OpenBSD Journal

OpenBSD as a desktop using PF

Contributed by jose on from the personal-firewalls dept.

BigMoose writes: "I've been running OpenBSD since 2.7 and have had great reliable systems since. I have finally gotten into securing these systems (small home and community networks) using PF. I've only set up generic firewall rule sets and have been ok, and only upgraded versus patching. Now I am to a point where I am only focusing on security and these systems as it will be my full time job and I have some high school students to help me out. I also want to deploy one as a workstation at home on my cable modem connection. I know there are personal firewalls such as zone alarm and what not, but who has used PF on their desktop and what kind of ruleset do you have? I know I need to do more than
$blockIPs={10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,
   224.0.0.0/4,240.0.0.0/5,127.0.0.0/8,0.0.0.0}
What else should be considered for a desktop application?

~BigMoose"

My personal laptop rules are to scrub everything in, pass things out keeping state, and block everything in. Has served me well for years. Unfortunately, I don't know of any application to firewall mapping system like ZoneAlarm for OpenBSD, but it shouldn't be too hard to do that. Anyone have any suggestions for personal boxes, as opposed to servers of some kind, that go beyond this simple ruleset?

Comments
  1. By Anonymous Coward () on

    ... I'd suggest blocking everything that comes in, passing everything that goes out, and keeping state. Also scrubbing may be advisable.
    Maybe you'll want to allow inbound ssh connections from the rest of your LAN.

    Comments
    1. By chump () on

      This is exactly the setup I have been using and it works great. I have never had any problems, even with ftp connections and tunneled ssh connections and other things that can usually cause problems.

  2. By G () on

    systrace limits an application's or user's ability to connect to other hosts.

    sysutils/pftop,
    pflogd from the base system?

    for access lists see
    http://www.netconfigs.com/general/martians.htm
    there are some more for sure

    For the desktop part:
    some anonymous ftp servers want you to run identd; this makes you connect to them much faster

    block return-rst in on ep0 inet proto tcp from ! ep0 to ep0 port {113} label ftp-rst

    For X, in /etc/X11/xdm/Xservers change
    X
    to
    X -nolisten tcp

    Anyway examine netstat and remove obsolete services as you see fit.

  3. By supabeast () on

    I use the following simple config for my headless workstation/firewall that handles traffic for every machine. It's been up for almost a year on 3.2, and I haven't ever had any issues. It's just a few tweaks to the sample config file.

    # $OpenBSD: pf.conf,v 1.6 2002/06/27 07:00:43 fgsch Exp $
    #
    # See pf.conf(5) for syntax and examples
    #
    # replace ext0 with external interface name, 10.0.0.0/8 with internal network
    # and 192.168.1.1 with external address

    #Declarations
    EXT="tl0" #EXTERNAL INTERFACE
    INT="dc0" #LOCAL LAN INTERFACE
    LAN="192.168.0.0/24" #LOCAL LAN
    BADIPS="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

    # Normalize: reassemble fragments and resolve or reduce traffic ambiguities

    scrub in all

    # nat: packets going out through ext0 with source address 10.0.0.0/8 will get
    # translated as coming from 192.168.1.1. a state is created for such packets,
    # and incoming packets will be redirected to the internal address.

    # nat on ext0 from 10.0.0.0/8 to any -> 192.168.1.1
    nat on $EXT from $LAN to any -> $EXT
    # Port forwarding for BitTorrent
    rdr on $EXT proto tcp from any to 68.48.xxx.xxx port 6881:6889 -> 192.168.0.42

    # RULESET FOR $INT
    pass in quick on $INT from any to any
    pass out log quick on $INT from any to any

    # Prevent spoofing for punched holes
    block in quick on $EXT from $BADIPS to any

    # Punch holes here (each pf rule has to stay on a single line)
    pass in quick on $EXT inet proto tcp from any to any port 22 flags S/SA keep state
    pass in quick on $EXT inet proto tcp from any to any port 113 flags S/SA keep state
    #pass in quick on $EXT inet proto tcp from any to any port 110 flags S/SA keep state
    # rdr only rewrites the destination; the redirected BitTorrent packets are
    # then filtered against the internal address and still need a pass rule
    pass in quick on $EXT inet proto tcp from any to 192.168.0.42 port 6881:6889 flags S/SA keep state

    # OUTBOUND RULESET FOR $EXT
    # Prevent spoofing from our LAN
    block out quick on $EXT from any to $BADIPS

    # Let all tcp, udp and icmp traffic out and keep state so it can return.
    # Block any packets that are of other types at the border.
    pass out quick on $EXT inet proto tcp from any to any flags S/SA keep state
    pass out quick on $EXT inet proto udp from any to any keep state
    pass out quick on $EXT inet proto icmp from any to any keep state
    block out on $EXT from any to any

    # Our default MUST HAVE deny rule
    block in log quick on $EXT from any to any

    Comments
    1. By asenchi () asenchi@asenchi.com on http://www.asenchi.com

      I hope you don't mind but I am not sure about your ruleset. It works but I think you could do it a bit different. It may be a little easier to read if you were to do something like this:

      # replace ext0 with external interface name, 10.0.0.0/8 with internal network
      # and 192.168.1.1 with external address

      #Declarations
      EXT="tl0" #EXTERNAL INTERFACE
      INT="dc0" #LOCAL LAN INTERFACE
      LAN="192.168.0.0/24" #LOCAL LAN
      TCP_P="{ 22, 113, 110 }"
      BADIPS="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

      scrub in all   # all = from any to any

      # nat on ext0 from 10.0.0.0/8 to any -> 192.168.1.1
      nat on $EXT from $LAN to any -> $EXT
      # Port forwarding for BitTorrent
      rdr on $EXT proto tcp from any to 68.48.xxx.xxx port 6881:6889 -> 192.168.0.42

      block in log on $EXT all
      block out log on $EXT all

      # prevent spoofing
      block in log quick on $EXT from $BADIPS to any
      block out quick on $EXT from any to $BADIPS

      # rules for $INT
      pass in quick on $INT from $INT to $INT   # This _I think_ will provide a bit more security
      pass out log quick on $INT from $INT to any

      # allow these ports
      pass in quick on $EXT inet proto tcp from any to any port $TCP_P flags S/SA keep state
      # the rdr above only rewrites the destination; the forwarded range still has to pass
      pass in quick on $EXT inet proto tcp from any to 192.168.0.42 port 6881:6889 flags S/SA keep state

      # tcp
      pass out quick on $EXT inet proto tcp all modulate state flags S/SA
      # udp
      pass out quick on $EXT inet proto udp from any to any keep state
      # icmp
      pass out quick on $EXT inet proto icmp from any to any keep state

      Sorry, I have been obsessed with pf rulesets for the past two months and have learned a lot. I am not great, but I have learned some. So I hope you don't mind me pointing this out...

      Thanks for indulging me,

      //curt

      Comments
      1. By G () on

        pass in quick on $INT from $INT to $INT (This _I think_ will provide a bit more security)

        this I think will allow spoofing as configured interface addresses route via local, without hitting the wire

      2. By G () on

        Yes and about "pass out quick" - modern backdoors connect to their master, not listen like old ones do

        Comments
        1. By asenchi () asenchi@asenchi.com on http://www.asenchi.com

          not sure I understand this: "pass out quick - modern backdoors connect to their master, not listen like old ones do"

          //curt

          Comments
          1. By StephenC () on

            I think what he means is that instead of a trojan sitting listening on a port waiting for a connection from bad server/people, the trojan makes an outgoing connection (that passes through the firewall with no questioning) to bad server/people. The control commands are then sent back through this channel.

            It's the reason to use proxies. Instead of firewalls allowing any traffic on an internal network through to the outside world, the traffic must be sent via a trusted system, the proxy. The proxy allows a single point of monitoring and control.

            Then again I could be wrong :)

            StephenC

            Comments
            1. By asenchi () asenchi@asenchi.com on mailto:asenchi@asenchi.com

              Ah, I see. So this would probably be better for $int

              pass out quick on $int from $int to $int keep state

              Or maybe without the keep state.

              //curt

            2. By G () on

              Strange, but you are right, that's why I suggested systrace

  4. By Free Bird () on

    How about this one: don't use OpenBSD as a desktop! Use it as a server instead.

    Comments
    1. By tony () tony@libpcap.net on http://libpcap.net

      Why not? Now that it's switched to ELF and we have things like mplayer, mozilla/firebird, etc., it makes a perfect desktop OS. I have OpenBSD-current and WinXP on a KVM switch. I use OpenBSD for everything, except Kazaa and Photoshop, which is why I have XP around.

      In fact, I just scored a Dell laptop for cheap that I'll be installing OpenBSD-current on today. Thank god wardriving is legal in NH! mwahaha.

      Comments
      1. By Anonymous Coward () on http://savannah.nongnu.org/projects/mldonkey

        Agree. For a KaZaA replacement I'd suggest MLdonkey. It includes support for various P2P networks, including the FastTrack network (aka the KaZaA network). I'm not sure whether this runs on OpenBSD. I don't see it in ports. A search on Google popped up various interesting URLs. It does run fine on my Debian GNU/Linux desktop.

        Comments
        1. By Anonymous Coward () on

          I believe I saw it on the 'new ports' page. I've been using OBSD as my 'ix desktop since 2.5. It has been fine for me (after firewall/NAT, desktop is probably its most common use -- I'm betting it beats out web-server...

        2. By Lars Hansson () on

          You only need to install the ocaml port then mldonkey will build and run just fine.

      2. By Anonymous Coward () on

        Couldn't you just run Photoshop on Linux with CrossOver Office?

        Comments
        1. By tony () tony@libpcap.net on mailto:tony@libpcap.net

          because:
          1) F linux
          2) support is minimal and slow.. too slow for any sort of productivity.

          Comments
          1. By Anonymous Coward () on

            However entertaining it is to run Microsoft applications on 'ix, I just don't see the point myself -- stick with dual booting, and you can play some kick ass games after you're done with photoshop.

            However, I really think 'ix is a better choice for web-browsing/email (which qualifies as 'desktop' I guess). Yes, maybe a few pages won't display correctly -- but your machine doesn't get trashed with spyware, viruses, and shit either (and don't say this only happens to morons -- lots of people have spouses to f'k up their Windows installs for them).

            Comments
            1. By Free Bird () on

              lots of people have spouses to f'k up their Windows installs for them

              Stay single, then! ;)

              Comments
              1. By tony () tony@libpcap.net on http://libpcap.net

                Or have them use OpenBSD w/ systrace on their email and www clients ;)

            2. By KeV (80.47.82.162) on

              > However entertaining it is to run Microsoft applications on 'ix, I just don't see the point myself -- stick with dual booting, and you can play some kick ass games after you're done with photoshop.
              >
              > However, I really think 'ix is a better choice for web-browsing/email (which qualifies as 'desktop' I guess). Yes, maybe a few pages won't display correctly -- but your machine doesn't get trashed with spyware, viruses, and shit either (and don't say this only happens to morons -- lots of people have spouses to f'k up their Windows installs for them).

              The sooner games run on 'ix like systems, the sooner we can get real gaming without OS overhead and crappy console ports, which will improve the pixels for everyone or allow them to waste more for faster development. (Such as NFS CARBON)

              It will also allow more online players (like Unreal on Linux), which haven't increased in years. Total Annihilation, which is years and years old, had 3D landscapes that were totally walkable and AI which worked for huge armies. Where are we today? It doesn't look that good. Hopefully Supreme Commander (sequel (naming rights)) will be brill, but the website needing Flash 8 with no alternative or content viewable without it does not encourage me.
              Hopefully this design flaw doesn't mean the game will also be flawed like so many running on Windows, and now they want to waste latency on live adverts as well.

              VISTA is a joke and makes a PC look as crap as a console.

              We run what we run and not what EVERYONE wants us to. Why you would want to waste 512 MB of RAM on data you don't use is beyond me anyway, and if you do it's your loss.

              Games may usually look better and better but it doesn't mean that the development rate is always on the increase.

      3. By PCronin () pcronin@www.nospam.com on mailto:pcronin@www.nospam.com

        GIMP is in the ports tree... better than PhotoShop IMHO and it's free...

        I've been playing a bit (I'm now on 56k again ARGH!) with Gnutella, and have found just about everything I used to on Kazaa... It might be a good alternative.

        My only prob with my particular OBSD install is that for some reason some progs won't compile. Mostly complaining that they can't find (lib)iconv(.h) even though it's installed in the default location.

        RedHat emulation is installed.

        Anyone else ever run into this? It's preventing me from installing MPlayer, and a handful of KDE apps.

        Comments
        1. By tony () tony@libpcap.net on http://libpcap.net

          as far as I'm concerned, GIMP is a piece of trash. I haven't tried out the devel branch, but the stable branch is useless to me. I admit, the Script-Fu stuff is cool for quick logos or whatever, but until GIMP gets the font support, layer dragging, anti-alias, etc. that Photoshop has, I'll keep using Photoshop. I'd love to be able to kick another win app to the curb, but until then....

          As far as your mplayer problems, I'm running -current and it installed fine, and plays videos fine. I suggest tracking current on workstations.. it always has the latest and greatest code, and -current is *very* stable. Usually if the OpenBSD team commits code that's iffy, you'll hear about it either on the mailing lists, or here.

          but so far I haven't had any problems running -current for over a month now. my system is very stable w/ fluxbox, gaim, firebird/mozilla, gqmpeg, mysql, php4, etc.... :)

          Comments
          1. By PCronin () pcronin@www.nospam.com on mailto:pcronin@www.nospam.com

            I'll give -current a try.. I've never tried using CVS before, I'll let people know.

            As for GIMP, I'm not a serious gfx guy, so I found GIMP perfect for everything I was ever doing in PS.
            Plus it was free, and did run in Win32 when I was in that environment.

  5. By SFNative () on

    You might want to take a look at this:

    http://zhware.ath.cx/wiki/index.php/CompendiumOfPFRules

    The one marked "Workstation" should give you what you are looking for but go through the others as well. You may find some things you hadn't thought of.

    HTH

    Adam

  6. By Pete () on

    Instead of dropping RFC1918 type addresses, I think it's better to refer to a fuller listing of officially 'bad addresses'. This is better gleaned from draft-manning-dsua-04.txt for example from:
    http://www.isi.edu/~bmanning/dsua.html

    This is still a bit dated, but very useful. IMHO this kind of thing would be better to include in the share/misc than birthtoken type info (not sure on copyright for re-dist tho)

    Pete

    Comments
    1. By StephenC () on

      I see what you're saying but keeping the list of "bad addresses" up to date could be a pain unless there is a way of automating the list from an authoritative source.

      My ISP makes use of 10.0.0.0/8 & 172.16.0.0/12 addresses for some of their services. Initially caused me some hassle when I was setting up my home firewall :) I can look back and laugh now :)

      StephenC

    2. By tedu () on

      http://puck.nether.net/~jared/papers/69-paper.html

    3. By Anonymous Coward () on

      http://www.cymru.com/Bogons/ (text aggregated list)
      wget or curl
      pf table
      a cron job
      :)

      This is much better suited to a perimeter firewall than a workstation, though. I wouldn't even bother with blocking stuff like this on a workstation -- you know what it's talking to anyway.

      Comments
      1. By Anonymous Coward () on

        a cron job

        Until your box gets owned and his firewall suddenly starts blocking odd addresses

    4. By Anonymous Coward () on

      Why bother blocking all those ranges?

      block in all

      simple

      then just allow what you need.

  7. By Anonymous Coward () on

    $blockIPs={10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,
    224.0.0.0/4,240.0.0.0/5,127.0.0.0/8,0.0.0.0}

    This is great on a perimeter firewall which is performing NAT for a private network.

    But if you do this on a workstation which is using private IP space, then you might not like the outcome. ; )

    Comments
    1. By Anonymous Coward () on

      That should read, "This is great on a perimeter firewall."

      Regardless of whether it's doing NAT or not.

    2. By asenchi () asenchi@asenchi.com on mailto:asenchi@asenchi.com

      couldn't you put a '!' in there? Say I am on a network that is using 192.168.0.0/24 and I specify this rule:

      $blockIPs={10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,
      224.0.0.0/4,240.0.0.0/5,127.0.0.0/8,0.0.0.0}

      i can change it to ignore my network:

      $blockIPs={10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,
      !192.168.0.0/24 224.0.0.0/4,240.0.0.0/5,127.0.0.0/8,0.0.0.0}

      Comments
      1. By asenchi () asenchi@asenchi.com on mailto:asenchi@asenchi.com

        ok, the code didn't come out well, so add this:

        !192.168.0.0/24

        after this:

        $blockIPs={10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,

        wouldn't this work?

        //curt

        Comments
        1. By Anonymous Coward () on

          Not in that form. Look at what it expands to:

          block ... from 10.0.0.0/8 ...
          block ... from 172.16.0.0/12 ...
          block ... from ! 192.168.0.0/24 ...

          Oops -- just blocked everything that is NOT 192.168.0.0/24.

          It would be usable in table form, though.
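A script for the "wget or curl, pf table, a cron job" recipe given under comment 6, which also uses the table form of the exclusion that, as the reply above explains, a `{ }` list in a rule cannot express. This is an added example, not anything a poster wrote; it assumes a `<bogons>` table declared in pf.conf and loaded with pfctl -T replace, placeholder paths, and a local network of 192.168.0.0/24.

```shell
#!/bin/sh
# Added example, not from any poster: refresh a pf <bogons> table from a
# downloaded text list, validating the file before it touches the table.
# Assumed pf.conf:  table <bogons> persist
#                   block in quick on $EXT from <bogons> to any
# URL, paths and LOCAL_NET are assumptions; the list is the one named above.
BOGON_URL="http://www.cymru.com/Bogons/"
LIST="/var/db/bogons.txt"
LOCAL_NET="192.168.0.0/24"   # our own LAN, carved back out of the bogon block
MIN_ENTRIES=5                # fewer usable lines means the download broke
# Keep only well-formed IPv4 CIDR lines; drop comments, blanks, CRs and junk.
filter_bogons() {
    awk '
      { sub(/\r$/, "") }
      /^[ \t]*#/ || /^[ \t]*$/ { next }
      $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { next }
      {
        split($1, p, "[./]")          # p[1..4] octets, p[5] prefix length
        for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) next
        if (p[5] + 0 < 1 || p[5] + 0 > 32) next   # a /0 would blackhole everything
        print $1
      }' "$1"
}

# Usable entries in a list file; the sanity threshold is checked against this.
count_valid() { filter_bogons "$1" | wc -l | tr -d ' '; }
# Replace the table, or leave the old one alone when the file looks broken.
# A table honours "!" as a more-specific exception (a { } list in a rule does
# not), so our own network can be excluded even though a wider prefix covers it.
load_bogons() {
    clean=$(mktemp) || return 1
    filter_bogons "$1" > "$clean"
    if [ "$(wc -l < "$clean" | tr -d ' ')" -lt "$MIN_ENTRIES" ]; then
        echo "bogon list too short, keeping the old table" >&2
        rm -f "$clean"; return 1
    fi
    echo "!$LOCAL_NET" >> "$clean"
    pfctl -t bogons -T replace -f "$clean"   # one atomic swap from pf's side
    rm -f "$clean"
}

# ftp(1) fetches HTTP on OpenBSD; wget or curl do the same elsewhere.
# Cron entry (assumed path): 0 4 * * * /usr/local/sbin/bogons.sh
fetch_and_load() { ftp -o "$LIST" "$BOGON_URL" && load_bogons "$LIST"; }

# Constructed sample standing in for a download, so the filter runs offline.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed bogon list: a comment, five good entries, a /0 and garbage
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
192.168.0.0/16
224.0.0.0/4
0.0.0.0/0
999.1.1.1/8
not an address
EOF
filter_bogons "$SAMPLE"   # prints the five usable entries
```

Only filter_bogons runs against the constructed sample; load_bogons and fetch_and_load are what the cron job would call on a real OpenBSD box.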

  8. By Noob () on

    Shouldn't the D and E address space be referred to as:

    D & E - 224.0.0.0/3 to cover 224.0.0.0 -> 225.255.255.255

    or

    D - 224.0.0.0/4 to cover 224.0.0.0 -> 239.255.255.255
    E - 240.0.0.0/4 to cover 240.0.0.0 -> 255.255.255.255

    I'm just wondering, because I normally block 224.0.0.0/3

    Thanks ;-)

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]