OpenBSD Firewall architecture - BSD



Thread: OpenBSD Firewall architecture

  1. OpenBSD Firewall architecture

    Hello
    I'm new to OpenBSD, and relatively new to Linux. I would like to protect a
    small network with a PF firewall running on an OpenBSD system, and a Linux
    box doing content filtering through Squid and DansGuardian.
    The connection to the internet is an ISDN connection, and I have a SMC
    Barricade ISDN router.
    My question is twofold.
    1. How do I organise, topologically, these systems?
    2. How do I organise DHCP on them?
    My instinct is to have the ISDN router facing the internet, getting its IP
    address etc. from the ISP, and DHCP-ing to the first, "external" network
    interface on the OpenBSD system. Then the second, internal NIC in the
    OpenBSD system DHCPs to the LAN, of which the proxy server, doing content
    filtering, is a member. Is this correct? I would be grateful for any help
    offered, such as where to do DHCP and where to do static. I'd also
    appreciate a quick run down of what IP ranges to allow in the firewall, and
    what services to close. I'd also like to connect remotely to the firewall
    so that I don't need a monitor -- any advice on this would be appreciated. I
    understand it's not secure running a GUI on a firewall but I don't have the
    expertise yet to go into a command line interface and do configuring there.
    Many thanks,
    Gerard.
    --
    "Truth's a dog must to kennel; he must be whipped out when the Lady Brach
    may stand by the fire and stink" -- The Fool





  2. Re: OpenBSD Firewall architecture

    Begin
    On 2005-11-20, Son of the Speckled Chief wrote:
    > I'm new to OpenBSD, and relatively new to Linux. I would like to protect a
    > small network with a PF firewall running on an OpenBSD system, and a Linux
    > box doing content filtering through Squid and DansGuardian.
    > The connection to the internet is an ISDN connection, and I have a SMC
    > Barricade ISDN router.
    > My question is twofold.
    > 1. How do I organise, topologically, these systems?


    However you want. I'd go for ``simple''.


    > 2. How do I organise DHCP on them?


    I have a couple of ideas, the simplest of which involves five minutes
    work and that's it, but that doesn't mean that is what you want. How
    do you want to organise your ip address assignment management? Which
    features do you need, which do you want, and for how many machines is
    your setup? Depending on that, you have a couple of options.


    > My instinct is to have the ISDN router facing the internet, getting its IP
    > address etc. from the ISP, and DHCP-ing to the first, "external" network
    > interface on the OpenBSD system.


    I'd drop the router, stuff an ISDN card in the openbsd box, and go with
    that. If you must use the extra router, I'd just give it a fixed IP.
    Infrastructure like that usually has no real need for DHCP.

    DHCP is great for morons with laptops, and is convenient at most other
    ``user'' settings. I've also used it to ease server management, and
    it came in handy indeed when I needed to move the entire company to a
    different subnet (a public /24, twice in as many years, and now that I'm
    gone they ``reorganized'' again). That does not mean that you _have_ to
    use it on your pet network of three computers.


    [``please hold my hand'']
    > I understand it's not secure running a GUI on a firewall but I don't
    > have the expertise yet to go into a command line interface and do
    > configuring there. Many thanks, Gerard.


    Then get that expertise, soonest. There are plenty of resources on the
    'net that can help you with this. Dead tree versions presumably at your
    local bookstore, or else amazon or equivalent.

    If you really want someone else to help, drop by the local unix users
    group meeting. Or if you insist on custom detail, hire a consultant.


    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .
    This message was originally posted on Usenet in plain text.
    Any other representation, additions, or changes do not have my
    consent and may be a violation of international copyright law.

  3. Re: OpenBSD Firewall architecture

    jpd wrote:
    >...
    >>I understand it's not secure running a GUI on a firewall but I don't
    >>have the expertise yet to go into a command line interface and do
    >>configuring there. Many thanks, Gerard.

    >
    >
    > Then get that expertise, soonest. There are plenty of resources on the
    > 'net that can help you with this. Dead tree versions presumably at your
    > local bookstore, or else amazon or equivalent.
    >
    > If you really want someone else to help, drop by the local unix users
    > group meeting. Or if you insist on custom detail, hire a consultant.
    >


    OpenBSD does seem to have pretty good man pages. So, combining that with
    newsgroups and the other suggestions pointed out, one should be able to get
    up to speed pretty quickly.
