[ILUG] Firewall/Proxy/Gateway Build
Hamilton, David (HPS)
david.hamilton3 at hp.com
Wed Oct 6 12:09:27 IST 2004
I am finally going to build up a nice little firewall/appliance box for
home, and am trying to decide on the best way to put it together in a
secure, yet functional manner.
I am building it around a mini-itx 1GHz board with 265Mb RAM, so it'll
be running nothing too heavy, but I would be looking for people's
experience/recommendations around the various functions it will be
performing.
DNS - BIND forwarding different zones to different servers, chroot'ed.
DHCPFWD - Forwarding DHCP requests to server in secure LAN, chroot'ed.
Squid - Squid configured as transparent proxy, would like to integrate
CLAM-AV, but not sure how. Can this be chroot'ed?
Postfix - Configured to relay mails from internal server to external
server. Can this be chroot'ed?
Fetchmail - Configured to gather mails from external server and deliver
to internal server. Can this be chroot'ed?
IPTABLES - configured via shorewall. I have to say that I love this
package!
Webmin - Configured to only allow access from internal LAN. (Might not
bother with this)
OpenSSH - Configured to only allow access from internal LAN and
secure(ish) Wireless LAN.
Squirrelmail - To be done later...
Has anyone managed to get a CAPI based ISDN USB modem working reliably?
Does anyone have any recommendations on which VPN software to use? I
need it to be easy enough to maintain with Windows and Linux clients.
I am planning on building it around Fedora Core 2 for a variety of
reasons, and don't feel the need to change that unless there is a bloody
good reason. (Religious debate not required on this one)
I have looked at most of the firewall specific builds, but none of them
really suit my config which has 5 network interfaces, and no clear cut
green/orange/red zones.
I know there are a lot of questions in there, and I know I will be able to
find the answers to some of them via google, but I'd like to know what
experiences other people have had with the different parts to allow me
to avoid any known pitfalls.
Thanks,
David.
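As an added illustration of the per-zone DNS forwarding item above (not part of David's post, and not a config from any project he mentions), here is a minimal BIND 9 named.conf that forwards one internal zone to a LAN server and everything else to the ISP resolver, while only answering the internal networks. All addresses, zone names and paths are constructed placeholders.

```conf
// Constructed example: BIND 9 forwarding resolver for a home gateway.
// Run chrooted with the real named flags, e.g.:
//   named -u named -t /var/named/chroot
// (paths below are relative to that chroot).
options {
    directory "/var/named";

    // Only listen on the internal-facing interfaces, never the WAN side.
    listen-on { 127.0.0.1; 192.168.1.1; 192.168.2.1; };
    listen-on-v6 { none; };

    // Only hosts on the constructed internal/wireless ranges may query or
    // recurse; this keeps the box from acting as an open resolver.
    allow-query     { 127.0.0.1; 192.168.1.0/24; 192.168.2.0/24; };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; 192.168.2.0/24; };
    allow-transfer  { none; };

    // Default: hand every other name to the upstream (ISP) resolver.
    forward only;
    forwarders { 203.0.113.53; };

    // Do not advertise the BIND version to anyone who asks.
    version "not disclosed";
};

// Internal zone: forwarded to the DNS server on the secure LAN.
zone "home.example" {
    type forward;
    forward only;
    forwarders { 192.168.1.10; };
};

// Reverse lookups for the secure LAN go to the same internal server.
zone "1.168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.168.1.10; };
};
```

Check the result with `named-checkconf` before restarting, and confirm from the WAN side that queries are refused.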