From owner-freebsd-questions@FreeBSD.ORG Wed Oct 6 18:40:48 2004
Delivered-To: freebsd-questions@freebsd.org
From: "Brent Wiese"
Reply-To: b@bjwcs.com
Date: Wed, 6 Oct 2004 11:40:40 -0700
Subject: Firewall concept question
Message-Id: <200410061440948.SM01528@SAMBA>
List-Id: User questions

Looking to use a FreeBSD server as a firewall for a modem pool. The theory is we only want to give them access to HTTP and DNS (which we could do as a proxy on the FreeBSD box).

For accountability reasons, each modem will be assigned a specific IP address. That way, I'll be able to use RADIUS accounting to keep track of who was logged in on what IP at what time. The idea being that if someone uses the modems to launch an attack or whatever, we have something to work with for tracking the user down if the authorities come knocking.

I haven't set up a FreeBSD firewall before, so I have a "best way" question: Should I use "transparent" mode where each modem has a public IP address, or use something like static NAT entries?
I'd planned on using a transparent mode, since I was familiar with it from using a Netscreen. It would seem to have the easiest accounting. But I wasn't sure if I could do that using FreeBSD, so static NAT entries would be the next best thing... Right?

I would also entertain the idea of using something like Squid so all access is through a local proxy, then simply lock the firewall down completely. But I'm still concerned about the accountability in case someone manages to launch an attack through the proxy. I'd have to have some way of easily mapping back to the IP of the modem based on the external information given to me by the authorities (i.e., the public IP address).

Any other suggestions for methods to accomplish this task are welcome.

Thanks!
Brent
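As an added example (not from the original post or any reply), here is the lookup the accountability requirement implies under the static-NAT design: invert the fixed modem-to-public address mapping, then find the RADIUS accounting session that held that modem address at the reported time. The NAT table and accounting records below are constructed samples in a simplified Start/Stop text format, not real radiusd output.

```python
"""Map an abuse report (public IP, timestamp) back to a dial-up user."""
from datetime import datetime

# Constructed static 1:1 NAT table: modem (inside) address -> public address.
STATIC_NAT = {
    "10.0.0.11": "203.0.113.11",
    "10.0.0.12": "203.0.113.12",
}

# Constructed accounting log, one record per line:
# type|username|framed_ip|timestamp
ACCT_LOG = """\
Start|alice|10.0.0.11|2004-10-06T14:00:00
Start|bob|10.0.0.12|2004-10-06T14:05:00
Stop|alice|10.0.0.11|2004-10-06T14:30:00
Start|carol|10.0.0.11|2004-10-06T14:31:00
Stop|bob|10.0.0.12|2004-10-06T15:00:00
"""


def parse_sessions(log_text):
    """Pair Start/Stop records into (user, framed_ip, start, stop) tuples.
    A Start with no matching Stop is still open, so stop is None."""
    open_sessions = {}  # framed_ip -> (user, start time)
    sessions = []
    for line in log_text.splitlines():
        kind, user, ip, ts = line.split("|")
        when = datetime.fromisoformat(ts)
        if kind == "Start":
            open_sessions[ip] = (user, when)
        elif kind == "Stop" and ip in open_sessions:
            user, start = open_sessions.pop(ip)
            sessions.append((user, ip, start, when))
    for ip, (user, start) in open_sessions.items():
        sessions.append((user, ip, start, None))
    return sessions


def lookup(public_ip, iso_ts, log_text=ACCT_LOG, nat_table=STATIC_NAT):
    """Return the user who held public_ip at iso_ts, or None if nobody did."""
    at = datetime.fromisoformat(iso_ts)
    # Static NAT is 1:1, so the public address inverts to exactly one modem.
    inside = {pub: priv for priv, pub in nat_table.items()}.get(public_ip)
    if inside is None:
        return None  # address is not one of ours; nothing to attribute
    for user, ip, start, stop in parse_sessions(log_text):
        if ip == inside and start <= at and (stop is None or at <= stop):
            return user
    return None  # modem was idle at that moment
```

With a bridging (transparent) design the NAT inversion step disappears, because the public address is the framed address itself; with a Squid proxy the same search would run over the proxy's access log instead, keyed on client address.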