DaemonForums  

OpenBSD Security Functionally paranoid!

#1
3rd January 2011
unixjingleman (Fdisk Soldier; Join Date: Jan 2011; Posts: 70)
dmz and firewall questions

Hi there
I'm totally new to OpenBSD. I do have 2 years UNIX experience via Linux. I'm currently wanting to set up a network with 2 servers in a DMZ in order to separate them from an internal network. I want to use an OpenBSD dedicated firewall. This firewall will have 3 network interfaces on it. One network interface will connect to the external router/modem (router and modem in one box), one interface will connect to the DMZ and the other interface will connect to the internal network. The router/modem lets you put, I think it's 1 or 2, interfaces in a DMZ. But, when I think of any of the dedicated firewall's or servers' interfaces, it doesn't make sense to me to put any of them in the router/modem's DMZ (I think it would be better for the dedicated firewall's and the servers' interfaces to have static private IPs, i.e. 192.168.2.4 etc., right?). What I mean is that even if, as far as the router/modem is concerned, none of the interfaces were in a DMZ, the area where the servers are would still effectively be a perimeter network, and with such a setup would still be, effectively, a DMZ, right? If I should put any of these interfaces in this DMZ, please let me know which one.
Thank you for your time. This is really not a joke; I am in fact still a UNIX n00b.
Regards, Unixjingleman
#2
3rd January 2011
ocicat (Administrator; Join Date: Apr 2008; Posts: 3,318)

Quote (Originally Posted by unixjingleman):
But, when I think of any of the dedicated firewall's or servers' interfaces, it doesn't make sense to me to put any of them in the router/modem's DMZ (I think it would be better for the dedicated firewall's and the servers' interfaces to have static private IPs, i.e. 192.168.2.4 etc., right?).
I can only assume that you are getting some dynamic DHCP address assigned from your provider. That's fine. The external interface on your firewall can be configured for dynamic addresses.

Otherwise, you are correct. A firewall must be configured with different subnets on the different interfaces. The interface used for your private network can use private addresses. You have the choice of either setting up each internal host with static IP addresses on their interfaces, or you can configure a DHCP server within your internal network to assign dynamic addresses.

As a newcomer to OpenBSD & pf(4), you will save yourself significant time & aggravation by studying the official FAQ including the PF User's Guide along with the pf(4) manpage. The only third-party introduction to pf(4) worth the time to study is Hansteen's manuscript:

http://home.nuug.no/~peter/pf/
#3
3rd January 2011
unixjingleman (Fdisk Soldier; Join Date: Jan 2011; Posts: 70)

Thank you very much for your reply. So the dedicated firewall (OpenBSD box) can do NAT and DHCP for the servers (in the DMZ) and the hosts on the internal network? So should I put the interface that connects the OpenBSD dedicated firewall to the external router/modem (router and modem in one) in the DMZ of the external router/modem? Then the servers in the DMZ of the dedicated firewall (OpenBSD box)?
#4
3rd January 2011
ocicat (Administrator; Join Date: Apr 2008; Posts: 3,318)

Quote (Originally Posted by unixjingleman):
So the dedicated firewall (OpenBSD box) can do NAT and DHCP for the servers (in the DMZ) and the hosts on the internal network?
Yes, however, there is an advantage to separating functionality (firewall & DHCP) if you have the hardware.
Quote:
So should I put the interface that connects the OpenBSD dedicated firewall to the external router/modem (router and modem in one) in the DMZ of the external router/modem?
Your modem/router was designed to be used as a single device serving multiple functions. By inserting another box running OpenBSD & pf(4), you are deprecating the firewall functionality of your modem/router. As such, I would connect the OpenBSD firewall's external address to the modem/router's internal DMZ interface.
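An added pf.conf sketch of the three-interface layout ocicat describes (this is not from the thread or from any participant): the modem/router hands its whole DMZ stream to the OpenBSD box, which does NAT and DHCP for both private segments and admits only web traffic to one DMZ host. Interface names, both subnets and the web server address are assumptions, and the syntax is the OpenBSD 4.7+ form (match ... nat-to, rdr-to).

```pf
# Added example, not the thread's own config. Names/addresses are assumed.
ext_if = "em0"              # to the modem/router; address from its DHCP
dmz_if = "em1"              # DMZ segment holding the two servers
int_if = "em2"              # internal (trusted) network

dmz_net = "192.168.1.0/24"  # assumed DMZ subnet
int_net = "192.168.2.0/24"  # assumed internal subnet (thread's 192.168.2.x)
web_srv = "192.168.1.10"    # assumed DMZ web server

set skip on lo
block return log all        # default deny, logged, on every interface
antispoof quick for { $dmz_if $int_if }

# Policy is enforced on the inbound side; once admitted, traffic may leave
pass out on { $ext_if $dmz_if $int_if }

# Both private subnets share the external address (NAT)
match out on $ext_if inet from { $dmz_net $int_net } nat-to ($ext_if)

# The firewall itself runs dhcpd(8) on the DMZ and internal segments
pass in on { $dmz_if $int_if } inet proto udp from any port 68 to any port 67

# Internal hosts: Internet and DMZ services, plus ssh to the firewall
pass in on $int_if inet from $int_net to any
pass in on $int_if inet proto tcp from $int_net to ($int_if) port 22

# DMZ servers: outbound only, and never into the internal network
# (the "! $int_net" keeps a compromised DMZ host off the trusted segment)
pass in on $dmz_if inet from $dmz_net to ! $int_net

# Public web service: redirect only 80/443 from the external address to
# the DMZ web server; everything else arriving from the modem/router is dropped
pass in on $ext_if inet proto tcp to ($ext_if) port { 80 443 } rdr-to $web_srv
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm the DMZ-to-internal block with `tcpdump -n -e -ttt -i pflog0` while a DMZ host tries to reach 192.168.2.x.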