DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 11th January 2015
Peter_APIIT Peter_APIIT is offline
Shell Scout
 
Join Date: Jun 2008
Posts: 121
Default Network Firewall Architecture

Dear All,

I had set up a ADSL connection with the following architecture.

Modem - OpenBSD(NAT + PPPOE) - LAN

Recently, I had subscribe to Coaxial Cable Connection 10 Mbps. I believe the configuration must change due to the internet connection is made at the Cable Modem rather than at OpenBSD box. My Coaxial Cable modem is Motorola surfboard sbg901.

From this website, it does need to set up OpenBSD in bridge mode which I don't like because there is no IP address for network interface which causes no services can start up and bind to the network interface.
Thus, I don't like this network architecture.

Therefore, I'm think need to setup my firewall like this.


Cable Modem (Disable DHCP and Disable WLAN) - OpenBSD(rl0 and rl1) - LAN

Questions:

I don't know whether the NAT is perform on Cable Modem or OpenBSD box.


Please enlighten me on this. Thanks.
Reply With Quote
  #2   (View Single Post)  
Old 11th January 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,972
Default

It appears that the Motorola SBG901 does not have a "bridge" mode. Instead, you would use its "Advanced DMZ Host Page" and configure one device (your OpenBSD router) to manage an internal subnet, per page 49 of its manual. Both the SBG901 and your router would use NAT, but the only device on the SBG901's "customer" Ethernet segment would be your OpenBSD device.
Code:
{Internet} - [SBG901] - {customer Ethernet} - [OpenBSD] - {your managed network}
All the "Advanced DMZ" service appears to do is forward all unsolicited TCP or UDP traffic, so that individual ports do not need to be forwarded.
Reply With Quote
  #3   (View Single Post)  
Old 11th December 2015
Peter_APIIT Peter_APIIT is offline
Shell Scout
 
Join Date: Jun 2008
Posts: 121
Default

Dear jggmi,

Recently, I 'm think of change ISP. Thus, I wonder how this network setup going to work with OpenBSD.

Questions:
There is no dedicated ip assigned to individual.
The connection is dial automatically AFAIK.
How to perform NAT since there is no pppoe interface (External Interface)?

How to achieve packet filtering with OpenBSD?

Last edited by Peter_APIIT; 11th December 2015 at 10:51 AM.
Reply With Quote
  #4   (View Single Post)  
Old 11th December 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,972
Default

When you have a dynamic IP address assigned, subject to change, you use parenthesis symbols: "(" and ")" around the device name or macro representing the device. This represents its currently assigned address or addresses.

Here is an example of a rule that uses parenthesis around a device to represent its currently assigned address, which may change at any time.
Code:
match out on $external_nic from !($external_nic) nat-to ($external_nic)
Please refer to the PF User's Guide chapter on Filtering, which discusses the option in detail and gives more examples of this type of usage. There is additional documentation in the pf.conf(5) man page, also.

Last edited by jggimi; 11th December 2015 at 03:40 PM. Reason: clarity, typos
Reply With Quote
  #5   (View Single Post)  
Old 20th December 2015
mikygee mikygee is offline
Port Guard
 
Join Date: Oct 2011
Posts: 15
Default

Hello,
When you are in bridge mode you can set up an IP address.
Like ifconfig br0
You might try to take a random public address for your Openbsd so that you can reach it from the LAN (of course you won't be able to reach it from the internet)
OpenBSD(rl0 and rl1) - Cable Modem (Disable DHCP and Disable WLAN) - LAN
Reply With Quote
  #6   (View Single Post)  
Old 20th December 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,972
Default

For clarity, an external ISP gateway device (such as a DSL modem) operating in "bridge mode" is different from an OpenBSD bridge(4) interface. To my understanding, OpenBSD bridge(4) interfaces are not applicable to Peter's question.

---

OpenBSD bridge(4) interfaces, when used, are not assigned IP addresses, only member interfaces may be assigned addresses. See the BRIDGE section of the ifconfig(8) man page for provisioning guidance.
Reply With Quote
Reply

Tags
openbsd

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
What is your preference when it come to architecture? Mr-Biscuit Off-Topic 3 5th January 2011 08:09 PM
FreeBSD FreeBSD 8 is getting new routing architecture clone News 0 10th November 2009 06:38 PM
problem with Architecture Selection badguy OpenBSD Packages and Ports 4 11th October 2009 12:51 AM
Vista network issues behind PF Firewall cerulean Other OS 3 10th November 2008 10:36 PM
Alternative Architecture Laptops JMJ_coder General Hardware 6 7th October 2008 05:05 PM


All times are GMT. The time now is 12:27 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick