Using a PC as a Firewall/Router


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Using a PC as a Firewall/Router

  1. 1. Using a PC as a Firewall/Router Rod Peters ©Rodney Peters 2006
  2. 2. General Arrangement of SOHO Network Modem ISP /STB Firewall DMZ & /Router Switch Server PC PC1 PC2
  3. 3. Disadvangates of Hardware Alternatives ● Why not just use an ADSL modem/router ? – Is the easiest solution for most ADSL users, but ● security quickly becomes obsolete unless upgrades are produced expediently & flashed in frequently ● many modem/routers have only NAT, which does not provide suffient firewalling anyway ● Can't be used by VDSL users who require a Router only – firewall/routers without modem are available, but tend to be upmarket, wireless devices ● Hardware firewall/routers are no longer available for dial-up users – Still the majority of TIP users – Shared connections viable for email, light browsing
  4. 4. Workstation Doubling as Router Modem ISP /STB PC2 Internet Connection Sharing PC PC1
  5. 5. Disadvangates of Software Alternatives ● Why not just use Internet Connection Sharing plus a host of other programs on the “main” PC and Zone Alarm on every other PC ? ● Security concerns – Security guides recommend paring the firewal/router to the minimum software required for those purposes – Too many exploitable programs on the “main” PC ● DirectX, Java, Visual Basic & other interpreters ● recent warnings re continuing vulnerabilities in Office 2000 et seq – “Administrator” passwords on these PC tend to be non- existant/insecure ● Pragmatic disadvantages – Many updates & service packs to be applied to maintain firewalling – Needs “main” PC booted for Internet access ● power consumption
  6. 6. Prerequisites ● CD containing Smoothwall 2.0 software – Free software, downloaded as a 45 MB .iso file, including documents ● PDF documentation (12 MB) downloaded separately – Read documentation regarding burning .iso images to make a bootable CD ● Nero and freeware Deepburner have specific procedures to do this task easily ● PC fitted with: – Pentium 75 or faster CPU – 32 MB RAM minimum (EDO is OK) ● 64 MB is maximum usable by most Pentium mainboards – Hard Disk 504 MB minimum – CDROM Drive, ATAPI ● bootable one is easiest, but Smartboot floppy is an alternative – otherwise Floppy disk drive is optional, used only to save & restore settings
  7. 7. Prerequisites (cont) – Keyboard ) required only during installation – Monitor ) ● Two Network Interface Cards (NIC) – Dial-up users will need only one, plus a COM port – PCI are easiest to configure, later PnP 3Com or SMC ISA will work ● Use models having different chips, for easy identification – 10 or 100 Mb/sec does not matter ● We can't afford more than 1 Mb/sec bandwidth anyway – Onboard NIC on some PC ought to be usable as one interface ● Try to pick a quiet PC – it will run 24/7 ● External modem for ADSL or Dial-up users – Not USB, which are too difficult to configure – Not internal dial-up modems, which are not supported
  8. 8. Installation Resources Smoothwall Smartboot Diskette Image Firewall Test Site
  9. 9. Configuration ● Nomenclature – RED is hostile zone (Internet) – GREEN is safe zone (LAN) – ORANGE is DeMilitarized Zone ● Network configuration is GREEN plus RED for most situations – for Dial-up GREEN only, the modem becoming RED ● Probe to find first NIC and mark the rear plate of that GREEN – Give a private IP address, say ● avoid 192.168.0 or 192.168.1 ● must be on different network to modem/routers (if any) ● Skip restore – but it can be useful for re-installations ● Select US keyboard mapping
  10. 10. Configuration (cont) ● Change hostname to something meaningless ● Skip web proxy – No longer mandatory for TIP – We use here because mandatory for ANU ● Skip ISDN & ADSL configuration – Latter is largely for USB devices, which are unavailable in Oz ● and only supported in PPPoA mode, which TIP does not use ● For Broadband links, probe to find second NIC and mark the rear plate of that RED ● Addresss Settings – TIP users set RED to PPPoE for VDSL ● For most ADSL modems and here at ANU we must use DHCP ● Use very secure “root” password
  11. 11. Configuration (3) ● Optionally enter DNS addresses for ISP – Smoothwall can obtain automatically later ● Enter Gateway address supplied by ISP ● Above is ignored for ADSL modems, because it is in the modem ● Enable DHCP server – it is simplest way to get PC networked ● Accept other defaults ● Do not enter a Domain Name Suffix – Unless you have purchased one ● Add passwords for admin at least – Also dial & setup if there are many users ● Configure each client PC's Local Area Network Connection for DHCP – see Smoothwall documentation
  12. 12. Dial-up ● Point browser to your Smoothwall's GREEN address eg – bookmark this as Smoothwall ● Dial-up users need to configure connection parameters – Select Network -> ppp settings – under Telephony, configure dial-up modem details ● don't configure ADSL modems here; that is done in the modem – Configure TIP access details ● Label TIP and save ● Navigate to your Smoothwall's Home page ● single-click on connect to connect to ISP – applies to Dial-up and TransACT phase 1 – not applicable ADSL modems in routing mode ● Updates – download all and apply
  13. 13. Enhancements ● Similar Firewall/Router Software “IPCop” preferred by many – More informative – More configurable – Accepts automatic settings from ISP – Handles USB drives, wireless & bluetooth devices – Less suited to ADSL modem/routers ● Unless those put in “bridging” mode ● Power Improvements – Throttle CPU/FSB speed – Remove CDROM, floppy – Run without monitor & keyboard