OpenBSD Security: Functionally paranoid!
Hello,
I would like to set up a firewall which has only one physical NIC using the 'alias' parameter in 'ifconfig'. Are there any security risks using this configuration in comparison to a configuration with two physical NICs?
Thanks in advance, Ido.
In http://www.daemonforums.org/showthread.php?t=4367 I give an example of a pf ruleset protecting a desktop machine with only one NIC.
To protect a network or multiple machines, you really need 2 NICs, else it won't work.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
The question isn't whether it can be done or not, but whether there is a security risk in doing so.
Why do you say I need two NICs in order to protect a network of multiple machines? I can simply connect the firewall, the modem and the rest of the machines to a switch.
If something is not possible, it is useless to wonder whether it has security risks.
How are you going to prevent the machines from using the modem directly, and thus bypassing your one-NIC firewall?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
|
||||
|
Draw a picture for us, Idosch. Explain how you envision several devices on the same physical subnet can be protected from each other, merely by having yet another device on the same physical subnet running OpenBSD.
All ALIAS does is permit a NIC to respond to an ARP request for multiple addresses. Each alias address -must- be within the subnet, else the gateway router will not even ask. If you changed the gateway's routing table and added a pseudo-subnet that you then "routed" to the OpenBSD platform, how would it then forward packets on? NAT? You'll need to draw this out, and describe both layer 2 frames (Ethernet) as well as layer 3 (IP). Doing that exercise will tell you whether or not this will work, or will give you more specific questions to ask.
__________________
OpenBSD LiveCDs/LiveDVDs
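The "draw a picture" exercise above can be done as a small model. The following is an added example written for this thread, not code from the forum, from OpenBSD or from pf: it represents each switch or cable as a layer-2 segment, connects hypothetical devices (modem, firewall, two PCs; all names constructed) to those segments, and then asks the question J65nko raised: with the firewall removed from the graph, can a client still reach the modem? If it can, the firewall is not on-path and its pf ruleset cannot be enforced for that host. It also encodes jggimi's point that an ifconfig alias must lie inside the NIC's own subnet; the addresses are documentation ranges chosen for the example.

```python
from collections import deque
from ipaddress import ip_interface

# Constructed topologies. Keys are devices, values are the layer-2 segments
# (switches or point-to-point links) their NICs are attached to.

# Everything hangs off one switch; the firewall has one NIC and uses
# ifconfig aliases for extra addresses.
ONE_NIC = {
    "modem":    ["switch"],
    "firewall": ["switch"],
    "pc1":      ["switch"],
    "pc2":      ["switch"],
}

# The firewall has a WAN-side NIC toward the modem and a LAN-side NIC
# toward the PCs, so it is the only bridge between the two segments.
TWO_NIC = {
    "modem":    ["wan-link"],
    "firewall": ["wan-link", "lan-switch"],
    "pc1":      ["lan-switch"],
    "pc2":      ["lan-switch"],
}


def reachable(topology, src, dst, skip=None):
    """Breadth-first search from device `src` to device `dst` across shared
    segments. `skip` names a device removed from the graph, which is how we
    test whether that device sits on every path."""
    members = {}
    for dev, segs in topology.items():
        if dev == skip:
            continue
        for seg in segs:
            members.setdefault(seg, set()).add(dev)

    seen, queue = {src}, deque([src])
    while queue:
        dev = queue.popleft()
        if dev == dst:
            return True
        for seg in topology[dev]:
            for nxt in members.get(seg, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return False


def bypassable_hosts(topology, firewall="firewall", upstream="modem"):
    """Hosts that still reach the modem with the firewall taken out of the
    graph: their traffic never has to pass through pf, so any policy the
    firewall applies to them is advisory at best."""
    return sorted(
        dev for dev in topology
        if dev not in (firewall, upstream)
        and reachable(topology, dev, upstream, skip=firewall)
    )


def alias_addresses_ok(primary, aliases):
    """For each alias (CIDR string), report whether it lies inside the
    primary address's subnet. An alias outside the subnet is never ARPed
    for by the gateway, so the NIC would never see traffic for it."""
    net = ip_interface(primary).network
    return {a: ip_interface(a).ip in net for a in aliases}


if __name__ == "__main__":
    print("one NIC, shared switch, bypassable:", bypassable_hosts(ONE_NIC))
    print("two NICs, separate segments, bypassable:", bypassable_hosts(TWO_NIC))
    print(alias_addresses_ok("192.0.2.10/24",
                             ["192.0.2.11/24", "198.51.100.5/24"]))
```

In the one-switch layout both PCs come back as bypassable: a PC with its default route pointed at the modem simply never talks to the OpenBSD box. In the two-NIC layout the list is empty because the firewall is the cut vertex between the LAN segment and the modem, which is the property a filtering host actually needs.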
I see. I'll probably buy an RJ45 to USB adapter in order to overcome this problem.
Thanks for the answers, Ido.