gateway security?

From: Eric Timme (
Date: 12/09/02

From: Eric Timme <>
Date: Mon, 9 Dec 2002 13:17:15 -0600

Hi everyone, I was wondering if someone could point me in the direction of
some discussions of general security in a LAN environment with a FreeBSD
machine doing NAT/firewalling? I haven't had a ton of luck browsing the
archives and finding any discussions. I've read over the general primer, but
would like to read about some actual deployment of security when your
headless gateway sits in a dark closet, accumulating dust.

Currently I have a pretty restrictive set of firewall rules in place, allowing
only http and ssh traffic from the outside, and I require DES public/private
keys for ssh access. There is a single user account on the gateway, and root
logins are disallowed from all but console. The gateway is doing a single
NFS export of my public_html directory for easy access from an internal
FreeBSD gateway.

As for current security, it is a little lacking, but I am planning to wipe and
reinstall now that winter break affords me some freedom from schoolwork. I
have the following settings in my partitioning scheme (ad0 is 1.5 gig, and
with this partitioning scheme I just barely fit, and use ad1 for additional
space), and use secure level 2 for daily operations.

/dev/ad0s1a / rw,nosuid
/dev/ad0s1e /tmp rw,noexec,nosuid
/dev/ad0s1g /usr ro
/dev/ad1s1e /usr/obj ro
/dev/ad0s1d /usr/home rw,noexec,nosuid
/dev/ad1s2e /usr/home/timothy/public_html rw,nosuid
/dev/ad0s1h /usr/local ro,nosuid
/dev/ad0s1f /var rw,noexec,nosuid

I've been using snort with a remote acid installation with alright success,
but it has never quite worked right, and am considering junking it, simply
because I don't see a lot of other people using it, and it has only been of
marginal success, spending more time picking up proxy scans from IRC and
false positives than anything else.

I'm planning to deploy aide with a write protected diskette, but would like
some advice as to other products to look into; I don't access the machine
regularly, aside from the NFS mount of my public_html directory, so would
like to find something that could email me status updates daily, or bi-daily,
ala the daily messages, which I currently forward to myself, to help reassure
me nobody is poking around in it.

Thanks for any pointers you can give me.

To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message