Hello Steven,
I am currently working on a project with a 5.6 update4 server as a 'firewall only' server and will be posting my findings soon because I need some help 'stripping' the server of unneeded features. It goes something like this:
1. 400MHz PC, 8GB IDE, 2 NIC cards (I have a cable modem).
2. Install 5.6 as gateway/private server and update to latest U4.
3. Install RPMs: IPSEC VPN, Service control, port opening, port forwarding, Review DHCP, System Monitor Disk utilization, update system, DansGuardian 2.6.0 and PAM (I will elaborate further in a later post). With the 'Services Module', I turn off unneeded services, leaving on DHCP, Transparent Proxy, WEB Server and Web Proxy.
4. Install DG 2.6 along with Blacklists.
5. Install PAM (Pluggable Authentication Modules).
I just began working on this 'project', but my findings are as follows: 1. PAM and transparent proxy are not possible, so you need to set each browser to point to the proxy server at port 8080. 2. Users can bypass PAM if they know squid sits at port 3128. (I know iptables can help me here!!)
To use PAM and DansGuardian together goes something like this: 1. Add 5 users (A, B, C, D and E) to the firewall server. 2. Add users A and B to DansGuardian's exceptionuserlist. Users A and B will still need to authenticate to PAM with their username/password that is on the firewall, but will not be restricted from any websites (unfiltered). Users C, D and E will also need to authenticate to PAM, but will be filtered with DansGuardian, which will block them from porn sites and so on. If a user is NOT on the firewall server, then NO Internet access at ALL. The usernames and passwords do not need to be the same as your internal servers' usernames/passwords.
I need help to remove unneeded hyperlinks in the server-manager panel and tighten up this FW. I will be running vulnerability/port scans against the external interface using Nessus, ISS and GFI's system scanner.
If anyone wishes to help with this project please butt in.
Bill
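The iptables part of finding 2 above (LAN users skipping PAM and the filter by pointing their browser straight at squid on 3128 instead of DansGuardian on 8080), written out as an added example. This is not code from Bill's post or from the server distribution; the interface names (eth1 as the LAN side) and the LAN subnet (192.168.1.0/24) are assumptions and can be overridden through the environment. The function emits the rules rather than applying them, so they can be reviewed first and then piped into a shell as root.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumed layout (hypothetical): eth1 = LAN side, 192.168.1.0/24 = LAN,
# squid listening on 127.0.0.1:3128, DansGuardian listening on 8080.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_PORT=3128
DG_PORT=8080

# Print the ruleset instead of running it; apply with:  proxy_lockdown_rules | sh
proxy_lockdown_rules() {
    cat <<EOF
# DansGuardian hands requests to squid over loopback; that path stays open.
iptables -A INPUT -i lo -p tcp --dport $SQUID_PORT -j ACCEPT
# LAN hosts may reach DansGuardian, where the PAM authentication happens ...
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $DG_PORT -j ACCEPT
# ... but not squid itself, which would skip both PAM and the content filter.
iptables -A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j REJECT --reject-with tcp-reset
# No LAN host gets routed straight out on 80/443 either; the proxy is the only way.
iptables -A FORWARD -i $LAN_IF -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
EOF
}

# Self-check: the generated set really does close 3128 on the LAN interface.
lan_squid_closed() {
    proxy_lockdown_rules | grep -q -- "-i $LAN_IF -p tcp --dport $SQUID_PORT -j REJECT"
}
```

Two things to watch when using this. First, the Transparent Proxy service must be off, as finding 1 already requires: its nat REDIRECT would deliver port-80 traffic to local port 3128 on the LAN interface, where the REJECT rule above would now drop it. Second, if the distribution regenerates its firewall ruleset from templates, rules added by hand are lost on the next rebuild and belong in whatever local-rules hook the server provides. The matching DansGuardian side is the filterport, proxyip and proxyport settings in dansguardian.conf (8080, 127.0.0.1 and 3128 here), with the unfiltered users A and B in exceptionuserlist exactly as described in the post.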