Crazy idea for a simple internal firewall?

[adrnlnrsh]

I am building my first server for colocation this weekend. The server will be using a midtower case which will have 2 pci cards installed and 2 hard drives. I realized this will leave a great deal of extra space inside the machine.

What I want to know is if it is possible to place a small Cable/DSL router (such as a linksys BEF series) inside of my case and plug the WAN RJ45 at the colo into the router. I could have everything else preconfigured and prewired. I could also administer the router from home.

First, the operating conditions for one of the linksys routers was 105 F max, assuming I have multiple fans, and I am running a relatively cool P4, will there be too much heat for the router to funciton reliably?

Second, I understand this might be ridiculous, so please don't flame me, but even if this solution only offers minimal security surely it is better than having no protection at all? How much would this solution help, if at all? This is assuming that server security starts with the system admin and running a tight ship, of course.

Third, what are the most obvious pitfalls of attempting this? Is this just crazy talk?

Finally, if this solution is not workable, are there any other ways to install a simple hardware firewall inside of a midtower case?

Thanks for any help and advice you can offer.

[HarborNetworks]

Nobody else seems to be answering this problem, so I'll take a stab . Personally, I wouldn't place a cable dsl router in my case, however this will work as long as you have proper cooling and ventilation. You will have to pass your cables through a slot in the back. I would check into using iptables or ipchains for internal software firewall software. Make sure you do a default deny, and then specifically allow the ports you need access to. If you want additional control you can configure another machine (can be older 486 machine) to work as another firewall to sit between you and the internet. I hope this helps you. Let me know if I missed this topic and didn’t answer your question.

[adrnlnrsh]

You sort of answered my question. I am aware of the cooling problem. I will be incorporating 6 total fans into the case, and at least I am not running dual AMD chips or anything so I think heat will be less of a problem.

And yes, I intend to us ipchains etc for the server itself. I guess I could have been more clear in my question.

Are there any real benefits to this? You are right about the old 486 firewall idea, and ideally I would put another machine in the colo, but I am paying by the machine, so the point of this is to get a hardware firewall without having to pay for the extra rack space.

I have gone through my Linksys router's internal software configuration and it has a lot of options for port forwarding/filtering etc. I basically want to know, if I do this, will it provide at least minimal additional security to my already secure server?

If the router is useless, I don't want to waste the time or money to install it.

Thanks for your answer, I really appreciate your help.

[HarborNetworks]

I don't see why it wouldn't work, however I believe you would have to do NAT translation for your servers behind your LinkSYS. I wouldn't worry about it. If you can lock things down with ipchains you should be ok. You could also run portsentry and tcpwrappers if you really want to control things tight.

A properly configured firewall running ipchains will work for what your trying to do, without having to install extra hardware. The key is to simply close all ports and only open the ones you REALLY need. Comment them out of the /etc/services file, and don't allow them in the firewall.

We purchased a Symantec VelociRaptor firewall to use for all our needs. The funny thing is, it's basically a 1U server running Linux with multiple network cards. It has a nice plugin for Windows to administer it, but you can get a root shell and administer the server as if you were at the system console.

Personally I wouldn't spend the money or time involved in configureing the LinkSYS. If for some reason the power cord gets tugged you could loose power to your LinkSYS and therefore loose network connectivity.