Security Basics mailing list archives

RE: Best IP configuration for OpenBSD firewall/router


From: Jason Armstrong <jarmstrong () technicacorp com>
Date: Mon, 18 Aug 2003 14:23:37 -0400

I don't see any particular advantage to doing it the way you describe.
In fact I see it as being a bit more troublesome because of the 
extra routing you'll have to do. 

Granted, it would make it slightly more difficult for someone to gain 
access to your LAN, but I don't see this as enough of a benefit 
considering what little you'll gain.

Jason


-----Original Message-----
From: Damon McMahon [mailto:inst_karma () hotmail com] 
Sent: Saturday, August 16, 2003 11:51 PM
To: security-basics () securityfocus com
Subject: Best IP configuration for OpenBSD firewall/router


Greetings,

I'm in the process of configuring an old Pentium 75 MHz box to act as 
an OpenBSD firewall/gateway for my small office LAN on a 192.168.0.0/24 
subnet (I have some *BSD experience with MacOS X).

Presently a Windows 2000 Professional box is doing the job (using the 
inbuilt Internet Connection Sharing service) but for some time I 
haven't been convinced of the security of this configuration, and the 
recently announced Windows RPC flaw has spurred me into action! OK, 
that's enough background, my question is:

Is there any advantage of putting the firewall/gateway host on a 
different subnet - say, 192.168.1.0/24 - to the rest of the LAN, from a 
security perspective?

The easy option seems to put it on the same subnet, say 192.168.0.254 
(since 192.168.0.1 is already taken by the existing Windows 2000 
gateway); everything communicates with everything in this configuration.

However, part of me thinks it should be intentionally _difficult_ (from 
a security perspective) for the firewall/gateway box to communicate 
with the rest of the LAN.

Is that misguided?

If this is a good idea (gateway on separate subnet), then how should I 
configure the routing tables on the gateway and rest of the LAN so that 
everything routes correctly?

Thanks in advance for any assistance.
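As an added illustration, not code from either post, here is a small longest-prefix-match route lookup over the tables a LAN host and the gateway would carry under each placement Damon asks about. It shows what the "extra routing" in Jason's reply amounts to: with the gateway on 192.168.1.0/24, a LAN host's default route has an off-link next hop and nothing beyond the LAN is reachable until a host route declaring the gateway on-link is added (and the mirror-image route on the gateway). The subnets 192.168.0.0/24 and 192.168.1.0/24 and the address 192.168.0.254 come from the question; the host address 192.168.0.10, the interface names em0/em1, the gateway address 192.168.1.254 and the upstream next hop 203.0.113.1 are assumptions.

```python
"""Route lookups for the two gateway placements discussed in the thread.

Added illustration; not from the original posts. Addresses 192.168.0.0/24,
192.168.1.0/24 and 192.168.0.254 come from the question. The LAN host
192.168.0.10, interfaces em0/em1, gateway address 192.168.1.254 and the
upstream next hop 203.0.113.1 (documentation range) are assumed.
"""
from ipaddress import ip_address, ip_network

# A route is (prefix, next_hop, iface). next_hop ONLINK means the prefix is
# directly reachable on that interface (a "connected" or interface route).
ONLINK = None


def lookup(table, dst):
    """Longest-prefix match. Returns (next_hop, iface), or None if no route."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def next_hop_reachable(table, dst):
    """True if dst has a route whose next hop is itself on-link.

    Real stacks refuse a route whose gateway is not on-link, so a table
    that fails this check could not even be installed as written.
    """
    route = lookup(table, dst)
    if route is None:
        return False
    next_hop, _ = route
    if next_hop is ONLINK:
        return True
    via = lookup(table, next_hop)
    return via is not None and via[0] is ONLINK


# Placement 1: gateway at 192.168.0.254, same subnet as the LAN hosts.
LAN_HOST_SAME_SUBNET = [
    ("192.168.0.0/24", ONLINK, "em0"),
    ("0.0.0.0/0", "192.168.0.254", "em0"),
]

# Placement 2: gateway at 192.168.1.254 on 192.168.1.0/24, LAN still
# 192.168.0.0/24. With only the connected route and a default route,
# the default's next hop is off-link, so nothing beyond the LAN resolves.
LAN_HOST_SEPARATE_NO_EXTRA = [
    ("192.168.0.0/24", ONLINK, "em0"),
    ("0.0.0.0/0", "192.168.1.254", "em0"),
]

# The extra routing: a host route declaring the gateway on-link on each
# LAN host, and the mirror-image route back to the LAN on the gateway.
LAN_HOST_SEPARATE_FIXED = LAN_HOST_SEPARATE_NO_EXTRA + [
    ("192.168.1.254/32", ONLINK, "em0"),
]
GATEWAY_SEPARATE = [
    ("192.168.1.0/24", ONLINK, "em1"),    # inside interface, its own subnet
    ("192.168.0.0/24", ONLINK, "em1"),    # extra on-link route to the LAN
    ("0.0.0.0/0", "203.0.113.1", "em0"),  # assumed upstream next hop
]


def summary():
    """Per placement: can a LAN host reach an outside address (198.51.100.7)?"""
    outside = "198.51.100.7"  # constructed test destination (documentation range)
    return {
        "same_subnet": next_hop_reachable(LAN_HOST_SAME_SUBNET, outside),
        "separate_no_extra": next_hop_reachable(LAN_HOST_SEPARATE_NO_EXTRA, outside),
        "separate_with_extra": next_hop_reachable(LAN_HOST_SEPARATE_FIXED, outside),
        "gateway_to_lan": next_hop_reachable(GATEWAY_SEPARATE, "192.168.0.10"),
    }


if __name__ == "__main__":
    for placement, ok in summary().items():
        print(f"{placement:22s} reachable={ok}")
```

Once the two extra routes are in place, a LAN host's lookups behave exactly as in the same-subnet layout, which is the point of Jason's reply: the separate subnet adds one missing route entry, not an enforcement point. Whatever traffic is actually allowed between the LAN and the outside is decided by the packet filter on the gateway, in either layout.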


