From: "Stephan Weaver" <stephanweaver@hotmail.com>
To: youshi10@u.washington.edu
Cc: freebsd-questions@freebsd.org
Date: Tue, 02 Aug 2005 13:15:51 -0400
Subject: Re: Networking with FreeBSD
List-Id: User questions (freebsd-questions@freebsd.org)

>From: Garrett Cooper
>To: Stephan Weaver
>CC: freebsd-questions@freebsd.org
>Subject: Re: Networking with FreeBSD
>Date: Tue, 2 Aug 2005 10:10:44 -0700 (PDT)
>
>On Tue, 2 Aug 2005, Stephan Weaver wrote:
>
>>Hello Everyone.
>>
>>We are going to be connecting our Stores to our Main Head Office Via Fiber.
>>We want to separate our Internal Lan from the store computers.
>>So we have decided to separate them by networks [ip addressing] because of security.
>>
>>Head Office
>>I have 3 Servers in my LAN. And 4 Networks in Total inside of our Head Office.
>>10.10.10.1 - Pixel Replication Server
>>192.168.1.1 - Web Based Server [Delivery Server]
>>192.168.100.1 - File Server
>>Including Internet Users.
>>192.168.0.1-254 [ Lan ].
>>
>>The store computers that need to access specific servers are only on that network.
>>For example:
>>Store 1, Computer 1 Needs to Replicate [he will have an ip of 10.10.10.105]
>>Store 1, Computer 2 [The Delivery Pc] will have an ip of 192.168.1.105
>>Store 1, Computer 3 Will access the File Server by having an ip of 192.168.100.105.
>>
>>Now the Risk involved with this is we have no Real Security. For Example,
>>A Malicious user can easily change his ip address to 192.168.0.105 and Get on
>>our Head Office Internal Network, Which We don't Want.
>>
>>So I would like to Setup, Install And Configure a FreeBSD Based Firewall,
>>that will have 4 Network Cards, and will be placed between Our Head Office
>>Switch and our Fibre Switch [Wan].
>>
>>But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD
>>Will Bridge All Those Networks.
>>How Can I keep the networks Separate, and Secure the Servers by
>>Firewalling by ip addressing?
>>
>>I would appreciate Advice / Suggestions / Anything That will give me a
>>better clue on how to secure my network.
>>
>>Yours Sincerely,
>>Stephan Weaver
>
> I can tell you as of right now that you're going to have to set up a NAT
>with your FreeBSD box acting as the gateway using something like ipf,
>ipfilter, etc. However, I have little experience with this, and depending
>on what you want in terms of user interaction, different solutions will
>pose certain pros and cons.
> Also, no one outside of the network can just change their IP address to
>192.168.0.x because the 192.168.x.y IP address blocks are reserved as Class
>C addresses which, under all correct implementations of IP, are physically
>inaccessible outside the network. Therefore, that isn't so much of an
>issue... however, it still doesn't hurt to have a firewall because you
>don't want someone tunnelling in and wreaking havoc on your network. That
>is of course if the information you listed above was in fact what's
>currently implemented as opposed to what should be implemented.
> Just a few minor thoughts.
>-Garrett

Nothing is implemented as yet; I am looking for solutions.

Thanks EVERYONE! Love You Guys

stephan weaver
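One way to build the four-card FreeBSD gateway this thread is discussing, as an added example that is not code from either poster or from the FreeBSD project: an ipfilter ruleset that routes between the fibre side and the three server networks, admits each store machine to exactly one server, and drops anything arriving from the fibre side that carries a head-office source address. The interface names (fxp0 to fxp3) and the store-side prefix 172.16.1.0/24 are assumptions; giving the stores their own prefix is what lets the box route between its interfaces instead of joining them into one network.

```ipf
# /etc/ipf.rules (example; interface names and the store prefix are assumed)
# fxp0 = fibre switch (stores)        fxp1 = 10.10.10.0/24   (replication server)
# fxp2 = 192.168.1.0/24 (delivery)    fxp3 = 192.168.100.0/24 (file server)
# Store 1 machines are assumed to live in 172.16.1.0/24 on the far side of fxp0.

# Default deny in both directions, logged. ipf evaluates every rule and the
# last match wins, except that a "quick" rule ends evaluation immediately,
# so these two catch whatever none of the quick rules below claim.
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all

# Ingress filtering on the fibre side: a packet coming from the stores must
# not claim a head-office address as its source. This is the control that
# stops a store machine from "becoming" 192.168.0.105 or posing as a server.
block in log quick on fxp0 from 192.168.0.0/24 to any
block in log quick on fxp0 from 10.10.10.0/24 to any
block in log quick on fxp0 from 192.168.1.0/24 to any
block in log quick on fxp0 from 192.168.100.0/24 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
# The office LAN is never a valid destination from the fibre side.
block in log quick on fxp0 from any to 192.168.0.0/24

# Each store machine reaches exactly one server. No protocol is named, so the
# rule covers TCP, UDP and ICMP; narrow it to the service port once known.
# Replies are matched by the state table, so no return-path rule is needed.
# Computer 1 -> replication server
pass in quick on fxp0 from 172.16.1.10 to 10.10.10.1 keep state
# Computer 2 -> delivery server
pass in quick on fxp0 from 172.16.1.20 to 192.168.1.1 keep state
# Computer 3 -> file server
pass in quick on fxp0 from 172.16.1.30 to 192.168.100.1 keep state

# Let only those flows leave on the server-side interfaces. Nothing else
# crosses between fxp1, fxp2 and fxp3, so the server networks stay separate.
pass out quick on fxp1 from 172.16.1.10 to 10.10.10.1 keep state
pass out quick on fxp2 from 172.16.1.20 to 192.168.1.1 keep state
pass out quick on fxp3 from 172.16.1.30 to 192.168.100.1 keep state
```

In /etc/rc.conf, gateway_enable="YES" turns on forwarding, and ipfilter_enable="YES" with ipfilter_rules="/etc/ipf.rules" loads the set at boot. A FreeBSD box with several cards routes rather than bridges unless bridging is configured deliberately, so every packet between the stores and the servers crosses this ruleset.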