Date:      Mon, 3 Jun 2002 07:01:51 +1200 (NZST)
From:      Andrew McNaughton <andrew@scoop.co.nz>
To:        Michael Richards <michael@fastmail.ca>
Cc:        security@FreeBSD.ORG
Subject:   Re: Subnet Security
Message-ID:  <20020603060419.N96186-100000@a2>
In-Reply-To: <3CFA5A6C.000009.72128@ns.interchange.ca>



On Sun, 2 Jun 2002, Michael Richards wrote:

> I've got a firewall and need to set up a subnet so the servers on it
> have a much more restrictive ruleset than the other subnet. I'm not
> 100% sure how to do it but here is the info.
>
> firewall:
> outside
> fxp0 -> 192.168.72.31  netmask 0xffffffc0 gw 192.168.72.1
> fxp1 -> 192.168.79.1   netmask 0xffffff00
> xl0  -> 192.168.79.120 netmask 0xfffffff0
>
> secure webserver:
> fxp0 -> 192.168.79.112 netmask ??? gw ???
> We own a /24 block of IPs represented here as 192.168.79/24. For
> historical reasons the secure subnet I'm trying to set up here is
> stuck in the middle of the range.
>
> The machines are all plugged into the same switch as well as the
> firewall's fxp1 and xl0. xl0 is to be the secure one and it's set up
> as a vlan. The ports for the secure servers will be tagged as the
> same vlan as xl0 is plugged into.

This is wrong.  A switch should only sit on one network.  You want an
extra switch for your server subnet.  You might be able to get things to
talk to each other with a single switch, but you've bought yourself little
security, e.g. arpspoof in the dsniff port.

> Here is what I'm wondering:
> a) Is this scheme possible with the netmasks I've defined? It would
> seem that 192.168.79.1 overlaps 192.168.79.120 in terms of netmasks.
> Does FreeBSD simply use the interface with the most restrictive
> netmask?

No problem.  Most specific route takes priority.

> b) what netmask and gw should I be using for the secure webserver?

As I understand it, the secure webserver is in 192.168.79.120/24.  From
that it follows that the netmask should be that of the subnet (/24) and
the gateway should be the IP of the router which connects it to the
world - the router's address for this purpose should be the one within the
subnet, because until the router is defined, there is no route to any of
its other addresses.  So the gateway address should be defined as
192.168.79.120.


> c) will routing figure this out automagically or would it need to be
> statically defined? If so how?

Your webserver should probably be set up with a static route.
Routers can pick up routing information from each other automatically, but
this isn't done for other machines on the network, except insofar as this
is what things like DHCP do.

You could use something like DHCP, but this is not really dynamic
information, so DHCP would just be an extra thing to go wrong with no real
benefit.


Andrew McNaughton
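As an added illustration (not part of the original thread), the script below takes the three firewall interfaces exactly as Michael listed them, converts the hex netmasks into networks, reports which interface networks overlap (question a), picks the interface a most-specific-route lookup would use for a given destination, and derives the mask and gateway a host on xl0's subnet inherits from that interface's own configuration (question b). The addresses are the ones in the post; the function names and the sample destinations are my own.

```python
import ipaddress

# Interfaces as given in the post: name -> (address, hex netmask).
INTERFACES = {
    "fxp0": ("192.168.72.31", "0xffffffc0"),
    "fxp1": ("192.168.79.1", "0xffffff00"),
    "xl0": ("192.168.79.120", "0xfffffff0"),
}


def iface_network(addr, hexmask):
    """Turn an interface address plus BSD-style hex netmask into its connected network."""
    mask = ipaddress.IPv4Address(int(hexmask, 16))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def overlapping_interfaces(ifaces):
    """Return every pair of interfaces whose connected networks overlap."""
    nets = {name: iface_network(a, m) for name, (a, m) in ifaces.items()}
    names = sorted(nets)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                pairs.append((a, b))
    return pairs


def select_interface(ifaces, dst):
    """Longest-prefix match: among interfaces whose network contains dst,
    the one with the most specific (longest) mask wins, as the reply states."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for name, (a, m) in ifaces.items():
        net = iface_network(a, m)
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def webserver_config(ifaces, secure_iface, host):
    """Mask and gateway for a host on the secure subnet: the mask of that
    interface's network and the firewall's address inside that network."""
    addr, hexmask = ifaces[secure_iface]
    net = iface_network(addr, hexmask)
    if ipaddress.IPv4Address(host) not in net:
        raise ValueError(f"{host} is not inside {net}")
    return {"netmask": str(net.netmask), "prefixlen": net.prefixlen, "gateway": addr}


if __name__ == "__main__":
    for name, (a, m) in INTERFACES.items():
        print(f"{name}: {iface_network(a, m)}")
    print("overlaps:", overlapping_interfaces(INTERFACES))
    # Constructed sample destinations: the secure webserver and an ordinary host.
    for dst in ("192.168.79.112", "192.168.79.50", "192.168.72.5"):
        print(f"{dst} -> {select_interface(INTERFACES, dst)}")
    print(webserver_config(INTERFACES, "xl0", "192.168.79.112"))
```

Running it shows that fxp1's /24 and xl0's /28 do overlap, that a destination of 192.168.79.112 is nevertheless matched to xl0 because /28 is more specific than /24, and what mask and gateway the webserver takes from xl0's configuration.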

