DaemonForums  

#1 - 10th February 2010 - Simon (Port Guard; Join Date: Jan 2010; Posts: 30)
prove need for a firewall

Hello,
I want to prove the need for a firewall.
I'm trying a test:

((SimpleModemRouteurWifi ST780WL))----fxp0---|OpenBSD 4.6|

The SpeedTouch Thomson ST780WL (192.168.1.254): 4 ports (switch), no open ports, so no services used on the LAN.

OpenBSD Machine has only one network card (192.168.1.250).
Another machine (Wi-Fi connection: 192.168.1.64)

My pf.conf:
Code:
set skip on lo
block in log on egress

To see what is happening :
I'm doing: tcpdump -nettti pflog0
Im waiting ...

Last edited by Simon; 10th February 2010 at 12:35 PM. Reason: more precisions
#2 - 10th February 2010 - Simon (Port Guard; Join Date: Jan 2010; Posts: 30)
logs

I can see only ports: 53, IGMP... nothing else...
#3 - 10th February 2010 - jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,975)

Knowing nothing about your ST780WL, and, that your environment is configured with NAT before reaching the OpenBSD box -- you will not normally see incoming packets to your public Internet IP address on your OpenBSD platform, unless a state has been previously established -from- your OpenBSD platform.

NAT routers can be set to forward inbound traffic to specific UDP and TCP ports, or forward specific protocols that do not have ports, and some can also forward all traffic, using a feature typically called "DMZ", though the name and capabilities offered vary from one NAT device to another, depending on vendor.

Otherwise, all you've proved is that simple stateful NAT, offered by thousands of different off-the-shelf devices, provides intrinsic "firewall"-like capability, which is one of its basic value propositions.
#4 - 10th February 2010 - J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,125)

The Speedtouch probably has a built-in firewall. That is why you don't see that much.

If you want to see a lot, you have to change
Code:
block in log on egress
into
Code:
block log all
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#5 - 10th February 2010 - Simon (Port Guard; Join Date: Jan 2010; Posts: 30)
Conclusion

The SpeedTouch has no port forwarding activated.
The computers on the LAN just have an Internet connection (out).
They use mail and web surfing. Their mail server is their ISP's smtp.orange.fr.
And of course, this model has a small firewall integrated, like Linksys and Netgear do. So my conclusion: if a company has a configuration like that, the use of an OpenBSD box (pf) is not very important. What do you think about that? Perhaps I made a stupid remark, correct me! ;-)

Last edited by Simon; 10th February 2010 at 07:10 PM. Reason: more precisions
#6 - 10th February 2010 - J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,125)

A reason for still using an OpenBSD firewall is that it can enforce the policy that mail has to go through the smtp.orange.fr server.
Code:
INT = "xl0"   # internal LAN interface; placeholder name, the post did not define this macro
block log all
pass out quick on egress inet proto tcp from $INT:network to smtp.orange.fr port smtp
All mail sent out by a compromised Windows box will now be stopped and logged. And it is very nice to know which box exactly has been doing that. You want to make sure that it is not the one of the accountant or the person who does bank payments.

On my home OBSD firewall I also run a caching and authoritative nameserver. That saves some Internet traffic.

A small company also could benefit from running Squid, a caching proxy for www and ftp. But that would better be run on a separate machine.

A separate firewall also could enforce the "internet usage policy". For example no eBay, Facebook or Twitter during working hours, only during lunch time.

The firewall in the Speedtouch is nice to have for protection. But if you want to know exactly what kind of traffic is going out from your LAN to the Internet a dedicated firewall has a lot of advantages.
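Both Simon's `tcpdump -nettti pflog0` check (post #1) and J65nko's point that logged blocks tell you exactly which LAN box is trying to send mail around the ISP relay (post #6) come down to reading pflog output. The script below is an added example, not code from the thread or from OpenBSD: it parses lines in the shape tcpdump prints for pflog0 with those flags (the exact line shape is assumed from the OpenBSD 4.6-era tcpdump and is documented in the regex), counts blocked packets per source host, and lists LAN hosts whose SMTP attempts to anything other than the allowed relay were blocked. The sample lines, the interface names xl0/em0, the 192.168.1.0/24 LAN and the relay address 203.0.113.25 are all constructed stand-ins.

```python
"""Summarize pflog output captured with `tcpdump -nettti pflog0`.

Added example for this thread (not the posters' code): group blocked packets
by source host and flag LAN hosts trying to reach SMTP servers other than
the ISP relay the ruleset allows.
"""
import re
import sys
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Line shape assumed for OpenBSD tcpdump -nettti on pflog0, e.g.
#   Feb 10 12:31:05.101010 rule 0/(match) block in on xl0: 192.168.1.64.49153 > 198.51.100.7.25: S ...
# Ports are optional so IGMP/ICMP lines (no port) still parse.
PFLOG_RE = re.compile(
    r"^(?P<ts>(?:\w{3} +\d+ )?\d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

LAN = ip_network("192.168.1.0/24")   # LAN from the thread
ALLOWED_SMTP = {"203.0.113.25"}      # constructed stand-in for the ISP relay's address
SMTP_PORT = 25

# Constructed sample lines (not captured traffic): two LAN hosts trying other
# mail servers, plus the DNS and IGMP noise Simon reported seeing.
SAMPLE_LINES = [
    "Feb 10 12:31:05.101010 rule 0/(match) block in on xl0: 192.168.1.64.49153 > 198.51.100.7.25: S 10:10(0) win 65535 <mss 1460>",
    "Feb 10 12:31:06.202020 rule 0/(match) block in on xl0: 192.168.1.64.49154 > 198.51.100.8.25: S 11:11(0) win 65535 <mss 1460>",
    "Feb 10 12:31:07.303030 rule 0/(match) block in on xl0: 192.168.1.77.1025 > 192.0.2.9.25: S 12:12(0) win 8192 <mss 1460>",
    "Feb 10 12:31:08.404040 rule 0/(match) block in on fxp0: 192.168.1.254.53 > 192.168.1.250.12345: udp 80",
    "Feb 10 12:31:09.505050 rule 0/(match) block in on fxp0: 192.168.1.254 > 224.0.0.1: igmp query v2",
    "Feb 10 12:31:10.606060 rule 3/(match) pass out on em0: 192.168.1.250.49160 > 203.0.113.25.25: S 13:13(0) win 65535",
    "this line is not pflog output and is skipped",
]


def parse_line(line):
    """Return a dict of fields for one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def summarize(lines):
    """Count blocked packets per source address and collect blocked SMTP
    attempts from LAN hosts to servers outside ALLOWED_SMTP."""
    blocked_by_host = Counter()
    smtp_violations = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "block":
            continue
        blocked_by_host[rec["src"]] += 1
        if (ip_address(rec["src"]) in LAN
                and rec["dport"] == SMTP_PORT
                and rec["dst"] not in ALLOWED_SMTP):
            smtp_violations[rec["src"]].append(rec["dst"])
    return blocked_by_host, dict(smtp_violations)


def report(lines):
    """Render the summary as text, one offending LAN host per line."""
    blocked, violations = summarize(lines)
    out = ["blocked packets per source:"]
    for host, n in blocked.most_common():
        out.append(f"  {host:<16} {n}")
    out.append("LAN hosts sending mail around the allowed relay:")
    for host, dsts in sorted(violations.items()):
        out.append(f"  {host:<16} -> {', '.join(dsts)}")
    return "\n".join(out)


if __name__ == "__main__":
    # Use piped tcpdump output when present, otherwise the constructed samples.
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    print(report(source))
```

Pipe real output into it with `tcpdump -nettti pflog0 | python3 pflog_smtp.py`. The addresses in a pflog line are as pf saw them on that interface, so a packet logged on egress after NAT shows the translated source; to name the LAN box, as J65nko wants, read the entries logged on the internal interface, which is what the samples above show.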
#7 - 10th February 2010 - jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,975)

As you have "proved" through your test -- NAT alone provides some firewall-like capabilities, all by itself.

But NAT does not provide traffic shaping, traffic overload protection, program controlled redirection, or any of the other myriad capabilities of a program controlled router that acts as a firewall. If none of those advanced capabilities are of value to you, then using OpenBSD as a firewalling router might not be of value to you.

But in your test, OpenBSD was an end-use computer, not a router. You were merely proving to yourself that NAT acts as a limited capability firewall. You were testing your NAT router, not OpenBSD, and your test was not evaluating OpenBSD at all.
#8 - 11th February 2010 - Simon (Port Guard; Join Date: Jan 2010; Posts: 30)
reasons

Hi

I attached a small image to represent what I did.
I did this test to see, on a network without a firewall (for example: our famous OpenBSD), what is coming from "egress"?... That's all.
To see that, I just took a machine with one NIC, an OpenBSD system, and a simple pf ruleset. Then a tcpdump to see what happens on input.

My conclusion is that for a home user, or a small company (which doesn't need "Internet filtering use" and has no service to provide), implementing an OpenBSD box is not vital.
Attached image: network.png (14.3 KB, 70 views)
#9 - 11th February 2010 - jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,975)

Quote:
...OpenBSD is not vital.
If that is your belief, then don't use it. The OpenBSD Project has never tried to be all things to all people. See www.openbsd.org/goals.html
11th February 2010 - ocicat (Administrator; Join Date: Apr 2008; Posts: 3,318)

Quote:
Originally Posted by Simon View Post
My conclusion is that for a home user, or a small company (which doesn't need "Internet filtering use" and has no service to provide), implementing an OpenBSD box is not vital.
The topology used proves nothing.
  • A system with only one interface can only filter what is coming into itself. It will provide no value to any other device found in the segment in terms of filtering. Whatever nasty traffic is floating about your internal LAN segment has already breached the barrier between the Internet & your local network.
  • Typical firewall use has traffic flowing through it which will be filtered. This requires at least two interfaces. Diagrammatically:
    Code:
    Internet --- firewall --- switch --- end-point systems