Saturday, February 21, 2009


I've built network firewalls before, but this time I'm going to try to go all-out. The hardware I'll be using to build my firewall on is an old Gateway 2000 with a 233-MHz Pentium II that a friend gave to me. (Yes, that's a 5.25'' floppy drive.) The old setup only had input from the internet (RED) and output to a GREEN zone (my LAN). This time I'd like to have it handle a wireless LAN, called the BLUE zone, my wired-only LAN, which will be the former GREEN zone, and an ORANGE zone that will only have one computer on it, my server. All of the zones are separated by a DMZ within the firewall.

The reason for putting the wireless separate from the rest of my LAN is more security concerns. Someone can run a man-in-the-middle attack on a wireless network and sometimes can intercept not only wireless traffic, but traffic traveling through wired connections. It's just another level of network security. Same for the ORANGE zone. Since this will be a server facing the outside world, it's generally not a good idea to have it on the same network as computers with sensitive data. The firewall will do its best to keep all of these networks separate to make it harder for anyone to sniff around my network.

I use IPCop for my firewall's software. It runs exclusively on whatever computer you decide to use, but is not hardware intensive. This means that old, obsolete equipment like this is perfect to run IPCop on (hence the 12-year-old Gateway). My former install of IPCop worked well for a couple of weeks and then randomly started restricting download speeds from 350 kb/s or so to 30 kb/s or so. That was really annoying, and I couldn't figure out how to solve the problem, so as much as my paranoid self hates to have my cable modem plugged straight into the wireless router, I was forced to by circumstance.

To start, the computer has two NICs installed in it. One will be RED (the outside world) and the other GREEN. I should be able to install the BLUE and ORANGE NICs after the install. The reason for waiting is that I have several old NICs and sometimes IPCop won't have the drivers for them. So, there's a lot of trial and error that happens. But IPCop needs at least a GREEN interface for the installation procedure, and I know that IPCop has drivers for the cards in the computer now. (Yes, I know you can theoretically install drivers yourself, but I don't know how/don't want to mess with doing that.)

There are detailed step-by-step instructions for installing IPCop, so I won't go into it here. I'll be back after my initial install is finished.

Make sure that all of the cables are plugged into the right NICs. For example, if you try to plug the outside internets into the GREEN NIC then it'll crash the DHCP server on the firewall. Just something to note.

Anyway, now that I have the base install finished, I need to run a speed test to make sure that the firewall isn't arbitrarily restricting my bandwidth again. The speed test showed about 6 M down and 1.8 M up, which is normal.

Now I can SSH into the firewall instead of having to hook my monitor up to it. This only takes some fiddling around with the web interface. The only thing I really need to do, though, is shut it down so I can install the other two NICs.

That was surprisingly successful. The "tulip" card I tried to install didn't work last time because IPCop couldn't find a driver. But if it's working now, I'm not going to argue. Now the only thing left to do is to plug everything into my firewall how I had planned for it to go before, only I'm missing a key piece of network hardware: a switch for the GREEN interface so I can plug more than one computer into the protected LAN of the firewall. Oh well, I'll make do, I suppose.


OK, I finished my firewall. And it was working for a little bit, but it seems to be doing its old thing where it restricts download bandwidth. I think it might be a bad hard drive. Anyway, there were a couple of issues with the firewall which affect my Solaris project. First of all, my server operating in a DMZ didn't work well because my desktop can't see its Samba and DAAP shares, and DMZ pinholes don't really work passively. So, the only thing keeping my server on that part of the firewall is my missing piece of network hardware. I'll deal with it until I can get a new switch. But I'll probably move my Web/SSH servers to Solaris and have that operate on ORANGE and then keep everything else on my server, which will eventually move back to my GREEN LAN. Anyway, more later.
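To make the zone policy from the posts above concrete, here is an added illustration written as plain iptables forwarding rules (this is not IPCop's own rule set, and the interface names eth0 to eth3 are assumptions). It shows the default-deny separation of RED, GREEN, BLUE and ORANGE, the published Web/SSH ports on the ORANGE server, and the unicast "pinholes" from GREEN into ORANGE for the SMB and DAAP shares; broadcast-based share discovery is never forwarded between zones, which is why the shares have to be reached by address rather than showing up by themselves.

```shell
#!/bin/sh
# Assumed interface assignment for the four zones (illustration only).
RED_IF=eth0     # cable modem / Internet
GREEN_IF=eth1   # wired LAN with the desktop
BLUE_IF=eth2    # wireless LAN
ORANGE_IF=eth3  # DMZ holding the single server

# Emit the FORWARD-chain rules instead of applying them, so the policy can be
# reviewed (or diffed) before it is loaded with root privileges.
zone_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# GREEN and BLUE may initiate connections to the Internet.
iptables -A FORWARD -i $GREEN_IF -o $RED_IF -j ACCEPT
iptables -A FORWARD -i $BLUE_IF -o $RED_IF -j ACCEPT
# ORANGE is the public server: only its published Web and SSH ports are
# reachable from RED (after the DNAT port-forward, which is not shown here).
iptables -A FORWARD -i $RED_IF -o $ORANGE_IF -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $RED_IF -o $ORANGE_IF -p tcp --dport 22 -j ACCEPT
# Pinholes from GREEN into ORANGE for the SMB (445) and DAAP (3689) shares.
# These are unicast-only: NetBIOS and mDNS discovery broadcasts are never
# forwarded, so the shares must be opened by the server's address.
iptables -A FORWARD -i $GREEN_IF -o $ORANGE_IF -p tcp --dport 445 -j ACCEPT
iptables -A FORWARD -i $GREEN_IF -o $ORANGE_IF -p tcp --dport 3689 -j ACCEPT
# No rule lets BLUE (wireless) reach GREEN or ORANGE, or ORANGE reach GREEN:
# the default DROP policy handles those directions.
EOF
}

# Review the generated policy; pipe into 'sh' as root only after checking it.
zone_rules
```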


OK, I tried a new hard drive that I know is good. It's not the hard drive. Download bandwidth went back to 1.5 M and upload is a normal 1.8 M. Don't have any idea what's wrong, but I don't really torrent anything so I haven't noticed any usability issues... yet.
