Networking with FreeBSD

Garrett Cooper youshi10 at
Tue Aug 2 17:10:50 GMT 2005

On Tue, 2 Aug 2005, Stephan Weaver wrote:

> Hello Everyone.
> We are going to be connecting our Stores to our Main Head Office Via Fiber.
> We want to separate our Internal Lan from the store computers.
> So we have decided to separate them by networks [ip addressing] because of 
> security.
> Head Office
> I have 3 Servers in my LAN. And 4 Networks in Total inside of out Head 
> Office.
> - Pixel Replication Server
> - Web Based Server [Delivery Server]
> - File Server
> Including Internet Users.
> [ Lan ].
> The store computers that need to access specific servers, are only on that 
> network.
> For example.
> Store 1, Computer 1 Needs to Replicate [he will have an ip of]
> Store 1, Computer 2 [The Delivery Pc]. he will have an ip of
> Store 1, Computer 3 Will access the File Server by having an ip of 
> Now the Risk involved with this is we have no Real Security, For Example.
> A Malicious user can easily change his ip address to For 
> Example and Get on our Head Office Internal Network. Which We don't Want.
> So i would like to Setup, Install And Configure a FreeBSD Based Firewall, 
> that will have 4 Network Cards, and will be placed between Our Head Office 
> Switch, and out Fibre Switch [Wan].
> But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD 
> Will Bridge All Those Networks.
> How Can i keep the networks Separate, and Secure the Servers by Firewalling 
> by ip addressing?
> I would appreciate Advice / Suggestions / Anything That will give me a better 
> clue on how to secure my network.
> Yours Sincerely,
> Stephan Weaver

 	I can tell you as of right now that you're going to have to setup 
a NAT with your FreeBSD box acting as the gateway using something like 
ipf, ipfilter, etc. However, I have little experience with this, and 
depending on what you want in terms of user interaction, different 
solutions will pose certain pros and cons.
 	Also, no one outside of the network can just change their IP 
address to 192.168.0.x because the 192.168.x.y IP address blocks are 
reserved as Class C addresses which under all correct implementations of 
IP physically inaccessible outside the network. Therefore, that isn't so 
much of an issue... however, it still doesn't hurt to have a firewall 
because you don't want someone tunnelling in and wreaking havok on your 
network. That is of course if the information you listed above was in fact 
what's currently implemented as opposed to what should be implemented.
 	Just a few minor thoughts.

More information about the freebsd-questions mailing list