Newsgroups: comp.os.386bsd.misc,comp.os.386bsd.questions
From: lclee@netcom.com (Larry Lee)
Subject: Re: FreeBSD as a firewall
Message-ID: <lcleeCsoH2L.533@netcom.com>
Organization: NETCOM On-line Communication Services (408 261-4700 guest)
References: <Cs9G7B.DE6@olivetti.nl> <2veim2$2is@fw.novatel.ca>
Date: Sat, 9 Jul 1994 14:47:08 GMT

Paul van der Zwan (paulz@olivetti.nl) wrote:
> Has anybody got any experience with using a 386 running FreeBSD as
> an internet-firewall behind a screening router ??

It is unclear how you plan to set up the filters on the router.

If you plan on being very restrictive, you would probably want to make sure that all traffic from the router is destined for the firewall machine and then install proxy servers on the firewall itself. Using something like the TIS toolkit, internal machines would ftp (for example) to the firewall proxy and when the proxy prompts for login, you provide the internet ftp host name along with your user name. From then on all usage is pretty normal.

In the above situation, _all_ routing is disabled on the firewall, no user logins are allowed on the firewall and proxy servers are required for each and every service you allow. Thus to get through the firewall you must establish a process on the firewall that will store and forward all packets.

In a less restrictive situation you might have the router block new connects from the internet to anything but the firewall. However, connected (see SYN bit) streams are passed through unchallenged. This allows telnet sessions directly from internal machines. In this case the firewall must do routing. FTP still requires a proxy server on the firewall, because it needs an inbound connection.

In either case all UDP based services (DNS, NTP, ...) must be supported on the firewall.

You really need to decide what your policies will be, what services you will support, and then walk it through completely to understand the implications, before you try to implement the firewall.
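The "less restrictive" screening-router policy described in the post, modelled as an added example (not code from the original post or from any BSD or TIS software): new TCP connects from the Internet may only reach the firewall, already connected streams pass, UDP from the Internet is only accepted by the firewall, and an active-mode FTP session shows why FTP still needs a proxy. The addresses, port numbers and the `FIREWALL`/`INTERNAL_NET` constants are constructed for illustration.

```python
from dataclasses import dataclass

FIREWALL = "192.0.2.1"      # constructed: address of the FreeBSD bastion host
INTERNAL_NET = "192.0.2."   # constructed: prefix of the internal network

@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_NET)

def screening_router(pkt: Packet) -> str:
    """Decide 'pass' or 'drop' for one packet under the less restrictive policy:
    a new TCP connect (SYN set, ACK clear) from the Internet may only go to the
    firewall, an already connected stream passes unchallenged, and UDP from the
    Internet is only accepted by the firewall itself."""
    if is_internal(pkt.src):
        return "pass"                       # outbound traffic is not screened
    if pkt.proto == "tcp":
        if pkt.syn and not pkt.ack:         # a new inbound connect
            return "pass" if pkt.dst == FIREWALL else "drop"
        # This filter keeps no connection table: any segment with ACK set
        # reaches an internal host, which is why later stateful filters track
        # flows instead of trusting the flag alone.
        return "pass"
    if pkt.proto == "udp":
        return "pass" if pkt.dst == FIREWALL else "drop"
    return "drop"

def active_ftp_without_proxy(client: str, server: str) -> dict:
    """Walk an active-mode FTP session from an internal client directly to an
    Internet server through the screening router (ports are constructed)."""
    control_out = Packet("tcp", client, server, 21, syn=True)
    control_reply = Packet("tcp", server, client, 1031, syn=True, ack=True)
    # The server opens the data connection back to the client from port 20,
    # so the session contains one inbound *new* connect, and it is not to the
    # firewall. That is the inbound connection the post says needs a proxy.
    data_in = Packet("tcp", server, client, 1032, syn=True)
    return {"control": screening_router(control_out),
            "control_reply": screening_router(control_reply),
            "data": screening_router(data_in)}
```

The same check shows a DNS reply addressed to an internal host being dropped while one addressed to the firewall passes, which is the UDP point the post makes.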