Date:      Wed, 30 Sep 98 09:25:00 +0200
From:      Thierry.Herbelot@alcatel.fr
To:        panda@peace.com.my
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Not a cure for firewall licences. Re: Can DHCP really be this  simple ?
Message-ID:  <H000057c018a4399@MHS>
In-Reply-To: <3.0.32.19980930044505.00ad84ec@mail.peace.com.my>

Hello,

Just one question: how can the firewall see the Ethernet MAC addresses
of the PCs which are behind the FreeBSD machine?

I would expect all Ethernet frames transmitted from the FreeBSD machine
to use the MAC address of fxp0 (just the IP address in the header could be
the address of one of your PCs - except with NAT: the IP address in each
Ethernet frame is also the address of the FreeBSD box).

	TfH

PS: It's really sad that your setup does not work: it would be a very
elegant way to circumvent the licensing policy of your firewall vendor.

PPS: do you have a tcpdump trace of the traffic between the FreeBSD box
and the firewall? This trace could be used to explain why the firewall
sees 50 machines when it should see only one ....
> Just thought I'd mention that the set-up I described previously
> for a FreeBSD proxy/router does not circumvent firewall licences.
> Posting this to the list so that someone else doesn't make the
> same mistake:
> 
> ie. we have -
> 
> LAN (50 PCs) <----> fxp1
>                     fxp0 <----> Firewall <----> Internet
> 
> The idea being that the one FreeBSD box could route traffic
> for the 50 PCs on the LAN. Having set this up (config below),
> we've now been told that our firewall (Checkpoint Firewall-1) 
> still sees the 50 PCs as 50 machines, each requiring a licence...
> since it sees the different MAC addresses.
			      ^^^ how can this be ??? 
> 
> So, looks like this was a waste of time - might as well turn
> the FreeBSD proxy/router into a webserver or something - and 
> connect the LAN directly to the firewall. 
> 
> chas
> 
> 
> >I've got DHCP running but would appreciate it if someone could
> >pass an experienced eye over this configuration before I unleash
> >my Freebie box on 50 unsuspecting users tomorrow !
> >
> >The FreeBSD box sits between the LAN and firewall as follows:
> >                 
> >LAN (50 PCs) <----> fxp1
> >                    fxp0 <----> Firewall <----> Internet
> >                    
> >
> >The following startup scripts are appended to the end of /etc/rc.local:
> ># Start NATd on the external interface :
> >/usr/local/sbin/natd -interface fxp0
> ># Allow all packets through :
> >/sbin/ipfw -f flush 
> >/sbin/ipfw add divert natd all from any to any via fxp0
> >/sbin/ipfw add pass all from any to any
> ># Start the DHCP server on the internal interface :
> >/usr/local/sbin/dhcpd fxp1
> >
> >
> >My /etc/dhcpd.conf file is based on the sample provided:
> ># dhcpd.conf
> >server-identifier proxy.ourdomain.com;   # the name of the proxy
> >option domain-name "ourdomain.com";      # our company's domain
> >option domain-name-servers ns.ourdomain.com;  # our dns server
> >
> >shared-network NEURONET {
> >  option subnet-mask 255.0.0.0;
> >  default-lease-time 600;
> >  max-lease-time 7200;
> >  subnet 10.0.0.0 netmask 255.0.0.0 {
> >    range 10.0.0.50 10.0.0.254;
> >    option broadcast-address 10.0.0.255;
> >    option routers 10.0.0.1;
> >  }
> >}
> >
> >Basically, I just want IPs between 10.0.0.50 and 10.0.0.254 to be
> >allocated dynamically to PCs connecting on the LAN. The above seems
> >to work but it was trial and error so I'm not that confident about
> >what I've done.
> >
> >Also, if I then want to run a server with fixed IP (e.g. 202.184.153.17)
> >on one of the IPs on the LAN not assigned dynamically (e.g. 10.0.0.17),
> >where is this translation entered?
> >
> >chas
> >
> >ps. Since DHCP requires the bpfilter option in the kernel, should
> >anything else be done to beef up security on this machine?
> >(I'm disabling telnet, ftp, sendmail etc. Plus it sits behind a firewall)
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

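The following Python model is an added illustration and not code from the thread or from either poster. It builds the Ethernet frames the firewall's inside interface would capture for one packet from each of the 50 PCs in three topologies: the PCs plugged straight into the firewall's segment, the FreeBSD box forwarding without NAT, and the box running natd on fxp0 as in chas's rc.local. All MAC and IP addresses, and the outside address of the FreeBSD box, are constructed placeholders. The point it makes explicit is the one raised in the reply: a router rewrites the source MAC of every forwarded frame to its own, so only the source IP addresses can still distinguish the PCs, and natd removes even those. Running `parse_frame` over the raw frames of a real `tcpdump -e` capture on the fxp0/firewall link (pcap file parsing is not shown) gives the distinct MAC and IP counts a licence counter could be keying on.

```python
import struct
from collections import Counter

# Constructed placeholder addresses for this illustration; none come from the thread.
FXP0_MAC = "00:a0:c9:12:34:56"       # FreeBSD box, fxp0 (firewall-facing) side
FXP0_IP = "192.0.2.10"               # assumed outside address of the FreeBSD box
FIREWALL_MAC = "00:00:0c:aa:bb:cc"   # firewall's inside interface
DESTINATION_IP = "198.51.100.5"      # some Internet host the PCs talk to
PC_IPS = ["10.0.0.%d" % i for i in range(50, 100)]          # 50 LAN PCs in the dhcpd range
PC_MACS = ["00:50:56:00:00:%02x" % i for i in range(50, 100)]


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_checksum(hdr):
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Ethernet II frame carrying a minimal IPv4 packet (UDP protocol number, no L4 header)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in the checksum
    return eth + hdr + payload


def parse_frame(frame):
    """Return the source MAC and source IP of an IPv4 frame, or None for non-IPv4 (e.g. ARP)."""
    src_mac = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    hdr = frame[14:14 + ihl]
    if ip_checksum(hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src_mac": ":".join("%02x" % b for b in src_mac),
            "src_ip": ".".join(str(b) for b in hdr[12:16])}


def frames_seen_by_firewall(topology):
    """One packet from each PC, as the firewall's inside interface would capture it.

    "direct": PCs on the firewall's own segment; each frame carries the PC's MAC and IP.
    "routed": FreeBSD box forwards without NAT; every frame carries fxp0's MAC but the PC's IP.
    "nat":    natd on fxp0 also rewrites the source IP to the box's own address.
    """
    frames = []
    for pc_mac, pc_ip in zip(PC_MACS, PC_IPS):
        if topology == "direct":
            src_mac, src_ip = pc_mac, pc_ip
        elif topology == "routed":
            src_mac, src_ip = FXP0_MAC, pc_ip
        elif topology == "nat":
            src_mac, src_ip = FXP0_MAC, FXP0_IP
        else:
            raise ValueError("unknown topology %r" % topology)
        frames.append(build_frame(src_mac, FIREWALL_MAC, src_ip, DESTINATION_IP))
    return frames


def summarize(frames):
    """Count distinct source MACs and IPs, the two things a per-host counter could key on."""
    macs, ips = Counter(), Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        macs[parsed["src_mac"]] += 1
        ips[parsed["src_ip"]] += 1
    return {"distinct_src_macs": len(macs), "distinct_src_ips": len(ips)}


if __name__ == "__main__":
    for topology in ("direct", "routed", "nat"):
        print(topology, summarize(frames_seen_by_firewall(topology)))
```

If a capture on the firewall side shows one source MAC (fxp0's) but 50 distinct source IPs, natd is not translating the traffic, and a per-host count keyed on IP addresses rather than MAC addresses would account for the 50 licences; if it shows 50 distinct MACs, the frames are not passing through the FreeBSD box at all.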
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?H000057c018a4399>