Re: home network
On 5/16/06, Terry <[EMAIL PROTECTED]> wrote:
> Page 2 gives the policies/functionality I would like to have. I want
> the system to be secure but I would also like to be able to admin the
> system from the outside.

You want your cake AND you want to eat it? Ambitious!

Mostly, there is the threat of SSH brute forcers, which is annoying but
trivial to defend against (don't let people pick dumb passwords on any
exposed box). Occasionally, there is the chance of an SSH pre-auth remote
root vuln, but I sort of doubt it, I hear OpenSSH's privsep is hard to
beat.

> http://tyson.homeunix.org/net.pdf

Nice diagram. It appears you like OpenBSD. :-)

I assume you are using all OpenBSD because you want a really secure
network. Let me ask you to rethink it. My $.02 is that a homogeneous
network will be very secure, unless the one platform you use has a fatal
flaw. It also won't be as functional, since you can only run software
ported to that OS. You should read the "monoculture" paper; although some
people found the metaphor and analogy misleading, I found it to be
somewhat common sense.

If I were you, I'd at least consider having one internal system that can
run Xen and/or VMWare (I honestly don't know if OpenBSD can) and then you
can at least boot other OSes to play with them. There's a lot of good
ideas and neat things out there, and OpenBSD is not the supreme font of
them all. Or do OpenBSD until you master it, or reach diminishing
returns, or get bored, then consider reinstalling one of them with
something else.

> I can't decide if it would be best for the firewall to be transparent
> or not.

If you're talking about bridging, then that's in direct conflict with
your desire to admin it from the outside. The only way to admin a
bridging firewall is on the keyboard and monitor directly attached to
it. It is also impossible to download any packages/ports, or do just
about anything other than filter/pass packets. I find it somewhat
irritating, like cutting off my hands so that someone else can't use
them to stab me in the eye.

If you're talking about transparent proxying, be sure that your proxy
supports all the kinds of transactions. For example, squid supports all
the HTTP transaction types that I know of, but some message-oriented
HTTP proxies (privoxy) don't support CONNECT, so some things like
streaming media won't work, and it's really irritating to have to
console into the firewall and disable that stuff, re-enable it when
you're done, etc.

> Also, the admin computer listed isn't absolutely necessary but I
> thought it might be a good way to help me admin the system from the
> outside.

In what way? If you're outside, you're not on the admin box. Chaining
to the admin box and back to the firewall box... it's not clear what
problem that solves that connecting directly to the firewall doesn't.

> Also, I'm still looking into learning how to use the Linksys WRT54G in
> "bridge mode." As I understand it, I will need to do this.

I don't see why. It can operate as a router just fine. However, the
stock firmware really isn't designed to do what you're trying to do.
Consider installing OpenWRT or dd-WRT:

http://openwrt.org/
http://www.dd-wrt.com/dd-wrtv2/index.php

Note that by default in the stock firmware, the LAN ports are bridged
together already. I am not sure if the WAN port is bridged or not. I
wanted my LAN to be able to connect to the administrative web interface,
and to be the network uplink, but had trouble doing both. I ended up
putting in routes for 1/1 and 128/1 to get all the traffic routed where
I wanted, but a simpler solution is to turn the web interface on for the
WAN port. If you ever need to reset the WRT to factory defaults you'll
need to be on the LAN port again, because the WAN port doesn't have the
web interface enabled by default.

And oh yeah, don't use 192.168.0/24 for your internal network. Pick
something rare, like one of the RFC 1918 "class B" blocks, because the
WRT uses 192.168.0/24 and some cable ISPs use 10/8 internally. Save
yourself a lot of trouble and pick something relatively unique.

--
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
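Travis calls SSH brute forcers the main threat to an admin port exposed to the outside. The detector below is an added example (editor's code, not from anyone in this thread): it counts "Failed password" lines per source address inside a sliding window and returns the sources that cross a threshold, which is the list an admin would alert on or hand to a pf table with `pfctl -t <table> -T add`. The log lines are constructed for the example and follow OpenSSH's usual syslog format; the year and the threshold/window values are assumptions.

```python
"""Flag SSH password brute-forcing from sshd log lines.

Added example: a small offline detector. It is not the thread's own
code; the sample log lines below are constructed, and the year used to
parse the year-less syslog timestamps is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of OpenSSH auth log lines (syslog format, in time order).
SAMPLE_LOG = """\
May 16 11:40:01 fw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
May 16 11:40:02 fw sshd[1202]: Failed password for invalid user oracle from 203.0.113.7 port 40123 ssh2
May 16 11:40:03 fw sshd[1203]: Failed password for root from 203.0.113.7 port 40124 ssh2
May 16 11:40:04 fw sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 40125 ssh2
May 16 11:40:05 fw sshd[1205]: Failed password for invalid user guest from 203.0.113.7 port 40126 ssh2
May 16 11:41:10 fw sshd[1210]: Failed password for terry from 172.16.5.20 port 51000 ssh2
May 16 11:41:20 fw sshd[1211]: Accepted publickey for terry from 172.16.5.20 port 51001 ssh2
May 16 12:30:00 fw sshd[1300]: Failed password for invalid user admin from 198.51.100.9 port 3000 ssh2
May 16 12:45:00 fw sshd[1301]: Failed password for invalid user admin from 198.51.100.9 port 3001 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional because
# sshd omits it when the account exists.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Yield (timestamp, source_ip, username) for each failed-password line.

    Syslog lines carry no year, so the caller supplies one (assumed here).
    Accepted logins and unrelated lines are skipped.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["user"]


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {src: peak_count} for sources that produced at least
    `threshold` failures inside any window of `window_seconds`.

    Lines are assumed to be in chronological order, as a log file is.
    """
    recent = defaultdict(deque)  # src -> failure timestamps still inside the window
    flagged = {}
    for ts, src, _user in parse_failures(log_text):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def pf_table_lines(flagged):
    """One address per line, the format `pfctl -t <table> -T replace -f` reads."""
    return "\n".join(sorted(flagged))


if __name__ == "__main__":
    hits = brute_force_sources(SAMPLE_LOG)
    print("sources to block:")
    print(pf_table_lines(hits))
```

With the defaults, the single-failure login from the internal host and the two slow attempts fifteen minutes apart are not flagged; only the source with five failures in four seconds is. Lowering the threshold or widening the window trades fewer missed slow scanners for more false positives from users who mistype a password.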
Re: home network
On Tue, May 16, 2006 at 11:41:51AM -0500, Travis H. wrote:
> You want your cake AND you want to eat it? Ambitious!

Perhaps a little too ambitious for my level of experience. ;p

Thanks for the input. I think I'll simplify the plan a little till I can
get more experience with pf.

--
Terry L. Tyson Jr.
http://tyson.homeunix.org
Re: home network
Re: the linksys wrt54g

Just plug one of the LAN ports into your existing network and leave the
WAN unused. Turn off the DHCP server and give the linksys device a proper
IP on your network. The stock firmware supports this. This is how I am
bridging the wireless linksys network to my wired lan.

On May 16, 2006, at 12:41 PM, Travis H. wrote:
>> Also, I'm still looking into learning how to use the Linksys WRT54G in
>> "bridge mode." As I understand it, I will need to do this.
>
> I don't see why. It can operate as a router just fine. However, the
> stock firmware really isn't designed to do what you're trying to do.
> Consider installing OpenWRT or dd-WRT:
Re: home network
On Tue, May 16, 2006 at 09:31:39PM -0400, Lou wrote:
> Re: the linksys wrt54g
>
> Just plug one of the LAN ports into your existing network and leave
> the WAN unused.
> Turn off the DHCP server and give the linksys device a proper IP on
> your network.
> The stock firmware supports this. This is how I am bridging the
> wireless linksys network to
> my wired lan.

It works. ;) Thanks for the tip. Now, when I get my wireless nic
tomorrow, I'll see how the wireless part works.

--
Terry L. Tyson Jr.
H:281.427.0077 W:832.325.3838
http://tyson.homeunix.org
Re: home network
On 5/16/06, Travis H. <[EMAIL PROTECTED]> wrote:
>> I can't decide if it would be best for the firewall to be transparent
>> or not.
>
> If you're talking about bridging, then that's in direct conflict with
> your desire to admin it from the outside. The only way to admin a
> bridging firewall is on the keyboard and monitor directly attached to
> it. It is also impossible to download any packages/ports, or do just
> about anything other than filter/pass packets. I find it somewhat
> irritating, like cutting off my hands so that someone else can't use
> them to stab me in the eye.

Not entirely true. You can certainly put an IP on the interfaces that
are participating in the bridge (I do exactly that to admin one of my
firewalls that I need transparency at layer 3 with). And the fact that
there are IPs on those interfaces doesn't prevent them from still
serving their purpose as a bridge.

--Bill
Re: home network
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Travis H. wrote:
> If you're talking about bridging, then that's in direct conflict with
> your desire to admin it from the outside. The only way to admin a
> bridging firewall is on the keyboard and monitor directly attached to
> it. It is also impossible to download any packages/ports, or do just
> about anything other than filter/pass packets.

Not necessarily. You could run a TTY on a serial port and connect to it
from another trusted computer via a null-modem cable and a terminal
emulator (or run SLIP and set up an IP link). Alternately, you could slap
an extra NIC into the bridge, assign it an IP address, and make it
accessible from a trusted host inside the network. If this trusted host
is accessible from outside, then you can effectively administer the
bridge from outside your perimeter using either method.

Note that I've never done either of these on OpenBSD (actually, I've
never set up a bridge on any operating system), but I see no reason why
they wouldn't work.

Rennie
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEasjfIvU5mZP08HERAg0aAJ9aj7zcWrAawZqXgbfK2P740YNVewCg3zGQ
n03OOhZwPWOJgcUtLzWNbTk=
=hALI
-----END PGP SIGNATURE-----
Re: home network
>> Just plug one of the LAN ports into your existing network and leave
>> the WAN unused. Turn off the DHCP server and give the linksys device a
>> proper IP on your network. The stock firmware supports this. This is
>> how I am bridging the wireless linksys network to my wired lan.
>
> It works. ;) Thanks for the tip. Now, when I get my wireless nic
> tomorrow, I'll see how the wireless part works.

Really? I found that my traffic to the internet wasn't getting routed
when I did this. Hmm. I'll have to try again.

--
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
Re: home network
On 5/19/06, Travis H. <[EMAIL PROTECTED]> wrote:
>> Just plug one of the LAN ports into your existing network and leave
>> the WAN unused.
>
> Really? I found that my traffic to the internet wasn't getting routed
> when I did this.

Oh... yeah, it has to have an IP on my LAN... which is not
192.168.1/24. So now I have to do NAT on that interface to talk to the
web console, or set pf up as a bridge on that interface. Hrml.

--
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
Re: home network
On Fri, May 19, 2006 at 04:06:17AM -0500, Travis H. wrote:
> On 5/19/06, Travis H. <[EMAIL PROTECTED]> wrote:
>>> Just plug one of the LAN ports into your existing network and leave
>>> the WAN unused.
>>
>> Really? I found that my traffic to the internet wasn't getting routed
>> when I did this.
>
> Oh... yeah, it has to have an IP on my LAN... which is not 192.168.1/24.
>
> So now I have to do NAT on that interface to talk to the web console,
> or set pf up as a bridge on that interface. Hrml.

I was able to get directly to the web interface with my laptop connected
to one of the ports. I gave the wrt 192.168.1.9 and then put that
address into firefox and there it was. I didn't have to do anything
special.

--
Terry L. Tyson Jr.
http://tyson.homeunix.org
Re: home network
On Fri, May 19, 2006 at 08:40:35AM -0500, Travis H. wrote:
> On 5/19/06, Terry <[EMAIL PROTECTED]> wrote:
>> I was able to get directly to the web interface with my laptop
>> connected to one of the ports. I gave the wrt 192.168.1.9 and then put
>> that address into firefox and there it was. I didn't have to do
>> anything special.
>
> That's because the machine you were using to connect to it had
> an IP in 192.168.1/24. If it didn't, you'd have to use NAT or configure
> the WRT to route to that network, or set up an IP alias temporarily
> or something along those lines.
>
> That's because two computers on the same LAN still can't talk
> unless they're on the same IP/netmask. That's because they
> don't "know" that the other network is local.
>
> Also, if you ever have to reset it, then you're going to have to plug
> the laptop in again, since it will revert to 192.168.1.1, which I assume
> is already used in your network.

Thanks for the heads up. :)

--
Terry L. Tyson Jr.
http://tyson.homeunix.org
Re: Home Network Setup
I recommend that you use the RFC1918 class B block. 172.16-32.x.x

I've seen networks that use 10/8 or 192.168/16 internally, and if you
have something like a laptop that needs to travel between your network
and others, things can get hairy when IP addresses conflict. I've had to
renumber my entire network on at least one occasion due to conflicts
with my ISP, and it's a pain.

--
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
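Two points in this thread reduce to address arithmetic: Travis's explanation of why the laptop could reach the WRT's web console only because both sat in 192.168.1/24, and his repeated advice to pick an internal block that does not collide with the WRT's factory 192.168.1.0/24 or the 10/8 some ISPs use. The script below is an added example (editor's code, not from anyone in the thread). `same_subnet()` decides whether two interface addresses will ARP for each other directly, and `collisions()` / `pick_quiet_block()` test a candidate internal network against blocks a travelling laptop is likely to meet. The WRT54G and cable-ISP blocks come from the thread; the generic "other consumer routers" 192.168.0.0/24 entry and the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are the editor's additions.

```python
"""Subnet-reachability and address-space-collision checks for a home network plan.

Added example, not from the thread. Uses only the standard library.
"""
import ipaddress

# The three RFC 1918 private ranges (a fact, not taken from the thread).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Blocks a travelling laptop or a default-configured device is likely to meet.
# The first and third are from the thread; the second is an assumption.
COMMON_BLOCKS = {
    "WRT54G factory LAN": ipaddress.ip_network("192.168.1.0/24"),
    "other consumer routers (assumed)": ipaddress.ip_network("192.168.0.0/24"),
    "cable ISP internal space (per thread)": ipaddress.ip_network("10.0.0.0/8"),
}


def same_subnet(host_a, host_b):
    """True if two interface addresses (e.g. '192.168.1.9/24') can talk
    without a router: each host must see the other's address as local,
    otherwise it sends the packet to its default gateway instead of ARPing."""
    a = ipaddress.ip_interface(host_a)
    b = ipaddress.ip_interface(host_b)
    return b.ip in a.network and a.ip in b.network


def collisions(candidate):
    """Names of COMMON_BLOCKS that overlap the candidate internal network."""
    net = ipaddress.ip_network(candidate, strict=False)
    return [name for name, blk in COMMON_BLOCKS.items() if net.overlaps(blk)]


def pick_quiet_block(candidates):
    """First candidate that is inside RFC 1918 space and overlaps none of
    COMMON_BLOCKS; None if no candidate qualifies."""
    for c in candidates:
        net = ipaddress.ip_network(c, strict=False)
        if any(net.subnet_of(r) for r in RFC1918) and not collisions(c):
            return c
    return None


if __name__ == "__main__":
    # The situation from the thread: WRT at 192.168.1.9/24, laptop elsewhere.
    print(same_subnet("192.168.1.9/24", "172.16.0.5/16"))    # no direct path
    print(same_subnet("192.168.1.9/24", "192.168.1.50/24"))  # temporary alias works
    for cand in ("192.168.1.0/24", "10.20.0.0/16", "172.20.0.0/16"):
        print(cand, collisions(cand))
    print(pick_quiet_block(["192.168.1.0/24", "10.20.0.0/16", "172.20.0.0/16"]))
```

`same_subnet()` checks both directions on purpose: with mismatched masks one host may consider the other local while the reverse is not true, and the reply then goes to a gateway that may not exist. `pick_quiet_block()` is the check to run before numbering a network that will ever be bridged to a default-configured WRT or carried into someone else's LAN on a laptop.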