Re: Bridging firewall and NAT router setup

From: Berk S. Daemon (someone@somewhere.com)
Date: 10/06/02


From: "Berk S. Daemon" <someone@somewhere.com>
Date: Sun, 06 Oct 2002 20:36:38 GMT


"Hill Bicks" <tnwraSPAMOFF@yahoo.co.uk> wrote in message
news:fNednbXiv-5bPQKgXTWcrg@News.GigaNews.Com...
> "Berk S. Daemon" <someone@somewhere.com> wrote in
> news:qPFn9.457147$v53.20253707@news3.calgary.shaw.ca:
>
> > - Put the OpenBSD bridge before the NAT router.
> > - Block to/from windows-ip to/from any (except your Linux box)
> > - Seeing the OpenBSD box won't have any IPs, if you want, add a third
> > NIC and connect that to behind the NAT Router. Make sure you filter
> > good on the bridge and/or the FreeSCO box as to not allow any
> > potential backdoors with source routing or what not into the OpenBSD
> > box. Keep state on all outbound connections.
> >
> > I use a similar setup myself, but OpenBSD Bridge + OpenBSD NAT Router.
> >
> > Hope this helps, gotta run...
> >
>
> Thanks for your feedback.
>
> Block Windows with Freesco I take it (till now I've only used it at
> default, block all incoming/allow all local - about time I read up on
> how to tighten that). Putting the bridge in front makes sense, and I'm
> sure I will eventually, but (at least till I have a more configured
> router) I'd been thinking of putting it behind so I could refine the
> filtering on the local side with pf, which seems nice to use. Or
> is that why you suggest a third NIC bypassing the router? Whether for
> that or admin purposes, I don't really want to add a card that will
> bypass the router - given my inexperience I feel better with everything
> still going through tried and trusted Freesco for now. It's also my lack
> of expertise which makes the lack of IPs/'invisibility' of the bridge so
> appealing.. if I got rooted I maybe wouldn't know about it, so knowing
> it almost certainly can't happen is, like, nice. Another reason I
> thought of placing it behind the router, given its apparent
> impregnability I thought it would be a good place to run any security
> related stuff across the LAN, something along the lines of this article
> I just found: http://www.linuxjournal.com/article.php?sid=6222 ... so,
> reading that, I could run things like Snort on the bridge? And because
> the NICs are in promiscuous mode, you can download patches or whatever
> to the IPless bridge from behind the router?

Yeah, was just thinking third NIC for admin purposes, with tight control
over that in the event the NAT box gets compromised somehow. From there they
would try to compromise the Bridge, or simply sniff traffic, or what not.

Either method will technically work, but I was just thinking that so as to
protect the box that has an IP address (such as the NAT router). Not saying
it's not secure, but when it comes to network security, I'm anal.

Yup, you can run snort. I do on my bridge as well.

PS: You ever by chance get an ISA Intel EtherExpress PRO/100 working in
FreeSCO? For the life of me, the modules won't load it properly. No biggie
if not, I'm gonna use another NIC and try FreeSCO tonight on my wireless
segment.

> This may seem like overkill given my needs and relative ignorance, but
> at some point I want to set up a couple of servers, and it'd be nice to
> know I was on top of everything beforehand. :)
>
> I'm surprised more people aren't using OpenBSD for a transparent
> bridging firewall (or maybe they are and keep it quiet!), I love the
> concept. Here's a handful of links if anyone's curious.
>
> http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html
> http://monkey.org/openbsd/archive/tech/0110/msg00049.html
> http://cfm.gs.washington.edu/security/firewall/pf-bridge/
> http://www.daemonnews.org/200103/ipf_bridge.html
>
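
For readers following the thread, here is a worked pf.conf for the layout Berk describes (IP-less OpenBSD bridge in front of the NAT router, optional third NIC for admin). It is an added example, not a ruleset posted by either participant: interface names (fxp0/fxp1/fxp2), the router's public address 203.0.113.25, the admin addresses and the /24 are all made-up placeholders, and the syntax is the explicit "keep state" form that pf has accepted since the OpenBSD 3.x releases current at the time.

```pf
# Added example (not from the thread): /etc/pf.conf for an IP-less OpenBSD bridge
# bridge0 = fxp0 + fxp1, sitting between the modem and the NAT router's WAN port.
# Every address and interface name below is a constructed placeholder.

ext_if    = "fxp0"              # bridge member facing the Internet
int_if    = "fxp1"              # bridge member facing the NAT router's WAN port
admin_if  = "fxp2"              # optional third NIC, the only one with an IP,
admin_ip  = "192.168.0.2"       #   cabled to the LAN behind the NAT router
admin_box = "192.168.0.30"      # the one LAN host allowed to ssh to the bridge
router    = "203.0.113.25"      # NAT router's public address (documentation range)
private   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Reassemble fragments and normalise packets before any rule looks at them.
scrub in all

# Default deny in both directions on every interface, logging the drops so
# unexpected traffic shows up in pflog0 (tcpdump -n -e -ttt -i pflog0).
block in log all
block out log all

# Packets carrying IP options (loose/strict source routing included) are dropped
# by pf unless a pass rule says "allow-opts"; none here does, so the source-routing
# concern from the thread is covered by the default. Private source addresses
# arriving from the Internet side are forged and get dropped explicitly.
block in quick on $ext_if inet from $private to any

# Outbound: a bridge member sees the same packet "in" on one side and "out" on the
# other. A direction-less rule matches both; "flags S/SA" creates TCP state only on
# the initial SYN, so replies return through the bridge without any inbound pass rule.
pass inet proto tcp from $router to any flags S/SA keep state
pass inet proto { udp, icmp } from $router to any keep state

# Servers later? Open them one port at a time, inbound on the Internet member only.
# pass in on $ext_if inet proto tcp from any to $router port 22 flags S/SA keep state

# Admin NIC: ssh from exactly one LAN host to the bridge's one address, nothing else.
# Anything else arriving on $admin_if, and anything leaving it that is not a reply,
# falls through to the default block, so a compromised NAT box cannot use it as a
# way onto the bridge.
pass in on $admin_if inet proto tcp from $admin_box to $admin_ip port 22 flags S/SA keep state
```

To bring the bridge up on an OpenBSD release of that era, the members get a hostname file containing just `up` (/etc/hostname.fxp0, /etc/hostname.fxp1) and /etc/bridgename.bridge0 contains `add fxp0 add fxp1 up`; the rules load with `pfctl -f /etc/pf.conf` after a syntax check with `pfctl -nf /etc/pf.conf`. Snort listens fine on a member interface that has no address (`snort -i fxp1`), which answers the question about running it on the bridge; what the missing address does prevent is the box fetching patches itself, which is exactly what the admin NIC is for.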


