Firewall Help

[booman]

At my work we are using a Watchguard Firebox X Edge.
I have been trying to research how to connect a computer that bypasses the firewall securities so I can connect to the internet.
But, the configurations are pretty confusing. I'm not firewall expert and it would be very educational for me to learn how this works.
I have been reading in Watchguards knowledge base about the concepts of incoming & outgoing connections.
I think that I will need an "external" connection to the firewall and just have to set up the connection and assign the static IP address.

Does anyone have some tips?

I am going to use an extra computer with Linux Mint.
I like this connection because if we are having internet, VPN, or firewall problems, I can still get to the internet with this machine. Also, the firewall sometimes blocks FTP and SSH connections. So instead, I can use the Linux for updating websites, etc.

[Áedán]

The "external" connection is just the firewall's connection to the Internet. Typically this would just be a bit of network cable between the firewall and the router, but could be a whole network. Remember that this connection is completely unprotected - it faces the whole brunt of the Internet, so you should run a firewall on the Linux box.

Generally, you shouldn't attempt to bypass the security policy on a firewall. Instead, you should use a separate network (or the dirty network), so you don't expose other parts of the business network to unnecessary risk.

You will need a real world IP address for your Linux box. I don't know what your ISP provides - you'll need to check that they can support this.

[booman]

I'm pretty sure they do. We are using Cox and our Firebox is already using a static IP address.
Are you saying our ISP will assign us a group of IP addresses for static use?
We used to have a webserver setup and it bypassed the firewall. I'm not sure how our contracted IT person configured it, but this is the same concept. Instead of a webserver I want a plain unprotected connection to the internet. But we moved locations and are now using Cox instead of Quest. So I want to configure the same setup myself instead of paying him $150.00 an hour to do it.

[Áedán]

For a webserver, you only have to punch a small hole (port 80) through the firewall, rather than bypassing the whole policy.

I don't know what the firewall policy/rules that have been implemented on the system, but from what I know of Firebox is that traffic going from a more trusted interface to a less trusted interface should travel outwards just fine. So, a machine on the inside should be able to access the outside without a problem. One thing that is confusing me - what exactly are you trying to do?

Most ISPs will charge for a group of IP addresses though - so that might not be the best way around it.

BTW, I'm no fan of WatchGuard products...

[booman]

Sounds like I could add the Linux IP address to the Outgoing connection on port 80.
My problem:
All of our workstations have to login to the firebox just to get internet.
The firebox will also block some FTP servers and SSH connections. Like for our website on godaddy.
In the past (when we had a T1 on DSL) our internet would stop and no one could get email, faxes or internet. I would hop on our Linux webserver and find that the internet was fine. It was either a firebox issue or a server issue. One more thing, if our server was down or being restarted, I could hop on the Linux webserver and still connect to the internet. This was important because I could still troubleshoot, research and download drivers with our server down.

So the Linux with a static IP address bypassing the firebox all together benefit me in many ways.
I want to recreate that configuration again, but with out the contracted IT person's help.

If you have a better idea let me know. I would love to try it

[booman]

I went through the New Service Wizard and set the Linux machine as an Outgoing on Port 80. But I'm just using the IP address set by the DHCP... Which means it is not a static IP address via ISP.
So how do I test the connection to see if is doing what I want?
Can I ping it from outside the firewall? say from home?
Also, do I "Allow" or "No Rule" for the firewall setting?