Date: Sun, 22 Nov 1998 18:37:40 +0000 (GMT)
From: Karl Pielorz <kpielorz@tdx.co.uk>
To: Antonio Bemfica <bemfica@militzer.me.tuns.ca>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall Question
Message-ID: <Pine.BSF.4.05.9811221834100.36553-100000@caladan.tdx.co.uk>
In-Reply-To: <Pine.BSF.3.96.981122122445.8701B-100000@militzer.me.tuns.ca>

On Sun, 22 Nov 1998, Antonio Bemfica wrote:

> This question might be better suited to a firewall list, but since I'd
> implement a firewall with FreeBSD, I decided to run the risk of asking it
> here:
>
> Must the machine acting as the firewall be physically "between" the
> machines it is to protect and the rest of the world:
>
>    world --> firewall box --> Hub --> protected machines
>
> or is it possible to specify routes so that packets on the way to the
> protected machines would be filtered by the firewall box before being
> allowed to continue:
>
>    world --> Hub --> firewall box --> protected machines
>
> If so, I assume these routes would have to be set someplace before the
> packets hit the hub on the subnet where the machines are. I'm fairly new
> at this, and would appreciate any help I can get.

You can run a 'ships-in-the-night' firewall system (i.e. have the firewall
with 1 network card, and route between 2 IP networks on the same card) - but
this is potentially risky... If someone screws up a subnet mask somewhere
(either deliberately or accidentally) they can end up seeing the 'raw'
traffic... (In fact even if they accidentally pick the wrong IP address - they
can end up 'nudging' themselves onto the other (i.e. world/raw) IP network...)

You can potentially get rid of 1 hub by using a cross-over cable or BNC
connection to the hub... We have:

Cisco 2503              Crossover cable    FreeBSD box (firewall)    Us
(AUI - UTP Connector)   -------X-------    (2 Network cards)         (Hub)

Some network cards are a bit fussy about crossover cables (particularly fxp
(Intel Pro 100's etc.))

If you can, I'd certainly go for the extra security of 2 network cards... :-)

Regards,

Karl
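
Added example (not part of the original message): a small audit of host interface settings on a single-NIC, shared-wire layout, flagging the two mistakes the reply describes, a too-wide subnet mask and an address picked from the wrong network. The two networks and the host list are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the original message):
# both IP networks share one physical segment, as in the one-card layout.
OUTSIDE = ipaddress.ip_network("10.20.0.0/24")  # 'world/raw' side
INSIDE = ipaddress.ip_network("10.20.1.0/24")   # protected machines


def classify(iface_cfg):
    """Classify one host's 'address/prefix' setting on the shared wire."""
    cfg = ipaddress.ip_interface(iface_cfg)
    if cfg.ip in OUTSIDE:
        # Host has 'nudged' itself onto the raw network: it talks to the
        # outside directly and the firewall never sees the packets.
        return "wrong-address"
    if cfg.network.overlaps(OUTSIDE):
        # Mask is too wide: the host treats outside addresses as on-link
        # and ARPs for them instead of sending via the firewall.
        return "wide-mask"
    if cfg.ip not in INSIDE:
        return "unknown-network"
    return "ok"


def audit(hosts):
    """Return {hostname: finding} for every host that is not 'ok'."""
    results = {name: classify(cfg) for name, cfg in hosts.items()}
    return {name: status for name, status in results.items() if status != "ok"}


# Constructed sample inventory of hosts plugged into the inside hub.
HOSTS = {
    "ws1": "10.20.1.10/24",  # correct
    "ws2": "10.20.1.11/23",  # mask one bit too short, covers 10.20.0.0/24 too
    "ws3": "10.20.0.50/24",  # address taken from the outside network
    "ws4": "172.16.5.5/16",  # not in either planned network
}

if __name__ == "__main__":
    for name, status in audit(HOSTS).items():
        print(f"{name}: {status} ({HOSTS[name]})")
```

With two network cards the same mistakes only cost the host its connectivity, because there is no wire-level path around the firewall.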