From owner-freebsd-security Tue Nov 14 14:45:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from grok.example.net (cr479972-a.rct1.bc.wave.home.com [24.113.37.168]) by hub.freebsd.org (Postfix) with ESMTP id B439A37B4CF for ; Tue, 14 Nov 2000 14:45:13 -0800 (PST)
Received: by grok.example.net (Postfix, from userid 1000) id 3B12521314D; Tue, 14 Nov 2000 14:45:13 -0800 (PST)
Date: Tue, 14 Nov 2000 14:45:13 -0800
From: Steve Reid
To: Nuno Teixeira
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: PPP NAT Gateway security
Message-ID: <20001114144513.A888@grok>
References: <00c801c04dc4$12a89220$0200a8c0@n2>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <00c801c04dc4$12a89220$0200a8c0@n2>; from Nuno Teixeira on Mon, Nov 13, 2000 at 10:50:05PM -0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Nov 13, 2000 at 10:50:05PM -0000, Nuno Teixeira wrote:
> ppp -background -nat MYISP
> It works OK and I have access to a lot of Internet services.
> My question is: do I need to configure this machine with firewall, so I can
> protect my internal network from the outside net?

You probably don't _need_ a firewall, but it usually is a good idea. In
practice NAT provides some protection, but that is not what NAT is
intended for so I wouldn't rely on it.

The usual way to do it is with ipfw or ipfilter. "man ipfw" and "man ipf"
respectively. Because you're using userland PPP you can also do it via
the ppp daemon ("man ppp"). I would recommend using ipfw or ipfilter
though, as then you don't have to re-write your filter rules if you ever
change to a non-ppp interface.

You'll probably find more ipf/ipfw information than ppp filter
information, because ipf and ipfw are more widely used. Google search for
"ipfw howto" or "ipf howto" should turn up some nice docs.

Both ipfw and ipf are stateful now, so AFAICS the remaining differences
are relatively minor for most people. ipf has been ported to systems
other than FreeBSD; ipfw works with ethernet bridging. There may be other
differences I'm not aware of; I'm an ipf user myself and haven't used
ipfw in years.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message