From owner-freebsd-questions@FreeBSD.ORG Tue Aug 2 17:38:30 2005
Message-ID: <42EFAF93.5060800@mac.com>
Date: Tue, 02 Aug 2005 13:38:27 -0400
From: Chuck Swiger
Organization: The Courts of Chaos
To: Stephan Weaver
Cc: freebsd-questions@freebsd.org
Subject: Re: Networking with FreeBSD

Stephan Weaver wrote:
[ ... ]
> But AFAIK, By Placing all these network cards in the Same Machine,
> FreeBSD Will Bridge All Those Networks.

FreeBSD is well-behaved in terms of security. It will not act as a layer-2
bridge or as a layer-3 IP router/firewall, unless and until you tell it to
do so. See the options set in /etc/rc.conf and /etc/defaults/rc.conf such as:

    gateway_enable="NO"                # Set to YES if this host will be a gateway.
    router_enable="NO"                 # Set to YES to enable a routing daemon.
    firewall_enable="NO"               # Set to YES to enable firewall functionality
    firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
    firewall_type="UNKNOWN"            # Firewall type (see /etc/rc.firewall)

...or "man bridge".

> How Can I keep the networks Separate, and Secure the Servers by
> Firewalling by ip addressing?

Well, if you set the machines up on three or four separate subnets, each on
a separate collision domain (i.e., each with its own hub or switch VLAN), you
can firewall traffic both by subnet and by individual IPs. A proper ruleset
will integrate anti-spoofing rules which will prevent a machine from sending
traffic as if it were an IP on another subnet, or at least prevent the
traffic from going through the firewall to reach your private internal
networks. Obviously, you want to keep untrusted machines on another subnet
than the servers you are protecting.

Go read "Building Internet Firewalls" published by O'Reilly, as well as
http://www.ietf.org/rfc/rfc2196.txt...

--
-Chuck
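The anti-spoofing ruleset Chuck describes, as an added example that is not part of the original message: an ipfw script in the style of /etc/rc.firewall for a host with three NICs, one per subnet. The interface names (fxp0 to fxp2), the subnets, the server subnet and the admin host are constructed placeholders, and it assumes firewall_enable="YES" with firewall_script pointing at this file in /etc/rc.conf.

```shell
#!/bin/sh
# Added example in the style of /etc/rc.firewall; not code from the original
# message. Interface names, subnets and the admin host are constructed
# placeholders for a host with three NICs, one per subnet. Point
# firewall_script at this file in /etc/rc.conf, or run it with fwcmd=echo
# to preview the rules without loading them.

fwcmd="${fwcmd:-/sbin/ipfw}"

# One "interface subnet" pair per line (constructed placeholders).
NETS="fxp0 192.168.10.0/24
fxp1 192.168.20.0/24
fxp2 192.168.30.0/24"
SRV_NET="192.168.30.0/24"     # the servers being protected
ADMIN_HOST="192.168.10.5"     # the only host allowed to ssh to them

# Anti-spoofing for one interface: packets entering it must carry a source
# inside its own subnet, and that subnet's addresses may not enter the
# firewall via any other interface.
antispoof_rules() {
    a_if="$1" a_net="$2"
    "${fwcmd}" add 1000 deny log ip from not "${a_net}" to any in recv "${a_if}"
    echo "${NETS}" | while read o_if o_net; do
        [ "${o_if}" = "${a_if}" ] && continue
        "${fwcmd}" add 1010 deny log ip from "${a_net}" to any in recv "${o_if}"
    done
}

# Full ruleset: loopback, anti-spoofing per subnet, then a policy that only
# lets the other subnets reach the servers on explicit ports; default deny.
load_ruleset() {
    "${fwcmd}" -f flush
    "${fwcmd}" add 100 allow ip from any to any via lo0
    echo "${NETS}" | while read l_if l_net; do
        antispoof_rules "${l_if}" "${l_net}"
    done
    "${fwcmd}" add 2000 allow tcp from any to any established
    "${fwcmd}" add 2100 allow tcp from any to "${SRV_NET}" 80,443 setup
    "${fwcmd}" add 2110 allow tcp from "${ADMIN_HOST}" to "${SRV_NET}" 22 setup
    "${fwcmd}" add 2200 deny log tcp from any to "${SRV_NET}" setup
    "${fwcmd}" add 65000 deny log ip from any to any
}

case "${1:-}" in
    load) load_ruleset ;;
esac
```

The policy section is deliberately minimal (no ICMP, nothing for traffic the firewall host itself originates), so extend it before use; the anti-spoofing rules are the point.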