From owner-freebsd-ipfw Fri Jun 8 15:42:39 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from gscamnlm03.wr.usgs.gov (gscamnlm03.wr.usgs.gov [130.118.4.113]) by hub.freebsd.org (Postfix) with ESMTP id C8CFD37B401; Fri, 8 Jun 2001 15:42:35 -0700 (PDT) (envelope-from rsowders@usgs.gov)
Cc: freebsd-ipfw@FreeBSD.ORG, owner-freebsd-ipfw@FreeBSD.ORG
Subject: Re: A epiphany of sorts
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 5.0.7 March 21, 2001
From: "Robert L Sowders"
Date: Fri, 8 Jun 2001 15:42:31 -0700
X-MIMETrack: Serialize by Router on gscamnlm03/SERVER/USGS/DOI(Release 5.0.7 |March 21, 2001) at 06/08/2001 03:42:34 PM, Serialize complete at 06/08/2001 03:42:34 PM
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

You might be able to simplify your rules by setting up a VPN tunnel with IPSec. Here is a simple step by step.

http://www.freeBSDdiary.org/ipsec-tunnel.php


"Carlos Andrade"
Sent by: owner-freebsd-ipfw@FreeBSD.ORG
06/08/2001 10:21 AM
Please respond to carlos

Subject: A epiphany of sorts

I have been working on our company's firewall for some time and I have been helped quite a bit by the wonderful people on this list. I had an epiphany of sorts today. Due to the way our office is networked to our other sales offices, I want to redo our firewall rules.

(background)

our_network : will be put behind the firewall; natd will be running, so I may have to have nat rules somewhere for directing requests to the correct machine.
midland_office : a sales office behind a DSL router; machines are dhcp'ing to the net.
abilene_office : a sales office behind a DSL router; machines are dhcp'ing to the net.

(theoretical rule set)

allow everything from our_network out
allow everything? from our midland_office in
allow everything? from our abilene_office in
pass tcp from any to our outside_interface 80 setup (access web servers)
and then our thin client (which we use to connect to an app server from the offices and sometimes from the road):
  TCP/IP port 1494 (inbound)
  UDP port 1604 (inbound and outbound)
  Outbound ports 1023 and above for both TCP/IP & UDP
deny the rest

(commentary)

We have no mail or dns servers; all that is done by our ISP. So there is very little traffic wanting to come into our network, so I can let those things in. I hope that I can just allow in the IPs of the DSL routers, since the machines behind them pass through them over DHCP, or am I loony and need to read up more on DHCP?

Yes, I know I must have a huge measure of trust to allow everything from our offices. I do. I am just trying to add to the layers of security by dictating exactly where people can access us from and by how.

thanks in advance,
Carlos Andrade

----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13
915.845.2119 fax
carlos@rjstech.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message