#1, jepettrey, 2nd August 2010
How do I enable IP protocol 47 (GRE) and TCP port 1723?

I need to enable IP protocol 47 (GRE) and open TCP port 1723 on an OpenBSD 4.3 firewall so that I can allow Windows VPN traffic to pass.

Can anybody tell me how to do this? This is an incredibly amateur question, I am aware, but I've never worked with OpenBSD before and am in need of some assistance.


Thanks!
#2, jggimi, 2nd August 2010

The tool used with OpenBSD for firewall operations is PF -- Packet Filter. However there have been many changes since your version of the OS, which is unsupported.

There have been many, many changes to PF, so you will need older, out-of-date documentation.

I will build and attach a 4.3 version of the PF User's Guide for you, it will take a few minutes. Meanwhile...

The man pages for 4.3 might be on your system, or might not. Here are links to the two you will absolutely need for reference to PF, for 4.3:

pf.conf(5)
pfctl(8)

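As an added example that is not part of the thread or of jggimi's reply: a pf.conf fragment in the pre-4.7 syntax that OpenBSD 4.3 understands, passing PPTP (TCP port 1723 plus GRE, IP protocol 47) through the firewall for both an internal Windows VPN server and internal Windows clients. Interface names, addresses, the server and the allowed peer range are all assumptions; the closing comment lines show how the translation rules read after the 4.7 grammar change the thread discusses.

```pf
# Added example (not from the thread): PPTP pass-through in the pf.conf
# syntax of OpenBSD 4.3. Every name and address below is an assumption.
ext_if  = "fxp0"                  # assumed external interface
int_if  = "fxp1"                  # assumed internal interface
int_net = "192.168.1.0/24"        # assumed internal network
vpn_srv = "192.168.1.10"          # assumed internal Windows VPN server
table <vpn_peers> { 203.0.113.0/24 }   # constructed: clients allowed in

set skip on lo0
block in log all                  # default deny; only the holes below are open

# Translation: in 4.3, nat/rdr rules must come before the filter rules.
nat on $ext_if from $int_net to any -> ($ext_if)
# Redirect both halves of an inbound PPTP session to the internal server:
# the control channel on TCP 1723 and the GRE tunnel (IP protocol 47).
rdr on $ext_if proto tcp from <vpn_peers> to ($ext_if) port 1723 -> $vpn_srv
rdr on $ext_if proto gre from <vpn_peers> to ($ext_if) -> $vpn_srv

# Filtering: rules see the post-rdr destination, so match on $vpn_srv.
# "keep state" admits the reply direction; it works for GRE because PF
# keys non-TCP/UDP states on the address pair alone.
pass in on $ext_if proto tcp from <vpn_peers> to $vpn_srv port 1723 flags S/SA keep state
pass in on $ext_if proto gre from <vpn_peers> to $vpn_srv keep state

# Outbound: internal Windows clients dialling an external PPTP server.
# The source is already translated to ($ext_if) here, so no "from" clause.
# PF has no PPTP helper and GRE has no ports, so only one NATed client
# can hold a GRE session to a given server at a time.
pass out on $ext_if proto tcp to any port 1723 flags S/SA keep state
pass out on $ext_if proto gre to any keep state

# Internal side.
pass in  on $int_if from $int_net to any keep state
pass out on $int_if to $int_net keep state

# After upgrading to 4.7, the same translation is written as:
#   match out on $ext_if from $int_net nat-to ($ext_if)
#   pass in on $ext_if proto tcp from <vpn_peers> to ($ext_if) port 1723 rdr-to $vpn_srv
#   pass in on $ext_if proto gre from <vpn_peers> to ($ext_if) rdr-to $vpn_srv
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`; because PPTP's own authentication is weak, keep `<vpn_peers>` as narrow as the remote users allow rather than opening it to `any`.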
#3, jggimi, 2nd August 2010

Here is the PF user's guide for 4.3, in HTML form. It will unpack into a pf/ folder structure; point your browser at pf/index.html.
Attached file: pf-users-guide-4.3.tgz (663.6 KB)
#4, jepettrey, 2nd August 2010

I appreciate your help. I've just started this job and am planning to upgrade the systems.

I'll start another thread later to see about upgrading this system.

Thanks for your help, I really appreciate it.
#5, jggimi, 2nd August 2010

Upgrading can be done release-to-release only.

4.3->4.4->4.5->4.6->4.7 and in a couple of months, 4.8.

This is automated, but there are some semiautomatic steps, most of which can be done with sysmerge(8), which is not in 4.3, but is in 4.4 and above. Follow each release's upgrade guide. Or, conduct a fresh installation, and rebuild your firewall and other services.
#6, BSDfan666, 2nd August 2010

Doing incremental upgrades like that is very tedious, but releases are made every 6 months, so if one leaves a system to stagnate for several releases, they end up making it harder to upgrade.

A fresh installation would probably be the best route to take, but that won't preserve any changes made to the system.

Maintaining a system that was configured by someone else is an enormous job if you have no familiarity with the system, or what services it was providing for your employer's network. I do hope for your sake that the previous maintainer left behind lots of documentation, so you can replicate the configuration.

4.8 will be released soon, in a few months, so hopefully this will give you time to become familiar with this system, and OpenBSD in particular, hopefully making this migration a lot less painful in the future. Just remember to keep it regularly maintained and upgraded.
#7, jepettrey, 3rd August 2010

Quote, originally posted by BSDfan666:
Doing incremental upgrades like that is very tedious, but releases are made every 6 months, so if one leaves a system to stagnate for several releases, they end up making it harder to upgrade.

A fresh installation would probably be the best route to take, but that won't preserve any changes made to the system.

Maintaining a system that was configured by someone else is an enormous job if you have no familiarity with the system, or what services it was providing for your employer's network. I do hope for your sake that the previous maintainer left behind lots of documentation, so you can replicate the configuration.

4.8 will be released soon, in a few months, so hopefully this will give you time to become familiar with this system, and OpenBSD in particular, hopefully making this migration a lot less painful in the future. Just remember to keep it regularly maintained and upgraded.

There is no documentation to speak of unfortunately so this isn't going to be a very fun process. I think I might just go through the tedious process of updating from 4.3 > 4.4 > ... > 4.8.

I would rather do that than risk breaking something that is critical as this is a production firewall.

IT professionals that don't properly document things are very frustrating. Sure you're adding job security, but you're also preventing yourself from getting promoted or taking a vacation.

Oh well, what can you do...
#8, BSDfan666, 3rd August 2010

That's sad, but at least this gives you the opportunity to outshine your predecessor: try and document the changes he made from the "vanilla" installation of 4.3.

I do believe that this system should be upgraded, but doing so without first doing some initial research would be a mistake. It may be running 3rd party software from the ports tree or things they manually compiled (or wrote), and a premature upgrade could theoretically break things and leave you in an awkward situation of trying to restore functionality of what is essentially a "black box" to you.

I fear that you may have bitten off more than you can chew; I would not want to be in your situation. But we'll do our best to help you with any questions you may have, though 4.3 is generations ago and it may take time for us to formulate something resembling a response.

Good luck!

#9, jepettrey, 3rd August 2010

Quote, originally posted by BSDfan666:
That's sad, but at least this gives you the opportunity to outshine your predecessor: try and document the changes he made from the "vanilla" installation of 4.3.

I do believe that this system should be upgraded, but doing so without first doing some initial research would be a mistake. It may be running 3rd party software from the ports tree or things they manually compiled (or wrote), and a premature upgrade could theoretically break things and leave you in an awkward situation of trying to restore functionality of what is essentially a "black box" to you.

I fear that you may have bitten off more than you can chew; I would not want to be in your situation. But we'll do our best to help you with any questions you may have, though 4.3 is generations ago and it may take time for us to formulate something resembling a response.

Good luck!

It's not a super complex network so I think I should be okay in terms of handling the situation...I just need to be careful with how I approach things.

I probably could build a new firewall to the best of my ability in regards to how the network appears to be configured and then just find out what is broken and what needs to be fixed. However, I haven't worked with OpenBSD before, so I'd rather use this as a learning opportunity and establish a new skillset.

This seems like a pretty helpful forum, I'm glad I made my way here. Thanks again for the advice thus far.
ocicat (Administrator), 3rd August 2010

Quote, originally posted by jepettrey:
I probably could build a new firewall to the best of my ability in regards to how the network appears to be configured and then just find out what is broken and what needs to be fixed. However, I haven't worked with OpenBSD before, so I'd rather use this as a learning opportunity and establish a new skillset.

This sounds like you have put some thought into it, but you should also factor in the exceedingly short shelf life of firewall software.

Given that the purpose of firewalls is to plug/thwart many of the vectors malevolent souls exploit to either get past security roadblocks or perform malicious acts, making sure firewall software is current & patched should be a paramount goal.

Also if I recall correctly, there were significant performance enhancements made to both OpenBSD 4.2 & 4.4. Once you become familiar with the terrain, moving to 4.7 (& OpenBSD 4.8 will be released in November...) should be high on your list of things to get done.
jggimi, 3rd August 2010

The firewall script (/etc/pf.conf, usually) will tell you how the thing acts as a firewall. That cannot be moved, unchanged, to 4.7, but the upgrade guides along the way will explain what changes will need to be made.

The /etc/hostname.* files will give you your network configuration. The hostname.if(5) man page will help you understand those files.

The pkg_info(1) command will tell you all 3rd party software installed on your platform through the packages/ports system, described in FAQ 15.

The sysctl.conf(5) file will show any "knobs" that might have been turned -- routers/firewalls, for instance, should have ip forwarding enabled there.