From: "Gareth Bailey"
To: Matthew Seaman, Gareth Bailey
cc: freebsd-questions@freebsd.org
Date: Wed, 17 Dec 2003 12:16:50 +0200
Subject: Re: Windows client - internet connection sharing
In-Reply-To: <20031216151808.GA20944@happy-idiot-talk.infracaninophile.co.uk>
List-Id: User questions

Thank you Matthew. A big help!

On Tue, 16 Dec 2003 15:18:08 +0000 Matthew Seaman wrote:
> On Mon, Dec 15, 2003 at 07:40:14PM +0200, Gareth Bailey wrote:
> > Is it possible to set up a freebsd server connected to an
> > ADSL line to provide internet access via LAN to a number of
> > Windows clients. I don't know where to start. Any
> > information in this regard will be greatly appreciated.
>
> Yes, absolutely.
> However, there are such a huge number of variations on possible ways of
> doing that that it's impossible to describe everything you'd need to
> know in a simple e-mail.
>
> Let's look at a few questions you'd need to answer:
>
> 1) ADSL router or modem?
>
> This is all about how you interface your FreeBSD system to ADSL -- the
> basic choice is between a router: a standalone unit which you plug the
> phone line into one side of, and an ethernet cable into the other -- or
> a modem: this is a device that plugs into a serial or USB port on your
> FreeBSD box.
>
> Routers will work entirely independently of your FreeBSD machine. Since
> your connection to them is via ethernet, there are practically no
> compatibility problems. Depending on how much money you spend, you can
> get routers which provide packet filtering, network and port address
> translation, DNS, DHCP and various other capabilities -- although if you
> go to the expense of buying a really capable router there's not much
> left to do for your FreeBSD box.
>
> Modems are the other end of this scale: you need to find a device for
> which appropriate drivers are available under FreeBSD. Once you've got
> the modem connected up, you'll need to use the attached FreeBSD box to
> provide appropriate functionality to make a practicable ADSL connection.
> This includes running PPPoA or PPPoE (A = ATM, E = Ethernet: all ADSL in
> the UK is PPPoA, other countries do things differently) to establish
> networking into your service provider. You would use the standard
> FreeBSD stuff to do NAT and firewall packet filtering, and you can
> install DHCP servers and so forth. Effectively the FreeBSD box + modem
> takes the place of the standalone router above.
>
> 2) What sort of address space do you want to have assigned to you from
> your ISP? The cheapest ADSL accounts give you a single Internet-routable
> IP number, usually assigned via DHCP.
> There can be an implicit assumption that you've basically got just one
> machine you want to have net access, although this is becoming less
> common nowadays. Lots of ISPs will give you two addresses: this is
> intended to give you an address for the router box, plus an address for
> a real PC. Next step up is to get that one or two addresses permanently
> assigned to you. Beyond that, you can get a routed connection -- you get
> a small net block permanently assigned to you, as well as the single IP
> used for the WAN side of your router. This enables you to set up a 'DMZ'
> network, and for instance have several servers visible on the Internet.
> Many ISPs will have local policies forbidding you from running servers
> of various sorts, mostly as a way of protecting the ISP from the awful
> consequences of allowing Windoze machines out on the open Internet in
> the hands of the clueless.
>
> 3) A consequential decision related to the above: do you want some or
> all of your Windows (or other) LAN machines to have Internet routable
> addresses or to run Internet visible services? There are several ways
> of doing this:
>
> DMZ network -- classic firewall design. Here the Internet accessible
> machines are kept on a separate small sub-net, and you have a second
> packet-filtering router (generally a machine with a couple of network
> cards, running natd and ipfw or similar) between that and your private
> internal network.
>
> Packet filtering bridge -- similar to the above, except that the DMZ and
> the internal private stuff are now technically on the same subnet, and
> your packet filter serves to separate public and private parts of the
> subnet. This is a much harder setup to get working effectively and
> securely than either of the other two, so use only as a last resort.
>
> NAT address proxying -- your NAT gateway has one or more IP addresses
> assigned and the NAT gateway knows how to forward incoming connections
> to an internal server. Or you run proxy servers on the Internet visible
> addresses which will accept incoming connections and relay them to the
> real servers on the internal network. Taken to the extreme, you could
> use this sort of setup to do load balancing and other fancy networking
> tricks, but you'd probably have to spend $$$ to buy the right sort of
> hardware load balancing kit needed.
>
> 4) From the point of view of the private side of your network, the
> FreeBSD box should minimally appear as the default gateway to the
> Internet. You can assign IP addresses and other configuration parameters
> to each machine manually or you can run various network servers to
> provide a level of autoconfiguration and subnet wide resources.
> Generally these do not need to be run on the gateway machine, and in
> many ways it's better to keep them on separate servers. However, not
> being made of money, that may not be entirely practical: if you're going
> to run DNS, DHCP, Samba, Kerberos, LDAP, Sendmail, Apache etc. on the
> gateway machine you will a) make the firewall rule set you need on that
> box significantly more complicated, b) have to take extra care when
> configuring those servers that you don't unintentionally expose them on
> the Internet side of the box and c) give potential attackers a lot more
> scope for finding an exploitable flaw. Most server software on Unix
> machines can be configured to bind to a subset of the available network
> interfaces.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
>                                                       Savill Way
> PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
> Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
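As an added example (not part of Matthew's message or anything posted in this thread), the check a practitioner would want for point 4: a small POSIX sh/awk audit of FreeBSD `sockstat -4 -l` output that lists every listener not confined to loopback or the gateway's internal address, i.e. the services the ipfw ruleset must explicitly block on the ADSL side. The sockstat sample, the internal address 192.168.1.1 and the function names are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in the column layout of FreeBSD `sockstat -4 -l`
# (not captured from a real host). Assumption: the gateway's internal
# interface holds 192.168.1.1; any other bound address, including the
# wildcard "*", is reachable from the external (ADSL) side unless the
# firewall blocks it.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   4  tcp4   *:22                  *:*
bind     named      389   20 udp4   192.168.1.1:53        *:*
root     sendmail   455   4  tcp4   127.0.0.1:25          *:*
www      httpd      501   3  tcp4   *:80                  *:*
root     dhcpd      377   6  udp4   *:67                  *:*
root     smbd       520   5  tcp4   192.168.1.1:139       *:*'

# exposed_services INTERNAL_ADDR   (sockstat output on stdin)
# Prints "COMMAND PROTO LOCAL" for each IPv4 TCP/UDP listener whose
# bound address is neither loopback nor the internal interface address.
exposed_services() {
    awk -v internal="$1" '
        NR == 1 { next }                        # skip the header line
        $5 != "tcp4" && $5 != "udp4" { next }   # only IPv4 TCP/UDP sockets
        {
            split($6, a, ":")                   # a[1] = host, a[2] = port
            host = a[1]
            if (host == "127.0.0.1" || host == internal) next
            printf "%s %s %s\n", $2, $5, $6
        }'
}

# Runs the audit over the constructed sample; returns the exposed listeners.
audit_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_services 192.168.1.1
}

# On a live gateway:  sockstat -4 -l | exposed_services 192.168.1.1
audit_sample
```

Each line printed is a daemon that should either be re-bound to the internal interface (as Matthew notes, most Unix server software supports this) or be covered by an explicit deny rule on the external interface.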