#! rnews 3355 bsd
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!spool.mu.edu!howland.reston.ans.net!nntp.coast.net!agis!news3.noc.netcom.net!news.diamondmm.com!news
From: pierce@diamondmm.com (John R Pierce)
Newsgroups: comp.os.linux.networking,comp.security.firewalls,comp.dcom.isdn,comp.unix.bsd.freebsd.misc,comp.unix.bsd.netbsd.misc
Subject: Re: Help: ISDN and firewall
Date: Sun, 21 Jan 1996 17:22:54 GMT
Organization: Diamond Multimedia Systems
Lines: 53
Message-ID: <31027524.764884@199.182.102.2>
References: <4deaub$nll@aurora.romoidoy.com>
NNTP-Posting-Host: diamond237.diamondmm.com
X-Newsreader: Forte Agent .99c/16.141
Xref: euryale.cc.adfa.oz.au comp.os.linux.networking:26728 comp.security.firewalls:1071 comp.dcom.isdn:26479 comp.unix.bsd.freebsd.misc:12957 comp.unix.bsd.netbsd.misc:2093

hjl@zoom.com (H J Lu) wrote:
>Hi,
>
>I have been put in charge of designing/implementing a firewall for our class C
>network with an ISDN connection to the internet. Our goal is to control the
>access from the outside and yet provide the maximum transparency.
>
>1. From our class C network, all outgoing connections can be
>   allowed/denied based on the IP addresses/ports.
>2. From outside, all incoming connections should go through the
>   firewall and we can control the access. If necessary, we can allow
>   any incoming connections based on the IP addresses/ports.
>3. We plan to run a few Internet servers on the firewall machine which
>   are accessible from the outside.
>4. To access our Class C network from the outside, we should be able to
>   log in on the firewall machine and go from there.
>
>From what we need, I am not sure proxy services will be sufficient for
>us. Since the traffic between our network and the outside won't be very
>heavy, I am thinking of implementing the router/firewall machine on a Unix
>machine with an ISDN interface using a router with a packet filter. I
>was wondering what free/commercial packet filtering routers are available
>for Unix, especially for Linux. Will screend work in this case?
>
>Thanks a lot.
>
>H.J.

You understand that external IP addresses are no longer trustworthy enough to use for security? See the articles on "IP Spoofing" in the CERT archives...

Our firewall is a 'PIX' by Network Translations, Inc. This allows you to use private IP addresses behind (inside) the firewall, and dynamically maps them to external public addresses when sockets are opened. By default NO internal services can be accessed from outside.

We have a 'DMZ' that our T-1 internet connection routes to... The 'DMZ' is a small ether hub with the public name server, mail server, news server, ftp server, web server and the PIX. Everything else is behind the PIX. Specific protocols to/from specific addresses can be allowed thru the PIX (for instance, we allow SMTP to/from our external mail router to/from our internal email gateway...).

The advantage of the PIX is that you can have more internal IP addresses than you have external... We only have 1 class C (254 nodes) yet we have over 500 workstations... Sure, only 250 can surf the internet at once, but that's not a problem...

Also, the PIX is very transparent: users don't need to configure their clients for proxies, and applications like IRC that don't have any proxies work fine thru it.

-jrp
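The policy the reply describes (private addresses inside, a public pool mapped dynamically when an inside host opens a socket, default-deny inbound, an explicit SMTP hole between the external mail router and the internal gateway, and the point that outside source addresses cannot be trusted) as a small Python simulation. This is an added example, not code from the post or from the PIX product; every address, the pool size and the class name are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed topology; the post names no addresses, so these are assumptions.
INSIDE = ip_network("10.0.0.0/24")                  # private addresses behind the firewall
PUBLIC_POOL = ["198.51.100.10", "198.51.100.11"]    # dynamic NAT pool (tiny, to show exhaustion)
EXT_MAIL_ROUTER = ip_address("203.0.113.5")         # public mail router on the DMZ hub
INT_MAIL_GATEWAY = ip_address("10.0.0.25")          # internal email gateway
STATIC_NAT = {INT_MAIL_GATEWAY: ip_address("198.51.100.25")}  # fixed public address for it
# Explicit holes: (outside source, inside destination, destination port).
# Everything else arriving from outside is denied unless it answers an inside-opened session.
INBOUND_ALLOW = {(EXT_MAIL_ROUTER, INT_MAIL_GATEWAY, 25)}


class PixLikeFilter:
    def __init__(self):
        self.pool = [ip_address(p) for p in PUBLIC_POOL]
        self.nat = dict(STATIC_NAT)   # inside address -> public address
        self.sessions = set()         # (public, remote, remote_port) opened from inside

    def outbound(self, src, dst, dport):
        """Packet from the inside interface: allocate a public address on first use."""
        src, dst = ip_address(src), ip_address(dst)
        if src not in INSIDE:
            return "drop: not an inside source"
        if src not in self.nat:
            if not self.pool:
                return "drop: public pool exhausted"   # more workstations than public addresses
            self.nat[src] = self.pool.pop(0)
        self.sessions.add((self.nat[src], dst, dport))
        return f"allow as {self.nat[src]}"

    def inbound(self, src, dst, sport, dport):
        """Packet from the outside interface: default deny."""
        src, dst = ip_address(src), ip_address(dst)
        if src in INSIDE:   # an inside address can only arrive from outside if it was forged
            return "drop: inside address arriving from outside (spoofed)"
        inside = next((i for i, p in self.nat.items() if p == dst), None)
        if inside is None:
            return "drop: no mapping for destination"
        if (dst, src, sport) in self.sessions:
            return f"allow: reply to {inside}"
        if (src, inside, dport) in INBOUND_ALLOW:
            return f"allow: explicit rule to {inside}"
        return "drop: default deny"
```

The spoofing check only catches forged inside addresses; a forged address of the trusted mail router would still match the SMTP rule, which is the limitation the reply's CERT reference is about.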