[olug] Home network, firewall, vpn design..

Nathan D. Rotschafer nrotschafer at geniussystems.net
Wed Feb 18 04:40:58 UTC 2004


One thing to consider is the amount of traffic you will be passing.  I highly
recommend PCI NICs.  That cable would provide the ability for someone to get
into your internal network with some trickery.  If that risk is acceptably
low then do it.  If not then just use a KVM or manage through a serial cable
(available on linux now).

Nate

-----Original Message-----
From: olug-bounces at olug.org [mailto:olug-bounces at olug.org] On Behalf Of Ken
Sent: Tuesday, February 17, 2004 8:39 PM
To: Omaha Linux User Group
Subject: Re: [olug] Home network, firewall, vpn design..

Phil Brutsche wrote:
> Ken wrote:
> 
>> My primary objective with the OpenBSD firewall was to be "cheap & 
>> secure" and make use of the P100.  Obviously the P100 would make a 
>> pretty crappy VPN server so I had wanted to use the resources on the 
>> internal Linux server for that without directly exposing it to the 
>> internet.
> 
> 
> Don't underestimate how fast one of those things can be.  PIX-501s are 
> actually about the same CPU speed, and the PC has a better PCI bus and 
> memory subsystem.
> 
>> So, in light of that I have one other idea..  I've been doing some 
>> reading on using OpenBSD/pf as a Transparent Packet Filter with no NAT 
>> or IP address: http://ezine.daemonnews.org/200207/transpfobsd.html
> 
> 
> [...]
> 
>> So, trying again, does anyone have any thoughts on this?  I've never 
>> tried running a transparent packet filter but have to admit it seems 
>> rather enticing (and cool).  I'd be especially curious to know if 
>> anyone could still see a potential conflict with the VPN..
> 
> 
> As long as you configure the pf rules right it won't make much of a 
> difference.  You just need to make sure you let through UDP 500 (for IKE 
> key exchange) and IP protocols 50 and 51.
> 

Thanks, Phil.  While I'm at it, I just had one more thought/question: 
Could I add the ability to remotely manage the transparent pf using a 
3rd interface (NIC) attached to my internal switch such as:

Internet
     |
     |
  (no ip)
OpenBSD pf (ip/ssh)-<-
  (no ip)              |
     |                 |
     |                 |
Linux/NAT Server      |
     |                 |
     |                 |
  Switch --->----->----
     |
     |
    LAN

Can you see any potential issues with this?  It would seem to me this 
would allow remote management without much security compromise since an 
attacker would need to pass through the firewall and into the internal 
network prior to being able to connect to the interface with an internal 
ip..

Thanks,
Ken
_______________________________________________
OLUG mailing list
OLUG at olug.org
http://lists.olug.org/mailman/listinfo/olug
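As an added illustration of the two points raised in this thread (Phil's note that the transparent filter must pass UDP 500, ESP and AH to the Linux VPN box, and Nate's caveat that the management NIC is a path from the LAN into the firewall), here is a pf.conf for the layout in Ken's diagram. This is example configuration written for this archive page, not a file posted by anyone on the list. Interface names (fxp0/fxp1/fxp2), the LAN subnet, the management address and the public address of the Linux server are all assumptions; adjust them to the real hardware.

```pf
# Added example pf.conf: transparent bridge (no IP on the bridge members)
# with a third, addressed NIC used only for SSH management from the LAN.
# All names and addresses below are assumptions, not values from the thread.

ext_if     = "fxp0"             # faces the Internet, no IP address
int_if     = "fxp1"             # faces the Linux/NAT server, no IP address
mgmt_if    = "fxp2"             # management NIC plugged into the internal switch
mgmt_ip    = "192.168.1.2"      # assumed address on the management NIC
lan_net    = "192.168.1.0/24"   # assumed internal LAN behind the Linux NAT box
nat_server = "203.0.113.10"     # assumed public IP of the Linux VPN/NAT server

# Default deny on every interface, log what is dropped so mistakes show up
# in pflog instead of silently breaking the VPN.
block log all

# Filter only on the external bridge member; let the inner member pass
# everything so each packet is evaluated exactly once as it crosses the bridge.
pass quick on $int_if all

# IPsec to the Linux server: IKE on UDP 500, then ESP (protocol 50) and
# AH (protocol 51).  ESP/AH are not TCP/UDP, so they are passed explicitly
# in both directions rather than relying on state created by the IKE rule.
pass in  on $ext_if proto udp from any to $nat_server port 500 keep state
pass out on $ext_if proto udp from $nat_server to any port 500 keep state
pass in  on $ext_if proto { esp, ah } from any to $nat_server
pass out on $ext_if proto { esp, ah } from $nat_server to any

# Whatever the Linux NAT box initiates outbound is allowed back in by state.
pass out on $ext_if proto { tcp, udp, icmp } from $nat_server to any keep state

# Management NIC: only SSH, only from the LAN, only to the management address.
# Anything else arriving or leaving on this NIC is dropped by "block log all",
# which is what keeps the cable Nate warned about from becoming a shortcut
# around the bridge.
antispoof quick for $mgmt_if inet
pass in  on $mgmt_if proto tcp from $lan_net to $mgmt_ip port 22 \
    flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then `pfctl -f /etc/pf.conf`; `pfctl -s rules` confirms what is actually in effect, and watching `pflog0` with tcpdump while bringing the VPN up will show immediately whether a protocol-50/51 or UDP-500 packet is being dropped. Note that the bridge members never get an address, so the only thing on the firewall that can be addressed at all is $mgmt_ip, and only from inside the LAN on port 22.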