Date: Thu, 04 Nov 1999 10:11:15 -0500
To: freebsd-security@freebsd.org
From: "Scott I. Remick" <scott@computeralt.com>
Subject: Firewall questions

Hello. I'm working on my first firewall, and have a few questions:

1) I've purchased the O'Reilly book "Building Internet Firewalls", and have printed out chapters 6.4 and 16 from the handbook. However, is there any other guide that describes in better detail how to do what I am doing? (read on for details)

2) Is sendmail necessary on a firewall? I've removed all other non-essential daemons already (r*, telnetd, ftpd, even inetd). The only service running right now is ssh, which is the only way I communicate with this system. I've never telnetted to it.

3) What the heck would be using port 111? Strobe shows it as being alive and listening.

4) How do I properly set up routes for a dual-homed firewall where both sides are within the same class C? This is the first time I've ever had to play with routing and gateways.

5) Where's the proper place to put your ipfw rules so they get reloaded on every boot? rc.local?

6) Should www/ftp/dns/etc servers be inside the firewall, or in the DMZ?
What I'm ultimately trying to have is a system like the following:

    INTERNET <-> Router (A.B.C.1) <-> DMZ <-> (A.B.C.2) Firewall (A.B.C.3) <-> internal_network (A.B.C.*)

I've already got the firewall system up and going (FreeBSD 3.3 RELEASE), with ssh 2.0.13 running. The necessary stuff to enable IPFW has been built into the kernel per Handbook 6.4. Both network cards are installed, have IPs, and appear operational. I've edited /etc/rc.firewall to match the IP addresses on our network. I've added the following to /etc/rc.conf (IP addresses and hosts have been changed):

    network_interfaces="ed0 ed1 lo0"
    ifconfig_ed0="inet A.B.C.3 netmask 255.255.255.0"
    ifconfig_ed1="inet A.B.C.2 netmask 255.255.255.0"
    defaultrouter="A.B.C.1"
    hostname="firewall.domain.com"
    sendmail_enable="NO"
    inetd_enable="NO"
    gateway_enable="YES"
    router_enable="YES"
    router="routed"
    router_flags="-q"
    firewall_script="/etc/rc.firewall"
    firewall_type="open"     <---- YES I KNOW THIS IS BAD, I'm not ready to go live yet.
    firewall_enable="YES"

So I feel like I'm making good progress. I'm getting a good understanding of ipfw rules. But the routes thing has got me a bit stumped. I'm not clear on what routing is being done by routed, what routing is being done (if any) by ipfw (because rc.firewall has places for you to put in both sides of your firewall), and what the difference in enabling routing and enabling gateway is.

I want anything destined for the internet to go out A.B.C.2 and anything destined for the internal network to go out A.B.C.3. I figure I would then set up routes to A.B.C.1 and any systems in the DMZ as individual routes from A.B.C.2, correct?

Oh well. Any advice? Tips? Suggestions? URLs? PDFs? Books?

What I'm planning on doing is, once I've got the routes set up properly, then having my system point to the firewall as the gateway instead of the current router (I assume this would be the proper procedure for everyone once we're ready to go live) and then start tweaking ipfw rules.
That way, everyone can remain functional until I have it set up properly. Then I'll tell the router to only communicate to the firewall, plug the router directly into A.B.C.2 w/ a cross-over cable (I'd use a separate hub if I were to set up other hosts in a DMZ), and then adjust everyone else's default gateway to be the firewall.

I'm sure I'm missing a lot here and have a bunch of stuff wrong. Please advise.... thanks! :)

-----------------------
Scott I. Remick                 scott@computeralt.com
Network and Information         (802)388-7545 ext. 236
Systems Manager                 FAX:(802)388-3697
Computer Alternatives, Inc.     http://www.computeralt.com
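An added example for questions 3 and 5 above (it is not from the original post, nor FreeBSD's own /etc/rc.firewall): a small closed ipfw ruleset for the dual-homed layout described, written as a /bin/sh script of the kind the firewall_script setting in rc.conf points at. It assumes ed1 is the outside card toward the router/DMZ and ed0 the inside card, uses the documentation range 192.0.2.0/24 as a stand-in for A.B.C.0/24, and assumes the class C has been split so the inside hosts have their own half (192.0.2.128/25) that an anti-spoofing rule can tell apart from the outside.

```shell
#!/bin/sh
# Added example, not the original post's or FreeBSD's rc.firewall: a closed
# ipfw ruleset for a dual-homed firewall. Placeholders (assumed): ed1 faces
# the router/DMZ with 192.0.2.2, ed0 faces the inside LAN 192.0.2.128/25
# with 192.0.2.129. ipfw is first-match, so rule numbers set the order.
oif="ed1"; oip="192.0.2.2"
iif="ed0"; iip="192.0.2.129"; inet="192.0.2.128/25"

# build_rules prints the ipfw arguments, one rule per line, so the set can
# be reviewed or tested before anything is loaded into the kernel.
#   100-200  loopback only via lo0, nothing else may target 127/8
#   300-330  anti-spoofing: private ranges and our own inside addresses
#            must never arrive on the outside interface
#   400-410  port 111 (the portmapper, commonly what listens there) is
#            never reachable from outside
#   500      ssh to the firewall only from the inside LAN
#   600-610  stateless TCP: inside hosts may open connections, replies
#            (ACK set, "established") may return; no inbound SYNs
#   700-800  DNS and a few harmless ICMP types; everything else is logged
build_rules() {
    cat <<EOF
-f flush
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 10.0.0.0/8 to any in via ${oif}
add 310 deny ip from 172.16.0.0/12 to any in via ${oif}
add 320 deny ip from 192.168.0.0/16 to any in via ${oif}
add 330 deny ip from ${inet} to any in via ${oif}
add 400 deny tcp from any to any 111 in via ${oif}
add 410 deny udp from any to any 111 in via ${oif}
add 500 allow tcp from ${inet} to ${iip} 22 in via ${iif}
add 600 allow tcp from any to any established
add 610 allow tcp from ${inet} to any setup
add 700 allow udp from ${inet} to any 53
add 710 allow udp from any 53 to ${inet}
add 800 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}

# load_rules feeds each line to ipfw; it refuses to run where ipfw is absent.
load_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    build_rules | while read -r line; do
        ipfw $line   # unquoted on purpose: each word is one ipfw argument
    done
}

if [ "${1:-}" = "load" ]; then load_rules; else build_rules; fi
```

Run it with no argument to print the rules for review, or with `load` to feed them to ipfw; pointing firewall_script at it (with firewall_enable="YES") is what gets it reloaded at every boot rather than rc.local.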