Firewall concept question
b at bjwcs.com
Wed Oct 6 11:40:49 PDT 2004
Looking to use a FreeBSD server as a firewall for a modem pool. The theory
is we only want to give them access to HTTP and DNS (which we could do as
proxy on the FreeBSD box).
For accountability reasons, each modem will be assigned a specific IP
address. That way, I'll be able to use Radius accounting to keep track of
who was logged in on what ip at what time. The idea being that if someone
uses the modems to launch an attack or whatever, we have something to work
with for tracking the user down if the authorities come knocking.
I haven't set up a FreeBSD firewall before, so I have a "best way" question:
Should I use "transparent" mode where each modem has a public ip address or
use something like static NAT entries?
I'd planned on using a transparent mode, since I was familiar with it from
using a Netscreen. It would seem to have the easiest accounting. But, wasn't
sure if I could do that using FreeBSD, so static NAT entries would be the
next best thing... Right?
I would also entertain the idea of using something like Squid so all access
is through a local proxy, then simply lock the firewall down completely.
But, I'm still concerned about the accountability in case someone manages to
launch an attack thru the proxy. I'd have to have some way of easily mapping
back to the ip of the modem based on the external information given to me by
authorities (ie: public ip address).
Any other suggestions for methods to accomplish this task are welcome.
More information about the freebsd-questions