How to limit an ISC to local network

7 posts
Replies: 6 - Last Post: September 11, 2009 13:55
by: Andreas Huber
 
Posted: July 21, 2009 10:52 by Andreas Huber
I'm planning to use ISC for my home server. It will have some ISCs with services for the internet (using NAT in the DSL-router) but also some ISCs with local-only services.

How could I use ipf to restrict the traffic from going out of the net? The router has a fixed IP address (192.168.1.1 in a /24 net).

Thanks & Regards
Andreas
 
Posted: July 28, 2009 20:41 by Glenn Brunette
Do you have a diagram of what you are trying to achieve?
 
Posted: August 10, 2009 08:47 by Andreas Huber
This image shows the server I'm trying to set up. The global zone / ISC Dock is shown in yellow, the ISCs in green. I'm using a DSL-Router to connect to the Internet which spans a WLAN. The ISC Dock and the router both have fixed IPs in this WLAN. As you can see, there are (currently three) forwarded ports on the router which provide services on the Internet (using DynDNS). There will be more services (e.g. a file server and a media/streaming server), which should only be available on the local WLAN.

[http://andunix.net/_media/project/isc_at_home/overview.png]
 
Posted: August 17, 2009 13:17 by Glenn Brunette
Andreas, thank you for the diagram - it helps quite a bit. Unfortunately, with the ISC preview code available today you can not completely automate this. You could do most of what you are trying to do, but you would need to set up a bit of the Crossbow networking yourself. I have been looking into updates to the ISC code to make the networking configuration a lot more flexible, but I do not have any code to share right now. This initial preview has all of the ISCs created on a single etherstub (virtual switch).

 
Posted: August 17, 2009 15:21 by Andreas Huber
Hi Glenn, I know that I have to route the "inner" connections (like apache -> glassfish) over another etherstub.
And as I have foreseen some confusion when having multiple etherstubs, I have written a little dladm2dot script which visualizes the virtual network: http://andunix.net/solaris/dladm2dot

But this topic is about another problem.
As you can see, the box also has ports on the bottom which are not forwarded to the internet.
As they are not configured in the router, they shouldn't be accessible.
To have double security, I'm trying to configure the firewall to exclude the router's IP address in the ipf.conf.

Let's say, the router has the IP 192.168.0.1 and the server has 192.168.0.10.
The rule for http would be:

pass in quick on e1000g0 proto tcp from any to 192.168.0.10 port = 80 keep state


Would this be correct for the file (smb) server?

block in quick on e1000g0 proto tcp from 192.168.0.1 to 192.168.0.10 port = 445 keep state
pass in quick on e1000g0 proto tcp from any to 192.168.0.10 port = 445 keep state


Could I add this rule after all public ports to block any following rule from the router's address?

block in quick from 192.168.0.1 to any

 
Posted: September 02, 2009 13:26 by Glenn Brunette
Andreas, please accept my apologies for the delay in responding. I am not sure why I do not get e-mail notification about posts to this forum. To answer your question I think I may need a few more details. Are you using a single physical Ethernet interface on both sides (top and bottom of your diagram)? If yes, are you using the same subnet for both Internet facing and internal services? If yes, I assume you are using port forwarding on your router to allow external/Internet requests to reach the ISC? Can you confirm or clarify?

Secondly, what is your security concern? Are you only attempting to block access from the router (or perhaps requests originating beyond the router)? Do you know what IP addresses can access port 445, for example? If you know this in advance, you can allow those and block all others.

Please let me know.

g
 
Posted: September 11, 2009 13:55 by Andreas Huber
Hi Glenn,

sorry for also not answering, I was on holiday. I don't think that there is an e-mail notification in this forum; I'm using RSS to monitor it.

For the given conditions (flat layout, given hardware, minimize power consumption), the infrastructure is suboptimal. I only have one subnet at home, which is a WLAN (pulling ethernet cables through the living room is no option and the router is an Apple Airport Express). Second, a Mac OS X "server" for recording TV and the OpenSolaris server share their hardware (for hardware and power consumption costs). This results in the following layout. The DSL is terminated by the DSL-Router with no firewall, just NAT to WLAN (using WPA1&2). There is a Mac mini running Mac OS X and the TV-recording software. On the Mac mini, there also runs VMware, which provides virtual hardware for OpenSolaris. So yes, there is only one interface and it uses bridging.

All clients in the WLAN should be able to use all services, the clients from the internet should only be able to use special services (e.g. ports 22, 80, 443). I don't trust the DSL-router, as with NAT-Traversal there could be big holes in the NAT. As one principle of the ISC is that everything is forbidden which is not allowed, I want to close the services from the router.

Thanks,
A.
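The question running through the thread is whether ipf rules ordered as "pass the public ports, then block everything from the router's address, then pass the LAN-only services" actually produce the wanted result (LAN clients reach everything, anything arriving via the router reaches only ports 22, 80 and 443). The following is an added example, not code posted in the thread: a small Python evaluator for the subset of IPFilter syntax used above, modelling ipf's first-match semantics for rules marked `quick` (without `quick`, the last matching rule wins) and ipf's default of passing a packet that matches no rule. The interface name e1000g0, the router 192.168.0.1 and the server 192.168.0.10 are taken from the post; the LAN client 192.168.0.42, the extra port 8080 and all three rulesets are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Packet = Tuple[str, str, str, str, int]  # (iface, proto, src, dst, dst_port)

# ipf passes a packet that matches no rule unless the ruleset ends with an
# explicit "block in all"; that default is modelled as a constant here.
DEFAULT_ACTION = "pass"

# Only the rule shapes used in the thread are parsed; anything else is rejected.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+in(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?"
    r"(?:\s+keep\s+state)?\s*$"
)


@dataclass
class Rule:
    action: str
    quick: bool
    iface: Optional[str]
    proto: Optional[str]
    src: str
    dst: str
    port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        iface, proto, src, dst, port = pkt
        if self.iface and self.iface != iface:
            return False
        if self.proto and self.proto != proto:
            return False
        if self.src != "any" and self.src != src:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        return self.port is None or self.port == port


def parse_rules(text: str):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        rules.append(Rule(m["action"], m["quick"] is not None, m["iface"],
                          m["proto"], m["src"], m["dst"],
                          int(m["port"]) if m["port"] else None))
    return rules


def decide(rules, pkt: Packet) -> str:
    """ipf semantics: scan top to bottom; the last matching rule wins unless a
    matching rule carries 'quick', which stops the scan immediately."""
    result = DEFAULT_ACTION
    for r in rules:
        if r.matches(pkt):
            result = r.action
            if r.quick:
                break
    return result


ROUTER, SERVER, LAN_CLIENT = "192.168.0.1", "192.168.0.10", "192.168.0.42"

# Constructed ruleset in the order discussed: public ports, then a catch-all
# block for the router's address, then the LAN-only services.
RULESET = """
pass in quick on e1000g0 proto tcp from any to 192.168.0.10 port = 22 keep state
pass in quick on e1000g0 proto tcp from any to 192.168.0.10 port = 80 keep state
pass in quick on e1000g0 proto tcp from any to 192.168.0.10 port = 443 keep state
block in quick on e1000g0 from 192.168.0.1 to any
pass in quick on e1000g0 proto tcp from any to 192.168.0.10 port = 445 keep state
"""

# The per-port pair from the post: block the router for 445, pass everyone else.
PER_PORT = """
block in quick on e1000g0 proto tcp from 192.168.0.1 to 192.168.0.10 port = 445 keep state
pass in quick on e1000g0 proto tcp from any to 192.168.0.10 port = 445 keep state
"""

# Same catch-all, but placed before the public ports, to show why order matters.
MISORDERED = """
block in quick on e1000g0 from 192.168.0.1 to any
pass in quick on e1000g0 proto tcp from any to 192.168.0.10 port = 80 keep state
"""


def verdicts(ruleset_text: str, ports=(22, 80, 443, 445, 8080)) -> Dict[Tuple[str, int], str]:
    """Return {(source, dst_port): action} for the router and a LAN client."""
    rules = parse_rules(ruleset_text)
    return {(src, port): decide(rules, ("e1000g0", "tcp", src, SERVER, port))
            for src in (ROUTER, LAN_CLIENT) for port in ports}


if __name__ == "__main__":
    for (src, port), action in verdicts(RULESET).items():
        print(f"{src:>13} -> {SERVER}:{port:<5} {action}")
```

Two things the table makes visible: with the catch-all `block ... from 192.168.0.1 to any` placed after the public-port rules, the router's address reaches 22/80/443 and nothing else, while the LAN client reaches 445 and, because ipf passes unmatched traffic by default, also any port with no rule at all (8080 here); moving the same catch-all above the public-port rules blocks the router from port 80 as well, since the first matching `quick` rule ends the scan.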
© 2010, Oracle Corporation and/or its affiliates