From: Dirk-Willem van Gulik
Date: Tue, 4 Feb 2003 12:40:52 +0100 (CET)
To: Peter
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: FBSD firewall in front of windows IIS servers HOW
In-Reply-To: <20030203152311.7af897d4.fbsdq@kuyarov.org>
Message-ID: <20030204123237.A68739-100000@foem.leiden.webweaving.org>

On Mon, 3 Feb 2003, Peter wrote:

> Just wondering what would be the best way to do this...
>
>   INTERNET----FBSD FIREWALL----WINDOWS IIS SERVER
>
> Basically what would be the best way to have freebsd accept incoming
> connections, run them thru the firewall, and all the packets that pass
> forward them to internal windows machines. I don't want the windows boxen
> directly on the net, I want to put a FBSD firewall in front of them, and
> so far the best option I've found on how to do this is to have the windows
> boxen be 192.168.x.x and have the fbsd boxen forward all connections to
> "public_ip" to the windows box via natd. Does this seem like a good
> plan?
> Or anyone know of another better way to do this?

Though that is a good way of doing things; I would strongly recommend, if
IIS is the only service, to do this differently and not do anything on
packet level but on app level:

  internet ----> public IP [ FreeBSD ] <-- private IP --> IIS
                            apache proxy

I.e: not run any NAT, routing etc; but simply use apache configured as a
pass through proxy:

  ProxyPass        / http://192.168.1.2/
  ProxyPassReverse / http://192.168.1.2/

As this will allow apache to guard against bogus headers, buffer overruns
and the usual fun and games. See directives like:

  LimitRequestBody
  LimitRequestFields
  LimitRequestFieldSize
  LimitRequestLine

Though they are sensibly set; if you use a lot of ASP/VB-script you may
want to reduce a few.

This will also speed up your installation considerably if you have a lot
of slow modem users or high packet drop.

Dw
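The reverse-proxy setup described in the reply, written out as a complete Apache httpd configuration. This is an added example, not configuration from the mail or from the FreeBSD project; it assumes Apache httpd 2.4 from the FreeBSD apache24 port (module paths relative to a /usr/local ServerRoot), the IIS host at 192.168.1.2 as in the mail, and www.example.com as a placeholder hostname. The LimitRequest* values are constructed for a plain web site and are tighter than Apache's defaults.

```apache
# Added example (not from the original mail): Apache httpd 2.4 on the
# FreeBSD box acting as a pass-through proxy in front of IIS.
# Assumptions: apache24 port layout (ServerRoot /usr/local), IIS reachable
# on the private side at 192.168.1.2, hostname www.example.com is a placeholder.

LoadModule proxy_module       libexec/apache24/mod_proxy.so
LoadModule proxy_http_module  libexec/apache24/mod_proxy_http.so

# Never act as an open forward proxy: only the explicit ProxyPass mappings
# below are honoured. Leaving this On would let anyone relay through the box.
ProxyRequests Off

# Request-size limits enforced by Apache before anything reaches IIS.
# Constructed values for a plain web site; raise LimitRequestBody if the
# site accepts large form posts or uploads.
LimitRequestLine       4094
LimitRequestFieldSize  4094
LimitRequestFields     50
LimitRequestBody       1048576

# Drop slow or stalled clients early so they do not tie up an IIS worker.
Timeout          60
KeepAliveTimeout 5

<VirtualHost *:80>
    ServerName www.example.com

    # Forward the client's original Host: header so host-header-based
    # sites on IIS still match.
    ProxyPreserveHost On

    # Everything under / is relayed to IIS. ProxyPassReverse rewrites
    # Location:, Content-Location: and URI: headers in IIS responses so
    # redirects carry the public name rather than the private address.
    ProxyPass        / http://192.168.1.2/
    ProxyPassReverse / http://192.168.1.2/

    # Example of excluding a path that must never be reachable from outside
    # (path name is a placeholder; the "!" target means "do not proxy").
    # ProxyPass /admin/ !

    ErrorLog  /var/log/httpd-www-error.log
    CustomLog /var/log/httpd-www-access.log combined
</VirtualHost>
```

Check the file with `apachectl configtest` before reloading. Because the proxy is the only public listener, the IIS host itself should accept port 80 only from the proxy's private address, so that the request limits above cannot be bypassed by reaching IIS directly.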