Security Basics mailing list archives

Re: Best IP configuration for OpenBSD firewall/router


From: Edward Rustin <ed () well com>
Date: Mon, 18 Aug 2003 09:24:42 -0700 (PDT)



On Sun, 17 Aug 2003, Damon McMahon wrote:

> Greetings,
>
> I'm in the process of configuring an old Pentium 75 MHz box to act as
> an OpenBSD firewall/gateway for my small office LAN on a 192.168.0.0/24
> subnet (I have some *BSD experience with MacOS X).
>
> Presently a Windows 2000 Professional box is doing the job (using the
> inbuilt Internet Connection Sharing service) but for some time I
> haven't been convinced of the security of this configuration, and the
> recently announced Windows RPC flaw has spurred me into action! OK,
> that's enough background, my question is:

blahch.... I personally don't trust windows enough for my gateway device...

> Is there any advantage of putting the firewall/gateway host on a
> different subnet - say, 192.168.1.0/24 - to the rest of the LAN, from a
> security perspective?
>
> The easy option seems to put it on the same subnet, say 192.168.0.254
> (since 192.168.0.1 is already taken by the existing Windows 2000
> gateway); everything communicates with everything in this configuration.

Surely it would be easiest to give your BSD box the 192.168.0.1 IP since
that would stop you from having to reconfigure all your clients. Change
the IP of the 2k box afterwards if you are using it for other functions as
well (like file server etc...)

> However, part of me thinks it should be intentionally _difficult_ (from
> a security perspective) for the firewall/gateway box to communicate
> with the rest of the LAN.

ummmmm... I'm pretty certain that your gateway needs to be able to talk to
your LAN, that largely being the point of it. After all you -do- want your
internet traffic to get to the internet don't you..?

> Is that misguided?
>
> If this is a good idea (gateway on separate subnet), then how should I
> configure the routing tables on the gateway and rest of the LAN so that
> everything routes correctly?
>
> Thanks in advance for any assistance.


As I see it you want this sort of config:

Network <-> Gateway <-> Internet

Your internal network needs to be able to talk to the gateway and the
gateway needs to talk to the internet. So I'll assume the gateway has two
interfaces.

Now the internal side of the gateway will need to be on the same subnet as
your network, or else you'll have problems getting the two sides to talk
to each other.

I'm also going to assume that you're going to be using some sort of
iptables setup on your gateway so that it can perform some firewalling
functions as well. So if you've got iptables set up with the appropriate
restrictions on incoming traffic then you should be fine (for certain
values of fine which include things such as making sure you're secure and
patching your system when it needs it...)

In the sort of config that you're talking about your gateway will always
need to talk to your internal network and so if your gateway is
compromised then the attacker will always be able to access your internal
network.

I think that where you're getting the 'different subnet' idea from is in
situations where you have a DMZ as well as an internal network in which
case you will want the DMZ on a different subnet.

Hope this helps and feel free to ask me if you've got any questions.

Edward Rustin
Director of Security, OnlineGuardians.org
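The two practical points in the reply above (the gateway's internal interface has to sit on the same subnet as the clients, and reusing 192.168.0.1 spares you from reconfiguring every client) can be checked mechanically. The following is an added example, not code from the original thread: it models the LAN hosts and their default-gateway settings with Python's standard `ipaddress` module and reports, for each candidate gateway address from the thread (192.168.0.1, 192.168.0.254, and 192.168.1.1 on the proposed separate subnet), whether clients could actually reach it as a next hop and how many would need to be reconfigured. The client names and addresses are constructed for illustration.

```python
"""Default-gateway placement check for the layout discussed in the thread:

    Network <-> Gateway <-> Internet

Added example, not code from the original post.  Only the standard library
is used.  The LAN (192.168.0.0/24) and the candidate gateway addresses come
from the thread; the client hosts below are constructed sample data.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Host:
    name: str
    address: str          # LAN-facing interface as "ip/prefix"
    default_gateway: str  # next hop currently configured on the host


# Constructed sample LAN: every client still points at the Windows 2000 box.
LAN = "192.168.0.0/24"
SAMPLE_CLIENTS = [
    Host("pc1", "192.168.0.10/24", "192.168.0.1"),
    Host("pc2", "192.168.0.11/24", "192.168.0.1"),
    Host("printer", "192.168.0.20/24", "192.168.0.1"),
]


def on_link(host: Host, target_ip: str) -> bool:
    """True when target_ip lies inside the host's own subnet, i.e. the host can
    resolve it with ARP and hand packets to it directly."""
    iface = ipaddress.ip_interface(host.address)
    return ipaddress.ip_address(target_ip) in iface.network


def check_default_route(host: Host) -> str:
    """A default gateway is only usable if it is on the local link; a next hop
    in another subnet cannot be reached without yet another router in between."""
    return "ok" if on_link(host, host.default_gateway) else "unreachable"


def plan_gateway_address(lan: str, clients: list, candidate_gateway_ip: str) -> dict:
    """Summarise what happens if the new gateway box takes candidate_gateway_ip.

    gateway_on_lan        -> the gateway's internal side shares the LAN subnet
    clients_to_reconfigure -> hosts whose default gateway setting must change
    clients_unreachable   -> hosts that could not use the new address at all
    """
    network = ipaddress.ip_network(lan)
    gateway = ipaddress.ip_address(candidate_gateway_ip)
    summary = {
        "gateway_on_lan": gateway in network,
        "clients_to_reconfigure": [],
        "clients_unreachable": [],
    }
    for client in clients:
        if client.default_gateway != candidate_gateway_ip:
            summary["clients_to_reconfigure"].append(client.name)
        # What the client would see after being pointed at the new gateway.
        moved = Host(client.name, client.address, candidate_gateway_ip)
        if check_default_route(moved) == "unreachable":
            summary["clients_unreachable"].append(client.name)
    return summary


if __name__ == "__main__":
    for candidate in ("192.168.0.1", "192.168.0.254", "192.168.1.1"):
        result = plan_gateway_address(LAN, SAMPLE_CLIENTS, candidate)
        print(candidate, result)
```

Running it shows the trade-off the reply describes: 192.168.0.1 is on the LAN and needs no client changes, 192.168.0.254 is on the LAN but every client's gateway setting has to be edited, and 192.168.1.1 is unreachable from all of them until an extra router bridges the two subnets.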


