From: Jim Dennis
Subject: Re: firewall on FreeBSD
To: sgt@netmedia.net.il (Sergei Barbarash)
Date: Mon, 15 Jul 1996 10:21:02 -0700 (PDT)
Cc: freebsd-questions@freebsd.org
Message-Id: <199607151721.KAA02397@starshine>
In-Reply-To: <199607151342.PAA18010@zaraza.bofh.org.il> from "Sergei Barbarash" at Jul 15, 96 03:42:09 pm

> Hello,
>
> I need to install a firewall - I want it to be based on FreeBSD. What's the
> best way to do it / the best free software to use?

SOCKS plus Darren Reed's IPFilter. Add TCP Wrappers for host-level security,
Tripwire for host-level integrity validation, and maybe some components from
TIS FWTK (Firewall Toolkit) (particularly 'smapd'). Add in a copy of Brent
Chapman's _Building_Firewalls_ book (O'Reilly & Associates); blend, bake and
chill ;).

Seriously -- a firewall has much more to do with designing a policy and not
much to do with the implementation details and components. ftp://rtfm.mit.edu
(or a mirror) and look for the firewalls FAQ.

What are the segments of your LAN?
What are the services that need to flow in each direction between these
segments?
What services are you trying to provide to the Internet?
What services do you want to be accessible from or through the Internet?
Do you want to provide employees remote access? If so -- what
services/applications should be remotely accessible?
What are you trying to protect (draw up scenarios and evaluate -- that is,
come up with cost/risk assessments -- of each)?

If you have to ask such a broad and general question ... you probably should
hire a professional to come in and configure a firewall for you. This is
particularly true if you want to quilt together your own from freeware
components.

Companies like CheckPoint and Borderware sell their products by pitching the
idea that they are a "plug & play" solution that "does it all" and doesn't
require any special knowledge on the part of the admin who sets it up. Both
of these notions make me nervous (so I can't in good faith recommend any of
the integrated commercial firewall products that I've seen).

A firewall is useless without a data security policy.

Jim Dennis,