Using an old computer as a firewall.
Malpine Walis
11-11-03, 10:01 PM
Situation:
Someone who does not have a lot of money bought a used computer for around $200 and connected it to a DSL line. Being cheap (why he has DSL is beyond me but I have to fix his problem) he is using ZoneAlarm as his firewall. Now he wants better security than ZoneAlarm provides.
Well, he does still have the computer that he replaced for $200. As he cannot spend a lot of money I am wondering if I can press the older computer into service for the cost of a second networking card and a free download of firewall software.
I would prefer to go with a WIN or DOS setup as I have no experience with Linux. Does anyone have an idea that would help?
RyanRichard
11-11-03, 11:18 PM
I think I can offer a helpful suggestion.
http://www.software602.com/products/ls/
After you register for a free version of this (you have to register so you can play with the advanced settings :/ ) it sets up to be a gateway for internet sharing, it has a firewall built into it, and it can even function as a proxy server. It has an access list that you can set up too, I believe. I use this at work for our email and web server and it works nicely.
I have heard of something called carl bridge (sp?) for DOS, but I haven't seen anything about it.
Even though you aren't looking at a UNIX setup, there is however a distro called Smoothwall that is built for doing this.
I hope this helps
-Ryan
His DSL modem is not configurable?
I know you mentioned that you're not really interested in Linux because of your lack of knowledge. But as RyanRichard replied, there are distros made specifically for this. SmoothWall is one. But I'm using ClarkConnect. It's Linux as well. But it's a server/Gateway/Firewall in one. It's very simple to set up and only takes about 15 minutes to get it up and running.
I'm using it as a Gateway and network file server. It's GREAT! I have no knowledge of Linux at all. That just goes to show you that you don't really need it for basic setup.
It's got a really nice web based SSH you can control the gateway PC thru. You can restart, shut down, and configure router settings thru it like any other stand-alone router. Plus you have unlimited port forwarding, blocking options and much, much more.
It's really worth looking into. Like I said it only takes about 15 minutes to set up. So if you don't like it you're not wasting a bunch of your time (except on maybe the download and image burn).
I would recommend it to anyone.
Here's a link to the info page on their website if you wanna learn more about it.
Here (http://www.clarkconnect.org/info/index.html)
su root
11-15-03, 10:49 AM
Another "out of the box" "no knowledge needed" Linux router/gateway/firewall solution is:
http://www.smoothwall.org
There's also Coyote Linux, which is floppy based, and can be run hard-drive-less.
Definitely go with Smoothwall... it's SO easy to use and configure. Once it's installed everything is done through your browser just like a normal router; you wouldn't know the difference. Installation takes about 5 minutes... and I think it's less than 30MB to download the ISO file if memory serves me correctly. It will run on just about anything from a 486 and up; it's actually supposed to be able to run on a 386 but I think that's pushing it.
No better a firewall than an old Slackware box with a limited installation. Of course you could use FreeDOS as well; I'm sure that will make just as fine a firewall/router.
*Gnatbox Light (FreeBSD-based, but commercial hardened)
*Coyote Linux
Both are floppy-based and take less than 10 min to set up (if you're knowledgeable about networking). NO hard disk, no worries. To turn off, simply press the ON/OFF button; there's no need to issue shutdown commands.
Use Intel based NICs (i8255x based) for trouble free setup.
x = 7, 8, 9 => e.g. i82559, etc.
Intel NICs are very cheap on eBay. I got 4 of them for about $17 US Dollars (approximately, since I'm in Australia).
For Gnatbox Light, you can set it up so you can send all logs to a Windows PC that has the logging program installed. That way, all the records are on your PC for later use if needed.
The only thing you need to know about either, is networking.
Coyote Linux has a Windows-based disk creator (as does Gnatbox Light).
For Coyote Linux, you set up the basics in Windows and save onto a floppy. You can then fine tune the machine to your requirements. Don't worry, it comes with documentation that is in very easy to follow steps. In fact, it's quite a no-brainer. Just make sure you pick a very strong ROOT password.
For Gnatbox Light, you create your floppy in Windows, then boot it up on your Firewall/router PC and it will run through a setup wizard. You then run through some very easy steps. Once done, save and exit. You can then log in via a Windows PC to the firewall PC and fine tune the changes.
Once done setting up and you're satisfied, save the floppy and flip the write-protect tab ON. That way your settings are NEVER written over. (clearly an advantage over hard disk based ones).
If the Firewall PC is compromised, press the reset switch on the PC. (This wipes the attempt, forcing the intruder to start again). In that case, I would change the password/username and in Gnatbox Light, enable the Lockout feature and set it to the longest time available. (You can lock out unsuccessful login attempts for around 60 days after five failed logins).
For both, all you need is...
(1) CPU, PSU, mobo, 32MB RAM (do-able with 16MB)
(2) 2x NICs (Preferably Intel or 3Com from eBay)
(3) Video card
(4) Floppy drive and floppy disk
You'll only need a monitor and keyboard for the setup part. Once done, they are not needed for the Firewall PC to function.
That's it.
For Gnatbox Light (Free)
http://www.gta.com/products/gblight/
Make sure you download :
(1) GBAdmin Windows Installer Package (Not included with GNAT Box Light)
(2) GNAT Box Light 3.3.4 Windows Installer Package
(3) GNAT Box Light Installation Guide
For Coyote Linux (Free)
http://www.coyotelinux.com/modules.php?name=Products&op=coyote
Download : Coyote Linux Windows Disk Creator v2.2.3
http://www.coyotelinux.com/modules.php?name=Downloads&d_op=viewdownload&cid=1
I've used both in the last four years...Never been penetrated, never had a problem. My firewall can switch very easily from Coyote Linux to Gnatbox Light or vice versa, by simply changing the disk and pressing reboot.
This flexibility allows me to switch from a Linux to BSD firewall in minutes if there's a security hole in one of them.
Make sure you make a copy of the disks and store them in a safe place.
The only disadvantage I can see is that it takes a minute or so to boot up the floppy.
A Firewall PC is a stand alone machine, it is best secured that way. Don't get too fancy with it. (double duty also as a file server).
Whatever you choose, good luck.
Don't forget, once you finish setting up the firewall PC, test it using those online testing security sites.
I honestly don't see a problem with running a stand-alone firewall router based PC as a file server as long as it's internal. I actually think it's much more convenient this way. Having all your files stored on the router PC so you can transfer files and set up programs on any PC you hook up to the network. I love the flexibility of not having to have my main PC on when I hook up another PC to transfer files or install programs.
I don't run a public file server though.
It depends on your situation.
Security and convenience are inversely proportional.
I'm paranoid when it comes to security. (But that's just me)
I personally wouldn't do it, as a firewall PC, in my view, serves as your guardian and nothing else.
Adding features could compromise its strengths, something I'm not willing to risk.
Hence, the reason for a floppy-based one with write protect tab on. (Cheap, low power consumption, have amazingly high uptimes.)
If I do have a file server, it's on another machine. (I have so many here I can pretty much have PCs with individual roles).
In the end, it's up to your uses, budget, etc.
I can see your concern. But I don't really see how having the gateway PC with a big drive in it used for storing files, which the rest of the PCs on the network can access, would cause a security risk? And I mean strictly for internal network use, not over the internet. The Gateway PC is still doing its job running the firewall and all. Keeping things locked up tight and stealth from the rest of the world. All you're really doing by doing this, I believe, is maybe putting the gateway system under a little more stress than it otherwise would be, right?
It's just running one extra service that has nothing to do with anything outside of the network. Now I could see a possible problem if you're running a public file server, where others from the internet are able to log in and access your files.
Or maybe I just don't know enough about network security to know about this. And this is a strong possibility as I really don't know all that much.
All I gotta say is I'm pretty happy with my setup so far since I got all the bugs worked out. Was able to tuck it away upstairs out of sight and sound :).
You gotta remember too I'm coming from using a Linksys router (which I really hated) to this. There's just so many more options, I love it.
su root
11-17-03, 06:15 PM
From a network security point of view, it is of course a good idea to not put internal files onto a server that interfaces with the internet.
However, with a properly configured firewall, a home user should have nothing to worry about. In a corporate world, you wouldn't want to do this though.
The idea behind any firewall is to minimise exposure to the internet. If you are not running any services on your box, then you should have an explicit drop on all incoming packets on ports 1-1023; that should minimise potential threats, and still allows all services to be accessed internally.
I gotcha. I'm not really gonna worry about much seeing as I'm only storing files that are not critical to me. Just programs and stuff. Nothing too important ya know. But I understand more now.
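An added example, not part of the original thread: a small first-match packet-filter model that compares the low-port drop described in the post above (assumed here to sit on an otherwise open input chain) with a default-deny input policy, using the gateway-as-file-server case from this discussion. The interface names, probe ports and the `Packet`/`Rule` model are constructed for illustration and are not taken from Smoothwall, ClarkConnect or any other product named here.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed names: WAN faces the DSL modem, LAN faces the home network.
WAN, LAN = "eth0", "eth1"

@dataclass(frozen=True)
class Packet:
    iface: str                 # interface the packet arrived on
    dport: int                 # destination port on the gateway itself
    established: bool = False  # reply to a connection opened from the inside

@dataclass(frozen=True)
class Rule:
    action: str                     # "ACCEPT" or "DROP"
    iface: Optional[str] = None     # None matches any interface
    ports: Optional[range] = None   # None matches any port
    established_only: bool = False  # match reply traffic only

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.ports is not None and p.dport not in self.ports:
            return False
        return p.established or not self.established_only

def decide(rules, default, p):
    """First matching rule wins; otherwise the chain's default policy applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Policy A (assumption): drop WAN traffic to ports 1-1023, accept everything else.
LOW_PORT_DROP = ([Rule("DROP", iface=WAN, ports=range(1, 1024))], "ACCEPT")

# Policy B: default-deny; accept replies, and let the LAN reach the gateway.
DEFAULT_DENY = ([Rule("ACCEPT", established_only=True),
                 Rule("ACCEPT", iface=LAN)], "DROP")

def verdicts(policy):
    """Run four constructed probes through a policy and return the verdicts."""
    rules, default = policy
    probes = {
        "wan_smb_445": Packet(WAN, 445),      # file sharing seen from outside
        "lan_smb_445": Packet(LAN, 445),      # file sharing seen from inside
        "wan_high_8080": Packet(WAN, 8080),   # any service on a high port
        "wan_reply": Packet(WAN, 40000, established=True),
    }
    return {name: decide(rules, default, p) for name, p in probes.items()}
```

Both policies keep the file share internal-only; they differ on `wan_high_8080`, which only the default-deny policy drops.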
Thanks
So what's it like moving up from one of those "routers you buy" to the " ones you build yourself " ?
(I began with firewall PCs as, since I had bits lying around the place. It was more economical for me.)
Malpine Walis
11-18-03, 09:42 AM
Well, I was not expecting to attract this much discussion! However it really did help. I believe that I am going to go with Smoothwall for my friend. It sounds like it is just what he needs. Thanks guys!!!
Originally posted by stmok
So what's it like moving up from one of those "routers you buy" to the " ones you build yourself " ?
(I began with firewall PCs as, since I had bits lying around the place. It was more economical for me.)
Much better! So much more flexibility and stability. My old Linksys would lose the connection every now and then. I'd have to unplug the router and plug it back in to get it back. Plus I've got a USB network adapter I use every now and then when I work on PCs. Comes in handy. But with my Linksys it would lose connection in the middle of a transfer. To get it back I'd have to unplug from the USB port and plug it back in. So I could really only use it for internet access. Could never transfer files with it.
But now I can use it and never have a problem. Plus the CC box never loses the internet connection like the Linksys did. Endless port forwarding, blocking. I love it. I'll most likely never go back to a stand-alone router again. At least not a cheap one anyway. And I won't be able to afford a really nice one for a long time. Who knows, I may never go back to a regular router. I love my ClarkConnect gateway!