OpenBSD Security - Functionally paranoid!
If memory serves correctly, there's a fairly good tutorial/how-to using authpf and a redirect to a virtual webserver to show an unauthorized host they're blocked .... in Dru Lavigne's "BSD Hacks" book. Memory may not serve correctly; but as I'm currently using it or something similar, I'll post what I have here.

The client ssh configurations (PuTTY or OpenSSH) use dynamic tunneling with an sshd-provided SOCKS proxy, so once configured, they browse the web through the proxy for encrypted communication. For OpenSSH, it's a "DynamicForward <port#>" -- PuTTY has a dynamic tunnel configuration in its GUI. The browsers just use a SOCKS proxy at 127.0.0.1:<port#>.

Excerpt from pf.conf:
Code:
table <authpf_users> persist counters
. . .
nat-anchor "authpf/*"
. . .
#
# redirect unauthorized IP users to a local web page
#
no rdr proto tcp from { <authpf_users> <other_approved_users> } to any port www
rdr pass log proto tcp from $internal_net to any port www \
    -> 127.0.0.1 port 8080
. . .
rdr-anchor "authpf/*"
. . .
binat-anchor "authpf/*"
. . .
# Allow ssh on internal net just to the firewall, for authpf:
#
pass in log on $internal_nic proto tcp to $internal_nic port ssh
. . .
anchor "authpf/*"

Here's an excerpt from /var/www/conf/httpd.conf:
Code:
Listen 127.0.0.1:8080
. . .
<VirtualHost 127.0.0.1:8080>
    ServerAdmin none
    DocumentRoot /var/www/auth
    ErrorDocument 404 /index.html
</VirtualHost>

Last edited by jggimi; 16th April 2009 at 11:50 AM.
I presume you meant OpenSSH in that last postscript. I don't make extensive use of wireless technology, but tunnelling over SSH is remarkably easy and should work from anywhere that allows you to connect directly with your remote server.

One thing that most people fail to realize is OpenSSH supports several different methods of tunnelling connections.

Here are some juicy examples; hopefully I can explain them without implying an existing knowledge of tunnelling.

1) Setting up a SOCKS 4 or 5 proxy for Firefox or Pidgin.. many programs can use a SOCKS proxy.

$ ssh -N -f -D 8686 oko@home.workstation

2) Implicit port tunnelling is also pretty easy, but it is a bit more involved.. knowing the domain name of the remote server and the service port they use is important. In this example, I'll create 2 tunnels for Yahoo Messenger service.. one for the pager service, the other for file transfers.

$ ssh -N -f -L 5051:scs.msg.yahoo.com:5050 -L 81:filetransfer.msg.yahoo.com:80 oko@home.workstation

The -N -f options have been discussed, but -L is new.. this literally means listen.. and it does. The numbers shown in bold in the original (5051 and 81) are local port numbers that SSH will be listening on, whereas the text in italics (scs.msg.yahoo.com and filetransfer.msg.yahoo.com) refers to the remote hosts. In this case, you'll have to go into the Account dialogue in Pidgin and configure the Advanced protocol settings for your Yahoo account.. substitute scs.msg.yahoo.com and filetransfer.msg.yahoo.com with localhost and change their port numbers to 5051 and 81 respectively.

3) This last method is the most complicated; it involves setting up what is basically a genuine tunnel between your mobile system and the remote SSH server, and network connectivity can flow unfettered across this one tunnel. Unfortunately this is moderately more complicated.. a tunnel involves the tun(4) device, routing table changes and other potentially confusing configuration changes.

$ ssh -N -f -w 0:0 root@home.workstation

The -w argument specifies a point-to-point tunnel; the first 0 indicates that ssh should bind to tun0, whereas the second 0 indicates the remote SSH server's tunnel device. As I said, one notable problem is this functionality requires that the remote gateway be configured to act as a NAT gateway; this will require pf.conf(5) rules and some subtle changes to sshd_config(5) to allow such tunnelling, look for the PermitTunnel option.. it does not work in Match blocks, this unfortunately means that you'll need to allow root authentication if you have it disabled.

Both the server's tun device and your local one will need to be configured, presuming they're created and the connection establishes successfully.. once you've confirmed that it has, you can assign an IP address to the tunnel devices and then start figuring out routing. On home.workstation, configure tun0 with an IP address and a /30 subnet (2 hosts):

$ sudo ifconfig tun0 inet 172.16.0.1 netmask 255.255.255.252

On the mobile system, do the same.. except use 192.16.0.2:

$ sudo ifconfig tun0 inet 172.16.0.2 netmask 255.255.255.252

This should at least establish a working tunnel between the two systems, but it's hardly everything that needs to be done. I admit I haven't tested this specific method of tunnelling personally, but hopefully the fundamentals are outlined successfully. Good luck, I look forward to seeing someone correct the plethora of mistakes I made here.

EDIT: jggimi is faster than me, considerably so.
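Both posts above have the browser talk SOCKS to the listener that "DynamicForward"/"ssh -D 8686" opens on 127.0.0.1. The following is an added example, not code from either poster: it performs the SOCKS5 CONNECT exchange a browser does against that listener, with a constructed stand-in for sshd's forwarder on the other end of a socketpair so it runs offline. The proxy side in real life is sshd; the destination host and port are constructed sample values.

```python
# Added example (not from the thread): the SOCKS5 exchange a browser performs
# against the "ssh -D" proxy on 127.0.0.1. The proxy side below is a constructed
# stand-in for sshd's dynamic forwarder so the script runs offline.
import socket
import struct

SOCKS_VER = 0x05
NO_AUTH = 0x00        # ssh -D never asks for SOCKS-level authentication
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03

def build_greeting():
    """Client offers exactly one auth method: none."""
    return bytes([SOCKS_VER, 1, NO_AUTH])

def build_connect(host, port):
    """CONNECT request naming the destination by domain, so DNS resolves on the
    ssh server side rather than on the (possibly untrusted) local network."""
    name = host.encode("idna")
    header = bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)

def parse_connect(req):
    """Proxy-side decode of a CONNECT request; returns (host, port)."""
    ver, cmd, _rsv, atyp = req[:4]
    if ver != SOCKS_VER or cmd != CMD_CONNECT or atyp != ATYP_DOMAIN:
        raise ValueError("unsupported SOCKS request")
    n = req[4]
    host = req[5:5 + n].decode("idna")
    (port,) = struct.unpack("!H", req[5 + n:7 + n])
    return host, port

def parse_reply(rep):
    """Return the reply code (0 = succeeded); ssh answers with a 0.0.0.0:0 bind address."""
    ver, code, _rsv, atyp = rep[:4]
    if ver != SOCKS_VER or atyp != ATYP_IPV4:
        raise ValueError("bad SOCKS reply")
    return code

def run_exchange(host, port):
    """Drive client and mock proxy over a socketpair; return ((host, port) seen by
    the proxy, reply code seen by the client)."""
    client, proxy = socket.socketpair()
    client.sendall(build_greeting())
    assert proxy.recv(3) == bytes([SOCKS_VER, 1, NO_AUTH])
    proxy.sendall(bytes([SOCKS_VER, NO_AUTH]))          # method selected: no auth
    assert client.recv(2) == bytes([SOCKS_VER, NO_AUTH])
    client.sendall(build_connect(host, port))
    dest = parse_connect(proxy.recv(262))               # max SOCKS5 request size
    proxy.sendall(bytes([SOCKS_VER, 0x00, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2))
    code = parse_reply(client.recv(10))
    client.close(); proxy.close()
    return dest, code
```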
There should be several guides online about setting things up with IPsec for Windows, Linux, and various BSDs; OpenBSD also has nice manuals that would help out in doing it: ipsec(4), ipsec.conf(5), ipsecctl(8), sasyncd(8), and isakmpd(8).
(I'm a little lacking in hardware for using such solutions, or I would add a thread to the guides forum if we don't already have one)
Quote:
Network with SSH but her approach is limited. These look like good reads. I read them before but now I will try to set it up:
http://www.onlamp.com/pub/a/bsd/2004...ifi_ipsec.html
http://www.section6.net/wiki/index.p...ork_with_IPSec

Last edited by Oko; 16th April 2009 at 08:26 AM.