From owner-freebsd-isp Wed Aug 28 1:37:54 2002
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7BC3937B400 for ; Wed, 28 Aug 2002 01:37:51 -0700 (PDT)
Received: from pintail.mail.pas.earthlink.net (pintail.mail.pas.earthlink.net [207.217.120.122]) by mx1.FreeBSD.org (Postfix) with ESMTP id 375B943E6E for ; Wed, 28 Aug 2002 01:37:51 -0700 (PDT) (envelope-from absinthe@pobox.com)
Received: from dhcp068-64-151-24.nt01-c4.cpe.charter-ne.com ([24.151.64.68] helo=laredo.retrovertigo.com) by pintail.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 17jyKk-000280-00 for freebsd-isp@FreeBSD.ORG; Wed, 28 Aug 2002 01:37:50 -0700
Content-Type: text/plain; charset="us-ascii"
From: Dylan Carlson
Reply-To: absinthe@pobox.com
To: freebsd-isp@FreeBSD.ORG
Subject: [SUMMARY] Port forwarding recommendations?
Date: Wed, 28 Aug 2002 04:37:50 -0400
User-Agent: KMail/1.4.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200208280437.50576.absinthe@pobox.com>
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I got a lot of responses to this (thank you).

1. "Derek" and Noah K Sematimba suggested the ipfw/natd combination. Which worked, but took me a couple of hours. I ran into some circumstances where natd seemed to blow its brains out when I was reloading the rules, but I got it to work. I've always (personally) preferred the ipfilter way of doing things, and this experience hasn't changed that.

2. "Leigh V" suggested an ipfilter script which worked pretty well, got the basic firewall up quickly, and then I dropped in the port forwarding rules and it worked great.

3. Martyn Routley suggested SmoothWall, a linux-based canned firewall package. Reluctant at first, I tried it out. Admittedly, it's pretty slick. If you don't plan on the machine being anything but a firewall, it does the job. I had it up and running in about 20 minutes with the port forwarding. And snort, squid, and dynamic DNS built in. Port forwarding was as easy as it gets. Apart from being an ipchains firewall, it's using the same tools as everything else ... it's just been packaged neatly into a purpose-built platform, and has an apache/mod_ssl interface for configuration, which is pretty much how all the commercial firewall interfaces are going anyway (web UI). The UI makes changes easy; particularly the "patching" part of SmoothWall was quite nice.

There's no reason something like SmoothWall couldn't be built around FreeBSD. I hope someday there is, though I'm not the guy for that job. I'm wrapped up in Java and helping out the FreeBSD Java Project.

Conclusions

SmoothWall is the easiest and probably ideal way to go. I'm still running it live at the moment, but I plan on going back to #2, because I am a BSD guy. It's called "eating one's own dog food." I hope that someday a nice package such as this comes to BSD.

Thanks to everyone for your input.

Cheers,

--
Dylan Carlson [absinthe@pobox.com]

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
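The message above refers to "the port forwarding rules" dropped into an ipfilter setup (item 2) without showing them. What follows is an added example, not code from the original post or from any of the people it credits: a small POSIX sh script that generates a matching pair of ipnat and ipf rule sets for forwarding TCP 80 and 443 from the external interface to an internal web server, and a loader for them. Interface names (fxp0, fxp1), the LAN prefix and the server address are assumptions; the one point worth learning from it is that ipnat rewrites the destination before ipf sees the inbound packet, so the pass rule that accompanies each rdr must name the internal address, not the external one.

```shell
#!/bin/sh
# Added example, not from the original message.  Assumed topology:
EXT_IF="fxp0"            # assumed external (Internet-facing) interface
INT_IF="fxp1"            # assumed internal interface
LAN="192.168.1.0/24"     # assumed internal network
WEB="192.168.1.10"       # assumed internal web server being forwarded to

# Build one ipnat redirect line.  Arguments: proto ext_port target target_port.
rdr_rule() {
    printf 'rdr %s 0.0.0.0/0 port %s -> %s port %s %s\n' \
        "$EXT_IF" "$2" "$3" "$4" "$1"
}

# Build the ipf rule that must accompany each rdr.  Because ipnat has
# already rewritten the destination when ipf filters the packet, the rule
# matches the internal address.  Arguments: proto target target_port.
pass_rule() {
    printf 'pass in quick on %s proto %s from any to %s port = %s flags S keep state\n' \
        "$EXT_IF" "$1" "$2" "$3"
}

# Complete /etc/ipnat.rules: outbound masquerading for the LAN plus redirects.
ipnat_rules() {
    printf 'map %s %s -> 0/32 portmap tcp/udp 10000:40000\n' "$EXT_IF" "$LAN"
    printf 'map %s %s -> 0/32\n' "$EXT_IF" "$LAN"
    rdr_rule tcp 80  "$WEB" 80
    rdr_rule tcp 443 "$WEB" 443
}

# Complete /etc/ipf.rules: default-deny inbound, stateful outbound, and one
# pass rule per redirect so the forwarded traffic is actually admitted.
ipf_rules() {
    printf 'block in log all\n'
    printf 'pass out quick on %s all keep state\n' "$EXT_IF"
    printf 'pass in quick on %s all\n' "$INT_IF"
    printf 'pass out quick on %s all\n' "$INT_IF"
    pass_rule tcp "$WEB" 80
    pass_rule tcp "$WEB" 443
}

# Write and load both rule sets.  Run as root on a FreeBSD host with
# ipfilter enabled; nothing below runs unless this function is called.
load_rules() {
    ipnat_rules > /etc/ipnat.rules
    ipf_rules   > /etc/ipf.rules
    ipnat -CF -f /etc/ipnat.rules   # drop old NAT rules and mappings, load new
    ipf -Fa -f /etc/ipf.rules       # flush all filter rules, load new
}
```

Calling `ipnat_rules` and `ipf_rules` on their own prints the two files for review before anything is loaded; `load_rules` is the step that touches the live firewall. Adding a forwarded service means one `rdr_rule` line and one `pass_rule` line, and leaving out the second is the usual reason a redirect "doesn't work".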