From owner-freebsd-ipfw Sat Jan 15 17:15:22 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
	by hub.freebsd.org (Postfix) with ESMTP id 56B3615158
	for ; Sat, 15 Jan 2000 17:15:15 -0800 (PST)
	(envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
	by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id UAA53469;
	Sat, 15 Jan 2000 20:19:21 -0500 (EST)
	(envelope-from cjc)
From: "Crist J. Clark"
Message-Id: <200001160119.UAA53469@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: Simple router with basic firewall functionalities
In-Reply-To: <4.1.20000114165656.00c8d940@mail.rz.fh-wilhelmshaven.de> from Olaf Hoyer at "Jan 14, 2000 05:26:31 pm"
To: ohoyer@fbwi.fh-wilhelmshaven.de (Olaf Hoyer)
Date: Sat, 15 Jan 2000 20:19:21 -0500 (EST)
Cc: freebsd-ipfw@FreeBSD.ORG
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Olaf Hoyer wrote,
> Hi!
>
> Well, I want to recycle my old 486 for a security project...
>
> Basic idea is, since I'm sitting on a LAN with my machine here in our
> students' home, I want to have a second machine as a router/gateway/firewall
> between my valued box and the rest of my fellow bad-ass students...
>
> Are there any links to good documentation regarding this?
> Or could someone tell me about some issues with the following config:
>
> 486/66 or 100          or:  486/sx 25
> 16/32 MB RAM                8/16 MB RAM
> 1 GB HDD                    300 MB HDD
> 2 NIC (whether cheap Realtek ISA or AMD PCnet ISA from Allied Telesyn)

The first column should be able to handle the dedicated IPFW/NAT job
fine. In the second case, 8 MB of RAM would really be pushing things. The
HDD is also pretty small. It would be enough to hold a FreeBSD install,
but the machine would not have the room for much of anything else or to
do make-worlds.
> I have a FBSD 3.2 R here, or should I have a look at a different distro?

Why not download 3.x-STABLE? But 3.2R should be just fine with the
possible caveat that it may have one of the exploitable BIND versions. So
if you plan to do DNS on the box...

[snip]

> So I want to connect the 486 to the TP network jack, then connect the big
> machine with coax or TP to the second NIC.

You want to have a firewall machine to protect _one_ machine? I would
only bother with this if (1) you are doing it purely as an exercise or (2)
the machine behind the wall is running an M$ OS.

> I understand that I must have packet forwarding activated/compiled.
> I also heard a lot about IP masquerading/NAT. Can anyone explain the
> difference between them, and give me some opinion if that's preferable or not?

To my knowledge, there is no difference between them. They are different
words for the same thing. Masquerading is something that Linux-types talk
about whereas everyone else calls it NATd, but I may be wrong.

> Some braindead jerks are also trying to make funny games, like nuking
> computers and that stuff of network games, mainly targeted on the M$
> machines running here. Any opinions about that, except that a UN*X runs
> better here? Detection/Trace/Retaliation-wise?

UNIX-type OSes will of course not be vulnerable to attacks specific to
ones used on M$ OSes. That is not to say that a UNIX OS is completely
secure either. However, if you are careful, even as a novice, you can
probably put together a pretty secure firewall box with FreeBSD. IMHO,
the only thing that might be more secure would be an OpenBSD box put
together with equal care.

> I also thought about a SAMBA server, to ensure compatibility to exchange
> data with the M$ machines running here. Any security issues?

If you run Samba servers, yes. But...
> Yes, I know that running a server app on a router/firewall imposes a severe
> threat, but it would be a thought, since I need some basic compatibility
> with the rest of the environment.

Depending on what type of "compatibility" we are talking about here, you
may not need to run the Samba servers. If you want to be able to grab
files from M$ networked machines or use their printers, you need only run
smbclient(1). You only need to run a Samba server (smbd(8) and nmbd(8)) if
you want other machines accessing files and resources on yours. Allowing
such access is obviously a big security issue.

> Is it also possible to send/receive the "messaging service" of NT,
> respectively the "Popups"?

No idea what you are talking about. Can't help there.
--
Crist J. Clark                           cjclark@home.com
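An added example, not part of the message above and not FreeBSD's own
rc.firewall: a minimal ipfw(8) plus natd(8) ruleset for the two-NIC setup
discussed in the thread, with a single trusted host behind the inside NIC.
The interface names (ed0 outside, ed1 inside), the inside network
192.168.1.0/24 and the ipfw path are assumptions; change them to match the
real box. The script prints the rules instead of loading them so the order
can be reviewed first, and it uses the stateless setup/established style
rather than keep-state, which the 3.x ipfw does not have. It also drops
NetBIOS/SMB and MS RPC (TCP/UDP 135, 137, 138, 139) arriving on the
outside NIC, so nothing on the dorm LAN can reach Windows-style file
sharing on the gateway or on the protected host. The rc.conf lines show
that "masquerading" on FreeBSD is natd(8) fed by an ipfw divert rule.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal ipfw(8)+natd(8)
# ruleset for a two-NIC FreeBSD 3.x gateway protecting one inside host.
# Interface names, inside network and the ipfw path are assumptions.
#
# Assumed topology (constructed for this example):
#   ed0 = outside NIC on the dorm LAN (address handed out by the LAN)
#   ed1 = inside NIC, 192.168.1.1; the protected machine is 192.168.1.2

OIF=${OIF:-ed0}
IIF=${IIF:-ed1}
INET=${INET:-192.168.1.0/24}
IPFW=${IPFW:-/sbin/ipfw}

# rc.conf lines that make the box a forwarding NAT gateway.  natd(8) plus
# an ipfw divert rule is FreeBSD's equivalent of Linux "IP masquerading";
# -dynamic makes natd follow address changes on the outside NIC.
rc_conf_fragment() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="$OIF"
natd_flags="-dynamic"
EOF
}

# The ruleset, one "ipfw add" command per line.  Rules after the divert
# rule see translated addresses: outbound packets carry the outside
# address, inbound ones the inside host's address.
rules() {
    cat <<EOF
$IPFW -f flush
# loopback, and nothing claiming to be 127/8 on a real NIC
$IPFW add 100 allow ip from any to any via lo0
$IPFW add 200 deny ip from any to 127.0.0.0/8
# anti-spoofing: inside addresses never arrive on the outside NIC, and
# only inside addresses arrive on the inside NIC
$IPFW add 300 deny log ip from $INET to any in via $OIF
$IPFW add 310 deny log ip from not $INET to any in via $IIF
# hand every packet on the outside NIC to natd(8)
$IPFW add 400 divert natd ip from any to any via $OIF
# replies to connections the inside host opened
$IPFW add 500 allow tcp from any to any established
# no NetBIOS/SMB/MS RPC from the dorm LAN, logged so probes are visible
$IPFW add 600 deny log tcp from any to any 135,137,138,139 in via $OIF
$IPFW add 610 deny log udp from any to any 135,137,138,139 in via $OIF
# unsolicited connection attempts from the LAN are dropped and logged;
# everything else may open TCP connections (i.e. outbound from inside)
$IPFW add 700 deny log tcp from any to any in via $OIF setup
$IPFW add 800 allow tcp from any to any setup
# DNS queries out, replies back to the inside host
$IPFW add 900 allow udp from any to any 53 out via $OIF
$IPFW add 910 allow udp from any 53 to $INET in via $OIF
# echo reply, unreachable, echo request, time exceeded
$IPFW add 1000 allow icmp from any to any icmptypes 0,3,8,11
# the single inside host is trusted
$IPFW add 1100 allow ip from any to any via $IIF
# default: drop and log
$IPFW add 65000 deny log ip from any to any
EOF
}

case "${1:-rules}" in
    rc)    rc_conf_fragment ;;
    rules) rules ;;
esac
```

Review the output first (`sh ipfw-rules.sh`), then load it as root with
`sh ipfw-rules.sh | sh`, or save the output as /etc/ipfw.rules and append
the `rc` output to /etc/rc.conf. Only TCP, DNS and the listed ICMP types
leave the box; network games that use other UDP ports need their own
rules, and the gateway's own DNS lookups need a rule for its outside
address, which is left out here because that address is dynamic.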