From owner-freebsd-questions@FreeBSD.ORG Tue Dec 16 07:20:17 2003 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2BBFD16A4CE for ; Tue, 16 Dec 2003 07:20:17 -0800 (PST) Received: from smtp.infracaninophile.co.uk (ns0.infracaninophile.co.uk [81.2.69.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7877343D2D for ; Tue, 16 Dec 2003 07:20:13 -0800 (PST) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [127.0.0.1]) hBGFImD3021452 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 16 Dec 2003 15:19:37 GMT (envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk) Received: (from matthew@localhost)id hBGFIkvM021431; Tue, 16 Dec 2003 15:18:46 GMT (envelope-from matthew) Date: Tue, 16 Dec 2003 15:18:08 +0000 From: Matthew Seaman To: Gareth Bailey Message-ID: <20031216151808.GA20944@happy-idiot-talk.infracaninophile.co.uk> Mail-Followup-To: Matthew Seaman , Gareth Bailey , freebsd-questions@freebsd.org References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="5vNYLRcllDrimb99" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.5.1i X-Spam-Status: No, hits=-4.9 required=5.0 tests=AWL,BAYES_00,CASHCASHCASH autolearn=ham version=2.60 X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on happy-idiot-talk.infracaninophile.co.uk cc: freebsd-questions@freebsd.org Subject: Re: Windows client - internet connection sharing X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Dec 2003 15:20:17 -0000 --5vNYLRcllDrimb99 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Dec 15, 2003 at 07:40:14PM +0200, Gareth Bailey wrote: > Is it possible to set up a freebsd server connected to an > ADSL line to provide internet access via LAN to a number of > Windows clients. I don't know where to start. Any > information in this regard will be greatly appreciated. Yes, absolutely. However, there are such a huge number of variations on possible ways of doing that that it's impossible to describe everything you'ld need to know in a simple e-mail. Lets look at a few questions you'ld need to answer: 1) ADSL router or modem? This is all about how you interface your FreeBSD system to ADSL -- the basic choice is between a router: a standalone unit which you plug the phone line into one side of, and an ethernet cable into the other -- or a modem: this is a device that plugs into a serial or USB port on your FreeBSD box. Routers will work entirely independently of your FreeBSD machine. Since your connection to them is via ethernet, there's practically no compatibility problems. Depending on how much money you spend, your can get routers which provide packet filtering, network and port address translation, DNS, DHCP and various other capabilities -- although if you go to the expense of buying a really capable router there's not much left to do for your FreeBSD box. Modems are the other end of this scale: you need to find a device for which appropriate drivers are available under FreeBSD. Once you've got the modem connected up, you'll need to use the attached FreeBSD box to provide appropriate functionality to make a practicable ADSL connection. This includes running PPPoA or PPPoE (A =3D ATM, E =3D Ethernet: all ADSL in the UK is PPPoA, other countries do things differently) to establish networking into your service provider. You would use the standard FreeBSD stuff to do NAT and firewall packet filtering, and you can install DHCP servers and so forth. Effectively the FreeBSD box + modem takes the place of the standalone router above. 2) What sort of address space do you want to have assigned to you from your ISP? The cheapest ADSL accounts give you a single Internet-routable IP number, usually assigned via DHCP. There can be an implicit assumption that you've basically got just one machine you want to have net access, although this is becoming less common nowadays. Lots of ISPs will give you two addresses: this is intended to give you an address for the router box, plus an address for a real PC. Next step up is to get that one or two addresses permanently assigned to you. Beyond that, you can get a routed connection -- you get a small net block permanently assigned to you, as well as the single IP used for the WAN side of your router. This enables you to set up a 'DMZ' network, and for instance have several servers visible on the Internet. Many ISPs will have local policies forbidding you from running servers of various sorts, mostly as a way of protecting the ISP from the awful consequences of allowing Windoze machines out on the open Internet in the hands of the clueless. 3) A consequential decision related to the above: do you want some or all of your Windows (or other) LAN machines to have Internet routable addresses or to run Internet visible services? There's several ways of doing this: DMZ network -- classic firewall design. Here the Internet accessible machines are kept on a separate small sub-net, and you have a second packet-filtering router (generally a machine with a couple of network cards, running natd and ipfw or similar) between that and your private internal network. Packet filtering bridge -- similar to the above, except that the DMZ is and the internal private stuff are now technically on the same subnet, and your packet filter serves to separate public and private parts of the subnet. This is a much harder setup to get working effectively and securely than either of the other two, so use only as a last resort. NAT address proxying -- your NAT gateway has one or more IP addresses assigned and the NAT gateway knows how to forward incoming connections to an internal server. Or you run proxy servers on the Internet visible addresses which will accept incoming connections and relay them to the real servers on the internal network. Taken to the extreme, you could use this sort of setup to do load balancing and other fancy networking tricks, but you'ld probably have to spend $$$ to by the right sort of hardware load balancing kit needed. 4) From the point of view of the private side of your network, the FreeBSD box should minimally appear as the default gateway to the Internet. You can assign IP addresses and other configuration parameters to each machine manually or you can run various network servers to provide a level of autoconfiguration and subnet wide resources. Generally these do not need to be run on the gateway machine, and in many ways it's better to keep them on separate servers. However, not being made of money, that may not be entirely practical: if you're going to run DNS, DHCP, Samba, Kerberos, LDAP, Sendmail, Apache etc. on the gateway machine you will a) make the firewall rule set you need on that box significantly more complicated, b) have to take extra care when configuring those servers that you don't unintentionally expose them on the Internet side of the box and c) give potential attackers a lot more scope for finding an exploitable flaw. Most server software on Unix machines can be configured to bind to a subset of the available network interfaces. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK --5vNYLRcllDrimb99 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/3yIwdtESqEQa7a0RAkKBAJ9AhEnErnrvbZX4XLjQDCU3bXaq+ACeMNaT prC076TOLsbcuPs6Q4JmWj0= =pkXM -----END PGP SIGNATURE----- --5vNYLRcllDrimb99--