RE: Firewall, OpenVPN and Squid question

2004-07-22 Thread Paul Hillen
Want to thank you guys for your help; I set up my first firewall last night.
Granted it is basic, and have a lot of work to do yet, but it's a start. It
is routing and letting my test machines access the web.

Hopefully the last question (yeah right)

I decided to use IPFILTER and it appears to be easy enough - just have to get
used to the syntax. Does anyone know if IPFILTER can pass/block based on MAC
ADDRESS instead of just IP address? I can not find anything on Google unless
I am simply doing an incorrect query.

Thanks again
Paul

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


RE: Firewall, OpenVPN and Squid question

2004-07-22 Thread Murray Taylor
If you run your own DHCP server then you can lock IP numbers via their
MAC id there for the machines you trust.

Then allow them appropriate access via ipf and corral the rest.

(In DHCP create a 'pool' for others that uses a different section of
your IP range)

HTH
mjt

On Thu, 2004-07-22 at 23:51, Paul Hillen wrote:
> Want to thank you guys for your help; I set up my first firewall last night.
> Granted it is basic, and have a lot of work to do yet, but it's a start. It
> is routing and letting my test machines access the web.
>
> Hopefully the last question (yeah right)
>
> I decided to use IPFILTER and it appears to be easy enough - just have to get
> used to the syntax. Does anyone know if IPFILTER can pass/block based on MAC
> ADDRESS instead of just IP address? I can not find anything on Google unless
> I am simply doing an incorrect query.
>
> Thanks again
> Paul

-- 
Murray Taylor
Special Projects Engineer
-
Bytecraft Systems Entertainment
P: +61 3 8710 2555
F: +61 3 8710 2599
D: +61 3 9238 4275
M: +61 417 319 256
E: [EMAIL PROTECTED]
or visit us on the web
http://www.bytecraftsystems.com
http://www.bytecraftentertainment.com







Re: Firewall, OpenVPN and Squid question

2004-07-21 Thread Steve Bertrand
> There are 3 remote sites connecting to our network using GATEWAY to GATEWAY
> VPN and around 25 remote VPN users that must be dealt with also. Last item,
> there is a chance that I will have to connect 3 more remote sites into the
> picture within the next 6 months, so this needs to be scalable to handle the
> load..
>
> My question is, what is the best way to set this up. Here are my thoughts,
> but not sure what is the best way.
>
> * Setup one FreeBSD box that contains FIREWALL, SQUID and OPENVPN or
> * Setup 3 separate boxes to break up the work load.


What will the load requirements be? (How many users will require the use
of squid?)

I have a FBSD PIII 800 w/256M RAM as a firewall for one of our clients,
with 3 OpenVPN instances running simultaneously (two are site-site, and
one is an XP-client-site). The box is also performing NAT (ipfw/natd) for
the internal users, which when all are accounted for equal ~120, and I
find it works great. There are about 30 users through the VPNs, though
usually never on all at the same time.

Depending on caching requirements though, you might be better off
splitting that off onto its own box, especially if you have the hardware
readily available as you suggest.

YMMV.

Steve



> Many thanks in advance for being patient with what I am sure is stupid
> beginner questions to most of you.
>
> When giving your choice of which setup, please point me in the direction of
> the best resource to put it all together and the hardware requirement you
> would recommend. I have a truck load of PII 300 - 450's due to upgrades, so
> if I can use them great, if not, time to go on a spending spree.
>
> Thanks again
>
> Paul





RE: Firewall, OpenVPN and Squid question

2004-07-21 Thread Paul Hillen
I have around 100 users at our site that would require the use of squid; we
house our own webserver, mail server, public DNS servers in the DMZ and 2
private DNS servers on the internal network, used by both internal and VPN
users.

Sites connecting Gateway to Gateway are approx. as follows:
Site 1 - 25 users
Site 2 - 5 users
Site 3 - 12 users
Our site VPN users are approx. 25, and about 50% of them are connected at any
given time.

My first thought is to put up a Firewall box that can handle the load of
publishing many internal boxes and publish a box with OpenVPN and another
for SQUID and just keep them all separate.

Will this setup put too much strain on the FIREWALL box or will it have no
problem handling the NAT/ROUTING in this configuration?

Thanks in advance
Paul



-Original Message-
From: Steve Bertrand [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 21, 2004 2:10 PM
To: Paul Hillen
Cc: [EMAIL PROTECTED]
Subject: Re: Firewall, OpenVPN and Squid question

> There are 3 remote sites connecting to our network using GATEWAY to GATEWAY
> VPN and around 25 remote VPN users that must be dealt with also. Last item,
> there is a chance that I will have to connect 3 more remote sites into the
> picture within the next 6 months, so this needs to be scalable to handle the
> load..
>
> My question is, what is the best way to set this up. Here are my thoughts,
> but not sure what is the best way.
>
> * Setup one FreeBSD box that contains FIREWALL, SQUID and OPENVPN or
> * Setup 3 separate boxes to break up the work load.

What will the load requirements be? (How many users will require the use
of squid?)

I have a FBSD PIII 800 w/256M RAM as a firewall for one of our clients,
with 3 OpenVPN instances running simultaneously (two are site-site, and
one is an XP-client-site). The box is also performing NAT (ipfw/natd) for
the internal users, which when all are accounted for equal ~120, and I
find it works great. There are about 30 users through the VPNs, though
usually never on all at the same time.

Depending on caching requirements though, you might be better off
splitting that off onto its own box, especially if you have the hardware
readily available as you suggest.

YMMV.

Steve

> Many thanks in advance for being patient with what I am sure is stupid
> beginner questions to most of you.
>
> When giving your choice of which setup, please point me in the direction of
> the best resource to put it all together and the hardware requirement you
> would recommend. I have a truck load of PII 300 - 450's due to upgrades, so
> if I can use them great, if not, time to go on a spending spree.
>
> Thanks again
>
> Paul




RE: Firewall, OpenVPN and Squid question

2004-07-21 Thread Steve Bertrand
> I have around 100 users at our site that would require the use of squid; we
> house our own webserver, mail server, public DNS servers in the DMZ and 2
> private DNS servers on the internal network, used by both internal and VPN
> users.
>
> Sites connecting Gateway to Gateway are approx. as follows:
> Site 1 - 25 users
> Site 2 - 5 users
> Site 3 - 12 users
> Our site VPN users are approx. 25, and about 50% of them are connected at
> any given time.
>
> My first thought is to put up a Firewall box that can handle the load of
> publishing many internal boxes and publish a box with OpenVPN and another
> for SQUID and just keep them all separate.
>
> Will this setup put too much strain on the FIREWALL box or will it have no
> problem handling the NAT/ROUTING in this configuration?

I'll go as far as to say that it should have no problem. At the ISP I am
currently working full time for, we recently deployed an ipfw bridge
configured firewall (internally) to protect our core servers from improper
access. There are 8 servers in all (mail, web, mysql, ftp, radius, ssh and
dns).

We have about 6000 users, and the FBSD firewall never ever hiccuped. I
could even run tcpdump for hours, and it would rarely ever drop even a
single packet.

Sounds like a good setup you are planning. I would set it up, implement it
(with the old setup on standby), and if you find performance problems,
pull the drive out of the P3 and do as you say, go on a 'spending spree',
and put the drive directly into a P4 with a gig of memory, and drop it
back in place.

Please note that natd is NOT running on the ISP firewall, but on the other
such setup it is, and I've never seen any performance problems at all.

Steve




Re: Firewall, OpenVPN and Squid question

2004-07-21 Thread Micheal Patterson


- Original Message - 
From: Paul Hillen [EMAIL PROTECTED]
To: Steve Bertrand [EMAIL PROTECTED]; Paul Hillen [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 1:33 PM
Subject: RE: Firewall, OpenVPN and Squid question


> I have around 100 users at our site that would require the use of squid; we
> house our own webserver, mail server, public DNS servers in the DMZ and 2
> private DNS servers on the internal network, used by both internal and VPN
> users.
>
> Sites connecting Gateway to Gateway are approx. as follows:
> Site 1 - 25 users
> Site 2 - 5 users
> Site 3 - 12 users
> Our site VPN users are approx. 25, and about 50% of them are connected at
> any given time.
>
> My first thought is to put up a Firewall box that can handle the load of
> publishing many internal boxes and publish a box with OpenVPN and another
> for SQUID and just keep them all separate.
>
> Will this setup put too much strain on the FIREWALL box or will it have no
> problem handling the NAT/ROUTING in this configuration?
>
> Thanks in advance
> Paul


Considering that many of the current hardware firewall solutions aren't much
more than either a BSD or Linux kernel in a ROM chip, with a 486 or 586
based CPU, memory, and a nice GUI (Windows or Internal Web interface), I
can't see why a similar system on a PC would be any different.

--

Micheal Patterson
TSG Network Administration
405-917-0600



RE: Firewall, OpenVPN and Squid question

2004-07-21 Thread Steve Bertrand
> > We have about 6000 users, and the FBSD firewall never ever hiccuped. I
> > could even run tcpdump for hours, and it would rarely ever drop even a
> > single packet.
>
> What size hardware is your firewall running on to handle the potential of
> 6000 users accessing your internal servers for mail, etc... The best I can
> come up with is a P4 1.8GHz with 768MB memory, other than that I have PII's
> with around 384MB memory. I would have to assume the Squid server would be
> the best place for the P4?

This one is a P4 2.0 GHz with 1024M memory. I'd try the P3 as the firewall
and the P4 as the squid server initially (all things considered so far).

> > Sounds like a good setup you are planning. I would set it up, implement it
> > (with the old setup on standby), and if you find performance problems,
> > pull the drive out of the P3 and do as you say, go on a 'spending spree',
> > and put the drive directly into a P4 with a gig of memory, and drop it
> > back in place.
>
> Okay, the tough question, do you know of any good resources that I can use
> to put this together. Any pitfalls that I might want to think about in this
> design?

Well, searching ipfw+natd+howto in Google is a great place to start. I
did not use one single definitive guide; I used a variety of sources, man
pages, sample rules, and finally conjured up what works for us.

In planning rules, I placed each OpenVPN connection's rules in its own
ruleset, so as to allow a reload of each connection's rules individually if
they needed to be changed.

I also would set up a 'fwd' rule to forward all packets destined to "any
80" from the internal net directly to the squid box, as then you would have
a transparent proxy. This will prevent you from having to change browser
settings.

> > Please note that natd is NOT running on the ISP firewall, but on the other
> > such setup it is, and I've never seen any performance problems at all.
>
> I am assuming that I will have to use NATD on the firewall in this scenario,
> am I thinking right here?

It appears so, yes. natd(8) is quite flexible, and will allow you to do many
things, including port forwarding etc. By the sounds of it, you are planning
on ridding yourself of a DMZ, which means your mail (etc.) servers will be
behind the NAT router. natd will take care of this; however, another
option is to put a third NIC into the box, connect it to a switch, and plug
the servers into the switch. Give each server its own IP, and route
packets as necessary to the servers.

Effectively, this will still allow you to keep your DMZ, while eliminating
one entire firewall server, and thus one license of MS ISA server (and
the headaches that come with it :o)

Sounds like you'll want to do some testing in a lab first. Hopefully all
the P3's you have available are still loaded with Windows so you can test
effectively and ensure everything works properly.

Steve


> Thanks again
> Paul






Re: Firewall, OpenVPN and Squid question

2004-07-21 Thread Steve Bertrand
> > I have around 100 users at our site that would require the use of squid; we
> > house our own webserver, mail server, public DNS servers in the DMZ and 2
> > private DNS servers on the internal network, used by both internal and VPN
> > users.
> >
> > Sites connecting Gateway to Gateway are approx. as follows:
> > Site 1 - 25 users
> > Site 2 - 5 users
> > Site 3 - 12 users
> > Our site VPN users are approx. 25, and about 50% of them are connected at
> > any given time.
> >
> > My first thought is to put up a Firewall box that can handle the load of
> > publishing many internal boxes and publish a box with OpenVPN and another
> > for SQUID and just keep them all separate.
> >
> > Will this setup put too much strain on the FIREWALL box or will it have no
> > problem handling the NAT/ROUTING in this configuration?
> >
> > Thanks in advance
> > Paul
>
> Considering that many of the current hardware firewall solutions aren't much
> more than either a BSD or Linux kernel in a ROM chip, with a 486 or 586
> based CPU, memory, and a nice GUI (Windows or Internal Web interface), I
> can't see why a similar system on a PC would be any different.


Yes, but take into consideration disk reads/writes. It is possible to
eliminate these tasks, and I have even done setups where everything was
flashed onto a CF card (ro) (obviously w/o logging capabilities). I did a
custom build, frequently referring to:

http://neon1.net/misc/minibsd.html

and put the system on an IDE-CF card converter.

Steve


RE: Firewall, OpenVPN and Squid question

2004-07-21 Thread Paul Hillen
From: Steve Bertrand [mailto:[EMAIL PROTECTED]

> > > I have around 100 users at our site that would require the use of squid;
> > > we house our own webserver, mail server, public DNS servers in the DMZ
> > > and 2 private DNS servers on the internal network, used by both internal
> > > and VPN users.
> > >
> > > Sites connecting Gateway to Gateway are approx. as follows:
> > > Site 1 - 25 users
> > > Site 2 - 5 users
> > > Site 3 - 12 users
> > > Our site VPN users are approx. 25, and about 50% of them are connected at
> > > any given time.
> > >
> > > My first thought is to put up a Firewall box that can handle the load of
> > > publishing many internal boxes and publish a box with OpenVPN and
> > > another for SQUID and just keep them all separate.
> > >
> > > Will this setup put too much strain on the FIREWALL box or will it have
> > > no problem handling the NAT/ROUTING in this configuration?
> > >
> > > Thanks in advance
> > > Paul
> >
> > Considering that many of the current hardware firewall solutions aren't
> > much more than either a BSD or Linux kernel in a ROM chip, with a 486 or
> > 586 based CPU, memory, and a nice GUI (Windows or Internal Web interface),
> > I can't see why a similar system on a PC would be any different.

I would have to guess if a hardware firewall like Watchguard that offers VPN
also, that it would have to be beefier than that. Steve, going back to your
initial response about the PIII 800MHz network, are you using a proxy for
the internal users or are they connecting directly to the firewall as their
only means of getting out? It seems most hardware firewalls do not include a
proxy server, just NAT/VPN, in which case the proxy would be on a
separate internal machine anyway.

Comment about the ISA Server setup, which I actually like and am not sure if I
can pull off the same type of setup with FreeBSD. The setup is like this:

External ISA Server (not actual IPs)      ISP / 10.10.10.6
|
|- Postfix Relay Server                   10.10.10.5
|- TinyDNS for internet publishing        10.10.10.4
|- TinyDNS for internet publishing        10.10.10.3
|- Webserver                              10.10.10.2
|
|- Internal ISA Server                    10.10.10.1 / 10.0.0.1
|
|- Exchange Server                        10.0.0.2
|- TinyDNS internal publishing            10.0.0.3
|- TinyDNS internal publishing            10.0.0.4
|- Rest of internal servers and network etc...


External sites are actually creating a VPN tunnel with a VPN tunnel and it
works good, but the ISA Server gets too flaky after about a month of use. I
have rebuilt them more than I ever thought I would.

At this point I will be happy to just get the firewall and VPN to work, but
I like the additional layer someone would have to break through in the above
scenario.

> Yes, but take into consideration disk reads/writes. It is possible to
> eliminate these tasks, and I have even done setups where everything was
> flashed onto a CF card (ro) (obviously w/o logging capabilities). I did a
> custom build, frequently referring to:
>
> http://neon1.net/misc/minibsd.html and put the system on an IDE-CF card
> converter.
>
> Steve


RE: Firewall, OpenVPN and Squid question

2004-07-21 Thread Steve Bertrand

> I would have to guess if a hardware firewall like Watchguard that offers VPN
> also, that it would have to be beefier than that. Steve, going back to your
> initial response about the PIII 800MHz network, are you using a proxy for
> the internal users or are they connecting directly to the firewall as their
> only means of getting out?

[At the main site]
(Selected) users go to a content filter (squid+dansguardian) and it goes
out to the net (through the fw). The content filter has a private IP, and
in itself, it is protected with its own localized ipfw rules for
protection.

The rest of the clients go directly through the pipe unrestricted through
the firewall to the net. (I know I shouldn't do this with our own proxy,
but that's how it is for now).

> It seems most hardware firewalls do not include a proxy server, just
> NAT/VPN, in which case the proxy would be on a separate internal machine
> anyway.

Depends. I once used a Nortel dial-up NAT router box that had its own
built-in web cache. Very small cache mind you, but it worked ok,
especially on a 26.4Kb link.


> Comment about the ISA Server setup, which I actually like and am not sure if
> I can pull off the same type of setup with FreeBSD. The setup is like this:


Yes, you can. Either with 2 BSD boxes replacing the ISA boxen, or with one
BSD box configured with 3 NICs -- 1 for the Internet connection, 1 for the
internal LAN, and the other for the DMZ. The DMZ NIC can have all sorts
of good rules applied to it, and the internal net can be absolutely cut
off for inbound traffic except for the VPNs.

> External ISA Server (not actual IPs)      ISP / 10.10.10.6
> |
> |- Postfix Relay Server                   10.10.10.5
> |- TinyDNS for internet publishing        10.10.10.4
> |- TinyDNS for internet publishing        10.10.10.3
> |- Webserver                              10.10.10.2
> |
> |- Internal ISA Server                    10.10.10.1 / 10.0.0.1
> |
> |- Exchange Server                        10.0.0.2
> |- TinyDNS internal publishing            10.0.0.3
> |- TinyDNS internal publishing            10.0.0.4
> |- Rest of internal servers and network etc...
>
> External sites are actually creating a VPN tunnel with a VPN tunnel and it
> works good, but the ISA Server gets too flaky after about a month of use. I
> have rebuilt them more than I ever thought I would.
>
> At this point I will be happy to just get the firewall and VPN to work, but
> I like the additional layer someone would have to break through in the above
> scenario.

Like I said above, 2 boxes, or one box with 3 NICs.

Steve


> > Yes, but take into consideration disk reads/writes. It is possible to
> > eliminate these tasks, and I have even done setups where everything was
> > flashed onto a CF card (ro) (obviously w/o logging capabilities). I did a
> > custom build, frequently referring to:
> > http://neon1.net/misc/minibsd.html and put the system on an IDE-CF card
> > converter.
> >
> > Steve





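The transparent-proxy 'fwd' rule and per-connection rulesets Steve describes in his earlier reply to Paul, together with the one-box, three-NIC firewall/DMZ layout he suggests above, as an added example that is not from any poster in this thread: a ruleset script in the style of the FreeBSD rc.firewall of the time. The interface names fxp0/fxp1/fxp2, the squid address 10.0.0.20, the tunnel networks, the TEST-NET-3 addresses standing in for routable ones, and natd running with -unregistered_only are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset in the style of the
# FreeBSD 4.x/5.x rc.firewall for the three-NIC box Steve describes
# (Internet, internal LAN, DMZ), with the 'fwd' rule that makes squid a
# transparent proxy and one rule number per OpenVPN tunnel so that a single
# tunnel's rules can be dropped and re-added on their own.
# Interface names and addresses are assumptions chosen for illustration.

fwcmd=${fwcmd:-/sbin/ipfw}      # run with fwcmd=echo to preview without loading
oif=fxp0 ; oip=203.0.113.10     # Internet side (TEST-NET-3 stands in for real IPs)
iif=fxp1 ; inet=10.0.0.0/24     # internal LAN (private, NATed)
dif=fxp2 ; dmz=203.0.113.32/27  # DMZ with routable addresses; natd is assumed to
                                # run as "natd -n fxp0 -unregistered_only" so that
                                # DMZ traffic is routed, not translated
dmz_web=203.0.113.34 ; dmz_mail=203.0.113.37
squid=10.0.0.20 ; squid_port=3128
openvpn_port=1194               # OpenVPN 2.x default (1.x used 5000)

load_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 110 deny all from any to 127.0.0.0/8
    # anti-spoofing: our own ranges never arrive from the Internet side
    ${fwcmd} add 130 deny log all from ${inet} to any in via ${oif}
    ${fwcmd} add 140 deny log all from ${dmz} to any in via ${oif}
    # transparent proxy: squid's own fetches bypass the redirect (rule 200);
    # every other LAN request to port 80 is handed to squid (rule 210)
    ${fwcmd} add 200 skipto 300 tcp from ${squid} to any 80 in via ${iif}
    ${fwcmd} add 210 fwd ${squid},${squid_port} tcp from ${inet} to any 80 in via ${iif}
    # NAT for the private LAN on the outside interface
    ${fwcmd} add 300 divert natd all from any to any via ${oif}
    # replies to established TCP, fragments, and LAN-initiated UDP into the DMZ
    ${fwcmd} add 400 pass tcp from any to any established
    ${fwcmd} add 410 pass all from any to any frag
    ${fwcmd} add 420 pass udp from ${inet} to ${dmz} keep-state
    # services published from the DMZ, and the tunnels terminating on this box
    ${fwcmd} add 500 pass tcp from any to ${dmz_web} 80 in via ${oif} setup
    ${fwcmd} add 510 pass tcp from any to ${dmz_mail} 25 in via ${oif} setup
    ${fwcmd} add 520 pass udp from any to ${oip} ${openvpn_port} in via ${oif}
    ${fwcmd} add 530 pass udp from ${oip} ${openvpn_port} to any out via ${oif}
    # the DMZ may never initiate toward the LAN; the Internet may not open inward
    ${fwcmd} add 600 deny log all from ${dmz} to ${inet} in via ${dif}
    ${fwcmd} add 610 deny log tcp from any to any in via ${oif} setup
    # anything else may open outbound TCP; DNS/NTP answers are tracked by state
    ${fwcmd} add 700 pass tcp from any to any setup
    ${fwcmd} add 710 pass udp from any to any 53 keep-state
    ${fwcmd} add 720 pass udp from any to any 123 keep-state
    # one block per tunnel (tun side only; the LAN leg is covered by 400/700)
    vpn_rules 1000 tun0 10.20.1.0/24   # site 1
    vpn_rules 1100 tun1 10.20.2.0/24   # site 2
    vpn_rules 1200 tun2 10.20.3.0/24   # site 3
    vpn_rules 1300 tun3 10.30.0.0/24   # road-warrior clients
    ${fwcmd} add 65000 deny log all from any to any
}

# vpn_rules <number> <tun interface> <remote network>: all of one tunnel's rules
# share a number, so "ipfw delete <number>" removes exactly that tunnel's rules
vpn_rules() {
    ${fwcmd} add $1 pass all from $3 to ${inet} in via $2
    ${fwcmd} add $1 pass all from ${inet} to $3 out via $2
    ${fwcmd} add $1 deny log all from any to any via $2
}

# reload_vpn <number> <tun interface> <remote network>: change one tunnel only
reload_vpn() {
    ${fwcmd} delete $1
    vpn_rules "$@"
}

case "${1:-}" in
    load)   load_rules ;;
    reload) shift; reload_vpn "$@" ;;
    *)      echo "usage: $0 load | reload <number> <tun-if> <remote-net>" >&2 ;;
esac
```

Saved as, say, ipfw.sh, `fwcmd=echo sh ipfw.sh load` prints the rules without touching the kernel, and `sh ipfw.sh reload 1100 tun1 10.20.2.0/24` replaces only site 2's rules while the other tunnels keep passing traffic.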