Date: Wed, 27 Feb 2002 14:28:46 +0100 (CET) From: =?iso-8859-1?q?m=20p?= <sumirati@yahoo.de> To: sec@hict.nl Cc: freebsd-security@freebsd.org Subject: Re: best firewall option for FreeBSD Message-ID: <20020227132846.28405.qmail@web13305.mail.yahoo.com>
next in thread | raw e-mail | index | archive | help
> Hi all, > > I have to build a firewall for our University with 2 NIC's. One > connected to internet and the second connected to the network. > The e-mail is running on M$ Exchange, but this servers are placed > outside of the network. > With the firewall we would like to increase the security, but also make > it impossible for internal users to use anything else but http, https, > ssh, ftp-client,pop3-client, Outlook. So it has to be impossible to use > Morpheus, Kazaa, Napster etc. > > What firewall software (Opensource) would you advice? Or do I have to > choose another OS? > > Best regards, > Geert Houben Hi Geert, you can use either ipfw (the firewall I prefer) or ipfilter. For your case I would you ipfilter. Why? To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant with outlook)) you can choose both. But ftp is a braindead (from a firewaller sight) protocol. You can not simple make a rule "allow tcp from internal network to external ftp-server" - because it will use more than one port. So you should use ipfilter which "inspects" the pakets flowing through to get the new ftp port which have to be open - or use a ftp-proxy (there are some in the ports, look for one fitting your purpose). Another thought: Should this firewall be "visible" to the user? Should he/she know about it? If not you can only add a transparent proxy and/or building a bridging rather than a routing firewall. If yes, well, why not considering a new infrastructure for your servers in the net and your users too? An Exchange server in the internet without firewall (and securing Windows behorehand - but of course you have done that, haven't you?) is not nearly secure - for example. You can work on that detail and a lot more with a new concept which have to include security concerns, usefulness, managebility (if there is this word), TOC .... Hope that helps Marc __________________________________________________________________ Gesendet von Yahoo! Mail - http://mail.yahoo.de Ihre E-Mail noch individueller? - http://domains.yahoo.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020227132846.28405.qmail>