From owner-freebsd-security Wed Feb 27 5:41:41 2002
Delivered-To: freebsd-security@freebsd.org
Received: from stargate.compuware.com (stargate.compuware.com [166.90.248.158]) by hub.freebsd.org (Postfix) with SMTP id 08EA837B400 for ; Wed, 27 Feb 2002 05:41:34 -0800 (PST)
Received: from [199.186.16.12] by stargate.compuware.com via smtpd (for hub.FreeBSD.org [216.136.204.18]) with SMTP; 27 Feb 2002 13:41:34 UT
Received: from bh1.compuware.com (compuware.com [172.22.1.239]) by cwus-dtw-mr02.compuware.com (Postfix) with ESMTP id 4600174F17; Wed, 27 Feb 2002 08:41:33 -0500 (EST)
Received: by bh1.compuware.com with Internet Mail Service (5.5.2653.19) id ; Wed, 27 Feb 2002 08:41:32 -0500
Message-ID:
From: "Barkell, Bill"
To: 'm p' , sec@hict.nl
Cc: freebsd-security@freebsd.org
Subject: RE: best firewall option for FreeBSD
Date: Wed, 27 Feb 2002 08:41:28 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

How about spending a few more $ and adding a third NIC? This will give you the ability to add a DMZ for that pesky mail server at a later date.

Bill Barkell

-----Original Message-----
From: m p [mailto:sumirati@yahoo.de]
Sent: Wednesday, February 27, 2002 8:29 AM
To: sec@hict.nl
Cc: freebsd-security@freebsd.org
Subject: Re: best firewall option for FreeBSD

> Hi all,
>
> I have to build a firewall for our University with 2 NICs. One
> connected to the internet and the second connected to the network.
> The e-mail is running on M$ Exchange, but these servers are placed
> outside of the network.
> With the firewall we would like to increase the security, but also make
> it impossible for internal users to use anything else but http, https,
> ssh, ftp-client, pop3-client, Outlook. So it has to be impossible to use
> Morpheus, Kazaa, Napster etc.
>
> What firewall software (Opensource) would you advise? Or do I have to
> choose another OS?
>
> Best regards,
> Geert Houben

Hi Geert,

you can use either ipfw (the firewall I prefer) or ipfilter. For your case I would use ipfilter. Why?

To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant with Outlook)) you can choose both. But ftp is a braindead (from a firewaller's sight) protocol. You cannot simply make a rule "allow tcp from internal network to external ftp-server" - because it will use more than one port. So you should use ipfilter, which "inspects" the packets flowing through to get the new ftp port which has to be opened - or use an ftp-proxy (there are some in the ports, look for one fitting your purpose).

Another thought: Should this firewall be "visible" to the user? Should he/she know about it? If not you can only add a transparent proxy and/or build a bridging rather than a routing firewall.

If yes, well, why not consider a new infrastructure for your servers in the net and your users too? An Exchange server in the internet without a firewall (and securing Windows beforehand - but of course you have done that, haven't you?) is not nearly secure - for example. You can work on that detail and a lot more with a new concept which has to include security concerns, usefulness, manageability (if there is this word), TOC ....

Hope that helps

Marc

__________________________________________________________________
Sent from Yahoo! Mail - http://mail.yahoo.de
Want your e-mail even more personalized? - http://domains.yahoo.de

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
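The ruleset below is an added example of the ipfilter setup Marc describes (default deny, only the requested client services allowed out, and ipnat's ftp proxy handling the second FTP connection); it is not from any message in this thread. It assumes a two-NIC routing firewall with fxp0 facing the Internet, fxp1 facing the campus, and the campus on the RFC 1918 net 10.1.0.0/16 that is NATed behind fxp0; all three values are assumptions, as is the udp/53 rule, which is not in Geert's list but which the listed clients cannot work without.

```conf
# /etc/ipf.rules   (added example; fxp0 = Internet NIC, fxp1 = campus NIC,
#                   10.1.0.0/16 = campus network; all three are assumed)
#
# No "quick" on the two block rules, so they are the fall-through default;
# every pass rule below uses "quick" and wins at first match.
block in log all
block out log all

pass in quick on lo0 all
pass out quick on lo0 all

# Campus side: accept only the services Geert listed. Packets that do not
# match one of these never reach fxp0, so the fxp0 rules can stay short.
pass in quick on fxp1 proto tcp from 10.1.0.0/16 to any port = 22  flags S   # ssh
pass in quick on fxp1 proto tcp from 10.1.0.0/16 to any port = 80  flags S   # http
pass in quick on fxp1 proto tcp from 10.1.0.0/16 to any port = 443 flags S   # https
pass in quick on fxp1 proto tcp from 10.1.0.0/16 to any port = 25  flags S   # smtp (Outlook to the external Exchange)
pass in quick on fxp1 proto tcp from 10.1.0.0/16 to any port = 110 flags S   # pop3 client
pass in quick on fxp1 proto tcp from 10.1.0.0/16 to any port = 21  flags S   # ftp control channel only
pass in quick on fxp1 proto udp from 10.1.0.0/16 to any port = 53            # DNS (assumed; not in the original list)

# Internet side: create state on the outgoing SYN (or first UDP packet) so the
# replies are matched by the state table on fxp0 without any "pass in" rule.
# Only traffic already accepted on fxp1 gets here, so one rule per protocol is enough.
pass out quick on fxp0 proto tcp from 10.1.0.0/16 to any flags S keep state
pass out quick on fxp0 proto udp from 10.1.0.0/16 to any port = 53 keep state

# Replies heading back toward the campus: anything leaving on fxp1 was already
# admitted by the state table on fxp0, so pass it.
pass out quick on fxp1 all

# Nothing from the Internet is passed in on fxp0 except state-table replies.


# /etc/ipnat.rules  (added example, same assumptions)
#
# The ftp proxy reads the PORT/PASV exchange on the control channel and opens
# the data connection for that one session only. This is the "inspection" Marc
# refers to: a plain "allow port 21" rule cannot follow the second connection.
map fxp0 10.1.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map fxp0 10.1.0.0/16 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 10.1.0.0/16 -> 0/32
```

Load both files with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`, or set `ipfilter_enable="YES"` and `ipnat_enable="YES"` in /etc/rc.conf so they are loaded at boot; `ipfstat -io` shows the rules as the kernel has them. Because the block rules log, `ipmon -s` gives a running record of what the campus side is trying to reach, which is the quickest way to see whether the port list is complete. One caveat the thread only hints at: this filter blocks the P2P clients' own ports, but those programs fall back to port 80 when blocked, so the transparent HTTP proxy Marc mentions is what actually enforces the "http only" part, not the packet filter alone.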