RE: best firewall option for FreeBSD

From: Barkell, Bill (Bill.Barkell@compuware.com)
Date: 02/27/02


From: "Barkell, Bill" <Bill.Barkell@compuware.com>
To: 'm p' <sumirati@yahoo.de>, sec@hict.nl
Date: Wed, 27 Feb 2002 08:41:28 -0500

How about spending a few more $ and adding a third NIC? This will give you the
ability to add a DMZ for that pesky mail server at a later date.

Bill Barkell

-----Original Message-----
From: m p [mailto:sumirati@yahoo.de]
Sent: Wednesday, February 27, 2002 8:29 AM
To: sec@hict.nl
Cc: freebsd-security@freebsd.org
Subject: Re: best firewall option for FreeBSD

> Hi all,
>
> I have to build a firewall for our University with 2 NICs. One
> connected to the internet and the second connected to the network.
> The e-mail is running on M$ Exchange, but these servers are placed
> outside of the network.
> With the firewall we would like to increase the security, but also make
> it impossible for internal users to use anything else but http, https,
> ssh, ftp-client, pop3-client, Outlook. So it has to be impossible to use
> Morpheus, Kazaa, Napster etc.
>
> What firewall software (Opensource) would you advise? Or do I have to
> choose another OS?
>
> Best regards,
> Geert Houben

Hi Geert,

you can use either ipfw (the firewall I prefer) or ipfilter.

For your case I would use ipfilter. Why?

To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant
with Outlook)) you can choose either. But ftp is a braindead (from a
firewaller's sight) protocol. You cannot simply make a rule "allow tcp from
internal network to external ftp-server" - because it will use more than one
port.

So you should use ipfilter which "inspects" the packets flowing through to
get the new ftp port which has to be opened - or use an ftp-proxy (there are
some in the ports, look for one fitting your purpose).

Another thought:

Should this firewall be "visible" to the user? Should he/she know about it?
If not, you can only add a transparent proxy and/or build a bridging rather
than a routing firewall.
If yes, well, why not consider a new infrastructure for your servers in the
net and your users too?
An Exchange server on the internet without a firewall (and without securing
Windows beforehand - but of course you have done that, haven't you?) is not
nearly secure - for example.
You can work on that detail and a lot more with a new concept which has to
include security concerns, usefulness, manageability (if that is a word),
TCO ....

Hope that helps

Marc
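As an added illustration of the policy Marc describes (not part of the original thread, and not his or Geert's configuration), here is what the egress-only ruleset looks like in ipfilter syntax on FreeBSD, with the FTP problem handled by ipnat's built-in ftp proxy rather than by opening port ranges. Interface names (fxp0 towards the Internet, fxp1 towards the campus), the campus address block 192.0.2.0/24 and the resolver address 192.0.2.53 are assumptions standing in for the university's real values. Two caveats a practitioner would check: the ipnat ftp proxy is a NAT rule, so FTP control and data sessions will leave with the firewall's own address as source (0/32 means "the address of fxp0"); and Outlook talking MAPI to Exchange uses RPC (TCP 135 plus dynamically assigned ports), which this ruleset deliberately does not pass, so the clients must be configured for POP3/SMTP as Marc assumes.

```conf
# /etc/ipf.rules  (assumed: fxp0 = Internet side, fxp1 = campus side,
#                  192.0.2.0/24 = campus addresses, 192.0.2.53 = resolver)
# ipfilter consults its state table before the rule list, so every reply to a
# connection admitted with "keep state" gets through without an inbound rule.

# Loopback is unrestricted.
pass in  quick on lo0 all
pass out quick on lo0 all

# The campus interface is not filtered; policy is enforced on fxp0 only.
pass in  quick on fxp1 all
pass out quick on fxp1 all

# Packets arriving from the Internet that claim a campus source are spoofed.
block in log quick on fxp0 from 192.0.2.0/24 to any

# Outbound from campus: only the listed services, and only the SYN that opens
# the connection ("flags S"). Nothing else can be initiated from inside.
pass out quick on fxp0 proto tcp from 192.0.2.0/24 to any port = 22  flags S keep state
pass out quick on fxp0 proto tcp from 192.0.2.0/24 to any port = 25  flags S keep state
pass out quick on fxp0 proto tcp from 192.0.2.0/24 to any port = 80  flags S keep state
pass out quick on fxp0 proto tcp from 192.0.2.0/24 to any port = 110 flags S keep state
pass out quick on fxp0 proto tcp from 192.0.2.0/24 to any port = 443 flags S keep state

# FTP control channel only. The data channel (PORT or PASV, random port) is
# opened on demand by the ftp proxy in ipnat.rules, which watches the control
# channel and adds the data connection to the state table.
pass out quick on fxp0 proto tcp from 192.0.2.0/24 to any port = 21  flags S keep state

# Without DNS from the campus resolver none of the above is usable.
pass out quick on fxp0 proto udp from 192.0.2.53 to any port = 53 keep state

# Default deny in both directions, logged. This is what blocks Kazaa,
# Morpheus, Napster and friends: they cannot open their own listening or
# outgoing ports, and there is no rule that lets them.
block in  log quick on fxp0 all
block out log quick on fxp0 all

# ---------------------------------------------------------------------------
# /etc/ipnat.rules  (loaded with: ipnat -CF -f /etc/ipnat.rules)
# The ftp proxy must come before the generic portmap rule; ipnat takes the
# first matching rule. 0/32 means "translate to the address of fxp0".
map fxp0 192.0.2.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.0.2.0/24 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 192.0.2.0/24 -> 0/32
```

Load order matters: `ipnat -CF -f /etc/ipnat.rules` first, then `ipf -Fa -f /etc/ipf.rules`, and verify with `ipfstat -io` that the rules took and `ipfstat -sl` / `ipnat -l` that state and proxy entries appear when a client runs an active-mode FTP transfer; if the data channel stalls, the proxy rule is not matching the control connection. Leave the log keyword on the two default-deny rules for the first weeks: `ipmon -o I /var/log/ipf.log` will show exactly which ports the file-sharing clients try, which is the evidence needed when users ask why their application "broke".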


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
