Contributed by jose, from the personal-firewalls dept.
BigMoose writes:
"I've been running OpenBSD since 2.7 and have had great reliable systems since. I have finally gotten into securing these systems (small home and community networks) using PF. I've only set up generic firewall rule sets and have been ok, and only upgraded versus patching. Now I am to a point where I am only focusing on security and these systems as it will be my full time job and I have some high school students to help me out. I also want to deploy one as a workstation at home on my cable modem connection. I know there are personal firewalls such as zone alarm and what not, but who has used PF on their desktop and what kind of ruleset do you have? I know I need to do more than
What else should be considered for a desktop application?
~BigMoose"
My personal laptop rules are to scrub everything in, pass things out keeping state, and block everything in. Has served me well for years. Unfortunately, I don't know of any application to firewall mapping system like ZoneAlarm for OpenBSD, but it shouldn't be too hard to do that. Anyone have any suggestions for personal boxes, as opposed to servers of some kind, that go beyond this simple ruleset?
Comments
By Anonymous Coward
... I'd suggest blocking everything that comes in, passing everything that goes out, and keeping state. Also scrubbing may be advisable.
Maybe you'll want to allow inbound ssh connections from the rest of your LAN.
By chump
This is exactly the setup I have been using and it works great. I have never had any problems, even with ftp connections and tunneled ssh connection and other things that can usually cause problems.
By G
systrace limits application/user ability to connect to other hosts.
sysutils/pftop, pflogd from the base system?
for access list see
http://www.netconfigs.com/general/martians.htm
there are some more for sure
For the desktop part:
some anonymous ftp servers want you to run identd, this makes you connect to them much faster
block return-rst in on ep0 inet proto tcp from !ep0 to ep0 port {113} label ftp-rst
For X: in /etc/X11/xdm/Xservers, change "X" to "X -nolisten tcp".
Anyway examine netstat and remove obsolete services as you see fit.
By supabeast
I use the following simple config for my headless workstation/firewall that handles traffic for every machine. It's been up for almost a year on 3.2, and I haven't ever had any issues. It's just a few tweaks to the sample config file.
# $OpenBSD: pf.conf,v 1.6 2002/06/27 07:00:43 fgsch Exp $
#
# See pf.conf(5) for syntax and examples
#
# replace ext0 with external interface name, 10.0.0.0/8 with internal network
# and 192.168.1.1 with external address
#Declarations
EXT="tl0" #EXTERNAL INTERFACE
INT="dc0" #LOCAL LAN INTERFACE
LAN="192.168.0.0/24" #LOCAL LAN
BADIPS="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# Normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub in all
# nat: packets going out through ext0 with source address 10.0.0.0/8 will get
# translated as coming from 192.168.1.1. a state is created for such packets,
# and incoming packets will be redirected to the internal address.
# nat on ext0 from 10.0.0.0/8 to any -> 192.168.1.1
nat on tl0 from 192.168.0.0/24 to any -> tl0
# Port forwarding for BitTorrent
rdr on tl0 proto tcp from any to 68.48.xxx.xxx port 6881:6889 -> 192.168.0.42
# RULESET FOR $INT
pass in quick on $INT from any to any
pass out log quick on $INT from any to any
# Prevent spoofing for punched holes
block in quick on $EXT from $BADIPS to any
# Punch holes here
pass in quick on $EXT inet proto tcp from any to any port 22 flags S/SA keep state
pass in quick on $EXT inet proto tcp from any to any port 113 flags S/SA keep state
#pass in quick on $EXT inet proto tcp from any to any port 110 flags S/SA keep state
# OUTBOUND RULESET FOR $EXT
# Prevent spoofing from our LAN
block out quick on $EXT from any to $BADIPS
# Let all tcp, udp and icmp traffic out and keep state so it can return.
# Block any packets that are of other types at the border.
pass out quick on $EXT inet proto tcp from any to any flags S/SA keep state
pass out quick on $EXT inet proto udp from any to any keep state
pass out quick on $EXT inet proto icmp from any to any keep state
block out on $EXT from any to any
# Our default MUST HAVE deny rule
block in log quick on $EXT from any to any
I hope you don't mind but I am not sure about your ruleset. It works but I think you could do it a bit different. It may be a little easier to read if you were to do something like this:
# replace ext0 with external interface name, 10.0.0.0/8 with internal network
# and 192.168.1.1 with external address
# nat on ext0 from 10.0.0.0/8 to any -> 192.168.1.1
nat on tl0 from 192.168.0.0/24 to any -> tl0
# Port forwarding for BitTorrent
rdr on tl0 proto tcp from any to 68.48.xxx.xxx port 6881:6889 -> 192.168.0.42
block in log on $EXT all
block out log on $EXT all
# prevent spoofing
block in log quick on $EXT from $BADIPS to any
block out quick on $EXT from any to $BADIPS
# rules for $INT
pass in quick on $INT from $INT to $INT # This _I think_ will provide a bit more security
pass out log quick on $INT from $INT to any
# allow these ports
pass in quick on $EXT inet proto tcp from any to any port $TCP_P flags S/SA keep state
# tcp
pass out on $EXT inet proto tcp all modulate state flags S/SA
# udp
pass out quick on $EXT inet proto udp from any to any keep state
# icmp
pass out quick on $EXT inet proto icmp from any to any keep state
Sorry, I have been obsessed with pf rulesets for the past two months and have learned a lot. I am not great, but I have learned some. So I hope you don't mind me pointing this out...
Thanks for indulging me,
//curt
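Both layouts make the same decisions because pf evaluates a ruleset last-match-wins, except that a matching rule marked quick ends evaluation on the spot. The toy evaluator below is an added example, not the thread's code and not pf itself: it models the inbound-on-$EXT rules of supabeast's and curt's rulesets as tuples (state, flags S/SA and logging left out) and runs constructed packets through both; the one difference it turns up is port 110, which curt's $TCP_P opens and supabeast left commented out.

```python
"""Toy pf evaluator: last match wins, unless a matching rule says 'quick'.

Added example, not from the thread and not pf itself.  It models only the
inbound-on-$EXT rules of the two rulesets above as tuples; state tracking,
flags S/SA, logging and the $INT rules are left out.  The page writes the
loopback entry as 127.0.0.1/8; it is written with host bits clear here.
"""
from ipaddress import IPv4Address, IPv4Network

BADIPS = [IPv4Network(n) for n in
          ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
ANY = [IPv4Network("0.0.0.0/0")]

# rule = (action, quick, proto or None, source networks, dest ports or None)
SUPABEAST_IN = [
    ("block", True,  None,  BADIPS, None),            # spoofed sources first
    ("pass",  True,  "tcp", ANY,    {22}),            # punched holes
    ("pass",  True,  "tcp", ANY,    {113}),
    ("block", True,  None,  ANY,    None),            # default deny, last
]
CURT_IN = [
    ("block", False, None,  ANY,    None),            # default deny first, no quick
    ("block", True,  None,  BADIPS, None),
    ("pass",  True,  "tcp", ANY,    {22, 113, 110}),  # $TCP_P
]


def matches(rule, pkt):
    """Does a single rule match the packet (proto, source, dest port)?"""
    _action, _quick, proto, src_nets, dst_ports = rule
    if proto is not None and proto != pkt["proto"]:
        return False
    if dst_ports is not None and pkt.get("dport") not in dst_ports:
        return False
    return any(IPv4Address(pkt["src"]) in net for net in src_nets)


def decide(ruleset, pkt):
    """pf semantics: the last matching rule wins, but a matching rule
    marked quick ends evaluation immediately.  Nothing matching = pass."""
    winner = "pass"
    for rule in ruleset:
        if matches(rule, pkt):
            winner = rule[0]
            if rule[1]:
                break
    return winner


PACKETS = {  # constructed packets arriving inbound on $EXT
    "ssh from internet":     {"proto": "tcp", "src": "203.0.113.9", "dport": 22},
    "ssh from spoofed 10/8": {"proto": "tcp", "src": "10.9.9.9", "dport": 22},
    "http from internet":    {"proto": "tcp", "src": "203.0.113.9", "dport": 80},
    "udp from internet":     {"proto": "udp", "src": "203.0.113.53", "dport": 5353},
    "pop3 from internet":    {"proto": "tcp", "src": "203.0.113.9", "dport": 110},
}


def compare(packets=PACKETS):
    """Packet name -> (supabeast's decision, curt's decision)."""
    return {name: (decide(SUPABEAST_IN, p), decide(CURT_IN, p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (s, c) in compare().items():
        print(f"{name:23} supabeast={s:5} curt={c}")
```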
By G
> pass in quick on $INT from $INT to $INT (This _I think_ will provide a bit more security)
This I think will allow spoofing, as configured interface addresses route via local without hitting the wire.
By G
Yes and about "pass out quick" - modern backdoors connect to their master, not listen like old ones do
By asenchi (asenchi@asenchi.com)
Not sure I understand this: "pass out quick - modern backdoors connect to their master, not listen like old ones do"
//curt
By StephenC
I think what he means is that instead of a trojan sitting listening on a port waiting for a connection from bad server/people, the trojan makes an outgoing connection (that passes through the firewall with no questioning) to bad server/people. The control commands are then sent back through this channel.
It's the reason to use proxies. Instead of firewalls allowing any traffic on an internal network through to the outside world, the traffic must be sent via a trusted system, the proxy. The proxy allows a single point of monitoring and control.
By tony (tony@libpcap.net)
Why not? Now that it's switched to ELF and we have things like mplayer, mozilla/firebird, etc., it makes a perfect desktop OS. I have OpenBSD-current and WinXP on a KVM switch. I use OpenBSD for everything, except Kazaa and Photoshop, which is why I have XP around.
In fact, I just scored a Dell laptop for cheap that I'll be installing OpenBSD-current on today. Thank god wardriving is legal in NH! mwahaha.
By Anonymous Coward (http://savannah.nongnu.org/projects/mldonkey)
Agree. For a KaZaA replacement I'd suggest MLdonkey. It includes support for various P2P networks, including the FastTrack network (aka the KaZaA network). I'm not sure whether this runs on OpenBSD. I don't see it in ports. A search on Google popped up various interesting URLs. It does run fine on my Debian GNU/Linux desktop.
By Anonymous Coward
I believe I saw it on the 'new ports' page. I've been using OBSD as my 'ix desktop since 2.5. It has been fine for me (after firewall/NAT, desktop is probably its most common use -- I'm betting it beats out web-server...
By Lars Hansson
You only need to install the ocaml port, then mldonkey will build and run just fine.
By Anonymous Coward
Couldn't you just run Photoshop on Linux with CrossOver Office?
By tony (tony@libpcap.net)
because:
1) F linux
2) support is minimal and slow.. too slow for any sort of productivity.
By Anonymous Coward
However entertaining it is to run Microsoft applications on 'ix, I just don't see the point myself -- stick with dual booting, and you can play some kick ass games after you're done with photoshop.
However, I really think 'ix is a better choice for web-browsing/email (which qualifies as 'desktop' I guess). Yes, maybe a few pages won't display correctly -- but your machine doesn't get trashed with spyware, viruses, and shit either (and don't say this only happens to morons -- lots of people have spouses to f'k up their Windows installs for them).
By Free Bird
> lots of people have spouses to f'k up their Windows installs for them
Or have them use OpenBSD w/ systrace on their email and www clients ;)
By KeV (80.47.82.162)
> However entertaining it is to run Microsoft applications on 'ix, I just don't see the point myself -- stick with dual booting, and you can play some kick ass games after you're done with photoshop.
>
> However, I really think 'ix is a better choice for web-browsing/email (which qualifies as 'desktop' I guess). Yes, maybe a few pages won't display correctly -- but your machine doesn't get trashed with spyware, viruses, and shit either (and don't say this only happens to morons -- lots of people have spouses to f'k up their Windows installs for them).
The sooner games run on 'ix-like systems, the sooner we can get real gaming without OS overhead and crappy console ports, which will improve the pixels for everyone or allow them to waste more for faster development. (Such as NFS CARBON)
It will also allow more online players (like unreal on linux), which haven't increased in years. Total Annihilation, which is years and years old, had 3d landscapes totally walkable and AI which worked for huge armies. Where are we today? It doesn't look that good. Hopefully supreme commander (sequel (naming rights)) will be brill, but the website needing flash 8 with no alternative or content viewable without it does not encourage me.
Hopefully this design flaw doesn't mean the game will also be flawed like so many running on windows, and now they want to waste latency on live adverts as well.
VISTA is a joke and makes a pc look as crap as a console.
We run what we run and not what EVERYONE wants us to. Why you would want to waste 512 MB of RAM on data you don't use is beyond me anyway, and if you do, it's your loss.
Games may usually look better and better, but it doesn't mean that the development rate is always on the increase.
GIMP is in the ports tree... better than Photoshop IMHO and it's free...
By PCronin (pcronin@www.nospam.com)
I've been playing a bit (I'm now on 56k again ARGH!) with Gnutella, and have found just about everything I used to on Kazaa... It might be a good alternative.
My only prob with my particular OBSD install is that for some reason some progs won't compile. Mostly complaining that they can't find (lib)iconv(.h) even though it's installed in the default location.
RedHat emulation is installed.
Anyone else ever run into this? It's preventing me from installing MPlayer, and a handful of KDE apps.
By tony (tony@libpcap.net)
As far as I'm concerned, GIMP is a piece of trash. I haven't tried out the devel branch, but the stable branch is useless to me. I admit, the Script-Fu stuff is cool for quick logos or whatever, but until GIMP gets the font support, layer dragging, anti-alias, etc. that Photoshop has, I'll keep using Photoshop. I'd love to be able to kick another win app to the curb, but until then....
As far as your mplayer problems, I'm running -current and it installed fine, and plays videos fine. I suggest tracking current on workstations.. it always has the latest and greatest code, and -current is *very* stable. Usually if the OpenBSD team commits code that's iffy, you'll hear about it either on the mailing lists, or here.
But so far I haven't had any problems running -current for over a month now. My system is very stable w/ fluxbox, gaim, firebird/mozilla, gqmpeg, mysql, php4, etc.... :)
By PCronin (pcronin@www.nospam.com)
I'll give -current a try.. I've never tried using CVS before, I'll let people know.
As for GIMP, I'm not a serious gfx guy, so I found GIMP perfect for everything I was ever doing in PS.
Plus it was free, and did run in Win32 when I was in that environment.
By Pete
Instead of dropping RFC1918-type addresses, I think it's better to refer to a fuller listing of officially 'bad addresses'. This is better gleaned from draft-manning-dsua-04.txt, for example from:
http://www.isi.edu/~bmanning/dsua.html
This is still a bit dated, but very useful. IMHO this kind of thing would be better to include in share/misc than birthtoken-type info (not sure on copyright for re-dist tho).
Pete
By StephenC
I see what you're saying, but keeping the list of "bad addresses" up to date could be a pain unless there is a way of automating the list from an authoritative source.
My ISP makes use of 10.0.0.0/8 & 172.16.0.0/12 addresses for some of their services. Initially caused me some hassle when I was setting up my home firewall :) I can look back and laugh now :)
By tedu
http://www.cymru.com/Bogons/ (text aggregated list)
By Anonymous Coward
wget or curl
pf table
a cron job
:)
This is much better suited to a perimeter firewall than a workstation, though. I wouldn't even bother with blocking stuff like this on a workstation -- you know what it's talking to anyway.
By Anonymous Coward
> a cron job
Until your box gets owned and his firewall suddenly starts blocking odd addresses
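The wget/pf table/cron pipeline sketched above is fine as far as it goes; the warning in the reply is the part worth engineering for, because a feed loaded blindly can blackhole whatever ends up in it, including your own networks or the default route. The validator below is an added example, not the thread's code: it filters a constructed bogon feed before the text is handed to pfctl -t bogons -T replace -f, rejecting entries that are malformed, broader than the class D/E aggregate, or overlap networks that must stay reachable (the 192.168.0.0/24 LAN from the rulesets above and a constructed upstream /24); the cymru URL is the one from the thread and is not fetched.

```python
"""Load an external bogon list into a pf table without trusting it blindly.

Added example, not from the thread.  The cron job the thread sketches is:
fetch the aggregated list, write it to a file, then run
    pfctl -t bogons -T replace -f /etc/pf.bogons
with   table <bogons> persist file "/etc/pf.bogons"   in pf.conf.
validate() is the missing step between fetch and replace.  The feed text
below is constructed for the example; nothing is downloaded.
"""
from ipaddress import IPv4Network

FEED_URL = "http://www.cymru.com/Bogons/"   # from the thread; not fetched here

# Prefixes the feed must never be allowed to blackhole.
PROTECTED = [IPv4Network("192.168.0.0/24"),    # the LAN in the thread's rulesets
             IPv4Network("198.51.100.0/24")]   # constructed: our ISP-facing /24
MIN_PREFIXLEN = 3          # 224.0.0.0/3 (class D+E) is the broadest real bogon
MAX_ENTRIES = 2000         # an aggregated IPv4 bogon list is far smaller

# Constructed feed: comments, blank lines, four real bogons, four bad lines.
SAMPLE_FEED = """\
# bogon list, constructed for this example
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
224.0.0.0/3

0.0.0.0/0          # would block everything
198.51.100.0/25    # covers our upstream
192.168.0.0/16     # covers our own LAN
not-an-address
"""


def validate(feed_text, protected=PROTECTED):
    """Return (accepted, rejected); rejected holds (line, reason) pairs."""
    accepted, rejected = [], []
    for raw in feed_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        try:
            net = IPv4Network(line, strict=False)
        except ValueError:
            rejected.append((line, "not an IPv4 prefix"))
            continue
        if net.prefixlen < MIN_PREFIXLEN:
            rejected.append((line, "prefix too broad"))
            continue
        if any(net.overlaps(p) for p in protected):
            rejected.append((line, "overlaps a protected network"))
            continue
        accepted.append(net)
    return accepted, rejected


def table_file(accepted):
    """Text for 'pfctl -T replace -f'; refuse an empty or bloated list so
    the previous table survives a broken download."""
    if not accepted or len(accepted) > MAX_ENTRIES:
        raise ValueError("feed size out of range; keeping previous table")
    return "".join(f"{net}\n" for net in sorted(accepted))


if __name__ == "__main__":
    ok, bad = validate(SAMPLE_FEED)
    for line, why in bad:
        print(f"rejected {line!r}: {why}")
    print(table_file(ok), end="")
    print("# then: pfctl -t bogons -T replace -f /etc/pf.bogons")
```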
By asenchi (asenchi@asenchi.com, http://www.asenchi.com)
# replace ext0 with external interface name, 10.0.0.0/8 with internal network
# and 192.168.1.1 with external address
#Declarations
EXT="tl0" #EXTERNAL INTERFACE
INT="dc0" #LOCAL LAN INTERFACE
LAN="192.168.0.0/24" #LOCAL LAN
TCP_P="{ 22 113 110 }"
BADIPS="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
scrub in all # all = from any to any
By StephenC
Then again I could be wrong :)
StephenC
By asenchi (asenchi@asenchi.com)
pass out quick on $int from $int to $int keep state
Or maybe without the keep state.
//curt
By Free Bird
Stay single, then! ;)
By SFNative
http://zhware.ath.cx/wiki/index.php/CompendiumOfPFRules
The one marked "Workstation" should give you what you are looking for, but go through the others as well. You may find some things you hadn't thought of.
HTH
Adam
By Anonymous Coward
block in all
simple
then just allow what you need.
By Anonymous Coward
> 224.0.0.0/4,240.0.0.0/5,127.0.0.0/8,0.0.0.0}
This is great on a perimeter firewall which is performing NAT for a private network.
But if you do this on a workstation which is using private IP space, then you might not like the outcome. ; )
By Anonymous Coward
Regardless of whether it's doing NAT or not.
By asenchi (asenchi@asenchi.com)
> $blockIPs={10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,
> 224.0.0.0/4,240.0.0.0/5,127.0.0.0/8,0.0.0.0}
I can change it to ignore my network:
$blockIPs={10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,
!192.168.0.0/24,224.0.0.0/4,240.0.0.0/5,127.0.0.0/8,0.0.0.0}
By asenchi (asenchi@asenchi.com)
> !192.168.0.0/24
after this:
> $blockIPs={10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,
wouldn't this work?
//curt
By Anonymous Coward
block ... from 10.0.0.0/8 ...
block ... from 172.16.0.0/12 ...
block ... from ! 192.168.0.0/24 ...
Oops -- just blocked everything that is NOT 192.168.0.0/24.
It would be usable in table form, though.
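The reply above describes exactly how pf expands a list: each element becomes its own rule, so the third rule is "block from !192.168.0.0/24" and matches nearly everything. The model below is an added example, not the thread's code or pf itself; it applies the two lookup semantics documented in pf.conf(5) to the thread's $blockIPs macro with curt's exclusion (commas added) and shows that the same entries behave as intended in a table, where the longest matching prefix wins and a negated winner means "not in the table".

```python
"""Why '!192.168.0.0/24' inside a pf address list blocks almost everything,
and how the same entries behave in a pf table.

Added example, not from the thread.  It models two pieces of pf semantics
from pf.conf(5) instead of running pf:
  * a list  { a, b, !c }  in a rule is expanded into one rule per element,
    so 'block from !c' is installed as its own rule and matches everything
    outside c;
  * a table is looked up by longest-prefix match, and when the winning
    entry is negated the address is treated as not in the table.
"""
from ipaddress import IPv4Address, IPv4Network

# The thread's macro with curt's proposed exclusion of the local LAN.
BLOCK_LIST = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "!192.168.0.0/24", "224.0.0.0/4", "240.0.0.0/5", "127.0.0.0/8"]


def parse(entry):
    """Split an optional leading '!' from a CIDR string."""
    negated = entry.startswith("!")
    return negated, IPv4Network(entry.lstrip("!"))


def list_expansion(entries):
    """The rules pf actually installs for 'block in quick on $EXT from { list }'."""
    return [f"block in quick on $EXT from {e} to any" for e in entries]


def blocked_by_list(addr, entries):
    """List semantics: every expanded rule is a block rule, so the packet
    is blocked if *any* of them matches."""
    ip = IPv4Address(addr)
    for entry in entries:
        negated, net = parse(entry)
        matches = ip in net
        if negated:
            matches = not matches      # 'from !net' matches everything else
        if matches:
            return True
    return False


def blocked_by_table(addr, entries):
    """Table semantics: the most specific (longest prefix) entry wins;
    if that entry is negated the address is not in the table."""
    ip = IPv4Address(addr)
    best = None
    for entry in entries:
        negated, net = parse(entry)
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (negated, net)
    return best is not None and not best[0]


if __name__ == "__main__":
    for rule in list_expansion(BLOCK_LIST):
        print(rule)
    # constructed test addresses: own LAN, another RFC1918 host, a public host
    for addr in ("192.168.0.42", "192.168.5.1", "10.1.2.3", "198.51.100.7"):
        print(f"{addr:>14}  list blocks: {blocked_by_list(addr, BLOCK_LIST)!s:5}"
              f"  table blocks: {blocked_by_table(addr, BLOCK_LIST)}")
```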
By Noob
D & E - 224.0.0.0/3 to cover 224.0.0.0 -> 225.255.255.255
or
D - 224.0.0.0/4 to cover 224.0.0.0 -> 239.255.255.255
E - 240.0.0.0/4 to cover 240.0.0.0 -> 255.255.255.255
I'm just wondering, because I normally block 224.0.0.0/3
Thanks ;-)