Securing and Optimizing Linux: RedHat Edition | All about OS

Build a kernel with Firewall Masquerading and Forwarding support


If you enabled IP Masquerading, then the modules ip_masq_ftp.o (for FTP file transfers), ip_masq_irc.o (for IRC chats), ip_masq_quake.o (you guessed it), ip_masq_vdolive.o (for VDOLive video connections), ip_masq_cuseeme.o (for CU-SeeMe broadcasts) and ip_masq_raudio.o (for RealAudio downloads) will automatically be compiled. They are needed to make masquerading work for these protocols. Also, to be able to use the masquerading functions and modules like ip_masq_ftp.o on your Gateway server, you’ll need to build a modularized kernel rather than a monolithic one, answering “Yes” to the “Enable loadable module support (CONFIG_MODULES)” option (see the Linux Kernel section above in this book for more information).
The basic masquerade code described for “IP: masquerading” above only handles TCP and UDP packets (and ICMP errors for existing connections). The “IP: ICMP masquerading” option adds support for masquerading ICMP packets themselves, such as ping or the probes used by the Windows 95 tracert program.
NOTE: Remember that other servers like the Web Server and Mail Server examples don’t need to have these options enabled since they either have a real IP address assigned or don’t act as a Gateway for the inside network.
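As an added check (not from the book), the following POSIX shell script verifies that a kernel .config carries the options this section asks for on a Gateway server and that the ip_masq helper modules were actually built. The option names CONFIG_FIREWALL, CONFIG_IP_FIREWALL, CONFIG_IP_MASQUERADE and CONFIG_IP_MASQUERADE_ICMP, and the /lib/modules/<version>/ipv4 directory, are assumed from the 2.2-era kernel and are not quoted from the text; the sample .config lines are constructed.

```shell
#!/bin/sh
# Constructed sample of the relevant .config lines for a masquerading Gateway
# kernel (example only). Option names other than CONFIG_MODULES are assumed
# from the 2.2-era kernel configuration, not taken from the book.
SAMPLE_CONFIG='CONFIG_MODULES=y
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y'

# Options that must be built in (=y) for masquerading plus loadable helpers.
required_options() {
    printf '%s\n' CONFIG_MODULES CONFIG_FIREWALL CONFIG_IP_FIREWALL \
        CONFIG_IP_MASQUERADE CONFIG_IP_MASQUERADE_ICMP
}

# check_config CONFIG_TEXT
# Reports every required option that is absent, =n or =m; returns 0 only
# when all of them are set to y.
check_config() {
    cfg="$1"
    missing=0
    for opt in $(required_options); do
        if ! printf '%s\n' "$cfg" | grep -q "^${opt}=y\$"; then
            echo "not built in: $opt"
            missing=1
        fi
    done
    return $missing
}

# check_masq_modules MODDIR
# Verifies the protocol helper modules named in the text exist under MODDIR
# (on a 2.2 system typically /lib/modules/$(uname -r)/ipv4; assumed path).
check_masq_modules() {
    dir="$1"
    rc=0
    for m in ip_masq_ftp ip_masq_irc ip_masq_quake \
             ip_masq_vdolive ip_masq_cuseeme ip_masq_raudio; do
        [ -f "$dir/$m.o" ] || { echo "module not built: $m.o"; rc=1; }
    done
    return $rc
}
```

Run `check_config "$(cat /usr/src/linux/.config)"` and `check_masq_modules /lib/modules/$(uname -r)/ipv4` on the Gateway after building the kernel; a non-zero exit lists what is still missing.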
Some Points to Consider
You can safely assume that you are potentially at risk if you connect your system to the Internet. Your gateway to the Internet is your greatest exposure, so we recommend the following:
- The gateway should not run any more applications than are absolutely necessary.
- The gateway should strictly limit the type and number of protocols allowed to flow through it (protocols such as FTP and telnet can themselves provide security holes).
- Any system containing confidential or sensitive information should not be directly accessible from the Internet.
