DaemonForums: OpenBSD Security

#1
Old 18th March 2013
phyro

pf filtering

Hi,

Just wanted to find out if anyone can help me figure something out...

I'm under the understanding that a Linux system using its ipchains rule sets cannot tell the difference between traffic on its ports?

Whereas OpenBSD's PF can.

My first question is:

Let's suppose every port is nailed down tight on a Linux system, except port 80.
Someone with know-how could possibly use SSH over port 80 and send files via secure copy to a foreign server using encryption over an open port (or any port), punching right through a firewall.

Would PF provide any better protection against that?


The other question I had was if anyone knew of a resource that provides a good comparison between the capabilities and shortcomings of a Linux-based system vs. OpenBSD's PF? (Everything I found was out of date.)

Thanks,
#2
Old 19th March 2013
jggimi

Quote:
Originally Posted by phyro
Hi,

Just wanted to find out if anyone can help me figure something out...

I'm under the understanding that a Linux system using its ipchains rule sets cannot tell the difference between traffic on its ports?

Whereas OpenBSD's PF can.
I'm not sure what you are stating here regarding your understanding. PF conducts layer 3 (IP and its protocols) inspection, stateful processing, and filtering... and for bridge(4) interfaces only, can filter layer 2 Ethernet frames by MAC address. For some protocols, additional filtration is possible, such as with TCP and UDP protocols, PF can filter by sending or receiving port numbers.

Keep in mind, PF does not inspect data payloads, only the suite of IP protocols and their packet headers.
Quote:
Let's suppose every port is nailed down tight on a Linux system, except port 80.
Someone with know-how could possibly use SSH over port 80 and send files via secure copy to a foreign server using encryption over an open port (or any port), punching right through a firewall.

Would PF provide any better protection against that?
If I understand what you are asking, the general answer is "No." Keep in mind:
SSH traffic uses the TCP protocol. PF does not inspect the data in the TCP packets, only the headers and behavior. So, if your PF rules permit outgoing TCP traffic to any address with a TCP destination port 80, PF will permit that traffic.

My customer's network at my $DAYJOB does not permit Internet access except via proxy servers for any platform outside its DMZs. Those proxy servers require URLs and a limited set of communication protocols -- http, https, and ftp -- with inspection of those URLs for approved/restricted content.

Could even that be circumvented? Sure. I haven't tried, as I want to keep my $DAYJOB, but there are tools that can "tunnel" SSH sessions over HTTPS, such as security/corkscrew.

Quote:
The other question I had was if anyone knew of a resource that provides a good comparison between the capabilities and shortcomings of a Linux-based system vs. OpenBSD's PF? (Everything I found was out of date.)
All of the firewall tools in active development are going to be moving targets.

It may be heresy to suggest this ... but I recommend using a toolset that you can understand and are comfortable using, and that you can test to ensure it is working as you intended, whether that's a Linux-based solution or not. Having a manageable, tested, and functioning solution is more important than the specific technology or the underlying OS. If it's configured properly, that tool should be able to provide better control, security, and management facilities than an off-the-shelf SOHO NAT router or embedded "firewall" product.

Personally, I prefer PF.
#3
Old 19th March 2013
phyro
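Added example, not from the thread or from any of its posters: a pf.conf fragment for an OpenBSD gateway that contrasts the header-only rule jggimi describes with a proxy-only layout. Interface names, networks, the proxy address and its port are assumed.

```conf
# Constructed layout: LAN on em1, DMZ on em2, proxy in the DMZ, "egress" is
# the Internet-facing interface group OpenBSD maintains automatically.
lan_if     = "em1"
dmz_if     = "em2"
lan_net    = "10.0.0.0/24"
proxy      = "192.168.1.5"
proxy_port = "3128"

set skip on lo
block in log all     # default deny where packets enter; drops go to pflog0
pass out all         # leaving is free once a packet has been passed in

# WEAK (left commented out as the "before"): PF matches only the IP/TCP
# headers, so this passes any TCP session whose destination port is 80,
# including an SSH session to a server listening on 80. Nothing here can
# see the payload, so PF cannot tell SSH-on-80 from HTTP.
# pass in on $lan_if proto tcp from $lan_net to any port 80

# CORRECTED: LAN hosts never reach the Internet directly. They may only talk
# to the proxy, and only the proxy may open 80/443 outbound. The proxy, not
# PF, is the layer that understands the protocol and can reject non-HTTP.
pass in on $lan_if proto tcp from $lan_net to $proxy port $proxy_port
pass in on $dmz_if proto tcp from $proxy to ! $lan_net port { 80 443 }
```

A LAN host that tries to go out directly (SSH on 80 or anything else) is now logged rather than passed; `tcpdump -n -e -ttt -i pflog0` shows those drops as they happen.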

Awesome, thanks. I'll stick with PF, but it sounds like I should work on some Squid to prevent mischievous traffic.