Date: Wed, 17 Dec 2003 12:16:50 +0200 From: "Gareth Bailey" <blygar1@webmail.co.za> To: Matthew Seaman <m.seaman@infracaninophile.co.uk>, Gareth Bailey <blygar1@webmail.co.za> Cc: freebsd-questions@freebsd.org Subject: Re: Windows client - internet connection sharing Message-ID: <web-32653352@mail03.infosat.net> In-Reply-To: <20031216151808.GA20944@happy-idiot-talk.infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
Thank you Matthew. a big help!
On Tue, 16 Dec 2003 15:18:08 +0000
Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:
> On Mon, Dec 15, 2003 at 07:40:14PM +0200, Gareth Bailey
> wrote:
> > Is it possible to set up a freebsd server connected to
> an
> > ADSL line to provide internet access via LAN to a
> number of
> > Windows clients. I don't know where to start. Any
> > information in this regard will be greatly appreciated.
>
> Yes, absolutely. However, there are such a huge number
> of variations
> on possible ways of doing that that it's impossible to
> describe
> everything you'ld need to know in a simple e-mail.
>
> Lets look at a few questions you'ld need to answer:
>
> 1) ADSL router or modem?
>
> This is all about how you interface your FreeBSD
> system to ADSL --
> the basic choice is between a router: a standalone
> unit which you
> plug the phone line into one side of, and an ethernet
> cable into
> the other -- or a modem: this is a device that plugs
> into a serial
> or USB port on your FreeBSD box.
>
> Routers will work entirely independently of your
> FreeBSD machine.
> Since your connection to them is via ethernet,
> there's practically
> no compatibility problems. Depending on how much
> money you spend,
> your can get routers which provide packet filtering,
> network and
> port address translation, DNS, DHCP and various other
> capabilities
> -- although if you go to the expense of buying a
> really capable
> router there's not much left to do for your FreeBSD
> box.
>
> Modems are the other end of this scale: you need to
> find a device
> for which appropriate drivers are available under
> FreeBSD. Once
> you've got the modem connected up, you'll need to use
> the attached
> FreeBSD box to provide appropriate functionality to
> make a
> practicable ADSL connection. This includes running
> PPPoA or PPPoE
> (A = ATM, E = Ethernet: all ADSL in the UK is PPPoA,
> other
> countries do things differently) to establish
> networking into your
> service provider. You would use the standard FreeBSD
> stuff to do
> NAT and firewall packet filtering, and you can
> install DHCP
> servers and so forth. Effectively the FreeBSD box +
> modem takes
> the place of the standalone router above.
>
> 2) What sort of address space do you want to have
> assigned to you
> from your ISP? The cheapest ADSL accounts give you a
> single
> Internet-routable IP number, usually assigned via
> DHCP. There can
> be an implicit assumption that you've basically got
> just one
> machine you want to have net access, although this is
> becoming
> less common nowadays. Lots of ISPs will give you two
> addresses:
> this is intended to give you an address for the
> router box, plus
> an address for a real PC. Next step up is to get
> that one or two
> addresses permanently assigned to you. Beyond that,
> you can get a
> routed connection -- you get a small net block
> permanently assigned
> to you, as well as the single IP used for the WAN
> side of your
> router. This enables you to set up a 'DMZ' network,
> and for
> instance have several servers visible on the
> Internet. Many ISPs
> will have local policies forbidding you from running
> servers of
> various sorts, mostly as a way of protecting the ISP
> from the
> awful consequences of allowing Windoze machines out
> on the open
> Internet in the hands of the clueless.
>
> 3) A consequential decision related to the above: do you
> want some or
> all of your Windows (or other) LAN machines to have
> Internet
> routable addresses or to run Internet visible
> services? There's
> several ways of doing this:
>
> DMZ network -- classic firewall design. Here the
> Internet
> accessible machines are kept on a separate small
> sub-net, and you
> have a second packet-filtering router (generally a
> machine with a
> couple of network cards, running natd and ipfw or
> similar) between
> that and your private internal network.
>
> Packet filtering bridge -- similar to the above,
> except that the
> DMZ is and the internal private stuff are now
> technically on the
> same subnet, and your packet filter serves to
> separate public and
> private parts of the subnet. This is a much harder
> setup to get
> working effectively and securely than either of the
> other two, so
> use only as a last resort.
>
> NAT address proxying -- your NAT gateway has one or
> more IP
> addresses assigned and the NAT gateway knows how to
> forward
> incoming connections to an internal server. Or you
> run proxy
> servers on the Internet visible addresses which will
> accept
> incoming connections and relay them to the real
> servers on the
> internal network. Taken to the extreme, you could
> use this sort
> of setup to do load balancing and other fancy
> networking tricks,
> but you'ld probably have to spend $$$ to by the right
> sort of
> hardware load balancing kit needed.
>
> 4) From the point of view of the private side of your
> network, the
> FreeBSD box should minimally appear as the default
> gateway to the
> Internet. You can assign IP addresses and other
> configuration
> parameters to each machine manually or you can run
> various network
> servers to provide a level of autoconfiguration and
> subnet wide
> resources. Generally these do not need to be run on
> the gateway
> machine, and in many ways it's better to keep them on
> separate
> servers. However, not being made of money, that may
> not be
> entirely practical: if you're going to run DNS, DHCP,
> Samba,
> Kerberos, LDAP, Sendmail, Apache etc. on the gateway
> machine you
> will a) make the firewall rule set you need on that
> box
> significantly more complicated, b) have to take extra
> care when
> configuring those servers that you don't
> unintentionally expose
> them on the Internet side of the box and c) give
> potential
> attackers a lot more scope for finding an exploitable
> flaw. Most
> server software on Unix machines can be configured to
> bind to a
> subset of the available network interfaces.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil. 26
> The Paddocks
>
Savill
> Way
> PGP: http://www.infracaninophile.co.uk/pgpkey
> Marlow
> Tel: +44 1628 476614
> Bucks., SL7 1TH UK
___________________________________________
Look Good, Feel Good www.healthiest.co.za
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?web-32653352>