From owner-freebsd-newbies Thu Sep 9 0:34:35 1999
Delivered-To: freebsd-newbies@freebsd.org
Received: from guppy.pond.net (guppy.pond.net [205.240.25.2]) by hub.freebsd.org (Postfix) with ESMTP id 615AD150BD for ; Thu, 9 Sep 1999 00:34:16 -0700 (PDT) (envelope-from dmp@aracnet.com)
Received: from aracnet.com (snapuser2-89.pacificcrest.net [216.36.34.89]) by guppy.pond.net (8.9.3/8.9.3) with ESMTP id AAA18214; Thu, 9 Sep 1999 00:30:27 -0700 (PDT)
From: dmp@aracnet.com
Message-ID: <37D762BC.322BD487@aracnet.com>
Date: Thu, 09 Sep 1999 00:33:16 -0700
X-Mailer: Mozilla 4.6 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Michael Rothenberg
Cc: freebsd-newbies@FreeBSD.ORG
Subject: Firewalls [Was: Re: HW requirements]
References: <3.0.3.32.19990907141928.010f27c8@slider>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-newbies@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

My apologies for the delay in replying.

Michael Rothenberg wrote:
> At 03:17 PM 9/3/99 -0700, dmp@aracnet.com wrote:
> >Yes, for a normal workstation. But Michael's building a gateway.
> >NAT, xntpd, ipfw/ipfilter, and DNS don't need much. The only
> >hardware capacity issue you really have to concern yourself with is
> >having sufficient network hardware and processing power to handle a
> >saturated internet link. Other than that, a few steps to fix
> >potential security problems and DoS vulnerabilities and you're good
> >to go.
> >
>
> Now what kind of DoS (Not MS DOS right *cringe*) vulnerabilities would
> those be? Potential security problems?

DoS = Denial of Service. It's an umbrella term for attacks that prevent
the normal operation of a service or computer, usually by overloading or
crashing the server daemon or operating system of the target.

Almost all of the vulnerabilities you'll face are those from people
coming at you over the internet. Run only what you absolutely need to
run on the firewall. Firewall: deny everything. Explicitly allow what
you need to let in. There are hundreds of things you can do to tighten
security. It all depends on how paranoid you are. :)

> Though if a
> win 95 machine on the subnet wants to FTP a file does that mean I have to
> be running FTP services on the gateway BSD box? Or does it just happily
> transfer the packets along?

You have to make special considerations for FTP connections because of
how they work, but a properly configured gateway will pass the packets
without problems.

> Though, would it be bad form to also put say.. apache on the same machine?

For security purposes, it's not a good idea to run any server daemons on
the same firewall box that protects your workstations, but you can do it.

> Now it will just be myself and my fiance on the subnet. I don't think we
> could saturate the link except for the occasional mass web page updating
> she or I might do. After that it's just going to be surfing.

How fast is your internet link?

I think if this thread is to remain listed, it should be moved to
-questions, unless Sue has no objections to it remaining here.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-newbies" in the body of the message