Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Firewall Implimentation - Recomendations
Special Forums Cybersecurity Firewall Implimentation - Recomendations Post 302090083 by DraconianTimes on Friday 22nd of September 2006 10:26:06 AM
Old 09-22-2006
Quote:
Originally Posted by pathological
But yes, it does go from Internet > Modem > Firewall (Hardware) > *.*.2.* Network. we have 2 outs form the firewall, the other one goes into another 2 network switch. (Replication) ... We get blasted with viruses like nobodies business, well we are BETTER now that we have some new firewall policies in place ... statics are more important, that is what my Bosses care about when they sign off on buying this stuff.
Well, OpenBSD is free so that price is always a winner in my book! As for hardware, this is of course dependent on the number of packets / size of the pipe you've got connected. An old pentium box will handle T1 speeds with relative ease. After you're read up on the basics of OpenBSD and pf, check out CARP - this allows you to have redundant OpenBSD firewalls which failover in the event of a problem, and it is very configurable.

From what you described above, it sounds like you're trying to achieve redundancy through a partial mesh... it is worth remembering that the "hardware firewall", modem and link to the ISP are all single points of failure which could make all your other efforts moot. BTW, what is this other hardware firewall? Diagram below shows how you might get OpenBSD/pf/CARP in place... but it also shows your single points of failure!

Image

Also, what measures are you taking to inspect traffic for malicious types? Are you running some form of mail/web inspection (MAILSweeper/WEBSweeper or maybe squid/postfix with clamav?)

Nick
 

9 More Discussions You Might Find Interesting

1. Cybersecurity

What Firewall do you use?

Just out of curiosity, I see a lot of people here use Linux IPTables as their firewall. Anyone here use something else like OpenBSD PF or *BSD IPF, IPFW? I'm quite fond of OpenBSD and their Packet Filters. I find their syntax much easier to manage and from my personal experience, I find them... (5 Replies)
Discussion started by: tarballed
5 Replies

2. Cybersecurity

Looking Out from Behind a Firewall

Would it be possible to restrict access to internet pages in the following way? A machine: IP = 128.1.17.123 Only pages from domains of the type "go.jp" and "ne.jp" are viewable. All others are not viewable or only partly viewable. B machine: IP = 128.1.17.146 Regardless of the domain... (4 Replies)
Discussion started by: mntamago
4 Replies

3. UNIX for Dummies Questions & Answers

Firewall Box

I am a novice to linux and unix and command line, I am willing to jump in head first. I have a couple older computers, one is a dell XPS with a P2 Proccessor and th other is a old old sony VIAO. I have a small home network 3 computers...i have my DSL modem then thats connected to my wireless... (2 Replies)
Discussion started by: Tabryan07
2 Replies

4. Shell Programming and Scripting

crone job implimentation

I wanted to enable one shell script in the cronetab,how to do crone tabe enabling pl help me:( regards, ramesh (1 Reply)
Discussion started by: Ramesh Vellanki
1 Replies

5. Cybersecurity

help with firewall

hi everyone I am a newbee to firewall scripting. cannot understand how to write rules per host. in ip6tables. anyone plz:( (2 Replies)
Discussion started by: xecutioner
2 Replies

6. AIX

Firewall

:b:Hi,, How do configure firewall in aix.. similar to linux iptable. Rgards, k.sumathi. (3 Replies)
Discussion started by: sumathi.k
3 Replies

7. SuSE

Firewall

Is there a command line interface to the firewall? (4 Replies)
Discussion started by: jgt
4 Replies

8. Linux

Firewall?

Dear All I have put my windows machine behind my centos firewall server with just one NIC. At now, the windows machine can ping 192.9.9.3 but cannot resolve valid url (like www.google.com). I have set DNS for it as well. Can you please let me know what is the missing step? Thank you (6 Replies)
Discussion started by: hadimotamedi
6 Replies

9. Cybersecurity

Firewall

Hey Guys, I am looking for a good firewall software to implement in medium/large office, with at least 150 users. I was hopping you guys could help me on this one. Regards, (4 Replies)
Discussion started by: andrevicente
4 Replies

LEARN ABOUT REDHAT

pfsync

PFSYNC(4)						   BSD Kernel Interfaces Manual 						 PFSYNC(4)

NAME

     pfsync -- packet filter state table logging interface

SYNOPSIS

     device pfsync

DESCRIPTION

     The pfsync interface is a pseudo-device which exposes certain changes to the state table used by pf(4).  If configured with a physical syn-
     chronisation interface, pfsync will send state changes out on that interface using IP multicast, and insert state changes received on that
     interface from other systems into the state table.

     By default, all local changes to the state table are exposed via pfsync.  However, state changes from packets received by pfsync over the
     network are not rebroadcast.  States created by a rule marked with the no-sync keyword are omitted from the pfsync interface (see pf.conf(5)
     for details).

     The pfsync interface will attempt to collapse multiple updates of the same state into one message where possible.	The maximum number of
     times this can be done before the update is sent out is controlled by the maxupd parameter to ifconfig (see ifconfig(8) and the example below
     for more details).

     Each packet retrieved on this interface has a header associated with it of length PFSYNC_HDRLEN.  The header indicates the version of the
     protocol, address family, action taken on the following states, and the number of state table entries attached in this packet.  This struc-
     ture is defined in <net/if_pfsync.h> as:

	   struct pfsync_header {
		   u_int8_t version;
		   u_int8_t af;
		   u_int8_t action;
		   u_int8_t count;
	   };

NETWORK SYNCHRONISATION

     States can be synchronised between two or more firewalls using this interface, by specifying a synchronisation interface using ifconfig(8).
     For example, the following command sets fxp0 as the synchronisation interface:

	   # ifconfig pfsync0 syncdev fxp0

     It is important that the underlying synchronisation interface is up and has an IP address assigned.

     By default, state change messages are sent out on the synchronisation interface using IP multicast packets.  The protocol is IP protocol 240,
     PFSYNC, and the multicast group used is 224.0.0.240.  When a peer address is specified using the syncpeer keyword, the peer address is used
     as a destination for the pfsync traffic, and the traffic can then be protected using ipsec(4).  In such a configuration, the syncdev should
     be set to the enc(4) interface, as this is where the traffic arrives when it is decapsulated, e.g.:

	   # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0

     It is important that the pfsync traffic be well secured as there is no authentication on the protocol and it would be trivial to spoof pack-
     ets which create states, bypassing the pf ruleset.  Either run the pfsync protocol on a trusted network - ideally	a network dedicated to
     pfsync messages such as a crossover cable between two firewalls, or specify a peer address and protect the traffic with ipsec(4).

     For pfsync to start its operation automatically at the system boot time, pfsync_enable and pfsync_syncdev variables should be used in
     rc.conf(5).  It is not advisable to set up pfsync with common network interface configuration variables of rc.conf(5) because pfsync must
     start after its syncdev, which cannot be always ensured in the latter case.

EXAMPLES

     pfsync and carp(4) can be used together to provide automatic failover of a pair of firewalls configured in parallel.  One firewall handles
     all traffic - if it dies or is shut down, the second firewall takes over automatically.

     Both firewalls in this example have three sis(4) interfaces.  sis0 is the external interface, on the 10.0.0.0/24 subnet; sis1 is the internal
     interface, on the 192.168.0.0/24 subnet; and sis2 is the pfsync interface, using the 192.168.254.0/24 subnet.  A crossover cable connects the
     two firewalls via their sis2 interfaces.  On all three interfaces, firewall A uses the .254 address, while firewall B uses .253.  The inter-
     faces are configured as follows (firewall A unless otherwise indicated):

     Interfaces configuration in /etc/rc.conf:

	   network_interfaces="lo0 sis0 sis1 sis2"
	   cloned_interfaces="carp0 carp1"
	   ifconfig_sis0="10.0.0.254/24"
	   ifconfig_sis1="192.168.0.254/24"
	   ifconfig_sis2="192.168.254.254/24"
	   ifconfig_carp0="vhid 1 pass foo 10.0.0.1/24"
	   ifconfig_carp1="vhid 2 pass bar 192.168.0.1/24"
	   pfsync_enable="YES"
	   pfsync_syncdev="sis2"

     pf(4) must also be configured to allow pfsync and carp(4) traffic through.  The following should be added to the top of /etc/pf.conf:

	   pass quick on { sis2 } proto pfsync
	   pass on { sis0 sis1 } proto carp

     If it is preferable that one firewall handle the traffic, the advskew on the backup firewall's carp(4) interfaces should be set to something
     higher than the primary's.  For example, if firewall B is the backup, its carp1 configuration would look like this:

	   ifconfig_carp1="vhid 2 pass bar advskew 100 192.168.0.1/24"

     The following must also be added to /etc/sysctl.conf:

	   net.inet.carp.preempt=1

BUGS

     Possibility to view state changes using tcpdump(1) has not been ported from OpenBSD yet.

SEE ALSO

     bpf(4), carp(4), ifconfig(8), inet(4), inet6(4), ipsec(4), netintro(4), pf(4), pf.conf(5), protocols(5), rc.conf(5) ifconfig(8), ifstated(8),
     tcpdump(8)

HISTORY

     The pfsync device first appeared in OpenBSD 3.3.  The pfsync device was imported to FreeBSD 5.3.

BSD
								   June 6, 2006 							       BSD
All times are GMT -4. The time now is 10:58 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy