Re: best firewall option for FreeBSD
From: m p (sumirati@yahoo.de)
Date: 02/27/02
Date: Wed, 27 Feb 2002 14:28:46 +0100 (CET) From: m p <sumirati@yahoo.de> To: sec@hict.nl
> Hi all,
>
> I have to build a firewall for our University with 2 NICs. One
> connected to internet and the second connected to the network.
> The e-mail is running on M$ Exchange, but these servers are placed
> outside of the network.
> With the firewall we would like to increase the security, but also make
> it impossible for internal users to use anything else but http, https,
> ssh, ftp-client, pop3-client, Outlook. So it has to be impossible to use
> Morpheus, Kazaa, Napster etc.
>
> What firewall software (Opensource) would you advise? Or do I have to
> choose another OS?
>
> Best regards,
> Geert Houben
Hi Geert,
you can use either ipfw (the firewall I prefer) or ipfilter.
For your case I would use ipfilter. Why?
To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant
with outlook)) you can choose both. But ftp is a braindead (from a firewaller's
view) protocol. You cannot simply make a rule "allow tcp from internal
network to external ftp-server" - because it will use more than one port.
So you should use ipfilter which "inspects" the packets flowing through to get
the new ftp port which has to be open - or use an ftp-proxy (there are some in
the ports, look for one fitting your purpose).
Another thought:
Should this firewall be "visible" to the user? Should he/she know about it? If
not, you can only add a transparent proxy and/or build a bridging rather than
a routing firewall.
If yes, well, why not consider a new infrastructure for your servers in the
net and your users too?
An Exchange server in the internet without firewall (and securing Windows
beforehand - but of course you have done that, haven't you?) is not nearly
secure - for example.
You can work on that detail and a lot more with a new concept which has to
include security concerns, usefulness, manageability (if there is this word),
TOC ....
Hope that helps
Marc
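
The point above about FTP needing more than one port, as an added example that is not part of the original message and is not ipfilter's code: a sketch of what an inspecting helper has to read off the control channel to learn the data port. The function names, the sample session and the policy of rejecting an announced address that differs from the sender's are assumptions made for this illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")  # 229 reply (RFC 2428)


def data_endpoint(line, sender_ip):
    """Return (mode, ip, port) announced by one control-channel line, else None.

    sender_ip is the address that sent the line. An announcement naming any
    other address is dropped instead of opening a path to a third host
    (assumed policy for this example).
    """
    line = line.strip()
    upper = line.upper()
    if upper.startswith("229"):
        m = _EPSV.search(line)
        if not m or not 0 < int(m.group(1)) < 65536:
            return None
        return ("passive", sender_ip, int(m.group(1)))
    if upper.startswith("PORT "):
        mode = "active"    # client listens, server connects back
    elif upper.startswith("227"):
        mode = "passive"   # server listens, client connects out
    else:
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]   # port is sent as two decimal bytes
    if ip != sender_ip or port == 0:
        return None
    return (mode, ip, port)


# Constructed control-channel lines: (sender address, line)
SESSION = [
    ("10.0.0.5", "USER anonymous"),
    ("10.0.0.5", "PORT 10,0,0,5,4,1"),
    ("192.0.2.10", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("192.0.2.10", "229 Entering Extended Passive Mode (|||50000|)"),
    ("10.0.0.5", "PORT 198,51,100,7,0,22"),   # names a third host: rejected
]


def pinholes(session):
    """Data connections a filter would have to permit for this session."""
    return [ep for ip, line in session if (ep := data_endpoint(line, ip))]
```

The ports come out as 1025 and 50000, neither of which a static "allow port 21" rule would cover.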