RE: OpenBSD Firewalls?
Well, I have a rather interesting situation that has eventually led me to
OpenBSD. I'm currently playing with using parts of the FWTK, but I'm finding
it doesn't always seem to do the complete job (like transparent SSL proxying,
for one).
The problem comes in that I have internal users trying to get out, and servers I
want people to get in on, and I want the proxies to be as transparent as
possible. IPFilter is a great packet filter, and I thought the book Building
Firewalls with Linux and OpenBSD was a great introduction to that.
Unfortunately, with the Trojans around today, a packet filter isn't enough,
so I'm looking at a combination of a few different things.
The FWTK website lists a couple of interesting things, including a nice
trick with split DNS and sendmail. I'd suggest reading up on it, as I'm
going to attempt it with QMail to keep my Win2K mail server.
http://www.fwtk.org/fwtk/docs/documentation.html#3.1
I'm also considering using Squid instead of Apache for the content
filtering, but at the moment, Apache wins.
While on holiday I was able to make a copy of Apache Win32 act as a standard
proxy for a web browser, and I got reverse proxying going. The documents on
www.apache.org are obviously written by developers, and not the easiest to
discern, but I eventually worked it out from there.
I considered Dante as a SOCKS server (http://www.inet.no/dante/), but
instead, I'm just going to use plug-gw from FWTK. It gives me better control
in the end. As MSN Messenger and the like all have set destinations, I'll
write those destinations into plug-gw, to make it just a bit more difficult
for any less than friendly applications. :)
If anyone can suggest something I'm missing, please point it out, but as far
as I can tell, this is about as good as I can do without forking over huge
amounts of money (which I don't have) for a commercial firewall. It's all
proven technology. The world's willing to rave over the OS, I hear mostly
good things about IPFilter, and FWTK was, I believe, the first Application
Proxy.
Sorry for making it long winded, but I'm just trying to get across
everything I've found so far. Have fun, and if you find some magical free
package that wraps all of this together with one simple well designed
graphical interface, don't forget to send me an e-mail. ;-)
----
David Crawshaw
www.neuronforge.com
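The combination David describes (IPFilter doing NAT and packet filtering on the OpenBSD box, with the application proxies on that same box carrying the actual traffic, and plug-gw pinned to fixed destinations) can be sketched as three configuration fragments. This is an added illustration, not David's configuration and not taken from the FWTK or IPFilter documentation. Interface names (fxp0 inside, fxp1 outside), addresses, proxy ports and the MSN Messenger destination are assumptions, and the rule syntax is written from memory of IPFilter 3.x and the FWTK netperm-table, so check it against the versions actually in use.

```conf
# /etc/ipnat.rules  (IPFilter NAT; assumed: fxp0 = LAN side, fxp1 = Internet side)
# Transparent outgoing proxies: HTTP and MSN Messenger connections leaving the
# LAN are redirected to proxies listening on the firewall itself, so clients
# need no proxy settings.  ipnat applies rdr on input, before the filter rules.
rdr fxp0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp
rdr fxp0 0.0.0.0/0 port 1863 -> 127.0.0.1 port 1863 tcp
# Transparent reverse proxy: public web requests arriving on the outside
# interface go to the reverse proxy, never straight to the real web server.
rdr fxp1 0.0.0.0/0 port 80 -> 127.0.0.1 port 8081 tcp
# Deliberately NO generic "map fxp1 192.168.1.0/24 -> 0/32" rule: LAN hosts get
# no general NAT, so anything that is not proxied cannot reach the Internet.

# /etc/ipf.rules  (IPFilter packet filter; assumed firewall address 203.0.113.1)
# Default deny on the outside interface in both directions.
block in log on fxp1 all
block out log on fxp1 all
# Only the firewall's own address (i.e. the proxies) may originate connections.
# A trojan on a LAN host that opens a direct socket is dropped here even if it
# picked an "allowed" port such as 80, because its source is a LAN address.
pass out quick on fxp1 proto tcp from 203.0.113.1 to any flags S keep state
pass out quick on fxp1 proto udp from 203.0.113.1 to any keep state
# Inbound: only the reverse-proxied web service is reachable from outside.
pass in quick on fxp1 proto tcp from any to 203.0.113.1 port = 80 flags S keep state
# Inside interface is trusted for local delivery; enforcement is on fxp1.
pass in quick on fxp0 from 192.168.1.0/24 to any
pass out quick on fxp0 all

# /usr/local/etc/netperm-table  (FWTK plug-gw, started from inetd on port 1863)
# plug-gw accepts the LAN connection on port 1863 and opens its own connection
# only to the destination written here, so a program using that port reaches
# the messaging server and nothing else (assumed MSN address and port).
plug-gw: timeout 3600
plug-gw: port 1863 192.168.1.* -plug-to messenger.hotmail.com -port 1863
```

The point a packet filter alone cannot make is the second fragment: with no map rule and a pass-out list that only admits the firewall's own address, an allowed port is not an allowed path, since the only way through is a proxy that decides what it will relay. The plug-gw entry is the narrowest form of that, a fixed destination per port; the HTTP proxy can go further and inspect what it carries.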
> -----Original Message-----
> From: owner-misc@openbsd.org
> Subject: RE: OpenBSD Firewalls?
>
> David, thank you for the excellent explanation, that is exactly
> what i am trying to achieve. Are you using tools out of FWTK or some other
> suite? And you were not kidding on how this kind of project will balloon
> out of proportion on you quickly =) Would you be willing to share with us
> (or at least me personally) some advice on how you have gone about your
> project so far or at least some of the major pitfalls to avoid?
>
>
> --
> Brent Reich
> brent@rascallion.com
>
>
> On Mon, 15 Jan 2001, David Crawshaw wrote:
>
> > From: David Crawshaw <david@zentus.com>
> > Subject: RE: OpenBSD Firewalls?
> >
> > I'd assume he's talking about an application firewall as one that does
> > application filtering. Like FWTK www.fwtk.org, a set of proxies that make
> > sure only what is meant to go out through the firewall is allowed.
> >
> > So for instance, if people are allowed to make outgoing Telnet connections
> > from your network, that a Trojan doesn't use it for other purposes.
> >
> > Packet Filters, even stateful ones are never enough. Unfortunately,
> > application firewalls are very hard to set up.
> >
> > I'm at the moment trying to implement a totally transparent set of outgoing
> > proxies for my users with NAT, and some transparent reverse proxies so I can
> > run some web/mail servers, and Split DNS to do proper mail forwarding with
> > QMail.
> >
> > I jumped into this without realizing how big a project it is. But, you've
> > got to do what you've got to do, on the shoe string you have. :-)
> >
> > ----
> > David Crawshaw
> > www.neuronforge.com
> >
> >
> > -----Original Message-----
> > From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]On Behalf Of
> > Marco S Hyman
> > Sent: Monday, January 15, 2001 5:42 PM
> > To: Brent Reich
> > Cc: Chuck Yerkes; misc@openbsd.org
> > Subject: Re: OpenBSD Firewalls?
> >
> >
> > Brent Reich writes:
> > > cost-effective firewall. preferably on one box. ipfilter seems to be an
> > > excellent starting point, especially if clients can work in a scenario
> > > where we can deny all in. however this is rarely the case. Once we start
> > > opening holes in the firewall a packet filter starts to lose its
> > > potency. what i was looking for is an opensource application firewall
> >
> > Excuse my ignorance. Please define the functional difference between
> > what you call a "packet filter" and what you call an "application
> > firewall".
> > Also, in what way does a "packet filter" lose potency?
> >
> > // marc