DaemonForums > OpenBSD > OpenBSD Security

OpenBSD firewall with only one physical NIC

#1, 24th April 2010
idosch (New User; Join Date: Apr 2010; Posts: 3)

Hello,

I would like to setup a firewall which has only one physical NIC using the 'alias' parameter in 'ifconfig'. Are there any security risks using this configuration in comparison to a configuration with two physical NICs?

Thanks in advance, Ido.
#2, 24th April 2010
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,125)

In http://www.daemonforums.org/showthread.php?t=4367 I give an example of a pf ruleset protecting a desktop machine with only one NIC.

To protect a network or multiple machines, you really need 2 NICs, else it won't work.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3, 24th April 2010
idosch (New User; Join Date: Apr 2010; Posts: 3)

The question isn't whether it can be done or not, but whether there is a security risk in doing so.

Why do you say I need two NICs in order to protect a network of multiple machines? I can simply connect the firewall, the modem and the rest of the machines to a switch.
#4, 24th April 2010
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,125)

If something is not possible, it is useless to wonder whether it has security risks.

How are you going to prevent the machines from using the modem directly, and thus bypassing your one-NIC firewall?
#5, 24th April 2010
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,975)

Draw a picture for us, Idosch. Explain how you envision several devices on the same physical subnet can be protected from each other, merely by having yet another device on the same physical subnet running OpenBSD.

All ALIAS does is permit a NIC to respond to an ARP request for multiple addresses. Each alias address -must- be within the subnet, else the gateway router will not even ask. If you changed the gateway's routing table and added a pseudo-subnet that you then "routed" to the OpenBSD platform, how would it then forward packets on? NAT? You'll need to draw this out, and describe both layer 2 frames (Ethernet) as well as layer 3 (IP). Doing that exercise will tell you whether or not this will work, or will give you more specific questions to ask.
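The point made in replies #4 and #5, worked through as an added example (this is not code from the thread, from the poster or from OpenBSD): a sending host only hands a packet to its gateway when the destination lies outside its own subnet, so on a single switch with one shared subnet the one-NIC box only sees what the other machines choose to route through it. The topology, addresses and the alias address are constructed for the illustration.

```python
import ipaddress

# Constructed topology for the thread's scenario: every device hangs off one
# switch, so they all share a single IP subnet and one broadcast domain.
LAN = ipaddress.ip_network("192.168.1.0/24")
FIREWALL = "192.168.1.1"        # the OpenBSD box with its single NIC
FIREWALL_ALIAS = "192.168.1.2"  # a second address added with 'ifconfig ... alias'
MODEM = "192.168.1.254"         # the upstream modem/router
HOST = "192.168.1.10"           # an ordinary LAN machine
INTERNET_HOST = "203.0.113.7"   # some remote address (documentation range)


def next_hop(dst, network, default_gw):
    """Host-side forwarding decision (the layer-3 half of jggimi's exercise).

    If the destination is inside the sender's own subnet, the sender ARPs for
    it and delivers the Ethernet frame straight to that MAC address; only an
    off-subnet destination is handed to the default gateway.
    Returns (mode, ip_of_next_hop)."""
    if ipaddress.ip_address(dst) in network:
        return ("direct", dst)
    return ("gateway", default_gw)


def passes_through_firewall(dst, network, default_gw):
    """True only when the one-NIC box is the layer-3 next hop for the packet,
    which is the only case in which pf on that box can see and filter it."""
    mode, hop = next_hop(dst, network, default_gw)
    return mode == "gateway" and hop in (FIREWALL, FIREWALL_ALIAS)


def thread_scenarios():
    """The cases raised in the thread, keyed by scenario name."""
    return {
        # host -> modem: same subnet, frame goes straight to the modem's MAC
        "host_to_modem": passes_through_firewall(MODEM, LAN, FIREWALL),
        # host -> alias address: same subnet, so no forwarding is involved
        "host_to_alias": passes_through_firewall(FIREWALL_ALIAS, LAN, FIREWALL),
        # host -> Internet with the firewall as its default gateway: pf sees it
        "internet_via_firewall": passes_through_firewall(INTERNET_HOST, LAN, FIREWALL),
        # the same host after pointing its default route at the modem instead
        "internet_via_modem": passes_through_firewall(INTERNET_HOST, LAN, MODEM),
    }


if __name__ == "__main__":
    for name, seen_by_pf in thread_scenarios().items():
        print(f"{name}: {'filtered' if seen_by_pf else 'bypasses the firewall'}")
```

Only the one scenario where the host voluntarily routes via the firewall is filtered; nothing on the firewall itself can force the other three through it, which is why two NICs are needed to sit in the path.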
#6, 25th April 2010
idosch (New User; Join Date: Apr 2010; Posts: 3)

I see. I'll probably buy an RJ45 to USB adapter in order to overcome this problem.

Thanks for the answers, Ido.