Date: Thu, 4 Nov 1999 10:54:19 -0500 (EST)
From: Jim Flowers <jflowers@ezo.net>
To: "Scott I. Remick" <scott@computeralt.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall questions
Message-ID: <Pine.BSI.3.91.991104101854.10312A-100000@lily.ezo.net>
In-Reply-To: <4.2.2.19991104094637.00cdd9f0@mail.computeralt.com>
See below

Jim Flowers <jflowers@ezo.net>
#4 ISP on C|NET, #1 in Ohio

On Thu, 4 Nov 1999, Scott I. Remick wrote:

> Hello. I'm working on my first firewall, and have a few questions:
>
> 1) I've purchased the O'Reilly book "Building Internet Firewalls", and have
> printed out chapters 6.4 and 16 from the handbook. However, is there any
> other guide that describes in better detail how to do what I am doing?
> (read on for details)

Good start!

> 2) Is sendmail necessary on a firewall? I've removed all other
> non-essential daemons already (r*, telnetd, ftpd, even inetd). The only
> service running right now is ssh, which is the only way I communicate with
> this system. I've never telnetted to it.

Not necessary but useful as a relay between outside (Internet) and inside
mail-hub. Look at fwtk for a wrapped approach using smap and smapd.

> 3) What the heck would be using port 111? Strobe shows it as being alive
> and listening.

Here's a handy way to learn about well-known ports.

trapper# grep 111 /etc/services
sunrpc          111/tcp    rpcbind    #SUN Remote Procedure Call
sunrpc          111/udp    rpcbind    #SUN Remote Procedure Call

> 4) How do I properly set up routes for a dual-homed firewall where both
> sides are within the same class C? This is the first time I've ever had to
> play with routing and gateways.

Routing is a big subject. You just need static routes, not routing software
like routed or gated. Just remember that in order to traverse a router you
have to have a way to identify groups of addresses. That involves subnets.
Best to get another book and read it. Use a small subnet for a perimeter
network. 8 addresses is about right for most.

> 5) Where's the proper place to put your ipfw rules so they get reloaded on
> every boot? rc.local?

rc.firewall - copy OPEN to a name of your choosing and modify it, then
identify it in rc.conf.

> 6) Should www/ftp/dns/etc servers be inside the firewall, or in the DMZ?
I prefer the DMZ as they are sacrificial hosts and you are always aware of
their exposure there. Better to not let packets travel between the Internet
and your inside network.

> What I'm ultimately trying to have is a system like the following:
>
> INTERNET <-> Router (A.B.C.1) <-> DMZ <-> (A.B.C.2) Firewall (A.B.C.3) <->
> internal_network (A.B.C.*)

Try:

(A.B.C.3) + | | <-> | Bastion Host| | | + (A.B.C.9) INTERNET <-> | Router | <-> | Firewall | <-> internal+network | | (A.B.C.1)--+ +-(A.B.C.2)

Most intuitive setup is to use inbound filters only. You know where they are
coming from. Put Internet->DMZ and DMZ->Internet filters in Router. Deny
Internet->Firewall and Firewall->Internet. Put DMZ->internal and
internal->DMZ on Firewall and deny Router <-> internal. Redundancy.

> I've already got the firewall system up and going (FreeBSD 3.3 RELEASE),
> with ssh 2.0.13 running. The necessary stuff to enable IPFW has been built
> into the kernel per Handbook 6.4. Both network cards are installed, have
> IPs, and appear operational. I've edited /etc/rc.firewall to match the IP
> addresses on our network. I've added the following to /etc/rc.conf (IP
> addresses and hosts have been changed):
>
> network_interfaces="ed0 ed1 lo0"
> ifconfig_ed0="inet A.B.C.3 netmask 255.255.255.0"
> ifconfig_ed1="inet A.B.C.2 netmask 255.255.255.0"

Can't route between ed0 and ed1. Same subdomain.

> defaultrouter="A.B.C.1"
> hostname="firewall.domain.com"
> sendmail_enable="NO"
> inetd_enable="NO"
> gateway_enable="YES"
> router_enable="YES"
> router="routed"
> router_flags="-q"

Don't bother with routing software. Use static routes.

> firewall_script="/etc/rc.firewall"
> firewall_type="open" <---- YES I KNOW THIS IS BAD, I'm not ready to go
> live yet.
> firewall_enable="YES"
>
> So I feel like I'm making good progress. I'm getting a good understanding
> of ipfw rules. But the routes thing has got me a bit stumped.
> I'm not
> clear on what routing is being done by routed, what routing is being done
> (if any) by ipfw (because rc.firewall has places for you to put in both
> sides of your firewall), and what the difference in enabling routing and
> enabling gateway is.

Routing is done in the kernel. Route is used to manage static routes. Routed
is unnecessary. Ipfw doesn't do routing.

> I want anything destined for the internet to go out A.B.C.2 and anything
> destined for the internal network to go out A.B.C.3. I figure I would then
> set up routes to A.B.C.1 and any systems in the DMZ as individual routes
> from A.B.C.2 correct? Oh well. Any advice? Tips? Suggestions? URLs? PDFs?
> Books?

Use a default route to point towards the Internet using the next direct
connected address.

> What I'm planning on doing is, once I've got the routes set up properly,
> then having my system point to the firewall as the gateway instead of the
> current router (I assume this would be the proper procedure for everyone
> once we're ready to go live) and then start tweaking ipfw rules. That way,
> everyone can remain functional until I have it set up proper. Then I'll
> tell the router to only communicate to the firewall, plug the router
> directly into A.B.C.2 w/ a cross-over cable (I'd use a separate hub if I
> were to set up other hosts in a DMZ), and then adjust everyone else's
> default gateway to be the firewall.
>
> I'm sure I'm missing a lot here and have a bunch of stuff wrong. Please
> advise.... thanks! :)

Might be easiest to do away with all but one box and configure natd using
private addresses on it until the routing concepts are mastered.

> -----------------------
> Scott I. Remick                   scott@computeralt.com
> Network and Information           (802)388-7545 ext. 236
> Systems Manager                   FAX:(802)388-3697
> Computer Alternatives, Inc.
> http://www.computeralt.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
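Jim's "inbound filters only" layout for the Firewall box, written out as the kind of custom copy of rc.firewall he suggests pointing firewall_type at. This is an added example, not code from the thread or from FreeBSD; it assumes 192.0.2.0/29 as the 8-address perimeter subnet (standing in for A.B.C.x) with the router at .1 and the bastion host at .3, 192.0.2.128/25 as the inside subnet (so ed0 and ed1 are no longer on the same subnet), ed1 facing the perimeter and ed0 facing inside. Rule numbers, variable names and the choice of which DMZ->internal traffic to permit are the example's own.

```shell
#!/bin/sh
# Custom ipfw ruleset for the Firewall box (added example; addresses,
# interfaces and rule numbers are assumptions, not values from the thread).
fwcmd="${fwcmd:-/sbin/ipfw}"

oif=ed1; pnet=192.0.2.0/29; router=192.0.2.1; bastion=192.0.2.3  # perimeter side
iif=ed0; inet=192.0.2.128/25                                      # inside, a different subnet

apply_rules() {
    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    # Inbound filters only: judge each packet on the interface it arrives on,
    # so the source network is known. Anti-spoofing first: inside addresses
    # never arrive on the perimeter side, and only inside addresses arrive inside.
    $fwcmd add 200 deny log ip from $inet to any in via $oif
    $fwcmd add 210 deny log ip from not $inet to any in via $iif
    # Router <-> internal is denied: the router's own address never talks to
    # inside hosts in either direction.
    $fwcmd add 300 deny log ip from $router to $inet
    $fwcmd add 310 deny log ip from $inet to $router
    # internal -> DMZ, as it arrives on the inside interface.
    $fwcmd add 400 allow ip from $inet to $pnet in via $iif
    # DMZ -> internal: only TCP replies to sessions opened from inside, plus
    # DNS answers from the bastion host.
    $fwcmd add 500 allow tcp from $pnet to $inet in via $oif established
    $fwcmd add 510 allow udp from $bastion 53 to $inet in via $oif
    # Inside hosts reach the Internet through the bastion, never directly, so
    # anything not matched above (including internal -> Internet) is logged and dropped.
    $fwcmd add 65000 deny log ip from any to any
}

# Only load the rules on a box that actually has ipfw; elsewhere the function
# can be called with fwcmd=echo to review the generated rules.
if [ -x /sbin/ipfw ]; then
    apply_rules
fi
```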