[buug] Convert Linux Gateway to OpenBSD

Charles Howse chowse at charter.net
Fri Oct 25 17:29:00 PDT 2002


OK, all good so far.

Now, I have had a severe attack of the 'dumbass' today...
If you don't mind, it would help me immensely if you would walk me
through the steps to get my new machines to the point you mention when
talking about installing snapshots to stay secure.

When I look at ftp.openbsd.org/pub/OpenBSD/snapshots/i386, all I see are
*32.tgz files.
Should I start by installing those?

Then what, and how, to stay secure?  Just patch manually or do a
complete reinstall of the newest snapshot?
Seems to me like all that reinstalling and reconfiguring would be a pain
in the ass.

Also, nobody ever commented on my original plan to try and develop a
means to do a scripted install of the OS and config files.  Is this
possible in BSD?...it is in Linux.

> -----Original Message-----
> From: buug-admin at weak.org [mailto:buug-admin at weak.org] On 
> Behalf Of f.johan.beisser
> Sent: Friday, October 25, 2002 7:07 PM
> To: Charles Howse
> Cc: buug at weak.org
> Subject: RE: [buug] Convert Linux Gateway to OpenBSD
> 
> 
> On Fri, 25 Oct 2002, Charles Howse wrote:
> 
> > What are your thoughts on the following:
> >
> > My little network will have a DMZ.
> 
> ok. it's already behind nat. the DMZ will be of limited usefulness.
> 
> here's why: you have 1 public IP. if you map ports over to 
> specific machines you're still only exposing one or two 
> ports. it's not going to render you that much more secure 
> than having everything sitting in one local network..
> 
> this doesn't mean the design is bad, it's a good design, just 
> requiring more resources to implement than your original design.
> 
> > The first question I have for this scenario concerns the sub netting
> > for the network.
> > BTW: sub netting is my short suit.
> > I'm totally at a loss here...should all the machines be on the same 
> > network - 255.255.0.0?
> 
> no. i would either A) assign a complete class C (heh, 
> pre-CIDR stuff amuses me) to each segment, or B) subnet one. 
> what good is setting everything to be in the same subnet when 
> you're attempting to keep things separate?
> 
> since you're playing with private IP space, go for the /24. 
> it'll be easier to handle.
> 
> so, 192.168.1.0 and the DMZ would be 192.168.2.0, for 
> example. the netmask for either 255.255.255.0. this just 
> makes everything easier to deal with, especially once it's in 
> private IP space.
> 
>   <gateway>
>      |
>      +---{DMZ}-<publicly accessible servers (192.168.1.0/24)>
>      |
>      +---{Windoze}-<private machines (192.168.2.0/24)>
> 
> -------/ f. johan beisser /--------------------------------------+
>   http://caustic.org/~jan                      jan at caustic.org
> 	"Champagne for my real friends, real pain for
> 	  my sham friends." -- Tom Waits