Date: Tue, 02 Aug 2005 13:38:27 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Stephan Weaver <stephanweaver@hotmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Networking with FreeBSD
Message-ID: <42EFAF93.5060800@mac.com>
In-Reply-To: <BAY20-F2F61C3D84924A4CD57576A8C20@phx.gbl>
References: <BAY20-F2F61C3D84924A4CD57576A8C20@phx.gbl>
Stephan Weaver wrote:
[ ... ]
> But AFAIK, By Placing all these network cards in the Same Machine,
> FreeBSD Will Bridge All Those Networks.

FreeBSD is well-behaved in terms of security. It will not act as a layer-2 bridge or as a layer-3 IP router/firewall, unless and until you tell it to do so. See the options set in /etc/rc.conf and /etc/defaults/rc.conf such as:

gateway_enable="NO"                # Set to YES if this host will be a gateway.
router_enable="NO"                 # Set to YES to enable a routing daemon.
firewall_enable="NO"               # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="UNKNOWN"            # Firewall type (see /etc/rc.firewall)

...or "man bridge".

> How Can i keep the networks Separate, and Secure the Servers by
> Firewalling by ip addressing?

Well, if you set the machines up on three or four separate subnets, each on a separate collision domain (i.e., each with its own hub or switch VLAN), you can firewall traffic both by subnet and by individual IPs. A proper ruleset will integrate anti-spoofing rules which will prevent a machine from sending traffic as if it were an IP on another subnet, or at least prevent the traffic from going through the firewall to reach your private internal networks.

Obviously, you want to keep untrusted machines on another subnet than the servers you are protecting.

Go read "Building Internet Firewalls" published by O'Reilly, as well as http://www.ietf.org/rfc/rfc2196.txt...

-- 
-Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42EFAF93.5060800>
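Editor's added example, not part of Chuck's reply or of FreeBSD's own /etc/rc.firewall: a minimal ipfw(8) ruleset for the layout he describes, a FreeBSD box with one NIC per subnet, each subnet on its own collision domain, with the anti-spoofing rules he mentions placed before any per-subnet policy. The interface names (em0/em1/em2), the three subnets, and the single exposed server address are assumptions chosen for illustration. The script prints the rules by default so they can be reviewed; with APPLY=1 it loads them. To use it at boot, point firewall_script at it and set firewall_enable="YES" (and gateway_enable="YES", since the host must forward between the subnets).

```shell
#!/bin/sh
# Added example (editor's, not from the original message or from FreeBSD's
# stock rc.firewall). Interface names, subnets and the server address below
# are assumptions for illustration.
#
# Usage:  sh rc.firewall.three-nets            # print the ruleset for review
#         APPLY=1 sh rc.firewall.three-nets    # load it into the running kernel

OUT_IF=em0;  OUT_NET=192.0.2.0/24     # upstream side, untrusted (assumed)
SRV_IF=em1;  SRV_NET=10.1.0.0/24      # protected servers (assumed)
USR_IF=em2;  USR_NET=10.2.0.0/24      # workstations, less trusted (assumed)
WEB_SRV=10.1.0.10                     # one server exposed by IP (assumed)

# rule: print the ipfw command, or execute it when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        ipfw -q add "$@"
    else
        echo "ipfw -q add $*"
    fi
}

gen_rules() {
    if [ "${APPLY:-0}" = 1 ]; then ipfw -q flush; fi

    # 1. Loopback is always allowed; 127/8 must never appear on a wire.
    rule 100 allow ip from any to any via lo0
    rule 110 deny  ip from any to 127.0.0.0/8
    rule 120 deny  ip from 127.0.0.0/8 to any

    # 2. Anti-spoofing: a packet whose source claims to be on subnet X is
    #    dropped if it arrives on any interface other than X's own NIC.
    rule 200 deny ip from $SRV_NET to any in recv $USR_IF
    rule 201 deny ip from $SRV_NET to any in recv $OUT_IF
    rule 210 deny ip from $USR_NET to any in recv $SRV_IF
    rule 211 deny ip from $USR_NET to any in recv $OUT_IF
    #    RFC 1918 space must not arrive from the upstream side at all.
    rule 220 deny ip from 10.0.0.0/8     to any in recv $OUT_IF
    rule 230 deny ip from 172.16.0.0/12  to any in recv $OUT_IF
    rule 240 deny ip from 192.168.0.0/16 to any in recv $OUT_IF

    # 3. Let replies to already-permitted sessions through.
    rule 300 check-state

    # 4. Policy by subnet, then by individual IP.
    rule 400 allow tcp from $USR_NET to $SRV_NET 22,80,443 setup keep-state
    rule 410 allow tcp from any to $WEB_SRV 80,443 in recv $OUT_IF setup keep-state
    rule 420 allow tcp from $SRV_NET to any out xmit $OUT_IF setup keep-state
    rule 430 allow tcp from $USR_NET to any out xmit $OUT_IF setup keep-state
    rule 440 allow udp from $SRV_NET,$USR_NET to any 53 keep-state
    rule 450 allow icmp from any to any icmptypes 0,3,8,11

    # 5. Default deny; "log" needs net.inet.ip.fw.verbose=1 to record hits.
    rule 65000 deny log ip from any to any
}

gen_rules
```

The explicit per-interface deny rules in section 2 are the clearest way to express "this subnet only ever enters on this NIC"; on a host with a correct routing table, `ipfw add deny ip from any to any not verrevpath in` does the same check in one rule by consulting the reverse path. Rule 410 is the "firewalling by IP address" case: a single server is reachable from the upstream side while the rest of $SRV_NET is not.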