gateway security?

From: Eric Timme (timothy@voidnet.com)
Date: 12/09/02


From: Eric Timme <timothy@voidnet.com>
To: freebsd-security@freebsd.org
Date: Mon, 9 Dec 2002 13:17:15 -0600

Hi everyone, I was wondering if someone could point me in the direction of
some discussions of general security in a LAN environment with a FreeBSD
machine doing NAT/firewalling? I haven't had a ton of luck browsing the
archives and finding any discussions. I've read over the general primer, but
would like to read about some actual deployment of security when your
headless gateway sits in a dark closet, accumulating dust.

Currently I have a pretty restrictive set of firewall rules in place, allowing
only http and ssh traffic from the outside, and I require DES public/private
keys for ssh access. There is a single user account on the gateway, and root
logins are disallowed from all but console. The gateway is doing a single
NFS export of my public_html directory for easy access from an internal
FreeBSD gateway.

As for current security, it is a little lacking, but I am planning to wipe and
reinstall now that winter break affords me some freedom from schoolwork. I
have the following settings in my partitioning scheme (ad0 is 1.5 gig, and
with this partitioning scheme I just barely fit, and use ad1 for additional
space), and use secure level 2 for daily operations.

/dev/ad0s1a   /                               rw,nosuid
/dev/ad0s1e   /tmp                            rw,noexec,nosuid
/dev/ad0s1g   /usr                            ro
/dev/ad1s1e   /usr/obj                        ro
/dev/ad0s1d   /usr/home                       rw,noexec,nosuid
/dev/ad1s2e   /usr/home/timothy/public_html   rw,nosuid
/dev/ad0s1h   /usr/local                      ro,nosuid
/dev/ad0s1f   /var                            rw,noexec,nosuid

I've been using snort with a remote acid installation with alright success,
but it has never quite worked right, and am considering junking it, simply
because I don't see a lot of other people using it, and it has only been of
marginal success, spending more time picking up proxy scans from IRC and
false positives than anything else.

I'm planning to deploy aide with a write protected diskette, but would like
some advice as to other products to look into; I don't access the machine
regularly, aside from the NFS mount of my public_html directory, so would
like to find something that could email me status updates daily, or bi-daily,
ala the daily messages, which I currently forward to myself, to help reassure
me nobody is poking around in it.

Thanks for any pointers you can give me.
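
An added example, not part of the original message: a small sh function that compares the live mount table against the mount options listed in the post and prints one line per deviation, suitable for appending to a daily status mail. It assumes the table arrives on stdin in fstab(5) column order (as `mount -p` prints on FreeBSD); the function names, report wording and sample table are constructed for illustration.

```shell
#!/bin/sh
# Policy copied from the post: "<mountpoint> <required options>".
POLICY='/ rw,nosuid
/tmp rw,noexec,nosuid
/usr ro
/usr/obj ro
/usr/home rw,noexec,nosuid
/usr/home/timothy/public_html rw,nosuid
/usr/local ro,nosuid
/var rw,noexec,nosuid'

# Constructed sample: /tmp lost noexec, /usr is rw, /usr/obj is not mounted.
sample_table() {
    cat <<'EOF'
/dev/ad0s1a / ufs rw,nosuid 1 1
/dev/ad0s1e /tmp ufs rw,nosuid 2 2
/dev/ad0s1g /usr ufs rw 2 2
/dev/ad0s1d /usr/home ufs rw,noexec,nosuid 2 2
/dev/ad1s2e /usr/home/timothy/public_html ufs rw,nosuid 2 2
/dev/ad0s1h /usr/local ufs ro,nosuid 2 2
/dev/ad0s1f /var ufs rw,noexec,nosuid 2 2
EOF
}

# Reads "device mountpoint fstype options dump pass" lines on stdin.
# Prints MISSING for an absent mount point and DRIFT for each required
# option that is not set; prints nothing when the table matches.
check_mounts() {
    POLICY="$POLICY" awk '
    BEGIN {
        n = split(ENVIRON["POLICY"], rows, "\n")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, " ")
            order[i] = f[1]; want[f[1]] = f[2]
        }
    }
    NF >= 4 && $1 !~ /^#/ { have[$2] = "," $4 "," }
    END {
        for (i = 1; i <= n; i++) {
            mp = order[i]
            if (!(mp in have)) { print "MISSING " mp; continue }
            m = split(want[mp], opt, ",")
            for (j = 1; j <= m; j++)
                if (index(have[mp], "," opt[j] ",") == 0)
                    print "DRIFT " mp " lacks " opt[j]
        }
    }'
}

sample_table | check_mounts
```

On the gateway itself the input would be `mount -p | check_mounts`; an empty result means the mounted options still match the table in the post.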
