From owner-freebsd-questions Sun Nov 22 10:38:45 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA00258 for freebsd-questions-outgoing; Sun, 22 Nov 1998 10:38:45 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from caladan.tdx.co.uk (caladan.tdx.co.uk [195.188.177.4]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA00250 for ; Sun, 22 Nov 1998 10:38:41 -0800 (PST) (envelope-from kpielorz@tdx.co.uk)
Received: from localhost (kpielorz@localhost) by caladan.tdx.co.uk (8.9.1/8.9.1) with ESMTP id SAA36568; Sun, 22 Nov 1998 18:37:40 GMT
Date: Sun, 22 Nov 1998 18:37:40 +0000 (GMT)
From: Karl Pielorz
To: Antonio Bemfica
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall Question
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, 22 Nov 1998, Antonio Bemfica wrote:

> This question might be better suited to a firewall list, but since I'd
> implement a firewall with FreeBSD, I decided to run the risk of asking it
> here:
>
> Must the machine acting as the firewall be physically "between" the
> machines it is to protect and the rest of the world:
>
>   world --> firewall box --> Hub --> protected machines
>
> or is it possible to specify routes so that packets on the way to the
> protected machines would be filtered by the firewall box before being
> allowed to continue:
>
>   world --> Hub --> firewall box --> protected machines
>
> If so, I assume these routes would have to be set someplace before the
> packets hit the hub on the subnet where the machines are. I'm fairly new
> at this, and would appreciate any help I can get.

You can run a 'ships-in-the-night' firewall system (i.e. have the firewall
with 1 network card, and route between 2 IP networks on the same card) -
but this is potentially risky...
If someone screws up a subnet mask somewhere (either deliberately or
accidentally) they can end up seeing the 'raw' traffic... (In fact even if
they accidentally pick the wrong IP address - they can end up 'nudging'
themselves onto the other (i.e. world/raw) IP network...)

You can potentially get rid of 1 hub by using a cross-over cable or BNC
connection to the hub... We have:

  Cisco 2503              Crossover cable    FreeBSD box (firewall)    Us
  (AUI - UTP Connector)   -------X-------    (2 Network cards)         (Hub)

Some network cards are a bit fussy about crossover cables (particularly fxp
(Intel Pro 100's etc.))

If you can, I'd certainly go for the extra security of 2 network cards... :-)

Regards,

Karl
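To make the risk Karl describes concrete, here is an added Python model (not part of the thread) of the two placements: a single-card firewall with both IP networks on one hub, versus a two-card firewall with the world and protected sides on separate segments. The addresses (198.51.100.0/24 for the world side, 10.0.0.0/24 for the protected side) and host names are constructed assumptions for the example; it checks whether a protected host's traffic must pass the firewall or can reach the world side directly at layer 2.

```python
"""Reachability model for single-card vs. two-card firewall placement.

A "segment" is one layer-2 broadcast domain (a hub or a crossover cable).
A host is a list of (segment, "ip/prefix") interfaces. Constructed example.
"""
from ipaddress import ip_interface


def build(two_nics: bool):
    """Return (hosts, segment the protected machines sit on)."""
    if two_nics:
        # world --X-- firewall --hub-- protected: two cards, two segments
        firewall = [("outside", "198.51.100.2/24"), ("inside", "10.0.0.1/24")]
        world_seg, protected_seg = "outside", "inside"
    else:
        # "ships in the night": one card, both IP networks on the same hub
        firewall = [("hub", "198.51.100.2/24"), ("hub", "10.0.0.1/24")]
        world_seg = protected_seg = "hub"
    hosts = {"world": [(world_seg, "198.51.100.1/24")], "firewall": firewall}
    return hosts, protected_seg


def direct_reach(hosts, src_ifaces, dst_name) -> bool:
    """True if src can talk to dst without going through a router: they share
    a segment and dst's address falls inside src's own idea of its subnet."""
    for seg, cidr in src_ifaces:
        net = ip_interface(cidr).network
        for dseg, dcidr in hosts[dst_name]:
            if dseg == seg and ip_interface(dcidr).ip in net:
                return True
    return False


def path(two_nics: bool, protected_cidr: str) -> str:
    """How a protected host configured as protected_cidr reaches the world.
    A wrong mask (e.g. /0) or a world-side address models the misconfiguration
    Karl warns about; on a shared hub the raw frames are visible anyway."""
    hosts, seg = build(two_nics)
    src = [(seg, protected_cidr)]
    if direct_reach(hosts, src, "world"):
        return "direct (bypasses firewall)"
    if direct_reach(hosts, src, "firewall"):
        return "via firewall"
    return "unreachable"


if __name__ == "__main__":
    for nics, cfg in [(False, "10.0.0.5/24"), (False, "10.0.0.5/0"),
                      (False, "198.51.100.9/24"), (True, "198.51.100.9/24")]:
        print(f"{'2 cards' if nics else '1 card '} host {cfg:18} -> {path(nics, cfg)}")
```

With one card, a host that picks a world-side address or a too-wide mask gets a direct path around the filter; with two cards the same mistake only leaves that host unreachable.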