OpenBSD
18 years 3 months ago #15993
by Bublitz
The Bublitz
Systems Admin
Hospice of the Red River Valley
Replied by Bublitz on topic Re: OpenBSD
Slowly but surely I'm adding more and more to my config; hopefully soon I'll have a working box.
I am definitely having trouble wrapping my brain around packet filtering. I'm used to Cisco access lists: they go from top to bottom, it's simple for me. Once a rule hits an allow, BOOM, it's allowed; if it reaches the bottom, the deny all kills it.
allow this
allow that
allow dude
deny all
OpenBSD right now for testing: all I want to do is deny all traffic incoming from the WAN, or ext_if1, except Terminal Services.
[code:1]
ext_if1 = "vr1"
ext_if2 = "vr2"
int_if = "vr0"
lan_net = "10.45.5.0/24"
nat on vr1 from vr0:network to any -> (vr1)
rdr pass on $ext_if1 proto tcp from any to any port 3389 -> 10.45.5.15
rdr pass on $ext_if1 proto udp from any to any port 3389 -> 10.45.5.15
# pf syntax requires "on" before the interface name
block in on $ext_if1 all
[/code:1]
Is this functional?
WAN is DHCP so I used that NAT setup.
Then I used port forwarding with the pass option to ignore the block in $ext_if1 all.
Any other traffic won't meet the requirements of my Terminal Server port forwarding and will be blocked.
18 years 3 months ago #15995
by d_jabsd
Replied by d_jabsd on topic Re: OpenBSD
That should be functional. NAT rules are processed first, filter rules second.
PF uses last match instead of first match like Cisco ACLs. Using the 'quick' keyword halts further processing and makes it act like first match.
That being said, you will want to be careful with your rule order and use of 'quick'.
You will also want to take care that you don't block the loopback interface. You can use pass rules for this or skip the interface.
Outbound needs to be considered as well.
Here is my ruleset. It's not real complex but gets the job done. It does not contain any NAT rules, however, but they could easily be put in. This ruleset allows all ICMP, TFTP, SSH, HTTP, ttcp, and blocks everything else.
[code:1]
ext_if="em0"
int_if="em1"
set skip on { lo $int_if }
scrub in
block in
pass out keep state
antispoof quick for { lo $int_if }
pass in on $ext_if proto icmp to ($ext_if)
pass in on $ext_if proto udp to ($ext_if) port 69
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
pass in on $ext_if proto tcp to ($ext_if) port http keep state
pass in on $ext_if proto tcp to ($ext_if) port 5001 keep state
[/code:1]
This ruleset is by no means perfect. It was thrown together quickly and it has been a few years since I messed with pf, so much has been forgotten.
I have no idea if the antispoof rule is processed, since I am skipping the loopback and internal interfaces.
I'll try to dig deeper and let you know if I get some time. Somewhere, I have a much larger ruleset from an old system that was doing much more. If I can find it, I'll post it.
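As an added illustration of the last-match and 'quick' behaviour described in the reply above (example code written for this thread, not from the post or from OpenBSD's pf), here is a small Python model of PF filter evaluation run over constructed rules and packets. It shows why a block rule added below a pass rule silently wins, and how 'quick' turns that pass rule into first-match.

```python
from dataclasses import dataclass
from typing import Optional
# Sample rule/packet shapes (constructed for this example; not a pf.conf parser).
@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: Optional[str] = None  # None matches any interface
    proto: Optional[str] = None  # None matches any protocol
    port: Optional[int] = None   # None matches any destination port
    quick: bool = False          # PF's 'quick': stop evaluating on match

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and rule.port in (None, pkt.dport))

def evaluate(rules, pkt, default="pass"):
    """Walk the ruleset top to bottom as PF does: the LAST matching rule
    wins, unless a matching rule carries 'quick', which ends evaluation
    right there. A packet matching no rule gets the default (PF passes it)."""
    verdict = default
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Constructed ruleset in the shape of the reply above: block everything
# inbound, then pass ssh and http on the external interface.
EXT = "em0"
RULESET = [Rule("block", "in"),
           Rule("pass", "in", EXT, "tcp", 22),
           Rule("pass", "in", EXT, "tcp", 80)]
# A block rule added LATER silently wins under last-match semantics...
RULESET_LATE_BLOCK = RULESET + [Rule("block", "in", EXT, "tcp")]
# ...unless the pass rule is marked quick, which makes it first-match.
RULESET_QUICK = [Rule("block", "in"),
                 Rule("pass", "in", EXT, "tcp", 22, quick=True),
                 Rule("block", "in", EXT, "tcp")]
```

The model covers only the filter stage; NAT and rdr rules (like the OP's rdr pass lines) are processed before filtering and are not represented here.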
18 years 3 months ago #16002
by Bublitz
Replied by Bublitz on topic Re: OpenBSD
/etc/mygate
Doesn't exist; I suppose I need to create it. The OpenBSD manual says to put an IP address in the mygate file for your gateway....um, I have a LAN interface and a WAN. What interface is the gateway set for?
EDIT
Woot, I'm typing this now using my OpenBSD firewall.
Added a 0.0.0.0 0.0.0.0 vr1 route in my hostname.vr0.
For some reason when I use the command route show.....nothing shows except the header, showing no data though.
netstat -rn shows routes; is my route show command bugged?
Now the next thing I'm going to try is using SSH to connect to this firewall instead of a monitor.
18 years 3 months ago #16005
by cyberglitch
Replied by cyberglitch on topic Re: OpenBSD
You may want to look at
www.fwbuilder.org/
This is a fun and simple way of building firewalls without doing too much damage.
And it works with routers too.
Just my .02
18 years 3 months ago #16049
by Bublitz
Replied by Bublitz on topic Re: OpenBSD
My firewall has been running for a few days and it's going good. Got it mounted in my rack and the NAT rules I made are working. In a couple of months I'll be adding another internet connection to it and setting up a round robin between the connections. I'm adding more features as I go and I'm able to do most of it myself since the directions are good.
A couple of things I can't seem to figure out.
1. Deleting my mail sent to me by OpenBSD....lol, I can't believe I'm stuck on this (=. I used the help on the mail and I must be missing something. I can read and send mail, just can't delete it.
2. Dynamic DNS - There is a command for this, but I need something that checks every so often so I don't need to manually run the command to update my DNS. The site I'm going to use is freedns.afraid.org, not sure if they're good or not. So I'm having trouble tracking this down. What package to use with OpenBSD that will work with freedns.afraid.org? Any ideas on this?