Junky
July 30th, 2003, 18:25
Hi,
I am fairly new to OpenBSD (3.3 CD) and could do with a little advice regarding PF. Here is my setup:
ISP
|
|
Cable Modem
|
|
| [W]
Linksys Router
| [L]
|
P1----------DMZ
P2----------XBOX (yes, I know)
P3----------[vr0] OpenBSD-PF [xl0]---------------[I] Browsing Machine
P4
P5
Where:
[W] = DHCP assigned by ISP
[L] = 192.168.1.1/255.255.255.0
[vr0] = 192.168.1.4/255.255.255.0
[xl0] = 172.16.0.1/255.255.255.0
[I] = 172.16.0.2/255.255.255.0
So the OpenBSD machine has /etc/mygate of 192.168.1.1.
Basically the 'Browsing Machine' is a tri-boot of Windows, OpenBSD and FreeBSD which I am using to learn on. I also want this machine to be as secure as possible in case I do something silly during my experiments!
I know it would probably be easier to make vr0 DHCP and plug straight into the Cable Modem, but this would mean having to have an extra noisy machine (and more heat) powered up when I am using Xbox Live. Also it appears the Linksys router provides basic filtering.
Don't worry, I am coming onto the problem(s) shortly!...
Anyway, I bought a copy of Michael Lucas's book "Absolute OpenBSD" and after some heavy copying (!) I had:
For /etc/pf.conf:
# /etc/pf.conf
#
# MACROS
int_if = "xl0"
ext_if = "vr0"
# TABLES
table <illegal_in> file "/etc/pf_illegal_ip_in"
table <illegal_out> file "/etc/pf_illegal_ip_out"
# OPTIONS
set block-policy drop
set loginterface $ext_if
#set loginterface $int_if
set optimization normal
# TRAFFIC NORMALISATION
scrub in all
# BANDWIDTH MANAGEMENT
#
# TRANSLATION
#
# REDIRECTION
#
# PACKET FILTERING
# Block everything
block drop in all
block drop out all
# Stop all IPv6 traffic
block drop in log quick inet6 all
block drop out log quick inet6 all
# Prevent spoofing of non-routable addresses
block drop in log quick on $ext_if from <illegal_in>
block drop in log quick on $int_if from <illegal_out>
# Antispoof all interfaces
antispoof log for vr0
antispoof log for xl0
antispoof log for lo0
# Pass everything on loopback (lo0)
pass in quick on lo0 all
pass out quick on lo0 all
# Disrupt port scanners
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags SFUP/SFRAU
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
# block in quick proto tcp all flags P
# Allow valid network traffic in and out
pass in on $int_if from 172.16.0.2 to any modulate state
pass out on $ext_if proto tcp to any port { www, https } modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
And /etc/pf_illegal_ip_in:
# /etc/pf_illegal_ip_in
#
224.0.0.0/3
10.0.0.0/8
127.0.0.0/8
0.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
204.152.64.0/23
192.0.2.0/24
255.255.255.255/32
!192.168.1.1
And /etc/pf_illegal_ip_out:
# /etc/pf_illegal_ip_out
#
224.0.0.0/3
10.0.0.0/8
127.0.0.0/8
0.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
204.152.64.0/23
192.0.2.0/24
255.255.255.255/32
!172.16.0.2
OK, the rules are loaded as shown above, but I have a couple of problems:
1. #set loginterface $int_if
Only one interface seems to be logged by PF (shown by pfctl -s
info) For instance, if I uncomment the above line then xl0 is
logged but vr0 is no longer logged? I know it is not really needed,
but how can I log all the interfaces?
2. I copied the rules to 'confuse' port scanners straight out of Michael
Lucas's book and to be honest, I have taken them as read.
However if I uncomment the line:
# block in quick proto tcp all flags P
Then PF complains of an error in this line - something is wrong but
I do not understand what?
3. I get confusing results when I try to test the firewall, which I am
pretty sure is to do with having the Linksys router in the way (ie
this is doing things to data too).
From: http://www.grc.com - Shields Up
Shows: All ports show as stealth except IDENT (113) is shown
as closed
From: http://scan.sygatetech.com - TCP scan
Shows: All ports show as stealth except IDENT (113) AND WEB
(80) are shown as closed???
[Both run from my browsing machine]
The thing is if I disable PF I get the same results.
I suppose this means that my PF rules aren't doing anything and I
am just seeing results from router (which has very little to
configure)? Still the two web sites also show inconsistencies???
Can anyone help with any of these things - especially if my rules are even
valid - I'd sure be grateful and it would give me a bit of confidence!!!
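As an added illustration (constructed here, not code from the post or from Lucas's book), the following Python models two pieces of the ruleset's semantics: the `flags a/b` matcher behind the "Disrupt port scanners" rules, and the most-specific-match table lookup that lets the negated entry `!192.168.1.1` carve the gateway out of the 192.168.0.0/16 block in `<illegal_in>`. It assumes both flag sets are written out (the bare `flags P` form the poster asks about is deliberately not modelled).

```python
"""Constructed model of two pf.conf semantics used by the posted ruleset."""
import ipaddress

# TCP flag letters as pf names them (FSRPAUEW) with their header bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def flag_mask(letters: str) -> int:
    """Turn a pf flag string such as 'SFRA' into a bitmask."""
    return sum(FLAG_BITS[c] for c in letters)


def flags_match(spec: str, tcp_flags: int) -> bool:
    """True if a packet whose TCP flag byte is `tcp_flags` matches 'flags a/b'.

    Of the flags listed in b, exactly those listed in a must be set; flags
    not listed in b are ignored. So 'S/SAFR' accepts a bare SYN, rejects a
    SYN+ACK, and does not care whether PSH is set.
    """
    if spec == "any":
        return True
    a, sep, b = spec.partition("/")
    if not sep:
        raise ValueError("this model needs an explicit mask: write a/b or /b")
    return tcp_flags & flag_mask(b) == flag_mask(a)


# The "Disrupt port scanners" rules from the post, in the order pf sees them.
SCANNER_RULES = ["SF/SFRA", "SFUP/SFRAU", "FPU/SFRAUP", "/SFRA", "F/SFRA", "U/SFRAU"]


def scanner_rule_hit(tcp_flags: int):
    """Return the first scanner rule that blocks this flag combination, or None."""
    for spec in SCANNER_RULES:
        if flags_match(spec, tcp_flags):
            return spec
    return None


# Entries copied from the posted /etc/pf_illegal_ip_in table.
ILLEGAL_IN = ["224.0.0.0/3", "10.0.0.0/8", "127.0.0.0/8", "0.0.0.0/8",
              "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
              "204.152.64.0/23", "192.0.2.0/24", "255.255.255.255/32",
              "!192.168.1.1"]


def table_contains(entries, addr: str) -> bool:
    """pf table semantics: the most specific matching entry decides, and a
    negated entry ('!x') means the address is NOT in the table even though a
    broader listed block covers it."""
    ip = ipaddress.ip_address(addr)
    best = None  # (network, negated) of the longest-prefix match so far
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]
```

Running `scanner_rule_hit(flag_mask("SF"))` shows which rule a SYN+FIN probe trips, and `table_contains(ILLEGAL_IN, "192.168.1.1")` shows the gateway escaping the block rule while `192.168.1.77` does not.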