From owner-freebsd-security Wed Feb 27 5:47:42 2002
Delivered-To: freebsd-security@freebsd.org
Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 01BFC37B402; Wed, 27 Feb 2002 05:47:32 -0800 (PST)
Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g1RDlVK27762; Wed, 27 Feb 2002 07:47:31 -0600 (CST)
Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id HAA24911; Wed, 27 Feb 2002 07:47:30 -0600 (CST)
Message-ID: <3C7CE2F7.B188503D@centtech.com>
Date: Wed, 27 Feb 2002 07:45:27 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: "Barkell, Bill"
Cc: freebsd-security@freebsd.org
Subject: Re: best firewall option for FreeBSD
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Speaking of this, what is the appropriate way to add a DMZ? I have a setup
kind of like this (3 NICs - 1 to the net, 1 to the "internal" net, and 1 not
used). I would like to use the 3rd NIC to be a DMZ, but I would like to let
nearly everything thru - like stuff for games, internet phone stuff, etc. How
can I implement this and still keep the security of the box uncompromised?
Anyone know of a good FAQ or HOWTO on this? I use ipfilter, and ipnat, so I
just started looking at the map and redir functions to ipnat.

Eric

"Barkell, Bill" wrote:
> 
> How about spending a few more $ and add a third NIC? This will give you the
> ability to add a DMZ for that pesky mail server at a later date.
> 
> Bill Barkell
> 
> -----Original Message-----
> From: m p [mailto:sumirati@yahoo.de]
> Sent: Wednesday, February 27, 2002 8:29 AM
> To: sec@hict.nl
> Cc: freebsd-security@freebsd.org
> Subject: Re: best firewall option for FreeBSD
> 
> 
> > Hi all,
> > 
> > I have to build a firewall for our University with 2 NICs. One
> > connected to the internet and the second connected to the network.
> > The e-mail is running on M$ Exchange, but these servers are placed
> > outside of the network.
> > With the firewall we would like to increase the security, but also make
> > it impossible for internal users to use anything else but http, https,
> > ssh, ftp-client, pop3-client, Outlook. So it has to be impossible to use
> > Morpheus, Kazaa, Napster etc.
> > 
> > What firewall software (Opensource) would you advise? Or do I have to
> > choose another OS?
> > 
> > Best regards,
> > Geert Houben
> 
> Hi Geert,
> 
> you can use either ipfw (the firewall I prefer) or ipfilter.
> 
> For your case I would use ipfilter. Why?
> 
> To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant
> with outlook)) you can choose both. But ftp is a braindead (from a
> firewaller's point of view) protocol. You can not simply make a rule "allow
> tcp from internal network to external ftp-server" - because it will use more
> than one port.
> 
> So you should use ipfilter, which "inspects" the packets flowing through to
> get the new ftp port which has to be open - or use an ftp-proxy (there are
> some in the ports, look for one fitting your purpose).
> 
> Another thought:
> 
> Should this firewall be "visible" to the user? Should he/she know about it?
> If not, you can only add a transparent proxy and/or build a bridging rather
> than a routing firewall.
> If yes, well, why not consider a new infrastructure for your servers in the
> net and your users too?
> An Exchange server in the internet without firewall (and securing Windows
> beforehand - but of course you have done that, haven't you?) is not nearly
> secure - for example.
> You can work on that detail and a lot more with a new concept which has to
> include security concerns, usefulness, manageability (if there is this word),
> TOC ....
> 
> Hope that helps
> 
> Marc
> 
> __________________________________________________________________
> 
> Sent from Yahoo! Mail - http://mail.yahoo.de
> Want your e-mail even more personal? - http://domains.yahoo.de
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
------------------------------------------------------------------
Eric Anderson        Systems Administrator      Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------
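As an added example (not configuration from this thread or from any of its participants), here is one way to express the three-NIC DMZ Eric asks about with ipfilter and ipnat, including the ftp handling Marc raises, done here with ipnat's built-in ftp proxy. The interface names fxp0/fxp1/fxp2, the address ranges, the DMZ host 192.168.2.10 and the two example service ports (80 for a web server, 27015 for a game server) are assumptions chosen for the illustration, not values from the thread. The two sections belong in two separate files, /etc/ipf.rules and /etc/ipnat.rules.

```ipfilter
# ---- /etc/ipf.rules ----------------------------------------------------
# Added example; interfaces and addresses are assumptions:
#   fxp0 = external (internet)        fxp1 = internal LAN, 10.1.1.0/24
#   fxp2 = DMZ, 192.168.2.0/24 (private; reached from outside via rdr)
#
# ipfilter applies ipnat "rdr" before filtering on input, so inbound rules
# below match on the DMZ host's private address, not the public one.

# Anti-spoofing: our own private ranges never legitimately arrive on fxp0
block in log quick on fxp0 from 10.1.1.0/24 to any
block in log quick on fxp0 from 192.168.2.0/24 to any
block in log quick on fxp0 from 127.0.0.0/8 to any

pass in quick on lo0 all
pass out quick on lo0 all

# Internal LAN: trusted to initiate anywhere (LAN, DMZ or internet)
pass in quick on fxp1 from 10.1.1.0/24 to any
block in log quick on fxp1 all
pass out quick on fxp1 all

# DMZ: may reach the internet, must never initiate toward the internal LAN.
# This single rule is what keeps a compromised DMZ host from reaching inside.
block in log quick on fxp2 from any to 10.1.1.0/24
pass in quick on fxp2 from 192.168.2.0/24 to any
block in log quick on fxp2 all
pass out quick on fxp2 all

# Outbound on the external interface: stateful, so replies come back in
# without any explicit inbound rule
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
block out log quick on fxp0 all

# Inbound from the internet: only the DMZ services that ipnat.rules
# redirects. "Let nearly everything thru" means adding a pass/rdr pair per
# service here, not a from-any-to-any rule.
pass in quick on fxp0 proto tcp from any to 192.168.2.10 port = 80 flags S keep state
pass in quick on fxp0 proto udp from any to 192.168.2.10 port = 27015 keep state
block in log quick on fxp0 all

# ---- /etc/ipnat.rules --------------------------------------------------
# Active ftp from the LAN goes through ipnat's ftp proxy, which tracks the
# data-connection port so no wide inbound hole is needed (Marc's point)
map fxp0 10.1.1.0/24 -> 0/32 proxy port ftp ftp/tcp
# Everything else from LAN and DMZ is masqueraded behind fxp0's address
map fxp0 10.1.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 10.1.1.0/24 -> 0/32
map fxp0 192.168.2.0/24 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 192.168.2.0/24 -> 0/32
# Public services land on the DMZ host only, never on a LAN host
rdr fxp0 0.0.0.0/0 port 80 -> 192.168.2.10 port 80 tcp
rdr fxp0 0.0.0.0/0 port 27015 -> 192.168.2.10 port 27015 udp
```

Load the two files with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`, then check what is installed with `ipfstat -hio` and `ipnat -l`. The design choice worth noting is that every DMZ service is a matched `rdr` plus `pass in ... keep state` pair, so the exposure of the DMZ is exactly the list of redirected ports, while the logged `block in quick on fxp2 ... to 10.1.1.0/24` rule keeps the box's internal side intact even if a DMZ host is taken over; watching `ipmon` output for hits on that rule is a cheap early-warning signal.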