Security Basics mailing list archives
RE: Best IP configuration for OpenBSD firewall/router
From: Jason Armstrong <jarmstrong () technicacorp com>
Date: Mon, 18 Aug 2003 14:23:37 -0400
I don't see any particular advantage to doing it the way you describe. In fact I see it as being a bit more troublesome because of the extra routing you'll have to do. Granted it would make it slightly more difficult for someone to gain access to your LAN, but I don't see this as enough of a benefit considering what little you'll gain.

Jason

-----Original Message-----
From: Damon McMahon [mailto:inst_karma () hotmail com]
Sent: Saturday, August 16, 2003 11:51 PM
To: security-basics () securityfocus com
Subject: Best IP configuration for OpenBSD firewall/router

Greetings,

I'm in the process of configuring an old Pentium 75 MHz box to act as an OpenBSD firewall/gateway for my small office LAN on a 192.168.0.0/24 subnet (I have some *BSD experience with MacOS X). Presently a Windows 2000 Professional box is doing the job (using the inbuilt Internet Connection Sharing service) but for some time I haven't been convinced of the security of this configuration, and the recently announced Windows RPC flaw has spurred me into action!

OK, that's enough background, my question is: Is there any advantage of putting the firewall/gateway host on a different subnet - say, 192.168.1.0/24 - to the rest of the LAN, from a security perspective?

The easy option seems to put it on the same subnet, say 192.168.0.254 (since 192.168.0.1 is already taken by the existing Windows 2000 gateway); everything communicates with everything in this configuration. However, part of me thinks it should be intentionally _difficult_ (from a security perspective) for the firewall/gateway box to communicate with the rest of the LAN. Is that misguided?

If this is a good idea (gateway on separate subnet), then how should I configure the routing tables on the gateway and rest of the LAN so that everything routes correctly?

Thanks in advance for any assistance.
Current thread:
- Best IP configuration for OpenBSD firewall/router Damon McMahon (Aug 18)
- Re: Best IP configuration for OpenBSD firewall/router Edward Rustin (Aug 18)
- Re: Best IP configuration for OpenBSD firewall/router chort (Aug 18)
- Re: Best IP configuration for OpenBSD firewall/router Arturo "Buanzo" Busleiman (Aug 18)
- Re: Best IP configuration for OpenBSD firewall/router Patrick Benson (Aug 18)
- Re: Best IP configuration for OpenBSD firewall/router Arturo "Buanzo" Busleiman (Aug 19)
- Re: Best IP configuration for OpenBSD firewall/router chort (Aug 18)
- Re: Best IP configuration for OpenBSD firewall/router Edward Rustin (Aug 18)
- <Possible follow-ups>
- RE: Best IP configuration for OpenBSD firewall/router Jason Armstrong (Aug 18)
- RE: Best IP configuration for OpenBSD firewall/router Arturo "Buanzo" Busleiman (Aug 18)
- Re: Best IP configuration for OpenBSD firewall/router Ansgar Wiechers (Aug 19)
- Re: Best IP configuration for OpenBSD firewall/router Arturo "Buanzo" Busleiman (Aug 19)
- Re: Best IP configuration for OpenBSD firewall/router Ansgar Wiechers (Aug 19)
- RE: Best IP configuration for OpenBSD firewall/router Arturo "Buanzo" Busleiman (Aug 18)
- RE: Best IP configuration for OpenBSD firewall/router Edward Rustin (Aug 19)