From owner-freebsd-questions Wed Jul 2 01:36:22 1997
Message-ID: <33BA129B.1826@barcode.co.il>
Date: Wed, 02 Jul 1997 11:34:35 +0300
From: Nadav Eiron
To: greg baxter
CC: freebsd-questions@FreeBSD.ORG
Subject: Re: firewalls...
References: <3.0.1.32.19970701221152.007dab40@microa.com>

greg baxter wrote:
>
> we want to firewall our local net using freebsd 2.2.
>
> a little confused, we put two nics in one bsd machine,
> each with its own different network (not just diff host).
>
> the idea is, we need it to:
>
> hit our inet router, a t1 interface when called to do so
> by any local machine. this is on net 'a'. i suppose this
> is the only host that will be on net 'a' other than the
> nic in the bsd box. right?
>
> route ip data for us, with appropriate filtering via ipfw.
> from net 'b' to net 'a' (net 'a' is the internet side of
> things).
>
> do we need to configure this machine as a 'gateway' as
> defined in rc.conf? turn on 'routing' in same rc file?
>
> right now, our default gateway is just the t1 router (ascend
> pipeline) and all works well, but the ascend is on the same
> net as everything else.
>
> have read the o'reilly book, and at least *believe* i'm on the
> right track.

Which O'Reilly book? Get a book on firewalls and security if you want to
read on the subject (for example, Addison Wesley has: Firewalls and
Internet Security - Repelling the Wily Hacker, by Cheswick and Bellovin).

>
> any help you guys can toss my way is really gonna be
> very much appreciated, i'd like to get this thing up and
> going soon.
>
> thanks in advance -- greg

Basically, you're on the right track. Whether this machine will actually
be a gateway depends on what type of firewall you want. For a packet
filtering firewall (one whose main weapon is ipfw and friends), you'll
need it set to YES.

For routing, running a routing daemon on a firewall is generally
considered bad practice. You don't run something on a firewall unless
you have to, so in a simple configuration like yours, I'd use static
routing.

Nadav
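What the reply's advice looks like in practice (gateway on, no routing daemon, a static default route, and a default-deny ipfw rule set between the two NICs), as an added example that is not part of the thread and not FreeBSD's own rc.firewall. Interface names ed0/ed1, the 192.0.2.0/24 and 203.0.113.1 addresses, and running the rule script from /etc/rc.local are all assumptions; no addresses appear in the original messages.

```shell
#!/bin/sh
# Two-NIC FreeBSD 2.2 packet-filtering gateway with static routing.
# Interface names and addresses are constructed placeholders (none are
# given in the thread). Set IPFW=echo to dry-run the rule set without root.
OUTSIDE_IF=${OUTSIDE_IF:-ed0}              # NIC on net 'a', toward the Ascend
INSIDE_IF=${INSIDE_IF:-ed1}                # NIC on net 'b', the local LAN
INSIDE_NET=${INSIDE_NET:-192.0.2.0/24}     # net 'b' (TEST-NET-1 placeholder)
IPFW=${IPFW:-/sbin/ipfw}

# rc.conf lines the reply calls for: forward packets between the NICs,
# but no routing daemon; the only route needed is the static default.
rc_conf_settings() {
    cat <<'EOF'
gateway_enable="YES"         # forward IP between the two NICs
router_enable="NO"           # no routed/gated on a firewall: static routes
defaultrouter="203.0.113.1"  # the Ascend on net 'a' (placeholder address)
EOF
}

# Default-deny rule set; assumed to run once at boot (e.g. from /etc/rc.local).
# Hosts on net 'b' point their default route at this box's inside NIC.
fw_rules() {
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 deny ip from 127.0.0.0/8 to any
    # Anti-spoofing: inside addresses never arrive on the outside NIC.
    $IPFW add 300 deny log ip from $INSIDE_NET to any in via $OUTSIDE_IF
    # Segments of connections already set up (ACK set, SYN clear).
    $IPFW add 400 allow tcp from any to any established
    # Inside hosts may open TCP connections outward.
    $IPFW add 500 allow tcp from $INSIDE_NET to any setup
    # Attempts to open TCP from the outside are logged and refused.
    $IPFW add 600 deny log tcp from any to $INSIDE_NET setup in via $OUTSIDE_IF
    # DNS queries from inside hosts and the matching replies.
    $IPFW add 700 allow udp from $INSIDE_NET to any 53
    $IPFW add 710 allow udp from any 53 to $INSIDE_NET
    # Everything else is logged and dropped.
    $IPFW add 65000 deny log ip from any to any
}
```

The rule set is stateless (FreeBSD 2.2 has no keep-state), so the anti-spoofing rule at 300 is what keeps the `established` rule at 400 from being abused with forged inside source addresses; traffic originated by the firewall host itself is not allowed, in keeping with the advice to run nothing on it that is not required.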