Mandrake 10.1 as a Firewall
Download this entire article as a PDF
- Introduction and Overview
- Installation
- Configuration Using the Web Interface
- Basic Web Services
- Testing and Enhancing Your Firewall
Update:
Since Mandrake was renamed to Mandriva, the MNF packages have been pulled from the main tree. I have since switch all of the Firewalls I setup over to use my NIMA packages (using Suse Linux Enterprise Server 10).
Introduction
As you investigate various Linux Distributions, you will soon notice that some Distributions excel at certain tasks over other Distributions. For example, Novell/Suse provides an excellent authentication/file server with their SLES9 product, Xandros makes for a great desktop for those transitioning from Microsoft Windows, Slackware can't be beat as a terminal client, Debian excels as a general purpose/backup server because of its security team and it's long release cycle, etc.
Mandrake Linux offers one of the best OSS Firewall servers available today. This stems from the fact that Mandrakesoft offers a great product called Multi-Network Firewall (MNF), which was released back in 2002. Mandrakesoft's MNF product offers a gathering of different Open Source Software Projects under a single easy to use web based graphical interface. What is little known, however, is the fact that the functionality of that product has been incorporated into their standard Distribution.
This article will cover installing and configuring Mandrake Linux 10.1 as a Firewall computer. This includes configuring Shorewall for Firewall Services, Named as a caching DNS Server, Squid as a web proxy, Squidguard for web filtering services, along with Snort and Prelude for intrusion detection services. Advanced features, such as Virtual Private Networks and utilizing a Demilitarized Zone are possible using the web interface, but will not be covered here. Note: This article covers setting up Mandrake in a way that is not supported by MandrakeSoft, also there are bugs that I will explain how to work around. If you are not comfortable editing text files on Linux, there are many other firewall distributions available (although IMO this is the best). Proceed at your own risk.
Prerequisites for this install are a Pentium (or higher) based computer with at least 64MB of RAM (mainly for the install), a floppy drive, 2 supported network cards and at least a 1GB hard drive (2GB is recommended if you will use the Squid caching-proxy server). You can also use a single network card and a supported modem if you are going to implement this on a dial-up connection. The firewall computer must also utilize a "supported" video card for the installation routine, as the "text mode" installation will not work properly for our needs.
Overview
What is a firewall is used for ?
Well, what a Firewall allows you to do is to route and control network traffic travelling between two different networks. For instance, You will want to implement a firewall wherever you want computers on another network to have limited or no access to your network. The classic example of this is the Internet. You should put a firewall between your local network and the Internet to protect your computers from unnecessary or unwanted traffic coming from the Internet.
Another good use for a firewall is to separate any Wireless Access Points on your network, so all traffic will go through a firewall before entering your network. This actually allows you to offer Internet Access to any one using a wireless connection without compromising the security of your local network. You could also use a firewall to separate a "testing network" from a production network, especially if you need Internet Access for your testing network. Doing this allows you to fully configure and test any servers without harming the current network, this is especially useful when working with Windows Domains.
What makes up a good firewall?
Well first, it must do what it is supposed to do - block unnecessary traffic. Beyond that, what you want to look for is the ease of use/install, the amount of features, etc. These will vary for different sites. Some sites could get by with a simple IP Tables script that simply blocks most incoming traffic and routes all traffic from the internal LAN to the Internet. Other sites need advanced routing techniques. Today there are many standalone Linux distributions that offer Firewall Services. Smoothwall, etc. all offer easy to install/use, and most offer very nice features (some for a hefty price). A nice thing about using Mandrake Linux as a firewall is that not only can you implement nearly any feature for little or no cost, but you also have nearly any Open Source Packages you would want or need readily available. Plus, the entire product is GPL'd so that you can see exactly how the product works at the source level if needed.
