From owner-freebsd-questions Tue May 23 19:25:37 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from hermes.avantgo.com (ws1.avantgo.com [207.214.200.194]) by hub.freebsd.org (Postfix) with ESMTP id 753AA37BB7A for ; Tue, 23 May 2000 19:25:31 -0700 (PDT) (envelope-from scott@avantgo.com)
Received: from river.avantgo.com (river.avantgo.com [10.0.128.30]) by hermes.avantgo.com (Postfix) with ESMTP id DC2F62E; Tue, 23 May 2000 19:25:29 -0700 (PDT)
Date: Tue, 23 May 2000 19:25:36 -0700 (PDT)
From: Scott Hess
To: Lehquin@aol.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: firewall, how much horsepower?
In-Reply-To: <9f.5b1fdb1.265b3b7a@aol.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 22 May 2000 Lehquin@aol.com wrote:
> I'm thinking about a network connection to the internet, either ISDN
> or DSL router. If I want to set up a firewall using FreeBSD, how much
> horsepower does the box need? I'm thinking that it won't need much
> power to just pass IP packets back and forth. It will just need
> 2 ethernet cards, right? Would a 486 66 w/ pentium upgrade chip and
> 64Meg Ram be enough?

Long long ago, I used a 66MHz 486 w/32M of RAM as a firewall/NAT box, under RedHat 4.2. It was way overpowered for that job. The primary reason I upgraded it was that: a) the 486 was very loud and big, and b) if I ever wanted to rebuild a kernel or something to try out a wacky new feature related to what the box did, it took literally forever.

> Regardless of the horsepower, what about other services? Can I run
> sendmail and DNS on the same box that's the firewall? How do I
> make sure that the "Server Services" are protected behind the firewall
> even though they are on the same box? Would this mean that the
> server services would answer TCP/IP packets only on the ethernet
> interface that is on my side of the firewall?
You can do all of this; the question is whether you should. If you aren't running any services on the firewall box, then those services cannot be used to break into the firewall box. If you run sendmail, someone can still crack the box sendmail is running on, but you can still have a working firewall (instead of turning off the firewalling, the cracker can poke a port back out - but at least other people can't just waltz in at that point).

My feeling for home networks is that it doesn't really make much difference. After all, once they've broken into one of your machines, they _most_ likely can break the others at their leisure, anyhow.

That said, you can certainly arrange so that services only listen on internal ports, and you can arrange that the firewalling rules do not forward packets from the outside world to your selected services. Either option is probably sufficient, but I'd try hard to do both, if I could.

Later,
scott
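As an added illustration (not part of Scott's message and not FreeBSD's own tooling), the Python model below mirrors the two arrangements in his last paragraph: ipfw-style first-match rules that refuse outside traffic to ports 25 and 53, and daemons bound only to the inside address. Interface names, addresses and the rule set are constructed assumptions; the scenario table shows why doing both matters, since an outside SMTP connection stays blocked when either defence alone is removed.

```python
"""Model of the two arrangements from the reply: daemons bound only to the
inside address, and ipfw-style rules that refuse outside traffic to them.
Interface names, addresses and rules are constructed for illustration."""
from collections import namedtuple

EXT_IF, INT_IF = "ed0", "ed1"                    # assumed: outside and inside NICs
EXT_ADDR, INT_ADDR = "203.0.113.10", "10.0.0.1"  # constructed addresses
# Packet: arrival interface, destination address, destination port.
Packet = namedtuple("Packet", "iface dst dport")
# Rule: "allow"/"deny", set of dst ports (None = any), interface (None = any).
Rule = namedtuple("Rule", "action dports via")

# ipfw semantics: the first matching rule decides; a default-to-deny kernel
# drops whatever no rule matched.
FIREWALL = [
    Rule("deny", frozenset({25, 53}), EXT_IF),  # no outside access to SMTP/DNS
    Rule("allow", None, INT_IF),                # the LAN may talk to the box
]
# sendmail's DaemonPortOptions=Addr= and named's listen-on, both set to the
# inside address, give this listener table; "*" would mean bound everywhere.
LISTENERS = {(INT_ADDR, 25), (INT_ADDR, 53)}

def firewall_verdict(pkt, rules=FIREWALL):
    for r in rules:
        if r.via in (None, pkt.iface) and (r.dports is None or pkt.dport in r.dports):
            return r.action
    return "deny"

def service_reachable(pkt, listeners=LISTENERS, rules=FIREWALL):
    """True only if the firewall passes the packet AND some socket is bound
    to that destination address and port."""
    if firewall_verdict(pkt, rules) != "allow":
        return False
    return any(a in ("*", pkt.dst) and p == pkt.dport for a, p in listeners)

OUTSIDE_SMTP = Packet(EXT_IF, EXT_ADDR, 25)
INSIDE_SMTP = Packet(INT_IF, INT_ADDR, 25)
NO_FIREWALL = [Rule("allow", None, None)]        # firewalling switched off
BIND_EVERYWHERE = {("*", 25), ("*", 53)}         # daemons listening on all addresses

def summary():
    """Outside SMTP stays blocked unless both defences are removed."""
    return {
        "outside, both": service_reachable(OUTSIDE_SMTP),
        "outside, firewall only": service_reachable(OUTSIDE_SMTP, BIND_EVERYWHERE),
        "outside, binding only": service_reachable(OUTSIDE_SMTP, rules=NO_FIREWALL),
        "outside, neither": service_reachable(OUTSIDE_SMTP, BIND_EVERYWHERE, NO_FIREWALL),
        "inside, both": service_reachable(INSIDE_SMTP),
    }
```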