Date:      Wed, 14 Apr 1999 16:28:59 +1000 (EST)
From:      Gary Gaskell <gaskell@isrc.qut.edu.au>
To:        Thomas Uhrfelt <thomas.uhrfelt@plymovent.se>
Cc:        "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject:   Re: IPFilter?
Message-ID:  <Pine.GSO.4.10.9904141625070.14762-100000@primrose.isrc.qut.edu.au>
In-Reply-To: <01BE864B.F30FCA00.thomas.uhrfelt@plymovent.se>


Thomas, 

1. I recommend buying some books and reading some web pages by gurus (not
by some of the vendors!).  O'Reilly's have some good books.  Try Building
Internet Firewalls by Chapman and Zwicky, or a book by Bellovin and
Cheswick (I don't recall the publisher just now).

2. Yes, don't go for any OS with a history of continuing weaknesses.  And
preferably add in some defence in depth, by using choking routers
externally and internally.

Good luck (but really there is no luck - just use a good scientific
approach).

Cheers, Gary

On Wed, 14 Apr 1999, Thomas Uhrfelt wrote:

> I am in the process of setting up a gateway/firewall and I need all the 
> help I can possibly get, so this description is going to be rather lengthy 
> I fear.
> 
> Today we are running a WinNT Server based network, but since we are getting 
> a "constant" connection to the Internet and we are planning to install some 
> sort of firewall I thought I should use FreeBSD instead of a Microsoft 
> solution.
> 
> Here is a brief description of the network today:
> 
> Approx 40 workstations +
> 2 NT Servers +		(192.168.1.xxx)	------------->  (192.168.1.1) Router 
> (Dynamic IP)
> 1 AS/400
> 
> 
> Here is the first step of my "planned" change:
> 
> Approx 40 workstations +
> 2 NT Servers +	(192.168.1.xxx) ----> (192.168.1.1) FreeBSD (192.168.2.2) 
> ------->  (192.168.2.1) Router (Dynamic IP)
> 1 AS/400
> 
> The reason for changing the router's IP is that I don't want to change all 
> the clients as we don't use DHCP.
> 
> I was planning to use IPFilter+IFNAT on the FreeBSD box to accomplish this 
> task. So now I need to know if there is any good beginners' documentation on 
> IPFilter + IFNAT and/or if it's possible at all to accomplish this using 
> these tools. I also want to put in rather restrictive rules on what is 
> allowed to be passed through the BSD box, so I need a pretty elaborate doc 
> on IPFilter's capabilities (easy to understand wouldn't be bad either).
> 
> Anyone care to enlighten me on this subject?
> 
> PS: The later changes will pretty much only involve a static IP on the 
> other side of the router and a hardware VPN solution (if anyone can 
> direct me to a VPN solution for FreeBSD that is good, that would also be 
> appreciated) DS.
> /
> 
> Thomas Uhrfelt				
> Datortekniker
> 
> PlymoVent AB
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

Cheers, 

Gary

-----------------------------------------------------------
Gary Gaskell
Manager Secure Network Laboratory      Phone (07) 3864 1190
Information Security Research Centre   Fax   (07) 3221 2384
Queensland University of Technology
-----------------------------------------------------------
      _--_|\
     /      QUT   A University for   http://www.qut.edu.au/
     _.--._/     the Real World.
           v
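A restrictive IPFilter + ipnat ruleset for the topology Thomas draws above (LAN 192.168.1.0/24 behind a FreeBSD box at 192.168.1.1 / 192.168.2.2, router at 192.168.2.1), added here as an illustration; it is not part of either message. The addresses come from his diagram; the interface names fxp0 (LAN side) and fxp1 (router side), the set of permitted outbound services and the NAT port range are assumptions and should be changed to fit the real box.

```ipf
# /etc/ipf.rules  -- assumed interfaces: fxp0 = LAN (192.168.1.1), fxp1 = router side (192.168.2.2)
#
# Default deny in both directions, logged.  Every rule below is "quick", so the
# first matching quick rule decides; anything not explicitly passed is dropped.
block in log all
block out log all

# Loopback is always fine.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: nothing claiming an inside or loopback source may arrive from the router side.
block in log quick on fxp1 from 192.168.1.0/24 to any
block in log quick on fxp1 from 127.0.0.0/8 to any

# LAN side: accept only our own subnet, and keep state so replies flow back out fxp0.
pass in quick on fxp0 from 192.168.1.0/24 to any keep state

# Admin access to the firewall itself, from the LAN only (assumed: ssh on 22).
pass in quick on fxp0 proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 22 flags S keep state

# Router side, outbound.  ipnat runs AFTER ipf on output, so these rules still
# see the inside (pre-NAT) source addresses.  Only new TCP connections (flags S)
# to the listed services are allowed; state entries let the replies back in.
pass out quick on fxp1 proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state
pass out quick on fxp1 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state
pass out quick on fxp1 proto tcp from 192.168.1.0/24 to any port = 25 flags S keep state
pass out quick on fxp1 proto tcp from 192.168.1.0/24 to any port = 21 flags S keep state
pass out quick on fxp1 proto tcp from 192.168.1.0/24 to any port = 53 flags S keep state
pass out quick on fxp1 proto udp from 192.168.1.0/24 to any port = 53 keep state

# No rule passes anything initiated from the router side to the LAN or to the
# firewall itself: the default "block in log all" covers it.


# /etc/ipnat.rules  -- hide the whole LAN behind the box's router-side address.
# The ftp proxy handles active-mode FTP data connections; the portmap line
# rewrites source ports into an assumed range so many inside hosts can share
# one outside address; the last line catches protocols without ports (e.g. ICMP).
map fxp1 192.168.1.0/24 -> 192.168.2.2/32 proxy port ftp ftp/tcp
map fxp1 192.168.1.0/24 -> 192.168.2.2/32 portmap tcp/udp 10000:20000
map fxp1 192.168.1.0/24 -> 192.168.2.2/32
```

Load with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`, turn on IP forwarding (net.inet.ip.forwarding), and check what is actually installed with `ipfstat -io` and `ipnat -l`; run `ipmon -s` so the logged blocks end up in syslog, which is where the mistakes in a ruleset like this show up first. Two points worth keeping in mind: for inbound packets ipnat runs before ipf, for outbound packets after it, so inbound rules on fxp1 see the translated address and outbound rules see the inside addresses as above; and, in the spirit of Gary's "choking routers" advice, the router at 192.168.2.1 should itself be told to forward only traffic sourced from 192.168.2.2, so the firewall is not the only thing standing between the LAN and the link.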
