
Debian router/firewall config



Guest KShots

Hey guys, I recently ran a Mandrake server on a little P-200 MMX that was running nice and smooth, configured just the way I liked it for a couple months and then: WHAM! My /var volume disappeared from the software RAID-5 :shock: . It didn't even go into degraded mode, it didn't pass go, it just disappeared. I managed to boot it up after all the timeouts expired (no /var volume = no logs = mandrake->confused) and backed up all my data on the /home volume, then proceeded to rebuild under Mandrake again.


About six hours into it and still not even at the package installation (yes, it is that slow on this machine), I decided to try another distro. Well, what else have I used? Red hat! OK, start that up, and man, that's slow too... OK, what else is there? Oh yeah, I've used Debian too! I go through that and the whole thing installs over the internet in under a half hour. WOW! OK, I think I've found what I need :). Next: configuration... this is difficult without drakconf! :(.


OK, here's where I'm at now: I'm using Debian Woody with the 2.4 kernel, I've configured my software RAID (couldn't get the / into RAID, though (I could on Mandrake)), I managed to convince it that I do, indeed, have two ethernet cards (and btw, for those of you that know my config from earlier, I don't have any ISA hardware anymore, so no more looking up address ranges!) :).


Another thing to note at this time: My LAN got a LOT smaller. I moved out and am living on my own, so I've got this and my one desktop hooked up via crossover cable.


OK, more info: eth0 (10/100 MBit) is connected via crossover to my desktop. eth1 (10 MBit) is connected to my cable modem (I went back and forth a bit until I decided this made the most sense and could actually talk to my modem). I have internet access, but I don't have drakconf and its nice scripts to configure ICS (internet connection sharing). So, OK, I try and dive in manually. I install shorewall and udhcpd, configure them, and fire them up. Well, I think I got shorewall configured right (it's dropping packets from people and telling me about it in the console (btw, can I redirect that to a log somewhere?)), but udhcpd isn't doing anything unless I accidentally switch it to the internet and try and give you all IPs (oops :oops: ).


In summary, my question is: Beyond shorewall and udhcpd, what else would I need to share my internet connection and of course keep protected? You guys have been very helpful to me while I was using Mandrake (Thanks MottS, aRTee)!


PS: My GOD there's a lot of stuff out there going after Windows people without a firewall - I was getting popups on a fresh installation of XP without ever having touched my browser! I need my firewall back :cry:


Guest KShots

Well, I got it up and running somewhat...


I'm using shorewall's firewall (1.4.6, not the one that came with debian (1.2.12))


I'm using udhcpd (the 23k version)


I'm using bind (yuck!)


And therein lies the problem: bind! Every time I visit a new web page, I wait 1-2 seconds before it resolves the name into an IP! This is really annoying! Is there a way to tell udhcpd (or any dhcpd server) to use the DNS servers that my ISP provides me instead? My machine really doesn't perform that function well. And no, I don't want to just manually assign them because if the machine moves or I change my ISP, I want it to be an automatic change. Thanks...


It doesn't take long for me, and I'm using bind as well (despite people warning me against it)... I didn't have to do anything to get bind working, so I assume there would be a way to configure it like how you want.


Only other thing I could think of is the firewall... I just use ipkungfu instead of shorewall. It's very simple to use and has great support on IRC. Every question I've ever had about it was answered within about 5 minutes. I tried other firewall programs, but they messed up a lot... NAT wasn't working right with them, so I just kept trying until I discovered this. If you're sure it's not a firewall issue, then just have a search for the bind documentation.


Guest KShots

Yeah, I've used this same firewall on Mandrake 9.1 on this same machine to great success - I was able to redirect packets to other machines inside my network so they too could act as servers looking like they were directly on my modem. I'd be hesitant to drop shorewall now that I've figured it out (I even wrote a .cgi script to do the configuration and restart the firewall that only responds to internal IP addresses :P ).


Actually, I may be able to write a script that could take the DNS info I get from my ISP from /etc/resolv.conf, place that data into /etc/udhcpd.conf, and place this script in init.d before udhcpd starts and after eth1 is started. Does this seem viable? Or is there a better way?

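The resolv.conf-to-udhcpd.conf idea in the post above, written out as an added example (not KShots' script or anything from the Debian or udhcpd projects). It assumes udhcpd.conf carries its DNS servers on an "opt dns <ip> [<ip>...]" line (the "option dns" spelling is also handled), takes the file paths as parameters so it can be tried on copies first, and works on constructed sample files rather than the real /etc files.

```shell
#!/bin/sh
# Added example: copy the ISP-supplied nameservers from a resolv.conf into a
# udhcpd.conf so LAN clients get the ISP resolvers directly instead of this box.
# Assumption: udhcpd.conf uses "opt dns ..." / "option dns ..." for the DNS option.

# Print the IPv4 nameserver addresses from a resolv.conf on one line, space-separated
# (udhcpd's dns option is IPv4-only, so IPv6 resolvers are deliberately skipped).
dns_servers_from_resolv() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
             s = s (s ? " " : "") $2 } END { print s }' "$1"
}

# Replace the existing dns line in a udhcpd.conf (or append one if none) with the
# given servers; refuses to touch the file if no servers were found.
rewrite_udhcpd_dns() {
    conf=$1; shift
    servers=$*
    [ -n "$servers" ] || { echo "no nameservers found, leaving $conf alone" >&2; return 1; }
    tmp="$conf.tmp.$$"
    awk -v line="opt dns $servers" '
        $1 ~ /^(opt|option)$/ && $2 == "dns" { if (!done) { print line; done = 1 }; next }
        { print }
        END { if (!done) print line }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Show the dns line a udhcpd.conf currently carries (normalised to "opt dns ...").
udhcpd_dns_line() {
    awk '$1 ~ /^(opt|option)$/ && $2 == "dns" { $1 = "opt"; print; exit }' "$1"
}

# Constructed sample files standing in for /etc/resolv.conf and /etc/udhcpd.conf.
demo_dir=$(mktemp -d)
cat > "$demo_dir/resolv.conf" <<'EOF'
search example.net
nameserver 203.0.113.53
nameserver 198.51.100.2
EOF
cat > "$demo_dir/udhcpd.conf" <<'EOF'
start 192.168.0.20
end 192.168.0.254
interface eth0
opt dns 192.168.0.1
opt subnet 255.255.255.0
option router 192.168.0.1
EOF
# In an init script this would run after eth1 is up and before udhcpd starts.
servers=$(dns_servers_from_resolv "$demo_dir/resolv.conf")
rewrite_udhcpd_dns "$demo_dir/udhcpd.conf" $servers
```

Because the dns line is rewritten rather than appended, repeated runs (every reconnect or ISP change) leave exactly one dns option in the file.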
