Re: FBSD firewall in front of windows IIS servers HOW
On Mon, 3 Feb 2003, Peter wrote:

> Just wondering what would be the best way to do this...
>
> INTERNET <--> FBSD FIREWALL <--> WINDOWS IIS SERVER
>
> Basically what would be the best way to have freebsd accept incoming
> connections, run them thru the firewall, and all the packets that pass
> forward them to internal windows machines. I don't want the windows
> boxen directly on the net, I want to put a FBSD firewall in front of
> them, and so far the best option I've found on how to do this is to have
> the windows boxen be 192.168.x.x and have the fbsd boxen forward all
> connections to "public_ip" to the windows box via natd. Does this seem
> like a good plan? Or anyone know of another better way to do this?

Though that is a good way of doing things; I would strongly recommend, if
IIS is the only service, to do this differently and not do anything on
packet level but on app level:

    internet>publicIP [ FreeBSD ]<--private IP--> IIS
                       apache proxy

I.e: not run any NAT, routing etc; but simply use apache configured as a
pass through proxy:

    ProxyPass / http://192.168.1.2/
    ProxyPassReverse / http://192.168.1.2/

As this will allow apache to guard against bogus headers, buffer overruns
and the usual fun and games. See directives like:

    LimitRequestBody
    LimitRequestFields
    LimitRequestFieldsize
    LimitRequestLine

Though they are sensibly set; if you use a lot of ASP/VB-script you may
want to reduce a few.

This will also speed up your installation considerably if you have a lot
of slow modem users or high packet drop.

Dw

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
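Added example, not part of the message above or of anyone's actual configuration: the pass-through proxy from that reply written out as a fuller Apache fragment, with the four request limits set explicitly. The backend address 192.168.1.2 is the one used in the reply; the limit values are illustrative assumptions to be tuned against what the IIS application really needs.

```apache
# Added example (not from the thread). Needs mod_proxy and its HTTP
# backend support loaded on the FreeBSD host.

# Reverse proxy only. Leaving forward proxying on would let outside
# clients relay requests to arbitrary destinations through this host.
ProxyRequests Off

# Hand every request to the private IIS box. ProxyPassReverse rewrites
# Location-style headers in redirects coming back from IIS so clients
# are not sent to the private 192.168.1.2 address. It does not rewrite
# links inside HTML bodies.
ProxyPass        / http://192.168.1.2/
ProxyPassReverse / http://192.168.1.2/

# Apache enforces these limits before anything is forwarded, so
# oversized request lines and headers are rejected on the FreeBSD side
# and never reach IIS.
# Stock defaults for comparison: LimitRequestLine 8190,
# LimitRequestFields 100, LimitRequestFieldSize 8190. Older releases
# default LimitRequestBody to 0, meaning unlimited.

# Longest accepted request line (method, URL and query string), in bytes.
# Assumed value; raise it if the application uses long query strings.
LimitRequestLine      2048

# Maximum number of header fields per request (assumed value).
LimitRequestFields    50

# Maximum size of a single header field in bytes (assumed value;
# large cookies may need more).
LimitRequestFieldSize 4096

# Maximum request body in bytes (assumed value of 1 MiB; form posts
# and file uploads to the ASP pages must fit within it).
LimitRequestBody      1048576
```

After a change, `apachectl configtest` checks the syntax before the server is restarted.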
Re: FBSD firewall in front of windows IIS servers HOW
I use NATD see http://www.freebsddiary.org/ipfw.php

M

> You could do natd it or use a bridged firewall so to everyone else it
> would appear that the Windows box is on the net. The other nice thing
> about the bridge is that you can set it up so that it doesn't have an IP
> address at all... which makes it pretty hard to break into :)
>
> Sometimes that can get around some of the issues with self-referencing
> urls (whether they are private or public) that happen with natd and
> proxy servers...
>
> On Mon, 3 Feb 2003, Peter wrote:
>
>> Hello,
>> Just wondering what would be the best way to do this...
>>
>> INTERNET <--> FBSD FIREWALL <--> WINDOWS IIS SERVER
>>
>> Basically what would be the best way to have freebsd accept incoming
>> connections, run them thru the firewall, and all the packets that pass
>> forward them to internal windows machines. I don't want the windows
>> boxen directly on the net, I want to put a FBSD firewall in front of
>> them, and so far the best option I've found on how to do this is to
>> have the windows boxen be 192.168.x.x and have the fbsd boxen forward
>> all connections to "public_ip" to the windows box via natd. Does this
>> seem like a good plan? Or anyone know of another better way to do
>> this?
>>
>> --
>> Innovation is hard to schedule.
>> -- Dan Fylstra
>>
>> ---FreeBSD The Power To Serve---
Re: FBSD firewall in front of windows IIS servers HOW
You could do natd it or use a bridged firewall so to everyone else it
would appear that the Windows box is on the net. The other nice thing
about the bridge is that you can set it up so that it doesn't have an IP
address at all... which makes it pretty hard to break into :)

Sometimes that can get around some of the issues with self-referencing
urls (whether they are private or public) that happen with natd and
proxy servers...

On Mon, 3 Feb 2003, Peter wrote:

> Hello,
> Just wondering what would be the best way to do this...
>
> INTERNET <--> FBSD FIREWALL <--> WINDOWS IIS SERVER
>
> Basically what would be the best way to have freebsd accept incoming
> connections, run them thru the firewall, and all the packets that pass
> forward them to internal windows machines. I don't want the windows
> boxen directly on the net, I want to put a FBSD firewall in front of
> them, and so far the best option I've found on how to do this is to have
> the windows boxen be 192.168.x.x and have the fbsd boxen forward all
> connections to "public_ip" to the windows box via natd. Does this seem
> like a good plan? Or anyone know of another better way to do this?
>
> --
> Innovation is hard to schedule.
> -- Dan Fylstra
>
> ---FreeBSD The Power To Serve---
Re: FBSD firewall in front of windows IIS servers HOW
[Please wrap lines to a reasonable length]

Peter wrote:

> Hello,
> Just wondering what would be the best way to do this...
>
> INTERNET <--> FBSD FIREWALL <--> WINDOWS IIS SERVER
>
> Basically what would be the best way to have freebsd accept incoming
> connections, run them thru the firewall, and all the packets that pass
> forward them to internal windows machines. I don't want the windows
> boxen directly on the net, I want to put a FBSD firewall in front of
> them, and so far the best option I've found on how to do this is to have
> the windows boxen be 192.168.x.x and have the fbsd boxen forward all
> connections to "public_ip" to the windows box via natd. Does this seem
> like a good plan? Or anyone know of another better way to do this?

That's how I would do it. I can't think of a better way, off the top of
my head.

Unless you want to proxy. You could set up FreeBSD with squid configured
to reverse proxy, which should reduce internal traffic and increase
performance. I don't know what your situation is, but I wouldn't bother
with squid unless I was experimenting with squid or had a situation where
the IIS servers were getting hammered by requests.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
FBSD firewall in front of windows IIS servers HOW
Hello,
Just wondering what would be the best way to do this...

INTERNET <--> FBSD FIREWALL <--> WINDOWS IIS SERVER

Basically what would be the best way to have freebsd accept incoming
connections, run them thru the firewall, and all the packets that pass
forward them to internal windows machines. I don't want the windows
boxen directly on the net, I want to put a FBSD firewall in front of
them, and so far the best option I've found on how to do this is to have
the windows boxen be 192.168.x.x and have the fbsd boxen forward all
connections to "public_ip" to the windows box via natd. Does this seem
like a good plan? Or anyone know of another better way to do this?

--
Innovation is hard to schedule.
-- Dan Fylstra

---FreeBSD The Power To Serve---