From: Kim Shrier
Organization: Shrier and Deihl
Date: Thu, 01 Oct 1998 02:21:21 -0500
To: Alejandro Galindo Chairez AGALINDO
CC: questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Firewall with 2 NIC and a NET class C

You have a couple of ways to approach this. You could use network
address translation and have private addresses for all your machines.
The "public" machines would have static mappings to real IP addresses
that are aliased on the outside interface of the firewall. You would
also use ipfw rules to control the traffic.

Another approach is to split your class C into subnets, one subnet for
the outside interface and the other for the inside interface, and then
set up ipfw rules and routes in the firewall to control the traffic.

If you want, I can help you with the rules once I know how you want to
proceed.

Kim Shrier
kim@tinker.com

Alejandro Galindo Chairez AGALINDO wrote:
>
> Hello!
>
> I have a network class C (connected to Internet), some hackers are
> cracking my server and I need to install a firewall.
>
> I have 2 xl NICs (xl0 and xl1), but I don't know how will be the
> rc.firewall configuration and how I can protect all my network from outside
> attacks.
>
> In the rc.firewall I use the "simple" firewall type, but I don't
> understand how I can divide my network class C in 2 networks (with a mask
> 255.255.255.128 sample).
>
> I need to have real internet IPs in the 2 NICs because I want to
> protect my WWW and e-mail servers.
>
> Here is a sample of what I have and what I need:
>
>                    INTERNET
>                       |
>                       |
>             My router (208.195.117.2)
>                       |
>                       |
>            -----------------------  (network class C 208.195.117.*)
>            |          |          |
>            |          |          |
>        WWW server  email server  and PCs
>      208.195.117.11  208...12    208...13 (sample)
>
> I need to protect all my network and I think the solution can be:
>
>                    INTERNET
>                       |
>                       |
>               ROUTER (208.195.117.2)
>                       |
>                       |   maybe mask 255.255.255.128
>              FIREWALL (208.195.117.14) xl0 (first NIC)
>                       |
>                       |   208.195.117.129 xl1 (second NIC) of the firewall
>            ------------------------
>            |          |           |    maybe mask 255.255.255.128
>            |          |           |
>        WWW server  email server  PC's ...
>      208.195.117.130  208...131  208...132 etc
>
> Please, I need help in how to plan the network and how to indicate the
> rules in the rc.firewall
>
> I am desperate because my network is attacked.
>
> Thanks in advance
>
> Alejandro Galindo
>
> ExSoCom Dgo. MEXICO
> Alejandro Galindo
> Tel: (52 18) 179177
> Fax: (52 18) 185155
> e-mail alejandro.galindo@exsocom.com.mx
> http://www.exsocom.com.mx
> a FreeBSD ISP
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
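
The second approach in the reply (one subnet outside, one inside, ipfw rules on the firewall between them), written out as an added example that is not part of either message. Addresses and interface names come from the quoted diagram; the open ports (HTTP to the WWW server, SMTP to the e-mail server), the rule numbers and the FWCMD dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example: ipfw rules for the two-subnet layout in the quoted diagram.
# Prints the commands by default (dry run); set FWCMD=/sbin/ipfw on the
# firewall to load them. FWCMD is a name made up for this example.
fwcmd="${FWCMD:-echo ipfw}"

oif="xl0"; onet="208.195.117.0/25"     # outside: router .2, firewall .14
iif="xl1"; inet="208.195.117.128/25"   # inside: firewall .129, servers, PCs
www="208.195.117.130"                  # WWW server (from the diagram)
mail="208.195.117.131"                 # e-mail server (from the diagram)

load_rules() {
    $fwcmd -f flush
    $fwcmd add 100 pass all from any to any via lo0

    # Anti-spoofing: a source address must arrive on the side its subnet is on.
    $fwcmd add 200 deny log all from "$inet" to any in via "$oif"
    $fwcmd add 210 deny log all from "$onet" to any in via "$iif"

    # Packets belonging to TCP connections that were allowed to start.
    $fwcmd add 300 pass tcp from any to any established

    # Inbound from the Internet: only the published services
    # (assumed here: HTTP on the WWW server, SMTP on the e-mail server).
    $fwcmd add 400 pass tcp from any to "$www" 80 setup
    $fwcmd add 410 pass tcp from any to "$mail" 25 setup

    # Any other connection attempt arriving from outside is logged and dropped.
    $fwcmd add 500 deny log tcp from any to any in via "$oif" setup

    # Inside hosts may open outbound TCP connections.
    $fwcmd add 600 pass tcp from "$inet" to any setup

    # DNS lookups from inside. These two rules are stateless, so any UDP
    # packet with source port 53 reaches the inside subnet; on ipfw
    # versions with dynamic rules, use keep-state on rule 700 instead.
    $fwcmd add 700 pass udp from "$inet" to any 53
    $fwcmd add 710 pass udp from any 53 to "$inet"

    # ICMP errors needed for path MTU discovery and traceroute replies.
    $fwcmd add 800 pass icmp from any to any icmptypes 3,11

    # Explicit final rule so the policy does not depend on the kernel default.
    $fwcmd add 65000 deny log all from any to any
}

load_rules
```

The firewall also needs IP forwarding enabled (`gateway_enable="YES"` in rc.conf), and the router at 208.195.117.2 needs its own interface set to mask 255.255.255.128 plus a route for 208.195.117.128/25 via 208.195.117.14.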