Date:      Mon, 9 Dec 2002 13:17:15 -0600
From:      Eric Timme <timothy@voidnet.com>
To:        freebsd-security@freebsd.org
Subject:   gateway security?
Message-ID:  <200212091317.15077.timothy@voidnet.com>

Hi everyone, I was wondering if someone could point me in the direction of 
some discussions of general security in a LAN environment with a FreeBSD 
machine doing NAT/firewalling?  I haven't had a ton of luck browsing the 
archives and finding any discussions.  I've read over the general primer, but 
would like to read about some actual deployment of security when your 
headless gateway sits in a dark closet, accumulating dust.

Currently I have a pretty restrictive set of firewall rules in place, allowing 
only http and ssh traffic from the outside, and I require DES public/private 
keys for ssh access.  There is a single user account on the gateway, and root 
logins are disallowed from all but console.  The gateway is doing a single 
NFS export of my public_html directory for easy access from an internal 
FreeBSD gateway.

As for current security, it is a little lacking, but I am planning to wipe and 
reinstall now that winter break affords me some freedom from schoolwork.  I 
have the following settings in my partitioning scheme (ad0 is 1.5 gig, and 
with this partitioning scheme I just barely fit, and use ad1 for additional 
space), and use securelevel 2 for daily operations.

/dev/ad0s1a     /                                rw,nosuid
/dev/ad0s1e     /tmp                             rw,noexec,nosuid
/dev/ad0s1g     /usr                             ro
/dev/ad1s1e     /usr/obj                         ro
/dev/ad0s1d     /usr/home                        rw,noexec,nosuid
/dev/ad1s2e     /usr/home/timothy/public_html    rw,nosuid
/dev/ad0s1h     /usr/local                       ro,nosuid
/dev/ad0s1f     /var                             rw,noexec,nosuid

I've been using snort with a remote ACID installation with alright success, 
but it has never quite worked right, and I am considering junking it, simply 
because I don't see a lot of other people using it, and it has only been of 
marginal success, spending more time picking up proxy scans from IRC and 
false positives than anything else.

I'm planning to deploy aide with a write protected diskette, but would like 
some advice as to other products to look into; I don't access the machine 
regularly, aside from the NFS mount of my public_html directory, so I would 
like to find something that could email me status updates daily or bi-daily, 
à la the daily messages (which I currently forward to myself), to help 
reassure me nobody is poking around in it.

Thanks for any pointers you can give me.

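One way to get the daily status mail the post asks for, as an added example that is not part of the original message and is not AIDE: a small POSIX sh script that builds a SHA-256 baseline of a directory tree and, on later runs, reports every added, removed or modified file, with an exit status cron can act on. It records only content hashes (AIDE also tracks mode, owner, mtime and inode), uses sha256(1) on FreeBSD and sha256sum elsewhere, and the script name fimcheck and the baseline paths in the usage note are assumptions.

```shell
#!/bin/sh
# fimcheck: minimal file-integrity baseline/check for a rarely visited gateway.
# Added example, not from the original post and not AIDE. It records only a
# SHA-256 of each regular file (AIDE also tracks mode, owner, mtime, inode).
# Paths containing newlines are not handled.
set -u
export LC_ALL=C     # byte-wise collation so sort, comm and cut agree on every host

# Print the SHA-256 of one file: sha256(1) on FreeBSD, sha256sum on GNU systems.
hash_file() {
  if command -v sha256 >/dev/null 2>&1; then
    sha256 -q "$1"
  else
    sha256sum "$1" | cut -d' ' -f1
  fi
}

# build_baseline DIR OUT: write one "hash  path" line per regular file under DIR.
build_baseline() {
  find "$1" -type f | sort | while IFS= read -r f; do
    printf '%s  %s\n' "$(hash_file "$f")" "$f"
  done > "$2"
}

# check_baseline DIR BASELINE: rescan DIR and print a MODIFIED/REMOVED/ADDED
# line for every difference from BASELINE. Returns 0 if clean, 1 if anything
# changed, 2 if the scratch directory could not be created.
check_baseline() {
  cb_tmp=$(mktemp -d "${TMPDIR:-/tmp}/fim.XXXXXX") || return 2
  build_baseline "$1" "$cb_tmp/cur"
  sort "$2"          > "$cb_tmp/bs"                    # baseline, full lines
  sort "$cb_tmp/cur" > "$cb_tmp/cs"                    # current scan, full lines
  cut -d' ' -f3- "$2"          | sort > "$cb_tmp/bp"   # baseline paths only
  cut -d' ' -f3- "$cb_tmp/cur" | sort > "$cb_tmp/cp"   # current paths only
  # Baseline lines that no longer match: the path vanished or its hash changed.
  comm -23 "$cb_tmp/bs" "$cb_tmp/cs" | cut -d' ' -f3- | sort > "$cb_tmp/gone"
  {
    comm -12 "$cb_tmp/gone" "$cb_tmp/cp" | sed 's/^/MODIFIED /'   # still present, new hash
    comm -23 "$cb_tmp/gone" "$cb_tmp/cp" | sed 's/^/REMOVED  /'   # no longer present
    comm -13 "$cb_tmp/bp"   "$cb_tmp/cp" | sed 's/^/ADDED    /'   # not in the baseline
  } > "$cb_tmp/report"
  cat "$cb_tmp/report"
  if [ -s "$cb_tmp/report" ]; then cb_rc=1; else cb_rc=0; fi
  rm -rf "$cb_tmp"
  return $cb_rc
}

# Command-line entry point; does nothing when the file is sourced without arguments.
case "${1:-}" in
  baseline) build_baseline "$2" "$3" ;;
  check)    check_baseline "$2" "$3" ;;
  '')       ;;
  *)        echo "usage: $0 baseline DIR OUT | check DIR BASELINE" >&2; exit 64 ;;
esac
```

Build the baseline from the console right after the reinstall (`fimcheck baseline /usr /dist/usr.base`, with /dist being the assumed mount point of the write-protected diskette), then run `fimcheck check /usr /dist/usr.base | mail -s "integrity report" timothy` from cron; an empty report means nothing under /usr changed. The script and the hashing tool it calls should themselves come from media the gateway cannot write, otherwise a compromised host can lie about its own files. The NFS-exported public_html tree changes by design and is better checked separately, or not at all.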