Posted 06 January 2013 - 16:34
Posted 06 January 2013 - 16:48
"though would have been prepared to do this myself"
Just so you know - updating those would not be free; Cisco is not cheap!! You can pick up older hardware from 3rd parties for not all that much. But the images they have installed are where lots of the cost comes from.
Now (cough, cough) you might have alternate sources for your images?? Now some people might be OK with (cough, cough) sharing images if they know it's only going to go on a VM for learning. Putting it on actual hardware is a different matter, and brings into question other concerns of trust and where that hardware might end up in the end, etc.
As to securing your network - any of the distros out there will be good. Keep in mind you made no mention of an application firewall or reverse proxy. If you're looking to secure web/FTP applications, a normal firewall does not promise any extra security for flaws/exploits in those applications.
Your firewall will allow you to secure it from those you don't want to access it - but if you open that up to the public net, then the security of the application comes down to that application, not the firewall that just provided access. If that is your concern then you need to look for a reverse proxy, etc., that can filter for application exploits and block them.
edit: that is info about the feature set, not the actual feature set image. Again (cough, cough) actual purchase of the feature set is NOT CHEAP!!
Posted 06 January 2013 - 20:32
Posted 06 January 2013 - 20:42
If you want, you could do what I did: keep the NAT setup on Debian, get Snort/Suricata, put that on it and run it in IPS mode, which will protect your servers and clients.
Posted 07 January 2013 - 12:56
Posted 07 January 2013 - 14:00
Or you could just run pfSense and install the Snort package.
Who do you want to be able to access your FTP server?? People on the .0 or people on the internet? Because people on the internet is not going to happen unless you have control of or access to the NAT router between the .0 and the internet to create the forward to your .0 address.
Posted 07 January 2013 - 14:39
Posted 07 January 2013 - 15:09
Many routers do not like a double NAT scenario, esp. SOHO routers. You would have to forward the port to your Debian box from your router, then forward the port from your Debian box to your computer.
Posted 07 January 2013 - 16:26
Posted 07 January 2013 - 16:31
Posted 18 January 2013 - 16:17
Not if you go with pfSense it wouldn't; it would allow you to see the correct PF syntax, since pfSense runs on FreeBSD, and FreeBSD uses PF, not iptables. You could go with a router/firewall distro that uses iptables, though, if that is your ultimate goal.
My question is: what if some user on the .0 wants to forward ports to their IP - do they also have access? Only 1 person would be able to forward port 21.
Also keep in mind that with FTP and double NAT you can run into some issues. Are you going to be doing active or passive connections? Now many SOHO and router distros do have FTP helpers to work through the data port being opened and changing the IP to the public one that the FTP server might send, etc. But with a double NAT you can have problems, etc. You can make it work if you have access to both routers, but it's more complicated, to be sure. As with anything, it's a good idea to fully understand the protocol in question to get it to work through a firewall.
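The double-NAT FTP forward described in the post above, written out as an added example in raw PF syntax (not from the thread, and not the rules pfSense's GUI would generate for you): the ADSL router is assumed to forward port 21 and the passive range to the pfSense WAN address, and pfSense then redirects them to the FTP server on the .0 network. All interface names and addresses are constructed assumptions.

```pf
# Added example (constructed, not from the thread). Assumed topology:
#   ADSL router LAN side  192.168.1.1  forwards tcp/21 and 50000-50100 -> 192.168.1.2
#   pfSense WAN           192.168.1.2  on em0   (second NAT hop)
#   pfSense LAN           192.168.0.1  on em1
#   FTP server on the .0  192.168.0.10
ext_if     = "em0"
int_if     = "em1"
ftp_srv    = "192.168.0.10"
pasv_ports = "50000:50100"   # must match the passive range configured on the FTP server

# Second hop of the double NAT: traffic the ADSL router already forwarded to
# ($ext_if) is redirected to the FTP server. The control channel (21) and the
# passive data range are both needed; with no target port the original
# destination port is kept, so 50000-50100 map 1:1 onto the server.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 21          -> $ftp_srv
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port $pasv_ports -> $ftp_srv

# Active mode: the server opens the data connection back to the client from
# port 20, so it must be allowed out through the WAN and NATed.
nat  on $ext_if inet from $int_if:network to any -> ($ext_if)
pass out on $ext_if inet proto tcp from $ftp_srv port 20 to any keep state

# Caveat from the post: in passive mode the server's PASV reply still carries
# its private address (192.168.0.10) unless the server is told its public IP
# or an FTP helper rewrites the reply; a second NAT hop doubles that problem.
```

To confirm the first hop works before debugging PF, sniff the pfSense WAN interface while connecting from outside (for example `tcpdump -ni em0 tcp port 21`); if nothing arrives, the ADSL router's forward or DMZ/exposed-host setting is the problem, not pfSense.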
Posted 02 February 2013 - 14:27
Posted 03 February 2013 - 14:04
Posted 03 February 2013 - 14:42
What do you mean opened it? You need to forward it as well.
It's going to be easier to just put the IP address of the pfSense WAN into the DMZ, or exposed host, of your ADSL router - now ALL unsolicited traffic will be sent to the pfSense WAN IP.
Do you have any way to put that ADSL router into bridge mode so that pfSense gets a public IP?
So I would, for a test, sniff on your pfSense WAN interface - do your test; do you see the packets??
Posted 03 February 2013 - 15:20