From owner-freebsd-questions@FreeBSD.ORG Tue Aug 2 17:10:50 2005
Date: Tue, 2 Aug 2005 10:10:44 -0700 (PDT)
From: Garrett Cooper
To: Stephan Weaver
Cc: freebsd-questions@freebsd.org
Subject: Re: Networking with FreeBSD

On Tue, 2 Aug 2005, Stephan Weaver wrote:

> Hello Everyone.
>
> We are going to be connecting our Stores to our Main Head Office Via Fiber.
> We want to separate our Internal Lan from the store computers.
> So we have decided to separate them by networks [ip addressing] because of
> security.
>
> Head Office
> I have 3 Servers in my LAN. And 4 Networks in Total inside of our Head
> Office.
> 10.10.10.1 - Pixel Replication Server
> 192.168.1.1 - Web Based Server [Delivery Server]
> 192.168.100.1 - File Server
> Including Internet Users.
> 192.168.0.1-254 [ Lan ].
>
> The store computers that need to access specific servers, are only on that
> network.
> For example.
> Store 1, Computer 1 Needs to Replicate [he will have an ip of 10.10.10.105]
> Store 1, Computer 2 [The Delivery Pc]. he will have an ip of 192.168.1.105
> Store 1, Computer 3 Will access the File Server by having an ip of
> 192.168.100.105.
>
> Now the Risk involved with this is we have no Real Security, For Example.
> A Malicious user can easily change his ip address to 192.168.0.105 For
> Example and Get on our Head Office Internal Network. Which We don't Want.
>
> So I would like to Setup, Install And Configure a FreeBSD Based Firewall,
> that will have 4 Network Cards, and will be placed between Our Head Office
> Switch, and our Fibre Switch [Wan].
>
> But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD
> Will Bridge All Those Networks.
> How Can I keep the networks Separate, and Secure the Servers by Firewalling
> by ip addressing?
>
> I would appreciate Advice / Suggestions / Anything That will give me a better
> clue on how to secure my network.
>
> Yours Sincerely,
> Stephan Weaver

I can tell you as of right now that you're going to have to set up a NAT
with your FreeBSD box acting as the gateway using something like ipf,
ipfilter, etc. However, I have little experience with this, and depending
on what you want in terms of user interaction, different solutions will
pose certain pros and cons.

Also, no one outside of the network can just change their IP address to
192.168.0.x because the 192.168.x.y IP address blocks are reserved as
Class C addresses which under all correct implementations of IP are
physically inaccessible outside the network.

Therefore, that isn't so much of an issue... however, it still doesn't
hurt to have a firewall because you don't want someone tunnelling in and
wreaking havoc on your network. That is of course if the information you
listed above was in fact what's currently implemented as opposed to what
should be implemented.

Just a few minor thoughts.

-Garrett
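As an added example that is not part of this thread: an IP Filter ruleset (/etc/ipf.rules) for the four-card FreeBSD box Stephan describes, written to close the specific risk he names, a store host re-addressing itself into the head-office LAN. It assumes the box routes between its cards rather than bridging them (FreeBSD bridges only when a bridge is explicitly configured; forwarding is turned on with gateway_enable="YES" in /etc/rc.conf, and the ruleset is loaded with ipfilter_enable="YES" and ipfilter_rules="/etc/ipf.rules"). The interface names fxp0 (head-office LAN) and fxp3 (fibre/store side) and the replication and file-server ports are placeholders to be replaced with the real ones.

```conf
# /etc/ipf.rules -- added example, not from the thread.
# fxp3 = card facing the fibre switch (stores), fxp0 = head-office LAN
# 192.168.0.0/24, fxp1/fxp2 = server networks.  Names are placeholders.
# ipf acts on the LAST matching rule unless "quick" is given, so the
# default-deny rules go first and every specific rule below is "quick".
block in log all
block out log all

# Loopback is always fine.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing on the store-facing card: nothing arriving from the fibre
# may claim a head-office LAN address, a server's own address, or loopback.
block in log quick on fxp3 from 192.168.0.0/24 to any
block in log quick on fxp3 from 127.0.0.0/8 to any
block in log quick on fxp3 from 10.10.10.1/32 to any
block in log quick on fxp3 from 192.168.1.1/32 to any
block in log quick on fxp3 from 192.168.100.1/32 to any

# Nothing from the fibre ever reaches the internal LAN, whatever source
# address it carries; this is the rule that makes re-addressing to
# 192.168.0.105 pointless.
block in log quick on fxp3 from any to 192.168.0.0/24

# Each store host reaches only its designated server, and only on the port
# that server needs.  "keep state" lets ipf pass the forwarded packet out
# the server's card and the reply back, without extra rules.
# 5000 (replication) and 445 (CIFS file sharing) are assumed placeholders;
# 80 follows from the delivery server being described as web based.
pass in quick on fxp3 proto tcp from 10.10.10.105 to 10.10.10.1 port = 5000 flags S keep state
pass in quick on fxp3 proto tcp from 192.168.1.105 to 192.168.1.1 port = 80 flags S keep state
pass in quick on fxp3 proto tcp from 192.168.100.105 to 192.168.100.1 port = 445 flags S keep state

# Let the head-office LAN administer the firewall over ssh; everything
# else the LAN sends toward the stores stays blocked by the default rule.
pass in quick on fxp0 proto tcp from 192.168.0.0/24 to any port = 22 flags S keep state
```

Every block rule logs, so `ipmon` will show any store host that tries an address or a server it is not allowed to use; add one `pass in quick on fxp3` line per additional store host as stores are connected.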