FIRST REMEMBER YOUR RISK SCORE FROM THE PREVIOUS PAGE. If you've
forgotten, click here to go back.

Regardless of the method used, the principle is the same: all TCP/IP
packets start off with header information that tells where the packet is
from and where it's going. The Internet connection-sharing software changes
the header information so that the packet appears, to the server on the other
end, to originate from the IP address of your Internet connection instead of
the local IP address behind the box that is actually connected to the Internet.
Return packets from the server you're accessing still contain that header
information and are allowed to pass. Any packet from outside NOT containing
your return address information is rejected in a firewalled system.

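The header rewriting described above can be modelled in a few lines. This is an added example, not code from the original page or from any of the products it names; it is a simplified model that assumes the sharing box tracks each outbound connection by port and remote address, and every address and port in it is a constructed sample value.

```python
# Added illustration: a toy IP-masquerade box with a connection table.
# All addresses and ports below are constructed sample values.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class MasqueradeRouter:
    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> public port
        self.in_map = {}   # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def outbound(self, pkt):
        """Rewrite a LAN packet so it appears to come from the public IP."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_map[key])

    def inbound(self, pkt):
        """Return the packet rewritten for the LAN host, or None if rejected."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # matches no outbound connection: rejected
        return replace(pkt, dst_ip=entry[0], dst_port=entry[1])

def demo():
    router = MasqueradeRouter("203.0.113.7")
    # A LAN workstation opens a web connection through the router.
    sent = router.outbound(Packet("192.168.0.10", 1025, "198.51.100.80", 80))
    # The server's reply carries the rewritten address and is passed back in.
    reply = router.inbound(Packet("198.51.100.80", 80, sent.src_ip, sent.src_port))
    # Unsolicited packet from outside: nothing in the table, so it is dropped.
    probe = router.inbound(Packet("192.0.2.66", 4444, "203.0.113.7", 139))
    # Right port but wrong remote host: also dropped.
    spoof = router.inbound(Packet("192.0.2.66", 80, sent.src_ip, sent.src_port))
    return sent, reply, probe, spoof

if __name__ == "__main__":
    for label, result in zip(("sent", "reply", "probe", "spoof"), demo()):
        print(label, result)
```
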
If you are using a high-speed connection (DSL, cable, etc.), I would
recommend one of these three solutions:

Linux-based firewall-router. Which distribution of Linux to use depends on
whether this machine is ALSO going to be used as a workstation in addition to
being a host to other computers. If so, I would recommend using a standard
distribution such as Redhat or Mandrake, configured for 2 netcards. Setting up
the 2 netcards is not too difficult. PCI cards (if your motherboard can handle
more than 1 of them) are autodetected by the OS. ISA cards can also work,
provided you remember to supply Linux with the I/O parameters (IRQ and base
address); be sure to enter the base address in hexadecimal format with the
leading 0x (example: 0x260). Also remember NOT to use Samba on the netcard that
will connect to the outside, and consider carefully what services (like Apache)
you really want to have running on your machine. Many DSL providers now use
PPPOE. If the DSL provider supplied you with "WinPOET" software, then they are
using PPPOE. If so, you will need to download a PPPOE package from
www.roaringpenguin.com in order to access the net on your DSL modem through
Linux. It comes with its own IP masquerade-firewall package. On the other hand,
if you are simply leaving a machine up 24 hrs to act as a server, you may be
able to use one of the floppy-disk based distributions custom-designed for
firewall use: Freesco or FloppyFW. Both provide excellent security without
requiring you to be a Linux expert. FloppyFW is easier to use, but is suitable
only for high-speed connections, whereas Freesco can also be used on a dialup
connection. The Linux-based routers can be used on a 386, 486 or Pentium
computer, and the two I mentioned can be used on a machine WITHOUT a hard drive.

Windows-NT or 2000 and a proxy server. You'll need at least a Pentium-133 for
proper performance. NT Workstation is enough. But don't use 9X -- you've got
too much at stake. You'll then need to get proxy-server software, which will
generally cost you some money. And you'll need to reconfigure your software on
the client computers (Internet Explorer, Netscape Navigator, etc.) to use the
proxied connection. OR you can use "Network Address Translation" software to
perform the IP masquerade that the Linux-based router does natively. Download
and apply a recent NT4 service pack from Microsoft (recommend 5, not 6).

Commercial routers are the most expensive solution, but one I'd consider
if you want a ready-made solution. Sometimes the service provider (especially
for business-class DSL) will provide this. But be wary of this -- some
routers simply manage a bunch of preassigned IPs -- many BUSINESS CLASS DSL
providers will assign a group of IP addresses and supply a router to separate
them. Be sure your router is NOT of that type if you have a connection through
a single IP address. You need a NETWORK ADDRESS TRANSLATING device.

If you are using a dial-up connection, you can:

Use the Freesco router. Of course your modem must be Linux-compatible. (It
needs to be a hardware modem.)

Use Windows-NT or 2000 and a proxy server. If using NT4, apply service pack 3,
4 or 5 AFTER installing Remote Access Service. Of course your modem must be
compatible with NT4 or 2000 (unfortunately not all are, but any hardware modem
can be made to work). Analog-X has a nice free proxy server for dialup
connections.

Buy a commercial router. Make sure it is capable of sharing a single dialup IP.

Conspicuous by its absence is Microsoft Internet Connection Sharing.
Why? Because this product does not meet techsup.net's standards for an
acceptable product. Why not? Although it is fairly easy to set up (I had it
working in 15 minutes), it fails the open standards test. For the host
computer, you need either Windows-98 2nd edition OR Windows-2000. I have no
problems with this. What I DO have a problem with is its requirement for
Windows on the CLIENT computers. It is NOT designed to work with non-Windows
clients. Therefore, it gets a NOT ACCEPTABLE rating from techsup.net. What
does open standards mean and why is it important? All of the other products I
mentioned will work regardless of the operating system on the client
computer(s).

How do I configure the host and the clients?