
Re: design and built a firewall



On Thu, Jun 13, 2002 at 11:40:02AM +0100, kasole wrote:
> > You _can_ build a firewall and IPSEC router using a FreeBSD box. You need to
> > choose between 'ipfw' and 'ipf' (personally I prefer ipf because its NAT
> > implementation is cleaner, and because ipf runs on a number of different
> > platforms). Both of these now support 'stateful' rules, that is, packets are
> > only allowed inbound for a particular connection if a corresponding outbound
> > packet has been seen previously.
> How can I do that using ipf on a FreeBSD box?

Starting point: compile a kernel with

options IPFILTER
options IPFILTER_LOG
options IPSEC
options IPSEC_ESP

To get the ipf part working, you create files
/etc/ipf.rules
(and /etc/ipnat.rules if you want NAT)

The documentation for ipfilter is at http://coombs.anu.edu.au/~avalon/
It's not particularly good, but there's a fairly comprehensive FAQ. Reading
the FAQ will give you an idea how many pitfalls there are!

B.
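As an added example (not part of the original message): a stateful /etc/ipf.rules and /etc/ipnat.rules of the kind the reply refers to, generated by a small sh script so the files can be written to a scratch directory and checked before they go live. The interface names fxp0 (outside) and xl0 (inside), the LAN 192.168.1.0/24 and the outside address 203.0.113.10 are assumptions; change them to match your box.

```shell
#!/bin/sh
# Added example, not from the original post: writes a stateful ipf.rules and
# an ipnat.rules into the directory given as $1 (default /etc). Interface
# names (fxp0 outside, xl0 inside), the LAN 192.168.1.0/24 and the external
# address 203.0.113.10 are assumptions.
write_ipf_rules() {
    dir=${1:-/etc}
    cat > "$dir/ipf.rules" <<'EOF'
# Loopback is always trusted
pass in quick on lo0 all
pass out quick on lo0 all
# Inside network may reach the firewall and the Internet; the state entry
# created here lets the replies back in on fxp0 without a separate rule
pass in quick on xl0 from 192.168.1.0/24 to any keep state
# Packets arriving from outside that claim an inside source are spoofed
block in log quick on fxp0 from 192.168.1.0/24 to any
# The only service offered to the outside: SSH to the firewall, stateful
pass in quick on fxp0 proto tcp from any to 203.0.113.10/32 port = 22 flags S keep state
# Everything else inbound on fxp0 is dropped and logged (read it with ipmon)
block in log on fxp0 all
# Traffic the firewall itself originates: keep state so replies are accepted
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
EOF
    cat > "$dir/ipnat.rules" <<'EOF'
# Hide the LAN behind the address of fxp0 (0/32 means "fxp0's own address")
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:60000
map fxp0 192.168.1.0/24 -> 0/32
EOF
}

# Sanity check before loading: every "pass" rule on the outside interface
# must carry "keep state"; prints the offending rule and returns 1 if not.
check_stateful() {
    grep -E '^pass (in|out) .*on fxp0' "$1" | grep -v 'keep state' && return 1
    return 0
}

# To load at boot, add to /etc/rc.conf:
#   ipfilter_enable="YES"   ipfilter_rules="/etc/ipf.rules"
#   ipnat_enable="YES"      ipnat_rules="/etc/ipnat.rules"
#   ipmon_enable="YES"      ipmon_flags="-Ds"
# or by hand: ipf -Fa -f /etc/ipf.rules; ipnat -CF -f /etc/ipnat.rules
```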

-----
This is the afnog mailing list, managed by Majordomo 1.94.5

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e. use "help" for help)

This list is maintained by owner-afnog at afnog.org