Re: best firewall option for FreeBSD

From: Eric Anderson (anderson@centtech.com)
Date: 02/27/02


Date: Wed, 27 Feb 2002 07:45:27 -0600
From: Eric Anderson <anderson@centtech.com>
To: "Barkell, Bill" <Bill.Barkell@compuware.com>

Speaking of this, what is the appropriate way to add a DMZ? I have a setup kind
of like this (3 nics - 1 to the net, 1 to the "internal" net, and 1 not used).
I would like to use the 3rd NIC to be a DMZ, but I would like to let nearly
everything thru - like stuff for games, internet phone stuff, etc. How can I
implement this and still keep the security of the box uncompromised? Anyone
know of a good FAQ or HOWTO on this? I use ipfilter, and ipnat, so I just
started looking at the map and redir functions to ipnat.

Eric

"Barkell, Bill" wrote:
>
> How about spending a few more $ and adding a third NIC? This will give you the
> ability to add a DMZ for that pesky mail server at a later date.
>
> Bill Barkell
>
> -----Original Message-----
> From: m p [mailto:sumirati@yahoo.de]
> Sent: Wednesday, February 27, 2002 8:29 AM
> To: sec@hict.nl
> Cc: freebsd-security@freebsd.org
> Subject: Re: best firewall option for FreeBSD
>
> > Hi all,
> >
> > I have to build a firewall for our University with 2 NICs. One
> > connected to internet and the second connected to the network.
> > The e-mail is running on M$ Exchange, but these servers are placed
> > outside of the network.
> > With the firewall we would like to increase the security, but also make
> > it impossible for internal users to use anything else but http, https,
> > ssh, ftp-client, pop3-client, Outlook. So it has to be impossible to use
> > Morpheus, Kazaa, Napster etc.
> >
> > What firewall software (Opensource) would you advise? Or do I have to
> > choose another OS?
> >
> > Best regards,
> > Geert Houben
>
> Hi Geert,
>
> you can use either ipfw (the firewall I prefer) or ipfilter.
>
> For your case I would use ipfilter. Why?
>
> To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant
> with outlook)) you can choose both. But ftp is a braindead (from a
> firewaller's sight) protocol. You can not simply make a rule "allow tcp from
> internal network to external ftp-server" - because it will use more than one
> port.
>
> So you should use ipfilter which "inspects" the packets flowing through to
> get the new ftp port which has to be open - or use an ftp-proxy (there are
> some in the ports, look for one fitting your purpose).
>
> Another thought:
>
> Should this firewall be "visible" to the user? Should he/she know about it?
> If not you can only add a transparent proxy and/or build a bridging rather
> than a routing firewall.
> If yes, well, why not consider a new infrastructure for your servers in the
> net and your users too?
> An Exchange server in the internet without firewall (and securing Windows
> beforehand - but of course you have done that, haven't you?) is not nearly
> secure - for example.
> You can work on that detail and a lot more with a new concept which has to
> include security concerns, usefulness, manageability (if there is this
> word), TOC ....
>
> Hope that helps
>
> Marc
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
------------------------------------------------------------------
Eric Anderson	   Systems Administrator      Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------
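Editor's note, not from any poster in this thread: below is an added example of how the three-NIC layout Eric asks about can be expressed with ipnat and ipf, including Marc's point that ftp needs the proxy rather than a plain port rule. The interface names (fxp0 to the internet, fxp1 internal, fxp2 DMZ), the RFC 1918 networks 192.168.1.0/24 (internal) and 192.168.2.0/24 (DMZ), the DMZ mail host 192.168.2.10 and the portmap ranges are all assumptions chosen for the example; the design point is that the DMZ can be reached from outside only on the published port and can never initiate connections into the internal net, while the internal net keeps its game/phone traffic through state and NAT.

```conf
# /etc/ipnat.conf  (assumed: fxp0 = internet, fxp1 = internal, fxp2 = DMZ)
#
# ftp: let the ipnat ftp proxy track the extra data connection (Marc's
# point). This rule must come before the general map rules for fxp0.
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
# Everything else from the internal net is hidden behind the fxp0 address.
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map fxp0 192.168.1.0/24 -> 0/32
# DMZ hosts also leave NATed, from a separate port range (assumed values).
map fxp0 192.168.2.0/24 -> 0/32 portmap tcp/udp 20001:30000
map fxp0 192.168.2.0/24 -> 0/32
# Publish only the DMZ mail server (assumed 192.168.2.10) on the outside.
rdr fxp0 0/0 port 25 -> 192.168.2.10 port 25 tcp

# /etc/ipf.conf
#
# rdr runs before the filter on inbound packets, so the rules on fxp0 below
# already see 192.168.2.10 as the destination of the mail traffic.
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all

# Internal net may initiate to anything, DMZ included; "keep state" carries
# the replies back through whichever interface they arrive on, which is what
# lets games and phone software work without opening fixed inbound ports.
pass in quick on fxp1 proto tcp from 192.168.1.0/24 to any flags S keep state
pass in quick on fxp1 proto udp from 192.168.1.0/24 to any keep state
pass in quick on fxp1 proto icmp from 192.168.1.0/24 to any keep state

# DMZ: never toward the internal net (logged), otherwise out to the internet.
block in log quick on fxp2 from 192.168.2.0/24 to 192.168.1.0/24
pass in quick on fxp2 proto tcp from 192.168.2.0/24 to any flags S keep state
pass in quick on fxp2 proto udp from 192.168.2.0/24 to any keep state

# Internet: only the published DMZ service; nothing unsolicited reaches the
# internal net because no pass-in rule on fxp0 names 192.168.1.0/24.
pass in quick on fxp0 proto tcp from any to 192.168.2.10 port = 25 flags S keep state

# Traffic the firewall box itself originates (resolver, ntp, updates).
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
```

Load order matters: ipnat.conf is read with ipnat -CF -f, ipf.conf with ipf -Fa -f, and the ftp proxy line has to sit above the plain map for the same network or it never matches. The one thing this ruleset deliberately does not do is answer the "let nearly everything thru" wish with a pass-in-all on fxp0: every inbound hole on the external interface is a named rdr plus a matching pass rule, so adding a DMZ game or phone server later means adding one more pair, not loosening the default block.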

