OpenBSD Journal

Appalachian Web Solutions chooses OpenBSD as its firewall

Contributed by jose on from the OpenBSD-in-production-mode dept.

Brandon Newport sent us a description of how they're putting OpenBSD based firewalls to use in their business:
"Appalachian Web Solutions, a Carolina based hosting and web design company, decides to use OpenBSD as their firewall."
Read on for a nice story of how they wound up deploying OpenBSD and PF in their network.

" My partner and I decided to evaluate different firewalls before actually putting anything into production. I have worked as a network and infrastructure security consultant for almost 10 years and have experience with various firewalls like Cisco PIX, CheckPoint Firewall-1, Gauntlet, and Raptor among a few lesser known firewalls. My partner has been a network, systems, and security administrator for 6 years and has worked with Linux, FreeBSD, Solaris, AIX and Windows Operating Systems as well as the firewalls CheckPoint Firewall-1 and Cisco PIX. We both knew that the firewall should be integrated into the system and if it was to be on an operating system, that operating system must be secure and have a good track record for security.

Our requirements were simple, we wanted a industry proven, stable, reliable, and most importantly secure firewall that was relatively easy to manage. We did not feel all these things were asking too much, so we also added speed. The firewall must be stateful, be able to watch for IP Options, Fragmented packets, and other strange anomalies such as port scans, etc. Both of us being comfortable with command line, we did not have a need for the firewall to have a graphical user interface (GUI).

We ruled windows out quickly with all the security issues released, which seems like a daily event. AIX, HP-UX, and Solaris were out of the question because the cost justification did not allow for such expensive platforms (especially being this hosting company was funded by us with no venture capitalist money). While CheckPoint does run on Linux we quickly ruled it out not only based on price but the number of vulnerabilities it has had in the past few years was among the highest of all the firewalls. It seemed as if it was between PIX and Linux running IPTABLES (we eliminated IPCHAINS because it is not stateful), we are familiar with the PIX interface and its strengths and weaknesses. We had someone willing to donate a PIX to us for our hosting company, and we did test it. The cost of maintenance and support was costly and we felt the cost justification for a commercial package was not feasible compared to the level of security that can be reached with an Open Source firewall. The technical merit of using a Cisco PIX was also greatly reduced when attempting to group similar objects. Cisco introduced grouped object into the 6.2.2 code for the PIX. The addition of objects into the groups is extremely antiquated compared to other firewalls that allow you to create group objects fairly easily. One who is familiar with writing basic shell scripts would have no problem creating objects (or variables) in Open Source based firewalls. PDM can be installed onto the PIX which add additional management capabilities via a web browser (and eases the pain of creating groups); however, we did not want to add any additional services to the firewall unless absolutely needed.

While we started looking into IPTABLES, I had used OpenBSD for a couple other projects and discussed with my partner the possibility of trying OpenBSD running PF as the firewall in comparison to Linux running IPTABLES. Both being security minded, a quick evaluation of the facts pointed out that OpenBSD has only had one exploit in over 7 years?very impressive by itself, but that was not quite enough to move that direction. Researching both OSes for quite sometime specifically with security in mind, everything pointed to OpenBSD. Several excerpts from "Building Linux and OpenBSD Firewalls" (Chapter 4) explain why OpenBSD is actually a better firewall than Linux, while the book may be a little dated on the versions of OSes and also limits its Linux distribution to only RedHat it does explain the fundamental reasons for choosing OpenBSD over Linux which is what we were looking for. A well written article at http://www.benzedrine.cx/pf-paper.html by Daniel Hartmeier explains that IPTABLES does not perform sequence number analysis. The sequence number analysis gives a little added security by reducing the amount of information an attacker knows about the systems. The fact that OpenSSH, OpenSSL and PF were all written by OpenBSD people, also assisted in the decision, but actually testing the firewall proving that it was more than capable of handling loads and still maintaining its composure was what changed our minds.

We implemented OpenBSD 3.1 into our environment and have never thought twice about it. We obviously had to patch a security hole (OpenSSH) and watch for any new vulnerabilities like any good administrator. The upgrade was done using CVS and there were no problems with the update.

While most hosting companies do not implement firewalls and only lock the systems down at the OS layer (or they should if they don?t), we did feel like this offers enough protection for our customers. We believe in best practices for security, which is to provide security in layers, the firewall being the first layer for our environment, second being the OS layer of each system, and third being the application level.

Now for the configuration (an example config will be listed at the end):

There are several things to note with PF, most importantly is the order of operations. Your /etc/pf.conf file must be in the following order or it will not work:

  1. Options
  2. Scrub
  3. NAT and RDR
  4. Rules or Filters

    The /etc/pf.conf file explained:

    1. Options:
      By default packets with IP options set will be blocked. This reduces the risk of ?OS fingerprinting? packages like nmap and queso. However if you have applications that require options (multicast, IGMP, etc) you can use allow-opt in the /etc/pf.conf file to enable the firewall to pass packets with options set.
    2. Scrub
      Packet normalization means clearing IP options and reassembling fragmented packets. Some operating systems and applications have trouble with fragmented packets, and typically there is no reason to have non-normalized packets allowed through a firewall. Normalization does come at a cost; it will require more memory and additional load on the system (this load is minimal).

      While scrubbing packets is a good idea, which direction do you scrub and on what interface? Always scrub on the outside (Internet) interface at a minimum. We suggest you scrub all inbound packets (inbound to each interface). Scrubbing outbound packets should not be necessary since that would be traffic originating from the firewall essentially.

      You will want to use the scrub in all as the second option.

    3. NAT and RDR
      Being we are a hosting company we did not require NAT since all our addresses are valid IP Addresses.
    4. Rules or Filters
      The meat of any firewall is the rules that protect the system but more importantly is the rules that allow access to systems. There are several philosophies on firewalls. The philosophy we use is to deny everything by default and only allow specifically what is needed. While many PF experts will explain how to do the rules we have tried to keep them logical in a FIFO type scenario such that the deny rule is last and all other rules are above. The first rule that it hits and matches it allows (if that is what the rules states) and the firewall stops with that packet other than to track its state.

      The first thing we must do is allow the system to talk to itself over the loopback interface. While this may seem unnecessary it has been my experience to allow the system to communicate with itself, otherwise some applications may not function correctly.

      Example: 

      pass in quick on lo0 all
pass out quick on lo0 all
      We also do not want to allow any IPv6 traffic to our site.

      Example: 

      block in quick inet6 all
block out quick inet6 all
      With many packet filter firewalls that are stateful many tools such as nmap can be used to determine what services are on systems behind the firewall. Utilizing FIN, URG and PSH flags some scanners can bypass a firewall looking for initializing flags such as SYN and allow attackers to see what is actually running on your servers. You will want to deny any packets that are FIN, URG, or PSH. Remember while you may want to restrict this on all interfaces the external interface is the most important place to block this type of traffic

      Example: 

      block in quick on $external_if inet proto tcp from any to any flags FUP/FUP
      You will want to restrict non-routable packets from entering your network from the outside. Below is a listing of some of the types of non-routable networks and their purpose.

      RFC1918 compliant addresses used for internal addresses 

      10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
      Microsoft DHCP default addresses 
      169.254.0.0/16
      Loopback Range 
      127.0.0.0/8
      Resverved for DOCS 
      192.0.2.0/24
      Sun cluster interconnect 
      204.152.64.0/23
      Broadcast 
      255.255.255.255/32
0.0.0.0/8
      You will see this on your network if you are doing DHCP. This comes from the client requesting and IP address.

      Multicast/Reserved Class D 

      224.0.0.0/4
      You now can create a variable that encompasses all these network objects into one easy to use object:

      Example: 

      nonroute={10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 127.0.0.0/8, 
		192.0.2.0/24, 204.152.64.0/23, 255.255.255.255/32, 0.0.0.0/8,  
224.0.0.0/4}
      And your rule will look like the following to block all non-routable ip addresses:

      Example: 

      block in quick on $ext_if from $nonroute to any
block out quick on $ext_if from any to $nonroute
      Now you can create variables servers that have common services for example:

      Example: 

      nameservers={208.192.4.1/32, 208.192.4.2/32}
ftpservers={208.192.4.3/32}
webservers={208.192.4.5/32, 208.192.4.6/32, 208.192.4.7/32}
hosting={195.6.2.0/24}
      You can create variables for services that will be used across multiple servers (you can use the names of the services as they are listed in /etc/services, you can add your own services to /etc/services too):

      Example: 

      hosting_services={pop, smtp, ftp, www, https, mysql}
      Once this is completed you can create rules like the following:

      Example 

      pass in quick on $ext_if inet proto udp from any to $namservers port 53
pass in quick on $ext_if inet proto tcp from any to $ftpservers port { ftp, ftp-data }
pass in quick on $ext_if inet proto tcp from any to $webservers port { www, https }
pass in quick on $ext_if inet proto tcp from any to $hosting port $hosting_services
      On the TCP protocol you will want to restrict the initial packet to a SYN only. The way you can do this is to add S/SA to the end of a tcp rule like:

      Example: 

      pass in quick on $ext_if inet proto tcp from any to $ftpservers port { ftp, ftp-data } flags S/SA
      Now to add the stateful options to the firewall so it will remember what you have done:

      For UDP packets you will want to use "keep state" and on TCP packets you will want to utilize "modulate state". Because TCP packets are connection based, it is easy to hijack a TCP packet, for this reason PF has a modulate state option that increases the security over keep state. Modulate state generates a more random sequence number which makes hijacking packets more difficult (to find out more about OSes and sequence numbers visit http://razor.bindview.com/publish/papers/tcpseq.html).

      Example: 

      pass in quick on $ext_if inet proto tcp from any to $ftpservers port {ftp, ftp-data} flags S/SA modulate state
      Your inbound rules are almost complete except for one thing, where is your default block rule?

      Example: 

      block in quick on $ext_in all
      You will want to add the following outgoing rules for the return traffic: 
      block out on $ext_if all
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto udp all keep state
      Example /etc/pf.conf file 
      # Comment section for when rulebase was created modified, etc.  It is suggested to use a standard format for this like the following:
#
# DATE - USER
# Modification and why
#
#########################################################################################
#-------------------------
# Variables Section
#-------------------------
ext_if=?fxp0?
int_if=?fxp1?
dmz1_if=?fxp2?
#-------------------------------
# Non routable addresses
#-------------------------------
noroute={10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, 
                169.254.0.0/16, 127.0.0.0/8, 0.0.0.0/8, 192.0.2.0/24, 
                204.152.64.0/23 127.0.0.0/8}
#------------------------------
# Corporate Servers
#------------------------------
firewall={208.192.4.1/32}
webservers={208.192.4.130/32}
securewebservers={208.192.4.131/32, 208.192.4.132/32}
nameservers={208.192.4.135/32, 208.192.4.136/32}
mailservers={208.192.4.140/32}
ftpservers={208.192.4.150/32}
#------------------------------
# Hosting/Virtual Servers
#------------------------------
hosting={208.192.5.0/24, 208.192.6.0/24, 208.192.7.0/24}
virtual_servers={208.192.10.0/24, 208.192.11.0/24}
#------------------------------
# Hosting Services
#------------------------------
basic_services={imap, pop3, smtp, www, https, ftp, ftp-data, mysql}
#************************************************************************
#************************************************************************
#	Firewall Rulebase Begin
#************************************************************************
#************************************************************************
#
#-----------------------------------------------------------------
#       Packet Normalization (deny fragmented packets)
#-----------------------------------------------------------------
scrub in all
#------------------------------------
#       Allow Loopback Packets
#------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
#---------------------------------
#       Drop Spoofed Packets
#---------------------------------
block in quick from $noroute to any
#-------------------------------
#   Drop wrong TCP Flags
#-------------------------------
block in quick on fxp0 inet proto tcp from any to any flags FUP/FUP
#-----------------------------------------
#       Corporate Firewall RULES
#-----------------------------------------
# Always document what the rules are doing you don?t know how long it will be before you look at them again ?
pass in quick on $ext_if proto tcp from any to $mailservers port {25, 143} flags S/SA modulate state
pass in quick on $ext_if proto tcp from any to $webservers port 80 flags S/SA modulate state
pass in quick on $ext_if proto tcp from any to $securewebservers port 443 flags S/SA modulate state
pass in quick on $ext_if proto udp from any to $nameservers port 53 keep state
#---------------------------------------------------
# FTP to webserver uncomment as needed
#---------------------------------------------------
pass in quick on $ext_if proto tcp from any to $ftpservers port {ftp, ftp-data} flags S/SA modulate state
#----------------------------------------------
# Webmin Rule uncomment as needed
#----------------------------------------------
#pass in quick on $ext_if proto tcp from any to $webservers port 10000 flags S/SA modulate state

#-------------------------------------
#       Hosting Firewall RULES
#-------------------------------------
pass in quick on $ext_if proto tcp from any to $host1vs port $basicservices flags S/SA modulate state
pass in quick on $ext_if proto udp from any to $hostnameservers port 53 keep state
#------------------------------
#       Catch All Rule
#------------------------------
block in on $ext_if from any to any
#--------------------------------------------------------------
#  Allow return traffic and connection from firewall
#--------------------------------------------------------------
pass out on $ext_if from any to any keep state
pass out on $int_if from any to any keep state
pass out on $host1_if from any to any keep state
      Once you have the /etc/pf.conf file generated you will want to install the rulebase and enable PF. 
      /sbin/pfctl -f /etc/pf.conf -e
      You may want to look at various aspects of what your firewall is doing?

      Show the statistics and counters for filter information 

      /sbin/pfctl -s info
      Display hit count for each rule 
      /sbin/pfctl -s rules -v
      Display state table information 
      /sbin/pfctl -s state
      Watch traffic 
      tcpdump -i pflog0
      We are constantly looking for ways to be more secure and efficient. Our next project is VPN connection point between our remote offices and our facilities using IPSEC.

      We recently migrated our firewall from OpenBSD 3.1 to OpenBSD 3.2 with no issues. The added stability and performance of the new version of PF was worth the wait. Appalachian Web Solutions has been extremely pleased with OpenBSD in their production environment.

      My partner and I, both feel confident that we have made a wise technical and business decision for our hosting company to ensure the security of our customers and the continued success of our business.

      Notes:
      IP addresses used throughout this article are randomly picked addresses.

      I would like to point out a couple of great resources that helped us get started with our firewall project:

      http://www.muine.org/~hoang/openpf.html
      Securing Small Networks with OpenBSD (all the articles) http://www.onlamp.com/lpt/a//bsd/2002/02/28/openbsd.html
      http://www.openbsd.org/faq
      http://www.inebriated.demon.nl/pf-howto/
      http://www.benzedrine.cx/pf.html

      Special Thanks to the OpenBSD team and Daniel Hartmeier the creator of PF in addition to the many other people that assisted both these projects.

      Brandon is one of the principals of Appalachian Web Solutions, LLC he is responsible for maintaining the security of the systems. He received his CISSP in February of 2001 and his GCIA in September of 2001; he continues to try to improve the security of Appalachian Web Solutions. While not working he spends time with his wife, four dogs, and cat. He can be reached at bnewport@appws.com.

      http://www.appws.com "

(Comments are closed)

Comments

  1. By Eduardo Alvarenga () eduardo at thrx dot dyndns dot org on mailto:eduardo at thrx dot dyndns dot org

    Comments

    1. By Eduardo Alvarenga () eduardo at thrx dot dyndns dot org on mailto:eduardo at thrx dot dyndns dot org

      Damn Return key! ;-).

      Well, I would like to congrat all of you guys from Appalachian Web Solutions for this excellent paper. Besides, I think it might be a good idea to put a link to this on yours website. I have used some of your tips on my OpenBSD-3.2-stable firewall and all worked wonderfully. The "block .... from any to any flags FUP/FUP" rule was a very nice tip ;). Now I can relax a little bit more while my little firewall keeps taking care of my 36 "poor" OpenBSD servers!

  2. By Anonymous Coward () on

    Lets see...
    - OpenBSD guys never "wrote" OpenSSL, but they have some good work and paranoia about it.
    - Your decision seems mostly based in money, no matter how much you know PIX. It sucks sucks sucks.
    Sorry man. I really like OpenBSD, but I will never write a lame article like this.
    Wrong way to advocate something.

    Comments

    1. By Justin () on

      They did not create OpenSSL but they did create OpenSSH, by far the most popular SSH implentation on the internet as determined by their scans:
      http://www.openssh.org/usage/ssh-stats.html

    2. By Anonymous Coward () on

      "no matter how much you know PIX. It sucks sucks sucks. I really like OpenBSD, but I will never write a lame article like this. Wrong way to advocate something."


      I had a great time reading your unsubstantiated statements.


      maybe we should begin convicting anyone without evidence of the crime?

    3. By Anonymous Coward () on

      - Your decision seems mostly based in money, no matter how much you know PIX. It sucks sucks sucks.

      What sucks? You're not speaking clearly.

      Cisco hardware is ridiculously overpriced. If they can do what they want to do for significantly less money, then why not?

      - Sorry man. I really like OpenBSD, but I will never write a lame article like this. Wrong way to advocate something.

      What are you talking about? Who asked you to write anything? Perhaps you shouldn't write at all.

      Comments

      1. By Anonymous Coward () on

        You are a fucktard. Go use linux or something.

    4. By Brandon Newport () bnewport@appws.com on mailto:bnewport@appws.com

      Everyone makes mistakes...sorry about the OpenSSL thing. We actually had been given the PIX. So it was not necessarily about the money for that factor. I have been installing firewall for almost 8 years. I do have quite a bit of firewall experience. I believe everyone has a right to their oppinion. I love the fact you stay anonymous rather than standing up for yourself like a man. Takes quite a man to bash someone for doing something or even attempting to when they themselves would never attempt to do the same thing.


      -b

      Comments

      1. By Anonymous Coward () on

        Don't mind him, it's just Darren, our pet troll... talks shite but has a heart o'gold and an unending devotion to the project.

        Cheers for the article, nice to see people actually thinking before choosing an OS.

        Comments

        1. By Anonymous Coward () on

          lol. I wouldn't be surprised. ;)

      2. By Anonymous Coward () on

        I'll buy your PIX. Email erica AT simpli DOT biz

    5. By Anonymous Coward () on

      You know you are an asshole. Never mind.

      Brandon, thank you for your input. Well done.

  3. By Noob () on

    I don't understand why 127.0.0.0/8 was placed in the noroute variable twice in the example pf.conf file?

    Thanks for contributing! I'm very happy you made the switch to OpenBSD.

    Comments

    1. By Brandon Newport () bnewport@appws.com on mailto:bnewport@appws.com

      Typo...seems like no matter how much you look over something you still miss something.

      Thanks

  4. By Marco Radzinschi () on


    Why are you doing modulate state on incoming packets ?

    I don't see the benefit of this, and it only adds to the load on the firewall.

    - Marco

    Comments

    1. By Brandon Newport () bnewport@appws.com on mailto:bnewport@appws.com

      I can see where you are coming from. The reason we did it on this particular firewall two fold:

      1) PCs are cheap and our firewall is fast and has more than enough memory to handle any additional load caused by the state modulation.
      2) Experiementing with modulate state vs keep state to see added security vs performance increase. To be honest we are still looking into this. We are hoping to release our results in the coming months.

      I understand the main benefit is mainly for protecting internal systems from the outside world, but we are trying to discover if there is any added benefit. Essentially we are trying to determine if the modulate state option increases the security of the ISN (more info here http://razor.bindview.com/publish/papers/tcpseq.html) on system that are not NATed.

      If you have any good info one way or the other, I would love to hear it. I believe that being good at security is to be open and always be willing to learn.

      Thanks,

      -brandon

      Comments

      1. By Anonymous Coward () on

        "keep state" allows to pick up connections after firewall restart, "modulate state" desynchronizes tcp sequences between both ends by adding random value to ISN, but compensates lack of random ISN's for end hosts - it is up to you to chose one that suits you best
        check this out to improve your rulesets
        http://www.nta-monitor.com/fact-sheets/fw-issues-table.htm

      2. By Marco Radzinschi () on


        Brandon,

        You are doing this backwards. State modulation on incoming packets has no benefit.

        You should be using keep state on external incoming connections, and modulate state on outgoing connections.

        From your ruleset, you seem to be doing this the wrong way.

        - Marco

        Comments

        1. By Anonymous Coward () on

          did you know that sequence numbers are generated on both sides of tcp ???

          Comments

          1. By Marco Radzinschi () on


            AC:

            Yes, I did know that sequence numbers are generated on both sides.

            But tell me, what is the benefit of randomizing an EXTERNAL host's ISN ?

            - Marco

            Comments

            1. By Anonymous Coward () on

              could you accept it as unwanted side-product of randomizing internal host's isn ???

        2. By Anonymous Coward () on

          While I may have missed something, I don't see where in the article he mentions what sort of access his customers have. It may be worthwhile to modulate external state to prevent insiders from attacking other insiders.

          Comments

          1. By Anonymous Coward () on

            TCP ISN's are hidden from normal users on any host by default, unles you assign them to some trusted group with access to bpf/pcap/whatever

            state modulation intercepts passing traffic and adds randomness to whatever ISN host presented

            state keeping does not do anything about it

            so:
            You can have more than one firewall with keep state, as connection ISN's are kept in sync

            Modulate state is almost always required when you plan to use hosts with non-random ISN's (read old) and to obscure ISN on other side of firewall so nobody can catch traffic on one side and spoof rst undetected on the other side of firewall

  5. By Chris Hedemark () chris@yonderway.com on http://yonderway.com

    ...the wrapping is crazy on this. Instead of letting my browser format the text, it is wrapping at crazy widths so I have to scroll sideways back and forth to read it. :-( This is true under both Mozilla and Safari browsers under OS X.

    Comments

    1. By Anonymous Coward () on

      You're right... this entire article (including comments) is way too wide on my 1600x1200 screen. I'm using konqueror...

    2. By Anonymous Coward () on

      I copied it into a word processor to make it easier to read.

    3. By Anonymous Coward () on

      Same on IE. And its not dependant upon resolution, looks like 120% of window or something.

    4. By Anonymous Coward () on

  6. By Anonymous Coward () on

    Now, I love OpenBSD just as much as the next guy, but chosing OBSD over PIX for a production firewall, for a hosting company seems to be a bit naive.

    What type of failover/High Availability will you be running on your OBSD firewall? Does this include statefull failover?
    How well does it deal with Active/Passive FTP, h323, rpc? I'm sure that you aren't going to tell a customer that they can not run a passive FTP server, because it's a security vulnerability...
    I run OpenBSD at home, and I have suggested it for many customers that can not afford an enterprise-class solution... but I would never EVER put a non-HA firewall into my infrastructure where 15 minutes of downtime could cost my company over $30k in credits to customers.

    If OpenBSD can get some sort of statefull failover capabilities, and some sort of integrated HA (VRRP, HSRP), I'll be doing the happy-dance as I rip out a Solaris/CPFW1-NG machine...
    Until then, I'll be doing ACLs on a PIX and configuring stonebeat for my sun box.

    Comments

    1. By Anonymous Coward () on

      In the 10+ years I have been installing firewalls for customers the ONLY times I have seen firewall HA actually used is when there was a network problem and it typically took down both HA firewalls. There have been absolutely NO times when I have seen a firewall go down for any other reason. So the whole HA thing is more insurance than anything. As far as the whole security thing even if they are not allowing customers to h323 and rcp (which I dont think would be needed) and they are telling their customers that they dont allow passive ftp for whatever reason, at least they are using a firewall. Ask you current hosting provider if they are protecting their systems with any type of firewall and I will be their answer will be no.

      Good luck to you guys at APPWS!

      Comments

      1. By Anonymous Coward () on

        I challenge your experience in ENTERPRISE CLASS firewalls.

        So, you are saying that you have NEVER seen a firewall fail? only network devices?

        Are you only installing firewalls for your customers' ISDN lines?

        I have installed at least 10 firewall clusters over the past year.... CLUSTERS, as in Active/Active.

        If you read my first posting, you would see that I use OpenBSD at home for my firewall, and I have used it for customers before. Unfortunatly, because of the lack of HA available in OBSD, I can not (with a straight face) recommend it to a customer (Unless they have $0 to work with).

        Whats the point of having any redundant setup, if your firewall is a single point of failure?

        Comments

        1. By Anonymous Coward () on

          Actually I have installed firewall is in active/active active/passive mode, when the only HA product for Checkpoint was Qualix HA+ on Solaris. I never said anything about network devices failing...what I said was I have never seen a firewall go dead for a hardware reason. MTBF is extremely high in most systems and all the HA is insurance. The only time I have seen a firewall bounce for no reason is due to misconfiguration on the firewall (like in the HA software) or a network anomily like system throughing out too much traffic on the line oh, say like the most recent MS_SQL worm....which in most cases bounced BOTH HA firewalls so the HA even in active/active mode did not help. I also use OpenBSD at home and some smaller companies but working for one of the Big 5 you cannot install OpenBSD only the big names PIX, FW-1, etc.

          And why are you installing clusters because that is what everyone is telling you should sell/install? How many firewall have you actually seen go down. Probably not too many. If a firewal does go dead it is typically in the first 30 days and the hardware should be replace anyway. But there were normally signs that let us know before..typically during installation to replace parts so it never went into production.

          A good thing to point out too, is how many customer put in cluster firewall but have only one Internet connection or dont do the research putting them on different SONET rings, etc....way too many!!! That kinda defeats the purpose of the cluster.

          I also agree that I only recommend PF to customers with $0 budget. However I do believe that OpenBSD is a better alternative than some commercial firewalls like (MS ISA) and is more secure than Linux's IPTables.

          As far as the connectivity I have installed firewall on OC-48s and below, inversed mux T1s, T3, dsl, cable modem, ISDN, and dialup.

          This guy's article does not say anything about redundant setup. They are probably a small company and working to increase redundancy as they make money. Which is a smart business move rather than spending everything you have on an HA firewall cluster ($30k+).

          Comments

          1. By Anonymous Coward () on

            I think that we're saying the same things, just in different ways.

            OpenBSD with PF is about #3 in my book.
            #1) PIX (and all it's incarnations FWSM and the standalone systems)
            #2) CPFW-1 (It's pretty much the industry standard for statefull firewall, and has about every bell/whistle you'd want), plus it is quite reliable.
            #3) OpenBSD w/ PF

        2. By Anonymous Coward () on

          Do you implicit that ENTERPRISE CLASS firewalls FAIL???

    2. By Anonymous Coward () on

      In the 10+ years I have been installing firewalls for customers the ONLY times I have seen firewall HA actually used is when there was a network problem and it typically took down both HA firewalls. There have been absolutely NO times when I have seen a firewall go down for any other reason. So the whole HA thing is more insurance than anything. As far as the whole security thing even if they are not allowing customers to h323 and rcp (which I dont think would be needed) and they are telling their customers that they dont allow passive ftp for whatever reason, at least they are using a firewall. Ask you current hosting provider if they are protecting their systems with any type of firewall and I will be their answer will be no.

      Good luck to you guys at APPWS!

    3. By Anonymous Coward () on

      Can you imagine - OpenBSD never fails around or over, ok ok, you can write something arpwatch-like for the case to automate a spare firewall getting in place of broken...( i can do this for you for $30k in 15 minutes )

      Comments

      1. By Anonymous Coward () on

        You could configure 10 obsd pcs on different backbones and write a simple script to failover. Cron it or daemonized. Why make things so complex with PIX HA, just to say "Hey I have setup such and such look at the size of mine". BS use your mind.

        Comments

        1. By Anonymous Coward () on

          Is the RIP resting in peace ???
          HA Ha hA - whatever...
          routed -q ... way to make $30k in 15 minutes

  7. By Anonymous One () on

    ..you will never know if you never try ..
    queso does not do anything special,
    ethercap is much alike, and uses existing connections for passive fingerprinting,
    nmap sends SYN+FIN (SF/SFRA) (fin scan) and nothing (/SFRA) (null scan), and something to udp port 0 (os scan)
    in your current config anyone can spoof packets as coming from your hosts from outside, thus freely spoofing anything udp-like etc...

    Comments

    1. By Matt () on

      I think you make an excellent point in saying that with the published ruleset anyone can spoof having an IP of one of his internal hosts. However, we all know how easily that can be fixed with OpenBSD's rule expansion.

      Besides, I don't think this was meant to be an exact copy of his firewall rules, only an example.

      Overall it didn't present any new info that I wasn't aware of, but it's always nice to see an article on this stuff. Can't hurt to see someone else's viewpoint every once in a while, you might pick up a tidbit here or there.

      Comments

      1. By Anumous One () on

        That important spoofing thing was missed in writeup, so i belive nobody took care about it...
        Exact or not - it does harm for anyone copying it for any practical purpose...
        You will never measure how well your firewall does unless you are being hit by actual attacks...

    2. By Anonymous Coward () on

      Silly Troll.

      block in on $ext_if from $internal_network to any

  8. By Anonymous Coward () on

    In a press release this morning from Capetown, Chief Matumbe Oganwobi explained: "Hmmm... me like Postfix - Sendmail bad juju"

    Comments

    1. By Anonymous Coward () on

      They also learned how to count past 4 all the way to 7 after they heard of one exploit in 7 years. These indigenous folks are the only tribe on the planet left who actually buys into the claim.

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]