Firewall: Linux v. OpenBSD


Post by Tim Hayne » Mon, 26 Nov 2001 04:25:24

[Newsgroups: header expanded to include c.o.l.n., in case anyone else wants
to chip in]

> I do intend to have both firewalls configured as if they are the only
> one, but I just wanted to let everyone know that if the filter rules
> weren't perfect on day one, it would be soon...but the network wouldn't
> be any more exposed than it is now (see far below)

Yeah. Not to worry too much, given that rulesets evolve over time anyway.
(Like I used to be fairly loose about outgoing packets, but now have
tightened those down considerably... every so often, a new area in which to
restrict things comes to light.)

> >It normally works that you have a LAN on e.g. eth0, using a private IP
> >range such as 10/8, and an external connection on eth1 (or ppp0 for dialup
> >PPP purposes), with real-world IP#s.
> >If you've got real-world IP#s inside the LAN, then you can forward packets.
> >If you've got private IPs, you're looking at SNAT or Masquerading outwards,
> >and optionally DNAT coming in.

> (I know this should get posted elsewhere, but let me just continue this
> thread first since someone started to address it.)

> From the diagrams below, the secondary firewall, the VPN server, and the
> mail server all have public addresses on their external NICs. I would
> like to keep that configuration. I am going to use 192.168 addresses in
> the example, but assume they are real public addresses.

> OldFirewall
> VPN Server
> Mail Server

> What would I want to do with the new linux server's NICs and do I have
> to change routing on the T1 router coming in?

From the below, it looks like the new Linux-or-BSD box is going to be
inserted so that packets from the internet hit it first, i.e. it's the most
front-facing of the lot.


> The layout I plan to setup is:

> Current Layout: Notice the three points of entry. All have pretty good
> filters, but still are risks.

> Internet<--->Firewall<--->Network
>          |              |
>          |--->VPNSrv<---|
>          |              |
>          |->MailServer<-|

> Future Layout: Three points of entry now have another level protecting
> them.

(I've labelled a couple of points of interest):
            P        L   C

> Internet<->Linux/BSD<->CurrentFirewall<->Network
>                      |                 |
>                      |--->VPN Server<--|
>                      |                 |
>                      |->Mail Fowarder<-|->Mail Server

You can change the current firewall's outgoing IP# (`C'); as long as points
L and C are on the same network (a pointopoint link is all that's needed),
you'll be fine, and won't have to change anything behind the current

   19:12:05 up 17 days, 21:09, 13 users,  load average: 0.20, 0.16, 0.14     |and the river flowed
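As an added example (not from this thread or either poster), a pf.conf for the new box at point P in the "Future Layout" above. It assumes current OpenBSD pf syntax, interface names fxp0/fxp1, an IPsec VPN on the VPN server, and 192.168.1.x standing in for the real public addresses, as the original poster suggests:

```pf
# Added example for the front-facing box at point P (not from the thread).
# Assumptions: fxp0 faces the T1 router, fxp1 faces point L, and the
# 192.168.1.x addresses stand in for the real public addresses.
ext_if   = "fxp0"
int_if   = "fxp1"
old_fw   = "192.168.1.1"   # point C: current firewall's outgoing address
vpn_srv  = "192.168.1.2"   # VPN Server's external address
mail_fwd = "192.168.1.3"   # Mail Forwarder's external address
protected = "{ " $old_fw " " $vpn_srv " " $mail_fwd " }"

# No NAT here: the hosts behind P keep their public addresses, so this box
# only routes and filters (the thread's "forward packets" case).
set block-policy drop
set skip on lo
antispoof quick for { $ext_if $int_if }

# Default deny; only what is listed below is forwarded in either direction.
block all

# Inbound from the internet: one rule per service a public host offers.
pass in on $ext_if proto tcp to $mail_fwd port smtp keep state
pass in on $ext_if proto udp to $vpn_srv port isakmp keep state   # IKE
pass in on $ext_if proto esp to $vpn_srv keep state
# Services reachable on the current firewall (point C) are not named in the
# thread; add a "pass in on $ext_if ... to $old_fw" rule per service here.

# Outbound: the LAN's traffic is already SNATed by the current firewall, so
# it arrives at L from $old_fw; the other two hosts speak for themselves.
pass in on $int_if from $protected keep state
pass out on { $ext_if $int_if } keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state table that the keep state rules build.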

