From owner-freebsd-questions@FreeBSD.ORG Tue Aug 2 16:59:15 2005
From: Kevin Kinsey <kdk@daleco.biz>
To: Stephan Weaver
Cc: freebsd-questions@freebsd.org
Subject: Re: Networking with FreeBSD
Date: Tue, 02 Aug 2005 11:59:06 -0500
Message-ID: <42EFA65A.5080905@daleco.biz>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050709
List-Id: User questions

Stephan Weaver wrote:
> Hello Everyone.
>
> We are going to be connecting our Stores to our Main Head Office via
> Fiber.
> We want to separate our Internal LAN from the store computers.
> So we have decided to separate them by networks [IP addressing]
> because of security.
>
>
> Head Office
> I have 3 Servers in my LAN, and 4 Networks in Total inside of our Head
> Office:
> 10.10.10.1 - Pixel Replication Server
> 192.168.1.1 - Web Based Server [Delivery Server]
> 192.168.100.1 - File Server
> Including Internet Users:
> 192.168.0.1-254 [ LAN ].
>
> The store computers that need to access specific servers are only on
> that network.
> For example:
> Store 1, Computer 1 needs to replicate [he will have an IP of
> 10.10.10.105].
> Store 1, Computer 2 [the Delivery PC] will have an IP of
> 192.168.1.105.
> Store 1, Computer 3 will access the File Server by having an IP of
> 192.168.100.105.
>
> Now the risk involved with this is we have no real security. For example,
> a malicious user can easily change his IP address to 192.168.0.105 and
> get on our Head Office internal network, which we don't want.
>
> So I would like to set up, install and configure a FreeBSD-based
> firewall that will have 4 network cards, and will be placed between our
> Head Office switch and our Fibre switch [WAN].
>
> But AFAIK, by placing all these network cards in the same machine,
> FreeBSD will bridge all those networks.
> How can I keep the networks separate, and secure the servers by
> firewalling by IP addressing?
>
> I would appreciate advice / suggestions / anything that will give me a
> better clue on how to secure my network.
>
> Yours Sincerely,
> Stephan Weaver
>

This is probably not Real Helpful(tm), but maybe we can get the ball
rolling here (so I've included your entire post) --- I'm looking at
m0n0wall (http://m0n0.ch/wall) to do a little of this on a smaller scale
--- basically just keeping 2 LANs on the same wire separate from one
another, and limiting access to the big bad Net via a "captive portal".
Not sure if it would be any help to you, however....

Kevin Kinsey
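A worked example of the routed, per-host filtering the question asks for, added here as an illustration and not part of either post. FreeBSD does not bridge NICs in one box unless a bridge interface is explicitly configured; with gateway_enable it routes between them, and pf decides what crosses. Everything below that is not in the thread is an assumption: the interface names em0-em2, the 172.16.0.0/16 addressing for the store side (a router needs the stores in their own subnets, so the store PCs can no longer carry addresses inside the server networks), the per-host store addresses, and the service ports for the delivery and file servers.

```pf
# Added example, not from the thread: FreeBSD host routing (not bridging)
# between its NICs, with pf deciding which store host may reach which
# head-office server. Interface names and 172.16.0.0/16 store addressing
# are assumptions.
#
# /etc/rc.conf (the kernel forwards between NICs only when told to, and
# never bridges them unless an if_bridge/bridge interface is configured):
#   gateway_enable="YES"
#   pf_enable="YES"
#   pf_rules="/etc/pf.conf"
#   pflog_enable="YES"
#   ifconfig_em0="inet 172.16.0.1 netmask 255.255.0.0"       # fibre side; store 1 is 172.16.1.0/24
#   ifconfig_em1="inet 10.10.10.254 netmask 255.255.255.0"   # replication server segment
#   ifconfig_em1_alias0="inet 192.168.1.254 netmask 255.255.255.0"   # delivery server
#   ifconfig_em1_alias1="inet 192.168.100.254 netmask 255.255.255.0" # file server
#   ifconfig_em2="inet 192.168.0.254 netmask 255.255.255.0"  # head-office LAN, never reachable from em0
#
# /etc/pf.conf follows. Store PCs use 172.16.0.1 as their default gateway,
# and each server needs a route for 172.16.0.0/16 via the firewall's
# address on its own subnet, or replies never make it back.

stores  = "em0"
servers = "em1"
office  = "em2"

# Store 1 hosts (assumed addresses inside the store's own subnet)
store1_repl  = "172.16.1.1"
store1_deliv = "172.16.1.2"
store1_file  = "172.16.1.3"

repl_srv   = "10.10.10.1"
deliv_srv  = "192.168.1.1"
file_srv   = "192.168.100.1"
office_net = "192.168.0.0/24"

# Assumed service ports; the replication protocol's port is not named in
# the thread, so that rule stays host-to-host until it is known.
deliv_ports = "{ 80, 443 }"
file_ports  = "{ 139, 445 }"

set block-policy drop
set skip on lo0

# A packet arriving on an interface with a source address that belongs to a
# network living on a different interface is dropped before any pass rule is
# consulted. This is what defeats a store PC that sets itself to
# 192.168.0.105: that network belongs to em2, so the packet is discarded on
# arrival at em0.
antispoof log quick for { $stores, $servers, $office }

# Default deny, both directions, every interface.
block log all

# Stores never reach the office LAN; a dedicated rule so the attempt is
# visible on pflog0 by itself.
block log quick on $stores from any to $office_net

# Store 1: one host per server, nothing else.
pass in on $stores from $store1_repl to $repl_srv keep state
pass in on $stores proto tcp from $store1_deliv to $deliv_srv port $deliv_ports keep state
pass in on $stores proto tcp from $store1_file  to $file_srv  port $file_ports  keep state

# Head-office LAN may reach the servers; the state entry lets replies back.
pass in on $office from $office_net to { $repl_srv, $deliv_srv, $file_srv } keep state

# Forwarded packets that already passed an "in" rule, and the firewall's own
# traffic, may leave on any interface; replies are matched by state.
pass out all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s rules` shows the block rules that the antispoof line expands into, one per interface network. To see the spoofing case actually caught, give a store PC the address 192.168.0.105, generate some traffic, and watch `tcpdump -n -e -ttt -i pflog0` on the firewall. The whole scheme depends on the firewall being the only path between the fibre switch and the head-office switch; a second cable between the two switches bypasses every rule above.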