[olug] Home network, firewall, vpn design..

Ken emptymm at cox.net
Wed Feb 18 02:39:25 UTC 2004


Phil Brutsche wrote:
> Ken wrote:
> 
>> My primary objective with the OpenBSD firewall was to be "cheap & 
>> secure" and make use of the P100.  Obviously the P100 would make a 
>> pretty crappy VPN server so I had wanted to use the resources on the 
>> internal Linux server for that without directly exposing it to the 
>> internet.
> 
> 
> Don't underestimate how fast one of those things can be.  PIX-501s are 
> actually about the same CPU speed, and the PC has a better PCI bus and 
> memory subsystem.
> 
>> So, in light of that I have one other idea..  I've been doing some 
>> reading on using OpenBSD/pf as a Transparent Packet Filter with no NAT 
>> or IP address: http://ezine.daemonnews.org/200207/transpfobsd.html
> 
> 
> [...]
> 
>> So, trying again, does anyone have any thoughts on this?  I've never 
>> tried running a transparent packet filter but have to admit it seems 
>> rather enticing (and cool).  I'd be especially curious to know if 
>> anyone could still see a potential conflict with the VPN..
> 
> 
> As long as you configure the pf rules right it won't make much of a 
> difference.  You just need to make sure you let through UDP 500 (for IKE 
> key exchange) and IP protocols 50 and 51.
> 

Thanks, Phil.  While I'm at it, I just had one more thought/question: 
Could I add the ability to remotely manage the transparent pf using a 
3rd interface (NIC) attached to my internal switch such as:

Internet
     |
     |
  (no ip)
OpenBSD pf (ip/ssh)-<-
  (no ip)              |
     |                 |
     |                 |
Linux/NAT Server      |
     |                 |
     |                 |
  Switch --->----->----
     |
     |
    LAN

Can you see any potential issues with this?  It would seem to me this 
would allow remote management without much security compromise since an 
attacker would need to pass through the firewall and into the internal 
network prior to being able to connect to the interface with an internal 
ip..

Thanks,
Ken
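The rule set below is an added example for the layout drawn above; it is not from this thread, from the daemonnews article, or from any of the posters. Interface names (fxp0/fxp1/fxp2), the LAN 192.168.1.0/24, the management address 192.168.1.2 and the public address 203.0.113.10 on the Linux/NAT server are assumptions for illustration. It follows the pf.conf grammar of the OpenBSD 3.x releases in use at the time of the post, with the bridge itself created outside pf (on those releases via /etc/bridgename.bridge0 with `add fxp0`, `add fxp1`, `up`). It shows the three things the reply calls for (UDP 500, IP protocol 50, IP protocol 51) and the management-only third NIC from the diagram.

```pf
# Added example pf.conf for the diagram in the post (not from the original
# thread).  Assumed, not from the post: interface names fxp0/fxp1/fxp2, the
# LAN 192.168.1.0/24, management address 192.168.1.2 and a public address of
# 203.0.113.10 on the Linux/NAT server.  On pf of this era a state entry is
# not tied to an interface, so a state created by "keep state" on one bridge
# member also matches the same packet as it leaves through the other member.

ext_if  = "fxp0"           # bridge member facing the Internet, no address
int_if  = "fxp1"           # bridge member facing the Linux/NAT server, no address
mgmt_if = "fxp2"           # third NIC on the internal switch, the only address
mgmt_ip = "192.168.1.2"
lan_net = "192.168.1.0/24"
vpn_srv = "203.0.113.10"   # public address of the Linux/NAT + VPN server

set block-policy drop
scrub in all

# Default deny on every interface, the management NIC included.
block in  log all
block out log all

# IPsec terminating on the Linux server: IKE (UDP 500) plus ESP (IP proto 50)
# and AH (IP proto 51).  ESP and AH have no ports, so they are passed
# statelessly in both directions on both bridge members.
pass in  quick on $ext_if proto udp from any to $vpn_srv port 500 keep state
pass in  quick on $int_if proto udp from $vpn_srv port 500 to any keep state
pass in  quick on $ext_if proto { esp, ah } from any to $vpn_srv
pass out quick on $int_if proto { esp, ah } from any to $vpn_srv
pass in  quick on $int_if proto { esp, ah } from $vpn_srv to any
pass out quick on $ext_if proto { esp, ah } from $vpn_srv to any

# Traffic the Linux/NAT server originates on behalf of the LAN.  Replies
# ride the state entry, so nothing unsolicited from the Internet reaches it.
pass in quick on $int_if proto tcp from $vpn_srv to any flags S/SA keep state
pass in quick on $int_if proto { udp, icmp } from $vpn_srv to any keep state

# Remote management: ssh only, only from the LAN, only on the third NIC.
# Nothing arriving on a bridge member addressed to $mgmt_ip is passed, because
# the default block above covers both members.
pass in quick on $mgmt_if proto tcp from $lan_net to $mgmt_ip port ssh \
    flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. One practical caveat on the management NIC: its address is reachable from every host on the internal switch, so an attacker who has already compromised a LAN machine can reach sshd; narrowing `$lan_net` in the last rule to the one workstation used for administration costs nothing and shrinks that exposure.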

