Date: Wed, 27 Feb 2002 08:41:28 -0500 From: "Barkell, Bill" <Bill.Barkell@compuware.com> To: 'm p' <sumirati@yahoo.de>, sec@hict.nl Cc: freebsd-security@freebsd.org Subject: RE: best firewall option for FreeBSD Message-ID: <A58643BEDEF7D211BABB0008C75D853F0A5F66ED@fhpri01.compuware.com>
next in thread | raw e-mail | index | archive | help
How about spending a few more $ and add a third NIC? This will give you the ability to add a DMZ for that pesky mail server at a later date. Bill Barkell -----Original Message----- From: m p [mailto:sumirati@yahoo.de] Sent: Wednesday, February 27, 2002 8:29 AM To: sec@hict.nl Cc: freebsd-security@freebsd.org Subject: Re: best firewall option for FreeBSD > Hi all, > > I have to build a firewall for our University with 2 NIC's. One > connected to internet and the second connected to the network. > The e-mail is running on M$ Exchange, but this servers are placed > outside of the network. > With the firewall we would like to increase the security, but also make > it impossible for internal users to use anything else but http, https, > ssh, ftp-client,pop3-client, Outlook. So it has to be impossible to use > Morpheus, Kazaa, Napster etc. > > What firewall software (Opensource) would you advice? Or do I have to > choose another OS? > > Best regards, > Geert Houben Hi Geert, you can use either ipfw (the firewall I prefer) or ipfilter. For your case I would you ipfilter. Why? To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant with outlook)) you can choose both. But ftp is a braindead (from a firewaller sight) protocol. You can not simple make a rule "allow tcp from internal network to external ftp-server" - because it will use more than one port. So you should use ipfilter which "inspects" the pakets flowing through to get the new ftp port which have to be open - or use a ftp-proxy (there are some in the ports, look for one fitting your purpose). Another thought: Should this firewall be "visible" to the user? Should he/she know about it? If not you can only add a transparent proxy and/or building a bridging rather than a routing firewall. If yes, well, why not considering a new infrastructure for your servers in the net and your users too? An Exchange server in the internet without firewall (and securing Windows behorehand - but of course you have done that, haven't you?) is not nearly secure - for example. You can work on that detail and a lot more with a new concept which have to include security concerns, usefulness, managebility (if there is this word), TOC .... Hope that helps Marc __________________________________________________________________ Gesendet von Yahoo! Mail - http://mail.yahoo.de Ihre E-Mail noch individueller? - http://domains.yahoo.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?A58643BEDEF7D211BABB0008C75D853F0A5F66ED>