Date: Thu, 26 Oct 2000 13:23:01 +0200 (MET DST)
From: Pär Thoren <t98pth@student.hk-r.se>
To: freebsd-questions@freebsd.org
Subject: Bridge
Message-ID: <Pine.GSO.4.21.0010261320530.23335-100000@orc.rby.hk-r.se>
Hi!
If I understand bridging correctly, I would have one interface on the
fbsd-bridge connected to the border router .1
The other interface, not configured with an IP, connected to a hub with
the rest of the boxes .3-.255
The interface to the border router should be assigned an IP, let's say
.2
            Internet
            ___|___
           |       |
           |  GW   |
           |_______|
               |
               |
            ___|___<---interface with an ip .2
           |       |
           | Bridge| <-- fbsd with ipfw
           |_______|
               |<---Interface not configured with ifconfig
               |
               |
            ___|_________________<--Uplink on the hub disabled?
           |                     |
           |________hub__________|
             |     |     |     |
            _|__  _|__  _|__  _|__ <--- Protected Servers
           |    ||    ||    ||    |
           |____||____||____||____|
/Pär
On Wed, 25 Oct 2000, Glen Foster wrote:
> You have four options:
>
> 1) run the FreeBSD box as a filtering bridge
>
> 2) run the FreeBSD box as a NAT router
>
> 3) make the FreeBSD box your border router (i.e. replacing the box
> marked "gw")
>
> 4) subnet your LAN (with one subnet between the border router and the
> FreeBSD box and the rest on your LAN).
>
> Advantages:
>
> 1) "Invisible" firewall possible (filtering w/o decrementing TTL).
>
> 2) Presence of NAT adds some security (e.g. no TCP connects to LAN
> boxes unless you make specific provisions for them).
>
> 3) Probably the speediest, fewer boxes, easiest to troubleshoot.
>
> 4) none
>
> Disadvantages:
>
> 1) There is no way to prevent non-IP packets, including ARP, from
> being seen by the border router.
>
> 2) Requires re-addressing of LAN machines and (maybe) some DNS tricks
> (to return different answers for LAN and Internet queries).
>
> 3) May require purchasing hardware, e.g. a sync serial board.
>
> 4) consumes address space, requires renumbering.
>
> My first choice would be #3, then #1 (unless I was running non-IP
> protocols).
>
> Good luck,
> Glen Foster <gfoster@gfoster.com>
>
> Pär Thoren writes:
> >
> > Hi!
> >
> > I want to protect a network with a firewall. The network is
> > xx.xx.xx.0 and has a gateway at xx.xx.xx.1
> > dns servers are xx.xx.xx.2 and xx.xx.xx.3
> >
> > How can I protect the network with a fbsd firewall? Do I use
> > bridge/firewall or do I set fbsd as a router/firewall "behind" the gateway
> > xx.xx.xx.1 ?
> >
> > Big Bad Internet
> >           |
> >        ___|__
> >       |      |
> >       |  gw  |
> >       |______|
> >           |
> >        ___|__
> >       |      |  Acting as bridge? router? with ipfw
> >       | fbsd |
> >       |______|
> >           |
> >      _____|_____
> >     |           |  Network including the dns servers
> >     |  .2-.255  |
> >     |___________|
>
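A concrete filtering-bridge setup for the topology Pär sketches (option 1 in Glen's list), as an added example that is neither from this thread nor from the FreeBSD project. It assumes a FreeBSD 4.x-era kernel built with options BRIDGE and IPFIREWALL, the interface names fxp0 (toward the border router, carrying .2) and fxp1 (toward the hub), and placeholder addresses in the xx.xx.xx.0/24 network from the original question.

```shell
#!/bin/sh
# Added example (not from the thread): a filtering bridge for the topology
# above on a FreeBSD 4.x-era kernel built with options BRIDGE and
# IPFIREWALL. fxp0/fxp1 and all addresses are placeholders. Run at boot,
# e.g. from /etc/rc.local.
fw="/sbin/ipfw"
up="fxp0"             # toward the border router; the only interface with an IP
down="fxp1"           # toward the hub; link up, no address configured
bridge_ip="xx.xx.xx.2"
lan="xx.xx.xx.0/24"   # the protected network from the original question
dns="xx.xx.xx.3"      # placeholder for one of the DNS servers behind the bridge

# The hub-side interface only needs link up; it gets no address.
ifconfig ${down} up

# Bridge the two interfaces (cluster 0) and hand bridged frames to ipfw.
sysctl -w net.link.ether.bridge_cfg="${up}:0,${down}:0"
sysctl -w net.link.ether.bridge_ipfw=1
sysctl -w net.link.ether.bridge=1

# Bridged packets reach ipfw exactly once, as 'in' on the interface they
# arrived on; 'out' rules only ever see the bridge host's own traffic
# (management sessions sourced from ${bridge_ip}).
${fw} -f flush
${fw} add 100 allow ip from any to any via lo0
${fw} add 110 allow ip from any to any out

# Router side: replies to LAN-initiated TCP, DNS to the server, DNS
# answers to LAN resolvers and a few ICMP types. Stateless 'established'
# is used here; the port-53 answer rule is the usual stateless trade-off.
${fw} add 200 allow tcp from any to ${lan} in via ${up} established
${fw} add 210 allow udp from any to ${dns} 53 in via ${up}
${fw} add 220 allow tcp from any to ${dns} 53 in via ${up}
${fw} add 230 allow udp from any 53 to ${lan} in via ${up}
${fw} add 240 allow icmp from any to ${lan} in via ${up} icmptypes 0,3,11

# Hub side: let the servers out (this also covers ssh from the LAN to
# ${bridge_ip}), but only with LAN source addresses, so a compromised
# server cannot spoof past the bridge toward the router.
${fw} add 300 allow ip from ${lan} to any in via ${down}
${fw} add 310 deny log ip from any to any in via ${down}

# Everything else arriving from the router side is dropped and logged.
${fw} add 400 deny log ip from any to any in via ${up}
```

As Glen notes, none of this stops non-IP frames such as ARP from crossing the bridge; only IP traffic is subject to these rules.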
