Newsgroups: comp.os.386bsd.misc
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!msunews!agate!library.ucla.edu!csulb.edu!csus.edu!netcom.com!jlemon
From: jlemon@netcom.com (Jonathan Lemon)
Subject: Re: FreeBSD as a firewall?
Message-ID: <jlemonD3A2zL.M4I@netcom.com>
Organization: NETCOM On-line Communication Services (408 261-4700 guest)
References: <jlemonD387IF.7sz@netcom.com> <D391AE.7u7@world.std.com>
Date: Tue, 31 Jan 1995 16:26:09 GMT
Lines: 48

In article <D391AE.7u7@world.std.com>, James F Brown <brownj@world.std.com> wrote:
>jlemon@netcom.com (Jonathan Lemon) writes:
>
>>I'm in the process of setting up a machine that will act as a firewall
>>for a client's internet connection. I have 2 questions:
>
>> - will a 486 EISA machine with 8M be sufficient to handle the
>>   task of a firewall for a 56k link? (no IP forwarding, internal
>>   to external connections handled by SOCKS, etc)
>
>> - is there some sort of card + driver for the PC that will handle
>>   the input from a 56k frame relay link? Or is something equivalent
>>   to a cisco 2501 required to convert the frame relay input to
>>   ethernet packets which are then fed to the PC?
>
>>I really don't want to have to buy a router just to handle the frame relay
>>stuff, since all real routing will be done internally, behind the firewall.
>>--
>>Jonathan jlemon@netcom.com
>
>The firewall would be a lot stronger if you put filtering routers behind
>and in front of your FreeBSD box. You could even use FreeBSD boxes running
>screend as the routers...

Well, I'm planning to use the FreeBSD box as the equivalent of a filtering
bridge (two ethernet interfaces) and only provide proxy services. I don't
need to worry about routing, since once I stick the packets on the internal
ethernet segment, our existing routers can take it from there. Our service
provider will be running routers on their end of the 56k link, so I should
only be getting packets that are ultimately destined for our net.
What I'm not sure about is whether the FreeBSD box will be able to handle
all the traffic since filtering is done at the user-level, not kernel-level.
(screend doesn't fit my needs). Also, I'm not sure if there is anything that
will allow me to handle the frame relay stream coming directly from the
CSU/DSU; it seems a waste to get a cisco box that will just act as a
frame-relay <--> ethernet bridge.

>If you haven't read Cheswick and Bellovin's book, I'd pick it up.

I haven't seen the book; does it provide any more information than
Bellovin's white papers?
--
Jonathan
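The design Jonathan describes (a dual-homed host with IP forwarding off that offers nothing but a proxy to inside clients) can be written down as an explicit per-packet decision and exercised against constructed traffic. The following is an added example, not code from the original post or from any FreeBSD tool; the addresses, the "int"/"ext" interface names and the use of port 1080 for SOCKS are assumptions of the example, and the "is this a reply?" test uses the SYN-flag heuristic of stateless filters rather than a connection table.

```python
"""Policy model for a dual-homed, proxy-only bastion host.

Added example (not the original post's code). Models: two interfaces,
IP forwarding disabled, a SOCKS proxy reachable only from the inside,
and nothing accepted from outside except replies to proxy-originated
TCP connections. Every drop is logged, since a user-level filter that
silently discards traffic gives the operator nothing to investigate.
All addresses and the interface names are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

INTERNAL_NET = ip_network("192.0.2.0/24")     # constructed: inside segment
INT_IF_ADDR = ip_address("192.0.2.1")         # constructed: bastion's inside address
EXT_IF_ADDR = ip_address("198.51.100.2")      # constructed: bastion's outside address
LOCAL_ADDRS = {INT_IF_ADDR, EXT_IF_ADDR}
SOCKS_PORT = 1080                             # conventional SOCKS port (assumed)


@dataclass(frozen=True)
class Packet:
    iface: str          # "int" or "ext": which interface the packet arrived on
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp"
    dport: int = 0
    syn: bool = False   # TCP connection-initiation flag


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Return ("ACCEPT" | "DROP", reason) for one arriving packet."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    # Rule 0: forwarding is off, so the host only delivers to itself.
    if dst not in LOCAL_ADDRS:
        return "DROP", "not addressed to the bastion (forwarding disabled)"

    if pkt.iface == "int":
        if src not in INTERNAL_NET:
            return "DROP", "spoofed: non-internal source on inside interface"
        if dst == INT_IF_ADDR and pkt.proto == "tcp" and pkt.dport == SOCKS_PORT:
            return "ACCEPT", "inside client to SOCKS proxy"
        return "DROP", "inside hosts may only reach the proxy"

    if pkt.iface == "ext":
        if src in INTERNAL_NET:
            return "DROP", "spoofed: internal source on outside interface"
        if dst != EXT_IF_ADDR:
            return "DROP", "outside packet to inside-facing address"
        if pkt.proto == "tcp" and not pkt.syn:
            # Stateless approximation: a non-SYN segment is treated as part
            # of a connection the proxy opened outbound.
            return "ACCEPT", "reply to a proxy-originated connection"
        return "DROP", "no inbound services offered to the outside"

    return "DROP", "unknown interface %r" % pkt.iface


def run_policy(packets: List[Packet]) -> Tuple[List[str], List[str]]:
    """Evaluate packets; return the decisions and one log line per drop."""
    decisions, log = [], []
    for p in packets:
        action, reason = evaluate(p)
        decisions.append(action)
        if action == "DROP":
            log.append("DROP %s %s %s->%s:%d (%s)"
                       % (p.iface, p.proto, p.src, p.dst, p.dport, reason))
    return decisions, log


# Constructed traffic exercising each branch of the policy.
SAMPLE = [
    Packet("int", "192.0.2.10", "192.0.2.1", "tcp", 1080, syn=True),    # client opens SOCKS
    Packet("int", "192.0.2.10", "203.0.113.5", "tcp", 80, syn=True),     # direct web: needs forwarding
    Packet("ext", "203.0.113.5", "198.51.100.2", "tcp", 40000),          # reply to proxy's connection
    Packet("ext", "203.0.113.9", "198.51.100.2", "tcp", 23, syn=True),   # inbound telnet attempt
    Packet("ext", "192.0.2.77", "198.51.100.2", "tcp", 1080, syn=True),  # spoofed inside address
    Packet("ext", "203.0.113.5", "192.0.2.1", "udp", 53),                # aimed at inside-facing address
]

if __name__ == "__main__":
    decisions, log = run_policy(SAMPLE)
    for p, d in zip(SAMPLE, decisions):
        print(d, p)
    print("\n".join(log))
```

The SYN-bit test is the weak point of this design: it is what stateless filters of the period relied on, and a proper filter keeps a table of connections the proxy actually opened and matches replies against it. The point of modelling the policy this way is that every branch is explicit, so the "no forwarding, proxy only" claim can be checked rather than assumed.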