DaemonForums > OpenBSD > OpenBSD General

Old 20th June 2011
Dr-D (Port Guard)

First speed test on the Duron 950 was 19.8Mbps. Woohoo!

Old 20th June 2011
rocket357 (Wannabe OpenBSD porter)

I had a similar experience with an 8-port SMC Barricade router. I'd upgraded the connection with our ISP, and we didn't get any additional speed out of it. I discovered that the SMC just didn't have the horsepower to keep up, so I replaced it with a 400 MHz Ultra5 running OpenBSD. Problem solved.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Old 20th June 2011
Dr-D (Port Guard)

Below are my current pf.conf and dhcpd.conf files that I'm using for my OpenBSD 4.9 router. Is there anything I can or should add or remove to make it more secure?

#######################################
# dhcpd.conf
authoritative;
option domain-name-servers 24.222.0.96;
subnet 192.168.0.0 netmask 255.255.255.0 {
option routers 192.168.0.1;
range 192.168.0.100 192.168.0.150;
}
#######################################


#######################################
# pf.conf
# macros
int_if="xl0"
whs="192.168.0.50"
comp1="192.168.0.20"
comp2="192.168.0.21"

# options
set block-policy drop
set loginterface xl1
set skip on lo

# match rules
match in all scrub (no-df)
match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $comp1 synproxy state
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $comp2 synproxy state
pass in on $int_if
#######################################

Not having my internet connection dropped many, many, many times throughout the day since switching to my BSD router is pretty sweet and makes for a lot less cursing during the day while I'm working on remote systems. The almost 5Mbps speed increase is nice too!

Old 20th June 2011
rocket357 (Wannabe OpenBSD porter)

Quote (Originally Posted by Dr-D):
Below are my current pf.conf and dhcpd.conf files that I'm using for my OpenBSD 4.9 router. Is there anything I can or should add or remove to make it more secure?
That's pretty good for a SOHO setup. You might control outbound if you wanted to tighten security more.

Quote (Originally Posted by Dr-D):
Not having my internet connection dropped many, many, many times throughout the day since switching to my BSD router is pretty sweet and makes for a lot less cursing during the day while I'm working on remote systems. The almost 5Mbps speed increase is nice too!
Glad to hear it! I know quite a few people who have had an OpenBSD router that has lasted them just shy of forever, and they haven't bothered upgrading it because it works so well day-to-day. I would advise at least keeping it within the "supported" region (i.e. last two releases), though.

Enjoy!

Old 21st June 2011
Dr-D (Port Guard)

Quote (Originally Posted by rocket357):
You might control outbound if you wanted to tighten security more.
I might need a push in the right direction on this. What should I be looking to control on outbound?

Old 21st June 2011
rocket357 (Wannabe OpenBSD porter)

Well, for starters, change "pass in on $int_if" to "pass in log on $int_if" and run tcpdump -ttt -e -r /var/log/pflog on the firewall.

Then you can use your computers normally and watch tcpdump to see what ports and hosts are hit commonly.

More than likely, you'll need outbound dns, http, https, ftp, ssh, ntp (if you use it), whatever games you need, netflix, etc...

Set up "pass in on $int_if from any to any port { $port_list }", and nothing on your network will be allowed out unless it's in $port_list.

Gotchas: http that uses non-standard ports (same for https). Alternatively you could set up something like squid and only allow squid outbound access (overkill, probably), then point your machines to squid or set up pf to redirect to squid (if it's running locally).

There's a lot you can do to increase security...the question is how much do you want to maintain?

Old 21st June 2011
BSDfan666 (Banned)

Unlike other posters here, I wouldn't recommend worrying about filtering outbound this early..

The intent of outbound filtering is to prevent systems on your network from accessing the Internet; it really doesn't prevent anyone from tunnelling over common service ports, like port 80/443 for legitimate HTTP/HTTPS or even 53 for DNS.

It's easier to control inbound than outbound, and for the most part, enforcing outbound is an issue of policy.. given that this is your home network you should have no problem informing guests of your rules, if any.

Old 21st June 2011
jggimi (More noise than signal)

I happen to think that if there is one thing to filter outbound, it is SMTP. You can prevent infected Windows platforms from being effective spambots.

As you learn more about your networking requirements, you may find a desire to conduct traffic shaping. You'll find it discussed in the PF Users Guide chapter on queuing.
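Putting rocket357's outbound-control steps and jggimi's SMTP suggestion into Dr-D's pf.conf from earlier in the thread, as an added example that is not from any poster. The contents of the port lists and the DHCP rule are assumptions about a typical home LAN, and as BSDfan666 notes it still passes anything tunnelled over 80/443.

```pf
# macros (from Dr-D's pf.conf above)
int_if="xl0"
whs="192.168.0.50"
comp1="192.168.0.20"
comp2="192.168.0.21"
# Assumed port lists: fill them from what pflog shows the LAN actually
# using (rocket357's tcpdump step). ftp is left out on purpose; passive
# FTP through a port list needs ftp-proxy(8).
tcp_out="{ 22 53 80 443 }"
udp_out="{ 53 123 }"

# options
set block-policy drop
set loginterface xl1
set skip on lo

# match rules
match in all scrub (no-df)
match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }

# inbound port forwards, unchanged
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $comp1 synproxy state
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $comp2 synproxy state

# jggimi's point: drop and log outbound SMTP so an infected LAN host cannot
# work as a spambot. Redundant with the port list below, but it survives a
# later loosening of $tcp_out and gets its own rule number in pflog.
block in log quick on $int_if inet proto tcp to any port 25

# Assumed: DHCP clients speak from 0.0.0.0 before they have a lease, so
# they need a rule of their own; $int_if:network would not match them.
pass in quick on $int_if inet proto udp from any port 68 to any port 67

# rocket357's whitelist: only listed destination ports leave the LAN. What
# is not listed hits "block in log" above and shows up in pflog, which is
# how to find out what still needs adding.
pass in on $int_if inet proto tcp from $int_if:network to any port $tcp_out
pass in on $int_if inet proto udp from $int_if:network to any port $udp_out
pass in on $int_if inet proto icmp from $int_if:network to any
```

Check it with pfctl -nf before loading; "pass out quick" is kept from the original, so the router's own traffic and the forwarded replies are unaffected.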

Old 21st June 2011
Dr-D (Port Guard)

What's going on with the http://www.openbsd.org site? It's been down for several hours now. It's my main OpenBSD learning source.

Old 21st June 2011
BSDfan666 (Banned)

It happens occasionally, just use a mirror.

www.openbsd.org is hosted by the University of Alberta.
openbsd.org is hosted in Theo's basement.

There is a list of mirrors by country at the bottom of the main page; find one that's closest to you.

Old 21st June 2011
CyberJet (BSD Student)

Quote (Originally Posted by BSDfan666):
It's almost overkill, and I'm talking about the 900MHz Athlon, many people using OpenBSD use whatever they had available at the time.. I've been using a Pentium 3 for a few years now, before that it was a AMD K6-2 and before that a P1 and my first one was an i486. I only replaced them due to hardware problems usually, they could handle the network load fine.

A lot of people use OpenBSD on critical systems, you won't have a lot of problems doing so at home.. not if you're willing to put the time into it.
I'm very interested in setting up a bullet proof OpenBSD firewall. Is this possible?
I have been hearing of all these hacks in the past week, just can believe it's that easy. Can these things be prevented with OpenBSD, it's supposed to be the most secure OS. Why are more people using it?

Thanks

Old 21st June 2011
rocket357 (Wannabe OpenBSD porter)

Quote (Originally Posted by CyberJet):
Can these things be prevented with OpenBSD, it's supposed to be the most secure OS. Why are[nt?] more people using it?
I've always held the belief that the human brain is capable of learning much, much more than a computer can (sure, a computer can retain billions of bits of data, but can a computer change how it operates by analyzing said data? Not unless it's been coded to do so by a human brain!). As such, I tend to come down heavily on people who intentionally choose to use an inferior product so they don't have to learn anything...so take this with a grain of salt.

You get what you pay for. That goes for knowledge, too. If you invest the time to learn a system, you'll be rewarded with the satisfaction of understanding it AND the satisfaction of avoiding all of the common pitfalls of that system (which, for closed source, is mostly impossible). If you take the easy way out (and in terms of knowledge, MANY people do), be prepared to pay for that decision in other ways. It's that simple.

Old 21st June 2011
jggimi (More noise than signal)

You asked a number of questions, CyberJet.
Quote:
I'm very interested in setting up a bullet proof OpenBSD firewall. Is this possible?
Yes and no. Just because the OS is "Secure by Default" does not mean that any particular implementation of it in production is - or is not - susceptible to intrusion. Provisioning decisions, application deployments, infrastructure design, security policy decisions and adherence ... all play a role. For example, application-layer security issues (such as SQL injection attacks) are not addressed by an OpenBSD firewall, if the attacker's packets are passed by PF.
Quote:
I have been hearing of all these hacks in the past week, just can believe it's that easy.
Security problems in IT occur all the time. You're just "hearing" about these because they are publicized.
Quote:
Can these things be prevented with OpenBSD, it's supposed to be the most secure OS.
I think I answered that above, with a definite "maybe".
Quote:
Why aren't more people using it?
Fixed that for you. 1) It isn't a panacea, it solves some problems, but is not all things to all people, for all applications. 2) It isn't advocated as the cure-all for the masses. It's barely advocated at all. Awareness is low. 3) It is free, and many commercial operations find themselves unable to use free software without managing support risks themselves.

Old 21st June 2011
rocket357 (Wannabe OpenBSD porter)

Quote (Originally Posted by jggimi):
It is free, and many commercial operations find themselves unable to use free software without managing support risks themselves.
This is a particularly painful point for me. I'm the Unix guru where I work. I'm surrounded by developers and IT staff who know Linux well, and we can't switch to BSD for anything because "If you get hit by a bus, Jonathon, who's going to manage these systems?" (Note: the company where I work is a Linux shop...so free software isn't the issue).

Our NetAdmin is a Cisco guy who's been replacing our ancient network infrastructure with Cisco gear left and right. He criticizes our main firewalls (Linux machines) almost daily (with reason)...and I can't help but find irony in the fact that we're blowing hundreds of thousands of dollars per year because our NetAdmin can be replaced and (by company admission) I cannot.

It's stupid, but that's life in the corporate world.

Old 21st June 2011
CyberJet (BSD Student)

Quote (Originally Posted by jggimi):
For example, application-layer security issues (such as SQL injection attacks) are not addressed by an OpenBSD firewall, if the attacker's packets are passed by PF.
Thanks for your great insight. I'm just trying to learn, it's very clear to me that you guys know what you are talking about.

So I take it that PF can not inspect the packet and block escape characters contained with the SQL request? So therefore the SQL server has to be totally updated. Would that suffice?

Regards,

Old 21st June 2011
Dr-D (Port Guard)

Damn it, it locked up on me again. The first time it locked up was on the AMD 5200+ box. Now it's running on the AMD Duron 950MHz box.

Old 21st June 2011
Dr-D (Port Guard)

Hmmm, I think it might be a heat issue because it just locked up again a few minutes after resetting it. When it was working well it was sitting on a desk with both side covers off and front drive bay panels removed. Now it's sitting up high on a shelf in the corner with the panels and bay covers all in place.

Old 21st June 2011
ocicat (Administrator)

Quote (Originally Posted by CyberJet):
So I take it that PF can not inspect the packet and block escape characters contained with the SQL request?
Investigating the packet contents to the level described means that pf(4) would need to knowingly parse SQL. This would be layer 7 (with knowledge of the application...) activity, & I doubt if this will ever be integrated into pf(4) -- if for no other reason, this would significantly & adversely affect performance.
Quote:
So therefore the SQL server has to be totally updated. Would that suffice?
No. A database server is to process the queries it is given. If SQL injection is a concern, the application's logic will have to ensure that it can't be done with whatever (limited) interface is provided to the outside.

Old 21st June 2011
jggimi (More noise than signal)

Quote (Originally Posted by CyberJet):
Thanks for your great insight. I'm just trying to learn, it's very clear to me that you guys know what you are talking about.

So I take it that PF can not inspect the packet and block escape characters contained with the SQL request? So therefore the SQL server has to be totally updated. Would that suffice?
I used SQL injection as one possible example, out of limitless possibilities. http://xkcd.com/327/ is a humorous example of one. This is an application specific weakness from poor programming practices.

Security is not a product. It is a process, and any chink in the armor can become a problem. You cannot have an assurance of security with any single tool alone.

Quote (Originally Posted by Dr-D):
Damn it, it locked up on me again. The first time it locked up was on the AMD 5200+ box. Now it's running on the AMD Duron 950MHz box.
Did you attempt to use ddb as advised?

Old 21st June 2011
Dr-D (Port Guard)

Quote (Originally Posted by jggimi):
Did you attempt to use ddb as advised?
No. My suspicions tell me it's a heat problem so I will test to see if that was the problem first before delving into something I don't understand. It is quite hot where it is sitting.

I removed the case side panels, front drive bay panels, changed to a bigger heatsink and fan, changed the video card from an NVidia 32MB 4X AGP to a 1MB PCI S3, removed the floppy drive and CD-ROM drive and disabled all the hardware in the BIOS that isn't being used, which is what I should have done from the get-go. So now it's sitting up on its shelf again, wide open for air flow now with the very minimum of hardware and services running to serve its function.

Watching this thread and reading others has made me revise my Linux/UNIX experience from a 5/10 to 3/10, maybe even 2. I have soooo much to learn, but I do enjoy playing with this stuff.

The first time I tried out any *NIX OS was back in '95 when I just started getting into computers again. I didn't know the difference between a desktop and server OS so I was trying to use Redhat like I was Windows 3.1 which wasn't working out too well since I couldn't get a GUI loaded, so I gave up on *NIX because my brain was infected with Windows. Damn shame that is because I didn't look at Linux/UNIX again until 2003. Eight years of learning time gone.

My first computer was a VIC20 back in the early 80's as a kid. I actually still have it and hook it up every now and then to play games on it. I had to rewire it for RCA audio and video though. I even bought a floppy drive for it a couple of years ago to transfer my games from cassette tapes to floppies because I was too impatient waiting for anything to load from tapes as you can imagine.

After high school I went into construction so the last computer I touched was in '89, a dual floppy Apple II, before I got a PC in '94. A car accident left me paralyzed from the chest down in '93 so that's what led me back into the computer world.

When I got my computer in '94 a friend set me up and when he turned it on I was completely blown away. I had never heard tell of Windows and didn't know what a hard drive was so I couldn't figure out what was happening and how all this stuff was getting on my screen because there was no boot disk in the floppy drive. I've come a long ways since that day, and still have a ways to go. I'm completely self taught. I have shelves of DOS and Windows books but now Linux and UNIX books are slowly taking over.