Date: Wed, 02 Jul 1997 11:34:35 +0300
From: Nadav Eiron <nadav@barcode.co.il>
To: greg baxter <greg@microa.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: firewalls...
Message-ID: <33BA129B.1826@barcode.co.il>
References: <3.0.1.32.19970701221152.007dab40@microa.com>
greg baxter wrote:
>
> we want to firewall our local net using freebsd 2.2.
>
> a little confused, we put two nics in one bsd machine,
> each with its own different network (not just diff host).
>
> the idea is, we need it to:
>
> hit our inet router, a t1 interface when called to do so
> by any local machine. this is on net 'a'. i suppose this
> is the only host that will be on net 'a' other than the
> nic in the bsd box. right?
>
> route ip data for us, with appropriate filtering via ipfw.
> from net 'b' to net 'a' (net 'a' is the internet side of
> things).
>
> do we need to configure this machine as a 'gateway' as
> defined in rc.conf? turn on 'routing' in same rc file?
>
> right now, our default gateway is just the t1 router (ascend
> pipeline) and all works well, but the ascend is on the same
> net as everything else.
>
> have read the o'reilly book, and at least *believe* i'm on the
> right track.

Which O'Reilly book? Get a book on firewalls and security if you want to read on the subject (for example, Addison Wesley has: Firewalls and Internet Security - Repelling the Wily Hacker, by Cheswick and Bellovin).

> any help you guys can toss my way is really gonna be
> very much appreciated, i'd like to get this thing up and
> going soon.
>
> thanks in advance -- greg

Basically, you're on the right track. Whether this machine will actually be a gateway depends on what type of firewall you want. For a packet filtering firewall (one whose main weapon is ipfw and friends), you'll need it set to YES. For routing, running a routing daemon on a firewall is generally considered bad practice. You don't run something on a firewall unless you have to, so in a simple configuration like yours, I'd use static routing.

Nadav
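As an added illustration of the advice above (not part of the thread), here is what the dual-NIC setup looks like in rc.conf terms, with forwarding on, routed off, a static default route to the T1 router, and a stateless ipfw ruleset that rejects spoofed LAN addresses arriving from net 'a' and lets only replies back in. The interface names ed0/ed1, the 192.168.1.0/24 LAN and the 10.0.0.1 router address are constructed placeholders; it also assumes rc.firewall loads a rules file when firewall_type names one.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed values: ed0/ed1 interface
# names, the 192.168.1.0/24 LAN and the 10.0.0.1 router are placeholders.
OUTSIDE_IF=ed0              # NIC on net 'a', the Ascend router's side
INSIDE_IF=ed1               # NIC on net 'b', the internal LAN
INSIDE_NET=192.168.1.0/24   # addresses used on net 'b'
ROUTER=10.0.0.1             # the Ascend Pipeline's address on net 'a'

# Lines for /etc/rc.conf: forward between the NICs, but route statically
# (no routed) and hand the whole ruleset to ipfw at boot.
rc_conf_fragment() {
  cat <<EOF
gateway_enable="YES"
router_enable="NO"
defaultrouter="$ROUTER"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
EOF
}

# Contents of /etc/ipfw.rules (assumes rc.firewall loads the file named in
# firewall_type). ipfw checks each packet both on the way in and on the way
# out, and this ruleset is stateless, so the inbound checks do the real work.
ipfw_rules() {
  echo "add 100 allow ip from any to any via lo0"
  echo "add 110 deny ip from 127.0.0.0/8 to any"
  # anti-spoofing: our own LAN addresses never legitimately arrive from net 'a'
  echo "add 200 deny log ip from $INSIDE_NET to any in via $OUTSIDE_IF"
  # only LAN addresses may enter on the inside NIC (egress filtering)
  echo "add 210 allow ip from $INSIDE_NET to any in via $INSIDE_IF"
  echo "add 220 deny log ip from any to any in via $INSIDE_IF"
  # whatever passed the inbound checks may leave on either NIC
  echo "add 300 allow ip from any to any out via $OUTSIDE_IF"
  echo "add 310 allow ip from any to $INSIDE_NET out via $INSIDE_IF"
  # from the Internet, accept only replies: established TCP, DNS answers, ICMP
  echo "add 400 allow tcp from any to any in via $OUTSIDE_IF established"
  echo "add 410 allow udp from any 53 to $INSIDE_NET in via $OUTSIDE_IF"
  echo "add 420 allow icmp from any to any"
  # everything else (new inbound connections included) is dropped and logged
  echo "add 65000 deny log ip from any to any"
}

rc_conf_fragment
echo "----"
ipfw_rules
```

Hosts on net 'b' point their default route at the firewall's inside address rather than at the Ascend, which is what makes the filter sit in the path.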