Date: Fri, 10 Sep 2004 11:08:33 +0000 From: "Dan" <dan@skyinternet.co.uk> To: freebsd-net@freebsd.org Subject: Networking/Security Question... Message-ID: <fb497c560c13bf711641a328609691b9@skyinternet.co.uk>
next in thread | raw e-mail | index | archive | help
Hello. My first post here, Hope you're all well and enjoying the summer. Okay, this is likely to be an extremely exhaustive post, so I'd really be grateful if you could spare the time to read and reply please... Let me first introduce you to the scenario. We are a not for profit organisation that I'm dealing with during free time. We have fortunately (as it's Internet based) had funds to get a Leased Line - after about a year of negotiating with various UK providers, we finally got the price completely down - although still scarily high as we're a not for profit. As mentioned, I do this in my spare time, and do not lie I have "expertise" in this field. However, I have researched, and compiled a very simple step by step guide of what I *think* I should be doing to a) install the Leased Line and get it working, and b) secure the network. Please have a look through and comment on whether you agree, or where I've completely gone wrong. The Leased Line is due to be installed in a few weeks time, so basically I want to have a completely clear set of instructions and knowing I'm doing everything right so I'm not stumped when the time comes! Okay... 1. Obviously complete the process to get the Leased Line. The will consist of 2 visits to the presmise, one to install an NTU and the other to install the circuit. 2. The router will come "preconfigured" - not quite sure what that exactly involves. The router itself will be a Cisco 1721. As I want to perhaps support up 4 or 5 PC's through the connection my new ISP's response regarding it was: "The 1721 will allow as many PC's as you wish to connect. The machines would need to be networking together but the whole network can be given access by a single router. With regards to IP's we will allocate a block of 8 IP's with the leased line. These could be assigned to individual machines (one will be needed for the router). To achieve this, as I'd ideally like each machine to have a "public" internet address. To explain myself: PC1: 211.167.0.1 -- running a HTTPD. -- running FreeBSD. PC2: 211.167.0.2 -- running a mail daemon. -- running FreeBSD. PC3: 211.167.0.3 -- just internet access. -- running XP. PC4: 211.167.0.4 -- again internet access. -- running XP. PC5: 211.167.0.5 -- internet access through a Netgear HE102 Access Point and Netgear HA501 PC card. -- running XP. I have no idea what the IPs would be, but I'm sure you'll get the point I'm trying to make... Therefore to achieve that, I'll need to purcahse a Switch that would plug into the Router itself. I want to use an External Switch to link all the PC's to the connection. With advice from some people, it seems people prefer Swithces to Hubs because it only directs data when it's needed. Are you able to recommend a decent 8 port external switch that'd be suited? I searched sites like dabs.com and there's just so many, I don't which are suitable. 3. This switch would need to be connected to the Router with a Cat5 cable - could you advise what port it'd go into? I tried reading the guide at http://www.cisco.com/univercd/cc/td...hig/1721ovw.htm about the Ethernet, Auxilary, and Console port, and I *think* it's the Auxiliry one? Is the "Ethernet" port used to actually connect the router to the NTU? 4. Each PC wanting to access the connection, including 3 PC's and one laptop would need to do the following: 2 x FreeBSD servers would need a Cat5 cable from an Ethernet card in the Boxes to the Switch. 1 x Windows machine would need a Cat5 cable from an Ethernet card in the box to the switch. 1 x Laptop (Netgear HE102 Access Point) talking to a HA501 PC card on the Laptop. In the FreeBSD machines, I'd need to use the following in /etc/rc.conf: ifconfig_sis0="inet the.ip.here netmask 255.255.255.0" where sis0 is the Ethernet in that particular machine, "the.ip.here" the public IP assigned to me by the ISP (I'll be getting a block of them) and ensure /etc/hosts and /etc/resolv.conf are all set. I'd also need to repeat this on the 2 Windows machines, though their setup is very simple... Do you agree this is the right idea for the actual "network setup"? Now my questions begin regarding security for the services in particular. Would it be "sufficient" to just run IPFW rules on each of the FreeBSD servers, and software firewalls on the Windows machines? Or, could you recommend a Hardware Firewall that and how it'd integrate into the above setup please? For the FreeBSD machines I thought the following fules (again researching to find these - but I may very well be incorrect): # Define the firewall command (as in /etc/rc.firewall) for easy # reference. Helps to make it easier to read. fwcmd="/sbin/ipfw" # Force a flushing of the current rules before we reload. $fwcmd -f flush # Allow all connections that have dynamic rules built for them, # but deny established connections that don't have a dynamic rule. # See ipfw(8) for details. $fwcmd add check-state $fwcmd add pass tcp from any to any keep-state # Allow all localhost connections $fwcmd add 100 pass all from any to any via lo0 $fwcmd add 200 deny log all from any to 127.0.0.0/8 $fwcmd add 300 deny log ip from 127.0.0.0/8 to any # Allow all connections from my network card that I initiate $fwcmd add allow tcp from me to any out xmit any setup keep-state $fwcmd add deny log tcp from me to any $fwcmd add allow ip from me to any out xmit any keep-state $fwcmd add allow all from 192.168.0.0/24 to any # Everyone on the Internet is allowed to connect to the following # services on the machine. This example specifically allows connections # to sshd and a webserver. $fwcmd add allow tcp from any to any keep-state $fwcmd add allow tcp from any to me 80 setup # This sends a RESET to all ident packets. $fwcmd add reset log tcp from any to me 113 in recv any # Enable ICMP: remove type 8 if you don't want your host to be pingable $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14 # Deny all the rest. $fwcmd add deny log ip from any to any How's this? Obviously, for each there'd be different rules as they'll be running different daemons, so I'd just alter the $fwcmd add allow tcp from any to me 80 setup line... Thanks very much for reading, and I hope I've been clear in explaining this "scenario" - I really appreciate your advice, and our community thanks you. Regards,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?fb497c560c13bf711641a328609691b9>