OpenBSD Security: Functionally paranoid!
Hi, Daemon Eagles!
What is the safest strategy to follow in a pf ruleset for an OpenBSD desktop, one contenting itself with basic services only while still being able to use p2p? An example to follow is much appreciated; then I can elaborate on it depending on further needs. Thank you so much,

The one I posted in http://www.daemonforums.org/showthread.php?t=4367 is quite strict, or paranoiac. It even limits ftp to a bunch of explicitly named ftp servers.
IMHO allowing p2p is incompatible with security.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Code:
# deny everything inbound, allow everything outbound
block in all
pass out all

The point here is that one size doesn't fit all situations. The question is broad, & one definitive answer doesn't exist. You can help determine the answer which best fits your needs by studying:
...& of course, the pf(4) manpage is gospel.

Thank you so much, J65nko, Ocicat, Jggimi, for your support...
I purposefully described it as a simple desktop/workstation, not attached to any network but a router. I guess I'd use J65nko's http://www.daemonforums.org/showthread.php?t=4367. As for p2p, at times I use amule and disable the sharing option, so that nobody can see the shared files. With this plus obfuscation support and tor+polipo, is p2p still a security risk?

Security:
As you dig, you may discover more questions to ask. And you may like the answers, or you may not. But they will help you make better decisions. Your nearby Internet search engine may be able to provide you with some answers; for others, you may find yourself wanting to review the source code.
---
If it seems like I am advocating self-sufficiency; well, yes, I am. I also don't have any answers to these questions, because I have never used aMule. I know where to look, though, if I wanted to find out. I would start with Google.

Thank you so much, Jggimi, for brainstorming with daemonfowl.
In fact I highly respect your approach and would consider it. Sometimes a newbie looks for shortcuts to help him decide at the time of asking; later on, though, he would shift course depending on the knowledge/expertise gained. I remember I could not use *nix without KDE; now I feel comfortable without it. Maybe after some time I will do without X, happily.

That's a goal I can +1.
If it weren't for the need for firefox at my place of employment (plugins for some of our internal tools), I'd probably run tmux and a bunch of ssh sessions and leave it at that... but until that requirement goes away I'm using X with cwm and tmux.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Hi Rocket357!
You've got an inspiring nick and a revealing pic! Is cwm your preference over fvwm? Maybe more minimalistic..

I've never really used fvwm seriously, so I can't really say. cwm does what I need and is minimalist, so I use it. Well, it's minimalist *enough*. I went through a "let's optimize everything!" phase with Gentoo and LFS a long time ago, but I gave up on that after a shootout between my l33t uber Gentoo install and stock FreeBSD didn't go the way I wanted it to. Optimization like that gains points for learning, but otherwise is a complete waste of time.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Conversation has veered from pf(4) rules to X window managers. Unless further comments are on the original subject, please start a new thread.

Hello everyone! I'm new to this forum, but I've been using OpenBSD for some months now.
I wanted to present my PF configuration to the OP, but also to the members of this forum, for comments basically, if any. I don't consider the configuration to be very paranoiac, but I believe it provides good functionality with some strict rules. If anything seems abnormal, please give an alternative solution. You will notice I am using sshguard too; it can be found under OpenBSD packages.
Code:
services="{ 80, 443, 3689 }"

# don't filter on the loopback interface
set skip on lo0

# scrub incoming packets
match in all scrub (no-df)

# setup a default deny policy for incoming connections;
# every outbound connection is allowed and keeps state
block all
pass out quick modulate state

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# sshguard rules: the table is filled by sshguard from /var/log/authlog
table <sshguard> persist
block in quick on egress proto tcp from <sshguard> to (egress) port ssh label "ssh bruteforce"

# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
pass in on egress proto tcp from any to (egress) port ssh synproxy state (max-src-conn 15, max-src-conn-rate 5/3)

# open ports for services - protect services from abusive hosts
pass in on egress proto tcp from any to (egress) port $services synproxy state (max-src-conn 100, max-src-conn-rate 15/5)

# allow IGMP traffic with ip options from router
pass in quick on egress proto igmp from X.X.X.X to 224.0.0.0/4 allow-opts

# by default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

For the sake of archive information, can you tell us which version of OpenBSD you are using? Providing the output of the following command will provide all necessary information:
Code:
$ sysctl kern.version

Code:
OpenBSD 4.9 (GENERIC.MP) #794: Wed Mar 2 07:19:02 MST 2011
    ...:/usr/src/sys/arch/i386/compile/GENERIC.MP

You may want to consider strengthening the following rule and its like, unless there's reasons not to.
Code:
# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
pass in on egress proto tcp \
    from any to (egress) port ssh \
    synproxy state (max-src-conn 15, max-src-conn-rate 5/3)
Code:
# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
# log: record matches on pflog0; quick: this is the final match for such packets;
# inet: IPv4 only; from ! (egress:0): never accept our own primary address as a
# source (anti-spoofing)
pass in log quick on egress inet proto tcp \
    from ! (egress:0) to (egress) port ssh \
    synproxy state (max-src-conn 15, max-src-conn-rate 5/3)
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Also, I don't see any NAT rules. Is the 'egress' interface blessed with a truly global IP and, therefore, NAT is not required?
If NAT is required, then you need additional rules, and NAT rules -- done well -- can prevent 'leaks.'
/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Additionally,
Code:
# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
pass in on egress proto tcp \
    from any to (egress) port ssh \
    synproxy state (max-src-conn 15, max-src-conn-rate 5/3)
Code:
# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
# overload <sshbrutes>: a source exceeding either limit is added to the table;
# flush global: all of its existing states are killed, whichever rule created them
pass in on egress proto tcp \
    from any to (egress) port ssh \
    synproxy state (max-src-conn 15, max-src-conn-rate 5/3 overload <sshbrutes> flush global)
Code:
# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
table <sshbrutes> persist
# pf cannot negate a whole list in one rule ("from ! { a b }" does not parse, and
# "{ !a !b }" expands to two rules that each match almost everything), so tabled
# sources are dropped by a separate quick rule placed ahead of the pass rule
block in log quick on egress inet proto tcp \
    from <sshbrutes> to (egress:0) port ssh
pass in log quick on egress inet proto tcp \
    from ! (egress:0) to (egress:0) port ssh \
    synproxy state (max-src-conn 15, max-src-conn-rate 5/3 overload <sshbrutes> flush global)
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
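What the two per-source limits in the rule above do, and what `overload <sshbrutes> flush global` adds when one of them trips, modelled in Python. This is an added illustration, not pf's own code and not anything from this thread: the kernel keeps these counters itself, the sliding window used for `max-src-conn-rate` is an assumption about its accounting, and the addresses and timings are constructed.

```python
from collections import defaultdict, deque


class SourceLimiter:
    """Per-source accounting for a pf rule of the form
        ... synproxy state (max-src-conn N, max-src-conn-rate C/S
                            overload <sshbrutes> flush global)
    Added illustration, not pf's kernel code. The rate limit is modelled
    as a sliding window over the last S seconds (an assumption; pf.conf(5)
    only promises that more than C new connections in S seconds trips it).
    """

    def __init__(self, max_src_conn, rate_count, rate_seconds, flush_global=True):
        self.max_src_conn = max_src_conn
        self.rate_count = rate_count
        self.rate_seconds = rate_seconds
        self.flush_global = flush_global
        self.table = set()                  # contents of <sshbrutes>
        self.open_conns = defaultdict(int)  # live states per source
        self.recent = defaultdict(deque)    # new-connection timestamps per source

    def new_connection(self, src, ts):
        """Verdict for a new SYN from src at time ts (seconds)."""
        # A 'block in quick ... from <sshbrutes>' rule placed before the pass
        # rule drops tabled sources before the pass rule is ever consulted.
        if src in self.table:
            return "blocked"
        window = self.recent[src]
        while window and ts - window[0] >= self.rate_seconds:
            window.popleft()
        window.append(ts)
        too_fast = len(window) > self.rate_count                 # max-src-conn-rate
        too_many = self.open_conns[src] + 1 > self.max_src_conn  # max-src-conn
        if too_fast or too_many:
            self._overload(src)
            return "overloaded"
        self.open_conns[src] += 1
        return "pass"

    def close_connection(self, src):
        """One of src's states expired or the session was closed."""
        if self.open_conns[src]:
            self.open_conns[src] -= 1

    def _overload(self, src):
        self.table.add(src)
        if self.flush_global:
            # 'flush global' kills every existing state from src, whichever
            # rule created it, so an offender loses its open sessions too.
            self.open_conns[src] = 0
            self.recent[src].clear()


def run_demo():
    """Constructed traffic against the thread's limits (15 conns, 5 per 3 s):
    a brute-forcer, a slow state hog, and an admin who logs in three times."""
    lim = SourceLimiter(max_src_conn=15, rate_count=5, rate_seconds=3)
    attacker, hog, admin = "198.51.100.7", "192.0.2.9", "203.0.113.5"
    events = [(0.3 * i, attacker) for i in range(7)]       # 7 SYNs in 1.8 s
    events += [(10.0 + i, hog) for i in range(16)]         # 16 sessions, never closed
    events += [(5.0, admin), (40.0, admin), (90.0, admin)]  # three logins
    verdicts = defaultdict(list)
    for ts, src in sorted(events):
        verdict = lim.new_connection(src, ts)
        verdicts[src].append(verdict)
        if src == admin and verdict == "pass":
            lim.close_connection(src)                       # admin logs out again
    return {"attacker": verdicts[attacker], "hog": verdicts[hog],
            "admin": verdicts[admin], "table": sorted(lim.table)}


if __name__ == "__main__":
    for who, result in run_demo().items():
        print(f"{who}: {result}")
```

The brute-forcer is tabled on its sixth SYN and everything after that hits the block rule; the admin is never touched. The state hog never exceeds the rate but still trips `max-src-conn` on its sixteenth open session, which is why the two limits are worth combining.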

Thank you s2scott.
The interface has a truly global IP, so yes, no need for NAT there. About the sshbrutes table, the sshguard program already creates a table, named sshguard, not by any overload command, but in the background (by polling the /var/log/authlog file). So this command blocks any IP that exists in the sshguard table:
Code:
block in quick on egress proto tcp from <sshguard> to (egress) port ssh label "ssh bruteforce"
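The approach the post above describes, a daemon reading /var/log/authlog and feeding offenders into the <sshguard> table that the block rule consults, sketched in Python. This is an added example, not sshguard's code: the authlog lines are constructed, the policy of four failures within ten minutes is an assumption rather than sshguard's defaults, and the pfctl commands are generated as strings, not executed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/authlog (not from a real host): the source
# 198.51.100.7 fails four times in eight seconds; the admin at 203.0.113.5
# mistypes a password once and then logs in.
SAMPLE_AUTHLOG = """\
Mar  5 10:22:01 desk sshd[4121]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  5 10:22:04 desk sshd[4121]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  5 10:22:07 desk sshd[4123]: Invalid user admin from 198.51.100.7
Mar  5 10:22:09 desk sshd[4123]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar  5 10:23:15 desk sshd[4130]: Accepted publickey for daemonfowl from 203.0.113.5 port 40122 ssh2
Mar  5 10:25:40 desk sshd[4140]: Failed password for daemonfowl from 203.0.113.5 port 40130 ssh2
Mar  5 10:25:52 desk sshd[4140]: Accepted password for daemonfowl from 203.0.113.5 port 40130 ssh2
"""

# sshd failure messages that carry a source address
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from "
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text, year=2011):
    """Map each source address to the timestamps of its authentication
    failures. syslog lines carry no year, so one is assumed (2011 matches
    the thread)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        failures[m.group(1)].append(ts)
    return failures


def offenders(log_text, threshold=4, window_seconds=600):
    """Sources with at least `threshold` failures inside some span of
    `window_seconds` (assumed policy; sshguard has its own thresholds)."""
    bad = []
    for ip, times in parse_failures(log_text).items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                bad.append(ip)
                break
    return sorted(bad)


def pfctl_commands(ips, table="sshguard"):
    """What an sshguard-style daemon would run per offender: add the address
    to the table the block rule reads, then kill its live states. Returned
    as strings rather than executed."""
    cmds = []
    for ip in ips:
        cmds.append(f"pfctl -t {table} -T add {ip}")
        cmds.append(f"pfctl -k {ip}")
    return cmds


if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(SAMPLE_AUTHLOG)):
        print(cmd)
```

Counting "Invalid user" lines as failures matters: a scanner probing usernames never reaches the password stage, so a detector that only matches "Failed password" undercounts it. The admin's single typo stays below the threshold, which is the property that separates this from the kernel-side rate limit: the table is driven by authentication outcomes, not by connection counts.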

Less is more!

Another update of mine:
Code:
# outbound: only tcp, udp and icmp leave the host; replaces the earlier
# 'pass out quick modulate state', which let every protocol out
# (icmp6 is a separate protocol in pf and is not covered by this list)
pass out quick proto { tcp udp icmp } modulate state