Firewall Wizards mailing list archives

RE:Linux Firewall - Bob's Experiment


From: "Baxter, John" <JHB () cbsnews com>
Date: Sat, 11 Aug 2001 05:23:26 -0400

I'm not entirely sure what you mean about 'orderings'. As far as the
filtering on the transparent bridge goes, you wouldn't need to open the NAT
range, just keep state on packets inbound on the internal interface of the
bridge from your LAN to port 80, and port 53 etc.
eg

pass out quick on (internal interface of bridge) from (internal IP range) to
any port = 80 keep state
etc

and then pass inbound packets on the external interface of the bridge bound
for your web server on port 80.....

The IDS would become slightly more interesting, but I would suggest using an
IDS (read only cable, no IP) outside the firewall, and another on the
bridge. That way you would get traces from the wild, and post filtering.

John Baxter
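
The bridge ruleset described above, written out in ipf(5) syntax as an added example (not a ruleset posted by John or Bob). Interface names, the LAN range and the web server address are assumed placeholders; how the bridge hands frames to the packet filter depends on the OS version and is not covered here.

```ipf
# Added example, not from the original thread. Assumed placeholders:
#   ne0 = bridge interface facing the NAT box / Internet
#   ne1 = bridge interface facing the LAN (192.168.1.0/24)
#   192.168.1.10 = the web server that must be reachable on port 80

# Default deny on both interfaces; drop short fragments outright and log
# everything that is not explicitly passed, so the IDS on the bridge can
# be compared against what the filter dropped.
block in log quick all with short
block in log all
block out log all

# Outbound from the LAN: match new connections as they arrive on the
# LAN-facing interface and keep state. The state entry admits the replies
# on the Internet-facing side, so the NAT's port range (e.g. 20000-40000)
# never has to be opened inbound.
pass in quick on ne1 proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state
pass in quick on ne1 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state
pass in quick on ne1 proto udp from 192.168.1.0/24 to any port = 53 keep state

# Inbound from the Internet side: only new TCP connections to the web
# server on port 80. Everything else addressed into the LAN falls through
# to the block rules above.
pass in quick on ne0 proto tcp from any to 192.168.1.10/32 port = 80 flags S keep state
```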

-----Original Message-----
From: Bob Washburne [mailto:rcwash () concentric net]
Sent: Saturday, August 11, 2001 4:23 AM
To: Baxter, John
Cc: 'firewall-wizards () nfr com'
Subject: Re: [fw-wiz] Linux Firewall - Bob's Experiment


Hmmm... I hadn't really thought much about it.  Truthfully, my first
thought was that the system which was connected to the Internet had to
be visible to the Internet, and NAT was the minimum service which had to
be visible.

But now that you started me thinking I see that transparent is
transparent.  You should be able to place the bridge anywhere.  But,
does it make any difference?

Ideally, the packets which reach the LAN *SHOULD* be identical for both
orderings.  But wait!  How would the firewall be defined to filter
translated headers?

In the original layout we can program the firewall with the classic
settings; deny all except port 80 for HTTP, etc.  But with the alternate
layout with firewall up front we would have to open up ALL the ports in
the translation range (20000-40000, etc.).  I suspect this would be a
Bad Thing(tm).

Also, the results of the IDS would be different.  Up front, it would
report all activity including all the failed attempts.  While behind the
NAT it would only report those attacks which got through to the LAN,
much more interesting to my way of thinking.

Theoretically - assuming that there are no bugs or exploits - the NAT
should act as an IP filter.  Only the NAT can be addressed from the
Internet - the bridge has no address and the LAN is unroutable.  But the
NAT has no services of its own, so any packets sent specifically to it
would be discarded.  The only hope a black hat would have would be to
hijack a session - unlikely with the unpredictable nature of NAT and
the stateful nature of the firewall - or to send a virus/worm through
which could create a tunnel.  But that would have to be defended from on
the LAN client in any event.

So the only benefit I see to placing a bridge before the NAT would be a
protected IDS for monitoring ALL activity.  If that would be of
interest.  And that function might be placed on the NAT itself, if it
was a little stronger.

Anyone else have ideas about this?

Bob Washburne

"Baxter, John" wrote:

I see you're running your IPless box between LAN and NAT box - wouldn't it
be better between the NAT box and the outside world? eg

        LAN --- NAT --- IPless box ----- Internet

John Baxter

-----Original Message-----
From: Bob Washburne [mailto:rcwash () concentric net]
Sent: 08 August 2001 14:05
To: rob.roberson () verizon com
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Linux Firewall - Bob's Experiment

Linux is usable, but my personal preference is

http://www.openbsd.org/

which is a battle hardened unix clone.

I am developing a system for my home as an experiment:
-) i486 running OpenBSD as a gateway/NAT to the Internet.  Everything
else other than NAT stripped off the system (can't hack what ain't
there).
-) P166 running OpenBSD as a bridge/firewall/IDS between the NAT and the
LAN (a bridge doesn't have an IP address.  Can't hack what you can't
see.)
-) LAN running whatever with non-routable IP addresses.

I am hoping that this strategy will go a long way in protecting my
firewall from compromise.  I have no illusions about what a firewall can
and cannot do, but at least this one layer will be well protected :-)

The next phase would be to configure the NAT in such a way that it can
be burned onto CD and the hard drive removed.  Very difficult to hack a
read-only system...

Bob Washburne


I got a Linux box I would like to turn into a firewall for home... I
have it set up right now with 2 NICs and just using simple masquerading. I
would like to go to the next step in complexity... I was looking around
SourceForge and Freshmeat and saw a mind boggling number of programs.. I
am new to firewalls, but experienced in Linux / AIX / HPUX. Any input would
be appreciated and welcomed..

Adam Graham
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards