Date: Thu, 04 Nov 1999 09:49:36 -0700 From: Wes Peters <wes@softweyr.com> To: "Scott I. Remick" <scott@computeralt.com> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Firewall questions Message-ID: <3821B920.F1A47745@softweyr.com> References: <4.2.2.19991104094637.00cdd9f0@mail.computeralt.com>
next in thread | previous in thread | raw e-mail | index | archive | help
"Scott I. Remick" wrote: > > 2) Is sendmail necessary on a firewall? I've removed all other > non-essential daemons already (r*, telnetd, ftpd, even inetd). The only > service running right now is ssh, which is the only way I communicate with > this system. I've never telnetted to it. If you want to be able to send mail into the firewall, yes. For outgoing mail, sendmail is called directly. Outgoing mail that has to be queued up, for whatever reason, won't be resent unless you have sendmail running as a daemon. > 3) What the heck would be using port 111? Strobe shows it as being alive > and listening. wes@homer$ grep 111 /etc/services sunrpc 111/tcp rpcbind #SUN Remote Procedure Call sunrpc 111/udp rpcbind #SUN Remote Procedure Call > 4) How do I properly set up routes for a dual-homed firewall where both > sides are within the same class C? This is the first time I've ever had to > play with routing and gateways. Manually. ;^) Make the inside address of the firewall the default route for all the other machines on the network. On the firewall machine itself, make the other end of the outside link the default route. That should take care of it. > 5) Where's the proper place to put your ipfw rules so they get reloaded on > every boot? rc.local? > > 6) Should www/ftp/dns/etc servers be inside the firewall, or in the DMZ? Yes. For DNS, put the primary inside the firewall and a secondary outside. WWW and FTP servers outside, so a penetration won't damage your internal network. Turn off all network login services except ssh on the servers outside the firewall, and on the firewall itself. BTW, Cheswick and Bellovin refer to your "firewall" machine as a "bastion host." You may want to read through a copy of their book, too. > What I'm ultimately trying to have is a system like the following: > > INTERNET <-> Router (A.B.C.1) <-> DMZ <-> (A.B.C.2) Firewall (A.B.C.3) <-> > internal_network (A.B.C.*) > > I've already got the firewall system up and going (FreeBSD 3.3 RELEASE), > with ssh 2.0.13 running. The necessary stuff to enable IPFW has been built > into the kernel per Handbook 6.4. Both network cards are installed, have > IPs, and appear operational. I've edited /etc/rc.firewall to match the IP > addresses on our network. I've added the following to /etc/rc.conf (IP > addresses and hosts have been changed): > > network_interfaces="ed0 ed1 lo0" > ifconfig_ed0="inet A.B.C.3 netmask 255.255.255.0" > ifconfig_ed1="inet A.B.C.2 netmask 255.255.255.0" > defaultrouter="A.B.C.1" > hostname="firewall.domain.com" > sendmail_enable="NO" > inetd_enable="NO" > gateway_enable="YES" > router_enable="YES" > router="routed" > router_flags="-q" > firewall_script="/etc/rc.firewall" > firewall_type="open" <---- YES I KNOW THIS IS BAD, I'm not ready to go > live yet. > firewall_enable="YES" > > So I feel like I'm making good progress. I'm getting a good understanding > of ipfw rules. But the routes thing has got me a bit stumped. I'm not > clear on what routing is being done by routed, what routing is being done > (if any) by ipfw (because rc.firewall has places for you to put in both > sides of your firewall), and what the difference in enabling routing and > enabling gateway is. You don't want to run routed, your network is far too simple for that. The machines inside the firewall use the inside address of the firewall, A.B.C.3, as their default route. The firewall machine and the servers in the DMZ use A.B.C.1 as their default route. For communications between your network and the DMZ, you may want to use proxy ARP on the firewall, or just enter host routes through the firewall machine. > I want anything destined for the internet to go out A.B.C.2 and anything > destined for the internal network to go out A.B.C.3. I figure I would then > set up routes to A.B.C.1 and any systems in the DMZ as individual routes > from A.B.C.2 correct? Oh well. Any advice? Tips? Suggestions? URLs? PDFs? > Books? Static host routes will work. Proxy arp might be easier to use. Take a look at choparp, in ports/net: DESCRIPTION choparp is a easy-to-use proxy arp daemon. It watches arp request pack- ets visible on the interface specified by argument if_name, and sends proxy arp reply to the sender if the arp request queries the MAC address (ethernet hardware address) for the network speicified by net_addr and net_mask. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3821B920.F1A47745>