DaemonForums > OpenBSD > OpenBSD Security
#1   18th December 2013
Ogonz (New User; Join Date: Dec 2013; Posts: 1)

PF on OpenBSD54, VM

Greetings to all,

I am a complete newbie at OpenBSD and it's my first time posting in this forum.
I do read a lot of IT books and the one I am reading at the moment is on OpenBSD (Absolute OpenBSD, Michael W. Lucas). I did not study IT and do not have a job in IT. I am just passionate about technology (networking and security in particular) and try to get by by documenting myself as much as I can. I am also very curious and like to know how things work (which can be cumbersome sometimes).
Anyway, I hesitated a while before posting on the forum as I do not have a technical issue (everything is working to my satisfaction) but rather a question about understanding PF in a virtual environment. I do not wish to waste anyone's time, so feel free to tell me to bug off if you believe that my setup is just crap.
The setup I have is not a production setup; it is just a personal project in order to be more secure on the internet. This setup is also intended for the mobility realm, i.e. laptops.

I am using OpenBSD 5.4 in VMware 10. The host is Windows 8.1. I have two NICs installed in my virtual machine, em0 and em1, and I am doing NAT with static IP addresses for em0 and em1. I chose NAT for security and practicality. Outside access seems to be less likely to the VM. No need to deal with DHCP, as NAT handles everything with static IP addresses. This project is intended for mobile computing such as laptops, so NAT avoids having to deal with all the different routers (exotic setups) out there.
For my internal setup in the OpenBSD server, I have my own internal DNS server running. I am using unbound and NSD combined, so in short the internal DNS server is authoritative, validating, recursive and caching. I have added a Squid proxy for security reasons. I am doing caching through Squid as well. This helps a lot with the small bandwidth. Everything there is working great.
Finally, I added PF in the internal server.

em0: 192.168.126.134/24 (NAT)
em1: 192.168.178.128/24 (Host Only)
Code:
################ My Rules #######################
## Variables ##
ExtNic  = "em0"
ExtIp  = "( " $ExtNic " )"
IntIp  = "em1"

## Gather Stats for main interface ##
set loginterface em0

## Ignore loopback ##
set skip on lo

## Normalisation ##
# scrub in all

## Default is deny ##
block log all

## Outgoing traffic ##
pass out on $ExtNic proto { tcp, udp } from $ExtIp to any keep state

## Allow ICMP ##
pass proto icmp all

## Allow DNS ##
pass in on $ExtNic proto { tcp, udp } from any to $ExtIp port { 53, 4952 }  keep state
pass out on $ExtNic proto { tcp, udp } from $ExtIp to any port { 53, 4952 } keep state

## Allow SQUID ##
pass in on $ExtNic proto { tcp, udp } from any to $ExtIp port 8080 keep state
pass out on $ExtNic proto { tcp, udp } from $ExtIp to any port 8080 keep state

## Allow SSH ##
pass in on $ExtNic proto tcp from any to $ExtIp port 22 keep state
pass out on $ExtNic proto tcp from $ExtIp to any port 22 keep state

## Bridge em0 with em1
pass out on em0 from em1:network to any nat-to (em0)

################ End of My Rules #################
Code:
#anchor "relayd/*"

block           # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

I enabled packet forwarding with net.inet.ip.forwarding=1 in /etc/sysctl.conf.

I have bridged em0 with em1 and it's performing NAT, so all traffic seems to be coming from em0. This setup is working well, but the real question is: is it really useful for the intended purpose? When I monitor em0 for traffic with
'# tcpdump -netttti em0', I see traffic from the VM gateway (192.168.126.0/24) to em0 showing my connection through SSH (PuTTY) from my host (192.168.188.20), and that is it.
How could I have all network traffic diverted to PF (VM OpenBSD) from the host (Windows)?
Would it be possible for PF to handle traffic from DNS (unbound and NSD) and Squid? I doubt it, but in case there is a way, that would be nice.

PS: I checked Squid and unbound and I have no issue with caching.

I hope I did not lack clarity; being a newbie, it is sometimes difficult to express my train of thought in clear and concise IT jargon.

Kind Regards,

zongo saiba

Last edited by ocicat; 18th December 2013 at 01:11 PM. Reason: Please use [code] & [/code] tags when posting textfile output.
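An added example, not from the thread and not OpenBSD's own tooling: a small POSIX shell helper that reads the per-rule counters printed by `pfctl -vsr` and lists the rules that have never matched a packet. That is the quickest way to answer the "is it really useful" question in the post above: if the `pass in ... port 8080` or the `nat-to (em0)` rule shows zero packets, nothing from the host is actually passing through PF in the VM. The layout of the counter lines (`[ Evaluations: ... Packets: ... ]` and `[ Inserted: ... State Creations: ... ]`) is assumed from pfctl's verbose output, and the sample embedded below is constructed for the demo, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example, not from the thread: summarise per-rule hit counters from
# "pfctl -vsr" so you can see which of the rules above ever match traffic.
# Assumption: pfctl's verbose rule output has the rule on an unindented line,
# followed by two indented counter lines of the form
#   [ Evaluations: N  Packets: N  Bytes: N  States: N ]
#   [ Inserted: uid U pid P State Creations: N ]

# Read "pfctl -vsr" output on stdin and print one line per rule:
#   <packets> <state creations> <rule text>
pf_rule_hits() {
    awk '
        /^[^ \t]/ { rule = $0; pkts = "?"; states = "?"; next }
        /\[ Evaluations:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
            next
        }
        /\[ Inserted:/ {
            for (i = 1; i <= NF; i++) if ($i == "Creations:") states = $(i + 1)
            printf "%s %s %s\n", pkts, states, rule
        }
    '
}

# Keep only rules whose packet counter is zero: they have never matched
# since the counters were last cleared (a ruleset reload or pfctl -F counters).
pf_unused_rules() {
    pf_rule_hits | awk '$1 == 0 { sub(/^[^ ]+ [^ ]+ /, ""); print }'
}

# Constructed sample of "pfctl -vsr" output for the ruleset in this thread
# (interface names and the 192.168.178.0/24 network are from the post; the
# counter values are made up for the demo).
SAMPLE='block drop log all
  [ Evaluations: 2410      Packets: 37        Bytes: 2960        States: 0     ]
  [ Inserted: uid 0 pid 17371 State Creations: 0     ]
pass out on em0 inet proto tcp from (em0) to any flags S/SA
  [ Evaluations: 2373      Packets: 18120     Bytes: 9832211     States: 4     ]
  [ Inserted: uid 0 pid 17371 State Creations: 61    ]
pass in on em0 inet proto tcp from any to (em0) port = 8080 flags S/SA
  [ Evaluations: 612       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17371 State Creations: 0     ]
pass out on em0 inet from 192.168.178.0/24 to any nat-to (em0)
  [ Evaluations: 40        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17371 State Creations: 0     ]'

# Demo on the constructed sample; on the VM use:  pfctl -vsr | pf_unused_rules
printf '%s\n' "$SAMPLE" | pf_unused_rules
```

On the VM the live form is `pfctl -vsr | pf_unused_rules`; `pfctl -s state` shows the state table for the rules that do match, and because the ruleset starts with `block log all`, anything dropped can be watched with `tcpdump -n -e -ttt -i pflog0`. With the constructed sample only the Squid rule and the nat-to rule are reported, which is exactly the situation described in the post (only the SSH session from the host is visible on em0).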
#2   18th December 2013
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

Hello, and welcome!
Quote:
I am a complete newbie at OpenBSD...
We all were, at one time.

It was not clear to me what you meant by this:
Quote:
I have bridged em0 with em1...
Above, you defined them as being on different subnets. Did you mean you used a bridge(4) device in OpenBSD, or did you intend to state that you bridged one of these two virtual NICs with your host's network?
Quote:
How could I have all network traffic diverted to PF (VM OpenBSD) from the host (Windows)?
That's a Windows and/or VMWare question.
#3   19th December 2013
qmemo (Package Pilot; Join Date: Jul 2008; Location: The big B; Posts: 141)

Quote:
Originally Posted by Ogonz
How could I have all network traffic diverted to PF (VM OpenBSD) from the host (Windows)?
This might give you pointers; just so you know, this is not a BSD-specific solution... just a pointer.

Hope that helps
__________________
"If 386BSD had been available when I started on Linux, Linux would probably never have happened." --Linus Torvalds
Tags
opebsd54, pf, vm
