aaron
Member
Registered: 9th Aug 04
Location: Cottingham, East Riding
User status: Offline
|
The fact that we have no NATting at the moment is a bit of a problem, which is why I've looked at doing it the way in the diagram (with the 192.168.100.1/2 addresses).
I'd like to set our LAN to a private range address during the summer holidays, I don't have enough time to get round everything during this half term.
|
Aaron
Member
Registered: 9th Aug 04
Location: Cottingham, East Riding
User status: Offline
|
Also...
At the moment I have the default gateway for the client machines set to 92.20.0.10 (router). Once I implement this setup I'll need to take that out, right?
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
As Smoothwall is NAT'd, I believe you need to set each system to have the gateway of the Smoothwall rather than the router. I'm not too sure that Smoothwall can just be run as a firewall without NATting the connection etc.
Would be worth asking on the Smoothwall forums, as I'm not 100% to be honest.
|
Aaron
Member
Registered: 9th Aug 04
Location: Cottingham, East Riding
User status: Offline
|
Yeah exactly, that's why I've stuck the 192.168.100.X addresses in there.
I was told by a former colleague that in order for a firewall to function properly, the Green and Red sides cannot be on the same range of addresses.
My only other option is to change all the internal addresses on my network. I'll have a look round the forums on smoothwall.org.
[Edited on 12-02-2007 by Aj.]
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
I know that the red and green sides can't share the same subnet, but thought you could run the same IP range as long as the subnets were different (though ideally it's seen that you should have different IP addresses and subnets)?
Otherwise, like you say, you'll have to change your internal addresses.
|
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
|
quote: Originally posted by Dom
Steve, you're probably thinking of Snort which is a firewall (IDS), which is another route Aj could go down - installing it on a Linux distro (might be worth looking at).
But Smoothwall is pretty simple to set up and is capable of doing a lot more than just a basic firewall.
Snort isn't a firewall at all, it's an IDS as stated, but that stands for Intrusion Detection System. So it will detect you are getting gang fucked by someone but not prevent it.
|
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
|
quote: Originally posted by Dom
I know that the red and green sides can't share the same subnet, but thought you could run the same IP range as long as the subnets were different (though ideally it's seen that you should have different IP addresses and subnets)?
Otherwise, like you say, you'll have to change your internal addresses.
If a device has the same subnet on each side (on both network connections) then it's a filtering bridge type device, i.e. it's transparent to the user but sits there and filters.
A router by description is a device that forwards packets from one subnet to another.
|
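Willay's router-versus-bridge rule and Aaron's earlier question about the clients' default gateway can both be checked mechanically. The following is an added example, not code from the thread or from Smoothwall: the addresses are the ones quoted in the thread, the function names are mine, and the Smoothwall red address is assumed to be 92.20.0.11/16 with green on 192.168.100.1/24.

```python
from ipaddress import ip_address, ip_interface
from typing import Optional

def classify_device(red: str, green: str) -> str:
    """Classify a two-interface box from its red (WAN) and green (LAN)
    addresses in CIDR form: a router joins two different subnets, a
    filtering bridge sits inside one, and a partial overlap is trouble."""
    r = ip_interface(red).network
    g = ip_interface(green).network
    if r == g:
        return "bridge"    # same subnet both sides: transparent filter
    if r.overlaps(g):
        # Partial overlap (same range, different mask): the upstream router
        # still believes the green hosts are on-link and will ARP for them
        # instead of forwarding to the firewall, so replies need proxy ARP.
        return "overlap"
    return "router"        # disjoint subnets: routes between them, can NAT

def gateway_on_link(client: str, gateway: str) -> bool:
    """A default gateway only works when it sits in the client's own subnet."""
    return ip_address(gateway) in ip_interface(client).network

def gateway_fix(client: str, current_gw: str, green: str) -> Optional[str]:
    """Return the green-side address the client must switch its default
    gateway to, or None if the current gateway is still on-link."""
    if gateway_on_link(client, current_gw):
        return None
    new_gw = str(ip_interface(green).ip)
    if not gateway_on_link(client, new_gw):
        raise ValueError(f"{client} is on neither the old nor the green subnet")
    return new_gw

if __name__ == "__main__":
    # Constructed from the addresses mentioned in the thread.
    ROUTER = "92.20.0.10"
    RED = "92.20.0.11/16"
    GREEN = "192.168.100.1/24"
    print(classify_device(RED, GREEN))                     # router
    print(classify_device(RED, "92.20.0.12/16"))           # bridge
    print(classify_device(RED, "92.20.1.1/24"))            # overlap
    print(gateway_fix("192.168.100.50/24", ROUTER, GREEN)) # 192.168.100.1
    print(gateway_fix("92.20.5.50/16", ROUTER, GREEN))     # None
```

The "overlap" case is the one Dom asks about (same range, different subnet masks); the last two calls show that a client moved onto the green range must point at the Smoothwall, while a client left on 92.20.x.x can keep the router as its gateway.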
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
|
Aj - what's the Web Cache box running? What caching software/operating system? Also what control do you have over this network? Can you remove/touch the firewall?
|
Aaron
Member
Registered: 9th Aug 04
Location: Cottingham, East Riding
User status: Offline
|
It's an RM Smart Cache running Squid.
I have total control over this network and yes, I can work on the firewall.
|
Aaron
Member
Registered: 9th Aug 04
Location: Cottingham, East Riding
User status: Offline
|
The setup I have drawn at the top of the thread is the one now in use. All web traffic is now routed out through the cache, into the firewall and then to the router.
For test purposes I have taken my default gateway out (92.20.0.10) and it seems to work.
[Edited on 13-02-2007 by Aj.]
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote: Originally posted by willay
quote: Originally posted by Dom
I know that the red and green sides can't share the same subnet, but thought you could run the same IP range as long as the subnets were different (though ideally it's seen that you should have different IP addresses and subnets)?
Otherwise, like you say, you'll have to change your internal addresses.
If a device has the same subnet on each side (on both network connections) then it's a filtering bridge type device, i.e. it's transparent to the user but sits there and filters.
A router by description is a device that forwards packets from one subnet to another.
Never knew that.
So you could have a web cache in between your router and LAN that has the same subnet either side and it would be completely transparent to the LAN but still caching?
And willay, what's a Linux firewall then if Snort just detects that your systems are getting bummed?
|