Contributed by jose on from the open-and-hack dept.
"The idea of inviting hackers to attack your web site is debatable, but eWeek did and used OpenBSD as their web server and firewall. They published the logs and configurations - pf included - here: http://www.eweek.com/article2/0,3959,743002,00.asp This looks kind of cool, if only to get a few ideas and see what I can add to my toolbox. Anyone check this stuff out? I'm still downloading it (server backups) so I don't know what rules they used, but here is a real world example of what pf was used for."
(Comments are closed)
By Anonymous Coward () on http://www.xs4all.nl/~wpd/symon/
By Anonymous Coward () on
Anyways, for new users, here is an example showing how a machine was set up and administered, including changes to the various files in /etc. If you are getting started and wonder what to do after an install and reading afterboot, here are tips on administering, log files, pf, symon, and so on.
Too bad they don't run an article on how they set it up and the reasons for the choices they made.
I'm glad to see the additional publicity, which along with the UltraSparcIII brouhaha, can only lead to more CD sales, new users, mindless posts to misc@, and reactive flames. Somehow it seems like it is going to be an interesting month.
By Anonymous Coward () on
By Sam Wilson () numbsafari@yahoo.com on mailto:numbsafari@yahoo.com
Especially this article:
http://www.eweek.com/article2/0,3959,746550,00.asp
Vendor-Client communication is probably one of the less obvious issues in security, and I hate to give M$ kudos for anything at all, but in this case, their professionalism deserves merit. It sounds like Oracle really didn't give this a lot of thought, which is disappointing considering how much they like to claim that they are "unbreakable". Granted, nobody really "broke in", but XSS bugs are the bane of web application security...
By That Tune () on
http://www.eweek.com/article2/0,3959,643205,00.asp
and the network diagram in pdf is available at
ftp://ftp.eweek.com/pub/eweek/pdf/printpub/19/41p38.pdf
Knowing where all the firewalls fit helps.
For those of you who wonder what to use on a DOS based zip archive, unzip is your friend, not gunzip.
By Timothy Dyck, eWEEK Labs () timothy_dyck@ziffdavis.com on mailto:timothy_dyck@ziffdavis.com
Here's an example:
pass in on $int_if proto tcp from $mail_relay_ok_net to $int_if port smtp keep state label "int_if_in_$srcaddr->$dstaddr_$dstport"
pass in on $int_if proto udp from $name_server_ip port domain to $int_if keep state label "int_if_in_$srcaddr_$srcport->$dstaddr" # shouldn't need this line
When I watched the log of blocked packets, I'd find that a small number of reply packets were getting blocked until I added reply rules like the second one above. It appeared that pf was losing track of the state of certain incoming connections and so generated reply traffic wasn't being correctly associated with incoming traffic.
Anyone experienced this? It wasn't a big problem, but I shouldn't have needed those extra rules. This is with release OpenBSD 3.2.
Thanks,
Tim Dyck
eWEEK Labs
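One way to confirm the symptom described in the comment above, as an added example that is not part of the original post or of eWEEK's configuration: correlate blocked packets in the pf log with flows the ruleset had already passed, so that blocked replies stand out from ordinary blocked probes. It assumes both pass and block rules carry `log`; the log line layout, the function name `blocked_replies` and the sample addresses are constructed for illustration.

```python
import re

# Constructed sample, loosely modelled on `tcpdump -n -e -tt` output read from
# pflog; the exact field layout is an assumption, adjust LINE to your output.
SAMPLE = [
    "1041379200.10 rule 12/(match) pass out on fxp1: 10.0.0.1.4021 > 10.0.0.53.53: udp 31",
    "1041379200.14 rule 0/(match) block in on fxp1: 10.0.0.53.53 > 10.0.0.1.4021: udp 95",
    "1041379201.00 rule 0/(match) block in on fxp0: 203.0.113.9.4444 > 192.0.2.10.23: S",
    "1041379300.00 rule 0/(match) block in on fxp1: 10.0.0.53.53 > 10.0.0.1.4021: udp 95",
]

LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) rule (?P<rule>\d+)/\S+ (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifc>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def blocked_replies(lines, window=60.0):
    """Return blocked packets whose reversed address/port tuple was passed
    at most `window` seconds earlier (protocol is not compared)."""
    passed = {}  # (src, sport, dst, dport) -> time the flow was last passed
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines the pattern does not understand
        ts = float(m["ts"])
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if m["action"] == "pass":
            passed[flow] = ts
            continue
        reverse = (flow[2], flow[3], flow[0], flow[1])
        seen = passed.get(reverse)
        if seen is not None and ts - seen <= window:
            hits.append({"rule": int(m["rule"]), "ifc": m["ifc"],
                         "flow": flow, "delay": round(ts - seen, 2)})
    return hits

if __name__ == "__main__":
    for hit in blocked_replies(SAMPLE):
        print("blocked reply on %(ifc)s by rule %(rule)d: %(flow)s "
              "(%(delay).2fs after the passed packet)" % hit)
```

Each hit names the rule number that blocked the reply, which is the place to start when checking whether the matching pass rule actually created state.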