DaemonForums  

OpenBSD Security: Functionally paranoid!

#1 psypro, 4 Weeks Ago
OpenBSD NAT router + pf + suricata

I will update this post as I progress toward a working setup, so I myself can use it next time I reinstall, or so might somebody else googling.
I am no expert. Hope somebody will find a thing or two to improve, and comment on it.

I have an OpenBSD firewall with PF. It gets fiber broadband in on em3.
I have a network for internal usage on em2 (don't want tor / p2p).
I have a network for guests on re0 (don't want tor / p2p).



Thanks to:

https://www.solrac.nl/openbsd-firewall-pf/


Part 1: Enable NAT

/etc/sysctl.conf

Code:
net.inet.ip.forwarding=1
Use this command to check it is enabled (I spent hours trying different pf.conf files when this was the problem):

Code:
sysctl | grep forward
Should read:

Code:
net.inet.ip.forwarding=1


Part 2: PF

/etc/pf.conf

Code:
# Macros
ext_if="em3"
int_if="em2"
int_if2="re0"
icmp_types="echoreq"


# Bruters: sources that exceed the ssh rate limit below

table <bruters> persist file "/etc/bruters"

block quick from <bruters>

# Badhosts: list downloaded from blocklist.de (see Part 3)
table <badhosts> persist file "/etc/badhosts"

block in quick on egress from <badhosts>


# Badstuff: destinations we never want to talk to
table <badstuff> persist file "/etc/badstuff"

block drop out log (all) quick on $ext_if from any to <badstuff>

# Max new ssh connections: 4 per 7200s, per source IP
pass quick proto tcp from any to any port 22 \
        flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 4/7200, \
        overload <bruters> flush global)

# Skip all loopback traffic
set skip on lo

# Perform NAT on external interface
match out on $ext_if from $int_if:network to any nat-to $ext_if
match out on $ext_if from $int_if2:network to any nat-to $ext_if

# Define default behavior
block in
pass out keep state

# Allow inbound traffic on internal interfaces
pass quick on $int_if
pass quick on $int_if2


# Protect against spoofing
antispoof quick for { lo $int_if $int_if2 }

# Allow other traffic
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state

# Let suricata listen
pass out quick on egress inet proto tcp to port 80 divert-packet port 700

Part 3

Script to download IPs of bad actors from blocklist.de and send these to badhosts.

Code:
#!/bin/ksh
# Fetch the blocklist.de list into /etc/badhosts and reload pf.

# Download to a known temporary path first; abort on failure so a
# failed fetch does not blank the existing table.
ftp -o /tmp/all.txt https://lists.blocklist.de/lists/all.txt || exit 1

cp /tmp/all.txt /etc/badhosts

# Reload the ruleset; "persist file" tables are reread from disk.
pfctl -f /etc/pf.conf

exit 0


Part 4: Suricata

Code:
pkg_add suricata
Code:
suricata-update
Code:
rcctl set suricata flags -i em3



Last edited by psypro; 3 Weeks Ago at 07:15 PM.
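As an added example (not part of psypro's post), a safer version of the Part 3 update: it validates the downloaded list before replacing the <badhosts> table, because pfctl will not load a file containing lines it cannot parse as addresses, and a failed download would otherwise empty the table. It assumes OpenBSD's ftp(1) and pfctl(8); the temporary file paths are hypothetical.

```shell
#!/bin/sh
# Added example, not psypro's script: validate the blocklist.de download
# before it reaches pf. Only syntactically valid IPv4 addresses or CIDR
# prefixes are kept, and an empty result never overwrites the table.
# Assumes OpenBSD ftp(1) and pfctl(8); the temp paths are hypothetical.

LIST_URL="https://lists.blocklist.de/lists/all.txt"   # same list as in Part 3
TABLE="badhosts"
DEST="/etc/badhosts"

# filter_blocklist: read candidate lines on stdin, print only a.b.c.d or
# a.b.c.d/n (0 <= octet <= 255, 0 <= n <= 32). Comments, CRLF line
# endings, blank lines and anything else (hostnames, HTML) are dropped.
filter_blocklist() {
    tr -d '\r' |
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk -F'/' '
        NF > 2 { next }                                   # e.g. "1.2.3.4/8/9"
        NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32) { next }
        {
            if (split($1, o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            print
        }'
}

# update_badhosts: fetch, validate, move the file into place and replace
# the table contents without reloading the whole ruleset.
update_badhosts() {
    raw=$(mktemp /tmp/badhosts.raw.XXXXXX) || return 1
    clean=$(mktemp /tmp/badhosts.clean.XXXXXX) || return 1
    if ! ftp -o "$raw" "$LIST_URL"; then
        echo "download failed, keeping previous list" >&2
        rm -f "$raw" "$clean"; return 1
    fi
    filter_blocklist < "$raw" > "$clean"
    rm -f "$raw"
    if [ ! -s "$clean" ]; then
        echo "no valid addresses in download, keeping previous list" >&2
        rm -f "$clean"; return 1
    fi
    mv "$clean" "$DEST" && pfctl -t "$TABLE" -T replace -f "$DEST"
}

# Run update_badhosts from root's crontab, e.g. once a day.
```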

#2 psypro, 3 Weeks Ago

With this command suricata will start on the command line.

Code:
suricata -c suricata.yaml -s signatures.rules -i re0
Code:
 
3/11/2020 -- 19:28:15 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - could not open: "/etc/suricata/classification.config": No such file or directory
3/11/2020 -- 19:28:15 - <Error> - [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "classification-file" option in your suricata.yaml file
3/11/2020 -- 19:28:15 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata/reference.config": No such file or directory
3/11/2020 -- 19:28:15 - <Error> - [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "reference-config-file" option in your suricata.yaml file
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/app-layer-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/decoder-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/dns-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/files.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/http-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/smtp-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/stream-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/tls-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern signatures.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 9 rule files specified, but no rule was loaded at all!
3/11/2020 -- 19:28:15 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
But rcctl suricata fails.

Code:
rcctl start suricata              
suricata(failed)
Code:
 rcctl -d start suricata           
doing _rc_parse_conf
doing _rc_quirks
suricata_flags >-i em3rcctl set suricata flags -i em3<
doing rc_check
suricata
doing rc_start
doing _rc_wait start
doing rc_check
3/11/2020 -- 19:40:16 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
3/11/2020 -- 19:40:16 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'em3rcctl': Device not configured (6)
3/11/2020 -- 19:40:16 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'em3rcctl': Device not configured (6)
3/11/2020 -- 19:40:16 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!
doing _rc_rm_runfile
(failed)

Last edited by psypro; 3 Weeks Ago at 06:41 PM.

#3 psypro, 3 Weeks Ago

rm the suricata pid file. Then it starts with rcctl.

suricata is starting to fill in information in /var/log/suricata/fast.log

#4 jb_daefo, 3 Weeks Ago

Can you detail the types of NIC on that machine that are involved in this router setup?

#5 psypro, 3 Weeks Ago

Code:
ifconfig
(removed public IP)

Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
	index 7 priority 0 llprio 3
	groups: lo
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
	inet 127.0.0.1 netmask 0xff000000
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:1b:21:18:10:18
	index 1 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:1b:21:18:10:19
	index 2 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:1b:21:18:10:20
	index 3 priority 0 llprio 3
	media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
	status: active
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em3: flags=808843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
	lladdr XXXXXXXXXXX
	index 4 priority 0 llprio 3
	groups: egress
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr c0:3f:d5:ee:9d:0b
	index 5 priority 0 llprio 3
	media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
	status: active
	inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
enc0: flags=0<>
	index 6 priority 0 llprio 3
	groups: enc
	status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
	index 8 priority 0 llprio 3
	groups: pflog

#6 psypro, 3 Weeks Ago

I added:

Code:
stream:
  checksum-validation: auto

Auto will turn off checksum-validation if it keeps giving errors, from what I understand.
Why is it recommended to turn it ON? And then drop the packets.
If one is to use checksum-validation it can't be offloaded to hardware, and in OpenBSD this is standard for hardware with the Intel em driver and the re driver to do.



Code:
Outbound packets don't have a correct checksum yet due to checksum offloading,
therefore suricata will log "SURICATA TCPv4 invalid checksum" and ignore these
packets. To workaround this set the following in suricata.yaml:

	stream:
	  checksum-validation: yes

Also adjust the configuration to drop packets:

	- drop:
	  enabled: yes

#7 psypro, 3 Weeks Ago

Part of suricata.yaml.

Add your own IP.

Code:
## Step 1: inform Suricata about your network
##

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.1.0/24,192.168.0.0/24]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544

#8 SimpL, 3 Weeks Ago

Hi psypro,

Did you write the suricata settings into /etc/rc.d/suricata? If you did not, then the rcctl daemon won't start, and it does not know where your config files are.
Hope this helps.

BR
SimpL

Last edited by SimpL; 3 Weeks Ago at 09:03 AM.

#9 psypro, 3 Weeks Ago

Code:
# cat /etc/rc.conf.local
dhcpd_flags=
pkg_scripts=suricata
suricata_flags=-d 700
unbound_flags=
Code:
# rcctl check suricata
suricata(ok)

SimpL, 3 Weeks Ago

Wrong file there, Psypro.
I meant this:
/etc/rc.d/suricata

Code:
#!/bin/ksh
#
# $OpenBSD: suricata.rc,v 1.2 2018/02/15 16:19:41 ajacoutot Exp $

daemon="/usr/local/bin/suricata -D -c /etc/suricata/suricata.yaml -s /var/suricata/rules/suricata.rules -i XXXXXXX(the network card u want suricata to run on)"

. /etc/rc.d/rc.subr

rc_cmd $1

This file is responsible for the suricata daemon.
If you don't set this then the daemon won't work properly.