Date: Thu, 26 Oct 2000 13:23:01 +0200 (MET DST)
From: Pär Thoren
To: freebsd-questions@freebsd.org
Subject: Bridge

Hi!

If I understand bridging correctly I would have one interface on the
fbsd-bridge connected to the border router .1
The other interface, not configured with an ip, connected to a hub with the
rest of the boxes .3-.255
The interface to the border router should be assigned with an ip, let's say .2

                 Internet
                  ___|___
                 |       |
                 |  GW   |
                 |_______|
                     |
                     |
                  ___|___<---interface with an ip .2
                 |       |
                 | Bridge| <-- fbsd with ipfw
                 |_______|
                     |<---Interface not configured with ifconfig
                     |
                     |
                  ___|_________________<--Uplink on the hub disabled?
                 |                     |
                 |________hub__________|
                    |     |     |     |
                   _|__  _|__  _|__  _|__ <--- Protected Servers
                  |    ||    ||    ||    |
                  |____||____||____||____|

/Pär

On Wed, 25 Oct 2000, Glen Foster wrote:

> You have four options:
>
> 1) run the FreeBSD box as a filtering bridge
>
> 2) run the FreeBSD box as a NAT router
>
> 3) make the FreeBSD box your border router (ie. replacing the box
> marked "gw")
>
> 4) subnet your LAN (with one subnet between the border router and the
> FreeBSD box and the rest on your LAN).
>
> Advantages:
>
> 1) "Invisible" firewall possible (filtering w/o decrementing TTL).
>
> 2) Presence of NAT adds some security (e.g. no TCP connects to LAN
> boxes unless you make specific provisions for them).
>
> 3) Probably the speediest, fewer boxes, easiest to troubleshoot.
>
> 4) none
>
> Disadvantages:
>
> 1) There is no way to prevent non-IP packets, including ARP, from
> being seen by the border router.
>
> 2) Requires re-addressing of LAN machines and (maybe) some DNS tricks
> (to return different answers for LAN and Internet queries).
>
> 3) May require purchasing hardware, e.g. a sync serial board.
>
> 4) consumes address space, requires renumbering.
>
> My first choice would be #3, then #1 (unless I was running non-IP
> protocols).
>
> Good luck,
> Glen Foster
>
> Pär Thoren writes:
> >
> > Hi!
> >
> > I want to protect a network with a firewall. The network is
> > xx.xx.xx.0 and has a gateway at xx.xx.xx.1
> > dns servers are xx.xx.xx.2 and xx.xx.xx.3
> >
> > How can I protect the network with a fbsd firewall? Do I use
> > bridge/firewall or do I set fbsd as a router/firewall "behind" the gateway
> > xx.xx.xx.1 ?
> >
> > Big Bad Internet
> >        |
> >     ___|__
> >    |      |
> >    |  gw  |
> >    |______|
> >        |
> >     ___|__
> >    |      | Acting as bridge? router? with ipfw
> >    | fbsd |
> >    |______|
> >        |
> >   _____|_____
> >  |           | Network including the dns servers
> >  |  .2-.255  |
> >  |___________|
>
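What Glen's option 1 (a filtering bridge) looks like in practice, as an added example that is not part of this thread and not written by either poster. It builds an ipfw ruleset for the layout in Pär's diagram using the FreeBSD 4.x-era bridge(4) and ipfw syntax of the time: the kernel is built with `options BRIDGE` and `options IPFIREWALL`, bridging is switched on with the `net.link.ether.bridge`, `net.link.ether.bridge_ipfw` and `net.link.ether.bridge_cfg` sysctls, and a bridged packet is then presented to ipfw once, as `in via` the interface it arrived on. Everything else is an assumption chosen for illustration: `fxp0` faces the border router and `fxp1` faces the hub, `192.0.2.0/24` stands in for xx.xx.xx.0, and the DNS servers are .2 and .3 as in the original question. Non-IP frames (ARP included) are never handed to ipfw by that bridge code, which is exactly Glen's disadvantage 1; no ruleset changes that.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules for a FreeBSD filtering
# bridge (4.x-era syntax). Interface names and addresses are placeholders.
#
# Kernel: options BRIDGE, options IPFIREWALL. Enable bridging with:
#   sysctl net.link.ether.bridge=1
#   sysctl net.link.ether.bridge_ipfw=1
#   sysctl net.link.ether.bridge_cfg=fxp0:0,fxp1:0
# With bridge_ipfw set, a bridged IP packet is checked once, as "in via"
# the interface that received it, so every bridged rule below is an "in"
# rule on one of the two interfaces. Packets the bridge host itself
# originates are the only ones seen as "out".

OUTSIDE_IF=${OUTSIDE_IF:-fxp0}      # plugged into the border router (.1)
INSIDE_IF=${INSIDE_IF:-fxp1}        # plugged into the hub, no IP address
LAN=${LAN:-192.0.2.0/24}            # stands in for xx.xx.xx.0/24
DNS1=${DNS1:-192.0.2.2}             # DNS servers named in the question
DNS2=${DNS2:-192.0.2.3}

# Print the ruleset, one "ipfw add" argument list per line, in order:
#  00100-00300  loopback sanity rules (standard rc.firewall boilerplate)
#  00400        anti-spoof: LAN source addresses never arrive from the router
#  00500        protected hosts may send anything toward the Internet
#  00600        traffic generated by the bridge host itself (has IP .2)
#  01000        return half of connections the LAN opened
#  01100-01130  DNS queries from the Internet to the two name servers only
#  01200        DNS replies to resolvers on the LAN (stateless, so port-based)
#  01300        echo reply, unreachable and time-exceeded for diagnostics
#  02000        log and drop any other inbound TCP connection attempt
#  65000        default deny
bridge_rules() {
    cat <<EOF
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny log ip from $LAN to any in via $OUTSIDE_IF
00500 allow ip from $LAN to any in via $INSIDE_IF
00600 allow ip from any to any out
01000 allow tcp from any to $LAN established in via $OUTSIDE_IF
01100 allow udp from any to $DNS1 53 in via $OUTSIDE_IF
01110 allow udp from any to $DNS2 53 in via $OUTSIDE_IF
01120 allow tcp from any to $DNS1 53 setup in via $OUTSIDE_IF
01130 allow tcp from any to $DNS2 53 setup in via $OUTSIDE_IF
01200 allow udp from any 53 to $LAN in via $OUTSIDE_IF
01300 allow icmp from any to $LAN icmptypes 0,3,11 in via $OUTSIDE_IF
02000 deny log tcp from any to $LAN setup in via $OUTSIDE_IF
65000 deny log ip from any to any
EOF
}

# Load the ruleset into the kernel. Only does anything where ipfw exists,
# so the script can be reviewed on any machine with "sh bridge.sh".
apply_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found, printing only" >&2; return 1; }
    ipfw -f flush
    bridge_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        ipfw add $rule
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    bridge_rules
fi
```

Run as `sh bridge.sh` to print the rules for review and `sh bridge.sh apply` on the bridge itself. Rule 01200 is the weak spot of a stateless bridge: any UDP datagram with source port 53 reaches the LAN, which is the price of not using dynamic (`keep-state`) rules with the old bridge code. The number gaps leave room for per-service rules between 01130 and 02000, and `ipfw show` on the bridge lets you confirm that the counters on 00400 and 02000 are the ones growing when something probes the network.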