
Re: commercial router vs. openbsd

From: Cris Harrison <Webmaster(at)phoenixcomm.net>
Date: Sat Mar 22 2003 - 21:45:50 EST


At 09:41 AM 3/18/2003 +0000, Arne Woerner wrote:
>Hi!
>
>I am not subscribed to this mailing list. So I would be glad if

Arne
I have read some of the other comments.... well, I run a Sun/SPARC shop and yes, I don't use Solaris on the firewall.... I was a reviewer of the Solaris Hardening attempt a few years back, SOL7 or 8, I don't remember which. Solaris is really nice internally, I can get an X from any box on any other box... BUT it's like Swiss Cheese.
I had just built a new U2 box for our DB, plus fresh installs of Apache and Perl, as I do not like where they end up.. and then I have to worry about what compiler etc, and then they don't end up in /usr/local/apache. Well, anyway, before the end of the week China Worm got on my box! Thank god that I found out before the box
went live....
So the short answer is:
1. use OpenBSD with pf... we are using a SPARC 5 with a Quad Network Card in it.
2. DON'T put IP addresses on the interfaces, and use a BRIDGE! (i.e. then you run in the 2nd layer of the ISO stack)
3. DON'T let users log into the firewall box (the money you save is not worth the internal hacker)
4. DON'T run apps from the firewall ports, NEVER, NEVER!!

here we'll show you....

we have a 1/4 class C; let's say our -
router lan side is 205.45.12.1
NAT ROUTER #1 205.45.12.2
NAT ROUTER #1 205.45.12.3

Let's start the DMZ:
    205.45.12.10   NS1, TIC1
    205.45.12.11   NS2, TIC2
    205.45.12.12   SMTP
    205.45.12.13   POP
    205.45.12.15   www
    205.45.12.16   customer Virt web space
    205.45.12.17   support web, ftp
    205.45.12.18   RADIUS & LDAP Server
Let's put in some
    customer IPs                      25 - 60
    upper 32 IPs for Dial Up Serv     223 - up

Now question 3: where to put the shell accounts!! or chat bots, etc.... If you are a really evil person like myself, I don't trust ANYBODY, go to DIG #2

DIG #1 {{{{ Internet}}} -- [router or dsl modem] ---- [ FIREWALL] ----qe0 DMZ (web, NS1,2,3, NTP1, NTP2, FTP, SSH etc...)
                                                                 ----qe1 to NAT ROUTER #1 192.168.0.x for our PCs
                                                                 ----qe2 to NAT ROUTER #2 192.168.1.x for billing outbound, and db admin, net security
                                                                 ----qe3 to Automation Server, works with active fw stuff & SNIFFERS (RMON)
                                                                 ----le0 base address of box, used for log outputs etc....

DIG #2 let's have some fun...
this is not for the meek....
[[[Inet}}} --- [CISCO 7000 Router] -- [10/100 SW] -- {FIREWALL} the rest is cool.... oh yes, now the dmz range is 1 - 126 with mask 255.255.255.128

                 |       |               |
                 |       |               |
                 |       |               {NET SCOUT - RMON PROBE}
                 |       |
                 |       {DIAL UP SERVER} 96 ports, works with T1 inbound,
                 |               Needs to authenticate with our RADIUS server
                 |               So this block is .225 - 254 and a mask of 255.255.255.224
                 |
                 {SHELL & CHAT BOTS}
                         This block is .193 - 222 with the 255.255.255.24 mask
                         This keeps the dialup users & bots on their own...

This leaves you a 1/4 class for whatever..... and now all I have to do is only open the address & ports that a service is used on, Not the whole damn box....


Cris Harrison
"Sex, Drugs and UNIX"
www.phoenixcomm.net

Received on Sat Mar 22 21:47:40 2003
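As an added example (not part of Cris's message and not a configuration from phoenixcomm.net), here is a minimal OpenBSD pf.conf plus bridge setup that follows points 1, 2 and 4 of the short answer: the two bridge member interfaces carry no IP address, the box forwards at layer 2, and only the address/port pairs on which a DMZ service actually listens are reachable from outside. The interface names em0/em1, the hostname.if file layout and the assumption of a current OpenBSD release (ifconfig-managed bridges, stateful rules by default) are mine; the DMZ addresses are the ones listed in the message.

```pf
# /etc/hostname.em0   (outside bridge member, no address)  -- assumed interface name
#   up
# /etc/hostname.em1   (DMZ-side bridge member, no address) -- assumed interface name
#   up
# /etc/hostname.bridge0
#   add em0
#   add em1
#   up
#
# /etc/pf.conf -- transparent (layer-2) firewall; all decisions made at the outside member

ext_if  = "em0"               # toward the router / DSL modem
dmz_if  = "em1"               # toward the DMZ switch
dmz_net = "205.45.12.0/25"    # .1 - .126, mask 255.255.255.128 as in DIG #2

# DMZ hosts from the message
ns1  = "205.45.12.10"
ns2  = "205.45.12.11"
smtp = "205.45.12.12"
pop  = "205.45.12.13"
www  = "205.45.12.15"

set skip on lo0

# Default deny in both directions; log drops so the le0 log leg can collect them.
block log all

# The DMZ-side member is not filtered separately: each packet is judged once on $ext_if.
pass quick on $dmz_if

# Inbound: only the address + port a service is used on, never "the whole box".
pass in on $ext_if proto { tcp, udp } from any to { $ns1, $ns2 } port 53
pass in on $ext_if proto tcp from any to $smtp port 25
pass in on $ext_if proto tcp from any to $pop  port 110
pass in on $ext_if proto tcp from any to $www  port { 80, 443 }

# Outbound: DMZ hosts may initiate their own connections (DNS, mail delivery, updates).
pass out on $ext_if from $dmz_net to any

# Nothing passes *to* the firewall itself; with no address on em0/em1 there is
# nothing to connect to, and management stays on the separate le0 leg.
```

Because the bridge members have no addresses, the firewall is invisible to hosts on either side; a port scan of the DMZ block sees only the services listed in the `pass in` rules, and everything else is dropped and logged by `block log all`.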


