How to use OpenBSD to firewall off your ADSL line

By Daniel Walker

Slide 01 – How to use OpenBSD to firewall off your ADSL line or Only one remote hole in the default install, in more than 7 years. Discuss:

Slide 02 – OpenBSD vs Linux:

Secure by default

OpenBSD is secure by default – most Linux distros are less secure out of the box because they ship with more services running, etc.

BSD vs GPL licensing

This can be important, depending on personal beliefs or requirements.

Updating

OpenBSD is dead easy to update – unless they do something like replace the packet filter again – you can just do a CVS update. The project also releases fixes as patches. (At the time of writing, OpenBSD 3.2 has 3 patches.)

Slide 03 – Installing OpenBSD – I:

Install hardware
  1. Pentium MMX 200MHz
  2. 64 Meg RAM
  3. 20 Gig Fujitsu HD
  4. 2x 3Com 3c900B 10Mbps-Combo network cards
Make boot floppy from ftp site

http://www.openbsd.org/ftp.html for list

Follow Install instructions on OpenBSD site

http://www.openbsd.org/faq/faq4.html – from CD, FTP or CVS

Disable some un-needed services
  1. ident
  2. comsat
  3. daytime
  4. time
  5. rstatd
  6. rusersd

Add PermitRootLogin=No to /etc/ssh/sshd_config

A port scan now gives:
Interesting ports on  (192.168.254.174):
(The 1600 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh

Nmap run completed -- 1 IP address (1 host up) scanned in 17 seconds
Compile new kernel

Delete unused drivers and such.

wibble# ls -l /bs*
-rw-r--r--  1 root  wheel  2145836 Dec 21 15:12 /bsd
-rw-r--r--  1 root  wheel  4515116 Dec 21 15:12 /bsd.old

Note: no "ls -lh"!

Slide 04 – Installing OpenBSD – II:

Change default shell to ksh

Unless you like tcsh. bash is not installed by default, but it is in the ports collection.

I’ve never managed to get chsh to work permanently in OpenBSD – you have to change /etc/master.passwd and then run pwd_mkdb -p /etc/master.passwd

Install patches

Buy CD, union mount sources, and install patches or

cd /usr
cvs -q get -rOPENBSD_3_2 -P src

Note: this fetches the patch branch rather than the current sources, as it is more stable. It takes ages, and you have to delete the sources afterwards if you're being really secure.

Slide 05 – The Packet Filter, pf:

Enable packet forwarding, dhcp, firewall and network address translation

Edit /etc/sysctl.conf and uncomment:

net.inet.ip.forwarding=1      # 1=Permit forwarding (routing) of packets
vm.swapencrypt.enable=1       # 1=Encrypt pages that go to swap
Filter and NAT rules
  • Since OpenBSD 3.2, these are both in the same file, /etc/pf.conf
  • For clients behind NAT to work, you need one NAT rule and one RDR rule:

    nat on ep1 from 192.168.1.0/24 to any -> ep1
    rdr on ep0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081

    The second one is only needed if you want active FTP to work!
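As an added example (not from the original slides, and not the pf.txt linked on the next slide), here is a minimal /etc/pf.conf in OpenBSD 3.2 syntax that wraps the two rules above into a loadable ruleset for the two-NIC box from slide 03. It assumes ep0 is the internal LAN interface and ep1 the ADSL side; the 192.168.1.0/24 range and port 8081 are the slide's own values, and ftp-proxy is assumed to be listening on 127.0.0.1 port 8081 via inetd.

```pf
# /etc/pf.conf -- added example in OpenBSD 3.2 syntax.
# Assumed interface roles: ep0 = internal LAN, ep1 = ADSL/external.
ext_if="ep1"
int_if="ep0"
int_net="192.168.1.0/24"

# Reassemble fragments before any rule sees the packet (slide 08's "normalisation").
scrub in all

# In 3.2, translation rules must come before the filter rules.
# Hide the LAN behind the external address.
nat on $ext_if from $int_net to any -> $ext_if
# Only needed for active FTP: hand LAN clients' FTP control connections to
# ftp-proxy, which must be listening on 127.0.0.1:8081 (see /etc/inetd.conf).
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8081

# Default deny in both directions, logged. The LAST matching rule wins.
block in log all
block out log all

pass quick on lo0 all

# LAN hosts may talk to the firewall and through it.
pass in on $int_if from $int_net to any keep state
pass out on $int_if from any to $int_net keep state

# Outbound leg on the ADSL side: TCP gets sequence-number modulation
# (slide 08), UDP and ICMP plain state.
pass out on $ext_if inet proto tcp all flags S/SA modulate state
pass out on $ext_if inet proto { udp, icmp } all keep state

# The only service reachable from the outside is ssh, matching the nmap
# result in slide 03.
pass in on $ext_if inet proto tcp from any to $ext_if port 22 flags S/SA keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf` and turn the filter on with `pfctl -e`. On 3.2 the filter is started at boot by setting pf=YES in /etc/rc.conf.local (check your release's rc.conf). Make sure the port in the rdr rule matches the port on the ftp-proxy line in /etc/inetd.conf, otherwise redirected FTP connections go nowhere.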

Slide 06 – Example pf.conf:

Example pf.conf

Taken from: http://www.muine.org/~hoang/pf.txt

Local copy of above file: pf.txt

Slide 07 – pf vs. ipf:

Licence dispute between Theo de Raadt and Darren Reed

In essence, DR [changed|clarified] the licence to his ipf. It did not allow distribution of modifications – i.e. was not compatible with BSD-style licensing. The version in OpenBSD <= 2.9 is modified.

TdR claims to have [politely|rudely] asked for changes. DR refused, and so OpenBSD project wrote pf, instead.

Licence issues also affected FreeBSD and NetBSD, and DR eventually changed the licence to BSD style anyway, but TdR had already expunged it. ipf is not even in ports, but Darren Reed's OpenBSD versions with ipf are theoretically available; however, I've only ever seen dead links.

Active and Inactive rulesets

ipf had two rulesets in memory at once, and ipf -s swapped between them. You could run ipf -s; sleep 5; ipf -s in case you accidentally locked yourself out of the firewall. AFAIK, pf does not have this.

Performance


pf (after OpenBSD 3.0) seems to perform better than ipf on identical hardware.

Taken from: Stateless filtering with 100 rules (throughput)

Slide 08 – Features of pf that ipf doesn’t have:

Variable Substitution in config file

Useful esp. in multiple roll-outs and for applying the same rule to several IP addresses – e.g. to block goatse.cx except for management IPs

Normalisation of packets

Fixes packet defrag problems.

Scrubbing (state modulation)

Replaces initial sequence numbers, as some IP stacks have poor randomisation.

Slide 09 – pf vs IPTables:

Note: I have never used IPTables. Based on

http://www.benzedrine.cx/pf-paper.html

IPTables does not have proper stateful inspection

Quote: Iptables has not been included in this benchmark because it does not do stateful filtering comparable to pf and IPFilter. The version of iptables that we tested employs connection tracking without any sequence number analysis for packets outside of the initial TCP handshake. While this is unsurprisingly faster, it would be an unfair performance comparison. There is a patch for iptables that adds sequence number checking, but it is still beta and is not included in the GNU/Linux distribution used for testing.

Performance better on IPtables for stateless rules

Quote: In summary, iptables perform the best for stateless rules and pf performs the best when using stateful filtering

Security better on pf

OpenBSD's extra-paranoid security auditing applies to pf

Ruleset parsing more efficient on IPTables

IPTables parses as a tree, pf as a linked list with ‘skip steps’

Better GUI tools for IPTables

Although there are GUI tools for pf – including one written in VB!

Slide 10 – Other stuff that can be done with pf to increase security:

3-legged firewall

Allows DMZ for public webserver, mail server etc.

Virtual servers using rdr

Again, good for servers when you have limited public IP addresses

Remove some executables for services not in use

e.g. sendmail
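As an added example covering both slide 08 (macros, scrub, state modulation, blocking a site except for management IPs) and slide 10 (3-legged firewall with a DMZ, virtual servers via rdr), here is a /etc/pf.conf in OpenBSD 3.2 syntax. It is not the slides' own configuration and goes beyond the slides' hardware: it assumes a third NIC, ep2, for the DMZ, and all DMZ addresses, management addresses and the blocked site are constructed values (the blocked site is an RFC 5737 documentation address standing in for whatever you want to block).

```pf
# /etc/pf.conf -- added example, OpenBSD 3.2 syntax, 3-legged firewall.
# Assumes a third NIC (ep2) for the DMZ; the slides' box has only two cards.
ext_if="ep1"
int_if="ep0"
dmz_if="ep2"
int_net="192.168.1.0/24"
dmz_net="192.168.2.0/24"                    # constructed DMZ range
www_srv="192.168.2.10"                      # constructed DMZ web server
mail_srv="192.168.2.20"                     # constructed DMZ mail server
mgmt_ips="{ 192.168.1.10, 192.168.1.11 }"   # constructed management hosts
blocked_site="192.0.2.1"                    # placeholder for the site to block

# Normalise all incoming packets (defragmentation) before filtering.
scrub in all

# One public address for both private networks.
nat on $ext_if from { $int_net, $dmz_net } to any -> $ext_if
# Virtual servers: public ports on the single public IP handed to DMZ hosts.
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $www_srv
rdr on $ext_if proto tcp from any to $ext_if port 25 -> $mail_srv

# Default deny, logged. In 3.2 the LAST matching rule decides.
block in log all
block out log all
pass quick on lo0 all

# The firewall itself only accepts ssh from the management hosts.
pass in on $int_if inet proto tcp from $mgmt_ips to $int_if port 22 flags S/SA keep state

# LAN may go anywhere except the blocked site; management IPs are exempt.
# Because the last match wins, the two specific rules override the general one.
pass in on $int_if from $int_net to any keep state
block in on $int_if from $int_net to $blocked_site
pass in on $int_if from $mgmt_ips to $blocked_site keep state

# Public services: after rdr the packet already carries the DMZ address.
pass in on $ext_if inet proto tcp from any to $www_srv port 80 flags S/SA modulate state
pass in on $ext_if inet proto tcp from any to $mail_srv port 25 flags S/SA modulate state

# DMZ hosts may reach the Internet but never the LAN.
pass in on $dmz_if from $dmz_net to ! $int_net keep state

# Outbound leg on every interface. A state created on the inbound interface
# does not carry the flow out of the other interface, so each needs a pass.
pass out on $int_if from any to $int_net keep state
pass out on $dmz_if from any to $dmz_net keep state
pass out on $ext_if inet proto tcp all flags S/SA modulate state
pass out on $ext_if inet proto { udp, icmp } all keep state
```

Load it with `pfctl -f /etc/pf.conf` after checking it with `pfctl -nf /etc/pf.conf`. The point of the three-legged layout is that a compromised DMZ host gains nothing towards the LAN: the only DMZ rule points outwards, and nothing from $dmz_net is ever passed in on $int_if. Changing which site is blocked, or which hosts count as management, is a one-line macro edit rather than a hunt through the rules.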

Slide 11 – Summary:

  • pf is an excellent packet filter
  • Debatably better than IPTables
  • Not hard to install
  • Simple to configure
  • Ideal for SOHO network

Slide 12 – References:

OpenBSD home page:
http://www.openbsd.org

OpenBSD patches:
http://www.openbsd.org/security.html

IPF licence article:
http://lwn.net/2001/0524/
(half-way down page)

Discusses original Darren Reed licence problem

IPF changes licence again:
http://www.deadly.org/article.php3?sid=20010922020412

Discusses Darren Reed changing to more free, but not BSD, licence

PF vs ipf vs IPTables paper:
http://www.benzedrine.cx/pf-paper.html

OpenBSD Packet Filter HowTo:
http://www.inebriated.demon.nl/pf-howto/

OpenBSD firewall using pf

Place I gratuitously stole Title-page diagram from: http://www.hal-pc.org/journal/july01/Column/firewell/firewell.html

Building Linux and OpenBSD Firewalls Wes Sonnenreich and Tom Yates, Wiley, ISBN 0-471-35366 Publisher’s Catalogue Page

Out-of-date (based on OpenBSD 2.8 – so ipf, not pf) but has an excellent discussion of the purpose and philosophy behind firewalls – doesn't get to actually installing until Chapter 6!
