DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 1st September 2017
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 67
Lightbulb Gettting Total Control of My LAN with OpenBSD 6.1

Hi,

I did a fresh installation of Open BSD 6.1 to get the total control of the internet usage for my LAN. I had OpenBSD 5.3 earlier.

With the new installation I was able to build an IPSEC tunnel and configure firewall rules to some extent.

I need your help to achieve the following requirements

1) Implementing QOS ( if I can get a link which describes CBQ and PRIQ with examples it is much appreciated. )

2) Could I restrict some sites ex: facebook totally ? If so please give me information on that.

3) Could I control access to some sites like FB by implementing a schedule on PF ? If so please give me information on that.

4) Could I implement an IPS on my latest OpenBSD firewall? If so please give me information on that.

Thanks
Reply With Quote
  #2   (View Single Post)  
Old 1st September 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,893
Default

Quote:
Originally Posted by Amithapr View Post
1) Implementing QOS ( if I can get a link which describes CBQ and PRIQ with examples it is much appreciated. )
You are asking about traffic shaping, or traffic queueing. OpenBSD replaced the ALTQ queueing system you were using, starting at at 5.5. The replacement includes an always-on priority queuing mechanism, and queues for bandwidth management. These are both discussed in the pf.conf(5) man page, but the best resource will be Peter Hansteen's The Book of PF.

Peter also has an online tutorial, but it is not as detailed as his book.
Quote:
2) Could I restrict some sites ex: facebook totally ?
If a site has a known single IP address or small set of fixed IP addresses, yes. But you cannot do this with Facebook, Google, or other large services which have ever-changing, massive pools of IP addresses.
Quote:
3) Could I control access to some sites like FB by implementing a schedule on PF ?
Per my answer above, not with Facebook. But yes, the cron(8) subsystem allows you to schedule the execution of commands and you can change portions of your ruleset with PF anchors, or you could replace the entire ruleset, and you can kill active states as well with pfctl(8) and its -K/-k options. The cron(8) subsystem is fully described in its main man page and the SEE ALSO man pages. PF anchors are described in the PF User's Guide and in Peter's book and tutorial.
Quote:
4) Could I implement an IPS on my latest OpenBSD firewall?
Not at this time. Snort is available as a package, but on OpenBSD it is implemented as an IDS rather than an IPS, because it is not integrated with PF. Suricata is another IDS/IPS but at the moment it is only a work in progress for OpenBSD, and my guess is if it is successfully ported it will be as an IDS only.
Reply With Quote
  #3   (View Single Post)  
Old 1st September 2017
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 118
Default

I use <table> in pf to restrict websites by their ip or cidr whichever i prefer.
Currently we filter all non-US ip's with pf, which works almost instantaneously.
Reply With Quote
  #4   (View Single Post)  
Old 1st September 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,893
Default

If one can keep track of the thousands of Facebook server IP addresses, PF tables could be used. It is the former that is difficult, not the latter.
Reply With Quote
  #5   (View Single Post)  
Old 1st September 2017
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

Put this in a script:

echo "table <facebook> {" > /some/path/facebook.com
whois -h whois.radb.net '!gas32934' | grep '/' | tr ' ' ',' >> /some/path/facebook.com
echo "}" >> /some/path/facebook.com

Ensure pf loads /some/path/facebook.com and contains something like:

block return in from any to <facebook>

Periodically re-run the script for any IP range updates.

It's a sledgehammer approach. It isn't perfect, but it has worked for me.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
  #6   (View Single Post)  
Old 1st September 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,893
Default

Using Merit's routing registry database and converting the public AS to CIDR groups? I hadn't thought of that. It is an interesting approach, and may meet amithapr's needs.
Reply With Quote
  #7   (View Single Post)  
Old 1st September 2017
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

That approach is full of holes, of course, as using a public proxy can defeat it, and you're also blocking *everything*, including email servers, etc...

If the primary concern is blocking users from surfing facebook, amithapr may be able to leverage relayd for that and not have to resort to a ASN block =)

Really depends on exactly what level of lockdown is required. I have teenagers who have proven that social media is far too strong a temptation over getting homework done, so I've had a get creative in my approaches.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
  #8   (View Single Post)  
Old 1st September 2017
hanzer's Avatar
hanzer hanzer is offline
Real Name: Adam Jensen
just passing through
 
Join Date: Oct 2013
Location: EST USA
Posts: 238
Default

Quote:
Originally Posted by Amithapr View Post
2) Could I restrict some sites ex: facebook totally ? If so please give me information on that.
Might this be done through the DNS system rather than the firewall? For example, if unbound were configured as an authoritative, validating, recursive caching DNS for the LAN and /var/unbound/etc/unbound.conf contained a section like this:
Code:
        # Block Ad Server domains. 
        local-zone: "doubleclick.net" redirect
        local-data: "doubleclick.net A 127.0.0.1"
        local-zone: "googlesyndication.com" redirect
        local-data: "googlesyndication.com A 127.0.0.1"
        local-zone: "googleadservices.com" redirect
        local-data: "googleadservices.com A 127.0.0.1"
        local-zone: "google-analytics.com" redirect
        local-data: "google-analytics.com A 127.0.0.1"
        local-zone: "ads.youtube.com" redirect
        local-data: "ads.youtube.com A 127.0.0.1"
        local-zone: "adserver.yahoo.com" redirect
        local-data: "adserver.yahoo.com A 127.0.0.1"
        local-zone: "ask.com" redirect
        local-data: "ask.com A 127.0.0.1"
[assuming facebook.com were similarly added to this section] would this accomplish the goal?
Reply With Quote
  #9   (View Single Post)  
Old 1st September 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,893
Default

Any client that can set its own domain server address(es) could circumvent that. I don't know of any that can't set this.
Reply With Quote
Old 1st September 2017
hanzer's Avatar
hanzer hanzer is offline
Real Name: Adam Jensen
just passing through
 
Join Date: Oct 2013
Location: EST USA
Posts: 238
Default

It seems like the DNS approach would reduce network chatter and server load. I wonder if that efficiency might be reasonably attractive to some users such that it is worth considering?

It might be helpful to understand the scenario/context:
  • How hostile is the environment? - Is it sufficient to simply bolster an agreed upon social contract?
  • Are the client machines controlled by the LAN administrator?
Reply With Quote
Old 2nd September 2017
TronDD TronDD is offline
Package Pilot
 
Join Date: Sep 2014
Posts: 149
Default

Quote:
Originally Posted by jggimi View Post
Any client that can set its own domain server address(es) could circumvent that. I don't know of any that can't set this.
You could allow domain traffic to only what you want clients to use. Or use a rdr-to rule and force them there regardless of what they set.

"Total control", right?
Reply With Quote
Old 2nd September 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,893
Default

I should have thought of that.

Reply With Quote
Old 2nd September 2017
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 67
Thumbs up

Dear All,

Thanks a lot for your valuable information. I will try those and give the feedback.

Thanks again
Reply With Quote
Old 2nd September 2017
e1-531g e1-531g is offline
VPN Cryptographer
 
Join Date: Mar 2014
Posts: 354
Default

Quote:
Originally Posted by rocket357 View Post
That approach is full of holes, of course, as using a public proxy can defeat it, and you're also blocking *everything*, including email servers, etc...

If the primary concern is blocking users from surfing facebook, amithapr may be able to leverage relayd for that and not have to resort to a ASN block =)

Really depends on exactly what level of lockdown is required. I have teenagers who have proven that social media is far too strong a temptation over getting homework done, so I've had a get creative in my approaches.
Some companies like Google use servers outsourced for them by other companies (it means other AS number) to handle traffic to regional domains. For example google.com is blocked by your script, but google.pl is not always blocked. To seal this leak use information stored in public DNS servers via dig(1) tool and then concatenate CIDRs with CIDRs retrieved by whois(1).
I don't know how this approach plays with websites behind Cloudflare reverse proxy.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
Old 3rd September 2017
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

Quote:
Originally Posted by e1-531g View Post
Some companies like Google use servers outsourced for them by other companies (it means other AS number) to handle traffic to regional domains. For example google.com is blocked by your script, but google.pl is not always blocked. To seal this leak use information stored in public DNS servers via dig(1) tool and then concatenate CIDRs with CIDRs retrieved by whois(1).
I don't know how this approach plays with websites behind Cloudflare reverse proxy.
Proxies and CDNs pose a particularly sticky problem with this approach. It shouldn't be relied upon as a silver bullet, but it may find a place within a bigger scheme to block traffic.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
Old 7th September 2017
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 67
Default

Hi,

I referred Book of PF Third Edition ,then added the following rules to my PF. As in my OpenBSD 5.3 firewall which used the old ALTQ with CBQ, only one queue is active all the time for OpenBSD 6.1 also. I wonder whether I'm doing a major mistake

By applying queues, I wanted to give priority to some of my workstations in the LAN by allocating half of the bandwidth, when those workstations are connected to the internet.


WHAT SHOULD I DO TO ACTIVATE BOTH QUEUES ?

Code:
ext_if="bge1"
ext_ip="x.x.x.x"

bmpc_wks="{y.y.y.22/32, y.y.y.23/32, y.y.y.24/32}"

queue mainq on $ext_if bandwidth 4M
queue std parent mainq bandwidth 2M default
queue bmpc parent mainq bandwidth 2M

#Rules for LAN -AL
match out on $ext_if proto { tcp,udp,icmp,esp } from x.x.x.0/24 nat-to ($ext_if) static-port

#Rules for Boardroom,Meetingroom,Projector workstations
#pass out on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc
match out on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc set prio 7
match out on $ext_if proto {tcp, udp} from $int_if to any port>=80 queue std set prio 3
Code:
QUEUE                             BW SCH  PRIO     PKTS    BYTES   DROP_P   DROP_B QLEN BORROW SUSPEN     P/S     B/S
mainq on rl0                      4M                  0        0        0        0    0                     0       0
 std                              2M                766   190048        0        0    0                    55   13053
 bmpc                             2M                  0        0        0        0    0                     0       0
Reply With Quote
Old 7th September 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,893
Default

Post your complete ruleset, rather than a fragment.
Reply With Quote
Old 7th September 2017
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 67
Default

Hi Jggimi,

Please find the pf.conf file of the OpenBSD 6.1 Firewall herewith.

Thanks
Attached Files
File Type: conf pf.conf (4.6 KB, 22 views)
Reply With Quote
Old 12th September 2017
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 67
Unhappy

Hi,

I hope you will help me to get this QoS feature working ! I feel I'm doing some fundamental mistake during configuration since, this did not work on my old OpenBSD 5.3 version as well.

Thanks
Reply With Quote
Old 12th September 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,893
Default

I don't see anything obvious, so I am left to guessing. You are attempting to use both queue names and priorities, and that might be the problem. Try removing your 'set prio' from your match rules, so that you are definitively using the queue name only. Queues are documented as being "sticky" on match rules, priorities are not, and setting the priority may override using named queues.

(You do not need to use "/32" to define single IP addresses.)

Last edited by jggimi; 12th September 2017 at 11:05 AM. Reason: typo
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Fan Control in OpenBSD? sparky OpenBSD General 18 4th April 2014 12:54 PM
Security Hacker Had Total Control Over DigiNotar Servers, Report J65nko News 0 1st November 2012 08:10 PM
five reasons why OpenBSD is recommended to total newbies daemonfowl OpenBSD General 20 25th February 2012 12:03 AM
Alix6e1 LED control in openbsd Sigi OpenBSD General 1 20th November 2011 08:24 PM
Fan control in OpenBSD Angevin OpenBSD General 6 20th November 2009 03:06 AM


All times are GMT. The time now is 04:47 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick