Re: OpenBSD Firewall architecture

From: jpd (read_the_sig_at_do.not.spam.it.invalid)
Date: 11/20/05

    Date: 20 Nov 2005 01:14:25 GMT
    
    

    Begin <IIPff.349$j7.22110@news.indigo.ie>
    On 2005-11-20, Son of the Speckled Chief <gplally@o2.ie> wrote:
    > I'm new to OpenBSD, and relatively new to Linux. I would like to protect a
    > small network with a PF firewall running on an OpenBSD system, and a Linux
    > box doing content filtering through Squid and DansGuardian.
    > The connection to the internet is an ISDN connection, and I have an SMC
    > Barricade ISDN router.
    > My question is twofold.
    > 1. How do I organise, topologically, these systems?

    However you want. I'd go for ``simple''.

    > 2. How do I organise DHCP on them?

    I have a couple of ideas, the simplest of which involves five minutes'
    work and that's it, but that doesn't mean that is what you want. How
    do you want to organise your IP address assignment management? Which
    features do you need, which do you want, and for how many machines is
    your setup? Depending on that, you have a couple of options.

    > My instinct is to have the ISDN router facing the internet, getting its IP
    > address etc. from the ISP, and DHCP-ing to the first, "external" network
    > interface on the OpenBSD system.

    I'd drop the router, stuff an ISDN card in the OpenBSD box, and go with
    that. If you must use the extra router, I'd just give it a fixed IP.
    Infrastructure like that usually has no real need for DHCP.

    DHCP is great for morons with laptops, and is convenient at most other
    ``user'' settings. I've also used it to ease server management, and
    it came in handy indeed when I needed to move the entire company to a
    different subnet (a public /24, twice in as many years, and now that I'm
    gone they ``reorganized'' again). That does not mean that you _have_ to
    use it on your pet network of three computers.

    [``please hold my hand'']
    > I understand it's not secure running a GUI on a firewall but I don't
    > have the expertise yet to go into a command line interface and do
    > configuring there. Many thanks, Gerard.

    Then get that expertise, soonest. There are plenty of resources on the
    'net that can help you with this. Dead tree versions presumably at your
    local bookstore, or else amazon or equivalent.

    If you really want someone else to help, drop by the local unix users
    group meeting. Or if you insist on custom detail, hire a consultant.

    -- 
      j p d (at) d s b (dot) t u d e l f t (dot) n l .
      This message was originally posted on Usenet in plain text.
      Any other representation, additions, or changes do not have my
      consent and may be a violation of international copyright law.
    
