On 28/05/2019 11:12, Janne Johansson wrote:
> Den sön 26 maj 2019 kl 10:03 skrev Walt <neurobot...@protonmail.ch>:
>
>> I like having a firewall that would pretty much require someone physically
>> entering the computer room in order to attack the firewall.  With OpenBSD,
>> your firewall can control your network traffic without having an IP address
>> at all.
>> One thing that you could try is to use the OpenBSD VM as the firewall, but
>> don't assign any IP address to the firewall.  The Win7 VM would have the
>> actual IP address, but the OpenBSD VM would control the network.
>> I am curious if there is any way to attack the firewall if it has no IP
>> addresses.
>>
> If you build it like the emails before listed, you still have the attack
> surface of the whole OS that runs VirtualBox, then the whole codebase of
> Virtualbox on top of that before you reach your obsd ip-less
> un-maintainable VM to "protect you" from evil packets.


In advance, it's been mentioned many times in this list that a bridge-only (IP-less) firewall is not a recommended setup.
Start with this: https://marc.info/?l=openbsd-misc&m=124056858519840&w=2
I'm sure you will find valuable info there, like the post from Henning@ (pf dev):

"yes. lots of idiots do it.
bridging is stupid. don't. there are cases where you can't avoid it,
but deliberately? about as clever as knowingly drinking methanol."

First of all, it's harder to detect problems and configuration errors.
There might be performance issues as well, since you're utilizing the bridge interface (not sure if that's still the case).
IP/routing adds another layer of protection: the packets must pass through layer 3 (the network layer) of the firewall.
Layer 2 attacks are not easy to protect from, or even to detect sometimes.

Not having an IP on the firewall is no better than having an IP firewall with no open services, or no open services on the external interface.

G
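
An added example, not part of this thread, of the routed alternative G describes: a pf.conf for a firewall that does have addresses but offers no services at all on its external interface. Interface names, the NAT rule and the LAN-only ssh rule are assumptions for a small VM setup.

```pf
# /etc/pf.conf (constructed example; em0/em1 are assumed interface names)
ext_if = "em0"        # external side, carries the firewall's own address
int_if = "em1"        # internal LAN

set skip on lo
set block-policy drop

# Default deny in both directions, logged to pflog0.
block log all

# Nothing on the firewall listens on the external side: drop every
# packet addressed to the external interface's own address(es) before
# any pass rule is considered. Replies to connections the firewall
# itself opened (dns, ntp, syspatch) still arrive, because they match
# the state created by the "pass out" rule below, not this rule.
block in quick on $ext_if to ($ext_if)

# Management only from the LAN, to the internal address, over ssh.
pass in on $int_if proto tcp from $int_if:network to ($int_if) port 22

# Hide the LAN behind the external address on the way out.
match out on $ext_if from $int_if:network nat-to ($ext_if)

# Let the LAN out through the firewall; floating states carry the
# return traffic back in on $ext_if without any "pass in" there.
pass in on $int_if from $int_if:network to ! $int_if:network
pass out on $ext_if from { ($ext_if), $int_if:network }
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -sr` and `tcpdump -n -e -ttt -i pflog0` to confirm that nothing addressed to the external interface itself gets past the block rule.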

