Firewall question

[Tea]

Bloody Tannin. Leaves everything to me.

I've no sooner got back to the office than he tells me I have to figure out a better way to connect customer machines up to the cable modem for on-line virus scanning.

Back in the old days, Tannin used to get a fresh copy of VET in the mail once every month, and that was about three times oftener than was required to keep up with the latest viruses. (This was floppy disc days, of course.)

Now, the only way to be sure something is virus-free is to scan it with a right up-to-date program, and while we can have PC-Cillan subscriptions for our own machines and keep them up-to-date, we can't do that with customer machines. House Call is the only practical method.

Currently, we have a Smoothwall firewall/DHCP server/router for the office network, and it works great. But, obviously, we can't go plugging random machines off the street into our own network. So we use the Tannin method: pull the pin on the office network and, using a crossover cable, plug the customer's machine directly into the Smoothwall, which (in turn) connects to the cable modem.

That works, but it (a) takes away our internet access for an hour or more at a time, and (b) means that if we get two or three virus jobs in at the same time, we can't do them all - we can only do one at a time.

So, what we need is a second hub ONLY for suspect machines (easy enough) and to have that second hub isolated from the ofice network. Ideally, each of the ports on it would be isolated from each of the others (to avoid cross infection) but that might be asking a bit much.

One final complication: our stupid cable provider has an infuriating system such that you must always use the same NIC to access the network. If you use a different machine (or actually, a NIC with a different MAC address), it times out for anything up to 4 hours. Then, when you switch back, you have to wait four hours again.

So, as far as the cable modem is concerned, we need to always present it with the same firewall machine.

Any ideas?

 

[Tea]

PS: I don't mind spending a bit of the old boy's money, though ideally I'd do the whole thing on a shoestring.

 

[The JoJo]

A separate NIC in the Smoothwall, and call that the DMZ. Only DMZ to internet traffic allowed of course.

 

[The JoJo]

...and a switch to the DMZ interface and customers machines behind that.

 

[Tea]

Easy as that? I tried setting up a DMZ NIC once, but it got way too complivated for me to understand. That, however, was with the (over-ambitious) intention of setting up a web server - something I don't need to do at present. I'll give it another go.

Thanks, JoJo!

(Have a mango.)

 

[Tea]

OK, I finally got around t trying this out. Or rather, the Soup Nazi did. Took him quite awhile, as it's simply not documented.

Smoothwall walks you by the hand through the basic red-green setup in ways that your father could understand - hell, Tannin understands it! But as soon as you venture off into the world of an irange NIC - blooie! You're on your own.

Anyway, the Soup Nazi finally figured it out. (With a little help from me.) You have to set the Orange NIC to a fixed IP which must be in a seperate address range. But you can't use DHCP on the orange card. Let's work an example.

Red IP: dynamic, assigned by your ISP

Green IP: 192.168.0.1

Local network (trusted machine) IPs: dynamic, in the 192.168.0.x range, as assigned by the Smoothie - or you can have static IPs within that range as well, provided they don't clash with the dynamic IPs. For e.g., my #1 server has the fixed IP 192.168.0.111.

Orange IP: 10.0.0.1

The machines attached to the orange NIC must be manually given static settings from within that range. For example:

Address: 10.0.0.22
Default gateway: 0.0.0.1

And so on.

This is a total pain in the arse.

 

[The JoJo]

Oh damm, that sucks. Sorry, I thought it would have worked ok.

 

[Tea]

Anyway, here is what I plan to do about it.

Buy a combination firewall/router/hub from one of the usual suspects. (I could also use a second Smoothwall and a stand-alone hub - same difference, but I'm getting short of space.)

Configure it to the static address 10.0.0.1 on it's RED side (i.e., the bit that connects to the orange outlet of the Smoothwall).

Configure it to 192.168.1.1 on its GREEN side. (Or anything non-routable, just so long as it is not 192.168.0.1, as that is the default address of most firewalls - and yes, we will be plugging other firewalls into this - see below).

Set it to be a DHCP server.

With this setup, we can:

(a) Virus scan customer machines: fit a NIC or configure an existing one to auto-everything, then hit Housecall for a scan.

(b) Set up and test customer firewalls: note that this way they can be configured in exactly the same way that they will be once they enter service - which is always a good practice.

In neither case can a customer's machine infect our network, as the Smoothwall orange isolates it 100%.

Or does it? From my 192.168.0.111 server (for example) I can ping a customer machine on (say) 10.0.0.20 through the orange link. But it can't ping me. Is this right?

Anyway, is this setup as good a way as any to do it gentlemen?

I am aware that by hooking up, say, three customer machines to the hub at the same time, we risk cross-infections, but I don't see any way to avoid that. I'm damned if I'm going to have four firewalls just so I can have our own network and three customer machines hooked up.

 

[Tea]

Clarification: I mean hooking up 3 customer machines to the second hub - i.e., the new one that I'm going to attach to the orange NIC.

 

[The JoJo]

This configuration was the first that I would have thought of, but it bothers me to use 2 firewalls/routers for that.

Sounds like the easiest way to get what you want. And it's not so pricey, as a router/firewall/switch with a lot of ports is pretty cheap.

 

[Tea]

Thanks, JoJo. I'll do it that way then, not stoping to count the pennies. Especially as it's Tannin's credit card, not mine. :wink:

 

[CityK]

Currently, we have a Smoothwall firewall/DHCP server/router

Shouldn't that be Sonicwall as opposed to Smoothwall (the s/w firewall run by notorious loudmouth/jackass Richard Mic-something-or-other)?

 

[blakerwry]

no, i think he means smoothwall


If it helps tannin, I'm sure you can do what you want with a single smoothwall box, but it's going to take some linux expereince or the time to learn it.

As far as the hand holding, I have encountered the same thing with coyote firewall... As long as you're doing the basic setup it's easy as pie. But once you get to something more advanced you're just kinda on your own.

 

[Tea]

Nope, CityK, "Smoothwall" is correct. He is indeed a loudmouthed jackass, but who cares? I don't have to listen to him. The product (bar the lousy documentation) works perfectly, and it's completely free. All you need is an old PC (anything will do - this one is a Pentium 133 with 32MB and a 2GB hard drive, but a 486 DX/4 would do at a pinch) and two (or in my case 3) network cards. It's the cheapest, and probably the best, firewall you can get.

 

[Tea]

I suspect you are right, Blake. But way too complicated for me to try. I'm a Linux moron.

 

[Howell]

Richard is no loger a part of the Smoothwall project. Tannin you might just post a message to the newsgroup/messageboards. You will want to make sure that orange is indeed closed to green by default.

Alternatively, anybody with iptable experience and time should be able to help you.

 

[Tea]

Looks like I might have to do that, Howell. I can't get it working. (Well, actually I might have to ask Tannin to do that for me - I don't know if the Smoothwall BBS people are quite ready for ... er ... a young and cheeky simian companion.

Today I built another Smoothie. Let's call it "Roughie" to distinguish it from the primary Smoothie that looks after the office network. Buggerised around for about three hours, but I couldn't get it working. Among other things, I also tried a Linksys firewall/router. Exactly the same problem with that.

I can see the Roughie from a client machine no problems.

I can connect to the web via the Orange port on the Smoothie with a client machine no problems. (i.e., connect direct using a static IP and without the Roughie in the chain.)

The Roughie can connect well enough to register with smoothwall.org no problems. (At least I think so.)

But nothing else. I can't even ping out.

Damned if I know what the problem is. I'll have a look at it again tommorow.

sigh

 

[Howell]

When you say you can see Roughie from a client machine I assume you mean from Roughie green.
Sounds like roughie red is not working properly. Can you ping SF.net from the smoothie console?

 

[Tea]

Can you ping SF.net from the smoothie console?

Nope.

I don't know how. (I'm a linux moron.) Hell, I don't even know how to get to a Smoothwall console, never mind ping.

But that is, I think, the nub of the problem. I can't get nuffin through any of the second firewalls (the Roughie, or either of two different Linksys firewall/routers). But just plugging a spare machine into the orange interface of the Smoothie and setting the appropriate static IP, DNS server, and gateway works fine.

 

[Howell]

Hook a monitor/mouse/keyboard up to Roughie. Login as username:root, password:whatever you picked.

Try to ping the gateway address of the segment you are on.

During smoothie setup did you tell it to use DHCP on Roughie Red or did you specify the IP/subnet mask and gatway.

ping command: ping 192.168.0.1

Alternatively you could login at the console as setup and whatever password you picked and check the network configuration.

 

[Tea]

OK, I tried another theory. It seems to make sense, but someone check my logic, please. I started by asking myself:

* What's the difference between connecting to 17,000,000 insecure computers (the Internet) and 17,000,001 insecure computers (the Internet plus one local machine)?

Answer came there none.

If I'm prepared to connect to the web, protected only by a Smoothwall, why should I not be prepared to connect to an insecure local network (again, via a Smoothwall) which is itself connected to the web? I couldn't think of a good reason.

So I took a second box (call it Roughie), plugged an 8-port switch into it, and then plugged the office Smoothie into that switch, Also plugged into that switch is anything from zero to 6 customer machines doing on-line virus scans, Windows Update, and anything else that seems like a good idea at the time.

It means that I now need two woking firewall boxes up to (e.g.) do mo on-line banking, but I can live with that. The benefit of having all the in-workshop machines on-line without stuffing about with static IP addresses is significant.

Did I did good?

 

[Tannin]

And the benefit of hitting "preview" before hitting "submit" is that your posts don't come out scrambled, Tea.

 

[Buck]

Sounds good to me.

 

[ddrueding]

Late to the party again....sorry.

My suggestion would be to connect the orange on smoothie to one of the LAN ports on your hardware router. That way you are only using the DHCP server and not bothering with another layer of NAT/BS...

Just a thought.

 

[ddrueding]

So here I make one of my very few contributions, and I get no responses? I've taken so much from the group, I wish I could give more back...but this was it

 

[Howell]

David, It's enough just to see that "cat-in-a-glass".

 

[ddrueding]

David, It's enough just to see that "cat-in-a-glass".

I'm glad you like it ;