OpenBSD Journal

eWeek used OpenBSD pf firewalls for OpenHACK

Contributed by jose on from the open-and-hack dept.

Bongo writes:
"The idea of inviting hackers to attack your web site is debatable, but eWeek did and used OpenBSD as their web server and firewall. They published the logs and configurations - pf included - here: http://www.eweek.com/article2/0,3959,743002,00.asp

I'm still downloading it (server backups) so I don't know what rules they used, but here is a real world example of what pf was used for."

This looks kind of cool, if only to get a few ideas and see what I can add to my toolbox. Anyone check this stuff out?



Comments
  1. By Anonymous Coward () on http://www.xs4all.nl/~wpd/symon/

    It's nice to see they used symon, which can be found in the ports under sysutils/symon.

  2. By Anonymous Coward () on

    I'm downloading the zip file right now (119 MB!) and it is crawling along at 7k/s - a 4 hour process. I don't think it is that popular, rather they must have some sort of bandwidth cap. Using zip instead of .tgz ....

    Anyways, for new users, here is an example showing how a machine was set up and administered, including changes to the various files in /etc. If you are getting started and wonder what to do after an install and reading afterboot, here are tips on administering, log files, pf, symon, and so on.

    Too bad they don't run an article on how they set it up and the reasons for the choices they made.

    I'm glad to see the additional publicity, which along with the UltraSparcIII brouhaha, can only lead to more CD sales, new users, mindless posts to misc@, and reactive flames. Somehow it seems like it is going to be an interesting month.

  3. By Anonymous Coward () on

    Why not post the "interesting" stuff here? Save them some bandwidth usage and save most of us having to download 120MB just to look at a few K of data.

  4. By Sam Wilson () numbsafari@yahoo.com on mailto:numbsafari@yahoo.com

    Is it just me, or did the Microsoft submissions have a lot more polish than the Oracle submissions?

    Especially this article:

    http://www.eweek.com/article2/0,3959,746550,00.asp

    Vendor-Client communication is probably one of the less obvious issues in security, and I hate to give M$ kudos for anything at all, but in this case, their professionalism deserves merit. It sounds like Oracle really didn't give this a lot of thought, which is disappointing considering how much they like to claim that they are "unbreakable". Granted, nobody really "broke in", but XSS bugs are the bane of web application security...

  5. By That Tune () on

    There is an article on how the Openhack network was set up at
    http://www.eweek.com/article2/0,3959,643205,00.asp

    and the network diagram in pdf is available at
    ftp://ftp.eweek.com/pub/eweek/pdf/printpub/19/41p38.pdf

    Knowing where all the firewalls fit helps.

    For those of you who wonder what to use on a DOS-based zip archive, unzip is your friend, not gunzip.

  6. By Timothy Dyck, eWEEK Labs () timothy_dyck@ziffdavis.com on mailto:timothy_dyck@ziffdavis.com

    One thing people will notice in the pf.conf files is some rules that explicitly allow reply traffic through the firewall when a "keep state" parameter on the incoming traffic rule should have taken care of this automatically.

    Here's an example:

    pass in on $int_if proto tcp from $mail_relay_ok_net to $int_if port smtp keep state label "int_if_in_$srcaddr->$dstaddr_$dstport"

    pass in on $int_if proto udp from $name_server_ip port domain to $int_if keep state label "int_if_in_$srcaddr_$srcport->$dstaddr" # shouldn't need this line

    When I watched the log of blocked packets, I'd find that a small number of reply packets were getting blocked until I added reply rules like the second one above. It appeared that pf was losing track of the state of certain incoming connections and so generated reply traffic wasn't being correctly associated with incoming traffic.

    Anyone experienced this? It wasn't a big problem, but I shouldn't have needed those extra rules. This is with release OpenBSD 3.2.

    Thanks,
    Tim Dyck
    eWEEK Labs
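Tim's comment above describes the symptom of blocked inbound packets that were really replies to sessions a "keep state" rule should already have covered. The script below is an added example, not part of this thread or of eWeek's published configuration: it scans tcpdump-style pflog output (constructed sample lines; the interface names, addresses, rule number and service set are assumptions) and counts blocked inbound packets that look like replies from a service the firewall itself talks to, so the problem can be measured from the logs instead of papered over with blanket reply rules.

```python
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -n -e -i pflog0` output; the
# interface names, addresses and rule number are assumptions, not eWeek's data.
SAMPLE_PFLOG = """\
rule 12/0(match): block in on fxp1: 10.0.1.5.53 > 10.0.1.1.41022: udp 97
rule 12/0(match): block in on fxp1: 192.168.2.9.3412 > 10.0.1.1.25: S 1:1(0) win 16384
rule 12/0(match): block in on fxp1: 10.0.1.5.53 > 10.0.1.1.41023: udp 112
rule 12/0(match): block in on fxp1: 172.16.0.4.25 > 10.0.1.1.55010: . ack 1 win 17376
rule 12/0(match): block in on fxp0: 203.0.113.7.25 > 10.0.1.1.1025: S 1:1(0) win 5840
"""

PFLOG_RE = re.compile(
    r"rule (\d+)/\S+ (block|pass) (in|out) on (\w+): "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)")


def parse_pflog_line(line):
    """Parse one pflog line into a dict, or return None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rule, action, direction, iface, src, sport, dst, dport, rest = m.groups()
    proto = "udp" if rest.startswith("udp") else "tcp"
    # A bare SYN is a new connection attempt, never a reply to an existing session.
    syn_only = proto == "tcp" and rest.startswith("S ") and "ack" not in rest
    return {"rule": int(rule), "action": action, "direction": direction,
            "iface": iface, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto, "syn_only": syn_only}


def suspected_lost_state_replies(log_text, firewall_ips, stateful_services):
    """Count blocked inbound packets that look like replies to sessions the
    firewall itself opened: source port is a service we query statefully,
    destination is the firewall on an ephemeral port, and it is not a SYN."""
    counts = Counter()
    for line in log_text.splitlines():
        pkt = parse_pflog_line(line)
        if pkt is None or pkt["action"] != "block" or pkt["direction"] != "in":
            continue
        if pkt["dst"] not in firewall_ips or pkt["dport"] < 1024:
            continue
        if (pkt["proto"], pkt["sport"]) not in stateful_services or pkt["syn_only"]:
            continue
        counts[(pkt["iface"], pkt["src"], pkt["proto"], pkt["sport"])] += 1
    return counts
```

Calling `suspected_lost_state_replies(SAMPLE_PFLOG, {"10.0.1.1"}, {("udp", 53), ("tcp", 25)})` on the sample reports the two DNS replies from 10.0.1.5 and the one SMTP ACK from 172.16.0.4, and ignores both the inbound SMTP connection attempt and the SYN arriving from port 25 on fxp0. Feed it `tcpdump -n -e -i pflog0` output from a real firewall to see which peers and services keep showing up before deciding whether an explicit reply rule is justified.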
