Date: Tue, 1 Jun 1999 13:47:42 -0500
From: Dan Nelson <dnelson@emsphone.com>
To: "Scott I. Remick" <scott@computeralt.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw vs. MS Proxy
Message-ID: <19990601134742.B3289@dan.emsphone.com>
In-Reply-To: <4.2.0.56.19990601142406.03508710@mail.computeralt.com>; from "Scott I. Remick" on Tue Jun 1 14:29:42 GMT 1999
References: <4.2.0.56.19990601135626.034fa010@mail.computeralt.com> <4.2.0.56.19990601135626.034fa010@mail.computeralt.com> <19990601130713.A3289@dan.emsphone.com> <4.2.0.56.19990601142406.03508710@mail.computeralt.com>
In the last episode (Jun 01), Scott I. Remick said:
> At 02:07 PM 6/1/1999 , you wrote:
> >ipfw is packet filtering, not proxying. For that you probably want
> >squid and/or natd.
>
> This was my understanding as well. I've actually looked at squid.

Squid is not strictly necessary, but the caching can really help if you
have enough people inside the firewall.

> They're looking at it from a security standpoint. Which I agree with
> totally... I've always wanted a firewall. There never seems to be
> money available for my FreeBSD projects, but if someone describes the
> same need using MS "solutions", then everyone gets excited :(
>
> The idea is to do just what a firewall does: filter traffic between
> our private network and the outside world. I'd like to see a FreeBSD
> box with 2 NICs dropped into place, running ipfw, to perform this
> task fairly invisibly. They'd like to use MS solutions because
> "that's what we sell" and they don't like FreeBSD solutions because
> NOEKI (No One Else Knows It) except for me. Grrr.

( ask them how often they expect to be rebooting this NT box and
disabling net access for everyone :)

So packet filtering is all that's needed? Then ipfw can certainly do
what you need. Take a look at /etc/rc.firewall for a simple config.
You can even make the FreeBSD box completely invisible by using Luigi
Rizzo's bridging mods; I think there's also a sysctl that makes the
kernel not decrement the hopcount on IP packets :)

Heck; if all you need is packet filtering, do that on your router. If
you have more hosts than Inet-routable IPs, or if you have a private
address space, then you'll need natd in addition to ipfw.

-Dan Nelson
dnelson@emsphone.com
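The reply above points at /etc/rc.firewall and says a private address space needs natd alongside ipfw. The script below is an added example, not part of the thread and not FreeBSD's own rc.firewall: an rc.firewall-style ruleset for the two-NIC box Scott describes, with the outside interface handed to natd. The interface names (fxp0, fxp1), the inside network (192.168.1.0/24) and the natd divert port are assumptions to be replaced with the real values. Setting FWCMD=echo prints the rules for review instead of loading them, which is the sane way to check a ruleset before it goes on a box you reach over the network.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's rc.firewall): an
# rc.firewall-style ipfw ruleset for a two-NIC box that filters traffic
# between a private inside network and the outside world, with natd
# translating the private addresses on the outside interface.
# Interface names, addresses and divert port below are assumptions.

build_ruleset() {
    oif="$1"              # outside interface, e.g. fxp0 (assumed)
    iif="$2"              # inside interface, e.g. fxp1 (assumed)
    inet="$3"             # private inside network, e.g. 192.168.1.0/24 (assumed)
    natport="${4:-8668}"  # natd divert port; 8668 is natd's default
    fwcmd="${FWCMD:-/sbin/ipfw -q}"   # FWCMD=echo reviews rules instead of loading them

    $fwcmd -f flush

    # Loopback is allowed; 127/8 must never appear on a real wire.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: the private network never legitimately arrives from outside.
    $fwcmd add 400 deny log ip from "$inet" to any in via "$oif"

    # Hand everything crossing the outside interface to natd. A packet
    # re-enters the ruleset at the next rule with its address rewritten,
    # so the rules after this one see public addresses on that interface.
    $fwcmd add 500 divert "$natport" ip from any to any via "$oif"

    # TCP: replies to existing connections pass; new connections may be
    # set up from the inside out, never from the outside in.
    $fwcmd add 600 allow tcp from any to any established
    $fwcmd add 700 allow tcp from any to any setup out via "$oif"
    $fwcmd add 800 deny log tcp from any to any setup in via "$oif"

    # Traffic on the inside wire is not restricted by this box.
    $fwcmd add 900 allow ip from any to any via "$iif"

    # DNS, plus the ICMP types that keep path MTU discovery and traceroute working.
    $fwcmd add 1000 allow udp from any to any 53
    $fwcmd add 1100 allow udp from any 53 to any
    $fwcmd add 1200 allow icmp from any to any icmptypes 0,3,8,11

    # Default deny, logged via syslog so dropped packets can be reviewed.
    $fwcmd add 65000 deny log ip from any to any
}

# Usage:  FWCMD=echo sh fw.sh fxp0 fxp1 192.168.1.0/24   (print rules)
#         sh fw.sh fxp0 fxp1 192.168.1.0/24              (load rules, as root)
if [ $# -ge 3 ]; then
    build_ruleset "$@"
fi
```

Rule order matters more than rule count here: the anti-spoofing check sits before the divert so it inspects the packet as it arrived on the wire, while the TCP setup rules sit after it so they see post-translation addresses. Inbound connection attempts that natd has no mapping for fall through to rule 800 and are logged, which is the one line worth watching on a box like this.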