Date: Mon, 9 Dec 2002 13:17:15 -0600
From: Eric Timme <timothy@voidnet.com>
To: freebsd-security@freebsd.org
Subject: gateway security?
Message-ID: <200212091317.15077.timothy@voidnet.com>

Hi everyone,

I was wondering if someone could point me in the direction of some discussions of general security in a LAN environment with a FreeBSD machine doing NAT/firewalling? I haven't had a ton of luck browsing the archives and finding any discussions. I've read over the general primer, but would like to read about some actual deployment of security when your headless gateway sits in a dark closet, accumulating dust.

Currently I have a pretty restrictive set of firewall rules in place, allowing only http and ssh traffic from the outside, and I require DES public/private keys for ssh access. There is a single user account on the gateway, and root logins are disallowed from all but console. The gateway is doing a single NFS export of my public_html directory for easy access from an internal FreeBSD gateway.

As for current security, it is a little lacking, but I am planning to wipe and reinstall now that winter break affords me some freedom from schoolwork. I have the following settings in my partitioning scheme (ad0 is 1.5 gig, and with this partitioning scheme I just barely fit, and use ad1 for additional space), and use secure level 2 for daily operations.

/dev/ad0s1a   /                               rw,nosuid
/dev/ad0s1e   /tmp                            rw,noexec,nosuid
/dev/ad0s1g   /usr                            ro
/dev/ad1s1e   /usr/obj                        ro
/dev/ad0s1d   /usr/home                       rw,noexec,nosuid
/dev/ad1s2e   /usr/home/timothy/public_html   rw,nosuid
/dev/ad0s1h   /usr/local                      ro,nosuid
/dev/ad0s1f   /var                            rw,noexec,nosuid

I've been using snort with a remote acid installation with alright success, but it has never quite worked right, and am considering junking it, simply because I don't see a lot of other people using it, and it has only been of marginal success, spending more time picking up proxy scans from IRC and false positives than anything else.

I'm planning to deploy aide with a write protected diskette, but would like some advice as to other products to look into; I don't access the machine regularly, aside from the NFS mount of my public_html directory, so would like to find something that could email me status updates daily, or bi-daily, ala the daily messages, which I currently forward to myself, to help reassure me nobody is poking around in it.

Thanks for any pointers you can give me.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
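
The mount table in the message above can be checked mechanically for filesystems that are writable yet still allow execution or setuid binaries. The following is an added example, not part of the original message: the policy (every writable mount should carry both `nosuid` and `noexec`, with `/` exempt from `noexec`) and the names `audit`, `parse_mounts` and `EXEC_REQUIRED` are assumptions made for illustration.

```python
# Added example: audit a mount table for writable filesystems that still
# permit exec or setuid. Policy and names are illustrative assumptions.

# Mount table as given in the message: device, mount point, options.
MOUNTS = """\
/dev/ad0s1a   /                               rw,nosuid
/dev/ad0s1e   /tmp                            rw,noexec,nosuid
/dev/ad0s1g   /usr                            ro
/dev/ad1s1e   /usr/obj                        ro
/dev/ad0s1d   /usr/home                       rw,noexec,nosuid
/dev/ad1s2e   /usr/home/timothy/public_html   rw,nosuid
/dev/ad0s1h   /usr/local                      ro,nosuid
/dev/ad0s1f   /var                            rw,noexec,nosuid
"""

# Assumption: the root filesystem holds /bin and /sbin, so it must allow exec.
EXEC_REQUIRED = {"/"}


def parse_mounts(text):
    """Yield (device, mountpoint, option_set) for each non-comment line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        device, mountpoint, options = fields
        yield device, mountpoint, set(options.split(","))


def audit(text, exec_required=EXEC_REQUIRED):
    """Return {mountpoint: [findings]} for writable mounts missing a restriction."""
    findings = {}
    for _device, mountpoint, opts in parse_mounts(text):
        if "ro" in opts:
            continue  # read-only: files cannot be added while it stays mounted ro
        problems = []
        if "nosuid" not in opts:
            problems.append("writable without nosuid")
        if "noexec" not in opts and mountpoint not in exec_required:
            problems.append("writable without noexec")
        if problems:
            findings[mountpoint] = problems
    return findings


if __name__ == "__main__":
    for mountpoint, problems in audit(MOUNTS).items():
        print(f"{mountpoint}: {', '.join(problems)}")
```

Under this assumed policy the only mount reported is the NFS-exported `public_html`, which is writable and lacks `noexec`.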