Security Basics mailing list archives
Re: Best IP configuration for OpenBSD firewall/router
From: Edward Rustin <ed () well com>
Date: Mon, 18 Aug 2003 09:24:42 -0700 (PDT)
On Sun, 17 Aug 2003, Damon McMahon wrote:
> Greetings, I'm in the process of configuring an old Pentium 75 MHz box to act as an OpenBSD firewall/gateway for my small office LAN on a 192.168.0.0/24 subnet (I have some *BSD experience with MacOS X). Presently a Windows 2000 Professional box is doing the job (using the inbuilt Internet Connection Sharing service) but for some time I haven't been convinced of the security of this configuration, and the recently announced Windows RPC flaw has spurred me into action! OK, that's enough background, my question is:
blahch.... I personally don't trust Windows enough for my gateway device...
> Is there any advantage of putting the firewall/gateway host on a different subnet - say, 192.168.1.0/24 - to the rest of the LAN, from a security perspective? The easy option seems to put it on the same subnet, say 192.168.0.254 (since 192.168.0.1 is already taken by the existing Windows 2000 gateway); everything communicates with everything in this configuration.
Surely it would be easiest to give your BSD box the 192.168.0.1 IP, since that would stop you from having to reconfigure all your clients. Change the IP of the 2k box afterwards if you are using it for other functions as well (like file server etc...).
> However, part of me thinks it should be intentionally _difficult_ (from a security perspective) for the firewall/gateway box to communicate with the rest of the LAN.
ummmmm... I'm pretty certain that your gateway needs to be able to talk to your LAN, that largely being the point of it. After all, you -do- want your Internet traffic to get to the Internet, don't you..?
> Is that misguided? If this is a good idea (gateway on separate subnet), then how should I configure the routing tables on the gateway and rest of the LAN so that everything routes correctly? Thanks in advance for any assistance.
As I see it you want this sort of config: Network <-> Gateway <-> Internet. Your internal network needs to be able to talk to the gateway and the gateway needs to talk to the Internet. So I'll assume the gateway has two interfaces. Now the internal side of the gateway will need to be on the same subnet as your network, or else you'll have problems getting the two sides to talk to each other.

I'm also going to assume that you're going to be using some sort of iptables setup on your gateway so that it can perform some firewalling functions as well. So if you've got iptables set up with the appropriate restrictions on incoming traffic then you should be fine (for certain values of fine which include things such as making sure you're secure and patching your system when it needs it...).

In the sort of config that you're talking about your gateway will always need to talk to your internal network, and so if your gateway is compromised then the attacker will always be able to access your internal network. I think that where you're getting the 'different subnet' idea from is in situations where you have a DMZ as well as an internal network, in which case you will want the DMZ on a different subnet.

Hope this helps and feel free to ask me if you've got any questions.

Edward Rustin
Director of Security, OnlineGuardians.org
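An added example, not part of the thread and not from Edward or Damon: a minimal OpenBSD /etc/pf.conf for the layout Edward describes, with the gateway's inside interface on the LAN's own 192.168.0.0/24, unsolicited traffic from the Internet blocked, and a DMZ on its own subnet that cannot open connections back into the LAN. The interface names em0/em1/em2 and the DMZ subnet 192.168.1.0/24 are assumptions, and it uses current pf syntax (match/nat-to) rather than the older "nat on" form of 2003-era releases.

```pf
# /etc/pf.conf for the OpenBSD gateway (constructed example, not from the thread)
# Assumed interfaces: em0 = Internet side, em1 = office LAN, em2 = optional DMZ.
# em1 is configured as 192.168.0.1/24 so the LAN clients keep their default route.
ext_if  = "em0"
int_if  = "em1"
dmz_if  = "em2"             # assumed; drop the DMZ lines if you have no third NIC
lan_net = "192.168.0.0/24"
dmz_net = "192.168.1.0/24"  # assumed DMZ subnet, deliberately distinct from the LAN

set skip on lo0
block return log            # default deny in both directions; log what gets dropped

# Hide LAN and DMZ hosts behind the gateway's external address
match out on $ext_if inet from { $lan_net, $dmz_net } to any nat-to ($ext_if)

# LAN -> Internet and LAN -> DMZ; stateful rules let the replies back in
pass in  on $int_if inet from $lan_net to any
pass out on $ext_if inet from ($ext_if) to any
pass out on $dmz_if inet from $lan_net to $dmz_net

# The gateway itself is reachable from the LAN only over ssh (last match wins)
block return in on $int_if inet from any to ($int_if)
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port ssh

# DMZ -> Internet only: a compromised DMZ host cannot initiate connections to the LAN
# or to the gateway's own DMZ address
pass in on $dmz_if inet from $dmz_net to ! $lan_net
block return in on $dmz_if inet from any to ($dmz_if)

# There is intentionally no "pass in on $ext_if" rule: everything unsolicited from
# the Internet is stopped by the default block above.
```

Enable forwarding with net.inet.ip.forwarding=1 in /etc/sysctl.conf, then run pfctl -nf /etc/pf.conf to syntax-check the ruleset before loading it with pfctl -f /etc/pf.conf.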