PF One box + two NICs = firewall

Hey all,
I plan to set up a firewall. One box, with two NICs, in between the router and the rest of the LAN.
One NIC looks towards the router, the other looks inward...
It may slow things down (a bit) but it may make things (a lot) safer.
A web based interface to administer would be great too...
Is there a tutorial to do that so I can learn something new?
Thanks a ton
🥀Melissa🥀
 
and the rest of the LAN.
Depending on how your LAN is wired, you may need to consider how much CPU power your firewall needs. Is your ISP using a PPPoE modem with bridging?
What class of service do you have? Gigabit? You need to consider your current network. What acts as gateway/DHCP server? Are you running those on this firewall?

A dedicated firewall with PF/dnsmasq is what I use but it does act as a single point of failure. My switches still route but any new connections cannot connect.

I learned from the Book of PF and I recommend it. Even a used copy or an earlier edition.
I learned on the 2nd edition, while the 3rd edition is currently in print. The 4th edition is on pre-order, an update to a 10-year-old version.
 
At home my router/firewall is a mini PC with only one NIC, configured with VLANs, plus two VLAN-aware switches. One switch is upstairs and the other downstairs. Works great.
 
At home my router/firewall is a mini PC with only one NIC, configured with VLANs, plus two VLAN-aware switches. One switch is upstairs and the other downstairs. Works great.
Yep, that's something I'd plan on doing. I'd take two NICs just because I think it's easier (read: something I understand)... but, yep, that's where I need to go. I'd need to have my LAN disconnected once in a while...
 
I'd take two NICs just because I think it's easier
Absolutely the best for a first experience. On a headless device I would say three interfaces: one for an admin interface in case you lock yourself out with pf rules.
The Book of PF has sections for FreeBSD as well as OpenBSD. A physical book is nice because you can annotate it. There were many things I did not need.
Same with book editions. The core program is the same, but new blocking methods like blacklistd will probably be in the 4th edition.

One thing I have learned over the years: you really want Intel interfaces on your firewall... LAGG if you have the interfaces.
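The "plan for when you lock yourself out" that the post above recommends, written out as an added example (this is not a script from the thread or from the FreeBSD project). It wraps two real pfctl invocations: `pfctl -nf FILE` parses a ruleset without loading it, and `pfctl -f FILE` loads it. Everything else is the wrapper's own convention: `PFCTL`, `ROLLBACK_SECS` and `PF_PENDING` are hypothetical knobs (so the logic can be exercised with a stub instead of a live firewall), and the known-good ruleset is simply whatever file you pass as the second argument, typically a copy of the last pf.conf that worked.

```shell
#!/bin/sh
# Added example: load a new pf.conf on a headless FreeBSD firewall
# without locking yourself out.
#
#   1. pfctl -nf NEW      parse only; a typo never reaches the kernel
#   2. pfctl -f NEW       load the new rules
#   3. background timer   reload KNOWN_GOOD after ROLLBACK_SECS unless
#                         confirm_reload is run from a fresh session
#
# Hypothetical knobs (wrapper conventions, not pf features):
#   PFCTL         command to run instead of pfctl (lets a test stub it)
#   ROLLBACK_SECS how long you have to confirm before rollback
#   PF_PENDING    token file; while it exists the rollback is armed
set -u

PFCTL="${PFCTL:-pfctl}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"
PF_PENDING="${PF_PENDING:-/var/run/pf.rollback.pending}"

# safe_reload NEW KNOWN_GOOD
# returns 0 when NEW is loaded and the rollback timer is armed,
#         2 on a syntax error (nothing touched), 3 if the load failed.
safe_reload() {
    new="$1"
    good="$2"
    if ! "$PFCTL" -nf "$new"; then
        echo "syntax error in $new: nothing loaded" >&2
        return 2
    fi
    if ! "$PFCTL" -f "$new"; then
        echo "load of $new failed" >&2
        return 3
    fi
    : > "$PF_PENDING"
    # If the new rules cut off your SSH session you cannot run
    # confirm_reload, the token survives, and the old rules come back.
    (
        sleep "$ROLLBACK_SECS"
        if [ -e "$PF_PENDING" ]; then
            "$PFCTL" -f "$good"
            rm -f "$PF_PENDING"
        fi
    ) &
    echo "loaded $new; run confirm_reload within ${ROLLBACK_SECS}s to keep it" >&2
    return 0
}

# confirm_reload: disarm the timer. Run it from a session opened AFTER
# the new rules went live; being able to open that session is the proof.
confirm_reload() {
    if [ -e "$PF_PENDING" ]; then
        rm -f "$PF_PENDING"
        echo "new rules confirmed" >&2
        return 0
    fi
    echo "nothing pending: timer already fired, old rules restored" >&2
    return 1
}
```

Typical use on the box: `cp /etc/pf.conf /etc/pf.conf.good`, edit `/etc/pf.conf`, then `safe_reload /etc/pf.conf /etc/pf.conf.good`, open a second SSH session and run `confirm_reload` there. The parse-only step catches the common case (a typo) before anything changes; the timer covers the rarer case where the rules parse fine but are wrong.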
 
A web based interface to administer would be great too...
Don't know about a web- or GUI-based admin interface. But editing the pf.conf file is not very difficult.

Is there a tutorial to do that so I can learn something new?
There are zillions of tutorials for using PF. As long as you start with the easy stuff (just NAT and filtering), it is very very easy.
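The "just NAT and filtering" starting point the two replies above describe, as an added example (this is a ruleset written for this page, not one from the thread or from the Book of PF). It uses FreeBSD pf syntax, which matters because of the divergence other posters warn about: FreeBSD keeps the separate `nat on ...` rule, while OpenBSD moved translation into `match out ... nat-to`. The interface names em0/em1/em2 are assumptions (Intel NICs, as recommended in the thread); the admin NIC is the optional third interface and is left unfiltered so it stays usable if a LAN-side rule goes wrong.

```pf
# /etc/pf.conf for a two-NIC FreeBSD firewall between the router and the LAN
# (added example; em0/em1/em2 are assumed names, substitute your own)

ext_if = "em0"        # faces the router
int_if = "em1"        # faces the LAN
adm_if = "em2"        # optional third NIC, out-of-band admin only
lan_net = $int_if:network

# Never filter loopback or the admin NIC: the admin NIC is the way back in
# if a rule below locks you out of the LAN side.
set skip on { lo0 $adm_if }

# Reassemble fragments so the rules see whole packets.
scrub in all fragment reassemble

# NAT: everything from the LAN leaves with the router-facing address.
# (FreeBSD form; OpenBSD uses "match out on $ext_if ... nat-to ($ext_if)".)
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, logged to pflog0 (watch with: tcpdump -n -e -ttt -i pflog0).
block log all

# Drop packets whose source address claims to be the LAN but arrive elsewhere.
antispoof quick for $int_if

# The firewall itself may talk out (DNS, freebsd-update, pkg). State makes
# replies, and the replies to forwarded LAN traffic, come back in.
pass out on $ext_if inet keep state

# LAN hosts may reach the firewall only for DHCP, DNS and SSH ...
pass in quick on $int_if inet proto udp from any port bootpc to any port bootps
pass in on $int_if inet proto { tcp udp } from $lan_net to ($int_if) port domain keep state
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port ssh keep state

# ... and anywhere beyond it (destinations outside the LAN).
pass in on $int_if inet from $lan_net to ! $lan_net keep state

# Nothing unsolicited from the router side: the "block log all" above covers it.
```

To bring it up: put `gateway_enable="YES"`, `pf_enable="YES"`, `pf_rules="/etc/pf.conf"` and `pflog_enable="YES"` in /etc/rc.conf, check the file with `pfctl -nf /etc/pf.conf` (parse only), then `service pf start`. The DHCP rule only matters if the firewall is also the DHCP server (dnsmasq, as one poster runs); drop it otherwise. Note that the first `pass in on $int_if` rules are what make this "filtering" rather than just NAT: a LAN host can reach the internet, but can only reach the firewall itself on the three services listed.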

Absolutely the best for a first experience. On a headless device I would say three interfaces: one for an admin interface in case you lock yourself out with pf rules.
The advice for having a 3rd port is not bad. I've been running firewalls since roughly 1998, first on Linux (dedicated machine), then on OpenBSD and FreeBSD. The machines were never quite headless ... they always had a keyboard and VGA attached, but they were in the basement. I don't remember having to walk down to the basement because I screwed up the PF rules too badly. It may have happened occasionally, but if so, it must have been very rare. But you need to have a plan in place for when it happens.

The Book of PF has sections for FreeBSD as well as OpenBSD.
Second the suggestion of getting a book, or finding a tutorial that is in book form, and explains the fundamentals (like TCP versus UDP, packet reassembly, SYN, and so on).

And a warning: OpenBSD and FreeBSD both use the PF system for packet filtering (FreeBSD also has other packet filter systems); but the syntax has diverged over the last decade between them, so make sure the book or tutorial you use is FreeBSD specific.
 