[TriLUG] Drop and insert transparent firewall (OpenBSD)
Aaron S. Joyner
aaron at joyner.ws
Sun May 2 11:27:24 EDT 2004
Jon Carnes wrote:
>How about a third network card in the box and if you need to send a
>warning, have the system bring that NIC on-line and send out a warning,
>then take the NIC off-line again?
>
This is sort of like what I had in mind, although for simplicity I'd
probably just bring up a temporary IP address on the internal interface,
and send the warning from there. Unless that 3rd NIC was on a separate
network (unlikely), then it probably wouldn't make much difference from a
security standpoint if it were the NIC passing all of the traffic, or a
different NIC on the same subnet. As an added benefit (if you have
enough addresses) you might bring up that NIC with a random IP address,
from a small range of, say, 3 or 4, to make it a little harder to predict
an address you'd be able to attach to that belongs to the firewall.
Snort for network ID and something like your hidden partition
suggestion, or even Samhain or Tripwire would work well for local ID.
It's just something we didn't go to the trouble to implement, given the
box's complete lack of direct network accessibility.
Aaron S. Joyner
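A sketch of the temporary-alias approach discussed in this thread, as an added example that is not part of the original posts: the script picks one address from a small pool, adds it as an alias on the internal interface, delivers the warning, and removes the alias again. The interface name fxp1, the address pool, the netmask and the recipient address are assumptions; with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original thread. All names below are assumptions.
IFACE="${IFACE:-fxp1}"                       # internal side of the bridge
POOL="${POOL:-192.168.1.250 192.168.1.251 192.168.1.252 192.168.1.253}"
MASK="${MASK:-255.255.255.0}"
ADMIN="${ADMIN:-admin@example.com}"
DRY_RUN="${DRY_RUN:-1}"                      # set to 0 on the real firewall

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Pick one address from the pool at random. $RANDOM is not POSIX, so the
# index is drawn from /dev/urandom instead.
pick_addr() {
    set -- $POOL
    n=$#
    idx=$(( $(od -An -N2 -tu2 /dev/urandom | tr -d ' ') % n + 1 ))
    eval "echo \${$idx}"
}

# Send the warning text to the admin with mail(1).
deliver() {
    printf '%s\n' "$1" | mail -s "firewall alert" "$ADMIN"
}

# Bring the alias up, deliver the warning, bring the alias down again.
# The alias is removed whether or not delivery succeeded; the function
# returns the delivery status.
send_warning() {
    msg="$1"
    addr=$(pick_addr)
    run ifconfig "$IFACE" alias "$addr" netmask "$MASK"
    run deliver "$msg"
    rc=$?
    run ifconfig "$IFACE" -alias "$addr"
    return $rc
}
```

On the firewall itself this would be invoked from whatever raises the alert (a Snort or Samhain hook, for instance) with DRY_RUN=0 and run as root so ifconfig can add the alias.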