06/11/2005 Archived Entry: "Our new firewall"
There's nothing like an impending new Internet service to prompt me to revamp our network security. A few months ago I acquired the hardware to replace our old firewall box, even before we knew we were switching to high-speed service. So with the satellite installation scheduled, I had to hustle to upgrade the firewall.
Long-time readers may recall that our old firewall was a dedicated Linux computer that I set up myself for Network Address Translation, automatic dial-up on demand, and IP filtering. But after five years of faithful service (with never a software crash), the hardware was beginning to get a bit creaky. And it took a lot of space and made a lot of fan noise.
Hardware router/firewalls are dirt cheap these days, even when purchased new. The problem for us was that most of them work only with high-speed Internet service (connected via an Ethernet port). But a few models were made that support a "backup" modem connection. One such is the SMC Barricade 7004BR router. (Not to be confused with the 7004VBR, which lacks the modem port.) It is no longer made, but it is available on eBay for about $10.
I must say, I'm quite impressed with this unit for its "no problem" installation.
Step 1: Modem. I connected the SMC7004BR to a spare "external" modem that I had, and through an Ethernet hub to our house network. All of its functions are configured through a web interface, and its configuration menu was immediately reachable from my desktop computer. (For some reason I couldn't log in from the Konqueror browser, but Firefox and Opera work great.) Better still, all I had to do was select "dial-up" network, enter our ISP's phone number, login name, and password, and it was able to dial in successfully on the first try. (As one who has spent long hours debugging modem scripts, I was impressed.) Just like that, we had all the function of our old firewall box. The switchover took about fifteen minutes.
The SMC7004 uses a fairly simple port-blocking firewall, basically identical to what I set up in our Linux firewall. (Newer routers have more sophisticated algorithms.) A quick visit to Shields Up! revealed that it was correctly stealthing all ports except 113. Fortunately, the Gibson Research page explains not only why most NAT routers leave this port visible, but also how to block it (by forwarding it to a nonexistent computer, so that probes to port 113 are silently dropped instead of answered). After putting in this fix, we were 100% stealthed, at least on dial-up.
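The distinction Shields Up! draws between a "closed" port (the router answers the probe with a reset) and a "stealth" port (the probe is dropped and nothing comes back) can be checked with a few lines of Python. This is an added example, not code from the original post or from SMC; it assumes you run `audit()` from a machine outside your own network against the router's public address, and the `self_check()` function uses constructed loopback sockets so it can be exercised offline.

```python
import socket

# Verdicts in Shields Up! terms: a port that answers the SYN at all is
# visible (open or closed); one that never answers is "stealth".
OPEN, CLOSED, STEALTH = "open", "closed", "stealth"


def probe_tcp_port(host, port, timeout=2.0):
    """Classify one TCP port from the probing side.

    SYN accepted -> open; RST returned (connection refused) -> closed;
    no reply before the timeout -> stealth (packet silently dropped,
    which is what the port-113 forwarding fix achieves).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN
        except ConnectionRefusedError:
            return CLOSED
        except (socket.timeout, TimeoutError):
            return STEALTH


def audit(host, ports, timeout=2.0):
    """Probe a list of ports; return {port: verdict} and the non-stealth ports."""
    verdicts = {p: probe_tcp_port(host, p, timeout) for p in ports}
    visible = sorted(p for p, v in verdicts.items() if v != STEALTH)
    return verdicts, visible


def self_check():
    """Constructed offline demonstration on loopback (not a real router):
    a listening socket should read 'open', a port with no listener 'closed'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here now, so the kernel answers with RST
    try:
        verdicts, visible = audit("127.0.0.1", [open_port, closed_port])
        return verdicts[open_port], verdicts[closed_port], len(visible)
    finally:
        listener.close()


if __name__ == "__main__":
    print("loopback self-check (open, closed, visible count):", self_check())
```

To reproduce the check described above, call `audit("<router public address>", [113, 21, 22, 23, 80])` from outside; every port that does not come back as `stealth` is one the router is still answering for.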
The firewall options of the SMC7004 are more than adequate for our needs. We can specify one computer to be in the "DMZ" (unprotected by the firewall) if we need to. We can forward specific ports to specific computers, and we can cause ports to be opened on request from specific applications. (Not important to us, but we could also block specific ports to specific computers in the house. And it includes a DHCP server so we don't have to manually set IP addresses for all our computers.)
Step 2: Satellite. With the SMC7004BR handling our dial-up access and the old firewall in storage, we brought in the satellite dish. Once the satellite transceiver was configured, I connected its Ethernet port to the "outgoing" Ethernet port of the SMC. I then reconfigured the SMC for Ethernet service, and "dynamic IP address" because the satellite transceiver has its own DHCP server. (The SMC documentation refers to this configuration as "Cable Modem" setup, contrasted with the "DSL" setup which uses a static IP address.)
This switchover took only 10 minutes. With both of these steps, no configuration changes were required for any computer in the house. (I had set up the SMC to use the same IP address as our old firewall.)
It seems a bit silly to run two DHCP servers, and to funnel all of our Internet access through two successive NAT routers. But until they add a firewall capability to the DW6000 transceiver, I insist on having some kind of protection between our computers and the Internet. Call me paranoid.
I also insist on having a backup. Plan B. Belt and suspenders. As long as I have the SMC7004 in the system, I can switch back to dial-up modem access in about 60 seconds. (The modem is still connected and we still have a backup dial-up account.) So if the satellite ever fails, we still have email access at the old, slow speed. For many of you this may be excessive, but we depend on Internet service.
Step 3: Print Server. I had long planned to add a shared printer to our network, using a spare Linux PC (perhaps our old firewall PC). So the fact that the SMC7004 includes a Unix print server for a parallel printer was icing on the cake.
I have mixed results to report. Configuration of the SMC was, again, a snap: I plugged the printer in, turned everything on, and the SMC immediately recognized its presence. Under Xandros Linux I merely had to go to "install printer", specify the printer model, IP address, and port name ("lp"), and presto, Xandros was talking to the remote printer.
Well, mostly. For this test I'm using an ancient OL400 that was given to me by a friend. And while it prints its "self test" page OK, it tends to print black streaks on the test pages sent from my PC. This could be many different things: it may not be able to accept data at the speed the SMC is sending, the printer's RAM could be defective, the Linux device driver could be defective, or the Linux device driver could be overrunning the RAM. I'm going to attach a different printer and see if I get better results.
Addendum: I've switched to a different printer and it's working perfectly. So either there's a problem with the hand-me-down printer, or with its specific Linux drivers.
All in all, I've been really impressed with the SMC7004BR. It's easy to install and configure, and everything works. High-speed users have a wide array of router choices, but if you're still stuck with dial-up service, this is an easy way to get a firewall, Internet connection sharing, and a print server, for just a few dollars.
(I'd be interested to hear of any other router/firewall units that support dial-up modems.)
brad