From owner-freebsd-questions Tue Jun 1 11:47:49 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by hub.freebsd.org (Postfix) with ESMTP id 4243414FA8 for ; Tue, 1 Jun 1999 11:47:46 -0700 (PDT) (envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost) by dan.emsphone.com (8.9.3/8.9.3) id NAA04248; Tue, 1 Jun 1999 13:47:43 -0500 (CDT) (envelope-from dan)
Date: Tue, 1 Jun 1999 13:47:42 -0500
From: Dan Nelson
To: "Scott I. Remick"
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw vs. MS Proxy
Message-ID: <19990601134742.B3289@dan.emsphone.com>
References: <4.2.0.56.19990601135626.034fa010@mail.computeralt.com> <4.2.0.56.19990601135626.034fa010@mail.computeralt.com> <19990601130713.A3289@dan.emsphone.com> <4.2.0.56.19990601142406.03508710@mail.computeralt.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.5i
In-Reply-To: <4.2.0.56.19990601142406.03508710@mail.computeralt.com>; from "Scott I. Remick" on Tue Jun 1 14:29:42 GMT 1999
X-OS: FreeBSD 4.0-CURRENT
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In the last episode (Jun 01), Scott I. Remick said:
> At 02:07 PM 6/1/1999 , you wrote:
> >ipfw is packet filtering, not proxying. For that you probably want
> >squid and/or natd.
>
> This was my understanding as well. I've actually looked at squid.

Squid is not strictly necessary, but the caching can really help if you
have enough people inside the firewall.

> They're looking at it from a security standpoint. Which I agree with
> totally... I've always wanted a firewall. There never seems to be
> money available for my FreeBSD projects, but if someone describes the
> same need using MS "solutions", then everyone gets excited :(
>
> The idea is to do just what a firewall does: filter traffic between
> our private network and the outside world. I'd like to see a FreeBSD
> box with 2 NICs dropped into place, running ipfw, to perform this
> task fairly invisibly. They'd like to use MS solutions because
> "that's what we sell" and they don't like FreeBSD solutions because
> NOEKI (No One Else Knows It) except for me. Grrr.

(Ask them how often they expect to be rebooting this NT box and
disabling net access for everyone :)

So packet filtering is all that's needed? Then ipfw can certainly do
what you need. Take a look at /etc/rc.firewall for a simple config.
You can even make the FreeBSD box completely invisible by using Luigi
Rizzo's bridging mods; I think there's also a sysctl that makes the
kernel not decrement the hopcount on IP packets :)

Heck, if all you need is packet filtering, do that on your router.

If you have more hosts than Inet-routable IPs, or if you have a private
address space, then you'll need natd in addition to ipfw.

-Dan Nelson
dnelson@emsphone.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
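The two-NIC ipfw gateway with natd that the reply points at (the /etc/rc.firewall style of ruleset) is sketched below as an added example. It is not code from the original message nor FreeBSD's own rc.firewall; the interface names fxp0/fxp1 and the inside network 192.168.1.0/24 are assumptions. By default the script only prints the ipfw commands so it can be reviewed on any machine; set IPFW=/sbin/ipfw as root to load the rules for real.

```shell
#!/bin/sh
# Two-NIC ipfw + natd gateway in the style of /etc/rc.firewall.
# Constructed example: the interface names and the inside network
# are assumptions, not taken from the original message.
oif="fxp0"              # outside NIC (assumed)
iif="fxp1"              # inside NIC (assumed)
inet="192.168.1.0/24"   # private network behind the box (assumed)

# Dry-run by default: print the ipfw commands instead of running them.
# Run with IPFW=/sbin/ipfw (as root) to load them, or pipe the output into sh.
IPFW="${IPFW:-echo /sbin/ipfw -q}"

rule() { ${IPFW} add "$@"; }

build_ruleset() {
    ${IPFW} -f flush
    # Loopback is fine; 127/8 seen on a real wire is forged.
    rule 100 pass all from any to any via lo0
    rule 110 deny all from any to 127.0.0.0/8
    # The inside wire: trust our own net there, log anything else (spoofed).
    rule 120 pass all from ${inet} to any in via ${iif}
    rule 130 deny log all from any to any in via ${iif}
    # Anti-spoofing, placed before NAT so the untranslated source is checked:
    # nothing claiming an inside or RFC 1918 source may arrive on ${oif}.
    rule 200 deny log ip from ${inet} to any in via ${oif}
    rule 210 deny log ip from 10.0.0.0/8 to any in via ${oif}
    rule 220 deny log ip from 172.16.0.0/12 to any in via ${oif}
    rule 230 deny log ip from 192.168.0.0/16 to any in via ${oif}
    # Hand everything crossing the outside NIC to natd (divert port "natd", 8668).
    # Rules below this one see *translated* addresses, so they match on
    # direction and interface rather than on ${inet}.
    rule 300 divert natd all from any to any via ${oif}
    # Stateless TCP: established connections and fragments pass; connection
    # setup arriving from the outside is refused and logged; any other setup
    # (which can only originate inside, given rule 420) is allowed.
    rule 400 pass tcp from any to any established
    rule 410 pass all from any to any frag
    rule 420 deny log tcp from any to any in via ${oif} setup
    rule 430 pass tcp from any to any setup
    # DNS over UDP for the inside hosts; answers come back from port 53.
    # (Stateless: anything with source port 53 gets in.  That is the price
    # of an ipfw ruleset of this era; a proxy or stateful filter tightens it.)
    rule 500 pass udp from any to any 53
    rule 510 pass udp from any 53 to any
    # ICMP we want: echo reply/request, unreachable (incl. needs-frag), time exceeded.
    rule 600 pass icmp from any to any icmptypes 0,3,8,11
    # Everything else is dropped and logged (the kernel default is deny anyway).
    rule 65000 deny log all from any to any
}

# Number of "add" commands the set produces; handy for a sanity check.
rule_count() { build_ruleset | grep -c ' add '; }

build_ruleset
```

Ordering is what makes this work: the anti-spoofing rules sit before the divert so they see the packet as it came off the wire, while the TCP setup rules sit after it, where the inbound packet already carries its translated inside destination, which is why they key on "in via ${oif}" rather than on addresses. For boot-time use the usual rc.conf knobs apply (gateway_enable, firewall_enable, natd_enable and natd_interface), with natd started on the outside interface.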