Below are my current pf.conf and dhcpd.conf files that I'm using for my OpenBSD 4.9 router. Is there anything I can or should add or remove to make it more secure?
#######################################
# dhcpd.conf
authoritative;
option domain-name-servers 24.222.0.96;
subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        range 192.168.0.100 192.168.0.150;
}
#######################################

#######################################
# pf.conf
# macros
int_if="xl0"
whs="192.168.0.50"            # web server (port 443 forwarded here)
comp1="192.168.0.20"          # VNC on 5900
comp2="192.168.0.21"          # VNC on 5901

# options
set block-policy drop
set loginterface xl1
set skip on lo

# match rules
match in all scrub (no-df)
match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $comp1 synproxy state
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $comp2 synproxy state
pass in on $int_if
#######################################

Not having my internet connection dropped many, many, many times throughout the day since switching to my BSD router is pretty sweet and makes for a lot less cursing during the day while I'm working on remote systems. The almost 5Mbps speed increase is nice too!
Enjoy!
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Well, for starters, change "pass in on $int_if" to "pass in log on $int_if" and run tcpdump -e -ttt -r /var/log/pflog on the firewall.
Then you can use your computers normally and watch tcpdump to see what ports and hosts are hit commonly. More than likely, you'll need outbound dns, http, https, ftp, ssh, ntp (if you use it), whatever games you need, netflix, etc... Set up "pass in on $int_if from any to any port { $port_list }", and nothing on your network will be allowed out unless it's in $port_list. Gotchas: http that uses non-standard ports (same for https); alternatively you could set up something like squid and only allow squid outbound access (overkill, probably), then point your machines to squid or set up pf to redirect to squid (if it's running locally). There's a lot you can do to increase security...the question is how much do you want to maintain?
Unlike other posters here, I wouldn't recommend worrying about filtering outbound this early.
The intent of outbound filtering is to prevent systems on your network from accessing the Internet; it really doesn't prevent anyone from tunnelling over common service ports, like port 80/443 for legitimate HTTP/HTTPS or even 53 for DNS. It's easier to control inbound than outbound, and for the most part, enforcing outbound is an issue of policy. Given that this is your home network you should have no problem informing guests of your rules, if any.
I happen to think that if there is one thing to filter outbound, it is SMTP. You can prevent infected Windows platforms from being effective spambots.
As you learn more about your networking requirements, you may find a desire to conduct traffic shaping. You'll find it discussed in the PF Users Guide chapter on queuing.
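Combining the port-list approach from the earlier reply with the SMTP-only filter suggested here, as an added example rather than any poster's own config; the interface name, LAN range, relay address and port list are assumptions.

```pf
# Added example, not the original poster's or any reply's own config.
# These lines replace the single "pass in on $int_if" of the posted
# ruleset with a LAN-side outbound policy: a port list (first reply)
# plus a hard block on SMTP except to the ISP relay (this reply).
# Interface, LAN range, relay address and the port list are assumptions.
int_if="xl0"
lan_net="192.168.0.0/24"
mail_relay="24.222.0.97"                # assumed ISP SMTP relay

# Services the LAN may reach directly; names come from /etc/services.
tcp_out="{ domain, http, https, ssh }"
udp_out="{ domain, ntp }"

# Default deny on the LAN side, logged so pflog shows what is missing.
block in log on $int_if

# Let the LAN talk to the router itself: DHCP (clients send from 0.0.0.0)
# and ping.
pass in on $int_if inet proto udp from any port bootpc to any port bootps
pass in on $int_if inet proto icmp from $lan_net to ($int_if) icmp-type echoreq

# SMTP: only the relay is reachable on port 25; anything else to port 25
# is dropped and logged, which is the spambot symptom to watch for.
pass in quick on $int_if inet proto tcp from $lan_net to $mail_relay port smtp
block in log quick on $int_if inet proto tcp from $lan_net to any port smtp

# Port-list rules: nothing else leaves the LAN unless listed above.
# Web servers on non-standard ports stay blocked until added to the list.
pass in on $int_if inet proto tcp from $lan_net to any port $tcp_out
pass in on $int_if inet proto udp from $lan_net to any port $udp_out
```

Check the merged file with pfctl -nf /etc/pf.conf before loading it, and watch tcpdump on pflog for the logged SMTP blocks.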
What's going on with the http://www.openbsd.org site? It's been down for several hours now. It's my main OpenBSD learning source.
It happens occasionally, just use a mirror.
www.openbsd.org is hosted by the University of Alberta. openbsd.org is hosted in Theo's basement. There is a list of mirrors by country at the bottom of the main page; find one that's closest to you.
I have been hearing of all these hacks in the past week, just can't believe it's that easy. Can these things be prevented with OpenBSD, it's supposed to be the most secure OS. Why are more people using it? Thanks
You get what you pay for. That goes for knowledge, too. If you invest the time to learn a system, you'll be rewarded with the satisfaction of understanding it AND the satisfaction of avoiding all of the common pitfalls of that system (which, for closed source, is mostly impossible). If you take the easy way out (and in terms of knowledge, MANY people do), be prepared to pay for that decision in other ways. It's that simple.
You asked a number of questions, CyberJet.
Our NetAdmin is a Cisco guy who's been replacing our ancient network infrastructure with Cisco gear left and right. He criticizes our main firewalls (Linux machines) almost daily (with reason)...and I can't help but find irony in the fact that we're blowing hundreds of thousands of dollars per year because our NetAdmin can be replaced and (by company admission) I cannot. It's stupid, but that's life in the corporate world.
So I take it that PF cannot inspect the packet and block escape characters contained within the SQL request? So therefore the SQL server has to be totally updated. Would that suffice? Regards,
Hmmm, I think it might be a heat issue because it just locked up again a few minutes after resetting it. When it was working well it was sitting on a desk with both side covers off and front drive bay panels removed. Now it's sitting up high on a shelf in the corner with the panels and bay covers all in place.
Security is not a product. It is a process, and any chink in the armor can become a problem. You cannot have an assurance of security with any single tool alone. Did you attempt to use ddb as advised?
No. My suspicions tell me it's a heat problem so I will test to see if that was the problem first before delving into something I don't understand. It is quite hot where it is sitting.
I removed the case side panels, front drive bay panels, changed to a bigger heatsink and fan, changed the video card from an NVidia 32MB 4X AGP to a 1MB PCI S3, removed the floppy drive and CD-ROM drive and disabled all the hardware in the BIOS that isn't being used, which is what I should have done from the get go. So now it's sitting up on its shelf again, wide open for air flow now with the very minimum of hardware and services running to serve its function.

Watching this thread and reading others has made me revise my Linux/UNIX experience from a 5/10 to 3/10, maybe even 2. I have soooo much to learn, but I do enjoy playing with this stuff. The first time I tried out any *NIX OS was back in '95 when I just started getting into computers again. I didn't know the difference between a desktop and server OS so I was trying to use Redhat like I was Windows 3.1, which wasn't working out too well since I couldn't get a GUI loaded, so I gave up on *NIX because my brain was infected with Windows. Damn shame that is because I didn't look at Linux/UNIX again until 2003. Eight years of learning time gone.

My first computer was a VIC20 back in the early 80's as a kid. I actually still have it and hook it up every now and then to play games on it. I had to rewire it for RCA audio and video though. I even bought a floppy drive for it a couple of years ago to transfer my games from cassette tapes to floppies because I was too impatient waiting for anything to load from tapes, as you can imagine. After high school I went into construction so the last computer I touched was in '89, a dual floppy Apple II, before I got a PC in '94. A car accident left me paralyzed from the chest down in '93 so that's what led me back into the computer world. When I got my computer in '94 a friend set me up and when he turned it on I was completely blown away.
I had never heard tell of Windows and didn't know what a hard drive was so I couldn't figure out what was happening and how all this stuff was getting on my screen because there was no boot disk in the floppy drive. I've come a long way since that day, and still have a ways to go. I'm completely self taught. I have shelves of DOS and Windows books but now Linux and UNIX books are slowly taking over.