Spent the afternoon upgrading my firewall. It was a very stable
machine, but it was running RedHat 7.3, which is beyond getting
old. Also, I wanted to add more network interfaces to it to
handle the new DSL line I should in theory be getting next
week.

I had hopes it would be a pretty simple operation. I installed Fedora
Core 2 on a test box, and got it configured with SELinux and
the packages I wanted. Then, I just swapped the drive into the
old machine along with a 4-port Matrox network card. The first
issue I ran into was that the video card had decided to croak on
that firewall box, and I never noticed since I never logged into
the console there. Managed to scrounge up another AGP card and
got past that problem. Then I had to figure out which port was
which on the network cards. In this new setup I currently have 4
active interfaces and will soon have 6. One each for: main dsl,
cable, new dsl, internal network, wireless, and dmz.

Moving the access point to its own interface was a pain. Had to
reconfigure it and then tweak the firewall rules to allow what I
wanted. It should now allow VPN traffic and that's about it. Next
pain was me messing up on modifying the /etc/sysconfig/syslog
file to not log all the firewall denies to the console. I put in
there a ‘-n 4’ instead of ‘-c 4’. -n tells it to not background,
so it would hang there on boot.

Some nice things about this setup: I named the interfaces based on
what they are connected to, not eth0 or whatever. Makes looking
at the firewall logs very nice: you can see right away that a
packet was IN=dsl and going OUT=wireless. SELinux should make
things pretty secure. Even root is pretty restricted on what it
can do.
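As an added example (not part of the original post), here is a small shell summary of firewall denies grouped by the named IN/OUT interface pair, run over constructed log lines in the iptables LOG format; the FW-DENY: log prefix, hostnames and addresses are assumptions, not taken from the post.

```shell
#!/bin/sh
# Constructed sample kernel log lines (iptables LOG target format). The
# interface names are descriptive ones like the post describes (dsl,
# wireless, internal) rather than eth0-style; "OUT=" with no value means
# the packet was addressed to the firewall itself.
SAMPLE_LOG='Jun 12 10:01:02 fw kernel: FW-DENY: IN=dsl OUT=wireless SRC=203.0.113.5 DST=192.168.2.10 PROTO=TCP DPT=445
Jun 12 10:01:03 fw kernel: FW-DENY: IN=dsl OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=22
Jun 12 10:01:05 fw kernel: FW-DENY: IN=wireless OUT=internal SRC=192.168.2.20 DST=192.168.1.5 PROTO=TCP DPT=139
Jun 12 10:01:07 fw kernel: FW-DENY: IN=dsl OUT=wireless SRC=203.0.113.5 DST=192.168.2.11 PROTO=UDP DPT=1434
Jun 12 10:01:09 fw kernel: FW-ACCEPT: IN=wireless OUT=dsl SRC=192.168.2.20 DST=198.51.100.7 PROTO=UDP DPT=500'

# deny_counts PREFIX: read log lines on stdin, keep only those carrying the
# given log prefix (e.g. FW-DENY:), and print "IN->OUT count" per interface
# pair, most frequent first. Empty IN/OUT fields are shown as "-".
deny_counts() {
  prefix="$1"
  awk -v p="$prefix" '
    index($0, p) {
      in_if = ""; out_if = "";
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^IN=/)  in_if  = substr($i, 4);
        if ($i ~ /^OUT=/) out_if = substr($i, 5);
      }
      if (in_if == "")  in_if  = "-";   # locally generated packet
      if (out_if == "") out_if = "-";   # destined for the firewall itself
      count[in_if "->" out_if]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort -k2,2nr -k1,1
}

# Stand-alone run over the constructed sample; in practice feed it the
# kernel log, e.g. grep FW-DENY: /var/log/messages | deny_counts FW-DENY:
printf '%s\n' "$SAMPLE_LOG" | deny_counts "FW-DENY:"
```

Because the interfaces carry names such as dsl and wireless, the output reads as traffic paths (dsl->wireless) rather than as numbered ports you have to look up.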