How would I set up a stateful firewall, NAT, and HTTP proxy server?

jjyiz28

Platinum Member
Jan 11, 2003
What would be the best way to set something like this up for an internal network? Which should come between the internet and the internal network?

internet <> stateful firewall <> dedicated NAT server <> then internal network which has http proxy server and clients

Is this the correct way?
 

Fuzznuts

Senior member
Nov 7, 2002
internet <> Linux or BSD box doing firewall, NAT, STATEFUL FILTERING and Squid for proxy <> LAN

That's how it would work. You could move the proxy to another box, but put it on the gateway box, make it transparent, and you're laughing.

That's what I'd suggest, anyway.
 

jjyiz28

Platinum Member
Jan 11, 2003
But isn't that one point of failure? Kinda like why you don't want to run domain controller, DNS, DHCP, etc. all on 1 server.
If I want to set it up so that only one server does the one function, how then would I set it up?
 

Thoreau

Golden Member
Jan 11, 2003
If either the firewall box or the NAT box goes down, your network is not going online anyway. That way you have two machines that could fail, instead of one.
 

Fuzznuts

Senior member
Nov 7, 2002
Originally posted by: jjyiz28
But isn't that one point of failure? Kinda like why you don't want to run domain controller, DNS, DHCP, etc. all on 1 server.
If I want to set it up so that only one server does the one function, how then would I set it up?


It'll be fine as long as the box is up to the job hardware-wise. Obviously, if you use an old 486 that's 12 yrs old, don't expect much in the way of reliability.

My home box is an XP1500 running Fedora Core. It's my firewall, domain controller, DNS, FTP server, mail server, web server and a load of other things. It's currently been up for 15 days; previous to that it was 58, brought it down to upgrade to Fedora. While it was running Red Hat 9 it was up for 190 days.

It runs SETI 24/7 so it's under load constantly. If you build a box with decent parts I would expect the same level of reliability for yours.
 

groovin

Senior member
Jul 24, 2001
I agree with them, Linux or BSD. If you want high availability, go with Linux because there are lots of failover options out there. Not too much with BSD, but some do exist. I just never liked iptables on Linux... making firewall rules with it never made sense to me.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
I have a $10 (current value of a very old SMC Barricade) Wireless Router that does all of this.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
I have a $10 Wireless Router (current value of an old SMC Barricade) that does all of the above.

In other words, you find somewhere an old Barricade, you flash it with the most updated firmware, and presto, you're set.

However, if you want to learn how to use Linux (maybe it is your 2004 big resolution), then start with Smoothwall.
 

n0cmonkey

Elite Member
Jun 10, 2001
High availability/load balancing available through CARP on OpenBSD -current.
BGP available on OpenBSD -current.

OpenBSD already has PacketFilter, one of the best new firewalls out there. It's quickly shaping up to be a great firewall system for more than just home use.

Squid, which runs on OpenBSD, does http proxying, as does apache. I'd consider putting the proxying on one box and the firewalling on a second/third. Of course, this depends on how many users and how busy the connection will be.
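The single-gateway design Fuzznuts sketches (firewall, NAT, stateful filtering and transparent Squid on one box) and the PacketFilter n0cmonkey mentions, written out as an added example pf.conf that is not from the thread. It assumes em0 as the external interface, em1 facing a 192.168.1.0/24 LAN, Squid on the gateway listening on 127.0.0.1:3128 in intercept mode, and the pf syntax of OpenBSD 4.7 or later.

```pf
# Added example, not from the thread. Assumed: em0 = external, em1 = LAN,
# Squid on this box with "http_port 3128 intercept" in squid.conf.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
proxy  = "127.0.0.1"

set skip on lo0
set block-policy drop

# Normalise packets before filtering
match in all scrub (no-df)

# NAT: rewrite LAN source addresses to the external interface address
match out on $ext_if from $lan to any nat-to ($ext_if)

# Transparent proxy: LAN web traffic is redirected to Squid on the gateway
pass in quick on $int_if proto tcp from $lan to any port 80 \
    rdr-to $proxy port 3128

# Default deny; only rules below create state, so replies come back
# through the state table and nothing unsolicited gets in from outside
block all
block in quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# LAN out to the Internet (and to Squid), stateful
pass in on $int_if from $lan to any keep state
pass out on $ext_if from any to any keep state

# Admin access to the gateway itself only from the LAN side
pass in on $int_if proto tcp from $lan to ($int_if) port 22 keep state
```

Load it with `pfctl -nf /etc/pf.conf` to syntax-check first, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state table the "keep state" rules build.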
 

jjyiz28

Platinum Member
Jan 11, 2003
But how would I set it up if I want one computer to do just 1 function? How do most big corporations have it set up? Obviously they won't put it all on one box.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: jjyiz28
But how would I set it up if I want one computer to do just 1 function? How do most big corporations have it set up? Obviously they won't put it all on one box.

Every place I've worked has done Firewalling and NAT on the same machine.

Internet <-> Firewall/NAT <-> Proxy server <-> clients

I guess you can do NAT and Firewalling on separate machines, but I can't imagine it would really help much.

EDIT: Most corporations would probably be using a firewall with HA/autofailover too (along with routers, and sometimes the internet connections themselves).
 

Rainsford

Lifer
Apr 25, 2001
Originally posted by: n0cmonkey
Originally posted by: jjyiz28
But how would I set it up if I want one computer to do just 1 function? How do most big corporations have it set up? Obviously they won't put it all on one box.

Every place I've worked has done Firewalling and NAT on the same machine.

Internet <-> Firewall/NAT <-> Proxy server <-> clients

I guess you can do NAT and Firewalling on separate machines, but I can't imagine it would really help much.

EDIT: Most corporations would probably be using a firewall with HA/autofailover too (along with routers, and sometimes the internet connections themselves).

Same with me, I don't think I've ever seen Firewalling and NAT on different systems. Like n0cmonkey said, I suppose you could do it on different machines, but realize you will be introducing an extra hop, additional latency, added configuration issues and lower reliability (two systems to fail instead of one, either of which would take down your internet link). Also, keep in mind that unless you are really setting this up for some heavy duty use (and I mean really, really heavy duty), any system you would set up would be way underutilized and would have plenty of power to do all three tasks, and certainly firewalling and NAT.
 

Fuzznuts

Senior member
Nov 7, 2002
Originally posted by: JackMDS
I have a $10 Wireless Router (current value of an old SMC Barricade) that does all of the above.

In other words, you find somewhere an old Barricade, you flash it with the most updated firmware, and presto, you're set.

However, if you want to learn how to use Linux (maybe it is your 2004 big resolution), then start with Smoothwall.

Pah, where's the fun in that? Besides, does your SMC do email filtering and host a website with a MySQL backend? I'd also like to see it traffic shape.
 