[olug] Home network, firewall, vpn design..

Ken emptymm at cox.net
Wed Feb 18 04:46:22 UTC 2004


Daniel Linder wrote:
> Ken said:
> 
> 
>>Thanks, Phil.  While I'm at it, I just had one more thought/question:
>>Could I add the ability to remotely manage the transparent pf using a
>>3rd interface (NIC) attached to my internal switch such as:
>>
>>Internet
>>     |
>>     |
>>  (no ip)
>>OpenBSD pf (ip/ssh)-<-
>>  (no ip)              |
>>     |                 |
>>Linux/NAT Server       |
>>     |                 |
>>  Switch --->----->----
>>     |
>>    LAN
>>
>>Can you see any potential issues with this?  It would seem to me this
>>would allow remote management without much security compromise since an
>>attacker would need to pass through the firewall and into the internal
>>network prior to being able to connect to the interface with an internal
>>ip..
> 
> 
> I don't know if there are any limitations that would cause this to not
> work, but can you have the inside interface of the OpenBSD system that has
> an IP address to listen only for traffic coming from the Linux/NAT server
> going "to" that address on a predefined port?
> 
> Something like this:
> eth0   (physical outside) == no IP address
> eth1   (physical inside)  == no IP address
> eth1.0 (virtual inside)   == IP address 10.0.0.1
> 

Aside from the fact I would probably cry before getting the config for 
the virtual IP and pf working right, I can't see why it's not possible.

> Then you can have
> 1: SSHd on the OpenBSD system listen on the 10.0.0.1 address (via eth1.0)
> 2a: The "pf" firewall/filter will listen on eth0 and eth1 and pass through
> what is permitted.
> 2b: The "pf" firewall/filter will permit in only traffic from the external
> IP address (and MAC address?) of the Linux system coming in on eth1.0.
> 
> The advantage here is you don't have a third ethernet port into your
> private network, but it will be a lot trickier to set up.
> 
> I haven't ever worked with OpenBSD and pf, but I have heard people praise
> pf's flexibility...
> 
> If you do put in the third ethernet port (which is probably the most
> straight forward and sane thing to do), you will want to make sure you
> define the routing and pf filters so the third ethernet port (eth2) is
> extremely restricted.  Hate to have some rogue packets come into your
> network via the management interface...

I was thinking a combination of assigning the management (ip'd) 
interface an internal (non-routable) address in conjunction with some 
tcpwrapper restrictions would keep this pretty secure.  Unless I'm 
missing something, someone would have to penetrate the Linux/NAT server 
behind the firewall before gaining entrance to the LAN and being able to 
communicate with the firewall mgmt interface.  If they get that far, 
then hosing the firewall is the least of my concerns.

> 
> A third option could be setting up a serial console to your other Linux
> workstation and just logging in that way. :)
> 
This would be KISS but then what _fun_ would that be?  Plus I do travel 
a fair amount so remote admin would be good thing and the P100 is loud 
so I'd like to keep it stuffed in the basement shop.

Thanks,
Ken
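As an added illustration of the three-NIC layout Ken sketched (this is example configuration, not something posted in the thread), the pf.conf below puts the two bridge members (no IP) under a stateful filter and confines the third, management NIC to SSH from the Linux/NAT server's LAN address only. Interface names, the 192.168.1.x addresses and the NAT server's public address are assumptions and placeholders.

```pf
# Added example (not from this thread): pf.conf for a transparent bridge
# firewall with a separate management NIC. Interface names, addresses and
# the NAT server's public address are assumptions/placeholders.
ext_if  = "fxp0"          # bridge member facing the Internet, no IP
int_if  = "fxp1"          # bridge member facing the Linux/NAT server, no IP
mgmt_if = "fxp2"          # third NIC on the internal switch; carries the only IP
mgmt_ip = "192.168.1.2"   # assumed management address (non-routable)
nat_box = "192.168.1.1"   # assumed LAN-side address of the Linux/NAT server
nat_pub = "203.0.113.10"  # placeholder for the NAT server's public address

# Filter bridged traffic once, on the outside member; skip the inside member
# and loopback so each packet is evaluated on a single interface.
set skip on { lo0 $int_if }

# Default deny everywhere; log what gets dropped on the management NIC.
block all
block log on $mgmt_if all

# Bridge side: the NAT server may open connections outward; the state
# entry lets only the replies back in. Nothing unsolicited from the Internet.
pass out quick on $ext_if inet proto tcp from $nat_pub flags S/SA keep state
pass out quick on $ext_if inet proto { udp icmp } from $nat_pub keep state

# Management NIC: only SSH, only from the NAT server's LAN address, only to
# the management IP itself. Replies to the session ride the state entry.
antispoof for $mgmt_if inet
pass in on $mgmt_if inet proto tcp from $nat_box to $mgmt_ip port ssh \
        flags S/SA keep state
```

The tcpwrapper layer Ken mentions sits behind this: bind sshd to the management address only (`ListenAddress 192.168.1.2` in sshd_config) and pair `sshd: 192.168.1.1` in /etc/hosts.allow with `ALL: ALL` in /etc/hosts.deny, so a rule slip in pf still does not expose the daemon to the rest of the LAN. pf's syntax has shifted across OpenBSD releases since this thread (for instance `keep state` is now the default), so check the file with `pfctl -nf /etc/pf.conf` on the release actually installed before loading it; the bridge itself is created separately with the system's bridge configuration tool.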

