RE: Firewall, OpenVPN and Squid question

From: Steve Bertrand (iaccounts_at_ibctech.ca)
Date: 07/21/04

    Date: Wed, 21 Jul 2004 16:59:38 -0400 (EDT)
    To: "Paul Hillen" <PHILLEN@NFM.NET>

    > I would have to guess if a hardware firewall like Watchguard that offers
    > VPN also, that it would have to be beefier than that. Steve going back to
    > your initial response about the PIII 800MHz network, are you using a proxy
    > for the internal users or are they connecting directly to the firewall as
    > their only means of getting out?

    [At the main site]
    (Selected) users go to a content filter (squid+dansguardian) and it goes
    out to the net (through the fw). The content filter has a private IP, and
    in itself, it is protected with its own localized ipfw rules for
    protection.

    The rest of the clients go directly through the pipe unrestricted through
    the firewall to the net. (I know I shouldn't do this with our own proxy,
    but that's how it is for now).

    > It seems most hardware firewalls do not include a proxy server, just
    > NAT/VPN, which in this case the proxy would be on a separate internal
    > machine anyway.

    Depends. I once used a Nortel dial-up NAT router box that had its own
    built-in web cache. Very small cache mind you, but it worked ok,
    especially on a 26.4Kb link.

    >
    > Comment about the ISA Server setup, which I actually like and not sure if
    > I can pull off the same type of setup with FreeBSD. The setup is like this:
    >

    Yes, you can. Either with 2 BSD boxes replacing the ISA boxen, or with one
    BSD box configured with 3 NICs -- 1 for Internet connection, 1 for
    Internal LAN, and the other for the DMZ. The DMZ NIC can have all sorts
    of good rules applied to it, and the internal net can be absolutely cut
    off for inbound traffic except for the VPNs.

    > External ISA Server (not actual ips) ISP / 10.10.10.6
    > |
    > |-> Postfix Relay Server 10.10.10.5
    > |-> TinyDNS for internet publishing 10.10.10.4
    > |-> TinyDNS for internet publishing 10.10.10.3
    > |-> Webserver 10.10.10.2
    > |
    > |-> Internal ISA Server 10.10.10.1 / 10.0.0.1
    > |
    > |-> Exchange Server 10.0.0.2
    > |-> TinyDNS internal publishing 10.0.0.3
    > |-> TinyDNS internal publishing 10.0.0.4
    > |-> Rest of internal servers and network etc...
    >
    >
    > External sites are actually creating a VPN tunnel with a VPN tunnel and it
    > works good, but the ISA Server gets too flaky after about a month of use. I
    > have rebuilt them more than I ever thought I would.
    >
    > At this point I will be happy to just get the firewall and VPN to work, but
    > I like the additional layer someone would have to break through in the
    > above scenario.

    Like I said above, 2 boxes, or one box with 3 NICs.

    Steve

    >
    >> Yes, but take into consideration disk reads/writes. It is possible to
    >> eliminate these tasks, and I have even done setups where everything was
    >> flashed onto a CF card (ro) (obviously w/o logging capabilities). I did a
    >> custom build, frequently referring to:
    >> http://neon1.net/misc/minibsd.html and put the system on an IDE->CF card
    >> converter.
    >
    >> Steve

    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
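Steve's "one box with 3 NICs" layout, written out as an ipfw ruleset so the separation he describes (DMZ NIC with its own rules, internal net closed to inbound traffic except the VPN) is concrete. This is an added example, not code from the thread or from either poster. It assumes interface names fxp0/fxp1/fxp2, OpenVPN terminating on the firewall itself on UDP 1194, and a /24 for each side; the 10.10.10.x and 10.0.0.x addresses are the placeholder ones from Paul's diagram. The script only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added example (not from the thread): generate an ipfw ruleset for a single
# FreeBSD box with three NICs -- Internet, internal LAN and DMZ. All interface
# names, networks and the VPN port are assumptions; the host addresses mirror
# the placeholder addresses in Paul's diagram.
EXT_IF="${EXT_IF:-fxp0}"               # assumed: NIC facing the ISP
LAN_IF="${LAN_IF:-fxp1}"               # assumed: NIC facing the internal LAN
DMZ_IF="${DMZ_IF:-fxp2}"               # assumed: NIC facing the DMZ
LAN_NET="${LAN_NET:-10.0.0.0/24}"      # internal LAN (thread's 10.0.0.x)
DMZ_NET="${DMZ_NET:-10.10.10.0/24}"    # DMZ (thread's 10.10.10.x)
DMZ_WEB="${DMZ_WEB:-10.10.10.2}"       # webserver
DMZ_MAIL="${DMZ_MAIL:-10.10.10.5}"     # Postfix relay
DMZ_DNS1="${DMZ_DNS1:-10.10.10.3}"     # TinyDNS, public
DMZ_DNS2="${DMZ_DNS2:-10.10.10.4}"     # TinyDNS, public
VPN_PORT="${VPN_PORT:-1194}"           # assumed: OpenVPN on the firewall itself

# Print the ruleset, one "ipfw add" per line, numbered in steps of 100 so
# extra rules can be slotted in later. Nothing is applied here; review the
# output, then feed it to sh on the firewall or into /etc/ipfw.rules.
gen_ruleset() {
    n=100
    rule() { printf 'ipfw add %d %s\n' "$n" "$*"; n=$((n + 100)); }

    # Loopback is unrestricted; loopback addresses on real NICs are forged.
    rule allow ip from any to any via lo0
    rule deny ip from any to 127.0.0.0/8
    rule deny ip from 127.0.0.0/8 to any

    # Anti-spoofing, placed before check-state so a forged inside address
    # arriving from the ISP can never match a dynamic rule.
    rule deny ip from "$LAN_NET" to any in via "$EXT_IF"
    rule deny ip from "$DMZ_NET" to any in via "$EXT_IF"

    # Packets belonging to flows we already allowed pass here.
    rule check-state

    # Internal LAN: ipfw sees a forwarded packet twice (in on one NIC, out on
    # another), so accept it on the LAN NIC, then create state on the way out.
    rule allow ip from "$LAN_NET" to any in via "$LAN_IF"
    rule allow tcp from "$LAN_NET" to any out via "$EXT_IF" setup keep-state
    rule allow udp from "$LAN_NET" to any out via "$EXT_IF" keep-state
    rule allow icmp from "$LAN_NET" to any out via "$EXT_IF" keep-state
    rule allow ip from "$LAN_NET" to "$DMZ_NET" out via "$DMZ_IF" keep-state

    # DMZ: hosts there may never open a connection toward the internal LAN,
    # but may reach the Internet (mail relay, DNS resolution).
    rule deny ip from "$DMZ_NET" to "$LAN_NET" in via "$DMZ_IF"
    rule allow ip from "$DMZ_NET" to any in via "$DMZ_IF"
    rule allow tcp from "$DMZ_NET" to any out via "$EXT_IF" setup keep-state
    rule allow udp from "$DMZ_NET" to any out via "$EXT_IF" keep-state

    # Published DMZ services, each host limited to the one port it serves.
    rule allow tcp from any to "$DMZ_WEB" 80 in via "$EXT_IF" setup keep-state
    rule allow tcp from any to "$DMZ_MAIL" 25 in via "$EXT_IF" setup keep-state
    rule allow udp from any to "$DMZ_DNS1" 53 in via "$EXT_IF" keep-state
    rule allow udp from any to "$DMZ_DNS2" 53 in via "$EXT_IF" keep-state

    # The only inbound path toward the inside is the VPN endpoint on this box;
    # anything else aimed at the internal net from the ISP side is dropped.
    rule allow udp from any to me "$VPN_PORT" in via "$EXT_IF" keep-state
    rule deny ip from any to "$LAN_NET" in via "$EXT_IF"

    # Default deny, logged, so misses show up in /var/log/security.
    rule deny log ip from any to any
}

gen_ruleset
```

The ordering is the security-relevant part: anti-spoofing rules sit ahead of check-state, the DMZ-to-LAN deny sits ahead of the DMZ's general outbound allow, and the internal net is never named in an inbound allow on the Internet NIC. The content filter's own "localized ipfw rules" that Steve mentions would be a separate host-level set on that box, not part of this one.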
