DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 28th June 2019
plukimi plukimi is offline
New User
 
Join Date: Jun 2019
Posts: 4
Default Dual firewalls inside PF?

Hi, I am a newbie in OpenBSB and learning to use OPENBSD 6.5. I have NUC6CAYH box with ax88179 USB 3.0 to Ethernet for setting up a secure gateway for my household.

I am wondering if it is possible to have two separated firewalls inside single NUC6CAYH box? I mean one firewall to control NIC traffic that connected to modem box; and other firewall to control ax88179 USB 3.0 to Ethernet traffic that connect to wireless router box by using the separate rulesets and tables inside PF. In between firewalls I will setup Privoxy (web content filtering) server and maybe IDPS if there are enough CPU & memory juices inside NUC6CAYH box to protect my young children on the internet including prevent the data leakages into internet.

Please advise, thank you.
Reply With Quote
  #2   (View Single Post)  
Old 28th June 2019
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 628
Default

You probably don't need two firewalls. Rules may be applied per network interface. If you really going to do something advanced you may use multiple rtables/rdomains, but probably it is not necessary.

Privoxy is currently less useful than it used to be, because of secure connections (HTTPS) and HTTP/2 protocol. Maybe try DNS-based blocklists?
https://www.privoxy.org/faq/misc.html#SSL
https://www.privoxy.org/faq/misc.html#HTTP2
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
  #3   (View Single Post)  
Old 28th June 2019
plukimi plukimi is offline
New User
 
Join Date: Jun 2019
Posts: 4
Default

Hi E1-531g,

Thank you for your quick response. I will have a go with a single firewall as you have suggested. Then may add the second firewall later to see how it goes. In my original plan for having two controlled firewalls because the most common static ports 25, 53, 80, 110, 443, 445, etc. are always opened to allow malware software attack for any unauthorised data leaks, botnets, backdoor access, etc. for sending back to bad guys or even rouge spooks/hackers who knows. That is why I was thinking a firewall to control ax88179 USB 3.0 to Ethernet traffic to wireless router box could close all these static ports in firewall’s end and use proxy’s customised port numbers. Firewall to control NIC traffic that connected to modem box may open these ports through the firewall’s filtered known IP addresses to support Privoxy and email gateway. Hope this make more sense. :-)

If Privoxy becoming less useful, is there any other better web content filtering software tool to support openbsd platform? Just curious thanks.
Reply With Quote
  #4   (View Single Post)  
Old 28th June 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Hello, and welcome!

I have two firewalls, in two separate servers, configured for high availability with carp(4):

{Internet} - [fw1/fw2] - {local networks}

Another multi-firewall topology is to isolate tiers for different services, such as a tier for DMZ servers:

{Internet} - [fw1] - {DMZ servers} - [fw2] - {servers and workstations}

In this latter configuration, the innermost servers would only communicate with the servers in the DMZ - as an example, a database server only permitted to communicate with webservers in the DMZ tier.

---

Edited to add: for a tiered solution, the same physical router can be deployed as the firewall between different tiers, using a single PF ruleset - but only with unique pairs of NICs. VLANs can be deployed when the infrastructure includes an IEEE 802.1Q VLAN-capable switch. "Router-on-a-stick" or "Firewall-on-a-stick" solutions with a single physical NIC and 2, 4, or more vlan(4) NICs become possible.

Last edited by jggimi; 28th June 2019 at 03:15 PM.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Backdoor in NetScreen firewalls gives attackers admin access, VPN decrypt ability. e1-531g News 5 19th December 2015 11:42 AM
FreeBSD PlayStation 4 is FreeBSD inside J65nko News 1 26th June 2013 11:31 PM
Two open source web application firewalls announced J65nko News 0 15th February 2011 12:55 AM
Can anybody recommend a book for learning how to work with OpenBSD firewalls? jepettrey OpenBSD Security 6 24th November 2010 02:28 PM
Couple of network questions (NAT, firewalls) ivanatora FreeBSD General 10 21st July 2008 05:26 PM


All times are GMT. The time now is 03:47 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick