From owner-freebsd-ipfw Fri Jun 8 10:33:28 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from new-dns.whc.net (new-dns.whc.net [204.90.111.214]) by hub.freebsd.org (Postfix) with ESMTP id 17D0937B406 for ; Fri, 8 Jun 2001 10:33:25 -0700 (PDT) (envelope-from carlos@rjstech.com)
Received: from null ([66.85.10.250]) by smtp.whc.net (8.11.4/8.11.4/kbp) with SMTP id for ; Fri, 8 Jun 2001 11:31:37 -0600 (MDT)
Reply-To:
From: "Carlos Andrade"
To:
Subject: A epiphany of sorts
Date: Fri, 8 Jun 2001 11:21:45 -0600
Message-ID: <001101c0f03f$7eb57140$fa0a5542@rjstech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Importance: Normal
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I have been working on our company's firewall for some time and I have been helped quite a bit by the wonderful people on this list. I had an epiphany of sorts today. Due to the way our office is networked to our other sales offices I want to redo our firewall rules.

(background)

our_network: will be put behind the firewall; natd will be running, so I may have to have NAT rules somewhere for directing requests to the correct machine.

midland_office: a sales office behind a DSL router; machines are DHCP'ing to the net.

abilene_office: a sales office behind a DSL router; machines are DHCP'ing to the net.

(theoretical rule set)

allow everything from our_network out
allow everything? from our midland_office in
allow everything? from our abilene_office in
pass tcp from any to our outside_interface 80 setup (access web servers)

and then our thin client (which we use to connect to an app server from the offices and sometimes from the road):

TCP/IP port 1494 (inbound)
UDP port 1604 (inbound and outbound)
Outbound ports 1023 and above for both TCP/IP & UDP

deny the rest

(commentary)

We have no mail or DNS servers; all that is done by our ISP. So there is very little traffic wanting to come into our network, so I can let those things in. I hope that I can just allow in the IPs of the DSL routers, since the machines behind them pass through them over DHCP, or am I loony and need to read up more on DHCP?

Yes, I know I must have a huge measure of trust to allow everything from our offices. I do. I am just trying to add to the layers of security by dictating exactly where people can access us from and how.

thanks in advance,

Carlos Andrade
----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13
915.845.2119 fax
carlos@rjstech.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
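As an added example (not code from Carlos's message or from the FreeBSD project), here is the theoretical rule set above written out in the rc.firewall style: natd divert, the two office allows, the web and thin-client ports (1494/tcp, 1604/udp, the Citrix ICA defaults), and deny-the-rest. The interface name, the outside address, the private range and the two internal servers are all assumptions and are marked as such in the script. Two points a practitioner would check before using it: first, the divert rule runs before the filter rules, so an inbound packet that natd redirects reaches the allow rules with its destination already rewritten to the internal host, which is why the web and thin-client rules match the internal server rather than the outside interface's address (and why the outbound allow matches the post-NAT source). Second, allowing the sales offices by the DSL routers' addresses has nothing to do with the DHCP leases inside those offices; it works as long as each router has a static public address and NATs its office behind it, and it breaks whenever the ISP hands the router itself a new address. For the same reason the script uses TCP `established` and an explicit DNS-reply rule instead of `keep-state`, since natd rewrites addresses between the divert rule and any dynamic-rule check.

```shell
#!/bin/sh
# Added example, not from the original message: an ipfw/natd rule set in the
# rc.firewall style for the policy Carlos sketches. Every address and
# interface name below is an assumption; adjust to the real network.

oif="fxp0"                  # assumed outside interface of the FreeBSD box
oip="198.51.100.2"          # assumed outside address natd aliases traffic to
onet="192.168.1.0/24"       # assumed our_network (private, behind natd)
webserver="192.168.1.10"    # assumed internal host natd redirects port 80 to
appserver="192.168.1.20"    # assumed internal app server the thin clients reach
midland="198.51.100.10"     # assumed static public address of the Midland DSL router
abilene="203.0.113.10"      # assumed static public address of the Abilene DSL router

# build_ruleset CMD: runs CMD once per rule. CMD is /sbin/ipfw to load the
# rules, or echo to print them for review without touching the kernel.
build_ruleset() {
    fw="${1:-/sbin/ipfw}"

    $fw -f flush

    # loopback is always fine; nothing else may claim 127/8
    $fw add 100 allow all from any to any via lo0
    $fw add 110 deny all from any to 127.0.0.0/8
    $fw add 120 deny all from 127.0.0.0/8 to any

    # anti-spoof, placed BEFORE natd so the untranslated source is checked:
    # our private range never arrives on the outside interface
    $fw add 200 deny all from "$onet" to any in via "$oif"

    # natd: every later rule sees translated addresses, so inbound rules
    # match the internal host and outbound rules match the outside address
    $fw add 300 divert natd all from any to any via "$oif"

    # "allow everything from our_network out": by now natd has rewritten the
    # source to $oip, which also covers the ICA 1604/udp and high-port
    # outbound items in the list
    $fw add 1000 allow all from "$oip" to any out via "$oif"

    # "allow everything? from the sales offices in", by the routers' public IPs
    $fw add 1100 allow all from "$midland" to any in via "$oif"
    $fw add 1200 allow all from "$abilene" to any in via "$oif"

    # web servers, plus the thin-client ports (1494/tcp in, 1604/udp in);
    # destinations are the internal hosts because natd has already redirected
    $fw add 2000 allow tcp from any to "$webserver" 80 setup in via "$oif"
    $fw add 2100 allow tcp from any to "$appserver" 1494 setup in via "$oif"
    $fw add 2200 allow udp from any to "$appserver" 1604 in via "$oif"

    # replies to connections we opened: TCP by flags, and DNS answers from the
    # ISP's resolvers by source port (no keep-state: natd rewrites addresses
    # between the divert rule and a check-state rule, so dynamic rules miss)
    $fw add 3000 allow tcp from any to any established
    $fw add 3100 allow udp from any 53 to "$onet" in via "$oif"

    # deny the rest, logged so that what gets blocked can be reviewed
    $fw add 65000 deny log all from any to any
}

# Default is a dry run that prints the rules; pass --apply to load them.
case "${1:-}" in
    --apply) build_ruleset /sbin/ipfw ;;
    *)       build_ruleset echo ;;
esac
```

Run it with no arguments to review the generated rules, and with `--apply` on the firewall itself once the addresses are real; rule 2200 is intentionally stateless so UDP 1604 traffic from the road still reaches the app server after the router addresses change.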