firewall_linux by wulinqing


Linux firewall & security gateway

Training workshop on server-based Linux for firewalls and security gateways
Session 931 of the Gilan Linux Users Group

Alpine
●   Alpine originally stood for A Linux Powered
    Integrated Network Engine
●   On the other hand, there are a number of
    installations where Alpine Linux is used as the basis
    for enterprise servers running Postgresql, Postfix,
    Asterisk, Kamailio, iSCSI SAN. It is the little engine
    that could.
●   Astaro Network Security
●   Astaro Network Security includes fully integrated
    features such as a configurable firewall paired with
    an intrusion protection system, denial-of-service
    protection, many traffic forwarding and NAT tools and much
    more. Take a deeper look at the extensive range of
    features provided by this security application.
                      Astaro fw
●   Astaro’s firewall uses an object-based approach.
    Simply define an object like a workstation or
    company web server, and then re-use this
    information all through the configuration. Astaro’s
    firewall is intuitive
Astaro fw
Bandwidth Control
Intrusion Prevention
DoS Protection
Protect your network against artificial traffic floods.
m0n0wall
●   m0n0wall is a project aimed at creating a complete, embedded
    firewall software package that, when used together with an embedded
    PC, provides all the important features of commercial firewall boxes
    (including ease of use) at a fraction of the price (free software).
●   m0n0wall is based on a bare-bones version of FreeBSD, along with a
    web server, PHP and a few other utilities. The entire system
    configuration is stored in one single XML text file to keep things
●   m0n0wall is probably the first UNIX system that has its boot-time
    configuration done with PHP, rather than the usual shell scripts, and
    that has the entire system configuration stored in XML format.
m0n0wall

04/17/2010 - m0n0wall 1.32 released
m0n0wall 1.32 patches an Ethernet bug on
ALIX boards (among others) and contains
several other small fixes and
improvements on IPv6, the DNS forwarder
and the hardware monitor.
Features of m0n0wall
●   web interface (supports SSL)
●   serial console interface for recovery
      * set LAN IP address
      * reset password
      * restore factory defaults
      * reboot system
●   wireless support
●   captive portal
●   802.1Q VLAN support
Features of m0n0wall
●   stateful packet filtering
      * block/pass rules
      * logging
●   NAT/PAT (including 1:1)
●   DHCP client, PPPoE, PPTP and Telstra BigPond Cable support on the WAN interface
●   IPsec VPN tunnels (IKE; with support for hardware crypto cards, mobile clients and certificates)
●   PPTP VPN (with RADIUS server support)
●   static routes
●   DHCP server and relay
●   caching DNS forwarder
●   DynDNS client and RFC 2136 DNS updater
Features of m0n0wall
●   SNMP agent
●   traffic shaper
●   SVG-based traffic grapher
●   firmware upgrade through the web browser
●   Wake on LAN client
●   configuration backup/restore
●   host/network aliases
m0n0wall embedded
What is pfSense?

●   pfSense is a free, open source customized distribution of
    FreeBSD tailored for use as a firewall and router. In addition to
    being a powerful, flexible firewalling and routing platform, it
    includes a long list of related features and a package system
    allowing further expandability without adding bloat and
    potential security vulnerabilities to the base distribution. pfSense
    is a popular project with more than 1 million downloads since its
    inception, and proven in countless installations ranging from
    small home networks protecting a PC and an Xbox to large
    corporations, universities and other organizations protecting
    thousands of network devices.

●   Firewall
●   State Table
●   Network Address Translation (NAT)
●   Load Balancing
●   VPN - IPsec
●   OpenVPN
●   PPTP Server
●   PPPoE Server
●   Reporting and Monitoring
●   RRD Graphs
●   Real Time Information
●   Dynamic DNS
●   Limitations
●   Captive Portal
●   DHCP Server and Relay
●   pfSense includes almost all the features found in expensive
    commercial firewalls.
Minimum Hardware Requirements
●   CPU - 100 MHz Pentium
●   RAM - 128 MB
●   Requirements specific to individual platforms follow.
●   Live CD
●   CD-ROM drive
●   USB flash drive or floppy drive to hold configuration file
●   Hard drive installation
●   CD-ROM for initial installation
●   1 GB hard drive
●   Embedded
●   128 MB Compact Flash card
●   Serial port for console
●   Untangle provides a powerful suite of Internet
    management applications for small-to-medium
    businesses and education institutions.

●   The Untangle Server is a multi-function firewall. It
    simplifies and consolidates the many network and
    security products that businesses need at the
    gateway to the Internet.
Installing New Applications
Basic Application Configuration
Advanced Features & Customization
HTML Reporting: Platform Overview
PDF Reporting: User Level Detail
Untangle Setup Wizard
Active Directory Integration
Kaspersky Virus Blocker Screenshots
WAN Balancer shares traffic across multiple Internet connections
Set the traffic allocation for each Internet connection.
Port Forward Editor
                           Open Source Package
●   The Untangle Server and 12 of the applications that run on it are open source and free under the GNU General Public
    License v2 (GPLv2). Automatic signature updates and software upgrades.
●   Includes:
      * Spam Blocker
      * Spyware Blocker
      * Web Filter
      * OpenVPN
      * Protocol Control
      * Phish Blocker
      * Intrusion Prevention
      * Attack Blocker
      * Virus Blocker
      * Routing & QoS
      * Reports
      * Firewall
                  eBox Platform
●   Linux Small Business Server
●   eBox Platform can act as a Gateway, Infrastructure
    Manager, Unified Threat Manager, Office Server,
    Unified Communication Server or a combination of
    them. One single, easy-to-use platform to manage
    all your network services.
General Configuration
System Free Space
Asterisk General
What's coming in 2.0
●   New base: Ubuntu 10.04 LTS
●   New graphical installer
●   Easy disaster recovery
●   Thin Clients server
●   FTP server
●   Webserver with HTTPS support
●   Improved software management
●   Autoconfiguration wizards
See also
●   ClarkConnect
●   ClearOS
●   eBox
●   Endian Firewall
●   m0n0wall
●   pfSense
●   Shorewall
●   SmoothWall
●   Untangle
●   Zeroshell
                            See also
●   BrazilFW
●     BrazilFW is a Router/firewall distribution based on Coyote
●   Cflinux
●      Cflinux is intended to be a small, embedded linux based system,
    mostly usable for firewall (Linux kernel 2.4 with iptables), router
    (ripd, ospfd, even bgpd from quagga), 802.11a/b/g access point
    (hostap and madwifi drivers), IPSEC gateway (openswan), PPPoE
    server (with radius authentication, kernel PPPoE), PPTP access

●   ClarkConnect
●     Firewall and Internet server distribution
                              See also
●   Collax Business Server
●     A Router/firewall & web-, email- and database server distribution
●   Collax Security Gateway
●     A specialized Router/firewall/IDS/IPS server distribution
●   Coyote Linux
●     Router/firewall distribution
●   Devil-Linux
●     firewall/router/server distribution running from CD
●   DD-WRT
●     Embedded Linux firmware distribution based on OpenWrt
                             See also
●   Eisfair
●     small easy to install server
●   Endian Firewall
●    Unified Threat Management distribution (Router/Firewall,
    Gateway Anti-Spam & Anti-Virus for Web, FTP and Email,
    Hotspot functionality)
●   EnGarde Secure Linux
●     A Router/firewall & web-, email- and database server
●   Fli4l
●     a single floppy ISDN, DSL and Ethernet-Router
                              See also
●   floppyfw
●     floppyfw is a router with the advanced firewall-capabilities in Linux
    that fits on one single floppy disc.
●     a free replacement for proprietary routers supporting up to 10
    network cards and up to 10 modems.
●   FreeWRT
●     Router distribution
●   Gibraltar
●     Router/firewall distribution.
●   Global Technology Associates, Inc.
●     GB-OS Firewall UTM Appliance
                            See also
●   IPCop
●     Router/firewall distribution
●   IPFire
●     Router/firewall/homeserver distribution with webbased
●   LEAF Project
●     a customizable embedded Linux network appliance used as an
    Internet gateway, router, firewall, and wireless access point.
●   Ideco Gateway
●     Advanced Router/Firewall distro.
                             See also
●   NetGate
●     Router/firewall distribution featuring traffic control, captive
    portal, QoS, web proxy, URL blocker and filter as well as
    bandwidth management and quota support with automatic
●   OpenWrt
●     Modular embedded distribution for ARM, MIPS, PPC and x86
●   PyramidLinux
●     A wireless router distribution for x86 embedded systems.
●   redWall
●     Router/firewall distribution
                          See also
●   Sentry Firewall
●     A firewall, server or intrusion detection system
●   SME Server
●     A Router/firewall & web-, file-, email-
    and database server distribution based on CentOS
●   SmoothWall
●     Router/firewall distribution
●   The Linux Router Project
●     Router distribution (Defunct as of 2003)
●   MikroTik RouterOS can also be installed on a PC and will turn it into a
    router with all the necessary features: routing,
    firewall, bandwidth management, wireless access
    point, backhaul link, hotspot gateway, VPN server
    and more.
Routing Protocols

●   Routing protocols let routers exchange routing information with
    each other and ease network administration. The following
    routing protocols are supported by MikroTik RouterOS:


●     * RIP v1 and v2
●     * OSPF
●     * BGP
              Bandwidth Management
●   Queuing / Bandwidth Management

●   MikroTik RouterOS supports Class Based Queuing (CBQ)
    for bandwidth limitation. It is possible to limit a single IP or
    MAC address, or a whole subnet. Queuing can be performed
    based on:


●     * Source/destination address
●     * Protocol, port
●     * Many other parameters
Bandwidth Limiting on PPP Connections
●   PPP connections and HotSpot can be assigned a fixed
    bandwidth. The following connection types support
    bandwidth limiting in MikroTik RouterOS:


●     * PPP
●     * PPPoE
●     * PPTP
●   Filtering rules
●   Filtering rules are a set of conditions and actions that are applied in a
    certain order until a decision to route or drop the packet is reached.
    When a particular packet meets all the conditions specified in a given
    row of the table, the action specified in that row (whether to route
    or drop the packet) is carried out. Rules can be applied to the
    following:
●     * Source Address
●     * Destination Address
●     * Source Port
●     * Destination Port
●     * Source MAC address
●     * and many more ...
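The first-match table walk described above, as an added example that is not part of the original slides and not MikroTik's own code: rules are rows with optional conditions on source/destination address, protocol, destination port and source MAC, and the first row whose conditions all hold decides the packet (the rule names, the sample table and the packets are constructed for illustration). Note that row order matters: a drop row for a specific MAC placed before a broad allow row wins for that host.

```python
# Added example (not MikroTik code): a minimal first-match filter table.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    src_mac: str


@dataclass
class Rule:
    action: str                    # "route" or "drop"
    src_net: Optional[str] = None  # CIDR, e.g. "192.168.1.0/24"
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_mac: Optional[str] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        # Every condition that is set must hold; an unset condition matches anything.
        return all([
            self.src_net is None or ip_address(p.src) in ip_network(self.src_net),
            self.dst_net is None or ip_address(p.dst) in ip_network(self.dst_net),
            self.proto is None or self.proto == p.proto,
            self.dport is None or self.dport == p.dport,
            self.src_mac is None or self.src_mac.lower() == p.src_mac.lower(),
        ])


def decide(rules: list[Rule], p: Packet, default: str = "drop") -> tuple[str, str]:
    """Walk the table in order; the first matching row decides.
    Falls back to `default` (drop) when no row matches."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return default, "implicit default"


# Constructed sample table: block one host by MAC, allow LAN HTTPS and DNS,
# drop everything else via the implicit default.
TABLE = [
    Rule("drop", src_mac="00:11:22:33:44:55", comment="blocked host"),
    Rule("route", src_net="192.168.1.0/24", proto="tcp", dport=443, comment="LAN https"),
    Rule("route", src_net="192.168.1.0/24", proto="udp", dport=53, comment="LAN dns"),
]
```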
