From owner-freebsd-security Wed Nov 21 9:11:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bsas1i.audiotel.com.ar (host030038.prima.com.ar [200.42.30.38]) by hub.freebsd.org (Postfix) with ESMTP id 1745B37B417 for ; Wed, 21 Nov 2001 09:11:41 -0800 (PST)
Received: from audi2k (audi2k.audiotel.com.ar [192.168.100.237]) (authenticated) by bsas1i.audiotel.com.ar (8.11.6/8.11.6) with ESMTP id fALHBdt30220 for ; Wed, 21 Nov 2001 14:11:39 -0300 (ART)
From: "Fernando Germano"
To:
Subject: RE: Best security topology for FreeBSD
Date: Wed, 21 Nov 2001 14:12:12 -0300
Message-ID: <00d201c172af$a96227b0$ed64a8c0@audi2k>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
In-Reply-To:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Well, the answer is simple: money. We don't use something like PIX because it's way too expensive for something like this.

I'm worried about NAT: will FreeBSD and IpFilter be able to NAT all of this traffic?

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of freebsd-security@rikrose.net
Sent: Wednesday, 21 November 2001 02:01 p.m.
To: security@FreeBSD.ORG
Subject: RE: Best security topology for FreeBSD

For something that large, I'd wonder why you're not using a hardware router, but, to answer the question that was asked, I'd use *both* IPFilter and IPFW. I would use ipfilter for filtering and NAT (if needed), since it is actually better at doing that, and ipfw for bandwidth limiting/traffic shaping.

As to which one sees the packet first, packets would come in on an interface, go through the ipfw rules, then the ipfilter rules, then out again (possibly through the rules again, assuming you don't do anything like use fastroute rules on either).

Basically, ipfw doesn't give as much control over the packets and filtering as ipfilter, so use both.

Useful URL: http://www.obfuscation.org/ipf

There's probably a good one for ipfw too, but I use ipfilter, and haven't had the need for traffic shaping yet...

--
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
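The split recommended in the quoted reply (ipfilter for stateful filtering and NAT, ipfw with dummynet for bandwidth limiting) written out as a concrete configuration for a FreeBSD 4.x-era gateway. This is an added example, not part of the original thread or of either poster's setup. The outside interface fxp0, the inside interface fxp1, the LAN prefix 192.168.100.0/24, the 2 Mbit/s cap, the rule file paths and the rc.conf knobs are all assumptions made for illustration; the kernel is assumed to be built with options IPFIREWALL, DUMMYNET, IPFILTER and IPFILTER_LOG.

```conf
# ---- /etc/ipnat.rules (ipfilter NAT, loaded by ipnat -f) ----
# Rewrite LAN sources to the address of the outside interface (0/32).
# The portmap line pins TCP/UDP source ports to a known range so they
# never collide with services bound on the firewall itself; the second
# line catches everything else (ICMP, GRE, ...).
map fxp0 192.168.100.0/24 -> 0/32 portmap tcp/udp 10000:40000
map fxp0 192.168.100.0/24 -> 0/32

# ---- /etc/ipf.rules (ipfilter packet filter, loaded by ipf -f) ----
# "quick" stops rule evaluation on match; ipf otherwise uses the
# last matching rule. "keep state" lets replies back in without a
# separate inbound rule for every service.
# Inside interface: trust the LAN, track its connections.
pass in  quick on fxp1 all keep state
pass out quick on fxp1 all
# Outside interface: drop and log packets claiming private sources
# (anti-spoofing), then allow only outbound-initiated traffic.
block in log quick on fxp0 from 10.0.0.0/8     to any
block in log quick on fxp0 from 172.16.0.0/12  to any
block in log quick on fxp0 from 192.168.0.0/16 to any
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
# Default deny, logged, so ipmon shows what was refused.
block in  log quick on fxp0 all
block out log quick on fxp0 all

# ---- /etc/ipfw.rules (ipfw + dummynet, loaded by rc.firewall) ----
# ipfw does only the shaping here; filtering decisions stay in ipf.
# Rule numbers start at 1000 so they sit after the lo0 rules that
# rc.firewall installs itself.
pipe 1 config bw 2Mbit/s queue 50
pipe 2 config bw 2Mbit/s queue 50
add 1000 pipe 1 ip from any to any out via fxp0
add 1100 pipe 2 ip from any to any in  via fxp0
# Accept everything ipf lets through; ipf has already filtered.
add 65000 pass ip from any to any

# ---- /etc/rc.conf fragment (assumed knob names) ----
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
```

Two things worth checking after loading this: `ipnat -l` shows the active translation table, so you can watch whether the mapped-port range is being exhausted under the traffic volume the thread is worried about, and `ipfstat -s` plus `ipmon -D` give the state-table size and the logged drops, which is how you confirm the default-deny rule is catching only what you expect. If the ipfw rules are ever extended beyond shaping, remember that a packet leaving a dummynet pipe is accepted without re-entering the ruleset while net.inet.ip.fw.one_pass is at its default of 1.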