  1. Join Date
    May 2005
    Posts
    6,090
    #1
    Firewalls use standard conventions when referencing areas of the network. There are four basic network types, all of which can be managed by the firewall at the same time. These networks are called:

    Red (external Internet)
    Orange (DMZ or DeMilitarized Zone)
    Green (internal network)
    Blue (wireless network)
    More details here

    I'd like to build something like this in the coming months.

    Problems associated with building or assembling the hardware (server) compatibility issues and installing the software would come later on.

    Right now, I'm in the process of building the infrastructure side (wiring up all the rooms involved using CAT5E). All wires would run to a small utility room where a utility box would hold the router, dsl modem, switch (future upgrade) together in a bunch. The server would be placed in another room. Will those Red, Green, Orange, Blue, network implementation etc... (as mentioned above) be compatible with this kind of wiring? What is correct? Should I rewire or add more wires/lines?

    Hope anybody with experience with this kind of matter can contribute to this thread. Your help is highly appreciated!

  2. Join Date
    Jan 2006
    Posts
    12,347
    #2
    Quote Originally Posted by number001 View Post
    More details here

    I'd like to build something like this in the coming months.

    Problems associated with building or assembling the hardware (server) compatibility issues and installing the software would come later on.

    Right now, I'm in the process of building the infrastructure side (wiring up all the rooms involved using CAT5E). All wires would run to a small utility room where a utility box would hold the router, dsl modem, switch (future upgrade) together in a bunch. The server would be placed in another room. Will those Red, Green, Orange, Blue, network implementation etc... (as mentioned above) be compatible with this kind of wiring? What is correct? Should I rewire or add more wires/lines?

    Hope anybody with experience with this kind of matter can contribute to this thread. Your help is highly appreciated!
    I thought the network and wireless are all internal. Internet and demilitarized zone are typically external. Wiring is wiring. They're normally all CAT5.

  3. Join Date
    May 2005
    Posts
    6,090
    #3
    What I'm asking is, am I doing it right if I just run just one wire from each room to the central area? Only one room would have two LAN ports (1 for the server and 1 for the workstation). All 4 other rooms will just have one LAN port. So another question, is the infrastructure (wiring) correct to accommodate a Linux firewall (because if you read the article, the server would have like 3 to 4 ethernet inside it - this is the part that confuses me. I want to get the infrastructure right.)

  4. Join Date
    Aug 2003
    Posts
    9,720
    #4
    there's no concern. a cable is a cable is a cable; it doesn't care if it's attached to the RED/ORANGE/GREEN section of your network. The article used "orange" Cat5e cables and such just to highlight the concept of the network segments. Now, if you want to color code your cables, that's fine; we usually label the cables with stickers (it's the stickers that are color coded), or use color coded RJ45 boots.

    usual practice is the wiring closet (i.e. where the cables terminate at the router), PABX, routers, and servers are in the same room -- preferably securely locked, with backup power (UPS), sufficiently cooled (even on weekends) and vermin-free



    So another question, is the infrastructure (wiring) correct to accommodate a Linux firewall (because if you read the article, the server would have like 3 to 4 ethernet inside it - this is the part that confuses me. I want to get the infrastructure right.)
    that's right; the router is effectively the "exchange" between your different network segments, so it will need at least one interface/network card per segment. as for your rooms/workstations, they would normally connect within that segment (e.g. green); then you can control access from one segment to another via your router -- that's your control point.

    What I'm asking is, am I doing it right if I just run just one wire from each room to the central area ? Only one room would have two lan ports (1 for the server and 1 for the workstation)
    normally, if you're gonna go about the business of laying cables, drilling holes, etc., you might as well lay down a few extra cables -- be it for flexibility (e.g. you may change your mind about your layout in the future), scalability, or for redundancy (e.g. when any of the cables get damaged). Chances are you're gonna run the cables through some conduit... might as well stuff a few extras B)

    With regard to the hardware...if you really need all four segments, you should look for a mobo with one onboard NIC (I think they all have one these days), and at least 3 PCI expansion slots. afaik you can also buy USB LAN adapters, though I have not had experience with them.



    btw, you guys gonna provide Wifi internet access within the building?
    Last edited by badkuk; April 21st, 2009 at 10:08 AM.

  5. Join Date
    Oct 2002
    Posts
    15,528
    #5
    bro, will you be using Endian?
    PM me, i can help you in detail.

  6. Join Date
    Oct 2002
    Posts
    15,528
    #6
    bro, will you be using Endian?
    PM me, i can help you in detail.

  7. Join Date
    May 2005
    Posts
    6,090
    #7
    This is not an enterprise level project or something, just a house that is in the process of being wired with CAT5E wires for all rooms and locations. :D

    *badkuk
    Good idea on installing multiple wires inside the conduit. But since this is a house, in most cases aesthetics precedes everything else. So for each room I have allotted cable TV, landline phone, LAN to share a one gang three device outlet.

    What kind of router should I buy to accommodate this server in the article? Most routers only have 4 ports and the max of 8 (a Linksys). In total, I just need 8 ports to accommodate the whole place (not counting the firewall PC). But since the firewall requires multiple LAN cards, I think a switch needs to be added.

    that's right; the router is effectively the "exchange" between your different network segments, so it will need at least one interface/network card per segment. as for your rooms/workstations, they would normally connect within that segment (e.g. green); then you can control access from one segment to another via your router -- that's your control point.
    sorry I don't get it. :D I'm a newbie in networks. OK, for the sake of the argument, let's say for example, I have an 8 port Linksys router with 4 workstations connected to the four ports and an internet connection through the WAN port. So if I were to use the firewall PC as stated in the article, then I have to connect the 4 LAN cards (in that PC) to the four remaining ports in the router (to represent red, green, blue, orange)? Correct? :D

    usual practice is the wiring closet (i.e. where the cables terminate at the router), PABX, routers, and servers are in the same room -- preferably securely locked, with backup power (UPS), sufficiently cooled (even on weekends) and vermin-free
    what brand of wiring closet do you suggest? I prefer if it's like a utility box that is embedded into the concrete wall. What kind of cooling system also? As for the UPS will the APC Back UPS ES500 suffice? I prefer a more compact UPS. Also since the place is designed to be enclosed (but the doors can be left open), will there be a problem? Btw, an exhaust fan is installed inside this room (where the main power switch is also located a few centimeters away).

  8. Join Date
    May 2005
    Posts
    6,090
    #8
    Quote Originally Posted by 1D4LV View Post
    bro, will you be using Endian?
    PM me, i can help you in detail.
    Thanks for your offer! I'm still sorting out the infrastructure then hardware before moving onto the software side. :D

  9. Join Date
    Aug 2003
    Posts
    9,720
    #9
    hmm, my impression was that this is for a workplace; depending on what you want to achieve, the setup the article described could be overkill.

    here's the thing: in a typical corporate network, you may have

    1. an internal network -- where your accounting, financial, etc data is stored
    2. dmz -- probably some corporate web server
    3. your internet connection -- i.e. the connection provided by the isp
    4. internet access -- usually via wifi

    Now, depending on how complex your network needs to be -- e.g. you may now want everyone to share the same network as your accounting guys -- you could possibly have even more segments. The more segments you have, the more interfaces you need on your router, or the more routers needed.


    Now, if you just want to provide each room with internet access, there's basically just two interfaces/segments involved:

    1. internet access(RED) -- the connection provided by your isp
    2. home network (BLUE/GREEN) -- where your home pcs are connected to

    Now, normally you need a public ip address to connect to the internet -- this is the one your isp provides you. The router you'll set up shares this connection for all your home pcs via Network Address Translation -- simply put, your home pcs need NAT(provided by your router) to connect to the internet.

    Actually there is no need for the Cat5e cable -- you can do that with WiFi. However, if you want to provide wired connection, that's fine too.

    If internet access is all you're after, just buy a WiFi router; you can buy an 8-port switch to provide more ports.

    with regard to cooling...unless you plan to have a server farm or really big servers, there's no need for that either -- like I said, I thought this was a company/corporate setting B).
    As for the UPS, I think it would be more useful at your work/home PC rather than for your router; maybe just provide an AVR for your router/switch so there's at least some protection

  10. Join Date
    May 2005
    Posts
    6,090
    #10
    What is the right/specific terminology for this whole topic/subject, so that I can google it.

    I think I'm getting it already....So it's like everything has to go through the firewall PC. It's like a filter bag. Correct me if I'm wrong. Thanks!

    Case Scenario:

    Assuming the ff will be utilized:

    Red (external Internet)
    Orange (DMZ or DeMilitarized Zone)
    Green (internal network)
    Blue (wireless network)

    Example:
    For internet access (from ISP), the connection is:
    ISP (modem)--->WAN port (Router #1)--->firewall pc (ethernet#1)
    and if DMZ is utilized
    firewall pc (ethernet#2)--->(Router #2)--->web servers, VOIP, etc.
    and for the internal network
    firewall pc (ethernet#3)--->(Router #3)--->workstation(s) #1, #2, #3, etc
    and finally the wireless network
    firewall pc (ethernet#4)--->(Wireless Router)--->workstation(s), laptop, portable devices, etc..
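
As an added example (not part of the original thread and not taken from the article it refers to), here is one way the four-interface layout sketched in post #10 can be written as an nftables ruleset on the firewall PC, with NAT on the Red side as post #9 describes. The interface names, the DMZ host address 10.0.1.10 and the choice of which zones may reach which are assumptions made for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example. Interface names, addresses and allowed flows are assumptions.
flush ruleset

define RED    = "eth0"   # ethernet#1: towards the ISP modem
define ORANGE = "eth1"   # ethernet#2: DMZ (web servers, VoIP)
define GREEN  = "eth2"   # ethernet#3: internal wired workstations
define BLUE   = "eth3"   # ethernet#4: wireless access point
define DMZ_WEB = 10.0.1.10   # constructed address of a DMZ web server

table inet fw {
    chain input {
        # Traffic addressed to the firewall PC itself: default deny.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname $GREEN accept                       # admin, DNS, DHCP from Green
        iifname $BLUE udp dport { 53, 67 } accept   # only DNS/DHCP from Blue
    }

    chain forward {
        # Traffic crossing between segments: the control point.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname $GREEN accept                            # Green may reach any zone
        iifname $BLUE oifname { $RED, $ORANGE } accept   # Blue: not into Green
        iifname $ORANGE oifname $RED accept              # DMZ: Internet only
        # Red may enter only through the port forward defined below.
        iifname $RED oifname $ORANGE ct status dnat accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname $RED tcp dport { 80, 443 } dnat to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $RED masquerade   # home PCs share the ISP-provided address
    }
}
```

Check the file with `nft -c -f <file>` before loading it with `nft -f <file>`; forwarding between the interfaces also requires `net.ipv4.ip_forward=1`.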

Help in Building a Linux Firewall....