pf.conf help?
Hi guys;
I use a wireless modem. How do I structure the firewall? I want my IP address not to go out when I use a VPN. Can you write a PF rule for me? The traffic will go through the VPN, and normal internet traffic will not go out when the VPN is disconnected. I'm ignorant about security. I do not know PF. Can you help me please? My pf.conf:
Code:
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

wlan_if="ra0"

set skip on lo

block return	# block stateless traffic
pass		# establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

antispoof for { lo0 $wlan_if } inet
match in all scrub (no-df random-id)

I would rephrase that, and say that you are ignorant about network protocols, because this desire is implausible:

PF filters traffic. It does not "hide" IP addresses that are required to send and receive traffic, and won't help you meet your desire. The way that VPN services market "hiding" your address is by configuring their remote gateway to use Network Address Translation (NAT), which will translate your IP address to one that originates on the remote gateway.

But this only obfuscates your IP address; it does not "hide" it from anyone with access to the remote gateway's logs, such as might occur during legal discovery or from a search conducted by law enforcement. And at all times, the third-party VPN provider has access to your IP address, to all data that transits the tunnel, and to any data encrypted by the tunnel endpoints, as they have the keys for any ciphers used between VPN endpoints. The company has to have all of this in order to establish and maintain the tunnel.

----
Edited to add: The Tor Project is designed to make endpoint IP address discovery more difficult, primarily for anonymous browsing.
https://en.wikipedia.org/wiki/Tor_(anonymity_network)
http://openports.se/meta/tor-browser

Last edited by jggimi; 22nd January 2018 at 07:36 PM. Reason: Added comments about the Tor Project, then corrected a link and clarified them

"Let the pros do the work for you"?
Like the pros at ---> "Equifax Tm"

But seriously... The poster said they want to use a VPN, not Tor, and know nothing about making PF work with a VPN. They want someone to write the rules for them, so obviously they aren't interested in learning PF. They aren't going to get help here with that, so they have the following options:
1) Learn PF, which is hard. No average user is going to do that, and let's be honest, most don't have the ability to get it right the first time. So if they try it they will mess up and expose their IP to the people they do not want to see it. This could have legal consequences for them.
2) Go to a VPN that supports OpenBSD. I only know of one that says they support OpenBSD, but I have no idea if they are skilled or reputable.
3) Uninstall OpenBSD and return to Linux, or worse Windows/Apple, as these OSes are supported by one reputable VPN that I know of, while OpenBSD is too small for them to support.
OpenBSD + VPN + PF will get you doxxed if you don't have the skills to use it properly. If you don't have the determination or time to get those skills, take option 2 or 3.

As follow-up:

The purpose of a VPN is to permit authentication, data assurance, and (optionally) privacy between nodes residing on an untrusted network. VPN technologies vary, but in all cases the member nodes of the VPN must be able to address communication to each other. IP ADDRESS MUST BE KNOWN.

The communication internal to a VPN includes authentication and other security mechanisms to provide assurance to the member nodes that the data is authentic and unchanged. It may also include encryption to provide a measure of privacy. External inspection of the VPN traffic WILL disclose the addresses of the member nodes, whether encryption is used or not.

Any data that transits the VPN and continues on to the Internet no longer has any expectation of authentication, data assurance, or privacy except as offered by the communication protocols deployed in the application (e.g. HTTPS over TCP).

In Network Address Translation (NAT), sending and receiving IP addresses are substituted by the router as packets are forwarded in each direction. This is commonly used in local networks where multiple devices share a single IP address on the Internet:

[local devices] - [NAT router] - the Internet

If a VPN network is used with a NAT router to transship data through the Internet, such as by a "VPN Service Provider", the connections are similar:

[VPN nodes] - [NAT router] - the Internet

No one wants Tor if they are willing to pay $50-$100 per year for a VPN. Everyone already knows that Tor is free and easy to use.
If you do something really bad they aren't going to jail for you, that's for sure, and Tor isn't safe in that regard either. The secret services of all major countries have methods for identifying Tor users. They specifically target and infect Firefox and Tor browsers with programs that make tracking their users dead easy.

I understand it is encrypted when it goes from your computer to the VPN, and when it leaves the VPN it becomes normal Internet traffic again. I have read that VPN users are seen as a big political threat by governments like China and Russia, because they have free access to information, so they banned all VPN operators. I also understand there have been similar calls to ban them in the UK. So if a VPN doesn't prevent its users from identification, why don't they move in and arrest the political dissidents?

Seriously, it is not meaningful for me to have this discussion with you, as I don't have your knowledge. But I do know one VPN provider who could discuss this with you meaningfully. Would you be willing to post in their forums? I would be interested to see how they respond. They also offer Tor use with the VPN. You connect to them with Tor, so not even they know who you are.

Last edited by Prevet; 23rd January 2018 at 04:58 PM.

If it is from the outside and many connecting people are using that, I think it would not be enough to be seen as ultimate proof/evidence of doing something. Maybe a clue, but not 100% incriminating evidence.

m users have m connections (more if one user has several devices) -> VPN service -> n TCP connections; let n = 2000 and m = 700.

Without logs from the inside we don't know which output connection maps to which input connection. There may be other clues and evidence. These connections can look less and less random over time while somebody is using the VPN. There may be some patterns when connecting to services. But in many cases it is still better than connecting directly.

And state actors should, theoretically, only use their spying capabilities when it comes to national security, not regular criminal cases. There are some doubts about that: in some cases there are strange things suggesting intelligence agencies gave a "tip" to the police. But let's say that somebody is just occasionally torrenting a pirated movie because, for some reason, geoblocking prevents him from buying a licence legally; this is not a case where the police are going to put significant resources into tracking somebody.
__________________
Signature: Furthermore, I consider that systemd must be destroyed. Based on Latin oratorical phrase |
---
Let's assume the VPN traffic is encrypted, and use my example above, with a NAT router. Let us assume that the NAT router is a member node of the VPN:

[VPN nodes including the NAT router] - the Internet

Let us also assume that packets are logged going into and out of the service provider, and that the investigator is only interested in packets going back and forth to a single public webserver, such as daemonforums.org. The investigator filters for traffic between the VPN's router and this webserver (IP address 95.170.82.241). Each packet is logged to the millisecond. She then filters the VPN traffic logs for matching traffic over the VPN. How? By timestamp. Let us assume she looks within several milliseconds of any inbound webserver traffic for outbound VPN packets. Since she will also know which VPN technology is being used, she may also be able to compare packet lengths to obtain very good clarity on what VPN traffic matches the public Internet traffic.

The same sort of analysis can be performed on packets heading to the webserver; the VPN logs will just be some milliseconds ahead of the public traffic. The protocols used for the public traffic can sometimes make this easy, such as TCP SYN/ACK packets.

She can now determine with a high degree of certainty the IP addresses using that VPN to communicate with this website.
In their sales pitch some VPNs go to great pains to say they do not log and have no data to give anyone that might demand it, while others say they do log. So if they are taking their customers' money while doing the exact opposite of what their sales pitch says, they are committing fraud and should be prosecuted. I find it hard to believe they must all be crooks, but the way the world is turning so Orwellian, I wouldn't be surprised if it was true. Even if they are government-controlled they still have their uses, like putting a protective barrier between ordinary citizens and other citizens, as well as corporate entities who want to collect everything they can on individuals and sell it.

The VPN I mention also accepts cryptocurrencies through Tor. They also give you 3 VPN connections so you can divide up your traffic. I assume that would make it even harder to track the ones that use it.

https://www.theguardian.com/world/20...line-anonymity

Consider what a log is, and how one is created.

All the local networks I manage happen to log information about every packet that flows through every interface. It's easy to set up tools to do that, with no appreciable overhead on the collecting systems.[1] I'm certain my upstream ISPs all log all this traffic as well, using the same technology.[1] Like me, they probably don't store the data payloads. Like me, they store only metadata about the packets, such as IP addresses, protocols, packet lengths, timestamps, connecting interfaces, and connecting systems.

Why? It's common to do this because it helps with performance management, helps with problem determination, and helps with capacity planning. It's simply part of managing a network and server infrastructure. It's normal. It's standard. It's best practice.

The service provider may or may not have logs. But their upstream ISPs almost certainly do, as otherwise they wouldn't be able to manage their network services very well. Even if they aren't currently logging data, a regulator or law enforcement agency may very well be able to compel the ISP to begin that collection.

---
[1] NetFlow statistics. On OpenBSD, this is easy to collect and record centrally from all my routers and servers. See the pflow(4) man page. I use the net/nfsen package to provide graphical analysis as well as drive detailed reporting through net/nfdump. Here are some NfSen screenshots.
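The pflow(4) collection the footnote refers to, as an added example and not the poster's own configuration: a pf.conf fragment that exports every state to the pflow interface, with the matching hostname.pflow0 line and the nfdump collector commands shown in comments. The router address 192.0.2.1, the collector 192.0.2.10 and the port 9995 are assumed values.

```pf
# Added example, not from the thread. Assumed: this router is 192.0.2.1 and the
# NetFlow collector is 192.0.2.10 listening on udp/9995.

# /etc/pf.conf: export every state on the pflow(4) interface when it closes.
# pflow records carry addresses, ports, protocol, byte and packet counts and
# start/end times, which is exactly the metadata the post above describes.
set state-defaults pflow

# Or export only the traffic of interest, by adding the state option to a rule:
# pass out on egress proto tcp to port 443 keep state (pflow)

# /etc/hostname.pflow0 (one line; brings the exporter up at boot, IPFIX format):
# flowsrc 192.0.2.1 flowdst 192.0.2.10:9995 pflowproto 10

# On the collector, from the net/nfdump package, write 5-minute files:
# nfcapd -w -D -p 9995 -l /var/log/netflow
# and later answer the question from the earlier post about one web server:
# nfdump -R /var/log/netflow -o long 'ip 95.170.82.241'
```

After loading the rules with pfctl -f /etc/pf.conf, pfctl -ss shows the exported states and ifconfig pflow0 shows the exporter settings; if the collector receives nothing, check that the flowsrc address is one the router actually owns and that udp/9995 is passed on the collector's own firewall.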
I have to say that I'd just got OpenBSD set up the way I liked it, then the Intel bug is exposed, so my main machine is now offline. Then I learned about the Intel Management Engine and also learned that AMD has started doing the same shady things. I agree with Stallman that it is ME, not Meltdown, that is the real scandal that no one is talking about, so now I'm thinking my machine can never be used for anything important online again. As long as this kind of thing is tolerated on our computers, all talk of security is just LARPing IMO. We may as well be using Windows and Apple spyware. What do we have left at this point? Open source is still free? For how much longer will our Intel overlords allow that situation to continue on their CPUs? lol

@jggimi
I'm sorry, I could not explain. When the VPN connection is disconnected, I do not want to go online with the web browser. Isn't PF needed? If there is no VPN, I do not want the Internet!

@Prevet
It will be nice to get books and notes. I checked the address you gave me. It helped me. I use "Riseup and ProtonVPN". It's good with OpenBSD for the moment. Thank you for the other writings. I read them and understood a little better. I will be researching and reading books to learn more about this subject.

It is my understanding that the VPN technology used by ProtonVPN is OpenVPN. OpenVPN uses UDP or TCP connections; the standard port number is 1194 with either protocol. Yes, PF can limit all inbound and outbound traffic on the physical interface to TCP or UDP that connects with that port number. It can then permit all "internet"-destined traffic to use the tap(4) tunnel device created by OpenVPN on OpenBSD.

However, you may need some open connectivity to the Internet in order to establish the OpenVPN connection to your service provider, such as domain name services. Is your connection to your service provider by domain name, or by IP address? You may also need some open connectivity to establish your system's IP address. DHCP is the most common protocol used to obtain dynamic IP address and routing information.

Last edited by jggimi; 24th January 2018 at 04:01 PM.

@jggimi
No domain services. I'm a normal internet user. I use "Dnscrypt + Unbound"! I do not know if this information is necessary, but I have to write it. I do not want to visit sites when my VPN connection is broken! If the VPN connection is lost, I do not want to go to the internet with the web browser until the VPN connection is restored. I do not want web sites to see the real IP address.
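A pf.conf that does what the original poster asks for, along the lines jggimi sketched, as an added example: it is not the poster's configuration and not something posted in the thread. It assumes the wireless interface is ra0 as in the first post, that OpenVPN creates tun0, and that the provider endpoint is reached by IP address, with 203.0.113.10 on udp/1194 as an invented placeholder to be replaced by what openvpn(8) logs as its remote.

```pf
# Added example for this thread, not the original poster's pf.conf.
# Assumptions (not stated in the thread): the wireless NIC is ra0, OpenVPN
# creates tun0, and the provider endpoint is 203.0.113.10 on udp/1194.
ext_if   = "ra0"
vpn_if   = "tun0"
vpn_srv  = "203.0.113.10"
vpn_port = "1194"

set skip on lo
set block-policy drop            # silently drop: no RST or ICMP error leaves ra0

match in all scrub (no-df random-id)
antispoof quick for { lo0 $ext_if } inet

# Default deny on every interface, in and out, logged to pflog0. This is the
# "kill switch": when tun0 is gone, nothing below matches and nothing is sent.
# It covers inet6 too, so IPv6 cannot slip around an IPv4-only tunnel.
block log all

# The physical interface may do exactly two things without the tunnel:
# 1. DHCP, to obtain its address (OpenBSD's dhclient works through bpf(4), so
#    this rule may be unnecessary, but it is harmless);
# 2. the OpenVPN session itself, to the one endpoint and port.
pass out quick on $ext_if inet proto udp from any port 68 to any port 67
pass out quick on $ext_if inet proto udp to $vpn_srv port $vpn_port

# Everything else leaves only through the tunnel. The provider must push a
# default route over tun0 (OpenVPN "redirect-gateway def1"); if it does not,
# the browser's packets choose ra0, hit "block log all" and are dropped.
# Unbound on lo and dnscrypt-proxy's upstream queries follow the same route,
# so DNS also stops when the tunnel is down instead of leaking on ra0.
pass out quick on $vpn_if
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. To prove the kill switch works, stop openvpn and try to fetch a page: the request must fail, tcpdump -n -e -ttt -i pflog0 should show the dropped packets on ra0, and pfctl -ss should list no state on ra0 other than the one to $vpn_srv. If the OpenVPN configuration names the server by hostname instead of IP, resolution has to be allowed out on ra0 before the tunnel exists (a pass out rule from ra0 to the dnscrypt upstream resolver), and that rule is the one place a query can leave unencrypted by the VPN; connecting by IP, as the poster does, avoids it.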