Re: Best IP configuration for OpenBSD firewall/router

From: Edward Rustin (ed_at_well.com)
Date: 08/18/03

Next message: Keith T. Morgan: "RE: Syslog over Internet"

    Date: Mon, 18 Aug 2003 09:24:42 -0700 (PDT)
    To: Damon McMahon <inst_karma@hotmail.com>

    On Sun, 17 Aug 2003, Damon McMahon wrote:

    > Greetings,
    >
    > I'm in the process of configuring an old Pentium 75 MHz box to act as
    > an OpenBSD firewall/gateway for my small office LAN on a 192.168.0.0/24
    > subnet (I have some *BSD experience with MacOS X).
    >
    > Presently a Windows 2000 Professional box is doing the job (using the
    > inbuilt Internet Connection Sharing service) but for some time I
    > haven't been convinced of the security of this configuration, and the
    > recently announced Windows RPC flaw has spurred me into action! OK,
    > that's enough background, my question is:

    blahch.... I personally don't trust windows enough for my gateway device...

    > Is there any advantage of putting the firewall/gateway host on a
    > different subnet - say, 192.168.1.0/24 - to the rest of the LAN, from a
    > security perspective?
    >
    > The easy option seems to put it on the same subnet, say 192.168.0.254
    > (since 192.168.0.1 is already taken by the existing Windows 2000
    > gateway); everything communicates with everything in this configuration.

    Surely it would be easiest to give your BSD box the 192.168.0.1 IP, since
    that would stop you from having to reconfigure all your clients. Change
    the IP of the 2k box afterwards if you are using it for other functions as
    well (like file server etc...)

    > However, part of me thinks it should be intentionally _difficult_ (from
    > a security perspective) for the firewall/gateway box to communicate
    > with the rest of the LAN.

    ummmmm... I'm pretty certain that your gateway needs to be able to talk to
    your LAN, that largely being the point of it. After all, you -do- want your
    internet traffic to get to the internet, don't you..?

    > Is that misguided?
    >
    > If this is a good idea (gateway on separate subnet), then how should I
    > configure the routing tables on the gateway and rest of the LAN so that
    > everything routes correctly?
    >
    > Thanks in advance for any assistance.

    As I see it you want this sort of config:

    Network <-> Gateway <-> Internet

    your internal network needs to be able to talk to the gateway and the
    gateway needs to talk to the internet. So I'll assume the gateway has two
    interfaces.

    Now the internal side of the gateway will need to be on the same subnet as
    your network, or else you'll have problems getting the two sides to talk
    to each other.

    I'm also going to assume that you're going to be using some sort of
    iptables setup on your gateway so that it can perform some firewalling
    functions as well. So if you've got iptables set up with the appropriate
    restrictions on incoming traffic then you should be fine (for certain
    values of fine which include things such as making sure you're secure and
    patching your system when it needs it...)

    In the sort of config that you're talking about your gateway will always
    need to talk to your internal network and so if your gateway is
    compromised then the attacker will always be able to access your internal
    network.

    I think that where you're getting the 'different subnet' idea from is in
    situations where you have a DMZ as well as an internal network, in which
    case you will want the DMZ on a different subnet.

    Hope this helps and feel free to ask me if you've got any questions.

    Edward Rustin
    Director of Security, OnlineGuardians.org
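
    The two-interface gateway described in the reply above, written out as an added example that is not part of the original thread. The reply talks about iptables, but the box in question runs OpenBSD, whose packet filter is pf, so this is a minimal /etc/pf.conf rather than an iptables script: inside interface on the same 192.168.0.0/24 as the LAN, NAT out the other side, default deny, and the LAN allowed to reach the gateway itself only on ssh. The interface names (em0, em1), the choice of ssh as the only administrative service, and the current OpenBSD "match ... nat-to" syntax (not the older "nat on" form from 2003) are assumptions of this example.

```pf
# Added example, not from the original post: minimal pf.conf for a
# two-interface OpenBSD gateway in front of a 192.168.0.0/24 LAN.
# Interface names and the ssh-only admin policy are assumptions.

ext_if = "em0"              # faces the Internet (assumed name)
int_if = "em1"              # faces the LAN, e.g. 192.168.0.1/24 (assumed name)
lan    = "192.168.0.0/24"

set skip on lo
set block-policy drop       # silently drop instead of sending RST/ICMP

# Addresses that must never arrive from the outside (RFC 1918 and friends)
table <martians> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                   172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }

# Reassemble fragments before filtering
match in all scrub (no-df)

# Hide the LAN behind the outside interface's address
match out on $ext_if inet from $lan nat-to ($ext_if)

# Default deny on every interface, in both directions, and log it
block log all

# Outside interface: drop spoofed/private sources at once
block in quick on $ext_if from <martians>
antispoof quick for $int_if

# LAN -> anywhere is allowed and forwarded (state keeps the replies working)...
pass in on $int_if inet from $lan
# ...except to the gateway itself, which only accepts ssh from the LAN
block in on $int_if inet from $lan to ($int_if)
pass  in on $int_if inet proto tcp from $lan to ($int_if) port ssh

# Let forwarded (now NATed) traffic and the gateway's own traffic leave
pass out on $ext_if inet

# No pass-in rule on $ext_if: nothing unsolicited from the Internet reaches
# the gateway or the LAN; only replies to existing state are accepted.
```

    Forwarding must be switched on separately ("net.inet.ip.forwarding=1" in /etc/sysctl.conf), and `pfctl -nf /etc/pf.conf` checks the syntax without loading the rules. Because pf is last-match-wins unless a rule says "quick", the order of the three $int_if rules matters: the broad pass, then the block for traffic aimed at the gateway, then the narrow ssh pass that overrides it.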


