DaemonForums  
#1
Old 18th November 2009
There0
./dev/null
 
Join Date: Jul 2008
Posts: 170
PF mods

Greetings all, I was reading on the changes to PF and found this below interesting. Wondering if anyone had any updated 4.6 pf.conf rules they would like to share.

I had removed my scrub option from my 4.5 conf to work with 4.6; any examples of "one kind of packet reassembly" and "match" syntax? Thx.

Quote:
Removed pf(4) scrub rules, and only do one kind of packet reassembly. Regular rules can now have per-rule scrub options. Also new "match" keyword and a small speedup.
P.S. Hopefully I'm not the only one out there that is VERY happy that PF is finally enabled by default?
__________________
The more you learn, the more you realize how little you know ....

Last edited by There0; 18th November 2009 at 07:17 AM.
#2
Old 18th November 2009
There0
./dev/null
 
Join Date: Jul 2008
Posts: 170

In case anyone was wondering, the scrub rule that I was using, which worked in 4.5 and not in 4.6, is below.

Quote:
########## Scrub options
# scrub in on { $EXT } fragment reassemble
__________________
The more you learn, the more you realize how little you know ....
#3
Old 18th November 2009
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975

Code:
match in on $internal_nic scrub (no-df random-id)
match in on $external_nic scrub (reassemble tcp)
#4
Old 19th November 2009
s2scott
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198

Quote:
Originally Posted by jggimi
Code:
match in on $internal_nic scrub (no-df random-id)
match in on $external_nic scrub (reassemble tcp)
jggimi,

The context being a firewall with an inside and an outside interface, with regard to matching and fixing up the packets on an inbound flow vs. an outbound flow, is fixing up the RANDOM-ID on INBOUND on the INSIDE interface, as your match rules exemplify, preferred to fixing it up on the OUTBOUND transit on the OUTSIDE interface? Or does it matter?

Thanks,
/Scott
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
#5
Old 19th November 2009
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975

It may or may not matter. This example was from my home network. The reason I chose inside for randomization was that there is WiFi here, protected without WEP/WAP, but protected with IPSec or SSH. Sometimes, a Senior Executive (a.k.a. my wife) wants to get on without fiddling with her IPSec client, or doesn't realize it is disengaged or inoperative. She is allowed to connect unencrypted, and the only financial data she touches uses SSL.

Hence, my attempt to eliminate a common area of weakness, under the assumption that her management fiat is more powerful than both technical correctness and sanity.
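An added example, not a config posted by anyone in this thread: a complete OpenBSD 4.6 pf.conf that carries There0's 4.5 "scrub in on $EXT fragment reassemble" rule and jggimi's match rules over to the 4.6 syntax, and that spells out what the inside-inbound vs. outside-outbound placement of random-id asked about above actually changes. Interface names, the LAN prefix and the MSS value are assumptions; NAT is left out.

```pf
# Added example, not a poster's config: OpenBSD 4.6 pf.conf showing the
# 4.6 replacement for a 4.5 "scrub in on $EXT fragment reassemble" rule.
# Interface names and the LAN prefix are assumptions; NAT is omitted.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# 4.6 does only one kind of fragment reassembly, and it is a global
# setting rather than a rule. "yes" is the default; shown for clarity.
set reassemble yes

# Default deny, logged. pass rules keep state by default.
block log all

# "match" applies actions (here scrub options) to matching packets
# without deciding pass/block. The last matching pass/block rule below
# still decides the packet's fate; match rules only annotate it first.

# Outside, inbound: normalize what arrives from the Internet.
#   no-df          clear DF so the packet can be fragmented if needed
#   max-mss 1440   clamp the TCP MSS in SYNs (assumed value)
#   reassemble tcp statefully normalize TCP (TTL, timestamps) per state
match in on $ext_if scrub (no-df max-mss 1440 reassemble tcp)

# Inside, inbound: randomize the IPv4 ID field of LAN hosts' packets so
# the outside cannot use predictable IDs to count or track hosts.
# For forwarded traffic, "in on $int_if" and "out on $ext_if" see the
# same packets, so either placement works; "out on $ext_if" would also
# cover packets the firewall itself originates, "in on $int_if" does not.
match in on $int_if scrub (no-df random-id)

# Filter rules: LAN may go anywhere; only ssh is accepted from outside.
pass in  on $int_if from $lan_net to any
pass out on $ext_if from any to any
pass in  on $ext_if proto tcp from any to ($ext_if) port 22
```

Check the syntax without loading the ruleset with `pfctl -nf /etc/pf.conf`.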
#6
Old 19th November 2009
roundkat
Shell Scout
 
Join Date: May 2008
Posts: 115

Quote:
Originally Posted by jggimi
Hence, my attempt to eliminate a common area of weakness, under the assumption that her management fiat is more powerful than both technical correctness and sanity.
Sounds like my house..
__________________
All posts sent on ReCycled Electrons...
#7
Old 19th November 2009
s2scott
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198

Quote:
Originally Posted by jggimi
...under the assumption that her [wife] management fiat is more powerful than both technical correctness and sanity.
Geez, all my dog [Labrador] wants is a tennis ball.

But I suppose wife (despite fiat) has its advantages too.
Thanks,

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
#8
Old 19th November 2009
There0
./dev/null
 
Join Date: Jul 2008
Posts: 170

Should I be glad I am not married?

Thx for the examples Jggimi. I am wondering where you get all this updated info from? Must be many sources? I scour quite frequently and own many ebooks but have not seen this for PF yet.

Are there any resources I may be missing for data like this? I am assuming the mailing lists have the most up-to-date and correct information?

Thx again for sharing, I know how much time and effort it takes to get through processes like this, and then find the patience and energy to share.
__________________
The more you learn, the more you realize how little you know ....
#9
Old 19th November 2009
BSDfan666
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

I presume that jggimi reads the source-changes mailing list, either daily or weekly/monthly bulk digests.

http://www.openbsd.org/mail.html
http://marc.info/?l=openbsd-cvs

Another possibility is that he follows the 'current' FAQ, which is something people should look at occasionally. Always good to prepare for the future.

http://www.openbsd.org/faq/current.html

As you can see, 4.7 will introduce changes to pf that break traditional 'rdr' and 'nat' pseudo-translation-actions entirely.

Man pages are also a good idea, the new match action is documented in pf.conf(5).

Beware of outdated books; the developers never promised backwards compatibility. Use the PF FAQ instead.
Old 19th November 2009
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975

I follow misc@, ports@, tech@, the OpenBSD Journal, and the Following -current FAQ.

(tech@ is interesting to read, but I have rarely posted there. As Michael Lucas wrote in Absolute OpenBSD, if your post doesn't include a patch, tech@ is the wrong list for it.)

I also read cvs logs. I get the daily source and ports change CVS summaries, but rarely read them, and should probably cancel my subscriptions.

I also read slashdot, and then poke around in the source code or CVS logs if something interesting appears there about a subsystem. Case in point: on the day this week that slashdotters went nuts over SSL's latest MITM exploit, and all of the concerns about which distribution of Linux had which patch available when, and which distributions might not have one for a while .... I checked the logs and noted the fix was already in -current, and the log mentioned a workup in progress for -stable.
Old 22nd November 2009
There0
./dev/null
 
Join Date: Jul 2008
Posts: 170

Thank you both for your replies; there were 2 there that I did not have on my list.
__________________
The more you learn, the more you realize how little you know ....