From owner-freebsd-ipfw Fri Jan 14 10:48:28 2000
Delivered-To: freebsd-ipfw@freebsd.org
From: "Mark Holloway" (envelope-from mholloway@flashmail.com)
To:
Subject: Is IPFW Static or Dynamic?
Date: Fri, 14 Jan 2000 08:44:08 -0800
Sender: owner-freebsd-ipfw@FreeBSD.ORG

At work we have a T1 to the net and a PIX firewall. It works great for Layer 3 protection, but we have another T1 link coming in and before I propose another $18,000 solution [which is high in price for what it does], I want to investigate what FreeBSD + IPFW can do for me. It has nothing to do with being a "free" solution, rather, it has everything to do with how solid and robust the TCP/IP stack is.

The intended goal: To set up a firewall with two NIC cards. One for the Internet, one for the private network. There are 12 private subnets inside our network, and a 3Com Netbuilder II Router will forward all "unknown" packets from the inside of our network to the internal interface of the FreeBSD box. There will not be a DMZ (yet), but maybe in the future. We have clients from the outside who will connect to the inside of our network using Microsoft PPTP/VPN. We also have to allow inbound connections for SMTP, FTP (which will eventually go to the DMZ), and some custom port configurations for Citrix clients from home (currently these are configured at ports 1400-1405, so they are out of the standard range).

From the inside of our network going outbound, we have to allow Telnet on ports 3000-3006.

One thing that's interesting about the PIX is that I had to set up routes for the other subnets. For example, the PIX lives on 172.16.10.xxx/16. We have clients on routed segments (inside our network, from the Netbuilder II) on 192.168.xxx.xxx/24 - and there are approximately 10 class C networks there. So on the PIX I had to configure "route inside 192.168.20.1 255.255.255.0 172.16.1.1" - 172.16.1.1=Netbuilder II. So when packets originate from 192.16.20.1, the Netbuilder forwards them to the PIX (because the IP for FreeBSD.org doesn't exist inside our network, so the "destination of last resort" is the IP of the PIX which forwards to the Internet) - but then the PIX has to know when packets come back, where does it forward to? Well, the answer is 172.16.1.1 which knows how to reach 192.168.20.1. Does this make sense? Is it doable with FreeBSD and IPFW?

Does anyone here know what the benefits of IPFW are versus PIX? PIX is pretty much a layer 3 only Firewall with some extended features, but not much. I can use encryption, but I can't share certificates like I can with Firewall-1. What does FreeBSD offer for encryption using a VPN? Does FreeBSD support IPSec?

I would greatly appreciate ANY feedback from this list... I'm not subscribed, so please "reply to all" so I get a CC:.

Thanks!

Regards,
Mark

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
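As an added example that is not part of the original post or any reply to it, here is how the setup described above (two NICs, inbound SMTP/FTP/PPTP/Citrix 1400-1405, outbound Telnet 3000-3006, and the return route to the 192.168.x.0/24 segments behind the Netbuilder) could be expressed as an ipfw ruleset on FreeBSD. Interface names, the internal server addresses, and the use of dynamic (keep-state) rules, which need FreeBSD 4.0 or later, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: ipfw ruleset and static route for
# the two-NIC FreeBSD firewall described above. Assumptions: interface names,
# the internal server addresses, and ipfw with dynamic (keep-state) rules,
# which requires FreeBSD 4.0 or later. Set IPFW=echo ROUTE=echo for a dry run.
IPFW="${IPFW:-ipfw}"
ROUTE="${ROUTE:-route}"
OIF="${OIF:-fxp0}"                        # assumed outside (T1) interface
IIF="${IIF:-fxp1}"                        # assumed inside interface, 172.16.0.0/16
NETBUILDER="172.16.1.1"                   # Netbuilder II router, from the post
ROUTED_NETS="${ROUTED_NETS:-192.168.20.0/24}"  # segments behind it; post names one
MAILHOST="${MAILHOST:-172.16.10.25}"      # assumed internal SMTP server
FTPHOST="${FTPHOST:-172.16.10.21}"        # assumed FTP server (DMZ later)
VPNHOST="${VPNHOST:-172.16.10.100}"       # assumed Microsoft PPTP server
CITRIXHOST="${CITRIXHOST:-172.16.10.50}"  # assumed Citrix server, ports 1400-1405

# Emit the ruleset as text so it can be reviewed (or tested) before loading.
# Rules 200/210 drop packets arriving from the Internet with inside source addresses.
# Inbound rules match the first packet on the outside interface and create a
# dynamic rule; the reply and the inside-interface pass are matched by check-state.
build_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from 172.16.0.0/16 to any in via $OIF
add 210 deny ip from 192.168.0.0/16 to any in via $OIF
add 300 check-state
add 400 allow tcp from any to $MAILHOST 25 in via $OIF setup keep-state
add 410 allow tcp from any to $FTPHOST 21 in via $OIF setup keep-state
add 420 allow tcp from any to $VPNHOST 1723 in via $OIF setup keep-state
add 430 allow gre from any to $VPNHOST
add 431 allow gre from $VPNHOST to any
add 440 allow tcp from any to $CITRIXHOST 1400-1405 in via $OIF setup keep-state
add 500 allow tcp from any to any 3000-3006 in via $IIF setup keep-state
add 65000 deny log ip from any to any
EOF
}

# Apply the ruleset, then add the return route for each routed 192.168.x.0/24
# segment via the Netbuilder (the equivalent of the PIX "route inside" line).
load_rules() {
    $IPFW -f flush
    build_rules | while read -r rule; do $IPFW $rule; done
    for net in $ROUTED_NETS; do $ROUTE add -net "$net" "$NETBUILDER"; done
}

case "${1:-}" in load) load_rules ;; esac
```

Rule 410 covers only the FTP control channel, so active-mode data connections need separate handling, and the final `deny log` only records hits when net.inet.ip.fw.verbose is enabled.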