The amount of things that are possible with pf, including but not limited to:
- scrubbing packets (changing the packet's random identifiers to be _more_ random to help protect hosts behind the firewall with bad random number generators)
- complete on-the-fly reassembly of tcp connections (so no fragments pass through the filter that could bypass the rules)
- simple and *incredibly* powerful class-based queueing
- the ability to stack class-based queues within priority-based queues, as deep as your requirements require
- rulesets that allow you to actually filter on interface by name, as opposed to changing that interface to an IP when the rule is imported (as iptables does with simple rules)
- the list goes on and on
The ability to boot entirely to a serial console as well as push the BIOS out is just icing on the cake (Linux is capable of doing this as well, it's only not as well documented because it's a less common setup). I have to say, the box that Jason and I set up for transparent firewalling is very much an "ideal" firewall in my mind. It's next to impossible that it would be the first machine on your network to be compromised, and it's the gatekeeper to protecting the rest of the machines.
About the only thing we could have added that we didn't have, would be some form of Intrusion Detection or Prevention software. I'm not sure how we would handle convenient alerting of intrusions, as it can't readily send mail. I wonder how difficult it would be to originate a spoofed smtp connection from that machine sourced from a machine inside the network destined for a machine outside the network. Another option would of course be a simple dial-up modem and only page under extreme circumstances. Perhaps another serial connection to a machine running a daemon on that port, that would allow you to connect and send mail. Okay, that's about the extent of my ideas and ramblings. Just a few thoughts. :)
Aaron S. Joyner
On May 2, 2004, at 12:37 AM, Jason Tower wrote:
the other neat thing about this setup is that it can be *very* minimalistic. the box that jon referenced is using a 1gb disk with 70% free space, 32mb ram w/ 20mb free and 6 running processes.
management is also different from most linux setups. since it has no IP addresses on either interface, you can't ssh to it. instead, you ssh to another host and run minicom which communicates with the firewall via a serial port. this particular hardware has the ability to direct the bios display to a serial port, so you can actually see the bootup info and even change bios options remotely. pretty slick :-)
props to aaron joyner who helped with the setup and configuration of this particular device.
jason
On Saturday 01 May 2004 19:35, Jon Carnes wrote:
Jason Tower showed me a neat trick the other day - using OpenBSD to insert a Firewall/packet filter transparently into an existing network.
The firewall uses no IP addresses and sits between the router and the company's external switch. The external switch has various boxen attached - each of which uses an external IP address. All the external IP addresses are in use, so the firewall/packet filter had to be inserted without using any additional IPs.
This does the trick rather nicely: http://www.openbsd.org/faq/faq6.html#Bridge
Enjoy!
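To make the two halves of this thread concrete (Jon's bridge with no IP addresses on either NIC, and Aaron's list of pf features: scrubbing with random IP IDs, fragment reassembly, filtering by interface name, class-based queueing), here is an added example ruleset. It is not from the thread or from the OpenBSD FAQ page linked above, and it is written in current OpenBSD pf.conf syntax rather than the 2004-era syntax the original box would have used (back then scrub was a standalone rule and queueing went through altq). The interface names em0/em1, the 10M bandwidth figure, and the set of allowed ports are all assumptions chosen for illustration.

```pf
# Added example, not the thread's own configuration. Interface names,
# bandwidth and allowed ports are assumptions; adjust to the real box.
#
# Bridge setup, done outside pf.conf. Neither NIC gets an IP address,
# which is what lets the firewall drop into a network with no free IPs:
#   /etc/hostname.em0:     up
#   /etc/hostname.em1:     up
#   /etc/hostname.bridge0: add em0 add em1 up
#
ext_if = "em0"   # faces the router
int_if = "em1"   # faces the company's external switch and its hosts

# Never filter the loopback interface
set skip on lo0

# Normalisation: rewrite IP IDs to random values for hosts behind the
# bridge, reassemble fragments before any rule is evaluated, and apply
# TCP sanity checks (sequence/window tracking)
match in all scrub (random-id reassemble tcp)

# Class-based queueing on the interface the packet leaves through; here
# that is the traffic heading down toward the hosts on the switch.
# The child queues share the root's bandwidth; "bulk" is the default.
queue rootq on $int_if bandwidth 10M
queue bulk  parent rootq bandwidth 8M default
queue ssh   parent rootq bandwidth 2M
match out on $int_if proto tcp to port 22 set queue ssh

# Default deny, logged, so anything not explicitly allowed shows up in pflog0
block log all

# A bridged packet crosses pf on both NICs; filter it once, on the
# router-facing side, and let the switch-facing side pass unconditionally
pass quick on $int_if

# Inbound from the router: only the published services. Note the rule is
# tied to the interface by name, not to an IP address of the firewall.
pass in on $ext_if proto tcp to port { 22 80 443 }

# Hosts behind the bridge may initiate anything outbound; replies come
# back through the state table created here
pass out on $ext_if proto { tcp udp icmp }
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only) and then `pfctl -f /etc/pf.conf`; because the machine has no IP address, both are typed over the serial console Jason describes. `tcpdump -n -e -ttt -i pflog0` on that same console is the closest thing to the alerting Aaron wonders about: blocked packets from the `block log` rule appear there without the box needing to send mail.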
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
