DaemonForums  

Replacing 3Com Router with OpenBSD

Dr-D, 18th June 2011

I have an issue with my high speed cable internet where my WAN IP stays the same for extended periods of time, which is both a blessing and a curse. It only changes 2 or 3 times a year when there is an extended power outage due to lightning storms or my ISP upgrades or restarts their gear. Changing ISPs isn't an option since it's either DSL, which is only 1/20th the speed of my cable, or dial-up.

The problem is I am continually being port scanned and subjected to attempts to break into my network, which my router security logs show. My router counteracts these attacks by going offline for 30 seconds and renewing the IP address. The problem is the IP address never changes due to the way my ISP is set up, and this can sometimes happen 15 or more times an hour, which makes trying to watch videos or use Netflix a futile and frustrating experience. I rotate the MAC address on my router by cloning the MAC addresses from my internal PCs, printers and game consoles to get a different IP, but this only helps for short periods of time, say a few days to a week, before it starts all over again. These attacks started happening about 6 months ago, at least that's when I started noticing them due to network interruptions, and they are steadily getting worse/more frequent as time goes on. The IPs attacking me usually trace back to countries whose names end in "stan". That's when I started researching for a solution to this problem, which led me to OpenBSD.

My experience with Linux/UNIX on a scale of 1 to 10 is probably about a 5. I downloaded and installed OpenBSD 4.9 for the first time a couple of days ago and set up a basic firewall, which seemed to work fine when I removed my router from the network. All internal PCs were able to use the internet and it almost seemed like everything was faster, but that might just all be in my head. My BSD box only has SSH, DHCP and PF running. I never installed any of the X sets. One thing that happened instantly when I switched from my 3Com router to the BSD router was my Windows Home Server (don't laugh) instantly threw out a MITM attack message. A quick search showed that this can happen when the router IP address changes, but I need to look into that a bit more. I will need to port forward a few ports to various internal IPs, but for now the question is: was my OpenBSD router nearly as secure as my 3Com router? I want to have a very secure firewall like my 3Com router but without the network interruptions it causes trying to thwart the attacks. Any help and suggestions would be greatly appreciated.

Thanks.

In case anyone wants my router specs, it's a 3Com 3CRWER200-75.

I've posted the contents of my dhcpd.conf and pf.conf files below so you can all see and tell me just how bad a job I did for security on my first attempt.
Code:
##############################################
#	$OpenBSD: dhcpd.conf,v 1.2 2008/10/03 11:41:21 sthen Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Network:	192.168.1.0/255.255.255.0
# Domain name:	my.domain
# Name servers:		192.168.1.3 and 192.168.1.5
# Default router:	192.168.1.1
# Addresses:	192.168.1.32 - 192.168.1.127
#
authoritative;
option domain-name "bcs69.com";
option domain-name-servers 24.222.0.94, 24.222.0.95;
subnet 192.168.0.0 netmask 255.255.255.0 {
	option routers 192.168.0.55;
	range 192.168.0.225 192.168.0.250;
}
##############################################
Code:
##############################################
# pf.conf
# macros
int_if="re0"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"
#
# options
set block-policy return
set loginterface re0
set skip on lo
#
# match rules
match out on egress inet from !(egress) to any nat-to (egress:0)
#
# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
##############################################

Last edited by ocicat; 29th July 2011 at 02:07 AM. Reason: Please wrap code listings with [code] & [/code] tags...
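
A tightened variant of the pf.conf posted above, as an added example that is not part of the original post: it keeps the same layout but stops answering probes and rate-limits inbound SSH. The `<bruteforce>` table name and the connection limits are assumptions chosen for illustration, and port 113 is left closed on the assumption that no ident service runs on the box (the post lists only SSH, DHCP and PF).

```conf
# pf.conf (added example, not the poster's file)
# macros
int_if="re0"
icmp_types="echoreq"
#
# tables
# Sources that exceed the SSH limits below are added here (name is an assumption).
table <bruteforce> persist
#
# options
# "drop" discards blocked packets silently; "return" answers blocked
# TCP with RST and UDP with ICMP unreachable.
set block-policy drop
set loginterface re0
set skip on lo
#
# match rules (unchanged from the post)
match out on egress inet from !(egress) to any nat-to (egress:0)
#
# filter rules
block in log
# Drop everything from sources that tripped the limits, before any pass rule.
block in quick from <bruteforce>
pass out quick
antispoof quick for { lo $int_if }
# Inbound SSH only, with per-source limits (values are illustrative):
#   max-src-conn       concurrent connections per source address
#   max-src-conn-rate  new connections per source / seconds
#   overload + flush   add the source to the table and kill its states
pass in on egress inet proto tcp from any to (egress) port 22 \
    keep state (max-src-conn 5, max-src-conn-rate 3/30, \
    overload <bruteforce> flush global)
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
```

The file can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`, and the overload table inspected with `pfctl -t bruteforce -T show`.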