Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 27 Feb 2002 14:28:46 +0100 (CET)
From:      =?iso-8859-1?q?m=20p?= <sumirati@yahoo.de>
To:        sec@hict.nl
Cc:        freebsd-security@freebsd.org
Subject:   Re: best firewall option for FreeBSD  
Message-ID:  <20020227132846.28405.qmail@web13305.mail.yahoo.com>

next in thread | raw e-mail | index | archive | help
> Hi all,
> 
> I have to build a firewall for our University with 2 NIC's. One
> connected to internet and the second connected to the network.
> The e-mail is running on M$ Exchange, but this servers are placed
> outside of the network.
> With the firewall we would like to increase the security, but also make
> it impossible for internal users to use anything else but http, https,
> ssh, ftp-client,pop3-client, Outlook. So it has to be impossible to use
> Morpheus, Kazaa, Napster etc.
> 
> What firewall software (Opensource) would you advice? Or do I have to
> choose another OS?
> 
> Best regards,
> Geert Houben

Hi Geert,

you can use either ipfw (the firewall I prefer) or ipfilter.

For your case I would you ipfilter. Why?

To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant
with outlook)) you can choose both. But ftp is a braindead (from a firewaller
sight) protocol. You can not simple make a rule "allow tcp from internal
network to external ftp-server" - because it will use more than one port.

So you should use ipfilter which "inspects" the pakets flowing through to get
the new ftp port which have to be open - or use a ftp-proxy (there are some in
the ports, look for one fitting your purpose).

Another thought: 

Should this firewall be "visible" to the user? Should he/she know about it? If
not you can only add a transparent proxy and/or building a bridging rather than
a routing firewall.
If yes, well, why not considering a new infrastructure for your servers in the
net and your users too?
An Exchange server in the internet without firewall (and securing Windows
behorehand - but of course you have done that, haven't you?) is not nearly
secure - for example.
You can work on that detail and a lot more with a new concept which have to
include security concerns, usefulness, managebility (if there is this word),
TOC .... 

Hope that helps

Marc


__________________________________________________________________

Gesendet von Yahoo! Mail - http://mail.yahoo.de
Ihre E-Mail noch individueller? - http://domains.yahoo.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020227132846.28405.qmail>