From: "Jim Flowers" <jflowers@ezo.net>
To: "Hans-Christoph Steiner",
References: <199906281630.MAA11156@yaga.razorfish.com>
Subject: Re: Using one FreeBSD box as router/firewall/vpn
Date: Mon, 28 Jun 1999 13:08:09 -0400
Message-ID: <001d01bec188$cc446520$abd396ce@ezo.net>

Your decision will be interesting. Please give us your logic when you make it.

I have done a lot of fbsd routing, mostly with RIP and static routes. It is stable (2.2.2 through 3.2) and reliable. Ipfw and natd appear to operate correctly and are fairly straightforward to set up.

I have not yet set up the Sangoma driver, although I have looked at it and have a unit that I may put up soon. I think the Linux driver may have the edge here, as it preceded the fbsd version. I have heard that the Sangoma people are cooperative, although I haven't seen much discussion on the fbsd lists.

The units I set up all use SKIP for VPN functions. It has worked well and has been reliable. The key management is good and the X interface is fairly intuitive. The largest system I am managing is 6 nodes spread all over the globe. I looked at early implementations of IPSEC (about a year ago) across fbsd and linux but did not feel that it was robust enough to use for production VPNs, so stuck with SKIP.
I think it is a big mistake to put everything in one box, particularly if you care about security. My preference is to use one box for a gateway router and firewall with an interface for a perimeter network where a bastion host and VPN Access Controller and any sacrificial hosts are located. A second interface connects an interior network, preferably using private (non-routable) addressing. The resulting system is a traditional screened subnet firewall, which is well documented in the literature, with a VPN operating in parallel logically but physically through the single choke point. It is both intuitive and robust and, I think, very difficult to compromise.

----- Original Message -----
From: Hans-Christoph Steiner
To:
Sent: Monday, June 28, 1999 12:30 PM
Subject: Using one FreeBSD box as router/firewall/vpn

>
> We are going to attempt to build a box that will serve as our router,
> firewall, and VPN/IPSec machine. Right now, we are still up in the air as to
> whether we are going to use FreeBSD or Linux so I was wondering what kind of
> experience people have doing such things and whether we are crazy to try to
> combine all of these functions into one box.
>
> The router will use two Sangoma WANpipe T1 CSU/DSU cards connecting to two T1s
> using BGP routing.
>
> The firewall will use the kernel firewalling (either FBSD or Linux).
>
> The VPN will use IPSec (FreeS/WAN or one of the FBSD implementations).
>
> -Hans
>
> | || ||| || r a z o r f i s h , inc.
>
> hans-christoph steiner
> [ network systems manager ]
>
> >> tel +1.212.798.6432
> >> pager +1.888.433.4970
> >> http://www.razorfish.com/
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
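The screened-subnet layout Jim describes, written out as an ipfw ruleset of the stateless setup/established style of that era; this is an added example, not code from the thread. Interface names (ed0/ed1/ed2), the 192.0.2.0/28 perimeter prefix, the 10.1.0.0/16 interior prefix and the bastion and VPN controller addresses are all assumed.

```sh
#!/bin/sh
# Added example; the interfaces, prefixes and hosts below are assumptions.
IPFW=${IPFW:-/sbin/ipfw}      # set IPFW=echo to preview instead of loading
EXT_IF=${EXT_IF:-ed0}         # upstream side, public addressing
DMZ_IF=${DMZ_IF:-ed1}         # perimeter network: bastion, VPN access controller
INT_IF=${INT_IF:-ed2}         # interior network, private addressing
DMZ_NET=192.0.2.0/28          # constructed documentation prefix
INT_NET=10.1.0.0/16           # RFC 1918 space, must never be seen outside
BASTION=192.0.2.2             # mail and DNS relay on the perimeter
VPN_GW=192.0.2.3              # VPN access controller on the perimeter

# Print the rule bodies in evaluation order (ipfw stops at the first match).
screened_subnet_rules() {
    # Anti-spoofing: each prefix is legitimate only on its own interface,
    # and the interior prefix is never routable from the outside at all.
    echo "deny ip from $INT_NET to any in via $EXT_IF"
    echo "deny ip from $DMZ_NET to any in via $EXT_IF"
    echo "deny ip from any to $INT_NET in via $EXT_IF"
    echo "deny ip from $INT_NET to any in via $DMZ_IF"
    # Return traffic for TCP connections opened by the rules below.
    echo "allow tcp from any to any established"
    # Only the bastion offers services to the outside world; the DNS reply
    # rule is matched by source port because these rules keep no state.
    echo "allow tcp from any to $BASTION 25 setup"
    echo "allow tcp from any to $BASTION 53 setup"
    echo "allow udp from any to $BASTION 53"
    echo "allow udp from $BASTION 53 to any"
    # Tunnel traffic terminates on the VPN controller, in both directions:
    # ESP (50), AH (51), SKIP (57) and IKE (udp/500).
    for p in 50 51 57; do
        echo "allow $p from any to $VPN_GW"
        echo "allow $p from $VPN_GW to any"
    done
    echo "allow udp from any 500 to $VPN_GW 500"
    echo "allow udp from $VPN_GW 500 to any 500"
    # Decapsulated VPN traffic is the only thing the perimeter may push into
    # the interior; interior hosts may open TCP connections anywhere.
    echo "allow ip from $VPN_GW to $INT_NET"
    echo "allow ip from $INT_NET to $VPN_GW"
    echo "allow tcp from $INT_NET to any setup"
    # A compromised bastion stays on the sacrificial side of the choke point.
    echo "deny ip from $DMZ_NET to $INT_NET"
    echo "deny log ip from any to any"
}

# Flush the live ruleset and load the rules above, one ipfw call per rule.
apply_rules() {
    $IPFW -f flush
    screened_subnet_rules | while IFS= read -r rule; do
        $IPFW add $rule      # word splitting into ipfw arguments is intended
    done
}
```

Source the file and run `IPFW=echo apply_rules` to review the generated ipfw commands before loading them on a real gateway.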