Date:      Tue, 4 Feb 2003 12:40:52 +0100 (CET)
From:      Dirk-Willem van Gulik <dirkx@webweaving.org>
To:        Peter <fbsdq@kuyarov.org>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: FBSD firewall in front of windows IIS servers  HOW
Message-ID:  <20030204123237.A68739-100000@foem.leiden.webweaving.org>
In-Reply-To: <20030203152311.7af897d4.fbsdq@kuyarov.org>



On Mon, 3 Feb 2003, Peter wrote:

> 	Just wondering what would be the best way to do this...
>
> 		INTERNET----FBSD FIREWALL----WINDOWS IIS SERVER
>
> Basically what would be the best way to have freebsd accept incoming
> connections, run them thru the firewall, and all the packets that pass
> forward them to internal windows machines.  I don't want the windows
> boxen directly on the net, I want to put a FBSD firewall in front of
> them, and so far the best option I've found on how to do this is to
> have the windows boxen be 192.168.x.x and have the fbsd boxen forward
> all connections to "public_ip" to the windows box via natd.  Does this
> seem like a good plan? Or anyone know of another better way to do this?

Though that is a good way of doing things; I would strongly recommend,
if IIS is the only service, to do this differently and not do anything on
packet level but on app level:

	internet---->publicIP [ FreeBSD ]<--private IP--> IIS
                              apache proxy

I.e: not run any NAT, routing etc; but simply use apache configured as
a pass through proxy:

	<VirtualHost OUTSIDEIP:80>
		ProxyPass		/	http://192.168.1.2/
		ProxyPassReverse	/	http://192.168.1.2/
	</VirtualHost>

As this will allow apache to guard against bogus headers, buffer overruns
and the usual fun and games. See directives like:

	LimitRequestBody
	LimitRequestFields
	LimitRequestFieldSize
	LimitRequestLine

Though they are sensibly set; if you use a lot of ASP/VB-script you may
want to reduce a few.

This will also speed up your installation considerably if you have a lot
of slow modem users or high packet drop.

Dw
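Added example, not from the original e-mail: a small Python model of what the four Apache limit directives named above reject at the proxy before a request ever reaches the IIS box. The limit values and the sample requests are constructed for illustration (8190 bytes and 100 fields are Apache's documented defaults for the line/field limits; the body limit here is an assumption).

```python
# Model of Apache's LimitRequestLine / LimitRequestFields /
# LimitRequestFieldSize / LimitRequestBody checks, applied to raw HTTP
# requests. Values are illustrative; Apache's defaults are 8190 bytes for
# the request line and for each header field, and 100 header fields.
LIMITS = {
    "LimitRequestLine": 8190,        # max bytes of "GET /path HTTP/1.1"
    "LimitRequestFieldSize": 8190,   # max bytes of one header line
    "LimitRequestFields": 100,       # max number of header lines
    "LimitRequestBody": 1_000_000,   # max body bytes (assumed value)
}


def check_request(raw: bytes, limits=LIMITS):
    """Return None if the request is within limits, else the name of the
    directive it violates (the check order mirrors Apache: request line,
    then header fields, then the declared body size)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, fields = lines[0], lines[1:]
    if len(request_line) > limits["LimitRequestLine"]:
        return "LimitRequestLine"
    if len(fields) > limits["LimitRequestFields"]:
        return "LimitRequestFields"
    declared = None
    for field in fields:
        if len(field) > limits["LimitRequestFieldSize"]:
            return "LimitRequestFieldSize"
        name, _, value = field.partition(b":")
        if name.strip().lower() == b"content-length":
            declared = int(value.strip())
    # Apache checks Content-Length before reading the body at all.
    body_len = declared if declared is not None else len(body)
    if body_len > limits["LimitRequestBody"]:
        return "LimitRequestBody"
    return None


# Constructed sample requests (not captured traffic).
OK_REQ = b"GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LONG_LINE = b"GET /" + b"A" * 9000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BIG_HEADER = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\nCookie: "
              + b"x" * 9000 + b"\r\n\r\n")
MANY_FIELDS = (b"GET / HTTP/1.1\r\n"
               + b"".join(b"X-Pad-%d: 1\r\n" % i for i in range(150)) + b"\r\n")
BIG_BODY = (b"POST /form.asp HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Content-Length: 2000000\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("ok", OK_REQ), ("long line", LONG_LINE),
                       ("big header", BIG_HEADER), ("many fields", MANY_FIELDS),
                       ("big body", BIG_BODY)]:
        print(f"{label:12s} -> {check_request(req)}")
```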





