Date:      Wed, 30 Sep 1998 04:45:05 +0800
From:      chas <panda@peace.com.my>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Not a cure for firewall licences. Re: Can DHCP really be this simple ?
Message-ID:  <3.0.32.19980930044505.00ad84ec@mail.peace.com.my>

Just thought I'd mention that the set-up I described previously
for a FreeBSD proxy/router does not circumvent firewall licences.
Posting this to the list so that someone else doesn't make the
same mistake :

ie. we have -

LAN (50 PCs) <----> fxp1
                    fxp0 <----> Firewall <----> Internet

The idea being that the one FreeBSD box could route traffic
for the 50 PCs on the LAN. Having set this up (config below),
we've now been told that our firewall (Checkpoint Firewall-1) 
still sees the 50 PCs as 50 machines, each requiring a licence...
since it sees the different MAC addresses.

So, looks like this was a waste of time - might as well turn
the FreeBSD proxy/router into a webserver or something - and 
connect the LAN directly to the firewall. 

chas


>I've got DHCP running but would appreciate it if someone could
>pass an experienced eye over this configuration before I unleash
>my Freebie box on 50 unsuspecting users tomorrow !
>
>The FreeBSD box sits between the LAN and firewall as follows :
>                 
>LAN (50 PCs) <----> fxp1
>                    fxp0 <----> Firewall <----> Internet
>                    
>
>The following startup scripts are appended to the end of /etc/rc.local :
># Start NATd on the external interface :
>/usr/local/sbin/natd -interface fxp0
># Allow all packets through :
>/sbin/ipfw -f flush 
>/sbin/ipfw add divert natd all from any to any via fxp0
>/sbin/ipfw add pass all from any to any
># Start the DHCP server on the internal interface :
>/usr/local/sbin/dhcpd fxp1
>
>
>My /etc/dhcpd.conf file is based on the sample provided :
># dhcpd.conf
>server-identifier proxy.ourdomain.com;   # the name of the proxy
>option domain-name "ourdomain.com";      # our company's domain
>option domain-name-servers ns.ourdomain.com;  # our dns server
>
>shared-network NEURONET {
>  option subnet-mask 255.0.0.0;
>  default-lease-time 600;
>  max-lease-time 7200;
>  subnet 10.0.0.0 netmask 255.0.0.0 {
>    range 10.0.0.50 10.0.0.254;
>    option broadcast-address 10.0.0.255;
>    option routers 10.0.0.1;
>  }
>}
>
>Basically, I just want IPs between 10.0.0.50 and 10.0.0.254 to be
>allocated dynamically to PCs connecting on the LAN. The above  seems
>to work but it was trial and error so I'm not that confident about 
>what I've done.
>
>Also, if I then want to run a server with fixed IP (eg. 202.184.153.17) 
>on one of the IPs on the LAN not assigned dynamically (eg. 10.0.0.17),
>where is this translation entered ?  
>
>chas
>
>ps. Since DHCP requires the bpfilter option in the kernel, should 
>anything else be done to beef up security on this machine ? 
>(I'm disabling telnet, ftp, sendmail etc. Plus it sits behind a firewall)
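As an added example (not from the post, and not code from the ISC dhcpd project), a small Python checker for the dhcpd.conf subnet block quoted above: it parses the declaration and reports inconsistencies, in particular that the broadcast address of a 10.0.0.0/8 subnet is 10.255.255.255 rather than the 10.0.0.255 declared, and whether a statically addressed host such as the 10.0.0.17 server mentioned in the post collides with the dynamic range. It assumes the subnet block contains no nested braces and uses simple regular expressions rather than a full dhcpd.conf grammar.

```python
import ipaddress
import re
# The dhcpd.conf fragment from the quoted post, embedded as a constant so this runs offline.
DHCPD_CONF = """\
shared-network NEURONET {
  option subnet-mask 255.0.0.0;
  default-lease-time 600;
  max-lease-time 7200;
  subnet 10.0.0.0 netmask 255.0.0.0 {
    range 10.0.0.50 10.0.0.254;
    option broadcast-address 10.0.0.255;
    option routers 10.0.0.1;
  }
}
"""
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
RANGE_RE = re.compile(r"range\s+(\S+)\s+(\S+)\s*;")
OPTION_RE = re.compile(r"option\s+([\w-]+)\s+([^;]+);")

def parse_subnet(conf):
    """Return (network, (range_lo, range_hi), options) from the first subnet block."""
    m = SUBNET_RE.search(conf)
    if not m:
        raise ValueError("no subnet declaration found")
    # Assumption: the subnet block has no nested braces, so the first '}' closes it.
    body = conf[m.end():conf.index("}", m.end())]
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
    r = RANGE_RE.search(body)
    lo, hi = ipaddress.ip_address(r.group(1)), ipaddress.ip_address(r.group(2))
    opts = {k: v.strip() for k, v in OPTION_RE.findall(body)}
    return net, (lo, hi), opts

def check_subnet(conf, fixed_hosts=()):
    """Return a list of problems; an empty list means the subnet block is consistent."""
    net, (lo, hi), opts = parse_subnet(conf)
    problems = []
    if lo > hi:
        problems.append("range low address exceeds high address")
    if lo not in net or hi not in net:
        problems.append("range lies outside the declared subnet")
    bcast = ipaddress.ip_address(opts.get("broadcast-address", str(net.broadcast_address)))
    if bcast != net.broadcast_address:
        problems.append(f"broadcast-address {bcast} != {net.broadcast_address}")
    for router in opts.get("routers", "").replace(",", " ").split():
        if ipaddress.ip_address(router) not in net:
            problems.append(f"router {router} not in subnet")
    for host in fixed_hosts:  # static servers must stay outside the dynamic pool
        if lo <= ipaddress.ip_address(host) <= hi:
            problems.append(f"fixed host {host} sits inside the dynamic range")
    return problems
```

Running `check_subnet(DHCPD_CONF, fixed_hosts=["10.0.0.17"])` on the posted block reports only the broadcast-address mismatch; 10.0.0.17 is safely below the 10.0.0.50 start of the pool.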

