From owner-freebsd-security Wed May 1 04:40:11 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id EAA04082 for security-outgoing; Wed, 1 May 1996 04:40:11 -0700 (PDT)
Received: from sbstark.cs.sunysb.edu (sbstark.cs.sunysb.edu [130.245.1.47]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id EAA04077 for ; Wed, 1 May 1996 04:40:05 -0700 (PDT)
Received: (from root@localhost) by sbstark.cs.sunysb.edu (8.6.12/8.6.9) with UUCP id HAA05720; Wed, 1 May 1996 07:38:58 -0400
Received: (from gene@localhost) by starkhome.cs.sunysb.edu (8.6.11/8.6.9) id HAA08293; Wed, 1 May 1996 07:34:46 -0400
Date: Wed, 1 May 1996 07:34:46 -0400
From: Gene Stark
Message-Id: <199605011134.HAA08293@starkhome.cs.sunysb.edu>
To: Paul Danckaert
Cc: security@freebsd.org
In-reply-to: Paul Danckaert's message of Tue, 30 Apr 1996 10:02:16 -0400 (EDT)
Subject: Re: FreeBSD & firewalls
References: <4m5u6d$4r3@starkhome.cs.sunysb.edu>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Also, I'm just curious and haven't looked too much into it, but has
>anybody used BSD to firewall people within a site? For example, we are
>looking at putting dorms on ethernet, but we are going to block various
>protocols, ports, etc. Has anybody used a BSD solution to this sort of
>problem? Any recommendations on software?

Yes, I am using ipfw primarily to prevent egress from a student lab. The purpose is to keep people from occupying seats in the lab while they play MUDs or IRC or use X to outside, and to keep them from setting up lots of quasi-commercial servers operating on machines within the lab. The ipfw code works more or less OK for this, but I found it a bit difficult to create the filters I wanted. Mostly, what I am doing is blocking TCP between endpoints inside and outside the lab, both ports of which are >= 1024.

The main disadvantage of this seems to be that "passive FTP", or whatever it is that happens sometimes when you follow an ftp: link from an HTTP server and get a high numbered port, is blocked.

- Gene Stark
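As an added example that is not part of Gene Stark's post or of FreeBSD, here is one way to write the policy he describes in ipfw(8) syntax, together with a small stateless re-implementation of the two deny rules so you can check which of the connections mentioned in the thread (IRC, MUDs, X to outside, FTP in both modes) the rule actually catches. The lab subnet 10.1.2.0/24, the outside-facing interface fxp0, the rule numbers, the peer address 203.0.113.10 and the sample port numbers are all assumptions; the ipfw lines are written in current ipfw(8) syntax and are printed rather than applied.

```shell
#!/bin/sh
# Added example; not code from the post or from FreeBSD.
# Assumed placeholders: the lab subnet, the outside-facing interface and
# the rule numbers.  Nothing here touches a live firewall.
LAB_NET=10.1.2.0/24      # assumed lab subnet
LAB_PREFIX=10.1.2.       # the same subnet as a string prefix, for the check below
OUT_IF=fxp0              # assumed interface towards the rest of the campus

# The policy from the post in ipfw(8) syntax: drop TCP between a lab host
# and an outside host when both the source and the destination port are
# >= 1024, in either direction; let everything else through.
lab_ruleset() {
    cat <<EOF
ipfw -f flush
ipfw add 100 deny tcp from $LAB_NET 1024-65535 to any 1024-65535 out via $OUT_IF
ipfw add 200 deny tcp from any 1024-65535 to $LAB_NET 1024-65535 in via $OUT_IF
ipfw add 65000 allow ip from any to any
EOF
}

# True when the address is inside the (assumed) lab subnet.
is_lab() {
    case "$1" in
        "$LAB_PREFIX"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Stateless re-implementation of rules 100 and 200 so the effect of the
# ruleset on one packet can be reasoned about without running ipfw.
# Usage: verdict PROTO SRC SPORT DST DPORT   -> prints "deny" or "allow"
verdict() {
    proto=$1 src=$2 sport=$3 dst=$4 dport=$5
    [ "$proto" = tcp ] || { echo allow; return 0; }
    if is_lab "$src" && ! is_lab "$dst"; then
        crosses=1
    elif ! is_lab "$src" && is_lab "$dst"; then
        crosses=1
    else
        crosses=0
    fi
    if [ "$crosses" -eq 1 ] && [ "$sport" -ge 1024 ] && [ "$dport" -ge 1024 ]; then
        echo deny
    else
        echo allow
    fi
}

# Constructed sample connections: lab host 10.1.2.5, outside host 203.0.113.10.
demo() {
    lab_ruleset
    echo
    printf '%-26s %s\n' "HTTP to outside"        "$(verdict tcp 10.1.2.5 40000 203.0.113.10 80)"
    printf '%-26s %s\n' "IRC to outside"         "$(verdict tcp 10.1.2.5 40000 203.0.113.10 6667)"
    printf '%-26s %s\n' "X display outside"      "$(verdict tcp 10.1.2.5 40000 203.0.113.10 6000)"
    printf '%-26s %s\n' "outside -> lab MUD srv" "$(verdict tcp 203.0.113.10 50000 10.1.2.5 4000)"
    printf '%-26s %s\n' "active FTP data"        "$(verdict tcp 203.0.113.10 20 10.1.2.5 40001)"
    printf '%-26s %s\n' "passive FTP data"       "$(verdict tcp 10.1.2.5 40001 203.0.113.10 51234)"
    printf '%-26s %s\n' "lab to lab"             "$(verdict tcp 10.1.2.5 40000 10.1.2.6 4000)"
}

if [ "$#" -gt 0 ] && [ "$1" = demo ]; then
    demo
fi
```

Run it as `sh lab-filter.sh demo` to print the ruleset and the verdicts. The passive-FTP line is the disadvantage the post mentions: after PASV both ends of the data connection sit on ephemeral ports, so the lab client's connection to the server's high port is denied, whereas active-mode data arriving from server port 20 passes. The rules are stateless, so rule 200 also drops the return half of any lab-originated high-to-high connection; that is the intended effect here, but it means the ruleset cannot be relaxed for one application simply by allowing the outbound SYN.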