Date: Thu, 4 Nov 1999 10:54:19 -0500 (EST)
From: Jim Flowers <jflowers@ezo.net>
To: "Scott I. Remick" <scott@computeralt.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall questions
Message-ID: <Pine.BSI.3.91.991104101854.10312A-100000@lily.ezo.net>
In-Reply-To: <4.2.2.19991104094637.00cdd9f0@mail.computeralt.com>
See below
Jim Flowers <jflowers@ezo.net>
#4 ISP on C|NET, #1 in Ohio
On Thu, 4 Nov 1999, Scott I. Remick wrote:
> Hello. I'm working on my first firewall, and have a few questions:
>
> 1) I've purchased the O'Reilly book "Building Internet Firewalls", and have
> printed out chapters 6.4 and 16 from the handbook. However, is there any
> other guide that describes in better detail how to do what I am doing?
> (read on for details)
Good start!
>
> 2) Is sendmail necessary on a firewall? I've removed all other
> non-essential daemons already (r*, telnetd, ftpd, even inetd). The only
> service running right now is ssh, which is the only way I communicate with
> this system. I've never telnetted to it.
Not necessary but useful as a relay between outside (Internet) and inside
mail-hub. Look at fwtk for a wrapped approach using smap and smapd.
>
> 3) What the heck would be using port 111? Strobe shows it as being alive
> and listening.
Here's a handy way to learn about well-known ports.
trapper# grep 111 /etc/services
sunrpc 111/tcp rpcbind #SUN Remote Procedure Call
sunrpc 111/udp rpcbind #SUN Remote Procedure Call
>
> 4) How do I properly set up routes for a dual-homed firewall where both
> sides are within the same class C? This is the first time I've ever had to
> play with routing and gateways.
Routing is a big subject. You just need static routes, not routing
software like routed or gated. Just remember that in order to traverse a
router you have to have a way to identify groups of addresses. That
involves subnets. Best to get another book and read it. Use a small
subnet for a perimeter network. 8 addresses is about right for most.
>
> 5) Where's the proper place to put your ipfw rules so they get reloaded on
> every boot? rc.local?
rc.firewall - copy OPEN to a name of your choosing and modify it, then
identify it in rc.conf.
>
> 6) Should www/ftp/dns/etc servers be inside the firewall, or in the DMZ?
I prefer the DMZ as they are sacrificial hosts and you are always aware
of their exposure there. Better to not let packets travel between the
Internet and your inside network.
>
> What I'm ultimately trying to have is a system like the following:
>
> INTERNET <-> Router (A.B.C.1) <-> DMZ <-> (A.B.C.2) Firewall (A.B.C.3) <->
> internal_network (A.B.C.*)
Try:
                     (A.B.C.3)
                         |
                  +--------------+
                  | Bastion Host |
                  +--------------+
                         |
                         |                      (A.B.C.9)
INTERNET <-> | Router |--+--<->| Firewall |--<-> internal network
             (A.B.C.1)         (A.B.C.2)
Most intuitive setup is to use inbound filters only. You know where they
are coming from. Put Internet->DMZ and DMZ->Internet filters in Router.
Deny Internet->Firewall and Firewall->Internet. Put DMZ->internal and
internal->DMZ on Firewall and deny Router <-> internal. Redundancy.
>
> I've already got the firewall system up and going (FreeBSD 3.3 RELEASE),
> with ssh 2.0.13 running. The necessary stuff to enable IPFW has been built
> into the kernel per Handbook 6.4. Both network cards are installed, have
> IPs, and appear operational. I've edited /etc/rc.firewall to match the IP
> addresses on our network. I've added the following to /etc/rc.conf (IP
> addresses and hosts have been changed):
>
> network_interfaces="ed0 ed1 lo0"
> ifconfig_ed0="inet A.B.C.3 netmask 255.255.255.0"
> ifconfig_ed1="inet A.B.C.2 netmask 255.255.255.0"
Can't route between ed0 and ed1. Same subdomain.
> defaultrouter="A.B.C.1"
> hostname="firewall.domain.com"
> sendmail_enable="NO"
> inetd_enable="NO"
> gateway_enable="YES"
> router_enable="YES"
> router="routed"
> router_flags="-q"
Don't bother with routing software. Use static routes.
> firewall_script="/etc/rc.firewall"
> firewall_type="open" <---- YES I KNOW THIS IS BAD, I'm not ready to go
> live yet.
> firewall_enable="YES"
>
> So I feel like I'm making good progress. I'm getting a good understanding
> of ipfw rules. But the routes thing has got me a bit stumped. I'm not
> clear on what routing is being done by routed, what routing is being done
> (if any) by ipfw (because rc.firewall has places for you to put in both
> sides of your firewall), and what the difference in enabling routing and
> enabling gateway is.
Routing is done in the kernel. Route is used to manage static routes.
Routed is unnecessary. Ipfw doesn't do routing.
>
> I want anything destined for the internet to go out A.B.C.2 and anything
> destined for the internal network to go out A.B.C.3. I figure I would then
> set up routes to A.B.C.1 and any systems in the DMZ as individual routes
> from A.B.C.2 correct? Oh well. Any advice? Tips? Suggestions? URLs? PDFs?
> Books?
Use a default route to point towards the Internet using the next direct
connected address.
>
> What I'm planning on doing is, once I've got the routes set up properly,
> then having my system point to the firewall as the gateway instead of the
> current router (I assume this would be the proper procedure for everyone
> once we're ready to go live) and then start tweaking ipfw rules. That way,
> everyone can remain functional until I have it set up proper. Then I'll
> tell the router to only communicate to the firewall, plug the router
> directly into A.B.C.2 w/ a cross-over cable (I'd use a separate hub if I
> were to set up other hosts in a DMZ), and then adjust everyone else's
> default gateway to be the firewall.
>
> I'm sure I'm missing a lot here and have a bunch of stuff wrong. Please
> advise.... thanks! :)
Might be easiest to do away with all but one box and configure natd using
private addresses on it until the routing concepts are mastered.
> -----------------------
> Scott I. Remick scott@computeralt.com
> Network and Information (802)388-7545 ext. 236
> Systems Manager FAX:(802)388-3697
> Computer Alternatives, Inc. http://www.computeralt.com
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
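Added example (not part of the thread, and not FreeBSD's own rc.firewall): the
split-subnet layout Jim sketches, written out as the rc.conf settings that
replace the poster's same-subnet ones, the static routes each box needs, and an
inbound-only ipfw rule set in the FreeBSD 3.x syntax (net:mask, setup,
established, in via). Assumptions: the addresses are constructed 192.0.2.x
placeholders standing in for A.B.C.*, with the class C carved into a /29
perimeter block (router .1, firewall .2, bastion .3) and a /29 internal block
(firewall .9); the interface names ed0/ed1 come from the poster's rc.conf;
/etc/rc.firewall.local is a hypothetical name for the copied script. Rules are
emitted through a $fwcmd variable that defaults to echo, so the script is a dry
run until fwcmd=/sbin/ipfw is set.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.
# All addresses below are constructed placeholders standing in for A.B.C.*:
# the class C is split into a /29 DMZ block and a /29 internal block so that
# the firewall's two interfaces sit on different subnets.

# --- addressing (assumed values) --------------------------------------------
dmz_if="ed1"; dmz_net="192.0.2.0"; dmz_mask="255.255.255.248"; dmz_ip="192.0.2.2"
int_if="ed0"; int_net="192.0.2.8"; int_mask="255.255.255.248"; int_ip="192.0.2.9"
router_ip="192.0.2.1"    # Internet router, first address on the DMZ subnet
bastion_ip="192.0.2.3"   # sacrificial www/ftp/dns host, also on the DMZ subnet

# echo makes gen_rules a dry run that prints the rules; export
# fwcmd=/sbin/ipfw to apply them for real.
fwcmd="${fwcmd:-echo}"

# rc.conf settings replacing the poster's same-subnet configuration:
# no routed, interfaces on distinct /29s, a firewall script of our own
# (/etc/rc.firewall.local is a hypothetical name).
rc_conf() {
    cat <<EOF
network_interfaces="${int_if} ${dmz_if} lo0"
ifconfig_${int_if}="inet ${int_ip} netmask ${int_mask}"
ifconfig_${dmz_if}="inet ${dmz_ip} netmask ${dmz_mask}"
defaultrouter="${router_ip}"
sendmail_enable="NO"
inetd_enable="NO"
gateway_enable="YES"
router_enable="NO"
firewall_enable="YES"
firewall_script="/etc/rc.firewall.local"
EOF
}

# The only static routes needed.  The kernel already knows both directly
# connected /29s from ifconfig, and ipfw takes no part in routing.
static_routes() {
    # on the firewall: default route to the directly connected router
    echo "route add default ${router_ip}"
    # on the router (FreeBSD syntax; a commercial router has its own form):
    # the internal /29 is reached through the firewall's DMZ address
    echo "route add -net ${int_net} -netmask ${int_mask} ${dmz_ip}"
    # on every internal host: the firewall's inside address is the gateway
    echo "route add default ${int_ip}"
}

# Inbound filters only, keyed on the interface a packet arrives on.
gen_rules() {
    $fwcmd -f flush
    # loopback traffic, and nothing pretending to be loopback
    $fwcmd add 100 pass all from any to any via lo0
    $fwcmd add 200 deny all from any to 127.0.0.0/8
    # anti-spoofing: each interface only ever sees its own side's sources
    $fwcmd add 300 deny all from ${int_net}:${int_mask} to any in via ${dmz_if}
    $fwcmd add 310 deny all from ${dmz_net}:${dmz_mask} to any in via ${int_if}
    # "deny Router <-> internal": the router never talks to inside hosts directly
    $fwcmd add 400 deny all from ${router_ip} to ${int_net}:${int_mask} in via ${dmz_if}
    $fwcmd add 410 deny all from ${int_net}:${int_mask} to ${router_ip} in via ${int_if}
    # packets of TCP connections already set up may flow both ways
    $fwcmd add 500 pass tcp from any to any established
    # the firewall itself accepts only ssh, and only from inside
    $fwcmd add 600 pass tcp from ${int_net}:${int_mask} to ${int_ip} 22 setup in via ${int_if}
    $fwcmd add 610 deny tcp from any to ${int_ip} setup
    $fwcmd add 620 deny tcp from any to ${dmz_ip} setup
    # inside hosts may open connections toward the DMZ and the Internet
    $fwcmd add 700 pass tcp from ${int_net}:${int_mask} to any setup in via ${int_if}
    # DNS to and from the bastion's resolver (UDP has no setup flag to key on)
    $fwcmd add 800 pass udp from ${int_net}:${int_mask} to ${bastion_ip} 53 in via ${int_if}
    $fwcmd add 810 pass udp from ${bastion_ip} 53 to ${int_net}:${int_mask} in via ${dmz_if}
    # no other TCP connection may be set up, and everything left over is logged
    $fwcmd add 900 deny tcp from any to any setup
    $fwcmd add 65000 deny log all from any to any
}

# Dry run: show what would be configured on each box.
rc_conf
static_routes
gen_rules
```

The order of the rules matters because ipfw stops at the first match: the
anti-spoofing and router denies sit before the established and setup passes,
and the ssh exception for the firewall sits before the denies that cover every
other connection attempt to its two addresses.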
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSI.3.91.991104101854.10312A-100000>
