The FreeBSD Diary


Providing practical examples since 1998

FreeBSD Support
 [firewall] small subset of a real ip range
Author: Harrison Caudill 
Date:   13-02-03 18:39

I'm working in one of the physics labs and CNS (Computing Networking Services) keeps getting on our case about unprotected computers running default old installs done by physics majors, of Red Hat or Debian. I'd, under normal circumstances, just throw up a firewall running natd like I have running at home, but that would interfere with the Matlab license server. I'd like for the computers to be able to maintain their current, real IP addresses. What I'd like to do is have a computer that sits between the outside world and the lab and just allows or disallows packets through based on the following ipfw rules:

# allow ssh, outgoing, and dns
# ("setup" only applies to tcp; ssh clients and resolvers use ephemeral
# source ports, so only the destination port is matched)
allow tcp from (internal computers) to any via ${oif} setup
allow tcp from any to any 22 setup # allow ssh to all computers
allow udp from any to any 53 # allow dns querying
allow udp from any 53 to any # ... and the answers coming back

# Deny non-existent internal networks (172.16.0.0/12 is the whole private block)
deny log all from 192.168.0.0/16 to any
deny log all from 10.0.0.0/8 to any
deny log all from 172.16.0.0/12 to any

# Deny Microsoft...<evil grin>
deny log all from 207.46.0.0/16 to any
deny log all from any to 207.46.0.0/16

My biggest problem right now is how to ifconfig the inside interface. That interface should ONLY be used to talk to a specific list of computers...

Any suggestions?
Thanks in advance

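A complete ruleset along the lines the post above sketches, for a filtering bridge that keeps the lab's real addresses. This is an added example, not code from the thread or from the FreeBSD bridge article; the lab prefix, the interface names and the gen_rules helper are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset for a filtering bridge
# that keeps the lab's real addresses. LAB_NET, OIF and IIF are placeholders
# (constructed values); gen_rules is an assumed helper name.
LAB_NET="${LAB_NET:-203.0.113.0/28}"   # constructed: the lab's real prefix
OIF="${OIF:-fxp0}"                     # assumed outside interface
IIF="${IIF:-xl0}"                      # assumed inside interface

# Prints one rule body per line so it can be reviewed before loading.
# Direction is only ever expressed as "in via", so the rules read the same
# whether the box routes or bridges. Load them with:
#   gen_rules | while read r; do ipfw -q add $r; done
gen_rules() {
    # Private source addresses cannot occur on a real-IP lab: drop and log.
    echo "deny log ip from 192.168.0.0/16 to any"
    echo "deny log ip from 10.0.0.0/8 to any"
    echo "deny log ip from 172.16.0.0/12 to any"
    # Anti-spoofing: lab addresses never arrive from outside, and only lab
    # addresses may leave from inside.
    echo "deny log ip from $LAB_NET to any in via $OIF"
    echo "deny log ip from not $LAB_NET to any in via $IIF"
    # Packets of connections already open pass; new ones are judged below.
    echo "allow tcp from any to any established"
    # Lab hosts may open outbound TCP connections.
    echo "allow tcp from $LAB_NET to any setup in via $IIF"
    # SSH to any lab host from anywhere; only the destination port is fixed,
    # the client side uses an ephemeral port.
    echo "allow tcp from any to $LAB_NET 22 setup in via $OIF"
    # DNS queries out and answers back (plain UDP, no state kept).
    echo "allow udp from $LAB_NET to any 53"
    echo "allow udp from any 53 to $LAB_NET"
    # Everything else is logged and dropped.
    echo "deny log ip from any to any"
}
```

The inside interface itself needs no address for bridging; the filtering happens on the frames passing between the two interfaces.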
 
 Re: [firewall] small subset of a real ip range
Author: bb 
Date:   13-02-03 19:46

deny microsoft :)

love that

 
 Re: [firewall] small subset of a real ip range
Author: Scott 
Date:   24-02-03 14:21

Use FreeBSD as a bridging firewall.
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/index.html

This link explains how to get the firewall to bridge traffic from outside to inside, disallowing specific ports, etc., but without using NAT.
Scott
