OpenBSD Security
How do I enable IP protocol 47 (GRE) and TCP port 1723?
I need to enable IP protocol 47 (GRE) and open TCP port 1723 on an OpenBSD 4.3 firewall so that I can allow Windows VPN traffic to pass.
Can anybody tell me how to do this? This is an incredibly amateur question, I am aware, but I've never worked with OpenBSD before and am in need of some assistance. Thanks!

The tool used with OpenBSD for firewall operations is PF -- Packet Filter. However, there have been many changes since your version of the OS, which is unsupported.
There have been many, many changes to PF, so you will need older, out-of-date documentation. I will build and attach a 4.3 version of the PF User's Guide for you; it will take a few minutes. Meanwhile, the man pages for 4.3 might be on your system, or might not. Here are links to the two you will absolutely need for reference to PF, for 4.3: pf.conf(5) pfctl(8)
Last edited by jggimi; 2nd August 2010 at 09:05 PM. Reason: clarity

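Added here as an illustration, not the thread's own or the OpenBSD project's configuration: a 4.3-era pf.conf fragment (pre-4.7 syntax, so translation rules precede filter rules) for the case in the question, assuming the Windows VPN server sits on the LAN behind the firewall. Interface names and the server address are placeholders.

```pf
# Constructed example for an OpenBSD 4.3-era /etc/pf.conf (pre-4.7 syntax):
# let PPTP clients on the Internet reach a Windows VPN server on the LAN.
# em0, em1 and 192.168.1.10 are placeholders; substitute your own values.
ext_if = "em0"               # outside interface
int_if = "em1"               # inside interface
vpn_srv = "192.168.1.10"     # Windows server running the PPTP service

set skip on lo

scrub in all

# 4.3 ordering rule: translation (nat/rdr) rules must come before filter rules.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Forward the PPTP control channel and the GRE tunnel to the VPN server.
rdr on $ext_if proto tcp from any to ($ext_if) port 1723 -> $vpn_srv
rdr on $ext_if proto gre from any to ($ext_if)           -> $vpn_srv

# Default deny; log what is blocked so mistakes show up on pflog0.
block in log all
pass out keep state

# Let the LAN out through the firewall.
pass in on $int_if from $int_if:network to any keep state

# PPTP control channel (TCP 1723), to the VPN server only.
pass in on $ext_if proto tcp from any to $vpn_srv port 1723 flags S/SA keep state

# GRE (IP protocol 47) carries the tunnelled PPP frames. GRE has no ports,
# so the state entry is keyed on addresses only; keep the destination narrow.
pass in on $ext_if proto gre from any to $vpn_srv keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and make sure `net.inet.ip.forwarding=1` is set in /etc/sysctl.conf, or the rdr'd packets will never be routed to the LAN.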
I appreciate your help. I've just started this job and am planning to upgrade the systems.
I'll start another thread later to see about upgrading this system. Thanks for your help, I really appreciate it.

Doing incremental upgrades like that is very tedious, but releases are made every 6 months, so if one leaves a system to stagnate for several releases, they end up making it harder to upgrade.
A fresh installation would probably be the best route to take, but that won't preserve any changes made to the system. Maintaining a system that was configured by someone else is an enormous job if you have no familiarity with the system, or what services it was providing for your employer's network. I do hope for your sake that the previous maintainer left behind lots of documentation, so you can replicate the configuration. 4.8 will be released soon, in a few months, so hopefully this will give you time to become familiar with this system, and OpenBSD in particular, hopefully making this migration a lot less painful in the future; just remember to keep it regularly maintained and upgraded.

There is no documentation to speak of unfortunately, so this isn't going to be a very fun process. I think I might just go through the tedious process of updating from 4.3 > 4.4 > ... > 4.8. I would rather do that than risk breaking something that is critical, as this is a production firewall. IT professionals that don't properly document things are very frustrating. Sure you're adding job security, but you're also preventing yourself from getting promoted or taking a vacation. Oh well, what can you do...

That's sad, but at least this gives you the opportunity to outshine your predecessor: try and document the changes he made from the "vanilla" installation of 4.3.
I do believe that this system should be upgraded, but doing so without first doing some initial research would be a mistake. It may be running 3rd party software from the ports tree or things they manually compiled (..or wrote), and a premature upgrade could theoretically break things and leave you in an awkward situation of trying to restore functionality of what is essentially a "black box" to you. I fear that you may have bitten off more than you can chew; I would not want to be in your situation.. but we'll do our best to help you with any questions you may have, but 4.3 is generations ago and it may take time for us to formulate something resembling a response. Good luck!
Last edited by BSDfan666; 3rd August 2010 at 12:27 AM.

It's not a super complex network, so I think I should be okay in terms of handling the situation... I just need to be careful with how I approach things. I probably could build a new firewall to the best of my ability in regards to how the network appears to be configured and then just find out what is broken and what needs to be fixed. However, I haven't worked with OpenBSD before, so I'd rather use this as a learning opportunity and establish a new skillset. This seems like a pretty helpful forum; I'm glad I made my way here. Thanks again for the advice thus far.

Given that the purpose of firewalls is to plug/thwart many of the vectors malevolent souls exploit to either get past security roadblocks or perform malicious acts, making sure firewall software is current & patched should be a paramount goal. Also, if I recall correctly, there were significant performance enhancements made to both OpenBSD 4.2 & 4.4. Once you become familiar with the terrain, moving to 4.7 (& OpenBSD 4.8 will be released in November...) should be high on your list of things to get done.

The firewall script (/etc/pf.conf, usually) will tell you how the thing acts as a firewall. That cannot be moved, unchanged, to 4.7, but the upgrade guides along the way will explain what changes will need to be made.
The /etc/hostname.* files will give you your network configuration. The hostname.if(5) man page will help you understand those files. The pkg_info(1) command will tell you all 3rd party software installed on your platform through the packages/ports system, described in FAQ 15. The sysctl.conf(5) file will show any "knobs" that might have been turned -- routers/firewalls, for instance, should have IP forwarding enabled there.