Date:      Thu, 09 Dec 1999 17:31:54 -0800
From:      tomb <tomb@cgf.net>
To:        Adidas Boy <binkieboi@hotmail.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Firewall using FreeBSD 3.3
Message-ID:  <3850580A.5EDA9ABD@cgf.net>
References:  <19991209192616.44422.qmail@hotmail.com>

Adidas Boy wrote:
> 
> Dear FreeBSD Security,
> 
> I have a FreeBSD 3.3 Box that I have installed and I'm trying to
> get a rather secure firewall up to help prevent against basic
> attacks to our system. I have done some research and have installed
> tcpd to only allow certain hosts, and disabled services that I don't
> need to use.
> 
> What I want to happen is I'm going to have the Firewall which has 2 ethernet

I err on the side of caution and go for total layer 1 isolation, i.e.
have 3 NICs.
It also makes the rule building easier.

> cards one configured for the real internet of 205.1.1.x and then the fake
> network of 10.0.0.x. I am going to put several web
> servers and e-mail servers behind the firewall and then hoping
> that I can have all the traffic route thru the firewall to help prevent
> direct attacks to the servers behind the firewall. I'm assuming I could
> somehow use natd and set some kind of static table that would be as follows:
> 
> real inet ip    fake ip behind firewall
> 205.1.1.1 -> 10.0.0.1
> 205.1.1.2 -> 10.0.0.2

Or better still, bind an SMTP proxy to the interface to which your rules
are diverting the mail traffic.  For the web servers I'd go for a pure
divert and armor the web boxes (ideally ssh in, web in, and filters that
deny everything else).  Hopefully you are running Apache, which is as
tough as old boots, which means that you can avoid having a proxy in the
way.  (There is an inherent performance penalty associated with any
proxy.)

> 
> How would I configure natd to do this static routing?  205.1.1.1, 205.1.1.2
> would all be answered by the firewall.

I'm not 100% certain, but I'd bind natd to the inside interface for the
use of the 'soft and chewy' heart of your network (if you have one).
As for the SMTP and POP proxies, shop around and see what's available.  I
use the stuff from the TIS firewall toolkit, but it's a bit on the
'hard-core' side to install.

> 
> Then I would assume I would have to use ipfw to make the firewall
> tighter by only allowing certain connections on certain ports to certain
> machines. So say for instance on machine 205.1.1.2, which was also 10.0.0.2, I
> wanted users to only be able to connect to port 80; what should my ipfw
> configuration look like? Then I would need to have, like, 205.1.1.3 only have
> ports 25 and 110 available?
> 

Sounds like a plan.  The rule building can take a while, and once you've
finished don't forget to nmap the firewall from the outside.


> any help would be greatly appreciated.
> 
> I need your help please! please e-mail directly back to me.
> 
> brian
> 

-- 
Tom Brown
---------


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
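One way to lay out the natd mappings and the ipfw ruleset Brian asks for (static 1:1 translation, port 80 to the web box, 25 and 110 to the mail box, everything else denied), as an added example that is not from the thread or from either poster. The interface names ed0/ed1, the 10.0.0.3 mail host and the rule numbers are assumptions.

```shell
#!/bin/sh
# Added example for the two-NIC layout in the thread, not from the thread itself:
# ed0 faces the real 205.1.1.0/24, ed1 faces the 10.0.0.0/24 server LAN.
# Interface names and the 10.0.0.3 mail host are assumptions.  Needs a kernel
# with IPFIREWALL and IPDIVERT, and natd started with "natd -f natd.conf".
OIF=ed0; IIF=ed1
OUT_NET=205.1.1.0/24; IN_NET=10.0.0.0/24
WEB_PUB=205.1.1.2;  WEB_INT=10.0.0.2
MAIL_PUB=205.1.1.3; MAIL_INT=10.0.0.3

run() { if [ -n "${DRY:-}" ]; then echo "$*"; else "$@"; fi; }   # DRY=1 prints only

# natd.conf: static 1:1 mappings, 205.1.1.2 <-> 10.0.0.2 and 205.1.1.3 <-> 10.0.0.3.
natd_conf() {
  printf 'interface %s\nredirect_address %s %s\nredirect_address %s %s\n' \
    "$OIF" "$WEB_INT" "$WEB_PUB" "$MAIL_INT" "$MAIL_PUB"
}

# The firewall must own the public addresses so that it answers ARP for them.
public_aliases() {
  run ifconfig "$OIF" alias "$WEB_PUB" netmask 255.255.255.255
  run ifconfig "$OIF" alias "$MAIL_PUB" netmask 255.255.255.255
}

# Default-deny ruleset.  Inbound packets pass the divert rule before the filter
# rules, so the per-host rules are written against the translated 10.0.0.x addresses.
fw_rules() {
  run ipfw -f flush
  run ipfw add 50 deny ip from "$IN_NET" to any in via "$OIF"     # anti-spoofing
  run ipfw add 100 divert natd ip from any to any via "$OIF"
  run ipfw add 200 allow ip from any to any via lo0
  run ipfw add 210 deny ip from any to 127.0.0.0/8
  run ipfw add 300 allow tcp from any to any established          # replies to allowed setups
  run ipfw add 400 allow tcp from any to "$WEB_INT" 80 setup      # web box: port 80 only
  run ipfw add 410 allow tcp from any to "$MAIL_INT" 25,110 setup # mail box: SMTP and POP3
  run ipfw add 500 allow tcp from "$IN_NET" to any setup in via "$IIF"    # servers connect out...
  run ipfw add 510 allow tcp from "$OUT_NET" to any setup out via "$OIF"  # ...and leave translated
  run ipfw add 600 allow udp from any to any 53                   # DNS; tighten to your resolver
  run ipfw add 610 allow udp from any 53 to any
  run ipfw add 65000 deny log ip from any to any                  # log what falls through
}

# Dry-run unless invoked as "sh fw.sh apply"; review the printed rules first.
if [ "${1:-}" = "apply" ]; then public_aliases; fw_rules; else DRY=1; public_aliases; fw_rules; fi
```

After loading, the last line of the ruleset logs every packet it drops, which is the quickest way to see what an outside nmap run is hitting.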