
Firewall Services and Setup

Hello!

I am assembling a server farm and I have a few questions about the firewall. I firmly feel that OpenBSD is going to be the best choice, and I have a single processor firewall being built for the task. It will have a P4 Xeon 1.2 GHz with 512 MB DDR RAM and dual 9 GB SCSI drives in a RAID config (mirrored). I have already set up a FreeBSD server, and am very comfortable using Unix stuff. However, my experience setting up this FreeBSD server was in a home network environment and was simple webpages and FTP.

All site hardware / software maintenance will be done on site by another more qualified individual, but I will definitely be the lead admin. I don't have a concern for setting up a VPN or telnet/SSH tunnel, so I know that fills up a huge problem/concern/hole. However, clients will be uploading pictures, sound files, and movie files via forms through ColdFusion, so that opens up a similar concern. I would like to store my log files on the same firewall server but on a separate partition so that I can sandbox it from the rest of the machine. Should I, since it is easy, set up separate partitions for different classes of logs, or separate it in any other manner just because I can? Is there any reason it can possibly have a negative effect?

Before I get into any other details, let me outline the server farm situation:

1. Firewall on OpenBSD via IPtables
2. Webserver (main static pages, site graphics, etc.) on FreeBSD via Apache
3. Coldfusion Enterprise Server on Windows 2000 Server
4. Coldfusion Enterprise Server on Windows 2000 Server
5. Database Server on Windows 2000 Server via MS SQL 2000
6. Database Server on Windows 2000 Server via MS SQL 2000
7. Database Server on Windows 2000 Server via MS SQL 2000
8. Database Server on Windows 2000 Server via MS SQL 2000
9. Community Server on Linux via PHP (message boards, etc. feedback)
10. Email Server on FreeBSD via qmail.
11. Photo Server on FreeBSD
12. Photo Server on FreeBSD


I need a firewall to protect all of this. I want to use OpenBSD as I said and I plan to use IPTables. What else do I need? A mandatory services list would be awesome, so if anybody has any ideas, please let me know. I have a background in general programming, and I understand the command line fully (I don't know the commands by heart) so all I really need is a point in the right direction.

Another idea I had was to install as many NICs as I could (using gigabit) and directly link the main servers of the farm to the firewall, instead of going through a switch. It can be done, but is it a wise idea, and how would I direct someone to set it up?

I'm about to set my plans in concrete (breakable) so I really want to make some final decisions on this web site's infrastructure. If anybody has any comments or general advice, drop me a line.

Thank you very much,

TechBoyJK
 
Originally posted by: TechBoyJK
Hello!

I am assembling a server farm and I have a few questions about the firewall. I firmly feel that OpenBSD is going to be the best choice, and I have a single processor firewall being built for the task. It will have a P4 Xeon 1.2 GHz with 512 MB DDR RAM and dual 9 GB SCSI drives in a RAID config (mirrored). I have already set up a FreeBSD server, and am very comfortable using Unix stuff. However, my experience setting up this FreeBSD server was in a home network environment and was simple webpages and FTP.

What SCSI raid card are you going to use?

All site hardware / software maintenance will be done on site by another more qualified individual, but I will definitely be the lead admin. I don't have a concern for setting up a VPN or telnet/SSH tunnel, so I know that fills up a huge problem/concern/hole. However, clients will be uploading pictures, sound files, and movie files via forms through ColdFusion, so that opens up a similar concern. I would like to store my log files on the same firewall server but on a separate partition so that I can sandbox it from the rest of the machine. Should I, since it is easy, set up separate partitions for different classes of logs, or separate it in any other manner just because I can? Is there any reason it can possibly have a negative effect?

Keeping logs on a firewall probably isn't the best idea. I would create a log host and keep all logs there. But on the firewall machine, /var will be the most important partition basically.

I need a firewall to protect all of this. I want to use OpenBSD as I said and I plan to use IPTables.

You need to do more research. OpenBSD uses Packet Filter. IPTables does not work on OpenBSD, only linux.

What else do I need? A mandatory services list would be awesome, so if anybody has any ideas, please let me know. I have a background in general programming, and I understand the command line fully (I don't know the commands by heart) so all I really need is a point in the right direction.

I could give you a huge list of things I would be running on the system, but it all depends on you and your staff.

Another idea I had was to install as many NICs as I could (using gigabit) and directly link the main servers of the farm to the firewall, instead of going through a switch. It can be done, but is it a wise idea, and how would I direct someone to set it up?

It sounds like you have too many systems for this to be effective. Plus it limits your upgrade options.
 
I do have plans to purchase a current copy of OpenBSD and at least walk myself through setting it up at least once.

The typical server setup, besides some small changes from machine to machine (hard drive size, RAM):


Intel SR2300 2U Rackmount Chassis with redundant 500 watt power supplies

Intel Westville SE7500WV2 Dual Xeon Motherboard

One (1) Intel P4 1.8GHz Xeon processor

1 GB total (2x 512 MB) PC2100 ECC Registered DDR memory

Dual Intel 10/100/1000 Server Adapters

Onboard Video Controller

Dual Channel Ultra 160 integrated

Intel SRCMRU Raid Controller

Two (2) 36 GB Ultra 160 SCSI hot swap hard drives

CD-ROM /Floppy Combo


Thanks for the heads up on IPTables/OpenBSD, as I have made posts about this before and no one ever pointed out that IPTables will not work with OpenBSD. From what I hear lately, Packet Filter is the top dog anyway, so I better read up on that!

If anybody wants to list the services they think should be mandatory, please do so. If my "staff" has a problem with any of this, I will deal with it later.

About hooking the servers up directly to the firewall via crossover cables, is it even worth it? I thought it may increase performance a little, or are switches (probably a 24 port gigabit ethernet switch) fast enough that it doesn't really matter? Or should I instead directly link the ColdFusion servers to the databases they will be working with? Can you map out a location all the way to the device and port you want the connection to be made with?

I appreciate the guidance respectfully, as knowledge gained from this post may be priceless!
 
Originally posted by: TechBoyJK
I do have plans to purchase a current copy of OpenBSD and at least walk myself through setting it up at least once.

Do an FTP install, and unless you are going to be setting this up this month, wait till next month to get the 3.2 cd. 🙂

Thanks for the heads up on IPTables/OpenBSD, as I have made posts about this before and no one ever pointed out that IPTables will not work with OpenBSD. From what I hear lately, Packet Filter is the top dog anyway, so I better read up on that!

PF is pretty simple. I had a working firewall config in about half an hour.

If anybody wants to list the services they think should be mandatory, please do so. If my "staff" has a problem with any of this, I will deal with it later.

Normal Unix processes mostly. Nothing special. Kill inetd and you are basically set.

About hooking the servers up directly to the firewall via crossover cables, is it even worth it? I thought it may increase performance a little, or are switches (probably a 24 port gigabit ethernet switch) fast enough that it doesn't really matter? Or should I instead directly link the ColdFusion servers to the databases they will be working with? Can you map out a location all the way to the device and port you want the connection to be made with?

I would personally get 2 switches. The order from the net connection would be: router, firewall, switch, web servers, switch, backend stuff.
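The router / firewall / web-tier switch / backend switch layout in the reply above, together with the earlier advice to ship logs to a separate log host, as an added pf.conf sketch that is not from this thread or from the OpenBSD documentation. Interface names, addresses and the ColdFusion port are constructed placeholders; only the ports 80, 443, 514 and 22 are the real service ports.

```pf
# Added example, not from the thread: pf.conf for the two-switch layout above.
# Interface names, addresses and cf_port are constructed placeholders.
ext_if  = "em0"    # toward the router
dmz_if  = "em1"    # switch holding the Apache and photo servers
int_if  = "em2"    # switch holding ColdFusion, MS SQL and the log host

web_srv = "{ 192.0.2.10, 192.0.2.11, 192.0.2.12 }"
cf_srv  = "{ 198.51.100.20, 198.51.100.21 }"
cf_port = "8500"            # assumed port the web tier uses to reach ColdFusion
loghost = "198.51.100.5"
admin   = "198.51.100.50"   # the only host allowed to ssh to the firewall

set skip on lo0
set block-policy drop       # drop silently instead of answering with RST/ICMP
set state-policy floating   # the default: a state created on the inbound
                            # interface also matches the packet leaving on another

# Packets whose source address cannot belong on the interface they arrive on
antispoof log quick for { $ext_if, $dmz_if, $int_if }

# Default deny in both directions; blocked packets are logged to pflog0
block log all

# The Internet may reach the web tier on HTTP/HTTPS and nothing else
pass in on $ext_if proto tcp to $web_srv port { 80, 443 } keep state

# The web tier may reach ColdFusion on one port only. MS SQL is never
# reachable from the DMZ; the ColdFusion hosts talk to it on the backend
# switch without crossing the firewall at all.
pass in on $dmz_if proto tcp from $web_srv to $cf_srv port $cf_port keep state

# Logs leave every tier for the log host instead of staying on the firewall:
# the web tier's syslog crosses the firewall, and the firewall's own syslogd
# sends out the backend interface.
pass in  on $dmz_if proto udp from $web_srv   to $loghost port 514 keep state
pass out on $int_if proto udp from ($int_if)  to $loghost port 514 keep state

# Management: ssh to the firewall only from the admin workstation
pass in on $int_if proto tcp from $admin to ($int_if) port 22 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `tcpdump -n -e -ttt -i pflog0` shows what the `block log all` rule is dropping.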
 
I was reading a few how-tos on hardening OpenBSD, but they all mention IP Filter, not Packet Filter. I'm still searching though, and I am looking through Google for it. One mentioned recompiling the kernel for a firewall/bridge mode, but I'm still looking at that. I am hoping to figure out all of the required info beforehand (IP addresses, layouts, subnets) and then be able to set up the firewall in one sitting.

Maybe installing the extra NICs wouldn't be worth it, since if I ever wanted to mod the server farm it would cause extra difficulty, especially if I was forced to do it in a rush.

Do the server specs look OK? Would you use any other hardware? Do the firewall specs look OK? We plan to have a large amount of traffic and would like to be able to handle several thousand connections simultaneously. Most connections will be for static HTML populated with database queries (aka auction site), and the databases will be as segregated as possible. Since many high volume off the shelf firewalls only have 100-300 MHz processors with 32-128 megs of RAM, I figured a 1.2 GHz Xeon P4 with 512 MB DDR RAM would make a "kick butt" firewall. 50,000 simultaneous connections would be nice.
 
IPF is the older firewall. PF is the newer. openbsd.org will have some docs for you. The hardware looks fine. You will obviously have to do some load testing, maybe a little src hacking (always fun 😉), and double check your firewall rules to make sure they are in a good order, but it should work.