Friday, July 20, 2007

A See Thru Firewall

A transparent firewall has its pros and cons. On OpenBSD it uses the bridging feature offered by the OS. I used a machine with 2 NICs, running OpenBSD 4.1, to build this perimeter fence.

Pros:
On the network, nobody knows it is there (unless the information comes from your own big mouth).
Since it is IP-less, it avoids most remote hacking attempts (physical attempts excluded), but it is still open to DDoS in rare cases.

Cons:
You cannot do anything IP-related on it (e.g. NAT, DHCP, mail).
You cannot ping it (for monitoring, testing or troubleshooting) since it is IP-less.
You cannot ssh to it since it is IP-less (again). So for anything at all, you have to face the coldness of the server cave.

How do you configure it? Well, the rules in pf.conf are up to you. What I know about setting up this poised machine is as below:

First create a file in /etc called bridgename.bridge0 and put these lines into it:
add bge0
add bge1
up

Save it and, while still in /etc, create files called hostname.bge0 and hostname.bge1 and put this line into both:
up

Save it and go on to edit /etc/rc.conf: search for the pf=NO entry and change "NO" to "YES".

Save rc.conf and move on to the next file, /etc/sysctl.conf, and uncomment this line:
net.inet.ip.forwarding=1

Provided you have pf.conf well configured, restart the network and load the rules:
#sh /etc/netstart
#pfctl -f /etc/pf.conf

Last but not least, to avoid a performance issue (kapla_hodot and I found an issue with duplicate packets or something; sorry, I don't remember exactly, but I read about it somewhere), be sure to use only one interface to control the rules. The other interface should allow everything, for example:

external_if="bge0"
internal_if="bge1"
scrub in all
#allow all internal
pass in quick on $internal_if all
pass out quick on $internal_if all
#block all external
block in log on $external_if all
block out log on $external_if all
#your passing rules go here; just use $external_if in your lines

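As an added example (not the post's own code), here is a shell script that stages every file from the steps above into a scratch directory, flips pf=NO to pf=YES in a copy of rc.conf, uncomments the sysctl line, and checks that the internal pass-quick rules sit before the external block rules; the interface names bge0/bge1 and the staging path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: stage the files the post walks
# through (bridge, member NICs, pf.conf, rc.conf and sysctl.conf edits) into a
# scratch directory so they can be reviewed before being copied into /etc.
# Interface names bge0/bge1 and the staging directory are assumptions.
set -eu

# write_bridge_configs DIR EXT_IF INT_IF
write_bridge_configs() {
    dir=$1 ext=$2 int=$3
    mkdir -p "$dir"
    # bridgename.bridge0: enslave both NICs, then bring the bridge up
    printf 'add %s\nadd %s\nup\n' "$ext" "$int" > "$dir/bridgename.bridge0"
    # member NICs get only "up": no address is assigned, so the box stays IP-less
    printf 'up\n' > "$dir/hostname.$ext"
    printf 'up\n' > "$dir/hostname.$int"
    # pf.conf: internal side passes everything quickly; all filtering is
    # expressed once, on the external interface
    cat > "$dir/pf.conf" <<EOF
external_if="$ext"
internal_if="$int"
scrub in all
# allow all internal
pass in quick on \$internal_if all
pass out quick on \$internal_if all
# block all external
block in log on \$external_if all
block out log on \$external_if all
# your passing rules go here, written against \$external_if
EOF
}

# enable_pf IN OUT: copy rc.conf with pf=NO flipped to pf=YES
enable_pf() { sed 's/^pf=NO$/pf=YES/' "$1" > "$2"; }

# enable_forwarding IN OUT: copy sysctl.conf with the forwarding line uncommented
enable_forwarding() { sed 's/^#\(net\.inet\.ip\.forwarding=1\)$/\1/' "$1" > "$2"; }

# pf_order_ok FILE: succeed only when the internal "pass quick" rules precede
# the external block rules, so filtering really happens on one interface only
pf_order_ok() {
    awk '/^pass in quick on .internal_if/ {p=NR}
         /^block in log on .external_if/ {b=NR}
         END {exit !(p && b && p < b)}' "$1"
}

# usage: sh stage_bridge_fw.sh /tmp/bridge-fw, then diff the result against /etc
if [ -n "${1:-}" ]; then write_bridge_configs "$1" bge0 bge1; fi
```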
That's about it. I don't want to drill down into this firewall thingy, because there are already plenty of firewall engineer posts available nowadays (and I have a lot of other things to think about in life). Please let me know if I'm missing something. Else, voila.