RE: Best IP configuration for OpenBSD firewall/router

From: Jason Armstrong (jarmstrong_at_technicacorp.com)
Date: 08/18/03

    To: security-basics@securityfocus.com
    Date: Mon, 18 Aug 2003 14:23:37 -0400
    
    

    I don't see any particular advantage to doing it the way you describe.
    In fact I see it as being a bit more troublesome because of the
    extra routing you'll have to do.

    Granted it would make it slightly more difficult for someone to gain
    access to your LAN, but I don't see this as enough of a benefit
    considering what little you'll gain.

    Jason

    -----Original Message-----
    From: Damon McMahon [mailto:inst_karma@hotmail.com]
    Sent: Saturday, August 16, 2003 11:51 PM
    To: security-basics@securityfocus.com
    Subject: Best IP configuration for OpenBSD firewall/router

    Greetings,

    I'm in the process of configuring an old Pentium 75 MHz box to act as
    an OpenBSD firewall/gateway for my small office LAN on a 192.168.0.0/24
    subnet (I have some *BSD experience with MacOS X).

    Presently a Windows 2000 Professional box is doing the job (using the
    inbuilt Internet Connection Sharing service) but for some time I
    haven't been convinced of the security of this configuration, and the
    recently announced Windows RPC flaw has spurred me into action! OK,
    that's enough background, my question is:

    Is there any advantage to putting the firewall/gateway host on a
    different subnet - say, 192.168.1.0/24 - to the rest of the LAN, from a
    security perspective?

    The easy option seems to be to put it on the same subnet, say 192.168.0.254
    (since 192.168.0.1 is already taken by the existing Windows 2000
    gateway); everything communicates with everything in this configuration.

    However, part of me thinks it should be intentionally _difficult_ (from
    a security perspective) for the firewall/gateway box to communicate
    with the rest of the LAN.

    Is that misguided?

    If this is a good idea (gateway on separate subnet), then how should I
    configure the routing tables on the gateway and rest of the LAN so that
    everything routes correctly?

    Thanks in advance for any assistance.
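As an added illustration of the "extra routing" Jason refers to (example code, not part of the thread): a toy longest-prefix-match lookup over a LAN host's routing table, showing that a default gateway placed on 192.168.1.0/24 is not reachable from a 192.168.0.0/24 host until a host route toward it is added (and the gateway box needs a matching route back to 192.168.0.0/24). The routing tables are constructed for the example and 198.51.100.1 is a documentation-range placeholder destination.

```python
from ipaddress import ip_address, ip_network

# Added example, not from the thread: a minimal model of how a LAN host
# resolves the next hop for a packet. Each table entry is (prefix, gateway);
# gateway None means the prefix is directly connected (on-link).

def lookup(table, dst):
    """Longest-prefix match: return (network, gateway) for dst, or None."""
    dst = ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best

def next_hop(table, dst):
    """Address the host must ARP for to deliver dst, or None if undeliverable.

    A gateway is only usable if it is itself reachable via a connected route;
    this is exactly what fails when the gateway sits on a foreign subnet."""
    route = lookup(table, dst)
    if route is None:
        return None
    net, gw = route
    if gw is None:                       # directly connected: ARP for dst itself
        return str(ip_address(dst))
    via = lookup(table, gw)
    if via is None or via[1] is not None:  # gateway not on-link: no route to host
        return None
    return gw

# Constructed tables for a LAN host at 192.168.0.10/24.
# "Easy option": gateway on the same subnet (192.168.0.254).
SAME_SUBNET = [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.254")]
# Gateway on a separate subnet with no extra routing: default route is dead.
SEPARATE = [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.1.254")]
# Same, plus the extra host route toward the gateway over the LAN interface.
# The OpenBSD box likewise needs a route back to 192.168.0.0/24 via its LAN
# interface (or an alias address in 192.168.0.0/24 on that interface).
SEPARATE_WITH_HOST_ROUTE = SEPARATE + [("192.168.1.254/32", None)]

if __name__ == "__main__":
    for name, table in [("same subnet", SAME_SUBNET), ("separate", SEPARATE),
                        ("separate + host route", SEPARATE_WITH_HOST_ROUTE)]:
        print(f"{name:22s} -> next hop for 198.51.100.1: {next_hop(table, '198.51.100.1')}")
```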

