From: "Martyn Hill"
To: "FreeBSD-questions"
Subject: Subnetting or Bridging to secure different departments on our School LAN?
Date: Wed, 22 Jan 2003 14:31:07 -0000

Dear all

I'd be very grateful for any insights you could share...

Our school network continues to grow. Different departments within the school wish to piggy-back their Windows machines on to our broadband internet connection, via our 100Mbps wired LAN within the building.

Before I can allow any more machines on, I need to put a measure of security in place - principally between the school Admin and Curriculum 'networks' and also between the other 3 departments who share the site with us.

I was thinking along the lines of subnetting our existing network and applying a firewall between each sub-net.

Currently, our setup comprises two FreeBSD (4.5RELENG) boxes - one acting as a gateway/firewall between our private network (10.x.x.x/8) and the ADSL router, the other as a fileserver/web proxy/redirector and email server to our 40 or so Windows clients. DHCP and DNS are provided by the gateway.

The gateway currently runs with two NICs - one to a switch, the other to the ADSL router. All other machines, including the fileserver, hang off the switch. The ADSL router has another 3 10Mbps ports available for direct connection.

The Admin and Curriculum users need to share the fileserver (for now, at least.) The other new users simply need the broadband connectivity (with or without the web-proxy facility that currently sits on the fileserver.)

Questions:

Do I consider placing more NICs into the gateway in order to create (along with a few switches) the new sub-nets, placing a firewall (ipfw) between each interface? Is it even possible to run >1 ipfw on the same box?

Do I build a couple of cheap boxes (like the P90 I'm using for the current gateway) with FreeBSD and set them up for bridging along with ipfw?

Do I buy a few hardware routers with firewall facility and build my sub-nets that way?

Do I use ifconfig to alias the one internal NIC in the present gateway to create virtual sub-nets?

Is a firewall really what I need to restrict particular traffic (like SMB browsing) across the sub-nets?

Or, am I barking up the wrong tree (spanning, or otherwise...)?

Thanks in advance.

Martyn Hill
ICT Teacher and IT Coordinator
St James Independent School
London
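The following is an added worked example, not part of Martyn's message or any reply on the list. It shows the first option he asks about: one FreeBSD 4.x gateway with a NIC per department and a single ipfw ruleset in front of all of them. ipfw is one kernel ruleset that sees every packet on every interface, so there is no second ipfw to run; each rule picks its interface and direction with `in`/`out`, `recv`, `xmit` or `via`. The interface names (fxp0..fxp3), the /16 carve-up of 10/8, the fileserver address 10.1.0.10 and the proxy port 3128 are all assumptions made for the example. The ruleset lets Curriculum reach the shared fileserver for SMB/NetBIOS and the web proxy, lets every subnet reach the gateway for DHCP/DNS and the internet, and drops everything else between subnets, which is what stops SMB browsing crossing department boundaries.

```conf
# /etc/ipfw.rules -- constructed example for a FreeBSD 4.x gateway with one NIC per subnet.
# Loaded by /etc/rc.firewall when /etc/rc.conf contains:
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_type="/etc/ipfw.rules"
# rc.firewall flushes the previous rules before reading this file. "log" needs
# IPFIREWALL_VERBOSE in the kernel. Any existing natd divert rule belongs just
# before rule 600.
#
# Assumed interfaces and addressing (not taken from the original message):
#   fxp0  ADSL router side
#   fxp1  Admin          10.1.0.0/16, gateway 10.1.0.1, fileserver 10.1.0.10
#   fxp2  Curriculum     10.2.0.0/16, gateway 10.2.0.1
#   fxp3  other tenants  10.3.0.0/16, gateway 10.3.0.1

# Loopback traffic is always fine; nothing else may claim 127/8.
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8

# DHCP: clients without an address broadcast from 0.0.0.0, which would fail the
# anti-spoofing rules below, so admit it explicitly. The gateway is the server.
add 150 allow udp from any 68 to 255.255.255.255 67 in
add 160 allow udp from me 67 to 255.255.255.255 68 out

# Anti-spoofing: each inside NIC only accepts its own subnet and the outside NIC
# never accepts a 10/8 source.
add 200 deny log ip from not 10.1.0.0/16 to any in recv fxp1
add 210 deny log ip from not 10.2.0.0/16 to any in recv fxp2
add 220 deny log ip from not 10.3.0.0/16 to any in recv fxp3
add 230 deny log ip from 10.0.0.0/8 to any in recv fxp0

# The gateway itself provides DHCP and DNS to every subnet ("me" matches any
# address configured on this box).
add 300 allow ip from 10.0.0.0/8 to me
add 310 allow ip from me to 10.0.0.0/8

# Curriculum may use the shared fileserver: SMB over NetBIOS (139) and direct
# SMB (445), NetBIOS name/datagram service (137/138) and the web proxy (3128).
# These rules carry no "recv"/"xmit" so they match on both the inbound pass
# (fxp2) and the outbound pass (fxp1) of the forwarded packet.
add 400 allow tcp from 10.2.0.0/16 to 10.1.0.10 139,445,3128
add 410 allow tcp from 10.1.0.10 139,445,3128 to 10.2.0.0/16 established
add 420 allow udp from 10.2.0.0/16 to 10.1.0.10 137,138
add 430 allow udp from 10.1.0.10 137,138 to 10.2.0.0/16

# Everything else between internal subnets is dropped and logged: no browsing
# of one department's shares from another, no Admin/Curriculum cross-talk.
add 500 deny log ip from 10.0.0.0/8 to 10.0.0.0/8

# Internet access for all subnets: inside hosts may open TCP sessions and send
# DNS; replies are accepted only for established sessions.
add 600 allow tcp from any to any established
add 610 allow tcp from 10.0.0.0/8 to any setup
add 620 allow udp from any to any 53
add 630 allow udp from any 53 to any
add 640 allow icmp from any to any icmptypes 0,3,8,11

# Default: drop and log whatever did not match above.
add 65000 deny log ip from any to any
```

Checking it after loading: `ipfw show` lists the rules with their packet and byte counters, and `ipfw zero` resets them, so a blocked SMB connection attempt from Curriculum to an Admin workstation should show the counter on rule 500 rising while rules 400/410 keep counting the permitted fileserver traffic. The same ruleset also serves the second option in the message: a FreeBSD 4.x box configured as an Ethernet bridge passes bridged frames through ipfw when the sysctl `net.link.ether.bridge_ipfw` is set to 1, so the interface-keyed rules above work whether the gateway routes between subnets or bridges between segments.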