Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 02 Jul 1997 11:34:35 +0300
From:      Nadav Eiron <nadav@barcode.co.il>
To:        greg baxter <greg@microa.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: firewalls...
Message-ID:  <33BA129B.1826@barcode.co.il>
References:  <3.0.1.32.19970701221152.007dab40@microa.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
greg baxter wrote:
> 
> we want to firewall our local net using freebsd 2.2.
> 
> a little confused, we put two nics in one bsd machine,
> each with its own different network (not just diff host).
> 
> the idea is, we need it to:
> 
> hit our inet router, a t1 interface when called to do so
> by any local machine. this is on net 'a'.  i suppose this
> is the only host that will be on net 'a' other than the
> nic in the bsd box. right?
> 
> route ip data for us, with appropriate filtering via ipfw.
> from net 'b' to net 'a' (net 'a' is the internet side of
> things).
> 
> do we need to configure this machine as a 'gateway' as
> defined in rc.conf?  turn on 'routing' in same rc file?
> 
> right now, our default gateway is just the t1 router (ascend
> pipeline) and all works well, but the ascend is on the same
> net as everything else.
> 
> have read the o'reilly book, and at least *believe* i'm on the
> right track.

Which O'Reilly book? Get a book on firewalls and security if you want to
read on the subject (for example, Addison Wesley has: Firewalls and
Internet Security - Repelling the Wily Hacker, by Cheswick and Belovin).

> 
> any help you guys can toss my way is really gonna be
> very much appreciated, i'd like to get this thing up and
> going soon.
> 
> thanks in advance -- greg

Basically, you're on the right track. Whether this machine will actually
be a gateway depends on what type of firewall you want. For a packet
filtering firewall (one whose main weapon is ipfw and friends), you'll
need it set to YES.

For routing, running a routing daemon on a firewall is generally
considered bad practice. You don't run something on a firewall unless
you have to, so in a simple configuration like yours, I'd use static
routing.

Nadav



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?33BA129B.1826>