Creating a "Hardware" firewall w/ Debian 6.0.3


DrB0b (IS-IT--Management)
May 19, 2011
First post on this side of the world, so please be gentle. The majority of my Linux background comes from Ubuntu Server 9 - 11 and some Debian. For a couple of years in college, I created and maintained a mock root DNS server in the above OSs sans GUI. That's been 2 years ago, so I'm a bit rusty.

Basically looking to get Debian, or another OS if a better-suited one exists, running as a firewall for a very small business (only 25 clients). If this is possible and will serve to better protect the internal network, I would like to pursue it, but could use some help with it. Just started the install today and am looking for either a helping hand or a possible tutorial or general advice on what should be enabled/disabled and what precautions to take to make this secure.

Thanks in advance for any and all info.

"You don't know what you got, till it's gone..."
80's hair band Cinderella or ode to data backups???
 
Pretty much any distribution will work as a firewall for your organization. I would suggest working with what you're comfortable with. The Linux kernel has a built-in firewall facility that will also handle NAT, called netfilter. The main front end for netfilter is iptables, which also has some GUIs associated with it. Given your application, I would recommend learning iptables directly, which has a syntax very much like the Cisco switch and router rules.

Here is a link to the most comprehensive iptables tutorial that I know of:
Here is a link to a more gentle introduction by a good author (you mention Ubuntu and you may recognize the name from the Ubuntu forums): and here is a more application-specific link from the same:

There are also firewall applications / software distributions specifically targeted towards this application. The most common one that I know of is shorewall:
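As an added illustration of the netfilter/iptables approach described in the reply above (this is example code written for this page, not something posted by Noway2 or taken from a linked tutorial): a script that generates a stateful, default-deny NAT ruleset for a two-interface Debian gateway in the iptables-restore format that /etc/iptables/rules.v4 uses, checks it for the properties a small-office firewall must have, and only then loads it. The interface names eth0/eth1 and the subnet 192.168.1.0/24 are assumptions for illustration; set WAN_IF, LAN_IF and LAN_NET for your box. The ruleset uses the older `-m state` match so it also works on the iptables 1.4.x shipped with Debian 6.

```shell
#!/bin/sh
# Added example: build a stateful NAT firewall ruleset in iptables-restore
# format for a Debian gateway with one WAN and one LAN interface.
# The interface names and LAN subnet below are assumptions for illustration.
WAN_IF="${WAN_IF:-eth0}"              # assumed: interface facing the ISP
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the office
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: office subnet behind NAT

# Emit the complete ruleset. Lines starting with '#' are ignored by
# iptables-restore, so the comments can stay in the saved file.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the office subnet behind the gateway's WAN address
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
# Default deny for traffic aimed at the box and for traffic through it
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Stateful inspection: only replies to connections we started get in
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# SSH management only from the LAN side, never from the Internet
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 22 -j ACCEPT
# Rate-limited ping so the box stays diagnosable without being flooded
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Log drops, throttled so a scan cannot fill the disk with syslog
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-IN-DROP: "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# Clients may go out; nothing unsolicited is forwarded in
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FW-FWD-DROP: "
COMMIT
EOF
}

# Refuse to load a ruleset that is not default-deny or has lost its NAT.
# Returns 0 when the ruleset passes, 1 otherwise.
check_rules() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '-j MASQUERADE' || return 1
    return 0
}

if [ "${1:-}" = "apply" ]; then
    # Root only: enable routing and load the ruleset atomically
    rules="$(gen_rules)"
    check_rules "$rules" || { echo "refusing to load unsafe ruleset" >&2; exit 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    printf '%s\n' "$rules" | iptables-restore
else
    # Default: print the ruleset so it can be reviewed or saved to a file
    gen_rules
fi
```

Run it without arguments to review the generated rules (or redirect them into /etc/iptables/rules.v4 for the iptables-persistent package), and as root with `apply` to load them. Because iptables-restore replaces the whole table in one operation there is no window where the box is half-configured, which is the reason to prefer this over a list of individual iptables commands in an init script. Test it from the LAN side first: the INPUT policy is DROP, so a typo that removes the SSH rule locks you out of a remote box.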
 
Thanks Noway2,

I see your knowledge spreads far, as you tend to have intelligent responses in some manner on almost all of the threads I follow. Enough flattery, back to the task at hand.

Yeah, I saw a lot of people recommended Shorewall, and there was a multitude of tutorials I had found for it. Honestly haven't looked into it much, but I will take a peek today. The tutorials you posted seem to depict what I'm looking for, and after some more reading I should be able to get a good start on the project.

Have you used Shorewall and/or do you know of any of its inherent weaknesses that need to be addressed?

 
No, I haven't personally used Shorewall. The reason I haven't is that I don't have spare hardware to dedicate to it. The recommendation for Shorewall came from my local LUG (Linux user's group), trilug.org. They have an active mailing list, and if you have questions on the product that aren't being answered sufficiently in a forum setting, you might want to ping that list. You may need to subscribe first so that you are validated by the spam filter, but I do vouch for their professionalism based upon my experience as a member for the last three years, and I am certain you will get honest, informed replies.

Off the top of my head, the primary disadvantage I see with Shorewall is a potential limitation of throughput. I want to emphasize the potential here as it will depend on your needs and the processing capacity to perform the packet inspection.



 