Introduction

The first part of this article has given an overview of DSL, how it works with NetBSD and how you can set it up. Now after you have installed setup your shiny new DSL connection, some considerations should be made about being online and utilizing the connection while preparing for the less friendly side of "The Net". This part of the article gives an overview of ways to use your DSL machine as gateway for your home or office network, and goes through the basic steps to setup and maintain security to machines connected directly to the Internet.

Using your Internet access from more than one machine

* Masquerading many machines behind a single gateway

If you have several machines in your home or office network, make the other machines use it. With NAT (or "IP masquerading", as it's called in another universe), multiple machine can be hidden behind one gateway machine. The machines behind the gateway can use their own, private network numbers (usually form the 10/24 or 192.168/16 subnets), and the gateway will translate the private, internal adresses to the public, external address of the gateway machine (hence NAT => Network Address Translation, see Image #3). Any replies made to requests sent out will be translated before sent back to the client. One of the characteristics of this scheme is that a client machine needs to establish a connection, and no outside machine can connect beyond the NAT gateway. From the security point of view this is absolutely desirable. From a practical view, it might be needed to forward single ports to inside machines, e.g. to let them handle WWW or FTP requests.

Image #3: (click to enlarge!)

Please check the following links for further details. Providing an in-depth description of of NAT is beyond the scope of this article:

• A simple NAT setup (http://www.de.netbsd.org/Documentation/network/#simplenat)
• Network Address Translation (NAT) FAQ (http://radon.static.net/~armenb/ipnat.html)

* Setup proxies for services: www (squid), ftp, ...

Setting up NAT allows several computers to share one network connection, multiplexed via a NATing gateway. One other thing you will want to setup after NAT is a caching proxy, to only fetch any web pages (and images, etc.) if they haven't been fetched by someone from your internal network recently. In that case the proxy will safe the data to disk, and return that saved data later when the same file is requested again, see Image #4. This scheme is most efficient with static web pages and images, and it can lead to a dramatic decrease of network ressource usage.

Image #4: (click to enlarge!)

Basic Online Security

Now that you have your machine online, you should take the usual care for ensuring your system's security. Probably the most important points are:
• Make sure all your accounts have passwords set. Check with the vipw(8) command and look for a empty second column, i.e. "::" after the login name. Accounts that aren't protected by passwords allow easy intrusion into your system, and with a local account, further compromise if your data and local network is possible.

• Do not work as root. Create yourself a user account using useradd(8), and use that for web browsing, reading mail, being on IRC, etc. This lowers the risk of someone exploiting one of your programs and gaining control over your whole system considerably. Plus, a "root" should have something better to do than e.g. hang out on IRC - at least that's the common saying from the ages when Unix was a real multiuser operating system ;-)

• Stop services you don't need. Many system services can be switched on/off via /etc/rc.conf and /etc/inetd.conf. Go through them, and make sure that your system doesn't start any system services that you do not intend to make accessible via the net. Also check /etc/rc.local for any network daemons that may get started there, and disable them if you don't need or thrust them.

• Limit services with TCP wrappers. If you want to offer some services that you don't fully trust (e.g. ftp or telnet) but that you still want to make available to a limited list of machines/users, you can restrict these if the service has support for TCP wrappers. In NetBSD, all services started via inetd.conf do so, as well as other services like portmap, sendmail, etc. Using two config files, /etc/hosts.allow and /etc/hosts.deny, it is possible to allow/deny services on a per-host or per-user base. Please see the hosts_access(5) manpage for more in-depth information.

• Setup firewalling rules: If you want more fine grained control over which machines can access which of your services, or if a service that you want to run and restrict to some hosts doesn't know about TCP wrappers, setting up firewalling may be appropriate. That way, every incoming (and outgoing) packet can be scanned for a wide range of attributes. Available are source and destionation IP and port number, header flags (SYN, ...), ICMP types and many more. Giving an introduction on firewalls is beyond the scope of this document, please see ipf.conf(5) and /usr/share/examples/ipf for more information. Information on configuring IP Filter can be found in the IP Filter Based Firewalls HOWTO (http://www.obfuscation.org/ipf/ipf-howto.txt) and on the IP Filter homepage (http://www.ipfilter.org).

While the above list gives some general guidelines, it cannot be complete. There are always new holes and ways to attack a system that are discovered, and being aware of that is the first step to damage prevention. Monitor general security mailing lists like the CERT list (see http://www.cert.org/) or bugtraq (see http://www.securityfocus.com/), keep an eye on the lists that your operating system's vendor provides, and don't forget to upgrade your services' software if any problems are found.

Educate yourself and any possible users of your machines about security!