*BSD News Article 60263



Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!spool.mu.edu!howland.reston.ans.net!nntp.coast.net!agis!news3.noc.netcom.net!news.diamondmm.com!news
From: pierce@diamondmm.com (John R Pierce)
Newsgroups: comp.os.linux.networking,comp.security.firewalls,comp.dcom.isdn,comp.unix.bsd.freebsd.misc,comp.unix.bsd.netbsd.misc
Subject: Re: Help: ISDN and firewall
Date: Sun, 21 Jan 1996 17:22:54 GMT
Organization: Diamond Multimedia Systems
Lines: 53
Message-ID: <31027524.764884@199.182.102.2>
References: <4deaub$nll@aurora.romoidoy.com>
NNTP-Posting-Host: diamond237.diamondmm.com
X-Newsreader: Forte Agent .99c/16.141
Xref: euryale.cc.adfa.oz.au comp.os.linux.networking:26728 comp.security.firewalls:1071 comp.dcom.isdn:26479 comp.unix.bsd.freebsd.misc:12957 comp.unix.bsd.netbsd.misc:2093

hjl@zoom.com (H J Lu) wrote:

>Hi,
>
>I have been put in charge of designing/implementing a firewall for our class C
>network with an ISDN connection to the internet. Our goal is to control the
>access from the outside and yet provide the maximum transparency.
>
>1. From our class C network, all outgoing connections can be
>   allowed/denied based on the IP addresses/ports.
>2. From outside, all incoming connections should go through the
>   firewall and we can control the access. If necessary, we can allow
>   any incoming connections based on the IP addresses/ports.
>3. We plan to run a few Internet servers on the firewall machine which
>   are accessible from the outside.
>4. To access our Class C network from the outside, we should be able to
>   login on the firewall machine and go from there.
>
>From what we need, I am not sure proxy services will be sufficient for
>us. Since the traffic between our network and the outside won't be very
>heavy, I am thinking of implementing the router/firewall machine on a Unix
>machine with an ISDN interface using a router with a packet filter. I
>was wondering what free/commercial packet filtering routers are available
>for Unix, especially for Linux. Will screend work in this case?
>
>Thanks a lot.
>
>H.J.

You understand that external IP addresses are no longer trustworthy
enough to use for security?  See the articles on "IP Spoofing" in the
CERT archives...

Our firewall is a 'PIX' by Network Translations, Inc.  This allows you
to use private IP addresses behind (inside) the firewall, and
dynamically maps them to external public addresses when sockets are
open.  By default NO internal services can be accessed from outside.
We have a 'DMZ' that our T-1 internet connection routes to... The
'DMZ' is a small ether hub with the public name server, mail server,
news server, ftp server, web server and the PIX.  Everything else is
behind the PIX.  Specific protocols to/from specific addresses can be
allowed through the PIX (for instance, we allow SMTP to/from our external
mail router to/from our internal email gateway...).

The advantage of the PIX is that you can have more internal IP
addresses than you have external... We only have 1 class C (254 nodes)
yet we have over 500 workstations... Sure, only 250 can surf the
internet at once, but that's not a problem...  Also, the PIX is very
transparent, users don't need to configure their clients for proxies,
and applications like IRC that don't have any proxies work fine through
it.

-jrp
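As an added example (not code from the post, and not the PIX product's own logic), here is a small Python model of the behaviour jrp describes: a pool of public addresses smaller than the number of inside hosts, translations created only when an inside host opens a socket, inbound traffic dropped by default unless it is a reply to an inside-initiated connection, and a static allow for SMTP between one outside mail router and one inside gateway. All addresses, ports and pool sizes are constructed sample values, and the connection tracking is simplified to what the post explains.

```python
# Toy model of PIX-style dynamic NAT with default-deny inbound.
# Addresses below are constructed documentation-range samples, not real hosts.

class DynamicNat:
    def __init__(self, public_pool, static_allow=None):
        self.pool = list(public_pool)      # free public addresses
        self.priv_to_pub = {}              # inside host -> mapped public address
        self.pub_to_priv = {}              # mapped public address -> inside host
        self.conns = set()                 # (public, remote, remote_port) opened from inside
        # (remote, public, dport) -> inside host; e.g. SMTP from the external
        # mail router to the internal mail gateway, as in the post.
        self.static = dict(static_allow or {})

    def outbound(self, priv, remote, dport):
        """Inside host opens a socket: allocate a public address on first use,
        record the connection, or return None when the pool is exhausted."""
        pub = self.priv_to_pub.get(priv)
        if pub is None:
            if not self.pool:
                return None                # only len(pool) hosts can be online at once
            pub = self.pool.pop(0)
            self.priv_to_pub[priv] = pub
            self.pub_to_priv[pub] = priv
        self.conns.add((pub, remote, dport))
        return pub

    def inbound(self, remote, sport, pub, dport):
        """Packet from outside: return the inside host it may reach, or None.
        Accepted only as a reply to an inside-initiated connection or by a
        static rule; an existing translation alone never admits new traffic."""
        host = self.static.get((remote, pub, dport))
        if host is not None:
            return host
        if (pub, remote, sport) in self.conns:
            return self.pub_to_priv[pub]
        return None

    def release(self, priv):
        """Inside host goes idle: drop its connections and free the public address."""
        pub = self.priv_to_pub.pop(priv, None)
        if pub is None:
            return False
        del self.pub_to_priv[pub]
        self.conns = {c for c in self.conns if c[0] != pub}
        self.pool.append(pub)
        return True
```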