The FreeBSD Forums  

#1  rloc (Junior Member), November 3rd, 2009, 20:03
Firewalling a small office network

Hi all. I intend to use FreeBSD as a platform for a firewall / router / gateway for a small office network, but I need some guidance about the basic setup.

At present, all boxes connect to the www via an ADSL router.

What I want to do is set up a Snort or pfSense BSD box to act as a firewall / IDS between the www and my network.

I assume I need to configure the BSD box with 2 NICs, but I don't know how to do this, nor do I understand the setup of passing traffic from one NIC to the other within the BSD box.

Is there a HOWTO for this presumably common requirement, or can someone here point me in the right direction?

thanks

Rloc
#2  jb_fvwm2 (Member), November 3rd, 2009, 20:49

Have you consulted pfsense.org? (See "common deployments" there.) Will it *replace* the router?

*Some* threads on the freebsd-questions list might answer this, however they would take a while to find. I've not checked the howtos section in this forum... I'm sure there are guides online. But you may want to post a network diagram for answers here too.
#3  Oko (Member, Kosovo, Srbija), November 4th, 2009, 00:06

> Originally posted by rloc:
> can someone here point me in the right direction?

http://www.openbsd.org/faq/pf/index.html

Bear in mind that the FreeBSD implementation of PF is at least 2-3 release cycles behind the official OpenBSD version. Also bear in mind that not all features of PF are implemented in FreeBSD due to the deficiencies of the FreeBSD network stack. That is also the reason OpenBGPD was never ported (nor can it be ported) to FreeBSD.
__________________
Wanting to learn is so rare a merit that it should be encouraged.

#4  gpatrick (Junior Member), November 4th, 2009, 03:05

OpenBSD doesn't have jails, which I want to isolate services.
#5  jb_fvwm2 (Member), November 4th, 2009, 03:11

> Originally posted by gpatrick:
> OpenBSD doesn't have jails, which I want to isolate services.

Next "newbie-on-my-part" suggestion (for the OP):
google "dmz" and "freebsd" and "guide"??

Last edited by jb_fvwm2; November 4th, 2009 at 13:02. Reason: This post responds to first one
#6  gpatrick (Junior Member), November 4th, 2009, 05:03

If your google suggestion was for me, I don't need it.

My response was for Oko who constantly states that line about PF on FreeBSD and the network stack. I won't use OpenBSD because it lacks jails and I don't want to chroot everything.
#7  dennylin93 (Member, Taiwan), November 4th, 2009, 11:14

Check out Gateways and Routes. I'd recommend using PF for the firewall. There are quite a lot of resources on the Internet:
As for Snort, check the official documentation since its configuration is unrelated to FreeBSD.

Another option is to use pfSense. It should be easier to set up, but you won't receive any support for pfSense on this forum (try the pfSense Forum instead).
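The setup rloc asks about in #1, with the "Gateways and Routes" part and the PF part put together in a form that can actually be loaded: a FreeBSD box with two NICs, the kernel forwarding between them, PF doing NAT and filtering. This is an added example written for this edit, not code from any post in this thread nor from the FreeBSD Handbook or pfSense; the interface names em0/em1, the LAN prefix 192.168.1.0/24, DHCP on the WAN side and SSH as the only service on the gateway are assumptions to replace with your own.

```pf
# /etc/pf.conf for a two-NIC FreeBSD gateway. Added example: em0, em1 and
# 192.168.1.0/24 are assumptions, substitute your own interfaces and prefix.
#
# Companion /etc/rc.conf entries (same assumptions):
#   ifconfig_em0="DHCP"                                     # WAN, towards the ADSL router
#   ifconfig_em1="inet 192.168.1.1 netmask 255.255.255.0"   # LAN
#   gateway_enable="YES"     # sets net.inet.ip.forwarding=1; without it nothing is routed
#   pf_enable="YES"
#   pf_rules="/etc/pf.conf"
#   pflog_enable="YES"       # pflog0, read with: tcpdump -n -e -ttt -i pflog0
#
# Check syntax without loading:  pfctl -nf /etc/pf.conf
# Load:                          pfctl -f /etc/pf.conf
# Inspect:                       pfctl -s rules ; pfctl -s state ; pfctl -s info

ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# Addresses that must never appear as a source arriving on the WAN side or as
# a destination leaving it (RFC 1918, loopback, link-local, multicast, ...).
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                         172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }

set skip on lo0
set block-policy drop
set loginterface $ext_if

# Reassemble fragments before any rule looks at them.
scrub in all

# Translation rules come before filter rules in FreeBSD's pf.conf. The
# parentheses around $ext_if make the rule follow a changing DHCP/PPPoE address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny in every direction, logged to pflog0.
block log all

# Spoofing protection: packets on the wrong interface for their source address.
antispoof quick for { lo0 $int_if }
block in  quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>

# The gateway itself: the LAN may ssh to it and ping it; nothing else on it is reachable.
pass in quick on $int_if inet proto tcp  from $lan_net to ($int_if) port 22 flags S/SA
pass in quick on $int_if inet proto icmp from $lan_net to ($int_if) icmp-type echoreq
block in quick on $int_if inet from any to ($int_if)

# Forwarding: LAN -> Internet is allowed; the state entry lets the replies back in.
pass in  quick on $int_if inet from $lan_net to any
pass out quick on $ext_if inet from ($ext_if) to any

# The gateway's own traffic towards the LAN (e.g. ssh from the gateway to a host).
pass out quick on $int_if inet from ($int_if) to $lan_net

# ICMP the outside may send us: echo for diagnostics, unreach/time exceeded so
# path-MTU discovery and traceroute keep working through the NAT.
pass in quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type { echoreq, unreach, timex }
```

Two things bite first-time gateway builders with this layout: forgetting gateway_enable="YES" (PF shows the LAN packets arriving on em1 in pflog, but the kernel never hands them to em0), and writing the NAT address without the parentheses, which freezes the address PF had when the rules were loaded and breaks silently after the next DHCP or PPPoE renewal.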
#8  Oko (Member, Kosovo, Srbija), November 4th, 2009, 14:48

> Originally posted by gpatrick:
> OpenBSD doesn't have jails, which I want to isolate services.

It has chroot and systrace. It also supports hardware jails (on SUN hardware), but I guess you already know what to do. I apologize for my original post. I was under the impression that you need help with a firewall for a small office. My intent was not to get into a fan boys' flame war.

Sorry,
OKO
#9  rloc (Junior Member), November 4th, 2009, 15:32

Thanks all, you have given me several suggestions to read up on, so let me do just that before I ask any more questions in this forum.

cheers

Robert
#10  gpatrick (Junior Member), November 4th, 2009, 18:36

Oko, I like OpenBSD but for what I'm currently doing FreeBSD suits my needs because of jails. As mentioned, I don't want to chroot everything and not sure about using systrace. I wish OpenBSD would adopt jails but it would probably require a rewrite. There was a project called sysjail that used systrace but it has since been abandoned.
#11  zeissoctopus (Junior Member, Hong Kong), November 11th, 2009, 04:14

I love PF and FreeBSD jails.

Two weeks ago, I ran my home servers (apache, sendmail, postgresql in 3 FreeBSD jails) behind my router. I configured port forwarding from outside to my servers in the jails.
I ran PF on the FreeBSD host in front of the FreeBSD jails. Since my server machine only has 1 NIC, it is hard to configure FTP well in PF.

Now I have installed OpenBSD 4.6 on a Soekris net5501 embedded board with 4 NICs as the PF router. I assign 1 WAN to the internet, 1 private LAN, 1 isolated zone for WiFi connections and 1 DMZ for the FreeBSD service jails.

I can enjoy an up-to-date PF version as well as the power of FreeBSD jails.
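The layout zeissoctopus describes above (WAN, LAN, a DMZ holding the service jails, FTP passing through PF), written as the additions a FreeBSD pf.conf on the gateway needs for the DMZ leg. This is an added example for this edit, not configuration from the post or from any project; the interface names, the 203.0.113.10 WAN address, the 192.168.2.0/24 DMZ prefix and the jail addresses are assumptions. It uses FreeBSD's nat/rdr syntax (OpenBSD 4.7 and later replaced these with match rules, so it will not load unchanged on a current OpenBSD box such as the Soekris in the post) and handles the FTP case with ftp-proxy(8) in reverse mode, which is what lets active and passive FTP data connections work through NAT on a single external address.

```pf
# Additions to a FreeBSD pf.conf on the gateway for a third NIC carrying a DMZ
# of jails, with FTP handled by ftp-proxy(8) in reverse mode. Added example:
# em0/em1/em2, 203.0.113.10, 192.168.2.0/24 and the jail addresses are assumptions.
#
# /etc/rc.conf on the gateway (assumed values):
#   ifconfig_em2="inet 192.168.2.1 netmask 255.255.255.0"   # DMZ side
#   ftpproxy_enable="YES"
#   # reverse mode: listen on the WAN address, relay to the FTP jail;
#   # -b needs a fixed address, so a static WAN address is assumed here
#   ftpproxy_flags="-R 192.168.2.12 -p 21 -b 203.0.113.10"
#
# On the jail host in the DMZ (default route 192.168.2.1) each jail owns one
# alias on the host's NIC, e.g. in its rc.conf:
#   ifconfig_em0_alias0="inet 192.168.2.10 netmask 255.255.255.255"
# and the jail's ip4.addr / jail_<name>_ip is set to that address.

ext_if   = "em0"
int_if   = "em1"
dmz_if   = "em2"
ext_addr = "203.0.113.10"        # static WAN address, needed by ftp-proxy -b
lan_net  = "192.168.1.0/24"
dmz_net  = "192.168.2.0/24"

jail_www  = "192.168.2.10"       # apache jail
jail_mail = "192.168.2.11"       # sendmail jail
jail_ftp  = "192.168.2.12"       # ftp jail, reached only through ftp-proxy

set skip on lo0
set block-policy drop
scrub in all

# ftp-proxy inserts per-session NAT/redirect rules for the data connections here.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# LAN and DMZ both leave through the WAN address.
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)

# Publish web and mail from the jails. Filtering happens after translation, so
# the pass rules below are written against the jail address, not the WAN address.
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } -> $jail_www
rdr on $ext_if inet proto tcp from any to ($ext_if) port 25 -> $jail_mail

block log all
antispoof quick for { lo0 $int_if $dmz_if }

# ftp-proxy's pass rules for the negotiated data ports are evaluated here.
anchor "ftp-proxy/*"

# Inbound from the Internet: only the redirected services, plus the FTP control
# connection, which terminates on ftp-proxy itself (bound to the WAN address).
pass in quick on $ext_if inet proto tcp from any to $jail_www  port { 80, 443 } \
    flags S/SA synproxy state
pass in quick on $ext_if inet proto tcp from any to $jail_mail port 25 flags S/SA
pass in quick on $ext_if inet proto tcp from any to $ext_addr  port 21 flags S/SA

# Gateway -> DMZ: the rdr'd flows and ftp-proxy's relayed control connection to
# $jail_ftp both leave on $dmz_if from the gateway's point of view.
pass out quick on $dmz_if inet proto tcp from any to $dmz_net

# DMZ -> Internet is allowed (package updates, outbound mail); DMZ -> LAN is not,
# so a compromised jail cannot pivot into the office network.
block in quick on $dmz_if inet from $dmz_net to $lan_net
pass  in quick on $dmz_if inet from $dmz_net to any

# The gateway itself: ssh from the LAN only.
pass  in quick on $int_if inet proto tcp from $lan_net to ($int_if) port 22 flags S/SA
block in quick on $int_if inet from any to ($int_if)

# LAN may use the published jail services and reach the Internet, but nothing
# else in the DMZ (no ssh into jails from workstations, no stray ports).
pass in quick on $int_if inet proto tcp from $lan_net to $jail_www  port { 80, 443 }
pass in quick on $int_if inet proto tcp from $lan_net to $jail_mail port 25
pass in quick on $int_if inet from $lan_net to ! $dmz_net
pass out quick on $ext_if inet from ($ext_if) to any
pass out quick on $int_if inet from ($int_if) to $lan_net
```

The reason the single-NIC setup in the post is awkward and this one is not: with the jails sharing the firewall host's only interface, the FTP data connections and the control connection arrive on the same interface as everything else and there is no clean place to put the proxy. With a separate DMZ leg, ftp-proxy runs on the gateway, owns the public port 21, and the three anchors give it somewhere to drop the short-lived rdr/pass rules for each PASV or PORT exchange; after a transfer, `pfctl -a 'ftp-proxy/*' -s rules` should be empty again. Jail isolation on the host is a separate control from the network isolation here; PF only decides which jail ports are reachable from where.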