Kirk Marat wrote:
>
> Any recommendations on firewalls?
Kirk:
I haven't actually done this in the NMR lab (yet), but if
all of your NMR unix boxes are in fairly close proximity,
this would be simple:
Set up a RedHat Linux 7.2 machine as the firewall machine.
Put two ethernet cards in the machine. "eth0" will talk to
the internet, and will have a "real" IP number assigned to
it. The second ethernet card, "eth1", will be on your
"private" network. You can use the range of numbers
192.168.1.x, which is not used on the internet. Get a
simple hub of appropriate size. Plug eth1 into that hub,
and also all of your protected machines. Assign new static
IP numbers to those machines. Using NAT, network address
translation, the protected machines will be able to get out
to the internet through the firewall machine. The address
of the firewall machine should be used as the Gateway and
DNS (along with your campus DNS too) for the others. The
subnet mask for the protected machines would be
255.255.255.0. Do a custom Redhat 7.2 installation and
select all of the packages relating to firewall. (I can't
recall right now, but there might even be an installation
choice of "Firewall machine.")
I'm doing just this at home, where I have three computers
accessing broadband (cable modem) through a fourth Redhat
machine which acts as the firewall. The only thing that I
have NOT tried to figure out is whether one can get INTO the
protected machines (directly) from the outside. However, if
I am at work, I CAN ssh into my firewall machine, and once
there I can then get into the protected machines to transfer
files, etc. Obviously, you do not want to allow simple
telnet or ftp access to the firewall machine. That would
make the whole exercise useless. Only allow secure
shell/ftp, and use tcp_wrappers. Of course it would be even
better if you don't allow ANY incoming access, but I suppose
most labs need some way for people to get their data off the
instrument computers.
The Redhat firewall machine could be a simple 486 or classic
Pentium that's probably gathering dust in some corner
anyway. But if you wanted to set up a repository for data
files you might want something better.
-Bill-
Bill Gurley, Supervisor of Technical Services
Department of Chemistry
University of Tennessee, Knoxville Campus
Received on Fri Dec 14 2001 - 10:51:40 MST
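Added example, not from Bill's post: an iptables script for the two-card NAT firewall he describes (Red Hat 7.2 ships iptables), using eth0 as the campus side, eth1 on the private 192.168.1.x hub, ssh as the only inbound service, and tcp_wrappers behind it. The DRY_RUN switch and the CAMPUS_NET placeholder are my additions so the rules can be read without root.

```shell
#!/bin/sh
# Two-NIC NAT firewall, default deny. Interface names and the private
# range follow the post; DRY_RUN=1 (default) prints the commands instead
# of running them, so the ruleset can be reviewed on any machine.
WAN_IF="${WAN_IF:-eth0}"              # card with the "real" campus IP
LAN_IF="${LAN_IF:-eth1}"              # card plugged into the private hub
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # protected machines, mask 255.255.255.0
CAMPUS_NET="${CAMPUS_NET:-CAMPUS_NET_PLACEHOLDER}"  # placeholder, fill in
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

firewall_rules() {
    # Drop everything by default, then open only what the post allows.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F; ipt -t nat -F
    # Loopback, and replies to connections the firewall itself opened.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Protected machines may reach the firewall (gateway, DNS, ssh) on eth1.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # From the outside only ssh (22); telnet (23) and ftp (21) stay closed.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # NAT: lab machines go out through eth0, replies come back, nothing
    # else is forwarded, so nobody outside can reach 192.168.1.x directly.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# The kernel must forward packets for NAT to work at all (root when live).
enable_forwarding() {
    if [ "$DRY_RUN" = "1" ]; then echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

# tcp_wrappers second layer: deny all, then allow sshd from campus only.
wrappers_config() {
    printf '/etc/hosts.deny:  ALL: ALL\n/etc/hosts.allow: sshd: %s\n' "$CAMPUS_NET"
}

firewall_rules; enable_forwarding; wrappers_config
```

Run live with DRY_RUN=0 as root after replacing the CAMPUS_NET placeholder with your campus block.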