DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 24th August 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Thanked 0 Times in 0 Posts
Default are these pf.conf settings correct ?

Hi
This my first attempt to touch pf.conf .. if there is something foolish please don't be aggressive.
Following FAQ 6 , I have :
in hostname.wpi0 :
Code:
dhcp NONE NONE NONE
in hostname.bce0 :
Code:
up media 10base2
in hostname.bridge0 :
Code:
add wpi0
add bce0
up
* Are these settings correct to allow http ssh and ftp ?

Code:
pass in quick on bce0 all
pass out quick on bce0 all
block in  on wpi0 all
block out on wpi0 all

pass in quick on wpi0 proto tcp from any to any port {22, 80, 21} \
     flags S/SA keep state
* I'd like to allow amule too , how could I set pf.conf to tighten security while still be able to use the p2p client ?

Thank you very much !!
Reply With Quote
  #2   (View Single Post)  
Old 24th August 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Thanked 0 Times in 0 Posts
Default

Maybe I should pass udp as well , to allow dhcp ..
Reply With Quote
  #3   (View Single Post)  
Old 24th August 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,888
Thanked 190 Times in 160 Posts
Default

Quote:
Originally Posted by daemonfowl View Post
in hostname.bce0 :
Code:
up media 10base2
Coax?
Reply With Quote
  #4   (View Single Post)  
Old 24th August 2012
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,708
Thanked 214 Times in 189 Posts
Default

ocicat, that's from daemonfowl blindly copying and pasting from FAQ 6.9, without comprehension. Only NIC names were changed.

The bce(4) NIC and the bmtphy(4) PHY do not have 10Base2 Ethernet media adapters.

---

The PF configuration shown is identical to the FAQ's -- except for the addition of the FTP control port 21. There is no ftp-proxy, nor passing of a range of ports for data connections.

daemonfowl
, FTP is a complex protocol; so complex it has its very own chapter in the PF User's Guide. What you have posted will not work for FTP.
Reply With Quote
  #5   (View Single Post)  
Old 24th August 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Thanked 0 Times in 0 Posts
Default

Quote:
ocicat, that's from daemonfowl blindly copying and pasting from FAQ 6.9, without comprehension. Only NIC names were changed.
That's right Teacher ! & I hope you're not shocked .. well it's really my 1st attempt to play ith pf :-)
I've changed that line .. 'up' is enough so it will use autoselect (defaults) .. but if you deem simplication is better I may do without the bridge.

There was a contribution by oko , an example of a working pf.conf that maybe I can elaborate on to meet my needs and my needs for a box are : http/ftp/ssh/ plus being able to use p2p (amule & bitorrent)
Here is oko's sample pf.conf :
Code:
ext_if="rl0"

tcp_services = "{ssh, imaps, smtp, 587, domain, ntp, www, https}"
udp_services= "{domain, ntp}"


set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble

block return in log all
block out all

antispoof quick for $ext_if


pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services
Reply With Quote
  #6   (View Single Post)  
Old 24th August 2012
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,708
Thanked 214 Times in 189 Posts
Default

Quote:
Originally Posted by daemonfowl View Post
...an example of a working pf.conf that maybe I can elaborate ...
No. Do not copy and paste something you do not understand. Let me quote from another post of mine, from last year. I don't think you've seen it.
Quote:
Originally Posted by jggimi View Post
...I am concerned by what I have seen in the pf.conf you have posted. It appears that you have copied and pasted a pf.conf file from some "how-to" you found on the Internet.... I am guessing that you did not realize [your error] because you copied and pasted from someone else's configuration file, and then hoped things would work for you. Let us quote from Peter Hansteen's The Book of PF:
Quote:
Just to hammer this in, please repeat after me:

The Pledge of the Network Admin


"This is my network.
It is mine
or technically my employer’s,
it is my responsibility
and I care for it with all my heart
there are many other networks a lot like mine,
but none are just like it.

I solemnly swear
that I will not mindlessly paste from HOWTOs."
If you are unable to understand and explain a configuration change you are making, then you are doing something wrong.
Reply With Quote
  #7   (View Single Post)  
Old 24th August 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,888
Thanked 190 Times in 160 Posts
Default

Quote:
Originally Posted by daemonfowl View Post
I hope you're not shocked ..
Rather, disappointed.

daemonfowl, you will find in the OpenBSD community very little sympathy for those who simply cut-&-paste others work having little to no comprehension of what it does.
Quote:
There was a contribution by oko , an example of a working pf.conf that maybe I can elaborate on to meet my needs...
...& how do you know that it is a working pf.conf? With which version of OpenBSD? Have you confirmed functionality through use of tcpdump(8)?
Reply With Quote
  #8   (View Single Post)  
Old 24th August 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Thanked 0 Times in 0 Posts
Default

I agree that copy/paste is not the right way to learn
I see those examples as starting points for me to first *start* walking ..
at this moment I ned to set my still immature pf.conf to allow p2p ?
Do I have to first learn about p2p and tcp ip to start using pf.conf ??
OpenBSD is a shoreless sea as is Unix .. how can I use it to serve me this ? at this time ?
As to learning it is and must be a life process but every mortal has their own tempo/rhythm/ pace .. I believe myself to have the slowest .. and yet I'm not psychologically ( :-) ) ready to stop using a great OS just because it's hard for me .. that's it.
(There are lots of people -I'm sure- who are having the same -if not worse- issue but abstain from exposing it here or there :-) not to be ridiculed .. well only the shy and the boastful who wouldn't learn a thing )
Reply With Quote
  #9   (View Single Post)  
Old 25th August 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,888
Thanked 190 Times in 160 Posts
Default

Quote:
Originally Posted by daemonfowl View Post
I agree that copy/paste is not the right way to learn
Yet, we see evidence of it again & again with you...
Quote:
how can I use it to serve me this ?
Read. Study. Don't try to find shortcuts. Two places to begin are:
Reply With Quote
Old 25th August 2012
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,708
Thanked 214 Times in 189 Posts
Default

Quote:
Originally Posted by daemonfowl View Post
at this moment I ned to set my still immature pf.conf to allow p2p ?
You would need to have a very clear understanding of the protocols and ports used by your p2p application, so that you can determine what exact traffic you wish to allow, and what traffic you wish to deny.
Quote:
Do I have to first learn about p2p and tcp ip to start using pf.conf ??
Yes. TCP/IP networking knowledge is an absolute requirement. PF's purpose is to manage network traffic. You must set the rules, based on your knowledge of that traffic. Your traffic will be unique. Copy/Paste/Hope is not a path to success.
Reply With Quote
Old 25th August 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,888
Thanked 190 Times in 160 Posts
Default

And for fans of dead trees, the following is the best book I have read on the general theory of TCP/IP:

http://www.amazon.com/Routing-TCP-Vo...rds=jeff+doyle

Reply With Quote
Old 25th August 2012
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,708
Thanked 214 Times in 189 Posts
Default

Here is someone who "manages" what he does not understand. Do you want to be like him?



Do you truly wish to make network decisions in ignorance? You could harm more than your own systems. An improperly configured network is a network which may be open to attack, and could be used as a vector to launch attacks on other networks. You may not care about your own systems. But you should be a responsible Internet citizen and not -- through willful ignorance -- cause problems for others.
Reply With Quote
Old 16th September 2012
ai-danno's Avatar
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Thanked 35 Times in 31 Posts
Default

As a suggestion, you should annotate your pf.conf file with your own thoughts, understandings, and misgivings. Drill down on every line to understand WHY it is there. pf is there to guard your system, so if you can't vet your guards, how can you be sure they are guarding you?

One misgiving that is repeated in the OpenBSD community is that a great deal of software (generally speaking here) is written for feature and functionality first, and then has security added later. This is a terrible approach, and is one major reason why you don't see tons of new software in the OpenBSD system. Translate that into your use of the system itself (and in this case securing the system via pf), and you can see that it's better to be sure you are secure first, and then able to do all the fun stuff that you want to do.

If you contribute pf.conf files to others for review, having it well annotated can not only help them get 'up to speed' on your setup faster, but it can also show them that you are sure about certain things and not sure about others. Correcting a misunderstanding here (even if you were 'sure' about it) is a much more gracious event than correcting a 'cut-n-paste' situation.

Also, pf can be quite complex- asking a question here about a single function or line is not a bad thing at all (given proper context, of course), and may provide the ability to show the rest of the forum how a particular thing should be done in pf. It also tends to keep people focused .
__________________
Network Firefighter
Reply With Quote
Old 17th September 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Thanked 0 Times in 0 Posts
Default

Quote:
Correcting a misunderstanding here (even if you were 'sure' about it) is a much more gracious event than correcting a 'cut-n-paste' situation.
Thank you so much ! I agree .. I had in mind starting first from -to my mind- a more generic working sample and start reshaping it to meet my needs .. just as when a kid leaning html is first given a basic skeleton then invited to better it .. It's not that I was looking for a ready-made pf.conf to be always used and/or for all boxes .. I still believe examples are vital for learning and not everyone is capable of putting theory into practice the first time ..
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
is this a correct attitude ? daemonfowl OpenBSD General 6 28th March 2012 08:31 PM
sysctl.conf settings not loading on boot Kuboaa FreeBSD General 2 18th November 2010 08:35 AM
Correct tag for ports & docs vigol FreeBSD Ports and Packages 1 6th December 2009 02:06 PM
Network settings guitarscn OpenBSD General 13 18th February 2009 01:45 AM
Problem loading (the correct) libX11.so.6 phreud FreeBSD General 3 10th November 2008 11:13 AM


All times are GMT. The time now is 09:52 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick