#1   11th May 2013
ripe
New User
Join Date: Feb 2013
Location: France
Posts: 8
Thanked 0 Times in 0 Posts

A question about pf by default.

Hi all,

I am new to OpenBSD and my level is not good regarding security:
I installed OpenBSD 5.3; is the default pf.conf enough to protect me?!

Code:
#       $OpenBSD: pf.conf,v 1.52 2013/02/13 23:11:14 halex Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# increase default state limit from 10'000 states on busy systems
#set limit states 100000

set skip on lo

# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

block           # block stateless traffic
pass            # establish keep-state

# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp


#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
Thanks for any help.
ripe
#2   11th May 2013
denta
Fdisk Soldier
Join Date: Nov 2009
Posts: 73
Thanked 0 Times in 0 Posts

Hello, assuming you are not running a bunch of services on the machine, maybe I'd go with something like
Code:
block all
pass out keep state
It will allow traffic that you initiate yourself, and block everything else.
#3   11th May 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts

The default configuration only blocks stateless traffic. It doesn't "protect" anything.

Configuring PF requires basic knowledge of 1) TCP/IP, 2) your network applications, and 3) PF configuration rules.

The PF User's Guide, found with the OpenBSD FAQ at the project website, is required reading.
#4   12th May 2013
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,154
Thanked 182 Times in 149 Posts

For a desktop machine the simple ruleset suggested by Denta is a good start. It will keep the bad guys from connecting to your machine.
I would propose two small changes to those rules:
Code:
block log all
pass out
Loading this set:
Code:
# pfctl -vvf denta.pf
Loaded 710 passive OS fingerprints
@0 block drop log all
@1 pass out all flags S/SA
So I drop the keep state, because that is the default, and add log to the block rule. This will allow you to see the blocked packets with tcpdump:

Code:
# tcpdump -eni pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG

01:53:27.574962 rule 0/(match) block in on re0: 188.142.61.141 >
   192.168.222.20: icmp: echo request
01:53:28.575951 rule 0/(match) block in on re0: 188.142.61.141 >
  192.168.222.20: icmp: echo request

01:54:00.295763 rule 0/(match) block in on re0: 188.142.61.141.58361
  > 192.168.222.20.80: S 282493765:282493765(0) win 16384 <mss
  1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 3475091480[|tcp]>
  (DF)

01:57:24.229775 rule 0/(match) block in on re0: 192.168.222.241.138
  > 192.168.222.255.138: udp 201
The first two packets are a blocked ping(8), followed by a probe for a web server at port 80.
The last packet blocked is a NetBIOS broadcast from my wife's Windows machine.

If you are looking for a firewall box rule set you could have a look at http://www.daemonforums.org/showthre...7366#post45234
It is a pf.conf that I use for my OpenBSD firewall box at my home.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#5   12th May 2013
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 330
Thanked 9 Times in 9 Posts

OP needs to define "protect". What expectations are you making that we should be aware of when making suggestions? Are you looking for a simple "block traffic not related to out bound connections I initiated" type of scenario (covered by Denta's post above), or a more advanced "allow inbound traffic to certain services/servers/etc...while blocking other traffic not related to outbound connections I initiate", or even more advanced "block all traffic except allowed outbound traffic", or perhaps a combination of these approaches?
__________________
Linux Admin by Profession. OpenBSD user by choice.
#6   12th May 2013
ripe
New User
Join Date: Feb 2013
Location: France
Posts: 8
Thanked 0 Times in 0 Posts

Hi, thank you all for your answers.

I use OpenBSD as a desktop machine; I work on it (libreoffice, gimp, maybe developing in the future), watch videos (minitube, vlc), download (transmission), and play some video games (online/offline). I chose OpenBSD because it is regarded as secure, of course only if it is well configured, I think now.
I have Windows on another hard disk for the same things (+ more games) but I wanted to have another operating system. Where I work I suffered a virus that encrypted all my files; the admins worked 1 or 2 days to repair it and I said to myself, what if one day it happens at home?

So it is the "block traffic not related to out bound connections I initiated" type of scenario, assuming I can play online.

At the moment I have put in pf.conf what denta and J65nko said, and as jggimi said I will read the PF User's Guide and wait for what you think about it.