From owner-freebsd-security  Wed Feb 27  5:28:52 2002
Delivered-To: freebsd-security@freebsd.org
Received: from web13305.mail.yahoo.com (web13305.mail.yahoo.com [216.136.175.41])
	by hub.freebsd.org (Postfix) with SMTP id 094F937B405
	for <freebsd-security@freebsd.org>; Wed, 27 Feb 2002 05:28:47 -0800 (PST)
Message-ID: <20020227132846.28405.qmail@web13305.mail.yahoo.com>
Received: from [193.174.9.34] by web13305.mail.yahoo.com via HTTP; Wed, 27 Feb 2002 14:28:46 CET
Date: Wed, 27 Feb 2002 14:28:46 +0100 (CET)
From: =?iso-8859-1?q?m=20p?= <sumirati@yahoo.de>
Subject: Re: best firewall option for FreeBSD  
To: sec@hict.nl
Cc: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

> Hi all,
> 
> I have to build a firewall for our University with 2 NIC's. One
> connected to internet and the second connected to the network.
> The e-mail is running on M$ Exchange, but this servers are placed
> outside of the network.
> With the firewall we would like to increase the security, but also make
> it impossible for internal users to use anything else but http, https,
> ssh, ftp-client,pop3-client, Outlook. So it has to be impossible to use
> Morpheus, Kazaa, Napster etc.
> 
> What firewall software (Opensource) would you advice? Or do I have to
> choose another OS?
> 
> Best regards,
> Geert Houben

Hi Geert,

you can use either ipfw (the firewall I prefer) or ipfilter.

For your case I would you ipfilter. Why?

To filter all but ssh, http, https, smtp and pop3 (aka mail (what you meant
with outlook)) you can choose both. But ftp is a braindead (from a firewaller
sight) protocol. You can not simple make a rule "allow tcp from internal
network to external ftp-server" - because it will use more than one port.

So you should use ipfilter which "inspects" the pakets flowing through to get
the new ftp port which have to be open - or use a ftp-proxy (there are some in
the ports, look for one fitting your purpose).

Another thought: 

Should this firewall be "visible" to the user? Should he/she know about it? If
not you can only add a transparent proxy and/or building a bridging rather than
a routing firewall.
If yes, well, why not considering a new infrastructure for your servers in the
net and your users too?
An Exchange server in the internet without firewall (and securing Windows
behorehand - but of course you have done that, haven't you?) is not nearly
secure - for example.
You can work on that detail and a lot more with a new concept which have to
include security concerns, usefulness, managebility (if there is this word),
TOC .... 

Hope that helps

Marc


__________________________________________________________________

Gesendet von Yahoo! Mail - http://mail.yahoo.de
Ihre E-Mail noch individueller? - http://domains.yahoo.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message