Firewall Wizards mailing list archives
RE: Linux Firewall - Bob's Experiment
From: "Baxter, John" <JHB () cbsnews com>
Date: Sat, 11 Aug 2001 05:23:26 -0400
I'm not entirely sure what you mean about 'orderings'. As far as the filtering on the transparent bridge goes, you wouldn't need to open the NAT range, just keep state on packets inbound on the internal interface of the bridge from your LAN to port 80, and port 53 etc.

eg

pass out quick on (internal interface of bridge) from (internal IP range) to any port = 80 keep state

etc and then pass inbound packets on the external interface of the bridge bound for your web server on port 80.....

The IDS would become slightly more interesting, but I would suggest using an IDS (read only cable, no IP) outside the firewall, and another on the bridge. That way you would get traces from the wild, and post filtering.

John Baxter

-----Original Message-----
From: Bob Washburne [mailto:rcwash () concentric net]
Sent: Saturday, August 11, 2001 4:23 AM
To: Baxter, John
Cc: 'firewall-wizards () nfr com'
Subject: Re: [fw-wiz] Linux Firewall - Bob's Experiment

Hmmm... I hadn't really thought much about it. Truthfully, my first thought was that the system which was connected to the Internet had to be visible to the Internet, and NAT was the minimum service which had to be visible. But now that you started me thinking I see that transparent is transparent. You should be able to place the bridge anywhere.

But, does it make any difference? Ideally, the packets which reach the LAN *SHOULD* be identical for both orderings.

But wait! How would the firewall be defined to filter translated headers? In the original layout we can program the firewall with the classic settings; deny all except port 80 for HTTP, etc. But with the alternate layout with firewall up front we would have to open up ALL the ports in the translation range (20000-40000, etc.). I suspect this would be a Bad Thing(tm).

Also, the results of the IDS would be different. Up front, it would report all activity including all the failed attempts. While behind the NAT it would only report those attacks which got through to the LAN, much more interesting to my way of thinking.

Theoretically - assuming that there are no bugs or exploits - the NAT should act as an IP filter. Only the NAT can be addressed from the Internet - the bridge has no address and the LAN is unroutable. But the NAT has no services of its own, so any packets sent specifically to it would be discarded. The only hope a black hat would have would be to hijack a session - unlikely with the unpredictable nature of NAT and the stateful nature of the firewall - or to send a virus/worm through which could create a tunnel. But that would have to be defended from on the LAN client in any event.

So the only benefit I see to placing a bridge before the NAT would be a protected IDS for monitoring ALL activity. If that would be of interest. And that function might be placed on the NAT itself, if it was a little stronger.

Anyone else have ideas about this?

Bob Washburne

"Baxter, John" wrote:

I see you're running your IPless box between LAN and NAT box - wouldn't it be better between the NAT box and the outside world?

eg LAN --- NAT --- IPless box ----- Internet

John Baxter

-----Original Message-----
From: Bob Washburne [mailto:rcwash () concentric net]
Sent: 08 August 2001 14:05
To: rob.roberson () verizon com
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Linux Firewall - Bob's Experiment

Linux is usable, but my personal preference is http://www.openbsd.org/ which is a battle hardened unix clone.

I am developing a system for my home as an experiment:

-) i486 running OpenBSD as a gateway/NAT to the Internet. Everything else other than NAT stripped off the system (can't hack what ain't there).
-) P166 running OpenBSD as a bridge/firewall/IDS between the NAT and the LAN (a bridge doesn't have an IP address. Can't hack what you can't see.)
-) LAN running whatever with non-routable IP addresses.

I am hoping that this strategy will go a long way in protecting my firewall from compromise. I have no illusions about what a firewall can and cannot do, but at least this one layer will be well protected :-)

The next phase would be to configure the NAT in such a way that it can be burned onto CD and the hard drive removed. Very difficult to hack a read-only system...

Bob Washburne

I got a linux box i would like to turn into a firewall for home... i have it set up right now with 2 nics and just using simple masquerading. I would like to go to the next step in complexity... I was looking around sourceforge and freshmeat and saw a mind boggling number of programs.. I am new to firewalls, but experienced in Linux / AIX / HPUX. Any input would be appreciated and welcomed..

Adam Graham
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
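John's rule sketch above uses ipf-style syntax; the following is an added example, not code from anyone in the thread, that expresses the same stateful policy for his suggested ordering (LAN --- NAT --- IP-less bridge --- Internet) as a pf.conf for OpenBSD's pf, which replaced ipf after this thread was written. The interface names fxp0/fxp1 and the NAT box's public address 203.0.113.2 (a documentation address) are assumptions.

```conf
# Added example (not from the thread): pf.conf for the IP-less bridge sitting
# between the NAT box and the Internet. Interface names and the NAT box's
# public address are assumed; 203.0.113.2 is a documentation-range address.
ext_if = "fxp0"          # bridge member facing the Internet
int_if = "fxp1"          # bridge member facing the NAT box / LAN side
nat_ip = "203.0.113.2"   # public address every LAN connection is translated to

set skip on lo0

# Default deny. A packet crossing the bridge is evaluated "in" on one member
# and "out" on the other; the floating state created by the first match
# covers the second, so rules are only needed on the inbound side.
block log all

# Outside may not claim the NAT box's own address (no antispoof keyword here:
# the bridge members carry no address of their own).
block in quick on $ext_if from $nat_ip to any

# LAN (already translated to $nat_ip) to Internet: web and DNS only.
# Replies are matched by state, so the NAT port range (20000-40000 etc.
# in the thread) is never opened as a range.
pass in quick on $int_if proto tcp from $nat_ip to any port 80 \
    flags S/SA keep state
pass in quick on $int_if proto { tcp udp } from $nat_ip to any port 53 \
    keep state

# Internet to the published web server: port 80 on the NAT box's address,
# which the NAT box then redirects to the real server on the LAN.
pass in quick on $ext_if proto tcp from any to $nat_ip port 80 \
    flags S/SA keep state
```

After loading with pfctl -f, pfctl -ss lists the states so you can confirm that a LAN browse creates one entry keyed on $nat_ip and that nothing else is admitted inbound.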
Current thread:
- RE: Linux Firewall - Bob's Experiment Baxter, John (Aug 10)
- Re: Linux Firewall - Bob's Experiment Bob Washburne (Aug 11)
- <Possible follow-ups>
- RE: Linux Firewall - Bob's Experiment Baxter, John (Aug 11)
- Re: Linux Firewall - Bob's Experiment Baxter, John (Aug 11)