DaemonForums  

#1
15th February 2021
sunfish117
New User
Join Date: Feb 2021
Posts: 6

pf public wifi configuration for a laptop

I have OpenBSD on my laptop, have been using it for years.
It cuts my download speeds more than in half with PF active, but that's okay.

Right now, I have a simple configuration for using public wifi that is very incompatible with my needs.

I can't seem to connect to bittorrent, though. I guess even though I opened the port that I USE for bittorrent, that doesn't matter with so many people making me use other random ports.

What can I do? It's not as if I can just open every possible port; that'd be hundreds if not more.
My pf.conf (/etc/pf.conf):
Code:
Services = "{https,http,ntp,22222,ftp,ftp-data,sftp,18500}"

## Interfaces ##
Ext_If = "re0"
Ext_Wlan0 = "athn0"

## Hosts ##

set skip on lo0 # skip rules on loopback device

#block return    # block stateless traffic
#pass            # establish keep-state

block # block all traffic

pass out quick from self # pass outgoing traffic; no more rules applied if hit is positive with quick rule
pass in proto {tcp, udp} to self port $Services
pass in proto icmp

## port build user does not need network
block return out log proto {tcp udp} user _pbuild

## rules for xodo ##
##block out quick proto { tcp, udp } from self user firefox
##block out quick proto { tcp, udp } from self user chromeuser

set block-policy return

## drop TCP segments with nonsensical flag combinations (scan signatures)
block in log quick proto tcp flags FUP/WEUAPRSF        # FIN+URG+PSH without SYN/ACK (Xmas scan)
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF   # every flag set
block in log quick proto tcp flags SRAFU/WEUAPRSF      # SYN+RST+ACK+FIN+URG set together
block in log quick proto tcp flags /WEUAPRSF           # no flags at all (null scan)

To be honest, the pf manual and documentation confuse me, so maybe there's some functionality I'm missing here. I am not a Unix expert; I just use OpenBSD because it's easy and it works, and Linux/Windows refuse to work on my machine.

#2
15th February 2021
TronDD
Spam Deminer
Join Date: Sep 2014
Posts: 304

What client are you using? It's been a while since I've used bittorrent but I thought it only needed one inbound port.

#3
15th February 2021
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

I have provisioned my BitTorrent client with a static port for incoming connections, forwarded to my laptop through my firewalls with a PF rdr-to rule, such as:
Code:
# redirect both TCP and UDP port 7776 to my laptop
pass in on $external_nic proto {tcp udp} from any to any  \
        port 7776 rdr-to $laptop
pass out proto {tcp udp} from any to any port 7776
I'm the port maintainer for net/transmission, a BitTorrent client. In transmission, the incoming port is set via Edit...Preferences...Network in any of transmission's GUI implementations: GTK, Qt, or Web.


#4
16th February 2021
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

A pf.conf rule set is an implementation of a security policy. I have difficulties in reverse engineering your security policy from your rule set.

So the question is what is your security policy?

In other words: what do you allow the laptop user to do or access on the internet (web browsing, IRC chat, ssh out, etc.)?
Do you want to allow parties on the internet to access your laptop (web serving, ftp serving, ssh remote access, etc.)?

All packets from your laptop are allowed to go out: pass out quick from self

Info about these outgoing connections is entered in a "state" table.
All incoming packets are checked against this state table for a matching previous outgoing request. When they match, they are allowed in without checking the rule set.

The incoming packets of the current rule set are limited to a list of services: https,http,ntp,22222,ftp,ftp-data,sftp,18500

If you mean to limit the outgoing stuff to these services, you had better do:

Code:
pass out quick on egress inet proto tcp from any to any port $Services
This will automagically allow the outgoing request packets and their incoming replies.
Then with a default blocking policy you are done.

Actually nearly done, because you also need their UDP equivalents (for NTP as well as TCP and UDP for dns)

I have a 100mbit optic fiber connection so I know nothing about bittorrent.

You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
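As an added example, not from any poster in this thread: a complete laptop pf.conf that implements the policy J65nko describes (default block, stateful outbound only to listed services, with the UDP counterparts for DNS and NTP) and adds jggimi's fixed incoming BitTorrent port. It assumes the client listens on 7776 and runs as the placeholder account torrentuser; `egress` is OpenBSD's automatic interface group for the default route, so the rules follow whichever of re0 or athn0 is up.

```pf
# Added example; assumptions: torrent client pinned to port 7776 and
# running as the placeholder user "torrentuser".
tcp_services = "{ domain http https ssh 22222 }"   # outbound TCP we permit
udp_services = "{ domain ntp }"                     # outbound UDP we permit
bt_port = "7776"                                    # fixed incoming torrent port

set skip on lo0
set block-policy return   # answer with RST/unreachable instead of silently dropping

# Default deny, logged: tcpdump -n -e -ttt -i pflog0 shows what was refused.
block log all

# Drop malformed TCP flag combinations before any pass rule can match them.
block in log quick proto tcp flags FUP/WEUAPRSF        # Xmas scan
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF   # all flags set
block in log quick proto tcp flags SRAFU/WEUAPRSF      # SYN+RST+ACK+FIN+URG
block in log quick proto tcp flags /WEUAPRSF           # null scan

# Outbound: only the listed services. The state created here lets the
# replies back in, so no "pass in" rule is needed for them.
pass out quick on egress inet proto tcp from (egress) to any port $tcp_services
pass out quick on egress inet proto udp from (egress) to any port $udp_services

# BitTorrent needs two things: a fixed listening port so peers can reach us,
# and freedom to dial peers on whatever port they listen on. The second rule
# grants that only to the account the client runs as (socket owner check).
pass in on egress inet proto { tcp udp } from any to (egress) port $bt_port
pass out quick on egress inet proto { tcp udp } from (egress) to any user torrentuser

# Allow pings and the ICMP errors path-MTU discovery depends on.
pass in on egress inet proto icmp icmp-type { echoreq unreach timex }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `pflog0` while the torrent client connects to see which rule is refusing what.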

#5
1st March 2021
SimpL
Port Guard
Join Date: Nov 2020
Location: On a cloud;)
Posts: 31

Hi. Just my 2 cents.

Bittorrent uses random ports if they are not specified. If you specify a port it will use that port for incoming traffic, but the traffic from you will basically be from random ports, though that depends on the torrent. I used utorrent for a while (that was 10 years ago) and it had a wide range of settings.
If you have slow speed on torrent then your settings are a bit off and you need to set them to the correct values. There was an old article about it on utorrent waaaaay back when it was not full of ads and mining stuff (the basic stuff: http://www.torrenttrackerlist.com/be...rent-settings/),
but please don't use utorrent.

If you are behind a router you need to set up the router, or you will not be able to be "active"; you would only be able to achieve a "passive" connection. 10 years ago I had a few headaches with this.