Chapter 8: Local Network Services
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
# dhcpd resolves these names once, when it reads the file, so it must be able
# to look them up at startup
option domain-name-servers server1.centralsoft.org, server2.centralsoft.org;
# the pool must lie inside the declared subnet; dhcpd refuses to start on a
# range that runs past the /24 (such as 192.168.1.2 192.168.100.254)
range 192.168.1.2 192.168.1.254;
}
Another Approach to Gateway Services
This section covers the use of packaged gateway and firewall combination products
with multiple feature sets. Several free packages exist, such as Firestarter and
Shorewall; both are front ends that write rules for Netfilter, the packet-filtering
framework built into the Linux kernel, rather than firewalls in their own right.
IPCop, Smoothwall and ClarkConnect, which you will see mentioned in Linux literature,
are dedicated firewall distributions that install an entire Linux system rather than
standalone applications, and the latter two are offered as commercial products.
For use in this chapter, we chose Firestarter. However, you may want to take a look
at Shorewall, a command-line configuration utility for Netfilter that needs no
graphical desktop.
You can download Firestarter from the Fedora repositories. Our installation had the
following package:
[root@host2 ~]# rpm -q firestarter
firestarter-1.0.3-11.fc5
[root@host2 ~]#
The Firestarter Firewall Wizard (Figure 8-5) launches when an administrator starts
the program the first time. You can relaunch the wizard from the Firewall menu in
the main interface, as well as change the choices through the Preferences option.
Figure 8-5. The Firestarter Firewall Wizard
After the initial splash screen comes a series of configuration screens, starting
with the Network device setup screen (Figure 8-6), which lets you assign roles to
two network cards.
Firestarter refers to its primary function as connection sharing. Because it uses
NAT (masquerading on the Internet-facing interface), it functions as a gateway:
client PCs on the internal LAN appear to the Internet as a single machine with a
single IP address, and hosts on the Internet cannot open connections to them unless
you explicitly forward a service. This becomes evident, for example, in the
preferences screen shown in Figure 8-7. Notice that the first device description
refers to the “Internet connected network device” and the second description refers
to the “local network connected device.”
You can also see toward the bottom of Figure 8-7 that Firestarter allows the
administrator to use an existing DHCP configuration or create a new one. Here’s
Firestarter’s dhcpd.conf file:
# DHCP configuration generated by Firestarter
ddns-update-style interim;
ignore client-updates;
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
option domain-name-servers 70.253.158.42, 70.253.158.45, 151.164.1.8;
option ip-forwarding off;
range dynamic-bootp 192.168.1.10 192.168.1.254;
default-lease-time 21600;
max-lease-time 43200;
}
Figure 8-6. The Network device setup screen
The DNS servers in that file come from the gateway’s own /etc/resolv.conf:
Firestarter reads it and copies the nameserver addresses into the
domain-name-servers option, so every DHCP client resolves names through the same
servers the gateway uses. Check resolv.conf before enabling DHCP, because whatever
it lists is what the clients will get.
The main interface of Firestarter provides a view of the gateway’s status and
connections to DHCP hosts. It also provides a summary of events and activity, as
shown in Figure 8-8.
In Figure 8-9, you can see a view of events from the second tab of the main interface.
In this view, you can see the blocked connections.
The Events panel is a log of connection attempts the firewall has blocked;
Firestarter calls each one a hit. You might find it useful when intruders probe your
systems. If a source persists, you can add its IP address to the /etc/hosts.deny
file, but note that hosts.deny only governs services built with TCP wrappers (on
Fedora, sshd is one); it does not change the firewall, so a policy rule is the more
complete block. If someone attempts to enter through ssh’s port 22 using a
dictionary attack, you can simply close the port with Firestarter, or narrow the SSH
rule to the addresses you administer from and disable password logins in
sshd_config (PasswordAuthentication no) so the dictionary has nothing to guess
against.
The Firestarter icon turns red when it sees a potential exploit in the making. Notice
the message above it in Figure 8-10: “Hit from 221.237.38.68 detected.” A hit is a
blocked packet, not a successful intrusion, but a host that keeps hitting you is
worth investigating.
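To make the hosts.deny advice concrete, here is an added example (not code from the book or from the Firestarter project) that runs over kernel firewall log lines of the kind an iptables LOG rule writes to /var/log/messages, counts blocked SSH attempts per source address, and emits hosts.deny entries for the repeat offenders. The log lines, the host name host2, the log prefix “Inbound DROP:” and the addresses are constructed for the example; Firestarter’s own prefix may differ, but the IN=/SRC=/DPT= fields are the kernel’s standard format.

```sh
#!/bin/sh
# Added example: turn firewall "hits" into a hosts.deny list for repeat SSH probes.
# The SAMPLE_LOG lines are constructed in the format the kernel's iptables LOG
# target writes; they are not real Firestarter output.
SAMPLE_LOG='Jun  3 10:01:02 host2 kernel: Inbound DROP: IN=eth0 OUT= SRC=221.237.38.68 DST=70.253.158.20 PROTO=TCP SPT=4123 DPT=22 SYN
Jun  3 10:01:03 host2 kernel: Inbound DROP: IN=eth0 OUT= SRC=221.237.38.68 DST=70.253.158.20 PROTO=TCP SPT=4124 DPT=22 SYN
Jun  3 10:01:05 host2 kernel: Inbound DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=70.253.158.20 PROTO=TCP SPT=51000 DPT=22 SYN
Jun  3 10:01:09 host2 kernel: Inbound DROP: IN=eth0 OUT= SRC=221.237.38.68 DST=70.253.158.20 PROTO=TCP SPT=4125 DPT=22 SYN
Jun  3 10:02:11 host2 kernel: Inbound DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=70.253.158.20 PROTO=TCP SPT=33001 DPT=80 SYN
Jun  3 10:02:12 host2 kernel: Inbound DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=70.253.158.20 PROTO=TCP SPT=33002 DPT=2200 SYN
Jun  3 10:03:30 host2 kernel: Inbound DROP: IN=eth0 OUT= SRC=221.237.38.68 DST=70.253.158.20 PROTO=TCP SPT=4126 DPT=22 SYN'

# ssh_hits: read log lines on stdin and print "count address" for every source
# that was dropped while trying to reach TCP port 22, busiest first.  DPT=22 is
# matched as a whole field, so a probe of port 2200 does not count.
ssh_hits() {
    awk '
        /PROTO=TCP/ && / DPT=22( |$)/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); hits[$i]++ }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# deny_list THRESHOLD: emit hosts.deny lines for sources with at least
# THRESHOLD dropped SSH attempts.  hosts.deny only governs services built with
# TCP wrappers (sshd on Fedora is one); it does not change the firewall rules.
deny_list() {
    ssh_hits | awk -v threshold="$1" '$1 >= threshold { print "sshd: " $2 }'
}

# usage: printf '%s\n' "$SAMPLE_LOG" | deny_list 3
#    or: deny_list 3 < /var/log/messages >> /etc/hosts.deny   (as root, after review)
```

Run against the constructed sample with a threshold of 3, deny_list reports only 221.237.38.68, the address that probed port 22 four times; the single attempt from 198.51.100.7 and the web and port-2200 probes from 203.0.113.9 are left alone. Review the output before appending it to hosts.deny, since a typo in an address can lock you out of your own sshd.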
The third tab on the main interface allows you to set policies for services you will or
will not allow. For example, we allow SSH connections into the firewall from the
outside, so we set a policy to allow SSH on port 22.
Figure 8-7. Firestarter Preferences screen
Firestarter uses a wizard to configure gateway policies. You can get a glimpse of how
this works in Figure 8-11.
Figure 8-11 shows a window named “Add new inbound rule.” This screen appears
after you select Add Rule on the Policy tab. In this window, you can choose to allow
a service, allow all connections from a host, or forward a service to a machine on
the LAN, and you can limit the source to anyone, to LAN clients, or to a specific IP
address, host or network. Prefer the narrowest source that still works: an SSH rule
open to anyone is what a dictionary attack needs. A similar screen exists for
outbound rules, which govern what your LAN users may connect to.
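The policy rules described above and the connection sharing described earlier both end up as Netfilter rules. As an added example, not code from the book or the script Firestarter itself installs, the following shell function prints the iptables rule set for such a gateway: masquerading for the LAN, a default-deny inbound policy, DHCP from the LAN side, anti-spoofing, logging of dropped packets (the “hits”), and an SSH allow rule narrowed to an administrative network instead of open to anyone. The interface names eth0 and eth1, the LAN 192.168.1.0/24 and the administrative network 203.0.113.0/24 are assumptions for the example. It prints the commands rather than running them, so you can read them, or compare them with what Firestarter installed (iptables -L -n -v and iptables -t nat -L -n), before piping the output to sh as root.

```sh
#!/bin/sh
# Added example (not Firestarter's own script): print the iptables rules for a
# NAT gateway with a default-deny inbound policy.  Nothing is applied; pipe the
# output to sh as root once you have read it.
#
# usage: gateway_rules EXT_IF INT_IF LAN_NET ADMIN_NET
#   EXT_IF    Internet-connected device (assumed eth0)
#   INT_IF    local-network-connected device (assumed eth1)
#   LAN_NET   internal subnet handed out by dhcpd (assumed 192.168.1.0/24)
#   ADMIN_NET the only outside source allowed to reach sshd on the gateway
gateway_rules() {
    ext_if=$1; int_if=$2; lan_net=$3; admin_net=$4
    cat <<EOF
# the kernel must route between the two cards
sysctl -w net.ipv4.ip_forward=1
# start from a clean, default-deny slate: nothing reaches or crosses the
# gateway unless a rule below allows it
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# anti-spoofing: a packet arriving from the Internet cannot carry a LAN source
iptables -A INPUT -i $ext_if -s $lan_net -j DROP
iptables -A FORWARD -i $ext_if -s $lan_net -j DROP
# replies to connections the gateway or the LAN opened
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP: DISCOVER packets have source 0.0.0.0, so this must not be limited to $lan_net
iptables -A INPUT -i $int_if -p udp --sport 68 --dport 67 -j ACCEPT
# LAN clients may use the gateway's other services (DNS forwarding, ssh, ...)
iptables -A INPUT -i $int_if -s $lan_net -j ACCEPT
# SSH from the Internet only from the administrative network, never from anyone
iptables -A INPUT -i $ext_if -p tcp -s $admin_net --dport 22 -m state --state NEW -j ACCEPT
# everything else from the Internet is logged (these are the "hits") and dropped
iptables -A INPUT -i $ext_if -j LOG --log-prefix "Inbound DROP: " --log-level info
# connection sharing: the LAN may go out, and the source address is rewritten
# to the gateway's public address on the way (NAT)
iptables -A FORWARD -i $int_if -o $ext_if -s $lan_net -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext_if -s $lan_net -j MASQUERADE
EOF
}

# ssh_is_restricted: read a rule set on stdin and succeed only if every rule
# that opens port 22 carries a source (-s) match; a quick check that nobody
# has widened the SSH rule back to "anyone"
ssh_is_restricted() {
    if grep -- '--dport 22' | grep -v -- ' -s ' | grep -q .; then
        return 1
    fi
    return 0
}

# usage: gateway_rules eth0 eth1 192.168.1.0/24 203.0.113.0/24 | ssh_is_restricted && echo ok
#    or: gateway_rules eth0 eth1 192.168.1.0/24 203.0.113.0/24 | sh   (as root)
```

Rule order matters: the anti-spoofing and ESTABLISHED,RELATED rules sit before the allow rules, and the DHCP rule sits before the LAN rule because a client that has no address yet sends from 0.0.0.0, which the -s 192.168.1.0/24 match would never accept. Services reachable from the Internet are exactly the accept rules on the external interface, which here means SSH from the administrative network and nothing else.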
You will find Firestarter an easy application to configure. The project community has
done an outstanding job of documenting the procedures in a well-written and
succinct user guide, which you can find at http://fs-security.com/docs.php.
Figure 8-8. Firestarter’s main interface
At this point, you may be wondering why we’ve included an application dependent
on the GNOME desktop. Recall that when we chose Fedora as the distribution for
local networking, we did so because of its extensive tool set. Adding Firestarter
fits into our philosophy without removing our ability to use the command-line
interface.
Figure 8-9. Firestarter’s Events panel
Figure 8-10. Panel icons showing an attempted intrusion