On 4/3/24 18:19, Karel Lucas wrote:
> I want to use ETH1 for the input from my
> ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
> would like to use ETH4 for the update/upgrade of the firewall. Remove
> the connection from ETH1, plug it into ETH4, and update/upgrade. Then
> the connection returns to ETH1. ETH4 therefore receives an IP address
> and ETH1, ETH2 and ETH3 not. But now the problem: as long as the network
> connection of the ADSL modem is in ETH4, my network, including the
> firewall, is no longer secured, and attackers can take advantage. I
> therefore wonder whether it is possible to let the data flow via ETH1
> and ETH4 first pass through PF before an update/upgrade is done via
> ETH4. This means that the bridging firewall will have two entrances, one
> without and one with an IP address. I would like to know if that is
> possible, or if there is another option.
I'm not entirely sure about how bridging works on OpenBSD and PF, but
the answer, from a network point of view, would be "Don't make ETH4 part
of the same bridge as ETH1-3, and apply a basic, restrictive ruleset to
ETH4, allowing only for the update traffic to/from $self".
(I hope I'm not missing something basic here)
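As an added illustration of the ruleset suggested above (not part of the original reply, and not OpenBSD's or the list's own configuration), here is a pf.conf fragment for the update interface. It assumes the four ports are em0-em3 (ETH1-ETH4), that em0/em1/em2 are members of bridge0 with no address, and that em3 is left out of the bridge and takes a DHCP lease from the modem while the cable is plugged into it.

```pf
# Added example pf.conf fragment (not from the original thread).
# Assumed interface layout:
#   /etc/hostname.em0, .em1, .em2 : "up"          (ETH1-ETH3, no address)
#   /etc/hostname.bridge0         : "add em0 add em1 add em2 up"
#   /etc/hostname.em3             : "inet autoconf" (ETH4, update port)
update_if  = "em3"
bridge_ifs = "{ em0 em1 em2 }"

set skip on lo0

# The existing ruleset for the bridged path (ETH1-ETH3) lives here and is
# independent of the update port; em3 is not a bridge member, so nothing
# is ever forwarded between it and the bridge.

# Default deny on the update port, logged so anything unexpected that
# arrives while the modem is plugged into ETH4 shows up in pflog0.
block log on $update_if

# DHCP client traffic so the firewall can obtain its lease on ETH4.
pass out on $update_if proto udp from port 68 to port 67
pass in  on $update_if proto udp from port 67 to port 68

# Only the firewall itself may initiate connections, and only what the
# update tools need: DNS plus HTTP/HTTPS for syspatch(8), pkg_add(1)
# and sysupgrade(8). State is kept, so replies are matched to these
# outbound connections and no inbound connection is ever accepted.
pass out on $update_if proto { tcp udp } from (self) to any port 53 \
    keep state
pass out on $update_if proto tcp from (self) to any port { 80 443 } \
    flags S/SA modulate state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` while the modem is on ETH4 to confirm nothing but the update traffic passes.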