Thursday, November 10, 2016

Gen 3 Firewall is Up




Subtitle: Firewall Phobia is conquered

So after some months of procrastinating where Marcus seemed to invent any excuse to stop 'getting on with the job' our Gen3 firewall is finally up and running.

If you read this
https://majzel.blogspot.com/2016/11/f-is-for-firewall.html

you would be familiar with the fact that we started off with a Gen#1:Hardware Zyxel firewall, then graduated to a Gen#2:Sophos UTM firewall running on a tiny yet capable Mini ITX computer.

The final move was to custom build a better PC and run a Linux firewall on this computer directly.

Sensible Upgrade Plan
Reading, Prototyping, Implementing, Testing, Gotchas, Retesting, Production Cutover, Dismantling Old ...


Reading


The first step is to read about IPtables in Linux and also about the gufw which is the foundation for what will be implemented.


Prototyping



The system is built upon a fully patched Linux Mint 18 Sarah with Cinnamon desktop, though the choice of desktop is just an irrelevant detail.

I chose Linux Mint since it's a very well supported Linux variant.  Any issues then Google can help me better here than on other distributions.

Apparently 'real Nerds' would have course used FreeBSD but all levels of Presentation i.e. GUI and Code Levels are well frankly 'downlevel' and whilst I acknowledge that plaform is know for its Rock Hard Stability I felt it was too hard core for me.
 




No honestly, I really hate firewalls!  Usually change one thing and everything stops working.  Grrrr.

I mention these things as pointers because I'm not about to display our firewall config for security reasons

/etc/default/ufw
/etc/ufw/sysctl.conf

sudo ufw disable && sudo ufw enable

Lookup  MASQUERADE, you will need it

ufw enable ssh   # enable ssh traffic

Lookup PREROUTING to allow port forward for incoming webserver

I just tell you that the above headings will speed up your firewall implementation should you choose to clone our setup.
 

Gotchas

The Asrock Mini ITX computer, that I reviewed here

https://majzel.blogspot.com/2016/10/asrock-mini-itx-computers.html

forms the basis of the build.  And in quite a fancy, considering the function Corsair Air 240 case and quality BeQuiet PSU.

I also invested in a single PCIe x1 single port Gigabit Ethernet card.

SO:  1 planar ethernet will be used to talk to the Internet (well my ISP router) and downstream I will have 1 wired Ethernet and some USB 3.0 to Gigabit Ethernet Adapaters.

It did not work!

Somehow these Linksys adapters were not compatible. I was gutted.  I had to fallback on some USB 2.0 to Gigabit dongles of the 2012 variety.  They worked but only at 30MB/sec speed maximum.


Gotchas: DHCP
During prototyping things worked well but I was using fixed IP addresses.  I quite neglected to think about DHCP serving for when visitors or ad hoc users need to visit.

cat /etc/dhcp/dhcpd.conf
subnet 192.168.7.0 netmask 255.255.255.0
{
#network
 range 192.168.7.20 192.168.7.75; # Range
 option domain-name-servers  8.8.8.8; #Pri DNS , Sec DNS
 # option domain-name "linuxinfo.com"; #Domain name
 option routers 192.168.7.249; #Gateway
 option broadcast-address 192.168.7.255; #Broadcast
 default-lease-time 600;
 max-lease-time 7200;

}

service isc-dhcp-server restart



Something like this



Testing
We tested the config for 1 week and all was well, though in the course the following issues came up too ...  [After go live we kept the old firewalls for 1 week, now they are still available for emergency fallback but are up for sale]


Noise&  Access


  • Could we make the firewall totally silent?  Since it is up 24x7 (or is it?) more fans means more noise.  Since the motherboard CPU needs no fan we steadily reduced the case fans down to 0.  Nothing overheated.  So now it runs with only a PSU fan and even that stops when it can
  • We had to enable ssh so that command line logon  and also at firewall level so that remote logon possible.
  • To provide GUI logon we setup a VNC server with security
  • I noticed that the firewall and DHCP and VNC did not autostart correctly so that needed attention


Finally the Benefits

 

For reasons of modesty we'll only show you the slowest computer in the house.  Nevertheless it's a 20MB/second via the local Device Firewall and Anti Virus and Anit Malware, wireless router,  our new Firewall, the ISP router firewall: well it's pretty decent

Actually I tested with iperf and as I expected, this modest hardware can transfer between Wired interfaces at over 80 MB/second. Finally our dataflows between servers to NAS as they jump to a different security level in our multi network home setup, can progress at a decent speed.  About time.


So it is all good.  A home firewall from

Asrock N3700-ITX Motherboard
Corsair 240 case
BeQuiet PSU System Power 8
Intel I210-T1 PCIe Ethernet
Linux Mint Cinamon
ASUS VE 276 Monitor