Ubuntu-Server 6.10 As A Firewall/Gateway For Your Small Business

This is a COPY&PASTE howto for creating a firewall/(mail)gateway for a small network (say 10 to 15 users or so) on a PIII 450MHz, 512 MB RAM and two identical network interface cards, broadband connection, fully featured, for a business environment.

Needs very little maintenance and is extendable beyond your wildest imagination. All depending on the hardware used, of course.

Includes: Shorewall, NAT, Caching NameServer, DHCP Server, VPN Server, Webmin, Munin, Apache (SSL enabled), Squirrelmail, Postfix setup with virtual domains, Courier (imap, imaps, pop3, pop3s), SASL authentication for road warriors, MailScanner as a wrapper for SpamAssassin, Razor, ClamAV, etc. Samba installed, not configured.

Full Story.

re: Firewall/Gateway

What a stupendously bad idea, making a standard Linux box into a swiss army knife of Firewalls.

The basic idea is just plain dumb, but adding all those additional applications (especially samba) to an edge device is just begging to be exploited.

There are plenty of really good firewall projects (PFSense, IPCOP, Monowall to name a few) that provide excellent security and they're written and maintained by developers who actually know how to test and verify that they are indeed secure. Home rolled Linux boxes are NOT hardened, and most folks are clueless how to run their own exploit or penetration tests.

re: Firewall/Gateway

I tend to agree.

If you're gonna be building your own, get a good idea of what you're doing. Get well versed with REAL penetration tools, to ensure you've configured your box right. (The majority of compromises are because of misconfiguration or not keeping up with updates.)

One thing I've seen a lot of people do is slap on service upon service, upon service! It's a firewall FFS! The more services you offer, the higher the probability of encountering a problem (exploit). Often, it's just wiser to keep your firewall and servers separate.

This is a business we're talking about...Who's gonna take the blame when the shit hits the fan? :cry:

Wouldn't it be wiser if there was a support contract? So your boss can yell at someone else? :cuss:

For simplicity, go for something like M0n0Wall or IPCop. (M0n0Wall has much lower system requirements).

For something of features, consider ClarkConnect or SME Server. (ClarkConnect has paid support versions)

Personally, I wouldn't put pfSense in a production situation. I don't think it's sufficiently ready. (It's getting there quite well, but they're trying to do too much...The result is quite a number of bugs and problems. Haven't you noticed not many of their plugins work?)

If I were to build my own, I would pick OpenBSD as the basis. They have (at least) a reputation for security...Well, they live for it.

Compare this to Ubuntu...What's their security stance like? Is there an active team monitoring issues? What's their response when informed of security issues? Do they release a patch within hours of being informed? Do they drag their feet?

Firewalls aren't just for shits and giggles, put some serious effort and thought into it. Especially when your butt is on the line!
