Security Basics mailing list archives

RE: Best IP configuration for OpenBSD firewall/router


From: "Arturo \"Buanzo\" Busleiman" <buanzo () buanzo com ar>
Date: Mon, 18 Aug 2003 18:47:12 -0300 (ART)

From: Damon McMahon [mailto:inst_karma () hotmail com]
Sent: Saturday, August 16, 2003 11:51 PM
Subject: Best IP configuration for OpenBSD firewall/router

Greetings,
hiya!

I'm in the process of configuring an old Pentium 75 MHz box to act as an
OpenBSD firewall/gateway for my small office LAN on a 192.168.0.0/24
subnet (I have some *BSD experience with MacOS X).

Congratulations :)

Is there any advantage of putting the firewall/gateway host on a
different subnet - say, 192.168.1.0/24 - to the rest of the LAN, from a
security perspective?

I would say there is no advantage. It is, well, an interesting difference,
but it makes no interesting sense to the security of your intranet.

Having access to the router, I mean, once an attacker is in there, makes
no difference. So, the security should be provided by other means. It
would be useful, of course, when you think about the addressing schema :).

The easy option seems to put it on the same subnet, say 192.168.0.254
(since 192.168.0.1 is already taken by the existing Windows 2000
gateway); everything communicates with everything in this configuration.

Well, everything communicates with everything at MAC (not IP) level,
taking switches/hubs into account (check ettercap.sf.net). The subnet
change would only have a meaning at the IP level. Anyway, it's still a
router, and so it does still get all the packets, entering and leaving the
router :).

--
Arturo "Buanzo" Busleiman - www.buanzo.com.ar - GNU/Linux Documentation
GNU's es_AR Team Leader - PGP/GnuPG Key available at horowitz.surfnet.nl
_FREE_ 21Mb eMail mailbox with Webmail/POP/IMAP/SMTP at www.daleclick.com



