From owner-freebsd-security Fri Aug 10 5:33:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 78E5A37B40B for ; Fri, 10 Aug 2001 05:33:09 -0700 (PDT) (envelope-from kzaraska@student.uci.agh.edu.pl)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 1B44C1C88; Fri, 10 Aug 2001 14:33:45 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id CB15C5493 for ; Fri, 10 Aug 2001 14:33:45 +0200 (CEST)
Date: Fri, 10 Aug 2001 14:33:45 +0200 (CEST)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: freebsd-security@freebsd.org
Subject: Re: Separate firewall or not...OOPS no subject sorry!
In-Reply-To: <20010810031430.S3889@gnjilux.cc.fer.hr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, 10 Aug 2001, Ivan Krstic wrote:

> On Fri, Aug 10, 2001 at 10:47:49AM +1000, Keith Spencer wrote:
> > Should I build a separate perimeter firewall machine
> > with only that on it...restrict/remove compilers etc
> > (how do I do that?) and have the router/dns/web/mail
> > server inside the perimeter.
>
> This would be the most desired solution, if you have the resources to spare for
> a separate firewall machine. If this machine would serve no other purpose
> besides being a firewall, just about any old box (PI) will do for SOHOs.

Also see Chapman, "Building Internet Firewalls". There's some good stuff about
firewall design itself. Specifically, they recommend building a perimeter
network and moving all services there and placing all other machines on the
internal network.
So if a server is compromised, there's still a firewall between the attacker and the internal network.