
02-09-2010, 11:14 PM
Junior Member
Join Date: Feb 2010
Posts: 6
PCBSD as a router (newbie)
I am a novice to PCBSD. What I want to do is run a dedicated router/firewall computer. Behind it I want one PCBSD desktop to surf the web & check email. I want another WinXP for playing online games.
I already installed PCBSD on my router/firewall computer. I installed PCBSD on the web surfing computer. I'm not too concerned with the XP machine at the moment. My question is this:
What do I have to configure in either of the two PCBSD machines in order to have a VERY secure firewall/router for my network?
On my firewall system I have three 10/100/1000 ethernet cards. I'm using the onboard ethernet to connect to my broadband. I'm hoping this turns it into a three port super-router.
I've read that PCBSD is pretty good as it is. But I want it to be as absolutely secure as I can make it, while still being able to surf the web. As you might have surmised, I've been hacked repeatedly for years using various Windows machines & routers. I'm fed up & finally switched to open-source solutions.
What would I have to keep "open" for the XP machine to connect to friends for games?
I was clicking around BSD to familiarize myself with it. I noticed a lot of NetBios stuff allowed to pass through the default firewall. I've always been told NetBios is not secure. Is it okay to leave that alone?
I don't need any remote connections or VPNs etc. I don't even need chat programs or email (I use web-based emails). I do need ftp occasionally. All I really need is web surfing from the BSD machine and games from the Windows machine (sometimes ftp to update my web page). Everything else I want tight as a drum.
Any suggestions, or am I doing overkill? I've already got the dedicated firewall BSD computer up and running. That's what I'm using right now. But I want to hide behind it and use the other BSD machine.
Also, does anyone know of a good, free proxy server that I can use as an added layer of anonymity?
Thanks, sorry for the long post.

02-11-2010, 08:48 PM
Member
Join Date: Jun 2006
Location: UK
Posts: 37
Re: PCBSD as a router (newbie)
Constructing a firewall machine from any of the BSD versions (FreeBSD, OpenBSD, NetBSD) is certainly possible (remember PCBSD is really an enhanced FreeBSD), but for various reasons (see their websites) you would be best advised to use OpenBSD if you really want a BSD, and note that will NOT come with the polished and superior desktop that PCBSD provides. You could put Gnome on it I suppose. However, to make it watertight you will need to master the rather arcane syntax/language for configuring the particular firewall protection system you choose - there are several. You will also need to build routing tables for your different subnets (one for each network card). This is also somewhat obscure work. You may well then decide that you don't want all the gubbins that comes with KDE and X-windows etc blah blah. The best advice I can give is to use a specialist firewall system such as smoothwall (see www.smoothwall.org) or the very similar ip-cop. They are Linux based, but have been specifically purged of crap and have very good administration systems which are served up by a web server in the firewall machine itself. Another thing to consider is how you connect to the internet. If you have a DSL adapter, then you have to get that working if you have a BSD firewall, whereas smoothwall/ip-cop will recognise a USB device automatically. They both give you an easy interface to block/open ports in the firewall with a single mouse click and loads of screens giving you statistics and logs etc etc. Another thing you may want to do is use a dynamic-DNS service, such as offered by "www.no-ip.com". They can give you a free domain name and redirect traffic to your IP address, so you can run a web site at home on the cheap. Smoothwall and ip-cop can be made to update the IP address every time your ISP cuts you off and reconnects you with a new IP address. If you use a BSD then you will have to get a dynamic-hostname-update daemon working. My approach is "Horses for courses".
So for gaming and music use XP, for development, programming and technical stuff use PCBSD, for a firewall use smoothwall, for a web server use a lean-mean NetBSD and for cutting edge type stuff try DragonFly BSD. I also have CentOS for Linux reference purposes, Solaris to keep up with my work stuff and WIN2000 pro to run my on-line stock trading activities. I also keep WIN 95, for the very obscure reason that if you ever face the task of moving/cloning your XP system to a bigger C drive, you will need to adjust/alter the registry. XP regedit won't do the task. You have to use WIN95 regedit to "read in the XP hive", alter it, then write it out again onto your new cloned disk before it will boot properly. Incidentally, most hostile activity arrives at your machine not as attacks on various ports, but as stuff embedded in web pages. You may get javascripts, active-X stuff, or even executables of various types embedded in spreadsheets or graphics files. Your best protection is to be very careful which web pages you visit. Of course with BSD or Linux a lot of that stuff can't harm you. Yes, I am a BSD enthusiast, but smoothwall is better as a firewall system.

02-11-2010, 09:21 PM
Junior Member
Join Date: Feb 2010
Posts: 6
Re: PCBSD as a router (newbie)
Thanks, I think I understand.
So Smoothwall is just another free operating system, like BSD. I could still use the 3 NIC card computer that currently has PCBSD. I would just reinstall it to make it run Smoothwall.
Then I would have a more "user friendly" firewall to configure, compared to slogging out a bunch of BSD technical stuff on a command line. Is that a fair assessment?
Then behind Smoothwall computer I could use a PCBSD computer for surfing & an XP computer for games.
I was also considering a VPN for pay service like ACE VPN or similar. I would prefer running it on the BSD computer. But if it's too difficult to configure I suppose I could run it on the XP computer.
As far as my webpage, I host it on a provider. That way if it gets hacked at least it's not on my computer.
So, if I understand your suggestion, I should reformat the "firewall" BSD computer to Smoothwall, which is also open-source free. Then run computers x,y,z behind this.
Thanks.

02-11-2010, 09:25 PM
Junior Member
Join Date: Feb 2010
Posts: 6
Re: PCBSD as a router (newbie)
Also, for connection, I just signed up with a company called CLEAR.
They're some kind of wifi service. Their modem connects via an ethernet card. It's G4 whatever the heck that means. But I've read that wifi can be insecure. And I've had BIG problems in the past with insecure internet connections. We're talking identity theft etc.
So that's why I am thinking of a pay service VPN. I don't want a repeat of my Cox Cable Modem torture.
Would you know of any reliable VPNs that would be easy to set up in PCBSD?

02-11-2010, 11:19 PM
Member
Join Date: Jun 2006
Location: UK
Posts: 37
Re: PCBSD as a router (newbie)
From what I can gather CLEAR provide internet connection by radio with a range of about 30 miles and their channel is encrypted, so there should be very little chance of insecurity on the link from your place to CLEAR premises. Their radio/modem at your place will then supply an ethernet connection to your firewall machine. You can then use the other two cards on the "safe" side of your firewall. Smoothwall will designate them as the green zone and the DMZ zone. You should configure your PC and PCBSD machines on the green network, which normally will allow NO traffic in. If you later install a web server, put it on the DMZ zone and allow only port 80 through so people can request your web pages. The danger you face will not be on the link from your place to CLEAR over the radio link, it will come from "out there" on the net. You could get people sniffing packets and getting data you send, so the BEST security is to send no important data. Never put your card number on the net - use PayPal. Despite people's worries about the internet, it is well suspected that most fraud comes from corrupt employees at places where you use your card. They get your number and they know your address for delivery purposes, then they most likely sell your details on to others who start ripping you off. You will always be at risk from credit card fraud. In Europe it is well known you should never let restaurants take your card out back 'cause they often run extra stuff through on it, although UK is a lot safer in that respect, but as far as hackers go you will find smoothwall or ip-cop are pretty watertight. I get probed every 10 minutes for the Microsoft ports 139 and 445 (I think) and also on port 23 for telnet access, but smoothwall blocks all of that. G4 (or 4G) stands for fourth generation, which is a general term for very fast wireless internet access that CLEAR use. Smoothwall and ip-cop are both free.
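
Added illustration, not part of the original posts: the zone policy described above (nothing from outside reaches the green network, only port 80 reaches the DMZ, everything else is dropped) written as a FreeBSD pf ruleset for readers who keep the PC-BSD box as the firewall instead of Smoothwall. The choice of pf, the interface names and the web server address are assumptions.

```conf
# /etc/pf.conf - constructed example, not from the thread.
# Assumed interfaces: em0 = modem side, em1 = green LAN, em2 = DMZ.
# Needs pf_enable="YES" and gateway_enable="YES" in /etc/rc.conf.
ext_if   = "em0"
green_if = "em1"
dmz_if   = "em2"
web_srv  = "192.168.2.10"      # constructed address of a DMZ web server

set block-policy drop          # drop silently instead of answering probes
set skip on lo0
scrub in all

# Translation: green hosts share the external address; only port 80
# arriving from the internet is redirected, and only to the DMZ host.
nat on $ext_if from $green_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny in every direction. This is what drops the unsolicited
# probes to 23, 139 and 445 mentioned in the post, and logs them.
block log all
antispoof quick for { $green_if, $dmz_if }

# Green zone: outbound DNS and web browsing only.
pass in on $green_if proto { tcp, udp } from $green_if:network to any port 53
pass in on $green_if proto tcp from $green_if:network to any port { 80, 443 }

# DMZ: accept the redirected web traffic and nothing else. The DMZ host
# cannot open connections of its own, so a compromised web server
# cannot reach the green network.
pass in  on $ext_if proto tcp from any to $web_srv port 80
pass out on $dmz_if proto tcp from any to $web_srv port 80

# Flows admitted above may leave through the external interface;
# replies are matched by state, so no inbound rule is needed for them.
pass out on $ext_if all keep state

# Game and FTP rules are left out on purpose: game ports depend on the
# game, and FTP through NAT needs ftp-proxy(8).
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which catches syntax errors before the ruleset goes live.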

02-11-2010, 11:39 PM
Member
Join Date: Jun 2006
Location: UK
Posts: 37
Re: PCBSD as a router (newbie)
VPN is a setup where you can configure a very secure channel between two computers. Usually companies would use this between their head office and other places, but in your case all you could do, if say CLEAR do it, is to establish such a VPN between you and them, which is probably what they do anyway. After your data gets beyond them on to the wider net then you don't know who the fcuk is sniffing the data, 'cause you can't have a VPN to every web site, so once again you are at risk, but I repeat the biggest risk is the websites you look at. If you look at "Girls from Russia" or whatever, expect trouble later. If you want to use your PC at work or your laptop when you are in Vegas to connect to your house then you could configure for VPN on your company PC or your laptop and likewise at home, then tell your smoothwall to let the VPN traffic through and you will be safe, but that is not the same situation as web surfing. For instance today I looked on YouTube about some Russian kids jumping off a 5 storey building into a giant pile of snow, but then up came a thing saying look at naked Russian girls jumping into snow, so obviously I zapped that PDQ. You just gotta wise up. As my wife says - If everyone was honest, who would run the banks and the government?

02-12-2010, 03:22 AM
Junior Member
Join Date: Feb 2010
Posts: 6
Re: PCBSD as a router (newbie)
Thanks,
I'll download Smoothwall this weekend. I'm not sure if CLEAR actually sends data encrypted. I know they split the data into what they call orthogonal frequencies. I'm not sure if that means some kind of polarized signal or just a multi-frequency chopping up of the data. Supposedly it speeds up wifi during the busy hours. I didn't read anywhere that it was encrypted. That's what has me questioning if I should pay for a VPN network.
Now, to get Chocolate Doom up and running.

02-12-2010, 05:11 PM
Member
Join Date: Jun 2006
Location: UK
Posts: 37
Re: PCBSD as a router (newbie)
See this site for info about WiMAX which is the 4G radio system that CLEAR offer.
http://www.freewimaxinfo.com/aes-in-wimax.html