From owner-freebsd-security Tue Apr 13 23:31:33 1999
Date: Wed, 14 Apr 1999 16:28:59 +1000 (EST)
From: Gary Gaskell <gaskell@isrc.qut.edu.au>
To: Thomas Uhrfelt
Cc: "'freebsd-security@freebsd.org'"
Subject: Re: IPFilter?
In-Reply-To: <01BE864B.F30FCA00.thomas.uhrfelt@plymovent.se>

Thomas,

1. I recommend buying some books and reading some web pages by gurus (not by some of the vendors!). O'Reilly have some good books. Try Building Internet Firewalls by Chapman and Zwicky, or a book by Bellovin and Cheswick (I don't recall the publisher just now).

2. Yes, don't go for any OS with a history of continuing weaknesses. And preferably add in some defence in depth, by using choke routers externally and internally.

Good luck (but really there is no luck - just use a good scientific approach).

Cheers,
Gary

On Wed, 14 Apr 1999, Thomas Uhrfelt wrote:

> I am in the process of setting up a gateway/firewall and I need all the
> help I can possibly get, so this description is going to be rather lengthy
> I fear.
>
> Today we are running a WinNT Server based network, but since we are getting
> a "constant" connection to the Internet and we are planning to install some
> sort of firewall I thought I should use FreeBSD instead of a Microsoft
> solution.
>
> Here is a brief description of the network today:
>
> Approx 40 workstations +
> 2 NT Servers +        (192.168.1.xxx) -------------> (192.168.1.1) Router
>                                                                    (Dynamic IP)
> 1 AS/400
>
>
> Here is the first step of my "planned" change:
>
> Approx 40 workstations +
> 2 NT Servers +        (192.168.1.xxx) ----> (192.168.1.1) FreeBSD (192.168.2.2)
>                                             -------> (192.168.2.1) Router (Dynamic IP)
> 1 AS/400
>
> The reason for changing the router's IP is that I don't want to change all
> the clients as we don't use DHCP.
>
> I was planning to use IPFilter+IPNAT on the FreeBSD box to accomplish this
> task. So now I need to know if there is any good beginners' documentation on
> IPFilter + IPNAT and/or if it's possible at all to accomplish this using
> these tools. I also want to put in rather restrictive rules on what is
> allowed to be passed through the BSD box, so I need a pretty elaborate doc
> on IPFilter's capabilities (easy to understand wouldn't be bad either).
>
> Anyone care to enlighten me on this subject?
>
> PS: The later changes will pretty much only involve a static IP on the
> other side of the router and a hardware VPN solution (if anyone can
> direct me to a VPN solution for FreeBSD that is good, that would also be
> appreciated) DS.
>
> /
>
> Thomas Uhrfelt
> Computer Technician
>
> PlymoVent AB
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

Cheers,
Gary
-----------------------------------------------------------
Gary Gaskell                                Phone (07) 3864 1190
Manager Secure Network Laboratory           Fax   (07) 3221 2384
Information Security Research Centre
Queensland University of Technology
-----------------------------------------------------------
 _--_|\          QUT         A University for
/      \    http://www.qut.edu.au/
\_.--._/    the Real World.
      v
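As an added example that is not part of this thread (it is neither Gary's nor Thomas's text), here is one way the topology Thomas describes can be expressed as IPNAT and IPFilter rule files. The addresses come from his diagram; the interface names xl0 (inside, 192.168.1.1) and xl1 (outside, 192.168.2.2), the list of permitted outbound services and the port range are assumptions chosen for illustration. The rc.conf knobs mentioned in the comments are those of FreeBSD releases that ship IPFilter in the base system; on a 1999-era box built from the port the two load commands at the bottom do the same job by hand.

```conf
# /etc/ipnat.rules -- hide the LAN behind the gateway's outside address.
# xl0 = inside (192.168.1.1), xl1 = outside (192.168.2.2): assumed names.
# Because everything leaves xl1 as 192.168.2.2, the router at 192.168.2.1
# needs no static route back to 192.168.1.0/24 and may keep doing its
# own NAT on the dynamic address (the LAN is then NATed twice).
map xl1 192.168.1.0/24 -> 192.168.2.2/32 portmap tcp/udp 10000:60000
map xl1 192.168.1.0/24 -> 192.168.2.2/32

# /etc/ipf.rules -- default deny, stateful, restrictive outbound policy.
# ipf applies NAT after outbound filtering and before inbound filtering,
# so these rules always see the untranslated 192.168.1.x addresses.
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: inside or loopback source addresses must never arrive
# from the router side, and only the LAN prefix may arrive on xl0.
block in log quick on xl1 from 192.168.1.0/24 to any
block in log quick on xl1 from 127.0.0.0/8 to any
block in log quick on xl0 from !192.168.1.0/24 to any

# Inside interface: accept LAN traffic (policy is enforced on xl1 below)
# and deliver replies back to the LAN.
pass in quick on xl0 from 192.168.1.0/24 to any
pass out quick on xl0 from any to 192.168.1.0/24

# Outside interface: only these services may be initiated from the LAN
# (assumed policy: web, mail, DNS, ping). 'flags S' matches only the SYN
# of a new connection; 'keep state' admits the replies to it.
pass out quick on xl1 proto tcp from 192.168.1.0/24 to any port = 80  flags S keep state
pass out quick on xl1 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state
pass out quick on xl1 proto tcp from 192.168.1.0/24 to any port = 25  flags S keep state
pass out quick on xl1 proto udp from 192.168.1.0/24 to any port = 53  keep state
pass out quick on xl1 proto icmp from 192.168.1.0/24 to any icmp-type echo keep state
# The gateway's own name lookups.
pass out quick on xl1 proto udp from 192.168.2.2 to any port = 53 keep state

# Nothing unsolicited from the outside; replies matched a state entry
# above before this rule is ever reached.
block in log quick on xl1 all

# Loading (rc.conf: gateway_enable, ipfilter_enable, ipfilter_rules,
# ipnat_enable, ipnat_rules), or by hand:
#   sysctl -w net.inet.ip.forwarding=1
#   ipnat -CF -f /etc/ipnat.rules
#   ipf -Fa -f /etc/ipf.rules
#   ipmon -Ds        # send the 'log' hits to syslog
```

Two checks worth doing before trusting it: from a LAN host, open a connection to a port that is not in the list and confirm it appears in the ipmon log rather than succeeding, and from the router side try a packet with a 192.168.1.x source and confirm the anti-spoofing rule logs it. Note that the `pass in quick on xl0` rule also admits LAN traffic to the gateway itself, so management access to 192.168.1.1 should be narrowed to the hosts and services actually needed.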