*BSD News Article 72255



Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.mira.net.au!news.mel.connect.com.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.eng.convex.com!newshost.convex.com!bcm.tmc.edu!pendragon!ames!agate!reason.cdrom.com!usenet
From: "Jordan K. Hubbard" <jkh@FreeBSD.org>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: FreeBSD as Internet firewall
Date: Fri, 28 Jun 1996 00:48:16 -0700
Organization: Walnut Creek CDROM
Lines: 57
Message-ID: <31D38E40.794BDF32@FreeBSD.org>
References: <4qphok$2lf@nadine.teleport.com>
NNTP-Posting-Host: time.cdrom.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.0b4 (X11; I; FreeBSD 2.2-CURRENT i386)
To: David Chamberlain <david.chamberlain@ibm.net>

David Chamberlain wrote:
> I am having a Frame Relay put into our company from US Sprint.  One to four
> channels of it will be set up as a virtual circuit to the internet.  I am
> getting a hardware router to route the IP from the Frame Relay to an Ethernet
> segment.

Or you could just buy one of the Emerging Technologies boards (see
http://www.freebsd.org/commercial.html) and plug the frame relay directly into
the FreeBSD box. It's a lot cheaper than a router. :-)

> The only machine I want on the Internet ethernet segment is the FreeBSD
> machine (which I will call gateway). It will also have a NIC connected to
> our internal network.  I believe I have learned enough about firewalls to
> decide that I want to implement an application level firewall, also called a
> proxy gateway.  If I understand it right, this means that no IP routing occurs
> between the internet and my network.

There are different ways of doing this.  One way is to use the ipfw(8) command to
specify exactly which ports and/or addresses are allowed in and out, thus making
the FreeBSD machine a semi-permeable gateway.  Another solution is to not gateway
packets at all but use socks to proxy connections.  As long as the boxes on the
"secure side" of your LAN are able to deal with socks, and it's a reasonably well
accepted standard for proxies, then you're golden.  See /usr/ports/net/socks5 in
a recent version of the ports collection - it's very well integrated with
FreeBSD.

> Also, what kind of hardware would you recommend for a gateway like this?
> Should I use PCI NICs instead of ISA for performance?  What NICs, either ISA
> or PCI, have the most reliable drivers for FreeBSD? (I am not afraid to

The SMC Etherpower PCI NIC is a good one, as are the Compex ENET32 cards (I have
one in my box here).  I don't think that the NICs are going to be your bottleneck
anyway since they'll be able to talk to the network faster than you can route
packets through anyway. :-)

> download and compile -stable, I've already done it just for fun).  Also, does
> FreeBSD have (or will have) drivers for HP 100VG NICs?

Not yet, no.

> I don't have current plans for gateway to be a web or ftp server.  Should I
> still use SCSI drives or would IDE be OK?  If I really need SCSI drives, what
> SCSI adapter (either ISA or PCI) has the most reliable FreeBSD drivers?

I recommend SCSI just for the expansion potential (you MIGHT want a web or FTP
server someday, after all).  The Adaptec 2940 is a good controller, as are the
NCR PCI cards (the latter being very cheap).
 
> I plan to use at least a Pentium 100.  How much RAM should I use?

How long is a piece of string? :-)  Depends on what you're doing with the box.
16MB makes for a very comfortable single user or small server configuration, 32MB
being enough for pretty much anything you might throw at the box (well, I assume
you're not going to be doing common lisp development on your gateway :-).
-- 
- Jordan Hubbard
  President, FreeBSD Project
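The "semi-permeable gateway" option Jordan describes (ipfw(8) rules that name exactly which ports and addresses may pass in and out of the two-NIC box) is sketched below as an added example; it is not part of the original post and is not FreeBSD project code. The interface names (ed0 on the Internet segment, ed1 on the internal LAN), the internal address range, the gateway's public address and the rule numbers are all assumptions chosen for illustration. The script is a dry run by default and only prints the ipfw commands; setting MODE=apply installs them on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal ipfw(8) ruleset for a
# two-NIC FreeBSD gateway that forwards packets but admits only named services.
# Every value below is an assumption for illustration; override via environment.

EXT_IF="${EXT_IF:-ed0}"            # assumed: NIC on the Internet segment
INT_IF="${INT_IF:-ed1}"            # assumed: NIC on the internal LAN
INT_NET="${INT_NET:-10.0.0.0/8}"   # assumed: internal address range
GW_EXT="${GW_EXT:-192.0.2.1}"      # assumed: gateway's public address
MODE="${MODE:-print}"              # print = dry run (default), apply = run ipfw

# Emit one rule: print it in dry-run mode, hand it to ipfw in apply mode.
ipfw_rule() {
    if [ "$MODE" = apply ]; then
        ipfw add "$@"
    else
        printf 'ipfw add %s\n' "$*"
    fi
}

# Rules are evaluated in ascending number order; the first match decides.
# A forwarded packet is checked twice, once inbound on the NIC it arrived on
# and once outbound on the NIC it leaves by, so the real policy sits on EXT_IF.
build_ruleset() {
    # Loopback traffic is always local to the box.
    ipfw_rule 100 allow ip from any to any via lo0
    # Anti-spoofing: internal source addresses must never arrive from outside.
    ipfw_rule 200 deny log ip from "$INT_NET" to any in via "$EXT_IF"
    # Replies to TCP connections that an earlier rule already admitted.
    ipfw_rule 300 allow tcp from any to any established
    # Internal hosts may open TCP connections to the Internet (SYN only).
    ipfw_rule 400 allow tcp from "$INT_NET" to any out via "$EXT_IF" setup
    # DNS is UDP, so both directions must be named explicitly.
    ipfw_rule 500 allow udp from "$INT_NET" to any 53 out via "$EXT_IF"
    ipfw_rule 510 allow udp from any 53 to "$INT_NET" in via "$EXT_IF"
    # The one inbound service exposed to the Internet: mail to the gateway itself.
    ipfw_rule 600 allow tcp from any to "$GW_EXT" 25 in via "$EXT_IF" setup
    # Anything on the internal NIC is trusted; EXT_IF rules still apply on the way out.
    ipfw_rule 700 allow ip from any to any via "$INT_IF"
    # Default deny with logging, so unexpected traffic shows up in the logs.
    ipfw_rule 65000 deny log ip from any to any
}

# Number of rules the policy installs; handy for a sanity check after apply.
rule_count() {
    MODE=print build_ruleset | grep -c 'ipfw add'
}

if [ "$MODE" = apply ]; then
    ipfw -f flush                          # start from an empty ruleset
    sysctl -w net.inet.ip.forwarding=1     # gateway mode: route between the NICs
fi
build_ruleset
```

Run it once without MODE set and read the rules before applying them; `ipfw list` afterwards should show the same nine entries that `rule_count` reports. If the internal range is a private one, as in the assumed value above, the hosts behind the gateway also need address translation, which the thread does not cover. For the socks alternative Jordan mentions, forwarding stays off and the ruleset only needs to admit the gateway's own connections, since internal hosts never have their packets routed at all.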