OpenBSD PF
OpenBSD Firewall Using PF
By Hoang Q. Tran
It is really easy to configure an OpenBSD gateway for a private network. Here are the steps:
1. Lock down the box
2. Install second Ethernet card in the OpenBSD box
3. Customize the kernel
4. Enable packet forwarding, DHCP, firewall and network address translation
5. Configure machines behind NAT
6. Familiarize with pf
7. Quality of Service (QoS)
8. References
Lock down the box

The first step to lock down the firewall box is to disable all unnecessary running services. Luckily, OpenBSD out of the box is really secure even with ident, comsat, daytime, time, rstatd and rusersd enabled in /etc/inetd.conf. Comment out the mentioned services in /etc/inetd.conf and edit /etc/rc.conf to make sure the portmap, sendmail and ntpd daemons are disabled as well. Don't disable inetd, as you will need it later for ftp-proxy.
check_quotas=NO
ntpd=NO
sendmail_flags=NO
sshd is enabled out of the box. If you don't plan to use it, disable it with sshd_flags=NO.
Once you have disabled the unnecessary services, go to unixcircle to remotely port scan your own box from the outside. Be careful when you do this from behind a firewall box, as the port scan script will scan the firewall instead. If you have another box, use nmap to scan the box from the inside.
Get the latest OpenBSD security patches and apply them manually, download all the patches in one file, or use anoncvs to synchronize to the stable release and build from source.
Make sure you check out the 3.2 stable branch with -rOPENBSD_3_2. Otherwise, you're checking out the ``current'' branch instead.
Finally, read up on SANS's The Twenty Most Critical Internet Security Vulnerabilities (Updated).
Install second Ethernet card in the OpenBSD box

Use any supported Ethernet card for the second NIC in the OpenBSD machine. One card will be given a public IP address (assigned by your ISP or obtained dynamically, e.g. with DHCP) and the other will be given an IP address in a non-routable network. Your choices for private network addresses must come from one of these ranges (see RFC 1918):
10.0.0.1 - 10.255.255.254 netmask 255.0.0.0
172.16.0.1 - 172.31.255.254 netmask 255.240.0.0
192.168.0.1 - 192.168.255.254 netmask 255.255.0.0
Assuming the first card is ``ep'', create /etc/hostname.ep0 with the following: x.x.x.x netmask x.x.x.x, where x.x.x.x is the address you chose above.
# first NIC - private
192.168.1.1 netmask 255.255.255.0 media 10baseT
And if you have a static IP address for the second NIC, you naturally need to have it configured as well.
# second NIC with public IP address
123.221.8.1 netmask 255.190.280.0 media 10baseT
Be sure to indicate a correct IP address and netmask for both interfaces. Once you have chosen a private network address range for your inside machines, stay with that same range.
Whatever address you choose for the first interface in the OpenBSD gateway becomes the default gateway IP address for all machines on the inside private network.

Customize the kernel
Retrieve the kernel source and unpack it as:
# tar xzvf srcs.tar.gz -C /usr
(kernel source unpacking output ...)
...
Or use anoncvs to get just the kernel source:
# setenv CVSROOT anoncvs@anoncvs.ca.openbsd.org:/cvs
# cd /usr
# cvs -q get -rOPENBSD_3_2 -P src/sys
(checking out files output ...)
...
# cd /sys/arch/i386/conf
I usually name the kernel config file after the machine hostname, but you can give it any name you like. Edit the kernel config file:
Remove any hardware related options that are not relevant to your machine. One way to find out what to keep is to consult the dmesg output and remove all the rest. For all available kernel options, refer to GENERIC in the same directory as your kernel file and /sys/conf/GENERIC, or man options(4).
Save the kernel config file and then compile and install it:
# config FIREWALL
# cd ../compile/FIREWALL
# make depend; make
(building output ...)
...
# cp /bsd /bsd.old
# cp bsd /bsd
# reboot
This will retain the old kernel as /bsd.old just in case something has gone awry with the new one and the box doesn't boot. If that happens you can type 'bsd.old' at the boot> prompt to boot the old kernel.
Enable packet forwarding, DHCP, firewall and network address translation

To enable packet forwarding, uncomment the following line in /etc/sysctl.conf and, for extra protection, enable encryption of swap pages:
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
vm.swapencrypt.enable=1         # 1=Encrypt pages that go to swap
To enable high performance data transfers on hosts according to Enabling High Performance Data Transfers on Hosts, add the following to /etc/sysctl.conf:
# 1. Path MTU discovery: enabled by default
# 2. TCP extensions (RFC 1323): enabled by default
# 3. Increase the TCP window size for better network performance
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
# 4. SACK (RFC 2018): enabled by default
And if you receive your routable address assignment dynamically through DHCP:
# echo dhcp > /etc/hostname.ep1
The DHCP server will assign the IP, netmask and default gateway for interface ``ep1''. /etc/resolv.conf will be created with ``search'' and ``nameserver'' statements from the ISP.
Filter rule:
Starting with OpenBSD 3.2, filter and NAT rules are combined into /etc/pf.conf. The order of /etc/pf.conf is really important and the format of /etc/pf.conf must follow this order:
1. Options
2. Scrub
3. NAT & RDR
4. Filter
If no rule matches a packet, the default action is pass.
Network address translation rule:
For clients behind NAT to work, one nat and one rdr rule are sufficient:
# NAT internal IP addresses of range 192.168.1.0/24 to the external routable
# IP on the ep1 interface
nat on ep1 from 192.168.1.0/24 to any -> ep1
# Translate outgoing FTP control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8081
rdr on ep0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
ftp-proxy runs inside inetd; add the following line to /etc/inetd.conf in order for FTP clients behind NAT to work by going through the ftp-proxy daemon:
127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
As a result, the ftp port and port 8081 will be opened. ftp-proxy supports the -w option, which uses tcp_wrappers to control access for the source FTP client as well as the destination FTP server based on /etc/hosts.allow and /etc/hosts. Assuming source FTP client IP 192.168.1.2 doesn't have permission to use FTP, a log entry similar to the following appears in /var/log/messages when it attempts to reach ftp.netbsd.org:
Sep 14 15:55:38 firewall ftp-proxy[20970]: tcpwrappers rejected: 192.168.1.2 -> ftp.netbsd.org
An example of a working /etc/pf.conf

Transparent proxy:
If there is a mail server at 192.168.1.2 and a DNS server at 192.168.1.3 inside the private network, use ``rdr'' for transparent proxying. Since NAT happens before filtering, a ``pass in'' rule that matches the translated (internal) address is needed.
/etc/pf.conf:
# Redirect incoming SMTP traffic to the mail server behind NAT
rdr on ep1 proto tcp from any to 157.161.48.183/32 port 25 -> 192.168.1.2 port 25
# Redirect incoming domain traffic to the DNS server behind NAT
rdr on ep1 proto { tcp, udp } from any to 157.161.48.183/32 port 53 -> 192.168.1.3 port 53
Finally, enable pf in /etc/rc.conf:
pf=YES          # Packet filter / NAT / logging, uses pflogd
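A small checker for the two points above, added here as an example (it is not part of the original page or of OpenBSD): it verifies the 3.2 section order and flags any rdr target that no ``pass in'' rule admits after translation, and it notes when no block rule exists at all. The sample pf.conf is constructed from the page's nat/rdr rules plus filter rules of my own.

```python
"""Check an OpenBSD 3.2 style pf.conf: section order (options, scrub, nat/rdr,
filter) and rdr targets that no "pass in" rule admits after translation."""
import re

# Constructed sample, not a file from the page: the page's nat/rdr rules plus
# filter rules, with "set" placed after "scrub" and no pass rule for the DNS rdr.
SAMPLE = """\
scrub in all
set limit states 10000
nat on ep1 from 192.168.1.0/24 to any -> ep1
rdr on ep0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
rdr on ep1 proto tcp from any to 157.161.48.183/32 port 25 -> 192.168.1.2 port 25
rdr on ep1 proto { tcp, udp } from any to 157.161.48.183/32 port 53 -> 192.168.1.3 port 53
block in all
pass out keep state
pass in on ep1 proto tcp from any to 192.168.1.2 port 25 keep state
pass in on ep0 proto tcp from 192.168.1.0/24 to 127.0.0.1 port 8081 keep state
"""

SECTION = {"set": "options", "scrub": "scrub", "nat": "nat/rdr", "rdr": "nat/rdr",
           "binat": "nat/rdr", "block": "filter", "pass": "filter"}
RANK = {"options": 0, "scrub": 1, "nat/rdr": 2, "filter": 3}
RDR_TARGET = re.compile(r"->\s*(\S+)\s+port\s+(\d+)\s*$")

def check_pf_conf(text):
    """Return a list of findings; an empty list means the order is right and
    every rdr target is admitted by some pass in rule."""
    findings, highest, rdr_targets, pass_in, has_block = [], -1, [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        section = SECTION.get(line.split()[0])
        if section is None:
            continue                      # macros and the like are not checked here
        if RANK[section] < highest:
            findings.append(f"line {lineno}: {section} rule after a later section")
        highest = max(highest, RANK[section])
        if line.startswith("rdr"):
            m = RDR_TARGET.search(line)
            if m:
                rdr_targets.append((lineno, m.group(1), m.group(2)))
        elif line.startswith("pass in"):
            pass_in.append(line)
        elif line.startswith("block"):
            has_block = True
    # Filtering sees the translated address, so a pass rule must name the rdr target.
    for lineno, addr, port in rdr_targets:
        want = re.compile(r"\bto\s+" + re.escape(addr) + r"(?:/32)?\s+port\s+" + port + r"\b")
        if not any(want.search(p) for p in pass_in):
            findings.append(f"line {lineno}: rdr to {addr} port {port} has no matching pass in rule")
    if not has_block:
        findings.append("no block rule: packets no rule matches are passed by default")
    return findings
```

Run `check_pf_conf(open("/etc/pf.conf").read())` before `pfctl` loads a new rule set; it is a text-only sanity check, not a substitute for `pfctl -n`.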
Configure machines behind NAT

All the machines on the private network should be configured to use the address of the private interface of the OpenBSD box as the default gateway. To set the internal boxes to use the OpenBSD gateway with IP address 192.168.1.1 as the default gateway on various operating systems:
AIX: edit /etc/rc.net and add /usr/sbin/route add 192.168.1.1 gateway >> $LOGFILE 2>&1
FreeBSD: edit /etc/rc.conf and add defaultrouter="192.168.1.1"
HP-UX: edit /etc/rc.config.d/netconf and add ROUTE_GATEWAY[0]="192.168.1.1"
Linux Red Hat: edit /etc/sysconfig/network and add GATEWAY=192.168.1.1
NetBSD: echo "192.168.1.1" > /etc/mygate
OpenBSD: echo "192.168.1.1" > /etc/mygate
Solaris: echo "192.168.1.1" > /etc/defaultrouter
Win2k: Start -> Settings -> Control Panel -> Network and Dial-up Connections -> Local Area Network -> Properties -> Internet Protocol (TCP/IP) -> Default Gateway -> 192.168.1.1
If you do not want to reboot to pick up the IP address for the default gateway, use ``route'' to manually add the default route.
AIX: route add 0 192.168.1.1
HP-UX: route add 192.168.1.1
FreeBSD, NetBSD, OpenBSD, Solaris: route add default 192.168.1.1
Linux Red Hat: route add default gw 192.168.1.1
Familiarize with pf

Now that the firewall is online, you should start reading pf.conf(5), nat.conf(5), ftp-proxy(8), pfctl(8), pf(4) and The OpenBSD Packet Filter HOWTO. Also consult the IPFilter HOWTO, since pf and IP Filter have 90% identical syntax. One noticeable difference is that OpenBSD pf doesn't support the IP Filter ``keep frags'' syntax. The alternative is to use the ``scrub'' statement.
Each time /etc/pf.conf or /etc/nat.conf is modified, you have to reload it using pfctl. Reloading these rules will flush all currently active connections. Unlike IPFilter, pf needs the NAT and filter rules to be enabled manually.
Flush current NAT rules & reload:
# /sbin/pfctl -F nat && /sbin/pfctl -N /etc/pf.conf
Flush current filter rules & reload:
# /sbin/pfctl -F rules && /sbin/pfctl -R /etc/pf.conf
Show filter information (statistics and counters):
# pfctl -s info
To display the current list of active map/redirect filters and active sessions:
# /sbin/pfctl -s state
To find out the ``hit'' statistic for each individual rule in /etc/pf.conf:
# /sbin/pfctl -s rules -v
Watch port scans going by on the screen:
/var/log/pflog is a binary file generated by pflogd, so you can't just view it. Use tcpdump instead:
# tcpdump -i pflog0
Read the log for pf activity:
# tcpdump -n -e -ttt -r /var/log/pflog
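As an added example of mine (not from the page), the text that tcpdump prints from /var/log/pflog can be summarised per source to spot a port scan among the blocked packets. The log lines below are constructed in the shape of pflog output with -n -e (the "rule N/M(match): block in on ep1:" header layout is assumed), using documentation address ranges rather than real traffic.

```python
"""Summarise blocked packets from "tcpdump -n -e -ttt -r /var/log/pflog" output and
flag sources that were blocked on many distinct ports (a simple port-scan heuristic)."""
import re
from collections import defaultdict

# Constructed sample in the shape of pflog lines as tcpdump -n -e prints them
# (assumed layout); the addresses are documentation ranges, not real traffic.
SAMPLE = """\
000000 rule 0/0(match): block in on ep1: 198.51.100.7.41022 > 157.161.48.183.22: S 1:1(0) win 1024
000312 rule 0/0(match): block in on ep1: 198.51.100.7.41023 > 157.161.48.183.23: S 1:1(0) win 1024
000098 rule 0/0(match): block in on ep1: 198.51.100.7.41024 > 157.161.48.183.25: S 1:1(0) win 1024
000101 rule 0/0(match): block in on ep1: 198.51.100.7.41025 > 157.161.48.183.80: S 1:1(0) win 1024
000140 rule 0/0(match): block in on ep1: 198.51.100.7.41026 > 157.161.48.183.443: S 1:1(0) win 1024
004412 rule 0/0(match): block in on ep1: 203.0.113.9.3322 > 157.161.48.183.135: S 1:1(0) win 512
000034 rule 2/0(match): pass in on ep1: 203.0.113.9.3323 > 157.161.48.183.25: S 1:1(0) win 512
000020 rule 0/0(match): block out on ep1: 192.168.1.5.1029 > 203.0.113.9.25: S 1:1(0) win 512
"""

LINE = re.compile(r"rule (\d+)/\d+\(match\): (block|pass) (in|out) on (\S+): "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def parse_pflog(text):
    """Yield one dict per recognised line; lines without a pflog header are skipped."""
    for raw in text.splitlines():
        m = LINE.search(raw)
        if m:
            rule, action, direction, iface, src, sport, dst, dport = m.groups()
            yield {"rule": int(rule), "action": action, "dir": direction, "if": iface,
                   "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def blocked_ports_by_source(text):
    """Map each source address to the sorted distinct destination ports on which
    its inbound packets were blocked."""
    ports = defaultdict(set)
    for e in parse_pflog(text):
        if e["action"] == "block" and e["dir"] == "in":
            ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items()}

def suspected_scanners(text, min_ports=5):
    """Sources blocked inbound on at least min_ports distinct ports."""
    return sorted(src for src, p in blocked_ports_by_source(text).items()
                  if len(p) >= min_ports)

if __name__ == "__main__":
    for src, p in blocked_ports_by_source(SAMPLE).items():
        print(f"{src}: blocked inbound on ports {p}")
    print("suspected scanners:", suspected_scanners(SAMPLE))
```

Pipe real output into it with `tcpdump -n -e -ttt -r /var/log/pflog | python3 thisfile.py` after replacing SAMPLE with `sys.stdin.read()`; the threshold of five ports is arbitrary and should be tuned to the site.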
Quality of Service (QoS)

Bandwidth limiting:
OpenBSD 3.2 has ALTQ integrated in the base system. The GENERIC kernel is also compiled with option ALTQ, so you're ready to use it. Otherwise, download the latest KAME snap kit, which has ALTQ bundled, from: http://www.kame.net/retrieve.html
Now, to configure a token bucket regulator (tbrconfig) for interface ep1 to rate the pipe down from 100Mbps to 10Mbps for outgoing connections:
# tbrconfig ep1 10M auto
ep1: tokenrate 10.00M(bps) bucketsize 12.21K(bytes)
#
To remove the installed token bucket regulator on ep1:
# tbrconfig -d ep1
deleted token bucket regulator on ep1
#
Class-based queuing (CBQ):
From the man options(4) description of CBQ:
CBQ achieves both partitioning and sharing of link bandwidth by hierarchically structured classes. Each class has its own queue and is assigned its share of bandwidth. A child class can borrow bandwidth from its parent class as long as excess bandwidth is available.
Here is an example of a working /etc/altq.conf. /etc/altq.conf is read by altqd, so to enable it on startup, edit /etc/rc.conf and change altqd_flags=NO to altqd_flags="", or just manually start altqd. altqd won't start if there are errors in /etc/altq.conf. Watch /var/log/messages for any information.
Here's the class hierarchy: cbq.txt
#
# ep1: interface to a 10M link
#
#
interface ep1 bandwidth 10M cbq
class cbq ep1 root NULL pbandwidth 100
#
# meta classes
#
class cbq ep1 ctl_class root pbandwidth 4 control
class cbq ep1 def_class root borrow pbandwidth 95 default
#
# allocate bandwidth for:
#   firstclass:    70%
#   businessclass: 15%
#   generalclass:   5%
#
class cbq ep1 firstclass def_class borrow pbandwidth 70
class cbq ep1 businessclass def_class borrow pbandwidth 15
class cbq ep1 generalclass def_class borrow pbandwidth 5
#
# allocate bandwidth for firstclass (TCP) data classes:
#   tcp:  28%
#   smtp: 10%
#   http: 30%
#   dns:   2%
#
class cbq ep1 tcp firstclass borrow pbandwidth 28 red
filter ep1 tcp 0 0 0 0 6        # other tcp
class cbq ep1 smtp firstclass borrow pbandwidth 10 red
filter ep1 smtp 0 0 0 25 6      # smtp
filter ep1 smtp 0 25 0 0 6      # smtp
class cbq ep1 http firstclass borrow pbandwidth 30 red
filter ep1 http 0 0 0 80 6      # http
filter ep1 http 0 80 0 0 6      # http
class cbq ep1 dns firstclass borrow pbandwidth 2 red
filter ep1 dns 0 0 0 53 6       # dns
filter ep1 dns 0 53 0 0 6       # dns
#
# allocate bandwidth for businessclass (UDP) classes:
#   udp:     10%
#   dns_udp:  5%
#
class cbq ep1 udp businessclass borrow pbandwidth 10 red
filter ep1 udp 0 0 0 0 17       # udp
class cbq ep1 dns_udp businessclass borrow pbandwidth 5 red
filter ep1 dns_udp 0 0 0 53 17  # dns
filter ep1 dns_udp 0 53 0 0 17  # dns
#
# allocate bandwidth for generalclass (ICMP) class:
#   icmp: 5%
#
class cbq ep1 icmp generalclass borrow pbandwidth 5 red
filter ep1 icmp 0 0 0 0 1       # icmp
Now, run altqstat and monitor the bandwidth. You should see something similar to this: cbq stat
Weighted Fair Queueing (WFQ):
To use weighted fair queueing, add the following to the kernel config file:
option ALTQ_WFQ
To enable WFQ on interfaces ``ep0'' and ``ep1'', add the following lines to your altq.conf(5) and start altqd:
interface ep0 bandwidth 10M wfq
interface ep1 bandwidth 10M wfq
The following command can be used to monitor the WFQ statistics:
altqstat -i ep1
You should see something similar to:
% altqstat
altqstat: wfq on interface ep1
wfq on ep1: 256 queues are used
[qid]  weight  qsize(KB)  sent(pkts)  (KB)  drop(pkts)  (KB)  bps
[141]     100          0          14     1           0     0  0.09K
[103]     100          0           2     0           0     0  0.09K
[131]     100          0          11     1           0     0  0
[155]     100          0          10     0           0     0  0
[124]     100          0           9     0           0     0  0
[184]     100          0           5     0           0     0  0
[12]      100          0           2     0           0     0  0
[0]       100          0           0     0           0     0  0
[1]       100          0           0     0           0     0  0
[2]       100          0           0     0           0     0  0
First-In First-Out Queueing (FIFOQ):
To use first-in first-out queueing, add the following to the kernel config file:
option ALTQ_FIFOQ
To enable FIFOQ on interface ep1, add the following line to your altq.conf(5) and start altqd:
interface ep1 bandwidth 10M fifoq
Run altqstat and you should see something similar to:
% altqstat
altqstat: fifoq on interface ep1
 q_len: 0  q_limit: 50  period: 2
 xmit: 2 pkts (108 bytes)  drop: 0 pkts (0 bytes)
 throughput: 0.17kbps
 q_len: 0  q_limit: 50  period: 2
 xmit: 2 pkts (108 bytes)  drop: 0 pkts (0 bytes)
 throughput: 0bps
...
Random Early Detection (RED):
Since RED is part of ALTQ, no kernel option is required. To enable random early detection on interface ep1, add the following line to your altq.conf(5) and start altqd:
interface ep1 bandwidth 10M red
Run altqstat and you should see something similar to:
% altqstat
altqstat: red on interface ep1
 weight: 512  inv_pmax: 10  qthresh: (5,15)
 q_len: 0 (avg: 0.00), q_limit: 60
 xmit: 1 pkts, drop: 0 pkts (forced: 0, early: 0)
 throughput: 0.09kbps
 weight: 512  inv_pmax: 10  qthresh: (5,15)
 q_len: 0 (avg: 0.00), q_limit: 60
 xmit: 1 pkts, drop: 0 pkts (forced: 0, early: 0)
 throughput: 0bps
...
Diffserv Traffic Conditioner (CDNR):
> From man options(4):
Traffic conditioners are components to meter, mark, or drop incoming packets according to some rules. As opposed to queueing disciplines, traffic conditioners handle incoming packets at an input interface.
To use a conditioner to drop incoming packets from a particular IP address, add the following to the kernel config file:
option ALTQ_CDNR
To enable the conditioner on interface ep1, add the following lines to your altq.conf(5) and start altqd:
#
interface ep1
#
# drop all packets coming in from 255.255.255.255 (fictitious)
#
conditioner ep1 dropper
filter ep1 dropper 0 0 255.255.255.255 0 0
Run altqstat to monitor the dropped packets:
% altqstat
altqstat: cdnr on interface _fxp0
actions:
 pass: 471  drop: 3  mark: 0  next: 0  return: 0  none: 0
actions:
 pass: 501  drop: 3  mark: 0  next: 0  return: 0  none: 0
...
Priority Queueing (PRIQ):
> From man options(4):
PRIQ implements simple priority-based queueing. A higher priority class is always served first.
A higher number means higher priority. The maximum value is 15 and the minimum value is 0; the default is 0. A higher priority class is always served first in PRIQ. Priority must be unique for the interface.
To use priority queueing to prioritize based on the type of packet, add the following to the kernel config file:
option ALTQ_PRIQ
To enable priority queueing on interface ep1, add the following lines to your altq.conf(5) and start altqd:
#
# prioritize based on protocol:
#
#   tcp:    high priority
#   udp:    medium priority
#   icmp:   low priority
#   others: bottom priority
#
interface ep1 bandwidth 10M priq
#
class priq ep1 highest_class NULL priority 3
filter ep1 highest_class 0 0 0 0 6
class priq ep1 medium_class NULL priority 2
filter ep1 medium_class 0 0 0 0 17
class priq ep1 lowest_class NULL priority 1
filter ep1 lowest_class 0 0 0 0 1
class priq ep1 bottom_class NULL priority 0 default
% altqstat
altqstat: priq on interface ep1
ep1:
[highest_class] handle: 0xe09fd0c0 pri: 3
  measured: 0.34kbps  qlen: 0  period: 180
  packets: 180 (25637 bytes)  drops: 0
[medium_class] handle: 0xe09f1d40 pri: 2
  measured: 0bps  qlen: 0  period: 25
  packets: 25 (1997 bytes)  drops: 0
[lowest_class] handle: 0xe09fdcc0 pri: 1
  measured: 0bps  qlen: 0  period: 19
  packets: 19 (1862 bytes)  drops: 0
[bottom_class] handle: 0xe09a4680 pri: 0
  measured: 0bps  qlen: 0  period: 0
  packets: 0 (0 bytes)  drops: 0
...
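Since altqd refuses to start on a bad /etc/altq.conf and only leaves a note in /var/log/messages, a pre-flight check is handy. The following is an added example of mine, not a tool from ALTQ or from the page: it reads an altq.conf(5) fragment and checks the class tree and bandwidth shares of the CBQ section above (children should not claim more of the link than their parent), the five-field filter layout (dst, dst port, src, src port, proto), and the unique 0..15 priorities of this PRIQ section. The sample is constructed with three deliberate mistakes.

```python
"""Lint an altq.conf(5) fragment: class tree, CBQ shares, filter fields, PRIQ priorities."""
# Constructed sample (not the page's file): a cut-down CBQ hierarchy with two
# deliberate mistakes, plus a PRIQ block that reuses a priority.
SAMPLE = """\
interface ep1 bandwidth 10M cbq
class cbq ep1 root NULL pbandwidth 100
class cbq ep1 def_class root borrow pbandwidth 95 default
class cbq ep1 firstclass def_class borrow pbandwidth 70
class cbq ep1 tcp firstclass borrow pbandwidth 28 red
filter ep1 tcp 0 0 0 0 6                # dst dport src sport proto
class cbq ep1 smtp firstclass borrow pbandwidth 50 red   # 28 + 50 > 70
filter ep1 smtp 0 0 0 0 25 6            # six fields: one too many
interface ep0 bandwidth 10M priq
class priq ep0 high NULL priority 3
class priq ep0 medium NULL priority 3   # priority reused on ep0
class priq ep0 bottom NULL priority 0 default
"""

def lint_altq(text):
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems, classes, prios = [], {}, {}   # classes: (iface, name) -> info
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "class":
            disc, iface, name, parent, opts = tok[1], tok[2], tok[3], tok[4], tok[5:]
            if parent != "NULL" and (iface, parent) not in classes:
                problems.append(f"{name}: parent {parent} not defined on {iface}")
            info = {"disc": disc, "parent": parent}
            if "pbandwidth" in opts:
                info["pbw"] = int(opts[opts.index("pbandwidth") + 1])
            if "priority" in opts:              # PRIQ: 0..15 and unique per interface
                p = int(opts[opts.index("priority") + 1])
                if not 0 <= p <= 15:
                    problems.append(f"{name}: priority {p} outside 0..15")
                elif p in prios.setdefault(iface, {}):
                    problems.append(f"{name}: priority {p} already used by {prios[iface][p]} on {iface}")
                prios.setdefault(iface, {})[p] = name
            classes[(iface, name)] = info
        elif tok[0] == "filter":                # filter if class dst dport src sport proto
            iface, name, fields = tok[1], tok[2], tok[3:]
            if (iface, name) not in classes:
                problems.append(f"filter {name}: class not defined on {iface}")
            if len(fields) != 5:
                problems.append(f"filter {name}: expected 5 fields, got {len(fields)}")
    # A CBQ class's children should not claim more of the link than the class itself.
    for (iface, name), c in classes.items():
        if c["disc"] == "cbq" and "pbw" in c:
            share = sum(k.get("pbw", 0) for (i, _), k in classes.items()
                        if i == iface and k["parent"] == name)
            if share > c["pbw"]:
                problems.append(f"{name}: children claim {share}% but class has {c['pbw']}%")
    return problems
```

Run it as `lint_altq(open("/etc/altq.conf").read())` before starting altqd; an empty list is the expected result for the CBQ and PRIQ files shown on this page.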
References
Daniel Hartmeier, the author of pf, and his original page:
http://www.benzedrine.cx/pf.html
The OpenBSD Packet Filter HOWTO:
http://www.inebriated.demon.nl/pf-howto/
IPFilter HOWTO:
http://www.unixcircle.com/ipf/
Address Allocation for Private Internets:
http://www.muine.org/rfc/rfc1918.txt
The IP Network Address Translator (NAT):
http://www.muine.org/rfc/rfc1631.txt
Traditional IP Network Address Translator (Traditional NAT):
http://www.muine.org/rfc/rfc3022.txt
ALTQ:
http://www.csl.sony.co.jp/~kjc/software.html#altq
CBQ:
http://www.aciri.org/floyd/cbq.html
HFSC:
http://www-2.cs.cmu.edu/~hzhang/hfsc/main.html
RED:
http://www.aciri.org/floyd/red.html
RIO:
http://diffserv.lcs.mit.edu/paper/exp-alloc-ddc-wf.pdf
Blue:
http://thefengs.com/wuchang/blue/
DiffServ:
http://www.ietf.org/html.charters/diffserv-charter.html
The Twenty Most Critical Internet Security Vulnerabilities (Updated):
http://www.sans.org/top20/
Last update: Oct 20, 2003
Copyright © 2000-2003 Unixcircle
Contact webmaster@unixcircle.com