OpenBSD Security: Functionally paranoid!

pf public wifi configuration for a laptop
I have OpenBSD on my laptop and have been using it for years.

It cuts my download speeds by more than half with PF active, but that's okay. Right now I have a simple configuration for using public wifi that is very incompatible with my needs. I can't seem to connect to BitTorrent, though; I guess that even though I opened the port that I USE for BitTorrent, that doesn't matter with so many people making me use other random ports. What can I do? It's not as if I can just open every possible port; that'd be hundreds if not more. My pf.conf:

/etc/pf.conf
Code:
# note: "sftp" resolves through /etc/services to 115/tcp (Simple File Transfer), not to ssh
Services = "{https,http,ntp,22222,ftp,ftp-data,sftp,18500}"

## Interfaces ##
Ext_If = "re0"
Ext_Wlan0 = "athn0"

## Hosts ##

## Options (grouped before the rules, as pf.conf(5) recommends) ##
set skip on lo0           # skip rules on loopback device
set block-policy return   # blocked TCP gets a RST, blocked UDP an ICMP unreachable

#block return             # block stateless traffic
#pass                     # establish keep-state
block                     # block all traffic

# pass outgoing traffic; with "quick" no further rules are evaluated for a matching packet
pass out quick from self
pass in proto {tcp, udp} to self port $Services
pass in proto icmp

## port build user does not need network
block return out log proto {tcp udp} user _pbuild

## rules for xodo ##
##block out quick proto { tcp, udp } from self user firefox
##block out quick proto { tcp, udp } from self user chromeuser

# drop TCP packets with illegal flag combinations (last match wins, "quick" stops evaluation)
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF

To be honest, the pf manual and documentation confuse me, so maybe there's some functionality I'm missing here. I am not a Unix expert; I just use OpenBSD because it's easy and it works, and Linux/Windows refuse to work on my machine.
What client are you using? It's been a while since I've used BitTorrent, but I thought it only needed one inbound port.
A pf.conf rule set is an implementation of a security policy. I have difficulties reverse engineering your security policy from your rule set.

So the question is: what is your security policy? In other words, what do you allow the laptop user to do or access on the internet (web browsing, IRC chat, ssh out, etc.)? Do you want to allow parties on the internet to have access to your laptop (web serving, ftp serving, ssh remote access, etc.)?

All packets from your laptop are allowed to go out:

Code:
pass out quick from self

Info about these outgoing connections is entered in a "state" table. All incoming packets are checked against this state table to see whether they match a previous outgoing request. When they match, they are allowed in without checking the rule set.

The incoming packets of the current rule set are limited to a list of services: https,http,ntp,22222,ftp,ftp-data,sftp,18500

If you mean to limit the outgoing stuff to these services, you had better do:

Code:
pass out quick on egress inet proto tcp from any to any port $Services

Then with a default blocking policy you are done. Actually nearly done, because you also need their UDP equivalents (UDP for NTP, and both TCP and UDP for DNS).

I have a 100 Mbit fiber optic connection, so I know nothing about BitTorrent.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Hi. Just my 2 cents.

BitTorrent uses random ports if they are not specified. If you specify a port, it will use that port for incoming traffic, but the traffic from you will basically be from random ports, though that depends on the torrent. I used uTorrent for a while (that was 10 years ago) and it had a wide range of settings. If you have slow speed on torrents, then your settings are a bit off and you need to set them to the correct values. There was an old article about it on uTorrent waaaaay back when it was not full of ads and mining stuff (the basic stuff: http://www.torrenttrackerlist.com/be...rent-settings/), but please don't use uTorrent. If you are behind a router you need to set up the router, or you will not be able to be "active"; you would only be able to achieve a "passive" connection. 10 years ago I had a few headaches with this.
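The policy the replies above describe, written out as a complete laptop ruleset: default block, outbound limited to a short service list with the UDP equivalents (DNS, NTP) the second reply asks for, replies admitted by state, and, for BitTorrent, the client's user allowed out to any remote port (peers listen wherever they like) while only its single listening port is opened inbound, as the first and third replies say. This is an added example, not any poster's /etc/pf.conf. Everything marked "assumed" is not from the thread: the user `_transmission` stands in for whatever user your torrent client runs as, 18500 is picked from the original service list as the listening port, and the scrub and MSS values are a common choice, not a requirement.

```pf
# Added example (not the original poster's file): laptop ruleset for the
# policy discussed in the thread. Items marked "assumed" are not from the
# thread; change them to match the machine and the torrent client.

tcp_services = "{ http https ftp ftp-data domain ssh 22222 }"
udp_services = "{ domain ntp }"
bt_port      = "18500"          # assumed: the one port the torrent client listens on
bt_user      = "_transmission"  # assumed: the user the torrent client runs as

# Options are grouped before the rules, as pf.conf(5) recommends.
set skip on lo0
set block-policy return         # answer with RST/unreachable instead of a silent drop
set loginterface egress         # 'egress' is the interface group holding the default route

# Normalise incoming packets (values assumed), then default-deny. 'log'
# makes every blocked packet visible on pflog0, which is where to look
# when something does not connect.
match in all scrub (no-df random-id max-mss 1440)
block log all

# The package build user never needs the network. This sits before the
# pass rules and is 'quick' so that no later 'pass out' can admit it.
block return out log quick proto { tcp udp } user _pbuild

# Outbound is limited to the service list over TCP plus DNS and NTP over
# UDP. Each connection creates state, so replies need no 'pass in' rule.
pass out quick on egress inet proto tcp to any port $tcp_services
pass out quick on egress inet proto udp to any port $udp_services

# BitTorrent: remote peers listen on arbitrary ports, so the client's user
# may connect out to any port (state still admits the replies), while only
# its single listening port is opened inbound. Nothing else is opened.
pass out quick on egress inet proto { tcp udp } to any user $bt_user
pass in  quick on egress inet proto { tcp udp } to (egress) port $bt_port

# Ping replies; ICMP errors belonging to an existing state are already
# passed by pf, so no further inbound ICMP rule is needed.
pass in quick on egress inet proto icmp icmp-type echoreq
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. `pfctl -ss` then lists the states the outgoing torrent connections create, and `tcpdump -n -e -ttt -i pflog0` shows what the block rule is dropping, which is the quickest way to spot a service missing from the list. As written the ruleset blocks all IPv6 because every rule is `inet`; on a network that hands out IPv6 addresses, add matching `inet6` rules or drop the `inet` keyword.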