Date:      Tue, 18 Jan 2000 03:38:45 -0500 (EST)
From:      Mike Nowlin <mike@argos.org>
To:        Mark Holloway <mholloway@flashmail.com>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Is IPFW Static or Dynamic?
Message-ID:  <Pine.LNX.4.05.10001180324170.354-100000@jason.argos.org>
In-Reply-To: <001e01bf5eae$95cc2e10$942510ac@sierrahealth.com>


> At work we have a T1 to the net and a PIX firewall.  It works great for
> Layer 3 protection, but we have another T1 link coming in and before I
> propose another $18,000 solution [which is high in price for what it does],
> I want to investigate what FreeBSD + IPFW can do for me.  It has nothing to
> do with being a "free" solution, rather, it has everything to do with how
> solid and robust the TCP/IP stack is.

In my opinion, the FreeBSD IP stack is about as solid and robust as you
can get...  There have been several times when I've tried to do a
particular job with Linux or some other OS, and FreeBSD has come out to be
the best solution in terms of both speed and reliability.

> The intended goal:  To set up a firewall with two NIC cards.  One for the
> Internet, one for the private network.  There are 12 private subnets inside
> our network, and a 3Com Netbuilder II Router will forward all "unknown"
> packets from the inside of our network to the internal interface of the
> FreeBSD box.  There will not be a DMZ (yet), but maybe in the future.  We
> have clients from the outside who will connect to the inside of our network
> using Microsoft PPTP/VPN.  We also have to allow inbound connections for
> SMTP, FTP (which will eventually go to the DMZ), and some custom port
> configurations for Citrix clients from home (currently these are configured
> at ports 1400-1405, so they are out of the standard range).  From the inside
> of our network going outbound, we have to allow Telnet on ports 3000-3006.
> One thing that's interesting about the PIX is that I had to set up routes
> for the other subnets.  For example, the PIX lives on 172.16.10.xxx/16.  We
> have clients on routed segments (inside our network, from the Netbuilder II)
> on 192.168.xxx.xxx/24 - and there are approximately 10 class C networks
> there.  So on the PIX I had to configure "route inside 192.168.20.1
> 255.255.255.0 172.16.1.1"  -  172.16.1.1=Netbuilder II.  So when packets
> originate from 192.16.20.1, the Netbuilder forwards them to the PIX (because
> the IP for FreeBSD.org doesn't exist inside our network, so the "destination
> of last resort" is the IP of the PIX which forwards to the Internet) - but
> then the PIX has to know when packets come back, where does it forward to?
> Well, the answer is 172.16.1.1 which knows how to reach 192.168.20.1.

As for the routing end of it, no problem.  A fairly simple combination of
IPFW and NATD will handle all of your internal issues, and some basic IPFW
rules take care of the outside end of it.  

Not to question your brainpower, but you mentioned "172.16.10.xxx/16" and
"192.168.xxx.xxx/24" - these seem incorrect in regards to IP
block/netmask... ???   Fast fingers?

> Does this make sense?  Is it doable with FreeBSD and IPFW?  Does anyone here
> know what the benefits of IPFW are versus PIX?  PIX is pretty much a layer 3
> only Firewall with some extended features, but not much.  I can use
> encryption, but I can't share certificates like I can with Firewall-1.  What
> does FreeBSD offer for encryption using a VPN?  Does FreeBSD support IPSec?


I haven't had a reason to play around with IPsec yet, but (if memory's
working right now), I think there's some ports that may support it.  I
believe there's also a couple that allow PPTP from Windoze machines as
well.  

> I would greatly appreciate ANY feedback from this list...I'm not subscribed,
> so please "reply to all" so I get a CC:.  Thanks!

Subscribe to it -- it's worth it... :)

mike
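Added example, written for this archive page and not part of Mike's message, of FreeBSD, or of any vendor code: the "IPFW and NATD" combination Mike points at, spelled out for the two-NIC gateway Mark describes (12 inside subnets behind a Netbuilder II, inbound SMTP/FTP/Citrix 1400-1405 and PPTP, outbound Telnet on 3000-3006). Every interface name and address in it is an assumption (fxp0/fxp1, 203.0.113.2 standing in for the T1 address, 172.16.10.x hosts for the inside servers, three of the 192.168.x.0/24 segments). It uses only stateless ipfw matching (`setup`/`established`), which is the "static" side of the question in the subject line, and by default it only prints the commands it would run, so it can be reviewed on any host.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original message or
# from FreeBSD itself.  Stateless ipfw ruleset + natd + static routes for the
# two-NIC gateway Mark describes.  Every name and address below is assumed:
#   fxp0 / 203.0.113.2   outside NIC (documentation range, standing in for the T1)
#   fxp1 / 172.16.10.1   inside NIC, the Netbuilder's "destination of last resort"
#   172.16.1.1           3Com Netbuilder II, which knows the 192.168.x.0/24 segments
#   172.16.10.25         inside SMTP/FTP host
#   172.16.10.30         inside PPTP (Microsoft VPN) server
#   172.16.10.40         inside Citrix server, listening on 1400-1405
# With the defaults below the script only prints what it would run, so it can be
# reviewed on any host; set IPFW=ipfw NATD=natd ROUTE=route to apply it.

OIF=fxp0;  OIP=203.0.113.2
IIF=fxp1;  INET=172.16.0.0/16
NETBUILDER=172.16.1.1
MAILHOST=172.16.10.25
PPTP=172.16.10.30
CITRIX=172.16.10.40
NATD_PORT=8668                      # natd's default divert port
INSIDE_NETS="192.168.20.0/24 192.168.21.0/24 192.168.22.0/24"   # extend to all ~10

IPFW=${IPFW:-"echo ipfw"}
NATD=${NATD:-"echo natd"}
ROUTE=${ROUTE:-"echo route"}

# Same job as "route inside ..." on the PIX: replies come back to the gateway,
# which must know that 192.168.x.0/24 is reached through the Netbuilder.
add_inside_routes() {
    for net in $INSIDE_NETS; do
        $ROUTE add -net $net $NETBUILDER
    done
}

# natd masquerades everything behind OIP and maps the public services back in.
# GRE carries no ports, so -redirect_port cannot map it; whether your natd
# release can translate PPTP's GRE at all is a natd(8) question, not an ipfw one.
start_natd() {
    redir="-redirect_port tcp $MAILHOST:25 25 -redirect_port tcp $MAILHOST:21 21"
    redir="$redir -redirect_port tcp $PPTP:1723 1723"
    for p in 1400 1401 1402 1403 1404 1405; do
        redir="$redir -redirect_port tcp $CITRIX:$p $p"
    done
    $NATD -n $OIF $redir
}

build_ruleset() {
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from any to 127.0.0.0/8
    # Anti-spoofing: private address space never legitimately arrives from the T1.
    $IPFW add 200 deny ip from 10.0.0.0/8 to any in via $OIF
    $IPFW add 201 deny ip from 172.16.0.0/12 to any in via $OIF
    $IPFW add 202 deny ip from 192.168.0.0/16 to any in via $OIF
    # Translate on the outside interface; rules after this see inside addresses
    # on inbound packets and OIP as the source of outbound ones.
    $IPFW add 300 divert $NATD_PORT ip from any to any via $OIF
    # Static filtering: "established" passes any TCP segment with ACK or RST set,
    # including an attacker's ACK probes.  Stateful keep-state/check-state rules
    # in later ipfw releases are what close that hole.
    $IPFW add 400 allow tcp from any to any established
    # Inside interface: accept only our own address space from the Netbuilder.
    $IPFW add 500 allow ip from $INET to any in via $IIF
    $IPFW add 501 allow ip from 192.168.0.0/16 to any in via $IIF
    $IPFW add 502 allow ip from any to any out via $IIF
    $IPFW add 510 deny log ip from any to any in via $IIF
    # Outbound from the inside, already NATed: web, FTP, mail, the Telnet
    # servers on 3000-3006 that Mark mentions, DNS, and a few ICMP types.
    $IPFW add 600 allow tcp from $OIP to any 21,25,80,443 setup out via $OIF
    $IPFW add 601 allow tcp from $OIP to any 3000-3006 setup out via $OIF
    $IPFW add 602 allow udp from $OIP to any 53 out via $OIF
    $IPFW add 603 allow udp from any 53 to any in via $OIF   # stateless: any UDP from source port 53 gets in
    $IPFW add 610 allow icmp from any to any icmptypes 0,3,8,11 via $OIF
    # Inbound services (destination already rewritten by natd).
    $IPFW add 700 allow tcp from any to $MAILHOST 21,25 setup in via $OIF
    $IPFW add 701 allow tcp from any to $CITRIX 1400-1405 setup in via $OIF
    $IPFW add 702 allow tcp from any to $PPTP 1723 setup in via $OIF
    $IPFW add 703 allow gre from any to $PPTP in via $OIF
    $IPFW add 704 allow gre from any to any out via $OIF
    $IPFW add 65000 deny log ip from any to any
}

add_inside_routes
start_natd      # natd must be listening before the divert rule exists, or diverted packets are dropped
build_ruleset
```

The kernel needs IPFIREWALL and IPDIVERT (and IPFIREWALL_VERBOSE for the `log` rules) compiled in, with IP forwarding turned on, before any of this does anything. Two consequences of the stateless design are worth checking against Mark's requirements: the `established` and "source port 53" rules are the holes a stateful ruleset would close, and active-mode FTP from inside clients would need an extra inbound hole from source port 20, so passive mode is the easier choice behind this gateway.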