DaemonForums > OpenBSD > OpenBSD Security (Functionally paranoid!)
Old 13th January 2010
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 3,645
Thanked 214 Times in 189 Posts

Quote:
Originally Posted by joostvgh
... 60 students...
Ah, well then, students will defeat your proposed block, if they have the time and interest.
Quote:
I just want to block rapidshare so everyone can enjoy internet
I will bet rapidshare is not the problem, but that torrent and other p2p traffic is. And the latter is best managed via traffic shaping, rather than blocking.
Quote:
i even doubt anyone here knowing what dns means..
Do not assume ignorance, where there is a will to defeat blocking, there will be many ways to do so.
Quote:
in the case that openbsd = dhcp + dns i should also enable NAT imo.
You keep using that word. I do not think it means what you think it means.

NAT adds no value in the topology you described.
Old 13th January 2010
joostvgh (Port Guard)
Join Date: Jan 2010
Posts: 38
Thanked 0 Times in 0 Posts

As a matter of fact, I DO know what NAT is. As a thesis I implemented NIProxy (network intelligence) which is a network traffic shaping device. So please stop saying I don't know what NAT is.

If I have a router with DHCP range 192.168.0.1/24, and then I add an OpenBSD box with 2 interfaces, first 192.168.0.2, second (as DHCP) 192.168.1.1/24, then I need to use NAT for all clients which have a 192.168.1.1/24 IP. Otherwise the first router will get packets from 192.168.1.1/24 which should come from 192.168.0.2!

and blocking p2p/torrent is not that hard. I'll take your bet rapidshare is (currently) the only problem here..

ps: it's not the government here.. I take it there are no hackers, nor do the students have interest/time to do this stuff. Without any knowledge of computers you just can't start "hacking" or cracking or whatever. I used to try it when I didn't study ICT yet.

But ok I take it you are critical and I thank you for it, it's the best way.
So if this won't work, what do you suggest..?
Old 13th January 2010
BSDfan666 (Helpful companion)
Real Name: N/A, this is the interweb.
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts

As jggimi and others have said, you're trying to solve a policy problem with technical means.

This is not a technical issue, inform the students/faculty that 'rapidshare' is not permitted on your network.. instead of silently blocking traffic you don't approve of (..inherently impossible), tell them the rules.

You're opening a door to the world; turning it into a window will not stop people from trying to go outside.

Hope that helps.
Old 13th January 2010
joostvgh (Port Guard)
Join Date: Jan 2010
Posts: 38
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by BSDfan666
This is not a technical issue, inform the students/faculty that 'rapidshare' is not permitted on your network.. instead of silently blocking traffic you don't approve of (..inherently impossible), tell them the rules.
Your whole post is correct. This has already been told to everyone here, but they won't listen. I am not a manager here but I can get access to the server.
I'm just sick of the lack of internet..

I appreciate your reply, but imo you can compare it to asking anyone not to steal, commit crime, .. and counting on it..
Old 13th January 2010
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 3,645
Thanked 214 Times in 189 Posts

Something doesn't quite add up, when I put:
Quote:
i am quite new to this by the way..
together with
Quote:
As a matter of fact, I DO know what NAT is. As a thesis I implemented NIProxy (network intelligence) which is a network traffic shaping device. So please stop saying I don't know what NAT is.
The ASCII "picture" of your network, repeated here:
Quote:
(internet)-(81.242.5.xxx - router - 192.168.0.1)-(192.168.0.x - openbsd - 192.168.1.1)-(192.168.1.x - clients)
is what I based my judgement on, which shows the OpenBSD platform acting as a second router. IF instead, the topology is one where the OpenBSD platform is on the same physical network as the externally facing router and your sixty students, with two NICs on different IP subnets on the same physical network then there will be a lot of packet replication, but NAT is still not of value, AFAICT.

Since nothing I have told you is acceptable, or apparently applicable to your environment, then by all means, do whatever you wish. It is your network, and, when you break it, you get to keep the pieces.
Old 13th January 2010
J65nko (Administrator)
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,140
Thanked 182 Times in 149 Posts

Yes, if you have one Internet connection with a single public IP address, you need NAT to give those sixty people internet access.

How is the network infrastructure now?

RE: Hasselt
My nephew studied there. Hasselt is not that far from where I live, Budel, only 1 km from Hamont.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Old 13th January 2010
BSDfan666 (Helpful companion)
Real Name: N/A, this is the interweb.
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts

Quote:
Originally Posted by joostvgh
Your whole post is correct. This has already been told to everyone here, but they won't listen. I am not a manager here but I can get access to the server.
I'm just sick of the lack of internet..

I appreciate your reply, but imo you can compare it to asking anyone not to steal, commit crime, .. and counting on it..
I never said you should just tell them the rules and ignore violations, just like someone who commits a crime.. they must face the consequences.

Make it crystal clear that they will have their network privileges taken away.. or even better, say they could even get kicked out of school.

This is really a test of wits, are you (..or the institute you work for) willing to follow through with punishing those who violate network rules?

Have these students sign something, making them aware of the rules and repercussions.. if this is a wireless network, is there any sort of verification that they are even enrolled students? Maybe this is a network security problem.

Good luck..
Old 13th January 2010
joostvgh (Port Guard)
Join Date: Jan 2010
Posts: 38
Thanked 0 Times in 0 Posts

I am new to openbsd, but i am familiar with the terminology of networking.

I surely accept everything you (jggimi) say and I respect and confide in your opinion since your knowledge/experience >>> mine. I just think we are having a miscommunication.


Furthermore, I don't understand the difference between the 2 situations you described.
There is no difference in OpenBSD acting as 2nd router and being on the same physical network. It's both..

http://student.uhasselt.be/~0421625/toplogy.png -> this is the infrastructure

openbsd is DHCP and DNS here. So I think I need NAT on openbsd too..?

ps: since the modem/router is provided by the ISP I can't access it.. Only through putty telnet, but I don't have username/pw


@bsdfan666: I am not really in a position to 'punish' anyone because I am a student too, I am neither owner nor manager..
Old 13th January 2010
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 3,645
Thanked 214 Times in 189 Posts

NAT is already functioning on your external facing router. All of your RFC 1918 addresses are already using NAT, therefore. An additional NAT address consolidation adds no value.

Yes, we are having communication difficulties, though your English is probably better than mine, and I am a native speaker.
Old 13th January 2010
joostvgh (Port Guard)
Join Date: Jan 2010
Posts: 38
Thanked 0 Times in 0 Posts

So then the 1st router/modem will receive packets with ip.src = 192.168.1.x while its range is 192.168.0.1/24 .. I expected this to fail..
Old 13th January 2010
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 3,645
Thanked 214 Times in 189 Posts

Welcome to IP routing.

Add an entry to the routing table in the external facing router, that routes packets destined for 192.168.1/24 via the OpenBSD address on the 192.168.0/24 network.
Old 13th January 2010
joostvgh (Port Guard)
Join Date: Jan 2010
Posts: 38
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by joostvgh
ps: since the modem/router is provided by the ISP I can't access it.. Only through putty telnet, but I don't have username/pw

Old 13th January 2010
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 3,645
Thanked 214 Times in 189 Posts

Well then, you can either have belgacom.be or skynet.be add that routing table entry to the router, or, give you local control so you can do it yourself.

Failing that 10 minute telephone conversation with their support staff (+32 2 202-4111), you can implement a second layer of NAT, which will introduce additional complexity for management, diagnostics, and administration.
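The routing question in the last few posts (why the ISP router cannot answer a 192.168.1.x client on its own, what the extra static route changes, and why a second layer of NAT also works) can be walked through with a tiny longest-prefix-match lookup. This is an added illustration, not code from the thread or from OpenBSD; the routing tables, the next-hop labels and the client address are constructed from the ASCII topology posted earlier, and the OpenBSD box is assumed to hold 192.168.0.2 on the router's LAN.

```python
import ipaddress

# Constructed routing tables modelled on the thread's topology:
# (internet)-(router 192.168.0.1)-(192.168.0.2 OpenBSD 192.168.1.1)-(192.168.1.x clients)
# The next-hop labels are illustrative strings, not any router's real syntax.

def lookup(routes, dst):
    """Longest-prefix match: next hop for dst, or None when no route covers it."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop

# The ISP router as delivered: it knows only its own LAN and a default route.
ROUTER_AS_DELIVERED = [
    ("0.0.0.0/0", "isp-upstream"),   # everything unknown goes out to the ISP
    ("192.168.0.0/24", "direct"),    # the LAN the OpenBSD external NIC sits on
]

# Option A (the static route): one extra entry on the ISP router.
ROUTER_WITH_STATIC_ROUTE = ROUTER_AS_DELIVERED + [("192.168.1.0/24", "192.168.0.2")]

def reply_next_hop(router_routes, src_as_seen_by_router):
    """Where the router sends its reply to a packet whose source it saw as src_as_seen_by_router."""
    return lookup(router_routes, src_as_seen_by_router)

def reply_reaches_clients(router_routes, src_as_seen_by_router):
    """The reply only gets back to the 192.168.1.x side if the router hands it to the
    OpenBSD box or delivers it on the attached LAN. 'isp-upstream' means an RFC 1918
    destination is pushed to the ISP and lost, which is the failure joostvgh expected."""
    return reply_next_hop(router_routes, src_as_seen_by_router) != "isp-upstream"

# Option B (second layer of NAT on OpenBSD): the router never sees 192.168.1.x;
# every client packet leaves with the OpenBSD external address as its source.
def source_after_second_nat(client_ip, openbsd_external="192.168.0.2"):
    """Source address the ISP router sees once OpenBSD rewrites client_ip on egress."""
    return openbsd_external

if __name__ == "__main__":
    client = "192.168.1.20"   # constructed client address
    print("as delivered  :", reply_next_hop(ROUTER_AS_DELIVERED, client))
    print("static route  :", reply_next_hop(ROUTER_WITH_STATIC_ROUTE, client))
    print("second NAT    :", reply_next_hop(ROUTER_AS_DELIVERED, source_after_second_nat(client)))
```

Without the route, the router's only match for 192.168.1.20 is the default and the reply leaves towards the ISP; with the /24 added, the more specific prefix wins and the reply is handed to 192.168.0.2, which is exactly the entry jggimi asked for. The second-NAT option reaches the same outcome by never exposing the inner subnet, at the cost of a second translation state table to manage and debug.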
Old 14th January 2010
joostvgh (Port Guard)
Join Date: Jan 2010
Posts: 38
Thanked 0 Times in 0 Posts

I'm now going to configure the OpenBSD.
I didn't activate DNS nor DHCP.
So I have 2 interfaces, hostname.if0 and hostname.if1

So now I am wondering what IPs they need to be set to.
Can I enter a static IP?

if0 = connected to router, so I would enter DHCP NONE NONE NONE in hostname.if0 .
Is this correct? Or do I need to put 'inet ...' in it too?

Second, what IP can if1 have? Is it the same range? Do I need to make it static?
I don't know what to put in it and the manuals/guide/faq are unclear about it imo..
Old 14th January 2010
ocicat (Administrator)
Join Date: Apr 2008
Posts: 2,876
Thanked 190 Times in 160 Posts

Quote:
Originally Posted by joostvgh
if0 = connected to router, so I would enter DHCP NONE NONE NONE in hostname.if0 .
Is this correct? Or do I need to put 'inet ...' in it too?
All that is required is "dhcp". This is discussed in Section 6.4.1 of the FAQ.

Your post also references hostname.if0 & hostname.if1. This is incorrect, however, you will find this in the documentation where "if" is used as a placeholder. Unlike Linux which identifies each Ethernet interface as "eth0", "eth1", etc., the *BSD family uses the specific driver used for the installed NIC. For example, in a Thinkpad laptop I use, the driver installed by the kernel is bge(4). This means that I have the following when setting up DHCP on this particular interface:

$ cat /etc/hostname.bge0
dhcp

You will find what drivers are used in your system by studying the output of dmesg(8).
Quote:
second, what ip can if1 have? is it the same range?
If this system is acting as a router, the subnets defined on each interface must be different. If you are unfamiliar with subnets, the following Wikipedia article is a start:

http://en.wikipedia.org/wiki/Subnetwork

However, note that understanding the topic well takes more than a five minute scan.
Quote:
do i need to make it static?
It will need to be static even if you have another DHCP server serving IP addresses on the internal network. The reason why is because this will be the gateway address used by all internal clients. If it is dynamically set, then all clients attached to this internal network will need to know the address if & when it ever changes. This is problematic to manage, and because of this, routers typically have statically assigned addresses.

The reason the external interface is set for a dynamic address is because this is the option your ISP is providing. You might be able to get a static IP address from your ISP, but typically static IP addresses mean higher monthly fees.

Most likely, you will want to use private addresses on your internal network as defined by RFC 1918:

http://www.faqs.org/rfcs/rfc1918.html

If you are unfamiliar with private addressing, read the following in Wikipedia:

http://en.wikipedia.org/wiki/Private_network
Old 14th January 2010
joostvgh (Port Guard)
Join Date: Jan 2010
Posts: 38
Thanked 0 Times in 0 Posts

Thanks for the quick reply.
I just used if0 and if1 as references, I know about the names. Sorry for the misunderstanding.
First I didn't want to activate the DHCP service.
Though as you say, internal PCs need to set it as their default gateway. Since I don't have access to my modem, I can't change it.
This is why I need to have the if1 (internal) act as DHCP and use NAT (since I can't access the modem to adjust the routing tables).

imo, todo:
if0 (interface to modem): I have to make the ip static because of NAT from if1 to if0
if1 (interface to internal network): I have to make the ip static (192.168.1.1) and enable DHCP to set it as default gateway
Old 14th January 2010
Loki (Port Guard)
Join Date: Nov 2008
Location: Sydney
Posts: 11
Thanked 0 Times in 0 Posts
I'm late like the White Rabbit but here is a new choice

I am surprised that nobody suggested the solution that I use to do loads of DNS spoofing for other reasons. e.g. adblocking, malicious sites etc.

There is an OpenBSD package called dsniff which contains a program called dnsspoof. That intercepts any attempts to contact any DNS (on or beyond the firewall) and returns 127.0.0.1 (or whatever you choose) for any request that matches a rule in its conf file. Other requests pass unhindered.

The conf file allows wildcards which is great but you can unwittingly do silly things like blocking ad* which will mean you can't get to adsl.com.

It is just so easy to get and to use that I'm amazed at how little it is used.
Old 15th January 2010
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 3,645
Thanked 214 Times in 189 Posts

Joostvgh would have the same topology issues (routing/NAT) and easy circumventions (tunneling of DNS, private lookups, etc.). It is, in effect, merely replacing a DNS server with a server that acts like one.

But it -seems- it would be easier to adapt to the entire domain and changes within the domain as they occur than PF's more limited DNS resolution only at rule-load.

Last edited by jggimi; 15th January 2010 at 04:46 AM.
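Loki's post describes dnsspoof's rule file (an IP followed by a hostname pattern with wildcards) and its classic pitfall, where "ad*" also swallows adsl.com, and jggimi's follow-up notes that such name-based rules adapt to a whole domain in a way PF's resolve-at-rule-load blocking cannot. The following added example (not code from the thread, from dsniff, or from OpenBSD) models only the rule matching so the blocklist can be reviewed for collateral damage before it is put in front of users. The hostsfile text and the list of legitimate names are constructed sample input; matching patterns with fnmatch is an assumption about dnsspoof's wildcard semantics, and no packets are sent or answered here.

```python
import fnmatch

# Constructed hostsfile in the dnsspoof style: answer IP, then a hostname pattern
# that may contain * and ? wildcards. Sample input only, not a real deployment file.
CONSTRUCTED_HOSTSFILE = """\
# answers for the site the thread is about
127.0.0.1 rapidshare.com
127.0.0.1 *.rapidshare.com
# the overbroad rule Loki warns about
127.0.0.1 ad*
"""

# Same intent, with the third rule anchored to a real label instead of a prefix.
CONSTRUCTED_TIGHTER_HOSTSFILE = """\
127.0.0.1 rapidshare.com
127.0.0.1 *.rapidshare.com
127.0.0.1 ads.*
"""

# Constructed sample of names the network's users legitimately need to resolve.
CONSTRUCTED_LEGIT_NAMES = ["adsl.com", "admin.example.org", "www.example.com", "openbsd.org"]

def parse_hostsfile(text):
    """Return [(answer_ip, pattern), ...] in file order, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, pattern = line.split(None, 1)
        rules.append((ip, pattern.strip().lower()))
    return rules

def resolve(rules, qname):
    """Answer the rule set would give for qname, or None meaning 'pass to the real resolver'.
    First matching rule wins; fnmatch mirrors the wildcard semantics (assumption)."""
    name = qname.rstrip(".").lower()          # DNS names are case-insensitive; drop the root dot
    for ip, pattern in rules:
        if fnmatch.fnmatchcase(name, pattern):
            return ip
    return None

def collateral_damage(rules, legit_names):
    """Legitimate names the rule set would hijack too: the 'ad*' versus adsl.com problem."""
    hits = []
    for name in legit_names:
        answer = resolve(rules, name)
        if answer is not None:
            hits.append((name, answer))
    return hits

if __name__ == "__main__":
    rules = parse_hostsfile(CONSTRUCTED_HOSTSFILE)
    print("www.rapidshare.com ->", resolve(rules, "www.rapidshare.com"))
    print("collateral:", collateral_damage(rules, CONSTRUCTED_LEGIT_NAMES))
    print("collateral (tighter):", collateral_damage(parse_hostsfile(CONSTRUCTED_TIGHTER_HOSTSFILE), CONSTRUCTED_LEGIT_NAMES))
```

Running the legitimate-name sample through the rule set before deploying it is the check worth keeping: the loose file hijacks adsl.com and admin.example.org, the tighter file hijacks nothing outside rapidshare.com. As jggimi says, none of this changes the topology questions or stops a client that talks to its own resolver over a tunnel; it only decides which names the box answers for.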
Old 16th January 2010
Oko (Fsck Surgeon)
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 764
Thanked 36 Times in 32 Posts

Quote:
Originally Posted by joostvgh
Hi,

I have installed OpenBSD 4.6.

I would like to block rapidshare by adding some DNS record..
I am not an expert on the subject. To me it looks like the best way to do what you want is by forcing users to use your proxy server and then filtering content, or in this case a specific web site, by configuring the proxy server.
Old 17th January 2010
joostvgh (Port Guard)
Join Date: Jan 2010
Posts: 38
Thanked 0 Times in 0 Posts

Thanks for the tips. The system is up and running now!

dsniff does exactly what I was looking for.

Thanks everyone for the help!