On 4/3/24 18:19, Karel Lucas wrote:
I want to use ETH1 for the input from my
ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
would like to use ETH4 for the update/upgrade of the firewall. Remove
the connection from ETH1, plug it into ETH4, and update/upgrade. Then
the connection returns to ETH1. ETH4 therefore receives an IP address
and ETH1, ETH2 and ETH3 not. But now the problem: as long as the network
connection of the ADSL modem is in ETH4, my network, including the
firewall, is no longer secured, and attackers can take advantage. I
therefore wonder whether it is possible to let the data flow via ETH1
and ETH4 first pass through PF before an update/upgrade is done via
ETH4. This means that the bridging firewall will have two entrances, one
without and one with an IP address. I would like to know if that is
possible, or if there is another option.
I'm not entirely sure about how bridging works on OpenBSD and PF, but
the answer, from a network point of view, would be "Don't make ETH4 part
of the same bridge as ETH1-3, and apply a basic, restrictive ruleset to
ETH4, allowing only for the update traffic to/from $self".
(I hope I'm not missing something basic here)
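The layout the reply describes, with ETH4 kept out of the bridge and only a minimal ruleset on it, as an added example that is not from the thread. It assumes OpenBSD interface names em0 to em3 for ETH1 to ETH4, a static address on em3, and placeholder mirror and DNS addresses.

```pf
# /etc/hostname.bridge0   (assumed names: em0=ETH1, em1=ETH2, em2=ETH3)
#   add em0 add em1 add em2 up          # em3 (ETH4) is deliberately NOT a member
# /etc/hostname.em3
#   inet 192.0.2.10 255.255.255.0       # only the update interface carries an address

# /etc/pf.conf
ext_if  = "em0"                 # ADSL side of the bridge, no address
lan_ifs = "{ em1 em2 }"         # LAN side of the bridge, no address
upd_if  = "em3"                 # update/upgrade interface, addressed
lan_net = "192.168.1.0/24"      # assumed LAN range behind the bridge
mirror  = "198.51.100.20"       # placeholder: address of the package/upgrade mirror
dns     = "192.0.2.1"           # placeholder: resolver reachable via the modem

set block-policy drop
# Bridged frames are filtered once, on the ADSL-facing member; skip the rest.
set skip on { lo bridge0 $lan_ifs }

block log all

# --- Bridge (ETH1 <-> ETH2/ETH3): LAN initiates, replies ride the state ---
pass out on $ext_if inet from $lan_net
# Nothing is passed "in on $ext_if" explicitly: only packets matching a state
# created by the rule above get back in, so the modem side cannot initiate.

# --- ETH4: only this host talks, and only the update traffic ---
pass out on $upd_if inet proto { tcp udp } from ($upd_if) to $dns    port 53
pass out on $upd_if inet proto tcp         from ($upd_if) to $mirror port { 80 443 }
# No "pass in on $upd_if" at all: the default block drops anything the modem
# side sends to the firewall itself, so the address on ETH4 exposes no service.
```

Load with `pfctl -nf /etc/pf.conf` to syntax-check first, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as loaded and `tcpdump -n -e -ttt -i pflog0` shows what the `block log` rule is dropping on em3.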