[olug] Home network, firewall, vpn design..

Daniel Linder dan at linder.org
Wed Feb 18 03:21:32 UTC 2004


Ken said:

> Thanks, Phil.  While I'm at it, I just had one more thought/question:
> Could I add the ability to remotely manage the transparent pf using a
> 3rd interface (NIC) attached to my internal switch such as:
>
> Internet
>      |
>      |
>   (no ip)
> OpenBSD pf (ip/ssh)-<-
>   (no ip)              |
>      |                 |
> Linux/NAT Server       |
>      |                 |
>   Switch --->----->----
>      |
>     LAN
>
> Can you see any potential issues with this?  It would seem to me this
> would allow remote management without much security compromise since an
> attacker would need to pass through the firewall and into the internal
> network prior to being able to connect to the interface with an internal
> ip..

I don't know if there are any limitations that would cause this to not
work, but can you have the inside interface of the OpenBSD system that has
an IP address to listen only for traffic coming from the Linux/NAT server
going "to" that address on a predefined port?

Something like this:
eth0   (physical outside) == no IP address
eth1   (physical inside)  == no IP address
eth1.0 (virtual inside)   == IP address 10.0.0.1

Then you can have
1: SSHd on the OpenBSD system listen on the 10.0.0.1 address (via eth1.0)
2a: The "pf" firewall/filter will listen on eth0 and eth1 and pass through
what is permitted.
2b: The "pf" firewall/filter will permit in only traffic from the external
IP address (and MAC address?) of the Linux system coming in on eth1.0.

The advantage here is you don't have a third ethernet port into your
private network, but it will be a lot trickier to set up.

I haven't ever worked with OpenBSD and pf, but I have heard people praise
pf's flexibility...

If you do put in the third ethernet port (which is probably the most
straightforward and sane thing to do), you will want to make sure you
define the routing and pf filters so the third ethernet port (eth2) is
extremely restricted.  Hate to have some rogue packets come into your
network via the management interface...

A third option could be setting up a serial console to your other Linux
workstation and just logging in that way. :)

-- 
Daniel Linder
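As an added example that is not part of Daniel's post: a pf.conf for the "third ethernet port" layout, where the bridge members carry no IP address, a separate NIC holds the management address, and the firewall itself only accepts SSH from the Linux/NAT box. Interface names (fxp0/fxp1/fxp2), the 10.0.0.0/24 addressing, and the Linux box's address 10.0.0.2 are all assumptions; the bridge itself is created outside pf with brconfig. Note that pf rules match on IP addresses, not MAC addresses, so the "(and MAC address?)" idea above is not something pf.conf can express by itself.

```pf
# Added example, not from the original post.  Assumed interface names and
# addresses: adjust to the real box.
ext_if     = "fxp0"       # outside bridge member, no IP address
int_if     = "fxp1"       # inside bridge member, no IP address
mgmt_if    = "fxp2"       # dedicated management NIC, carries the only IP
mgmt_ip    = "10.0.0.1"   # address sshd listens on (ListenAddress 10.0.0.1)
linux_box  = "10.0.0.2"   # the Linux/NAT server, the only allowed admin host
ssh_port   = "22"

set block-policy drop     # silently drop, do not reveal the firewall with RSTs
set skip on lo0

# Default deny on every interface; log what gets dropped so surprises show up.
block in  log all
block out log all

# Transparent bridge: LAN-originated traffic may go out and its replies come
# back through the state entry.  Nothing unsolicited enters on the outside
# member because of the default block above.
pass in  quick on $int_if keep state
pass out quick on $ext_if keep state

# Management NIC: accept only SSH from the Linux box to the management IP,
# SYN-only so a stray ACK scan cannot create state.
pass in  quick on $mgmt_if proto tcp from $linux_box to $mgmt_ip \
         port $ssh_port flags S/SA keep state

# Nothing is ever forwarded out of the management NIC toward the switch;
# the firewall is the only host that may speak on it, and only as the
# reply half of the SSH state above (pf matches replies to the existing
# state before it consults this rule).
block out quick on $mgmt_if
```

To check the rule set without a bridge in front of you, `pfctl -nf /etc/pf.conf` parses it, and `pfctl -sr` after loading shows the expanded rules; `pfctl -ss` while an SSH session is up should show exactly one state on fxp2, which is the quickest way to confirm nothing else is sneaking in through the management port.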


