Date: Mon, 19 Nov 2001 16:24:08 +0100
From: Walter Hop <walter@binity.com>
To: Chris Appleton <cappleton@emailtopia.com>
Cc: freebsd-questions@freebsd.org
Subject: Re[2]: NAT security
Message-ID: <83141508858.20011119162408@binity.com>
In-Reply-To: <917DCA667947D4118E2100AA00BAEA6E1ABC06@vonneumann.emailtopia.com>
References: <917DCA667947D4118E2100AA00BAEA6E1ABC06@vonneumann.emailtopia.com>
[in reply to cappleton@emailtopia.com, 14-11-2001]

> So if I have a C block of ip's already assigned, and want to
> incorporate bsd ipfw, I don't necessarily have to reconfigure my
> network as a 192?

If you have one, you can just set up your FreeBSD gateway machine to forward packets by simply recompiling your kernel with gatewaying and adding to /etc/rc.conf:

router_enable="YES"

and disabling natd. Typically your router would have one IP address on your class C network (which is used by the other computers as a gateway), and one IP address on the outside network, to talk to the gateway and other hosts there.

> I can set up ipfw to allow connections to these ip's but with
> essentially a restricted port/direction list?

Yes, with ipfw you can specify exactly what traffic is allowed and disallowed. ipfw acts on a gateway like on a normal host (allow this, deny that, allow that, etc.); ipfw rules are processed on the gateway before and after packets are forwarded. Setting up ipfw rules for a usual network situation is not that hard.

> Would ipfilter allow me to do this as well?

I have no experience with that (ipfw always did what I needed); maybe someone else can add to the story...

> Is this unsafe practice - is an internal and external network a better
> move (albeit more work)?

I would say, if you have the blessing of having "real" IP addresses for your network, why not use them? Lots of applications do not work properly with NAT (IPsec, file transfers, Netmeeting, peer-to-peer applications...) and you have to spend time on security either way. :)

> Or maybe it would actually be more work maintaining a complex ruleset?

Well, some sort of ruleset SHOULD be implemented either way (for example to prevent your inside machines from participating in a DDoS attack, to prevent people on the outside from using services on your gateway, etc.), and it's fun to learn too (although I've never found a _GOOD_ ipfw tutorial on the web and it can be very frustrating too :)

-- 
Walter Hop <walter@binity.com>
Updated contact information: http://www.binity.com/~walter/
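The kind of ruleset Walter sketches (ipfw on the forwarding gateway without natd, egress filtering so inside machines cannot source spoofed DDoS traffic, and no services on the gateway reachable from outside), written out as an added example that is not part of the original mail or of FreeBSD's own scripts. The interface names fxp0 and fxp1, the 203.0.113.0/24 block (a documentation prefix) and the inside web server address are constructed assumptions; the `${fwcmd}` variable follows the convention of FreeBSD's rc.firewall, here defaulting to `echo ipfw` so the rules are printed for review unless the script is pointed at /sbin/ipfw.

```shell
#!/bin/sh
# Added example, not from the original mail: a minimal ipfw ruleset for a
# FreeBSD gateway that forwards a routed public block without natd.
# Interface names, the 203.0.113.0/24 block (a documentation prefix) and the
# inside web server address are constructed assumptions, not values from the thread.

oif="fxp0"               # outside interface (assumption)
iif="fxp1"               # inside interface (assumption)
inet="203.0.113.0/24"    # the block we route for (constructed)
www="203.0.113.10"       # an inside web server we expose (constructed)

# On the gateway run with fwcmd=/sbin/ipfw; by default the rules are only
# printed, so the script can be reviewed (or tested) without touching a live firewall.
: "${fwcmd:=echo ipfw}"

build_ruleset() {
    $fwcmd -f flush

    # Loopback traffic is fine; 127/8 must never appear on a real interface.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing on the outside: nobody out there may claim our addresses.
    $fwcmd add 1000 deny ip from $inet to any in via $oif
    # Egress filtering on the inside: only our own addresses may leave.
    # This is what keeps inside hosts from sourcing spoofed DDoS traffic.
    $fwcmd add 1100 deny ip from not $inet to any in via $iif

    # Packets belonging to TCP sessions already open pass through.
    $fwcmd add 2000 allow tcp from any to any established

    # Services on the gateway itself: ssh only via the inside interface;
    # connection attempts to the gateway's own addresses from outside are
    # refused and logged ("me" = any address configured on this host).
    $fwcmd add 3000 allow tcp from $inet to me 22 setup in via $iif
    $fwcmd add 3100 deny log tcp from any to me setup in via $oif

    # Inside hosts may open connections outwards and resolve names; the
    # outside may reach the inside web server on port 80 only.
    $fwcmd add 4000 allow tcp from $inet to any setup in via $iif
    $fwcmd add 4100 allow tcp from any to $www 80 setup in via $oif
    $fwcmd add 4200 allow udp from $inet to any 53 in via $iif
    $fwcmd add 4300 allow udp from any 53 to $inet in via $oif
    # Path-MTU and unreachable messages get through; other ICMP does not.
    $fwcmd add 4400 allow icmp from any to any icmptypes 3,4,11

    # Default deny with logging, so what is dropped shows up in the logs.
    $fwcmd add 65000 deny log ip from any to any
}

# Number of "add" rules the script installs, for a quick sanity check.
count_rules() {
    build_ruleset | grep -c ' add '
}

build_ruleset
```

Run it once without `fwcmd` set to read the generated rules, then `fwcmd=/sbin/ipfw sh gateway-ipfw.sh` on the gateway (from the console, not over the ssh session the rules are about to restrict). Rule 1100 is the one that addresses the DDoS concern from the mail, rule 3100 the "services on your gateway" concern; everything not explicitly allowed falls through to the logged default deny at 65000.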