Date: Wed, 25 Oct 2000 20:37:59 +0200
From: "James Wilde" <james.wilde@telia.com>
To: Pär Thoren <t98pth@student.hk-r.se>, <freebsd-security@FreeBSD.ORG>
Subject: RE: Firewall
Message-ID: <000601c03eb2$b2f67150$8208a8c0@iqunlimited.net>
In-Reply-To: <Pine.GSO.4.21.0010251834490.20165-100000@orc.rby.hk-r.se>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Pär Thoren
> Sent: Wednesday, October 25, 2000 18:57
> To: freebsd-security@FreeBSD.ORG
> Subject: Firewall
>
> Hi!
>
> I want to protect a network with a firewall. The network is
> xx.xx.xx.0 and has a gateway at xx.xx.xx.1
> dns servers are xx.xx.xx.2 and xx.xx.xx.3
>
> How can I protect the network with a fbsd firewall? Do I use
> bridge/firewall or do I set fbsd as a router/firewall "behind" the gateway
> xx.xx.xx.1 ?

Hi Pär:

Why would you want to expose your gateway to the BBI? In the first place it has an intimate relationship with the hosts on your network, .2-.255, so a compromised gateway is halfway to a compromised network. In the second place, in the diagram you have drawn, it is not even on the same network. Your gateway could not have the number .1 and still be accessible from the network, since there is no direct route from, say, .2 to .1.

From what I have been able to learn - others may come in and correct me - your diagram could look something like this:

        Big Bad Internet
              |
           ___|__
          | fbsd |
          | fw/gw|
          |______|
              |
              |
         _____|_____
        |           |  Network including the dns servers
        |  .2-.255  |
        |___________|

An even better alternative might be:

        Big Bad Internet
              |        R---------- smtp, public DNS
           ___|___
          | fbsd  |
          | fw/gw |
          |_______|
              |
              |---[DMZ]------- Internet Service Lan (mail, www, etc)
           ___|___
          | fbsd  |
          | fw/gw |
          |___.1__|
              |
         _____|_____
        |           |  Network including the dns servers
        |  .2-.255  |
        |___________|

Some people, with tight budgets, hang the IS Lan directly off a third NIC in the outer firewall and scrap the inner firewall.

Some suggestions:

Seal your smtp/DNS servers with, say, IP-Filter configured for minimal services (25, 53, maybe 22 and ntp) and switch off pretty well all daemons.
Seal your outer firewall the same way, although you will need to let in more services, at least to the IS Lan.

Decide where your .2-.255 network will go for its external contacts - to a proxy on the inner firewall, to the IS Lan, or direct to the BBI - and configure the IP-Filter in the inner wall in accordance with that.

If you want me to take this in Swedish off-line, say the word.

Regards,
James
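As an added example (not part of James's message or of the FreeBSD project), the following is an IP-Filter ruleset of the kind the "seal your smtp/DNS servers" suggestion calls for: a public mail/DNS host that accepts only SMTP and DNS from anywhere, SSH from one admin range, and NTP to one configured server, with everything else blocked and logged. The interface name fxp0, the host address 192.0.2.10, the admin range 198.51.100.0/28 and the NTP server 198.51.100.1 are assumed placeholders (RFC 5737 documentation addresses) and must be replaced with real values; the same pattern, with more services passed, applies to the outer firewall.

```ipf
# /etc/ipf.conf for a bastion smtp/public-DNS host (example, assumed addresses)
# Interface fxp0, host 192.0.2.10, admin net 198.51.100.0/28, NTP server 198.51.100.1

# Default policy: drop and log everything not explicitly passed below.
# Pass rules use "quick" so the first matching pass wins over these.
block in log all
block out log all

# Loopback traffic is trusted (local resolver, MTA queue runner, etc.)
pass in  quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: nothing arriving from the outside may claim to be us
# or to come from RFC 1918 space.
block in quick on fxp0 from 192.0.2.10/32   to any
block in quick on fxp0 from 10.0.0.0/8      to any
block in quick on fxp0 from 172.16.0.0/12   to any
block in quick on fxp0 from 192.168.0.0/16  to any

# Services offered to the world: SMTP, and DNS over both UDP and TCP
# (TCP is needed for zone transfers and answers larger than 512 bytes).
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 25 flags S keep state
pass in quick on fxp0 proto udp from any to 192.0.2.10 port = 53 keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 53 flags S keep state

# Administration: SSH only from the assumed admin network
pass in quick on fxp0 proto tcp from 198.51.100.0/28 to 192.0.2.10 port = 22 flags S keep state

# Time: NTP only to one assumed upstream server; "keep state" lets the reply in
pass out quick on fxp0 proto udp from 192.0.2.10 to 198.51.100.1 port = 123 keep state

# Outbound traffic the host itself generates: delivering mail and
# resolving/forwarding DNS. State entries let the replies back in.
pass out quick on fxp0 proto tcp from 192.0.2.10 to any port = 25 flags S keep state
pass out quick on fxp0 proto udp from 192.0.2.10 to any port = 53 keep state
pass out quick on fxp0 proto tcp from 192.0.2.10 to any port = 53 flags S keep state

# ICMP: accept only "fragmentation needed" so path MTU discovery keeps
# working for the long-lived SMTP and zone-transfer connections.
pass in quick on fxp0 proto icmp from any to 192.0.2.10 icmp-type 3 code 4
```

Load it with `ipf -Fa -f /etc/ipf.conf` and inspect the active rules with `ipfstat -nio`. Because the host is a bastion and not a router, IP forwarding should stay off (`sysctl net.inet.ip.forwarding=0`); and since the ruleset only protects ports, the "switch off pretty well all daemons" half of the advice still has to be done by hand, checked by listing what is actually listening (for example with `sockstat -4l`) after the unneeded services have been removed from inetd.conf and rc.conf.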