Date: Mon, 28 Jun 1999 13:08:09 -0400
From: "Jim Flowers" <jflowers@ezo.net>
To: "Hans-Christoph Steiner" <hans@razorfish.com>, <freebsd-isp@FreeBSD.ORG>
Subject: Re: Using one FreeBSD box as router/firewall/vpn
Message-ID: <001d01bec188$cc446520$abd396ce@ezo.net>
References: <199906281630.MAA11156@yaga.razorfish.com>
Your decision will be interesting. Please give us your logic when you make it.

I have done a lot of fbsd routing, mostly with RIP and static routes. It is stable (2.2.2 through 3.2) and reliable. Ipfw and natd appear to operate correctly and are fairly straightforward to set up.

I have not yet set up the Sangoma driver, although I have looked at it and have a unit that I may put up soon. I think the Linux driver may have the edge here, as it preceded the fbsd version. I have heard that the Sangoma people are cooperative, although I haven't seen much discussion on the fbsd lists.

The units I set up all use SKIP for VPN functions. It has worked well and has been reliable. The key management is good and the X interface is fairly intuitive. The largest system I am managing is 6 nodes spread all over the globe. I looked at early implementations of IPSEC (about a year ago) across fbsd and linux but did not feel that it was robust enough to use for production VPNs, so stuck with SKIP.

I think it is a big mistake to put everything in one box, particularly if you care about security. My preference is to use one box for a gateway router and firewall with an interface for a perimeter network where a bastion host and VPN Access Controller and any sacrificial hosts are located. A second interface connects an interior network, preferably using private (non-routable) addressing. The resulting system is a traditional screened subnet firewall, which is well documented in the literature, with a VPN operating in parallel logically but physically through the single choke point. It is both intuitive and robust and, I think, very difficult to compromise.

----- Original Message -----
From: Hans-Christoph Steiner <hans@razorfish.com>
To: <freebsd-isp@FreeBSD.ORG>
Sent: Monday, June 28, 1999 12:30 PM
Subject: Using one FreeBSD box as router/firewall/vpn

>
> We are going to attempt to build a box that will serve as our router,
> firewall, and VPN/IPSec machine. Right now, we are still up in the air as to
> whether we are going to use FreeBSD or Linux so I was wondering what kind of
> experience people have doing such things and whether we are crazy to try to
> combine all of these functions into one box.
>
> The router will use two Sangoma WANpipe T1 CSU/DSU cards connecting to two T1s
> using BGP routing.
>
> The firewall will use the kernel firewalling (either FBSD or Linux).
>
> The VPN will use IPSec (FreeS/WAN or one of the FBSD implementations).
>
> -Hans
>
> | || ||| || r a z o r f i s h , inc.
>
> hans-christoph steiner
> [ network systems manager ]
>
> >> tel +1.212.798.6432
> >> pager +1.888.433.4970
> >> http://www.razorfish.com/
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
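The screened-subnet layout Jim describes (one gateway with an outside interface, a perimeter network holding the bastion host and VPN access controller, and a privately addressed interior behind natd), written out as an ipfw ruleset in the FreeBSD 3.x syntax the thread is about. This is an added example, not code from either poster; the interface names, addresses and the published services are constructed placeholders.

```shell
#!/bin/sh
# Screened-subnet policy for a three-interface FreeBSD gateway: ipfw rules
# in FreeBSD 3.x syntax (no keep-state), natd on the outside interface.
# Interface names and addresses are constructed placeholders.
ext_if="ed0"            # Internet-facing interface (the single choke point)
dmz_if="ed1"            # perimeter network: bastion host and VPN access controller
int_if="ed2"            # interior network, private addressing behind natd
dmz_net="192.0.2.0/24"  # perimeter net (constructed, documentation range)
int_net="10.0.0.0/24"   # interior net (constructed, RFC 1918)
bastion="192.0.2.10"    # constructed
vpn_ac="192.0.2.20"     # VPN access controller, SKIP or IPsec endpoint (constructed)

# FWCMD defaults to echo so the script prints the ruleset for review;
# run it with FWCMD="ipfw -q" to load the rules into the kernel.
fwcmd="${FWCMD:-echo}"

screened_subnet_rules() {
    $fwcmd -f flush
    # Anti-spoofing: interior and perimeter addresses never arrive from the Internet,
    # and only interior addresses originate on the interior interface.
    $fwcmd add 100 deny log ip from $int_net to any in via $ext_if
    $fwcmd add 110 deny log ip from $dmz_net to any in via $ext_if
    $fwcmd add 120 deny log ip from not $int_net to any in via $int_if
    # natd translates interior traffic on the outside interface (divert socket).
    $fwcmd add 200 divert natd ip from any to any via $ext_if
    # Replies to connections already opened (ACK or RST set) pass in every direction.
    $fwcmd add 300 allow tcp from any to any established
    # A compromised perimeter host cannot open anything into the interior; its
    # replies to interior connections were already accepted by rule 300.
    $fwcmd add 400 deny log ip from $dmz_net to $int_net in via $dmz_if
    # Only the published services may be opened to the bastion host.
    $fwcmd add 500 allow tcp from any to $bastion 25,80 setup
    # Only VPN protocols may reach the access controller:
    # SKIP (IP proto 57), ESP (50), AH (51), IKE (UDP 500).
    $fwcmd add 510 allow skip from any to $vpn_ac
    $fwcmd add 520 allow esp from any to $vpn_ac
    $fwcmd add 530 allow ah from any to $vpn_ac
    $fwcmd add 540 allow udp from any 500 to $vpn_ac 500
    # No other connection may be opened from the Internet; log the attempts.
    $fwcmd add 600 deny log tcp from any to any in via $ext_if setup
    # Interior and perimeter hosts may open connections outward, and DNS may
    # flow both ways (coarse: stateless UDP is the price of 3.x-era ipfw).
    $fwcmd add 700 allow tcp from any to any setup
    $fwcmd add 710 allow udp from any to any 53
    $fwcmd add 720 allow udp from any 53 to any
    # Everything else is dropped and logged at the single choke point.
    $fwcmd add 65000 deny log ip from any to any
}

screened_subnet_rules
```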