
Sat Aug 28, 2004 9:27 PM

Spent the afternoon upgrading my firewall. It was a very stable machine, but it was running RedHat 7.3, which is beyond getting old. Also, I wanted to add more network interfaces to it to handle the new DSL line I should in theory be getting next week.

I had hopes it would be a pretty simple operation. I installed Fedora Core 2 on a test box, and got it configured with SELinux and the packages I wanted. Then, I just swapped the drive into the old machine along with a 4-port Matrox network card. The first issue I ran into was that the video card had decided to croak on that firewall box, and I never noticed since I never logged into the console there. Managed to scrounge up another AGP card and got past that problem. Then I had to figure out which port was which on the network cards. This new setup currently has 4 active interfaces and will soon have 6. One each for: main DSL, cable, new DSL, internal network, wireless, and DMZ.

Moving the access point to its own interface was a pain. Had to reconfigure it and then tweak the firewall rules to allow what I wanted. It should now allow VPN traffic and that's about it. Next pain was me messing up on modifying the /etc/sysconfig/syslog file to not log all the firewall denies to the console. I put in there a '-n 4' instead of '-c 4'. -n tells it to not background, so it would hang there on boot.

Some nice things about this setup: I named the interfaces based on what they are connected to, not eth0 or whatever. Makes looking at the firewall logs very nice, you can see right away that a packet was IN=dsl and going OUT=wireless. SELinux should make things pretty secure. Even root is pretty restricted on what it can do.
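The descriptive interface names pay off once you start summarizing the logs rather than eyeballing them. The script below is an added example, not from the post or the firewall it describes: it parses netfilter-style kernel log lines into their `IN=`/`OUT=` fields, counts denied flows per interface pair, and lists accepted traffic arriving on the wireless interface that is not on a VPN allow-list. The `FW-DROP`/`FW-ACCEPT` log prefixes, the sample log lines, and the assumption that "VPN traffic" means IPsec (UDP 500/4500 and ESP) are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample log lines in the style of netfilter kernel output.
# Interface names are descriptive (dsl, wireless, ...) as in the post;
# the addresses, prefixes and events are made up for this example.
SAMPLE_LOG = """\
Aug 28 20:01:13 fw kernel: FW-DROP IN=dsl OUT=wireless SRC=203.0.113.7 DST=192.168.5.20 PROTO=TCP SPT=44123 DPT=445
Aug 28 20:01:15 fw kernel: FW-DROP IN=dsl OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22
Aug 28 20:01:20 fw kernel: FW-DROP IN=wireless OUT=internal SRC=192.168.5.20 DST=192.168.1.10 PROTO=TCP SPT=40000 DPT=139
Aug 28 20:01:22 fw kernel: FW-ACCEPT IN=wireless OUT=dsl SRC=192.168.5.20 DST=198.51.100.50 PROTO=UDP SPT=500 DPT=500
Aug 28 20:01:25 fw kernel: FW-ACCEPT IN=wireless OUT=internal SRC=192.168.5.21 DST=192.168.1.10 PROTO=TCP SPT=40100 DPT=80
Aug 28 20:01:30 fw kernel: FW-DROP IN=cable OUT=dmz SRC=203.0.113.40 DST=192.168.9.5 PROTO=TCP SPT=3333 DPT=80
Aug 28 20:01:31 fw kernel: FW-DROP IN=dsl OUT=wireless SRC=203.0.113.7 DST=192.168.5.20 PROTO=TCP SPT=44124 DPT=139
"""

# "kernel: <log-prefix> key=value key=value ..."
LINE_RE = re.compile(r"kernel:\s+(?P<prefix>\S+)\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Assumed VPN allow-list: IPsec IKE/NAT-T on UDP and ESP (which has no port).
VPN_ALLOWED = frozenset({("UDP", "500"), ("UDP", "4500"), ("ESP", None)})


def parse_line(line):
    """Return a dict of the log prefix and key=value fields, or None if not a firewall line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    # An empty value (e.g. "OUT=") is kept as "" and means the packet was
    # destined for / generated by the firewall host itself.
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def parse_log(text):
    """Parse every firewall line in a block of log text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def deny_counts(records, deny_prefix="FW-DROP"):
    """Count dropped packets per (inbound interface, outbound interface) pair."""
    counts = Counter()
    for r in records:
        if r["prefix"] == deny_prefix:
            counts[(r.get("IN") or "local", r.get("OUT") or "local")] += 1
    return counts


def unexpected_wireless_accepts(records, accept_prefix="FW-ACCEPT", allowed=VPN_ALLOWED):
    """Accepted packets from the wireless interface that are not on the VPN allow-list.

    Anything listed here means the wireless rules allow more than intended."""
    return [
        r for r in records
        if r["prefix"] == accept_prefix
        and r.get("IN") == "wireless"
        and (r.get("PROTO"), r.get("DPT")) not in allowed
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (inbound, outbound), n in deny_counts(recs).most_common():
        print(f"{n:4d} dropped  IN={inbound:<9} OUT={outbound}")
    for r in unexpected_wireless_accepts(recs):
        print("wireless accept outside VPN policy:", r["SRC"], "->", r["DST"], r["PROTO"], r.get("DPT"))
```

Run it against real output by feeding `/var/log/messages` (or wherever syslog sends kernel messages) to `parse_log` instead of the constructed sample; the interface-pair summary is what the descriptive names make readable at a glance, and the second report is a quick check that the wireless interface really does pass "VPN traffic and that's about it".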