prove need for a firewall
Hello,
I want to prove the need for a firewall. I'm trying a test:

((SimpleModemRouteurWifi ST780WL))----fxp0---|OpenBSD 4.6|

The SpeedTouch Thomson ST780WL (192.168.1.254): 4 ports (switch), no open ports, so no services used on the LAN. The OpenBSD machine has only one network card (192.168.1.250). Another machine (wifi connection: 192.168.1.64).

My pf.conf:
Code:
set skip on lo
block in log on egress

To see what is happening, I'm doing:
Code:
tcpdump -nettti pflog0

I'm waiting...
Last edited by Simon; 10th February 2010 at 12:35 PM. Reason: more precisions
logs
I can see only ports: 53, igmp... nothing else...
The Speedtouch probably has a built-in firewall. That is why you don't see that much.
If you want to see a lot you have to change
Code:
block in log on egress
to
Code:
block log all
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Conclusion
The Speedtouch has no port forwarding activated.
The computers on the LAN have just an Internet connection (out). They use mail and web surfing. Their mail server is their ISP's smtp.orange.fr. And of course, this model has a small firewall integrated, like Linksys and Netgear do. So my conclusion: if a company has a configuration like that, the use of an OpenBSD box (pf) is not very important. What do you think about that? Perhaps I made a stupid remark, correct me! ;-)
Last edited by Simon; 10th February 2010 at 07:10 PM. Reason: more precisions
A reason for still using an OpenBSD firewall is that it can enforce the policy that mail has to go through the smtp.orange.fr server.
Code:
# INT is the LAN-facing interface; the name is assumed from the diagram in the first post
INT = "fxp0"

block log all
pass out quick on egress inet proto tcp from $INT:network \
    to smtp.orange.fr port smtp

On my home OBSD firewall I also run a caching and authoritative nameserver. That saves some Internet traffic. A small company also could benefit from running Squid, a caching proxy for www and ftp. But that would better be run on a separate machine. A separate firewall also could enforce the "internet usage policy". For example no eBay, Facebook or Twitter during working hours, only during lunch time. The firewall in the Speedtouch is nice to have for protection. But if you want to know exactly what kind of traffic is going out from your LAN to the Internet, a dedicated firewall has a lot of advantages.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
As you have "proved" through your test -- NAT alone provides some firewall-like capabilities, all by itself.
But NAT does not provide traffic shaping, traffic overload protection, program controlled redirection, or any of the other myriad capabilities of a program controlled router that acts as a firewall. If none of those advanced capabilities are of value to you, then using OpenBSD as a firewalling router might not be of value to you. But in your test, OpenBSD was an end-use computer, not a router. You were merely proving to yourself that NAT acts as a limited capability firewall. You were testing your NAT router, not OpenBSD, and your test was not evaluating OpenBSD at all. |
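Putting the two previous replies together (the rule that forces mail through the ISP relay, and the observation that the test box was an end host rather than a router), here is an added example ruleset written for this thread; it is not taken from any post. It is an OpenBSD 4.6-style pf.conf for a box with two NICs that does the NAT itself and lets the LAN out only for DNS, web and mail to smtp.orange.fr, logging everything else. The interface names fxp0/fxp1, the DNS server address and the blocked-site table are assumptions.

```pf
# Added example, not from the thread: OpenBSD 4.6-era pf.conf for a two-NIC
# router that enforces the egress policy discussed above.
ext_if    = "fxp0"             # assumed: faces the Speedtouch / Internet
int_if    = "fxp1"             # assumed: faces the LAN
isp_smtp  = "smtp.orange.fr"   # the ISP relay named in the thread
dns_srv   = "192.168.1.254"    # assumed: the Speedtouch forwards DNS
web_ports = "{ www, https }"

# Sites the "internet usage policy" blocks during working hours. pf has no
# clock, so cron fills and flushes this table, e.g.:
#   pfctl -t usage_blocked -T replace -f /etc/pf.usage_blocked   (start of work)
#   pfctl -t usage_blocked -T flush                               (lunch, evening)
table <usage_blocked> persist

set skip on lo
set loginterface $ext_if

# 4.6 syntax: NAT is a separate translation rule (match ... nat-to came in 4.7)
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny; every dropped packet shows up on pflog0 for tcpdump
block log all

# Policy-blocked sites are rejected first, so the log records the attempts
block return in log quick on $int_if from $int_if:network to <usage_blocked>

# LAN may resolve names, browse the web, and send mail ONLY via the ISP relay
pass in  on $int_if inet proto { tcp, udp } from $int_if:network to $dns_srv port domain
pass in  on $int_if inet proto tcp from $int_if:network to any port $web_ports
pass in  on $int_if inet proto tcp from $int_if:network to $isp_smtp port smtp

# The same three flows leaving the external interface (source is the firewall after NAT)
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to $dns_srv port domain
pass out on $ext_if inet proto tcp from ($ext_if) to any port $web_ports
pass out on $ext_if inet proto tcp from ($ext_if) to $isp_smtp port smtp

# Nothing else: a workstation that tries to deliver mail directly on port 25
# (typical of spam-sending malware) is logged and dropped by "block log all"
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; afterwards the same `tcpdump -nettti pflog0` from the first post shows exactly which LAN traffic the policy is stopping, which is the visibility the Speedtouch's built-in firewall cannot give.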
reasons
Hi
*I attached a small image to represent what I did. I did this test to see, in a network without a firewall (for example our famous OpenBSD), what is coming from "egress"? That's all. To see that, I just took a machine with one NIC, an OpenBSD system, and a simple pf ruleset. After that, a tcpdump to see what happens on entry. My conclusion is that for a home user, or a small company (who doesn't need "Internet filtering use" and has no service to provide), implementing an OpenBSD box is not vital.