OpenBSD Security: Functionally paranoid!
Getting Total Control of My LAN with OpenBSD 6.1
Hi,
I did a fresh installation of OpenBSD 6.1 to get total control of the internet usage for my LAN. I had OpenBSD 5.3 earlier. With the new installation I was able to build an IPsec tunnel and configure firewall rules to some extent. I need your help to achieve the following requirements:
1) Implementing QoS (if I can get a link which describes CBQ and PRIQ with examples, it is much appreciated.)
2) Could I restrict some sites, e.g. Facebook, totally? If so, please give me information on that.
3) Could I control access to some sites like FB by implementing a schedule in PF? If so, please give me information on that.
4) Could I implement an IPS on my latest OpenBSD firewall? If so, please give me information on that.
Thanks
Peter also has an online tutorial, but it is not as detailed as his book.
I use <table> in pf to restrict websites by their IP or CIDR, whichever I prefer.
Currently we filter all non-US IPs with pf, which works almost instantaneously.
That approach is full of holes, of course, as using a public proxy can defeat it, and you're also blocking *everything*, including email servers, etc.
If the primary concern is blocking users from surfing Facebook, amithapr may be able to leverage relayd for that and not have to resort to an ASN block =) Really depends on exactly what level of lockdown is required. I have teenagers who have proven that social media is far too strong a temptation over getting homework done, so I've had to get creative in my approaches.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Quote:
Code:
# Block Ad Server domains.
local-zone: "doubleclick.net" redirect
local-data: "doubleclick.net A 127.0.0.1"
local-zone: "googlesyndication.com" redirect
local-data: "googlesyndication.com A 127.0.0.1"
local-zone: "googleadservices.com" redirect
local-data: "googleadservices.com A 127.0.0.1"
local-zone: "google-analytics.com" redirect
local-data: "google-analytics.com A 127.0.0.1"
local-zone: "ads.youtube.com" redirect
local-data: "ads.youtube.com A 127.0.0.1"
local-zone: "adserver.yahoo.com" redirect
local-data: "adserver.yahoo.com A 127.0.0.1"
local-zone: "ask.com" redirect
local-data: "ask.com A 127.0.0.1"
It seems like the DNS approach would reduce network chatter and server load. I wonder if that efficiency might be reasonably attractive to some users such that it is worth considering?
It might be helpful to understand the scenario/context:
"Total control", right?
Dear All,
Thanks a lot for your valuable information. I will try those and give the feedback. Thanks again
I don't know how this approach plays with websites behind Cloudflare reverse proxy.
__________________
Signature: Furthermore, I consider that systemd must be destroyed. Based on a Latin oratorical phrase.
Hi,
I referred to The Book of PF, Third Edition, then added the following rules to my PF. As in my OpenBSD 5.3 firewall, which used the old ALTQ with CBQ, only one queue is active all the time on OpenBSD 6.1 as well. I wonder whether I'm making a major mistake. By applying queues, I wanted to give priority to some of my workstations in the LAN by allocating half of the bandwidth when those workstations are connected to the internet. WHAT SHOULD I DO TO ACTIVATE BOTH QUEUES?
Code:
ext_if="bge1"
ext_ip="x.x.x.x"
bmpc_wks="{y.y.y.22/32, y.y.y.23/32, y.y.y.24/32}"

queue mainq on $ext_if bandwidth 4M
queue std parent mainq bandwidth 2M default
queue bmpc parent mainq bandwidth 2M

#Rules for LAN -AL
match out on $ext_if proto { tcp,udp,icmp,esp } from x.x.x.0/24 nat-to ($ext_if) static-port

#Rules for Boardroom,Meetingroom,Projector workstations
#pass out on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc
match out on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc set prio 7
match out on $ext_if proto {tcp, udp} from $int_if to any port>=80 queue std set prio 3
Code:
QUEUE          BW  SCH PRIO  PKTS   BYTES  DROP_P DROP_B QLEN BORROW SUSPEN  P/S    B/S
mainq on rl0   4M              0       0       0      0    0                  0      0
 std           2M            766  190048       0      0    0                 55  13053
 bmpc          2M              0       0       0      0    0                  0      0
Hi Jggimi,
Please find the pf.conf file of the OpenBSD 6.1 Firewall herewith. Thanks
Hi,
I hope you will help me to get this QoS feature working! I feel I'm making some fundamental mistake in the configuration, since this did not work on my old OpenBSD 5.3 version either. Thanks
I don't see anything obvious, so I am left to guessing. You are attempting to use both queue names and priorities, and that might be the problem. Try removing your 'set prio' from your match rules, so that you are definitively using the queue name only. Queues are documented as being "sticky" on match rules, priorities are not, and setting the priority may override using named queues.
(You do not need to use "/32" to define single IP addresses.)
Last edited by jggimi; 12th September 2017 at 11:05 AM. Reason: typo
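The suggestion above applied to the rules posted earlier in the thread, as an added illustration (not the poster's configuration, and not a fix confirmed in this thread): queues are selected by queue name only, the set prio options are removed, and the /32 suffixes are dropped. The lan macro is an assumption standing in for the LAN network that the posted NAT rule writes inline as x.x.x.0/24; the pass rules from the rest of the poster's pf.conf are not shown.

```pf
ext_if="bge1"
# Assumed macro for the LAN network (the posted NAT rule used x.x.x.0/24 inline).
lan="x.x.x.0/24"
# Single hosts need no /32 suffix.
bmpc_wks="{ y.y.y.22, y.y.y.23, y.y.y.24 }"

# Root queue on the upstream interface, split into two equal child queues.
# std is the default queue for anything no rule assigns elsewhere.
queue mainq on $ext_if bandwidth 4M
queue std  parent mainq bandwidth 2M default
queue bmpc parent mainq bandwidth 2M

# Queue assignment by queue name only, with no "set prio", so the named
# queue is the only thing these match rules attach to the state.
# These rules come before the nat-to rule so they match on the untranslated
# LAN source addresses, and the more specific bmpc rule comes last because
# a later matching match rule overrides the queue set by an earlier one.
match out on $ext_if proto { tcp udp } from $lan      to any port >= 80 queue std
match out on $ext_if proto { tcp udp } from $bmpc_wks to any port >= 80 queue bmpc

# NAT for the LAN, as in the posted rules.
match out on $ext_if proto { tcp udp icmp esp } from $lan nat-to ($ext_if) static-port

# The pass rules that actually allow the traffic are not part of the posted
# excerpt and are left as they were; match rules only attach the queue.
```

After reloading with pfctl -f /etc/pf.conf, the same systat queues view as the stats posted above should show the bmpc packet counter moving as soon as one of the listed workstations is browsing.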