Networking with FreeBSD
cswiger at mac.com
Tue Aug 2 17:38:30 GMT 2005
Stephan Weaver wrote:
[ ... ]
> But AFAIK, By Placing all these network cards in the Same Machine,
> FreeBSD Will Bridge All Those Networks.
FreeBSD is well-behaved in terms of security. It will not act as a layer-2
bridge or as a layer-3 IP router/firewall, unless and until you tell it to do so.
See the options set in /etc/rc.conf and /etc/defaults/rc.conf such as:
gateway_enable="NO" # Set to YES if this host will be a gateway.
router_enable="NO" # Set to YES to enable a routing daemon.
firewall_enable="NO" # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
...or "man bridge".
> How Can i keep the networks Separate, and Secure the Servers by
> Firewalling by ip addressing?
Well, if you set the machines up on three or four separate subnets, each on a
separate collision domain (i.e., each with its own hub or switch VLAN), you can
firewall traffic both by subnet and by individual IPs. A proper ruleset will
integrate anti-spoofing rules which will prevent a machine from sending traffic
as if it were an IP on another subnet, or at least prevent the traffic from
going through the firewall to reach your private internal networks.
Obviously, you want to keep untrusted machines on another subnet than the
servers you are protecting. Go read "Building Internet Firewalls" published by
O'Reilly, as well as http://www.ietf.org/rfc/rfc2196.txt...
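As an added example that is not part of cswiger's reply and is not FreeBSD's own /etc/rc.firewall, the sh script below generates an ipfw ruleset of the kind described above: one interface per subnet, an anti-spoofing rule per interface so a host cannot send with a source address belonging to another subnet, and a port-level policy between the subnets with a final deny. The interface names (em0, em1, em2), the 192.168.x.0/24 subnets, the three roles and the allowed ports are assumptions chosen for illustration; by default the script only prints the rules.

```shell
#!/bin/sh
# Added example, not from the original post or from /etc/rc.firewall.
# Interface names, subnets and port policy are assumptions for illustration.
#
# By default the rules are only printed. Run with IPFW=/sbin/ipfw as root on a
# host that has firewall_enable="YES" and the ipfw module loaded to install them.
IPFW=${IPFW:-"echo ipfw"}

# Constructed topology (assumed): role, interface, subnet, one entry per line.
# All three interfaces are internal; there is no upstream/Internet interface.
TOPOLOGY="servers   em0 192.168.10.0/24
users     em1 192.168.20.0/24
untrusted em2 192.168.30.0/24"

# Look up the subnet assigned to a role.
net_of() {
    printf '%s\n' "$TOPOLOGY" | awk -v r="$1" '$1 == r { print $3 }'
}

# Anti-spoofing: a packet arriving on an interface must carry a source address
# from that interface's own subnet. Because every interface gets such a rule,
# a host on em2 cannot claim a 192.168.10.x source and be forwarded anywhere.
antispoof_rules() {
    n=100
    printf '%s\n' "$TOPOLOGY" | while read -r role ifn net; do
        echo "add $n deny log ip from not $net to any in recv $ifn"
        n=$((n + 10))
    done
}

# Inter-subnet policy: stateful, allow only what each role needs, deny the rest.
# Traffic that stays inside one subnet never crosses the firewall at all.
policy_rules() {
    servers=$(net_of servers)
    users=$(net_of users)
    untrusted=$(net_of untrusted)
    echo "add 200 check-state"
    echo "add 210 allow tcp from $users to $servers 22,80,443 setup keep-state"
    echo "add 220 allow tcp from $untrusted to $servers 80,443 setup keep-state"
    echo "add 230 allow icmp from any to any icmptypes 0,3,8,11"
    echo "add 65000 deny log ip from any to any"
}

# The complete ruleset, flush first so reloading is idempotent.
gen_ruleset() {
    echo "-f flush"
    antispoof_rules
    policy_rules
}

# Feed each rule to ipfw (or to echo in dry-run mode).
load_ruleset() {
    gen_ruleset | while read -r line; do
        # shellcheck disable=SC2086
        $IPFW -q $line
    done
}

load_ruleset
```

The anti-spoofing rules assume every interface faces one of your own subnets; if one of them were an upstream link, that interface would instead need a rule denying packets that arrive on it claiming any of the internal subnets as their source.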