[KLUG Members] Quick openBSD question

Kevin DeGraaf members@kalamazoolinux.org
Fri, 12 Oct 2001 23:43:48 -0400 (EDT)


> I'm building a firewall for the office here, which has a few servers
> with live internet IPs, which need to have direct access: web servers,
> etc. Anyway, I'm following a doc here for a bridging firewall, and I
> think this is what I need... I guess it needs to be a bridge, to act
> as a go-between for the IPs that lie behind it.

Not necessarily.  IIRC, the bridging HOWTO specifically states that due to
the interaction between the bridging code and the firewalling code,
building a completely transparent bridging firewall is not possible at
this point.

Anyway, the best course of action would be to check with a network
engineer at your ISP; he may be able to give you one IP address outside of
the block your servers are in, and he may be willing to lay a static route
through this external IP for your block.  This is exactly how our office
at work is set up: our firewall has an external address of xxx.xx.200.154,
and all traffic for our block (xxx.xx.199.132/28) is routed through it.
It works very well, and I'd be happy to share my iptables script with you
privately.

Which ("iptables") brings me to my next point: screw OpenBSD and use Linux
on your firewall.  That [Free|Net|Open]BSD is "more secure" than Linux is
a mere urban legend.  A properly locked-down Linux box is NOT going to be
compromised.

Finally, if the above scenario is not an option (and I don't see why it
wouldn't be), you could look into running an RFC-1918 LAN (192.168.x.x),
using either IP aliasing or proxy ARP in combination with DNAT to solve
your problem... but I'd highly recommend doing it "properly" as I outlined
above.  I actually have a working alias/DNAT setup going on in my
apartment, if anyone's interested...

-------------
Kevin DeGraaf
http://www.kevindegraaf.net/
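The routed (non-bridging) setup described in the reply, as an added example and not the poster's own script: the firewall holds one external address and the ISP routes the server block through it, so the box only needs a default-deny FORWARD chain with anti-spoofing, stateful reply handling, and explicit holes for the published services. Interface names, the 203.0.113.128/28 block and the web server address are constructed placeholders; the script prints the iptables commands by default and only applies them when run as root with RUN set to empty.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes eth0 faces the ISP (the single
# external address lives there) and eth1 faces the routed server block.
EXT_IF=eth0
INT_IF=eth1
SERVER_NET=203.0.113.128/28   # constructed placeholder for the routed block
WEB_SERVER=203.0.113.130      # constructed placeholder for one public server
RUN=${RUN-echo}               # dry-run by default; RUN= sh firewall.sh applies for real

build_rules() {
    # the box is a router, not a bridge: forwarding must be on
    $RUN sysctl -w net.ipv4.ip_forward=1
    # start clean and default-deny everything crossing the firewall
    $RUN iptables -F FORWARD
    $RUN iptables -P FORWARD DROP
    # anti-spoofing: packets arriving from the ISP side claiming our block are bogus
    $RUN iptables -A FORWARD -i "$EXT_IF" -s "$SERVER_NET" -j DROP
    # stateful: replies to already-accepted flows pass in both directions
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the servers may open outbound connections (updates, DNS, mail relay)
    $RUN iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$SERVER_NET" \
        -m state --state NEW -j ACCEPT
    # from the internet, only the published services on the web server are reachable
    for port in 80 443; do
        $RUN iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WEB_SERVER" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # log (rate-limited) whatever falls through before the DROP policy eats it
    $RUN iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

build_rules
```

Because the block is routed rather than bridged, the same rules work unchanged if more servers are added to the /28; each new public service is one more explicit ACCEPT line.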