DaemonForums > OpenBSD > OpenBSD Security

Controlling Streaming Using PF

#1  23rd August 2016
Amithapr (Fdisk Soldier; Join Date: Dec 2015; Posts: 69)

Hi,

Can I control streaming of videos in my LAN using PF? I have an OpenBSD 5.3 firewall.

Thanks

#2  23rd August 2016
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

  • What do you mean by "control"?
PF can block, pass, or shape traffic. If you intend to do any traffic shaping, your unsupported release of OpenBSD used a very different traffic queuing mechanism than is used in more recent releases.

On September 1, OpenBSD 6.0 will be released, and only releases 6.0 and 5.9 will be supported.
  • What do you mean by "streaming"?
PF manages network traffic by protocol, or, if using the TCP or UDP protocols, by their origination and destination port numbers.

You must be able to identify the particular traffic in order to manage it.

#3  23rd August 2016
Amithapr (Fdisk Soldier; Join Date: Dec 2015; Posts: 69)

Hi Jggimi,

Many thanks for your reply. I meant traffic shaping by the word "controlling" and meant watching videos online, like YouTube, by the word "streaming".

If there is a way to shape video streaming traffic with my OpenBSD 5.3 firewall, please guide me.

Thanks

#4  23rd August 2016
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

You have two problems you must overcome. If you cannot overcome problem 1, there is no need to worry about problem 2.
  1. Instruct PF to recognize "watching video"

    Before you can shape traffic, you must be able to have PF recognize that traffic and distinguish it from any other traffic in your network.

    PF manages traffic by information available to the kernel about that traffic, found primarily in Layer 3 of the TCP/IP model: IP addresses, IP protocols, and TCP/UDP ports. However, none of this information directly relates to "watching video."

    There are many forms of "video streaming." Some are easy to distinguish from other traffic, such as IPTV multicast streaming to set top boxes. Other types of video traffic, such as HTML5 to a browser, cannot be distinguished from any other web traffic from Layer 3 information. It's TCP traffic from a server's source port 80 or 443.
  2. Unsupported software

    The subsystem for queuing in OpenBSD 5.3 was called altq -- a new queuing system was implemented at OpenBSD 5.5, and altq was removed completely with OpenBSD 5.6. Your 5.3 pf.conf(5) man page discusses the altq queuing subsystem. But the FAQ and the PF User's Guide have moved on, and no longer do so.

    You can use cvs(1) to obtain a version of the FAQ and the PF User's Guide that matches your release, but it would likely be easier to move forward from your old, out-of-date OS than it would be for you to try to do that.
If it helps, your "secure firewall" is missing 55 published security and reliability patches since support was dropped. Please, consider upgrading, or reinstalling.
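As an added illustration of the point above (this is not from the thread or from the OpenBSD project): a pf.conf fragment in the post-5.5 queueing syntax, with assumed interface names em0/em1 and made-up bandwidth figures. It shapes every web reply headed for the LAN, because nothing PF can see at Layer 3/4 separates a video stream from any other HTTPS page; on a 5.3 system this syntax will not load at all, since 5.3 still uses altq.

```conf
# Added example, not from the thread. Post-5.5 PF queue syntax; interface
# names and bandwidth figures are assumptions for illustration only.
ext_if = "em0"      # assumed WAN-facing interface
int_if = "em1"      # assumed LAN-facing interface

# Queues live on the interface packets leave through. Video arrives from the
# Internet, so the shaping point is the LAN-side interface (download direction).
queue rootq on $int_if bandwidth 20M
queue web   parent rootq bandwidth 5M, max 8M   # all HTTP/HTTPS replies, video included
queue bulk  parent rootq bandwidth 15M default  # everything else

# PF only sees addresses, protocol and ports: every reply from a server
# port 80/443 lands in "web", whether it is a video stream or a plain web page.
match in on $ext_if proto tcp from any port { 80 443 } to $int_if:network set queue web
```

Run `pfctl -nf /etc/pf.conf` first to parse the ruleset without loading it; on a release that still ships altq the `queue ... parent` lines are rejected at that step.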

#5  24th August 2016
Amithapr (Fdisk Soldier; Join Date: Dec 2015; Posts: 69)

Thanks a lot Jggimi for your information. The main barrier that stops me from upgrading the firewall is the IPSEC VPN connection between my office and the remote office.

I came to know that the two locations should have the same firewall to keep the IPSEC VPN tunnel functioning properly. I have the following questions to verify, in case I reinstall my firewall with the latest OpenBSD version:

1) Will the re-installation stop my IPSEC VPN connection, since the remote office OpenBSD firewall has a different OS version (beyond my control)?

2) What are the files that I should copy from my old firewall to the new firewall (pf.conf, sysctl.conf, the entire ISAKMPD folder, etc.)?

3) Do I have to run any commands to activate the IPSEC VPN in the new firewall after I copy the content from the current live firewall?

Thanks

#6  24th August 2016
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

Your new questions deserve their own thread. One of the forum admins may split it into a new thread for you.

IPSec compatibility:

To my recollection, the only upgrade that affected IPSec compatibility between OpenBSD releases was from 4.6 to 4.7, as noted in the Upgrade Guide for 4.6 -> 4.7 here: http://www.openbsd.org/faq/upgrade47.html#hmac-sha2. Your release is beyond this issue.

I have reviewed the Upgrade Guides from 5.3 forwards, and do not see IPSec mentioned. But there was an announced change to IPSec at 5.8. From the release announcement at http://www.openbsd.org/58.html:
Quote:
The default Diffie-Hellman group for VPNs configured by ipsec.conf(5) has been changed to modp3072.
Whether this change would have any impact on you will depend on your (and your company's) specific implementation.

In addition, at 5.9, an additional cipher was added as a security improvement, per the release announcement http://www.openbsd.org/59.html:
Quote:
Chacha20-Poly1305 authenticated encryption mode has been implemented in the IPsec stack for the ESP protocol.
Because your IPSec connection is with a third party OS, the only way to confirm whether or not the changes in OpenBSD affect integration will be to test it.

I recommend you install a test OpenBSD 6.0 release system on a spare disk drive (such as a USB memory stick), and test your current IPSec configuration with the new release.

How to upgrade:

The OpenBSD project supports only one form of upgrade: between adjacent releases. You can follow each Upgrade Guide and upgrade from 5.3 to 5.4, then from 5.4 to 5.5, and so on. Each Upgrade Guide describes the exact steps to take, and any manual changes you will need to make. This includes syntax changes needed in any configuration files, such as pf.conf, though the changes to PF syntax since 5.3 affect queuing and debugging, and may not affect your configuration at all.

Because of the large number of releases you have missed, you may find reinstallation would be easier.

Last edited by jggimi; 24th August 2016 at 12:46 PM. Reason: typos

#7  24th August 2016
Amithapr (Fdisk Soldier; Join Date: Dec 2015; Posts: 69)

Hi Jggimi,

Many thanks for your time, guidance and information. As you said, I will install a fresh OpenBSD 6.0 version as a backup and I will test my IPSEC VPN tunnel and the PF. Will get back to you after the testing.

Thanking you again for your time and information

#8  24th August 2016
ocicat (Administrator; Join Date: Apr 2008; Posts: 3,318)

Quote:
Originally Posted by Amithapr
1) Will the re-installation stop my IPSEC VPN connection, since the remote office OpenBSD firewall has a different OS version (beyond my control)?

2) What are the files that I should copy from my old firewall to the new firewall (pf.conf, sysctl.conf, the entire ISAKMPD folder, etc.)?

3) Do I have to run any commands to activate the IPSEC VPN in the new firewall after I copy the content from the current live firewall?
Amithapr, if you want to discuss these questions, please start new threads for each question.

We attempt to limit threads to a single topic on this site because:
  • Readers will be at all levels of comprehension. To aid understanding, staying on a single topic helps everyone.
  • English is not the first language of all readers, so keeping discussion linear helps everyone.
We support discussion, but with a little bit of organization and discipline, more people will learn from the discussion, and be less frustrated in the process.

The coolest members on this site start new threads...


#9  25th August 2016
Amithapr (Fdisk Soldier; Join Date: Dec 2015; Posts: 69)

Dear Ocicat,

I admit that I did a wrong thing. From here on I will not do such things. Sorry for what happened due to my lack of knowledge and acting without thinking about the forum policies.
