Re: [Nolug] Joey's Network Info

From: Joey Kelly <looseduk_at_ductape.net>
Date: Mon, 17 Dec 2001 21:58:01 +0000
Message-Id: <01121721580114.01203@rahab>

I don't know what OpenBSD is doing these days, but if you want ipfilter, there
is the main site, which I found linked on the NetBSD.org page:

http://coombs.anu.edu.au/~avalon/ip-filter.html

and a totally incredible howto:

http://www.obfuscation.org/ipf/ipf-howto.txt

Freesco is neat, I use it, as do half the noluggers, I suppose. I have the
netbsd firewall project (http://www.dubbele.com) running at a location. The
packaged deal is more than adequate, with pre-written rules and configured to
be secure, a plug-and-play operation, even easier than freesco. However,
putting that up will not teach you anything about BSD, really. I wanted to
take the time to learn more about BSD, so I put up a regular install of
NetBSD, and built the firewall from scratch. I learned a lot going through the
docs and doing things myself.

I haven't gone through the entire howto yet, but I gleaned enough to make my
stuff fairly secure. What I can tell you, though, is that the howto takes
standard packet filtering theory, and applies it to ipfilter, step by step.
I've seen the same stuff in a book written for ipchains, which I read
half-way through.

As far as the network diagram goes, I changed a few things here and there
since I drew it up last spring. The basic layout is the same, but I have fewer
machines than planned, and my workstation no longer boots to That Other
Operating System. My wife's box has become my server, and she has a dedicated
winbox (ugh, not my choice).

--Joey

Thou spake:
>Speaking of firewalls. I am thinking of trying freesco but perhaps I would
>also like to take a good look at openbsd 3.0. What kind of example scripts
>can I look at (in ipchains/tables and ipf/pf format) to get an idea ahead of
>time of what I can tweak?
>
>Thanks,
>
>ml
>
>On Monday 17 December 2001 19:40, you wrote:
>> Why do you think this is so bad? It's obvious he meant it to be publicly
>> available. It doesn't give an attacker anything useful. And it's not
>> like this lan is anything atypical with some intriguing back door. There
>> are only two ways in:
>> 1) through his netbsd firewall. You don't need an image of the LAN to
>> discover he's running a netbsd firewall. If there's a bug in NetBSD
>> that's exploitable, it'll be exploited if he doesn't plug it first.
>> And once an attacker's in, there's no mystery to discovering the other
>> PCs (if they're even interested in the internal LAN).
>> 2) sitting at a terminal in his house.
>>
>> On Mon, Dec 17, 2001 at 03:44:36PM -0800, Bryant Stewart wrote:
>> > Hey Joey,
>> >
>> > http://joeykelly.dhs.org/goodies/Codifer_LAN.gif
>> >
>> > Do you think that you should leak this critical
>> > information onto the net?? Someone here might get
>> > bored on a Friday night and start to have a bit of
>> > fun...
>> >
>> > Bryant Stewart
>> >
>> > ___________________
>> > Nolug mailing list
>> > nolug@nolug.org

-- 
Joey Kelly
< Minister of the Gospel | Computer Networking Consultant >
http://joeykelly.dhs.org
"When Government fears the people, it's liberty.
When people fear the Government, it's tyranny."
-- Benjamin Franklin
Received on 12/17/01

This archive was generated by hypermail 2.2.0 : 12/19/08 EST