Replacing 3Com Router with OpenBSD

Posted by Dr-D, 18th June 2011

I have an issue with my high-speed cable internet where my WAN IP stays the same for extended periods of time, which is both a blessing and a curse. It only changes 2 or 3 times a year when there is an extended power outage due to lightning storms or my ISP upgrades or restarts their gear. Changing ISPs isn't an option since it's either DSL, which is only 1/20th the speed of my cable, or dial-up.

The problem is I am continually being port scanned and there are attempts to break into my network, which my router security logs show. My router counteracts these attacks by going offline for 30 seconds and renewing the IP address. The problem is the IP address never changes due to the way my ISP is set up, and this can sometimes happen 15 or more times an hour, which makes trying to watch videos or use Netflix a futile and frustrating experience. I rotate the MAC address on my router by cloning the MAC addresses from my internal PCs, printers and game consoles to get a different IP, but this only helps for short periods of time, say a few days to a week, before it starts all over again. These attacks started happening about 6 months ago, at least that's when I started noticing them due to network interruptions, and they are steadily getting worse/more frequent as time goes on. The IPs attacking me usually trace back to countries whose names end in "stan". That's when I started researching a solution to this problem, which led me to OpenBSD.

My experience with Linux/UNIX on a scale of 1 to 10 is probably about a 5. I downloaded and installed OpenBSD 4.9 for the first time a couple of days ago and set up a basic firewall, which seemed to work fine when I removed my router from the network. All internal PCs were able to use the internet and it almost seemed like everything was faster, but that might just all be in my head. My BSD box only has SSH, DHCP and PF running. I never installed any of the X sets. One thing that happened instantly when I switched from my 3Com router to the BSD router was my Windows Home Server (don't laugh) instantly threw out a MITM attack message. A quick search showed that this can happen when the router IP address changes, but I need to look into that a bit more. I will need to port forward a few ports to various internal IPs, but for now the question is: was my OpenBSD router nearly as secure as my 3Com router? I want to have a very secure firewall like my 3Com router but without the network interruptions it causes trying to thwart the attacks. Any help and suggestions would be greatly appreciated.

Thanks.

In case anyone wants my router specs, it's a 3Com 3CRWER200-75.

I've posted the contents of my dhcpd.conf and pf.conf files below so you can all see and tell me just how bad a job I did for security on my first attempt.
Code:
##############################################
#	$OpenBSD: dhcpd.conf,v 1.2 2008/10/03 11:41:21 sthen Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Network:	192.168.1.0/255.255.255.0
# Domain name:	my.domain
# Name servers:		192.168.1.3 and 192.168.1.5
# Default router:	192.168.1.1
# Addresses:	192.168.1.32 - 192.168.1.127
#
authoritative;
option domain-name "bcs69.com";
option domain-name-servers 24.222.0.94, 24.222.0.95;
subnet 192.168.0.0 netmask 255.255.255.0 {
	option routers 192.168.0.55;
	range 192.168.0.225 192.168.0.250;
}
##############################################
Code:
##############################################
# pf.conf
# macros
int_if="re0"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"
#
# options
set block-policy return
set loginterface re0
set skip on lo
#
# match rules
match out on egress inet from !(egress) to any nat-to (egress:0)
#
# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
##############################################

Last edited by Dr-D; 18th November 2018 at 02:50 AM. Reason: Please wrap code listings with [code] & [/code] tags...
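
A variant of the posted pf.conf aimed at the scanning and break-in attempts described in the post, added here as an example and not part of the original post or any reply: it drops unsolicited traffic silently instead of answering it, and rate-limits inbound SSH with an overload table so the link itself never has to go down. The table name `<bruteforce>` and the connection limits are assumptions chosen for illustration.

```conf
# Added example, not the poster's file.
# Assumptions: table name <bruteforce> and the SSH limits below.

# macros (kept from the posted ruleset)
int_if="re0"
icmp_types="echoreq"

# tables
table <bruteforce> persist

# options
# drop: blocked packets get no RST/ICMP reply, so a scan of the
# static WAN address learns nothing from closed ports.
set block-policy drop
set loginterface re0
set skip on lo

# match rules (unchanged)
match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules
antispoof quick for { lo $int_if }
# Sources that tripped the SSH limits are refused before anything else.
block in quick on egress from <bruteforce>
block in log
pass out quick

# SSH: a source holding more than 10 connections, or opening more than
# 5 in 60 seconds, is added to <bruteforce> and its states are flushed.
pass in on egress inet proto tcp from any to (egress) port 22 \
    keep state (max-src-conn 10, max-src-conn-rate 5/60, \
    overload <bruteforce> flush global)

# ident (113) kept as in the posted ruleset
pass in on egress inet proto tcp from any to (egress) port 113

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
```

Entries accumulate in the table until removed; `pfctl -t bruteforce -T show` lists them and `pfctl -t bruteforce -T expire 86400` clears those older than a day.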