[RndTbl] Main firewall / router for public facing subnet

Trevor Cordes trevor at tecnopolis.ca
Mon Mar 30 23:06:13 CDT 2020


On 2020-03-30 Alberto Abrao wrote:
> Doing it for a single external IP is manageable to me, the thing is
> the leap in doing it for multiple public IPs. I do know I have some
> heavy reading ahead, and I look forward to it. Any recommendations
> are very much appreciated.

That part is easier than you think.  I haven't done it yet, mainly
because I'm too cheap to spring for a plan with multiple statics, but
I'm pretty sure you'll just set up your single interface to listen on
multiple IPs.  Then use routing and/or packet-mangling-du-jour methods
to forward them to the correct internal boxes.  After firewall checks,
of course.

Easy for statics, but you might not be able to do more than 1 of your
DHCP dynamic on that interface, though??  Unless you can set up a 2nd
"fake" MAC on the same interface?  Others can chime in.

> I used to do one-box-for-everything as well, mostly because I didn't 
> have a lot of equipment to begin with. However, I see lots of people 
> talking about security, and I can see having things on separate

I'm of the opinion that if you're a wizard it really doesn't matter if
it's all one box or not.  If they p0wn your firewall, chances are
they'll then hop into whatever internal, less protected, box they want
anyhow without much trouble.  The key is to not get p0wned.  I'm talking
from a personal and micro-business standpoint: for corporate of course
you'll want to throw money at separating everything.

It's hard enough, and expensive enough, trying to keep X quality (read:
ECC) boxes going, let alone X+1 boxes (and more +1's for every new
task).  I'd rather have 1 boss ECC system that I know won't give me
grief do everything than a handful of cheap / small / esoteric boxes
(probably with no ECC).  It's my philosophy.  I understand it's not
shared by the writers of best practices.  YMMV.

If you've already learned OpenBSD and like it, of course stick with it,
unless you've hit limitations.  As for iptables vs pfsense, I've yet to
run into a scenario tc/iptables/etc can't do, and I do some pretty
wacky esoteric stuff on many boxes.  However, here's a great example of
why you'd like Fedora rather than CentOS: the newer, handy iptables
features are generally bleeding edge and only to be found in distros
that give you the bleeding kernel.  If you're on the typical
multi-year-old RHEL kernel then you may find that what you want to do
isn't possible.
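As an added illustration of the single-interface, multiple-public-IP setup Trevor describes (example code, not from either poster): each public address is added to the WAN interface, DNAT'd to its own internal host, filtered in FORWARD before anything is passed on, and SNAT'd on the way back so replies leave from the matching public IP. Interface names, addresses and port lists are constructed sample values; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: several public IPs on one WAN interface, each forwarded to a
# different internal box via iptables DNAT, with FORWARD filtering in front.
# All names and addresses below are constructed sample values (assumptions).
WAN=eth0
LAN=eth1

# "public_ip internal_ip allowed_tcp_ports" per line (constructed sample)
MAP='203.0.113.10 192.168.10.10 80,443
203.0.113.11 192.168.10.11 22,25'

# Execute the command, or just print it when DRY_RUN=1 (no root needed then)
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Rules for one mapping: $1 public IP, $2 internal IP, $3 comma-separated ports
rules_for() {
  pub=$1; int=$2; ports=$3
  # 1. make the WAN interface answer for this additional public address
  run ip addr add "$pub/32" dev "$WAN"
  # 2. rewrite inbound traffic for that public IP to the internal host
  run iptables -t nat -A PREROUTING -i "$WAN" -d "$pub" -j DNAT --to-destination "$int"
  # 3. firewall check: only the listed TCP ports may be forwarded to that host
  run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$int" -p tcp -m multiport --dports "$ports" -m conntrack --ctstate NEW -j ACCEPT
  # 4. outbound traffic from that host leaves with its own public address
  run iptables -t nat -A POSTROUTING -o "$WAN" -s "$int" -j SNAT --to-source "$pub"
}

# Default-deny forwarding, allow return traffic, then one rule set per mapping
apply_all() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  echo "$MAP" | while read -r pub int ports; do
    rules_for "$pub" "$int" "$ports"
  done
}

# Usage: DRY_RUN=1 sh multi-ip.sh apply   (print)   |   sh multi-ip.sh apply (as root)
if [ "${1:-}" = apply ]; then apply_all; fi
```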

