Date: Wed, 27 Feb 2002 07:45:27 -0600 From: Eric Anderson <anderson@centtech.com> To: "Barkell, Bill" <Bill.Barkell@compuware.com> Cc: freebsd-security@freebsd.org Subject: Re: best firewall option for FreeBSD Message-ID: <3C7CE2F7.B188503D@centtech.com> References: <A58643BEDEF7D211BABB0008C75D853F0A5F66ED@fhpri01.compuware.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Speaking of this, what is the appropriate way to add a DMZ? I have a setup kind of like this (3 nics - 1 to the net, 1 to the "internal" net, and 1 not used). I would like to use the 3rd NIC to be a DMZ, but I would like to let nearly everything thru - like stuff for games, internet phone stuff, etc. How can I implement this and still keep the security of the box uncomprimised? ANyone know of a good FAQ or HOWTO on this? I use ipfilter, and ipnat, so I just started looking at the map and redir functions to ipnat. Eric "Barkell, Bill" wrote: > > How about spending a few more $ and add a third NIC? This will give you the > ability to add a DMZ for that pesky mail server at a later date. > > Bill Barkell > > -----Original Message----- > From: m p [mailto:sumirati@yahoo.de] > Sent: Wednesday, February 27, 2002 8:29 AM > To: sec@hict.nl > Cc: freebsd-security@freebsd.org > Subject: Re: best firewall option for FreeBSD > > > Hi all, > > > > I have to build a firewall for our University with 2 NIC's. One > > connected to internet and the second connected to the network. > > The e-mail is running on M$ Exchange, but this servers are placed > > outside of the network. > > With the firewall we would like to increase the security, but also make > > it impossible for internal users to use anything else but http, https, > > ssh, ftp-client,pop3-client, Outlook. So it has to be impossible to use > > Morpheus, Kazaa, Napster etc. > > > > What firewall software (Opensource) would you advice? Or do I have to > > choose another OS? > > > > Best regards, > > Geert Houben > > Hi Geert, > > you can use either ipfw (the firewall I prefer) or ipfilter. > > For your case I would you ipfilter. Why? > > To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant > with outlook)) you can choose both. But ftp is a braindead (from a > firewaller > sight) protocol. You can not simple make a rule "allow tcp from internal > network to external ftp-server" - because it will use more than one port. > > So you should use ipfilter which "inspects" the pakets flowing through to > get > the new ftp port which have to be open - or use a ftp-proxy (there are some > in > the ports, look for one fitting your purpose). > > Another thought: > > Should this firewall be "visible" to the user? Should he/she know about it? > If > not you can only add a transparent proxy and/or building a bridging rather > than > a routing firewall. > If yes, well, why not considering a new infrastructure for your servers in > the > net and your users too? > An Exchange server in the internet without firewall (and securing Windows > behorehand - but of course you have done that, haven't you?) is not nearly > secure - for example. > You can work on that detail and a lot more with a new concept which have to > include security concerns, usefulness, managebility (if there is this word), > TOC .... > > Hope that helps > > Marc > > __________________________________________________________________ > > Gesendet von Yahoo! Mail - http://mail.yahoo.de > Ihre E-Mail noch individueller? - http://domains.yahoo.de > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology If at first you don't succeed, sky diving is probably not for you. ------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3C7CE2F7.B188503D>