Wednesday, April 03, 2024

Re: Bridging firewall with online update/upgrade

On 4/3/24 12:19, Karel Lucas wrote:
> Hi all,
>
> I am creating a bridging firewall with OpenBSD and the following
> hardware:
> https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image&th=1.
> OpenBSD is already installed. I want to use ETH1 for the input from my
> ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
> would like to use ETH4 for the update/upgrade of the firewall. Remove
> the connection from ETH1, plug it into ETH4, and update/upgrade. Then
> the connection returns to ETH1. ETH4 therefore receives an IP address
> and ETH1, ETH2 and ETH3 do not. But now the problem: as long as the network
> connection of the ADSL modem is in ETH4, my network, including the
> firewall, is no longer secured, and attackers can take advantage. I
> therefore wonder whether it is possible to let the data flow via ETH1
> and ETH4 first pass through PF before an update/upgrade is done via
> ETH4. This means that the bridging firewall will have two entrances, one
> without and one with an IP address. I would like to know if that is
> possible, or if there is another option.
>

There are lots of options, but I'm not seeing the point of the bridging
firewall here. Sounds like you are making things complicated and I'm
suspicious you won't be getting much benefit from it. I think you would
do much better with NAT.

But... pretending for the moment this is the right solution for you, if
you are already planning on physically moving to the box to do upgrades,
just download the installXX.img file on another machine, drop it on a
thumb drive, walk over to your bridge, reboot from the thumb drive and
upgrade; don't bother fiddling with cables.

I'm also pretty sure you can put an internal IP on one of the ports
other than the bridge, and copy the files and install from there. That
would have the benefit of remote administration, too.

Nick.
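The layout Nick sketches in his second suggestion (three ports as members of a filtering bridge carrying no IP address, a fourth port with an internal IP reserved for administration) can be written down as ordinary OpenBSD hostname.if(5) files plus a pf.conf. The script below is an added example and is not code from either poster; it generates those files into a staging directory so they can be inspected and syntax-checked with `pfctl -n` before being copied to /etc on the firewall. The interface names igc0..igc3 for ETH1..ETH4, the 192.168.1.0/24 addressing, and the assumption that the modem is the LAN's default router are all mine; check `ifconfig` on the box for the real driver names.

```shell
#!/bin/sh
# Added example (not from the original thread): OpenBSD filtering bridge
# with a separate management port. Interface names and addresses below are
# assumptions; override them in the environment to match the real box.

WAN_IF=${WAN_IF:-igc0}          # ETH1: cable from the ADSL modem, bridge member, no IP
LAN_IF1=${LAN_IF1:-igc1}        # ETH2: towards the LAN, bridge member, no IP
LAN_IF2=${LAN_IF2:-igc2}        # ETH3: towards the LAN, bridge member, no IP
MGMT_IF=${MGMT_IF:-igc3}        # ETH4: internal IP, never plugged into the modem
MGMT_ADDR=${MGMT_ADDR:-192.168.1.2}
MGMT_NET=${MGMT_NET:-192.168.1.0/24}
MGMT_GW=${MGMT_GW:-192.168.1.1} # assumption: the modem is the LAN's default router

# write_config DIR : write hostname.*, mygate and pf.conf into DIR.
# Use a staging directory first; copy to /etc on the firewall once checked.
write_config() {
    dir=$1
    mkdir -p "$dir"
    # Bridge members are brought up without any address.
    for ifn in "$WAN_IF" "$LAN_IF1" "$LAN_IF2"; do
        printf 'up\n' > "$dir/hostname.$ifn"
    done
    printf 'add %s\nadd %s\nadd %s\nup\n' \
        "$WAN_IF" "$LAN_IF1" "$LAN_IF2" > "$dir/hostname.bridge0"
    # Only the management port gets an IP; the default route leaves via the LAN.
    printf 'inet %s 255.255.255.0\n' "$MGMT_ADDR" > "$dir/hostname.$MGMT_IF"
    printf '%s\n' "$MGMT_GW" > "$dir/mygate"
    cat > "$dir/pf.conf" <<EOF
wan_if     = "$WAN_IF"
lan_ifs    = "{ $LAN_IF1 $LAN_IF2 }"
bridge_ifs = "{ $WAN_IF $LAN_IF1 $LAN_IF2 }"
mgmt_if    = "$MGMT_IF"
mgmt_net   = "$MGMT_NET"

set skip on lo0
block log all

# Bridged IP traffic is filtered on the member interfaces, not on bridge0.
# LAN hosts may open connections; nothing unsolicited comes in from the modem.
pass in  on \$lan_ifs
pass out on \$bridge_ifs

# Management port: SSH from the LAN only, plus the firewall's own outbound
# traffic (which is what syspatch/sysupgrade need to fetch files).
pass in  on \$mgmt_if inet proto tcp from \$mgmt_net to (\$mgmt_if) port 22
pass out on \$mgmt_if inet from (\$mgmt_if)
EOF
}

# check_config DIR : parse the generated pf.conf without loading it.
# Returns 0 on a clean parse, or when pfctl is not available on this host.
check_config() {
    command -v pfctl >/dev/null 2>&1 || return 0
    pfctl -nf "$1/pf.conf"
}

# bridge_member_count DIR : number of 'add' lines in hostname.bridge0.
bridge_member_count() {
    grep -c '^add ' "$1/hostname.bridge0"
}

# Usage on a workstation:  write_config /tmp/fwcfg && check_config /tmp/fwcfg
# then copy the files to /etc on the firewall and run: sh /etc/netstart; pfctl -f /etc/pf.conf
```

With this layout the modem cable never moves: ETH4 sits on the LAN side of the bridge, so the firewall's own update traffic leaves through the bridge and is filtered like any other LAN host's, and only port 22 from the LAN can reach the management address. Note that pf filters IP only, so bridged ARP and other non-IP frames still pass; use bridge(4) rules if those need restricting. On a current OpenBSD release the thumb-drive step Nick describes can also be replaced by running syspatch(8) for errata and sysupgrade(8) for release upgrades over the management interface, which fetch the files themselves and reboot into the installer.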
