From: Polytropon <freebsd@edvax.de>
To: Arturo Rafael Ramírez Briceño
Cc: questions@FreeBSD.org
Date: Mon, 20 Aug 2018 10:44:18 +0200
Subject: Re: I beg your response ... / Ruego su respuesta...
Message-Id: <20180820104418.20cd6909.freebsd@edvax.de>
In-Reply-To: (not preserved)
References: <20180819205328.eb81c27b.freebsd@edvax.de>

Re-including list, hope that's okay.
On Sun, 19 Aug 2018 20:49:19 +0000, Arturo Rafael Ramírez Briceño wrote:
> In the context of "preventing the nodes of the same lan from being
> seen" is to say that files, printers, and other resources can not
> be shared on the network; but nevertheless, through the server, each
> node can access the internet. If possible, how can I do it?

This doesn't really look like a task for a firewall, but instead I'd suggest to take a close look at resource management at the individual nodes. Simply don't enable the sharing ability for resources (like file access or printer access): If a node doesn't allow access to its files and printer, no other node can access it. On FreeBSD, the system default settings do not offer any resource access, so if your nodes are FreeBSD computers, there is nothing you need to do.

Access to the Internet through a server is easy. FreeBSD's IPFW firewall for example can be used here, in combination with NAT - which, by the way, is a quite typical setting. Additionally, such servers often add a 3rd thing to the mix: a DHCP server (for example isc-dhcpd). The advantage here is that all configuration can be done in "O(1) manner" on the server, like DHCP configuration, fixed or dynamically allocated addresses, Internet access permissions per node, if desired, or central resource sharing, like one printer that everyone can use. This approach is superior to the common "O(n) manner" where the amount of work is equivalent to the number of nodes in the network - more computers, more work.
The information to implement the firewall-side for such a setting can be found in the FreeBSD Handbook:

https://www.freebsd.org/doc/handbook/firewalls-ipfw.html

There is more interesting information in this forum thread:

https://forums.freebsd.org/threads/about-ipfw-nat.62177/

Instead of stupid copypasta, it really helps to make a short list (with pen and paper) where you draw and describe your desired network layout, permissions to access the Internet, and resource sharing. From this point, create your configuration settings (for rc.conf, ipfw.rules, and if desired, for dhcpd.conf).

Always remember that a firewall (and servers in general, but node PCs as well) belong to the realm of thinking about security. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
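The reply names three files for such a gateway (rc.conf, ipfw.rules, dhcpd.conf) but leaves writing them to the reader. The script below is an added example, not part of the original message and not FreeBSD project code: it generates a starting version of all three for a two-interface FreeBSD box running IPFW with in-kernel NAT and isc-dhcpd. The interface names (em0 on the WAN side, em1 on the LAN side), the 192.168.1.0/24 network, the gateway address and the printer's MAC address are assumptions; the ruleset also assumes the LAN is a /24. The ruleset is default-deny and stateful, and it shows the "Internet access permissions per node" point from the reply as an ipfw table: a node added to the table keeps LAN access but gets no Internet, and that decision lives in one place on the server rather than on each node.

```shell
#!/bin/sh
# Added example (not from the original message). Generates rc.conf lines,
# /etc/ipfw.rules and dhcpd.conf for a FreeBSD IPFW NAT gateway with DHCP.
# Interface names, addresses and the printer MAC are assumptions for a /24 LAN.
# Usage: gen_gateway_config OUTDIR WAN_IF LAN_IF LAN_NET/24 GATEWAY_IP
gen_gateway_config() {
    dir=$1 wan=$2 lan=$3 lannet=$4 gw=$5
    mkdir -p "$dir"

    # rc.conf fragment: enable IP forwarding, ipfw with our own rule script and
    # dhcpd on the LAN interface. firewall_nat_enable makes rc.d/ipfw load the
    # ipfw_nat module; the NAT instance itself is configured in the script.
    cat > "$dir/rc.conf.fragment" <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_nat_enable="YES"
firewall_logging="YES"
dhcpd_enable="YES"
dhcpd_ifaces="$lan"
EOF

    # ipfw.rules: default-deny, stateful, in-kernel NAT. The quoted heredoc
    # keeps $cmd/$wan/$lan literal so they are expanded on the gateway itself.
    {
        printf '#!/bin/sh\ncmd="ipfw -q"\nwan="%s"\nlan="%s"\nlannet="%s"\n' \
            "$wan" "$lan" "$lannet"
        cat <<'EOF'
# one_pass=0: a packet keeps traversing the ruleset after a nat rule, so the
# check-state and deny rules below see de-translated inbound traffic.
sysctl net.inet.ip.fw.one_pass=0
$cmd -f flush
$cmd table noinet create type addr 2>/dev/null   # LAN hosts denied Internet
$cmd nat 1 config if $wan same_ports unreg_only reset

$cmd add 100 allow ip from any to any via lo0
$cmd add 110 deny ip from any to 127.0.0.0/8
$cmd add 120 deny ip from 127.0.0.0/8 to any
$cmd add 130 deny log ip from $lannet to any in recv $wan   # spoofed LAN source

$cmd add 200 nat 1 ip from any to any in recv $wan          # un-NAT inbound first
$cmd add 300 check-state

# Per-node policy: members of the table reach the LAN and the gateway, not the
# Internet. Add a node with: ipfw table noinet add 192.168.1.50
$cmd add 400 deny log ip from 'table(noinet)' to any out xmit $wan
$cmd add 410 skipto 1000 ip from any to any out xmit $wan keep-state

$cmd add 500 deny log ip from any to any in recv $wan       # unsolicited inbound
$cmd add 600 allow ip from any to any via $lan              # LAN <-> gateway (DHCP etc.)

$cmd add 1000 nat 1 ip from any to any out xmit $wan
$cmd add 1010 allow ip from any to any
$cmd add 65000 deny log ip from any to any
EOF
    } > "$dir/ipfw.rules"
    chmod 0700 "$dir/ipfw.rules"

    # dhcpd.conf: one subnet, a dynamic range, and a fixed address for the
    # shared printer so every node finds it at the same place.
    cat > "$dir/dhcpd.conf" <<EOF
authoritative;
default-lease-time 600;
max-lease-time 7200;

subnet ${lannet%/*} netmask 255.255.255.0 {
    range ${gw%.*}.100 ${gw%.*}.199;
    option routers $gw;
    option domain-name-servers $gw;
}

# Shared printer (MAC address is an assumption).
host printer {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address ${gw%.*}.10;
}
EOF
}
```

Run it as `gen_gateway_config /tmp/gw em0 em1 192.168.1.0/24 192.168.1.1`, review the three files against the pen-and-paper sketch the reply recommends, then copy them to /etc/rc.conf (append), /etc/ipfw.rules and /usr/local/etc/dhcpd.conf. The skipto/check-state arrangement matters: with one_pass=0 a reply from the Internet is first de-translated by rule 200, then matched against the dynamic state created by rule 410, and anything that matches no state is dropped and logged by rule 500.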