From: "Michael P. Sale"
Subject: Re: using IPFW as a firewall
Date: Sat, 4 Jul 1998 23:28:47 -0700
Message-ID: <01bda7de$2ad93c20$4706bccc@708644668>
Sender: owner-freebsd-newbies@FreeBSD.ORG

Dan,

Neat stuff. Building a "real" firewall is an art form that few people ever gain enough skill to do correctly. It should provide you with a fun challenge at the least.

I've never set anything up on a Unix box, so I'm not too sure about the specifics of such an operation. I have, however, set up a few "screens" on routers in the past few years. (We never called them firewalls because I've never believed that a router should or could be a *true* firewall.) After figuring out what we wanted to let through (IP addresses, SMTP, FTP, etc.) we would build a wall, i.e. disallow all. From there you can start poking holes in the wall, testing each "hole" as you go, i.e. allow FTP on xx port to this address only. This seems to prevent the "oh heck, now this doesn't work" problems too, because nothing works until you allow it to.
It always seemed to work well for me to do things in this setup and test methodology, but everyone is different. Again, I'm not sure how much IPFW will allow here, so I'm not sure if this will work for you or not. Things you generally allow are telnet, ftp, and smtp (mail) on their specific ports.

Sorry I can't provide specifics on UNIX systems. As you press ahead with the project, I would be interested to see some posts on the outcome.

Good Luck!

Mike

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-newbies" in the body of the message