INDEX

Numbers
10.0.0.1 IP address, 27
192.168.0.1 IP address, 27
802.11
    hardware, 44
    MAC address filtering, 42–43
    WEP (Wired Equivalent Privacy), 43
    WPA (Wi-Fi Protected Access), 43

Symbols
< > (angle brackets), 39
: (colon), 91
! (exclamation mark), 39, 58
() (parentheses), 31, 154, 159

A
Absolute OpenBSD (Lucas), 170
Acar, Can Erkin, 141
access points
    FreeBSD WPA, 48–49
    with multiple interfaces, 50
    OpenBSD WPA, 47–48
    PF rule set, 49–50
adaptive firewall. See also firewall
    max, 88
    overload, 88
    setting up, 86–88
address-allocation process, 27–28
addresses
    IP version 4, 27
    IP version 6, 27
    nonroutable, 83–84
    routable, 60, 72
alert syslog level, 156
(all) logging option, 134–135
ALTQ (ALTernate Queueing). See also network traffic; traffic
    ACK packets, 110
    cbq (class-based queues), 107, 112–113
    concepts, 106
    determining bandwidth, 109
    features of, 105–106
    on FreeBSD, 107–108
    handling unwanted traffic, 117–118
    HFSC (Hierarchical Fair Service Curve) algorithm, 107
        traffic shaper, 113–115
    match rules for assignment, 110–111
    on NetBSD, 108
    on OpenBSD, 107
    priq queues, 106–107, 108–111
    queue concept, 106
    queue disciplines, 106
    queue schedulers, 106
    real-world example, 109–110
    rule sets, 113
    for servers in DMZ, 115–117
    setting up, 107–108
    syntax for, 108
    ToS (type of service) fields, 110
    using to handle traffic, 117–118
ancontrol program, 42
angle brackets (< >), 39
antispoof, 159–160
ARPANET, 27
ARP balancing, 128
Artymiak, Jacek, 170
attack techniques, 159
authpf program, 55–57. See also security
    macros and redirection, 57–58
    special-case rules, 57
    user_ip macro, 57
auth_web macro, 58

B
baseline filtering rule, 19
Beck, Bob, 104, 168, 171
Berkeley Software Distribution (BSD) systems, 3, 5
    vs. Linux, 6
    reading configurations, 6
blacklisting mode, setting up spamd in, 91–92
blacklists, 97, 104
block in all rule, 17
block-policy option
    drop value, 152
    return value, 152
Brauer, Henning, 2, 5, 106, 144, 168
bridge, defined, 78
bridge setup. See also firewall
    on FreeBSD, 80–81
    on NetBSD, 81–82
    on OpenBSD, 79–80
brute-force attacks, 86–88
bruteforce table entries, removing, 89
BSD (Berkeley Software Distribution) systems, 3, 5
    vs. Linux, 6
    reading configurations, 6
Buechler, Christopher M., 171
Building Firewalls with OpenBSD and PF, 2nd Edition (Artymiak), 170
bytes in and out, showing, 23

C
CARP (Common Address Redundancy Protocol). See also gateways
    advskew parameter, 123, 129
    checking configurations, 123
    checking kernel options, 121
    demotion counter, 124
    gateways, 119–121
    GENERIC kernel configurations, 121
    ifconfig for interfaces, 122–124
    ifstated daemon, 127
    kernel options, 121
    for load balancing, 128–131
    network interfaces, 122–124
    passphrase, 124
    setting values, 121–122
    setting up, 121–124
    states, 130
    traffic, handling, 126
    using for load balancing, 128–130
    vhid (virtual host ID), 121
Cho, Kenjiro, 170
Christmas Tree EXEC worm, 2
Cisco’s PIX firewall series exploit, 159
colon (:), 91
Common Address Redundancy Protocol (CARP). See CARP (Common Address Redundancy Protocol)
configuration files
    placement of, 11, 13
    as program output, 8
    reading, 6
configuration tools, 11
connection information. See state table
content filtering, 90
control messages. See ICMP (Internet Control Message Protocol)
Core Force firewall product, 5. See also firewall
crit syslog level, 156
job, creating for spamd-setup, 92

D
debugging. See also logging; PF (Packet Filter) subsystem: logs
    rule sets, 162–164
    using log data for, 150
debug option, 156–157
debug syslog level, 156
deep packet inspection, 2
Dehmlow, Sven, 2
demilitarized zone (DMZ), 63–64
    with NAT, 73
    queueing for servers in, 115–117
    testing, 161
    total_ext bandwidth, 117
denial-of-service (DoS) attacks, 83, 159
de Raadt, Theo, 2, 4, 170
“Design and Performance of the OpenBSD Stateful Packet Filter (pf)” (Hartmeier), 168
dhclient command, 53
divert(4) sockets, 2
Dixon, Jason, 9, 170
DMZ (demilitarized zone), 63–64
    with NAT, 73
    queueing for servers in, 115–117
    testing, 161
    total_ext bandwidth, 117
DNS, running, 60
domain name resolution, performing, 18
domain names vs. IP addresses, 33
DoS (denial-of-service) attacks, 83, 159
DragonFly BSD, 3, 5

E
email setups, dealing with, 102–103
email transmissions, RFC for, 95
error information, generating, 156–157
ESP protocol traffic, 51
Essential SNMP, 2nd Edition (Mauro and Schmidt), 171
/etc/pf.conf, 6, 18
/etc/rc.conf file, 6, 13
example.com network, 60
exclamation mark (!), 39, 58
“Exploit Mitigation Techniques” (de Raadt), 2

F
failover and redundancy. See CARP (Common Address Redundancy Protocol)
“Failover Firewalls with OpenBSD and CARP” (Dixon), 170
FAQs (frequently answered questions), 7–8
File Transfer Protocol (FTP), 34
    proxying configuration, 34–36
    security issues, 34
file transfers, options for, 34
filtering on interface groups, 76–77
filtering rules, testing, 23
firewall, 3. See also adaptive firewall; bridge setup; Core Force firewall product
    configuration
        mistakes in, 26
        to keyword, 26
    guides, applying to rule sets, 21
    implementing as bridges, 78–79
Floeter, Reyk, 66
flowd package
    configuration, 146
    described, 145–146
    filtering features, 147–149
    flows, 146–147
    gateway field, 147
    internalnet macro, 148
    limiting data stored, 148
    protocols, 146
    setting up daemon, 146
    storage of fields in flow records, 148
    unwired macro, 148
    verbose output, 147–148
fragments
    handling, bugs in, 159
    reassembly options, 158

FreeBSD, 3–4
    ALTQ (ALTernate Queueing) on, 107–108
    bridge setup on, 80–81
    connecting to WEP access point, 53–54
    default values for PF-related settings, 14
    /etc/rc.d/pf script, 15
    GENERIC kernel, 14
    IP forwarding, 29
    kernel options, 121–122
    packet filter (pf) home page, 170
    pfSense build, 7
    rc scripts, 15
    setting up PF on, 13–15
    spamd in greylisting mode, 96
    versions of, 14
    wireless network configuration, 46, 48
frequently answered questions (FAQs), 7–8
FTP (File Transfer Protocol), 34
    proxying configuration, 34–36
    security issues, 34
ftp-proxy with redirection, 34–36

G
gateways, 160–161. See also CARP (Common Address Redundancy Protocol)
    allowing name service for clients, 32
    authenticating, setting up, 55–57
    diagram, 120
    rule sets, 31
    setting up, 26, 29–33
    using pass rule with, 32
GENERIC kernel, using with FreeBSD, 14
global settings
    block-policy, 152
    debug option, 156–157
    fragment reassembly, 158
    limit option, 155–156
    optimization option, 158
    reassemble option, 158
    ruleset-optimization option, 157–158
    skip option, 152–153
    state-defaults option, 153–154
    state-policy, 153
    timeout option, 154–155
greylisting, 93–98
    keeping in sync, 101–102
    mode
        managing, 102–103
        setting up spamd in, 94–96
    web resources, 171
greytrapping, 98–99, 104
GUI tool, using with PF rule set, 7

H
haiku, 8
hardware support
    developers, 175
    efforts, 175–176
    getting, 174–175
Harris, Evan, 93–94, 171
Hartmeier, Daniel, 4, 109–110, 141, 168
Hole, Kjell Jørgen, 42, 171
hostnames vs. IP addresses, 33
hosts, providing feedback to, 152

I
IBM Christmas Tree EXEC worm, 2
ICMP (Internet Control Message Protocol), 36–37, 39
    codes, 38, 39
    packet types, 38–39
IEEE 802.11 hardware, 44
    MAC address filtering, 42–43
    WEP (Wired Equivalent Privacy), 43
    WPA (Wi-Fi Protected Access), 43
ifconfig command, 45
    -a output of, 30
    bridge configuration, 79–80

    CARP configuration, 124
    interface groups, 45, 47, 51, 52, 71, 76–77, 123
ifstated daemon, 127
ILOVEYOU worm, 2
in and out rules, 26–27
information technology (IT), 2
info syslog level, 156
inserts counter, 23
interface groups, filtering on, 76–77
interface:network notation, 28–29
interfaces, testing running status of, 30
interface state daemon, 127
Internet Control Message Protocol (ICMP), 36–37, 39
    codes, 38, 39
    packet types, 38–39
IP addresses
    vs. domain names, 33
    vs. hostnames, 33
    IPv4 vs IPv6, 27
    lists of, 39–40
IPFilter
    compatibility with, 4
    copyright infringement episode, 4
IPSec VPN solutions, 50–51
iptables vs. PF, 8
IPv6
    ICMP updates for, 39
    vs. NAT (Network Address Translation), 27–28
    packets, blocking, 23
    traffic, forwarding, 29
IT (information technology), 2

K
KAME project, 28
keep state, 17
kern.debug log level, 156–157
kernel
    hacking, 4
    memory space, 155
    PF loadable module, 14, 15, 108
Knight, Joel, 150
Kozierok, Charles M., 169

L
labels, using for traffic statistics, 138–139
Lehey, Greg, 3
limit option, 155–156
links, establishing in wireless networks, 42
Linux
    vs. BSD, 6
    naming conventions, 6
    possibility of running PF on, 7
lists
    defined, 18
    of IP addresses, 39–40
    maintaining for services, 20
    managing with spamdb, 100–101
    updating, 101
    using for readability, 18–22
load balancing, 66–71, 73–74, 128–131
local network, defining, 28–29
logging. See also debugging; monitoring tools; PF (Packet Filter) subsystem: logs
    (all) option, 134–135
    basics, 132–133
    data, using for debugging, 150
    files, rule numbers in, 133
    legal implications of, 134
    with pflogd daemon, 132
    to pflog interfaces, 135
    syslog, 135–137
    using tcpdump program for, 133
logical NOT operator (!), 39, 58
loopback interface, preventing filtering of, 13
Lucas, Michael W., 170

M
MAC address filtering, 42–43
macros
    using for readability, 18–22, 28–29, 31
    using with authpf program, 57–58
mail connections, tracking, 98
mail-in and mail-out labels, 138

mail server, 61, 71–72
malicious software, 2
Management Information Base (MIB), 150
“Managing Traffic with ALTQ” (Cho), 170
man pages (manuals)
    consulting, 8
    looking up, 44
    listing, 44
martians macro, 83–84
match rule, using with nat-to, 31
Mauro, Douglas R., 171
maximum transmission unit (MTU), 38
Mazzocchio, Daniele, 169
McBride, Ryan, 5
memory pools, setting size of, 155–156
MIB (Management Information Base), 150
Miller, Damien, 2, 145, 150
monitoring tools. See also logging; NetFlow; PF (Packet Filter) subsystem: logs; pflow(4) pseudo-interface
    flowd, 145–149
    flow-tools, 145
    nfdump, 145
    pfflowd, 149
    pftop, 141
    pstat, 141–143
    systat, 139–141
Morris worm, 2
MTU (maximum transmission unit), 38

N
name resolution
    handling, 20, 60
    testing, 21–22
naming network interfaces, 6
NAT (Network Address Translation)
    DMZ with, 73
    handling for gateways, 31
    vs. IPv6, 27–28
Nazario, Jose, 171
NetBSD, 3, 5
    ALTQ (ALTernate Queueing) on, 108
    bridge setup on, 81–82
    /etc/defaults/pf.boot.conf file, 16
    /etc/pf.conf file, 16
    IP forwarding, 29
    kernel options, 121
    PF pages, 170
    setting up PF on, 15–16
NetFlow, 143–144. See also monitoring tools; pflow(4) pseudo-interface
    analysis, 145–149
    choosing collectors, 145
    collector and analysis packages, 145
    data collecting, 145–149, 149–150
    flowd package, 145–149
    flow-tools package, 145
    nfdump package, 145
    reporting, 145–149
    sensor, setting up, 144–145
network, diagram of, 60, 64, 82, 116, 120, 161
Network Address Translation (NAT)
    DMZ with, 73
    handling for gateways, 31
    vs. IPv6, 27–28
Network Flow Analysis (Lucas), 170
network interfaces
    excluding from PF processing, 152–153
    naming, 6, 31
networks
    with gateways, 120
    setting up, 74–76
network traffic. See also ALTQ (ALTernate Queueing); traffic
    catching via filtering rules, 23
    cleaning up, 158–160
    diagram of, 142, 143
    directing with ALTQ, 105–108
    IPSec VPN solutions, 50–51

    limiting, 3
    logging, 133
    seeing snapshots of, 139–141
    viewing on interfaces, 164
network troubleshooting, 36–39
nixspam blacklist, 104
nonroutable addresses, 83–84
notice syslog level, 156

O
OpenBSD
    3.0 base system, 4
    3.1, PF performance, 4
    ALTQ (ALTernate Queueing) on, 107
    approach toward design, 2
    approach toward security, 2
    benefits of, 5
    bridge setup on, 79–80
    connecting to WEP access point, 51–53
    default pf.conf file, 13
    encapsulation interface, 51
    /etc/rc script, 13
    ifstated daemon, 127
    IP forwarding, 29
    kernel options, 121
    papers by developers, 168
    pass rules, 17
    presentations by developers, 168
    setting up PF on, 12–13
    version of IPFilter, 4
    website, 168
OpenBSD Journal, 167
optimization option
    aggressive setting, 158
    conservative setting, 158
    high-latency value, 158
    satellite value, 158
out-of-memory conditions, 159
out-of-order MX use, detecting, 102

P
Packet Filter (PF) subsystem. See PF (Packet Filter) subsystem
packets
    displaying live view of, 140
    filtering, 3–4, 18, 76–77
    forwarding, turning on for gateways, 29
    getting information about, 23
    logging, 134–135
    matching to state table, 153
    movement, tracking, 137
    normalization, 158–159
    tagging, 77–78
    tracking paths of, 164
Palmer, Brandon, 171
parentheses (), 31, 154, 159
pass rule, using with gateways, 32
path MTU discovery, 36, 38–39
Pentium III machine, 5
permissive rule sets, 19–20
pf.conf file, 13
pfctl program, 11–12
    -d option, 12, 162
    -sm option, 155
    -s timeouts option, 154–155
    using to extract information, 22–23
    using with tables, 89
pfflowd package, 149–150
#pf IRC channel wiki, 169
pflog interfaces
    cloning, 135
    disabling data accumulation, 136
    logging to, 135
pflogd logging daemon, 132
pflow(4) pseudo-interface, 143–144. See also monitoring tools; NetFlow
pflow device, enabling, 144–145
pflow state option, 143
PF (Packet Filter) subsystem, 1
    code, finding, 5
    configuration
        converting other products to, 7–8
        debugging, 162
    confirming running status of, 22
    data, graphing, 141–143
    disabling, 12

PF (Packet Filter) subsystem, continued
    enabling, 12–13, 162–163
    haiku, 8
    vs. iptables, 8
    logs, 132–133. See also debugging; logging; monitoring tools; syslog
        collecting data for, 132
        storage of data, 132
        tracking statistics for rules, 137–139
        using labels with, 137–139
    fingerprinting, 118
    releases 4.4 through 4.8, 5
    requirements for, 5
    rise of, 3–5
    rules, changes to syntax, 8
    rule set, managing, 7
    running on Linux, 7
    setting up on FreeBSD, 13–15
    setting up on NetBSD, 15–16
    setting up on OpenBSD, 12–13
    user guide, 75
    version in OpenBSD 4.8, 5
pf_rules= setting, 13
pfSense build of FreeBSD, 7
pfSense: The Definitive Guide (Buechler and Pingle), 171
pfstat utility
    collect statements, 142
    color values in graphs, 142
    described, 141
    home page, 143
    image definition, 142
    setting up, 142
    specifying graph size, 142
pfsync protocol, 119
    adding, 125–126
    interfaces, configuring, 125
    rule sets, 126–127
    systat states, 126
pftop tool, 141
ping command, 37
Pingle, Jim, 171
ping of death, 36
PIX firewall series exploit, 159
pool memory, availability of, 155
PPP connection, using with gateways, 30
PPPoE, using with gateways, 30
pstat tool, 141–143
“Puffy Work—Getting Code Right and Secure, the OpenBSD Way” (Brauer and Dehmlow), 2

Q
queues. See ALTQ (ALTernate Queueing)
quick keyword, 32–33

R
Ranum, Marcus, 2, 18, 169
readability, using lists and macros for, 18–22
Realtek cards, 31
reassemble option, 158
redirection
    for load balancing, 73–74
    to pool of addresses, 65–66
    using with authpf program, 57–58
    using with auth_web macro, 58
    using with ftp-proxy, 34–36
re driver, 26–27
redundancy and failover. See CARP (Common Address Redundancy Protocol)
Reed, Darren, 4
Reed, Jeremy C., 171
relayd daemon
    CARP-based failover, 71
    enabling at startup, 69
    redirects and relays, 66
    ssl options, 70–71
    starting, 68
    sticky-address option, 68
    tcp options, 71
    using for load balancing, 128
    webpool table, 68

remote X11 traffic, blocking, 13
removals counter, 23
resource exhaustion, 159
RFCs
    114 (FTP), 34
    765 and 775 (TCP/IP), 34
    792, 39
    950, 39
    1067 (SNMP), 150
    1191, 39
    1256, 39
    1631 (IP NAT), 168
    1631 (NAT), 28
    1885 (ICMP updates for IPv6), 39
    1918 (address allocation), 28, 60, 169
    2018, 71
    2281 (VRRP), 119
    2460 (IPv6), 28
    2463 (ICMP updates for IPv6), 39
    2466 (ICMP updates for IPv6), 39
    2521, 39
    2765, 39
    2821, 95
    3330, 60
    3411 through 3418 (SNMP), 150
    3768 (VRRP), 119
    5321, 95
Ritschard, Pierre-Yves, 66
round-robin option, 65
routable addresses, 60, 72
rule numbers, displaying for debugging, 163
rules
    changing order of, 157
    evaluating for gateways, 32
    expansion of, 138–139
    getting log data for, 132
    merging into tables, 157
    parsing without loading, 21
    reading, 21
    removing duplicates, 157
    removing subsets of, 157
    tracking statistics for, 137–139
ruleset-optimization option, 157–158
rule sets
    bridge, 82–83
    building, 16–17
    checking changes to, 21
    debugging, 162–164
    escapes from sequences, 32–33
    examining, 13
    firewall considerations, 21
    keep state part, 17
    loading, 12, 162–163
    logic errors, 163–164
    permissive, 19–20
    quick keyword, 32–33
    storage of, 11
    case sequence, 162
    testing, 18
        after changing, 21–22
        for gateways, 33
Russian name server example, 134

S
Schmidt, Kevin J., 171
Schwartz, Randal L., 169, 170
scrub feature, 158–159
Secure Architectures with OpenBSD (Palmer and Nazario), 171
Secure Shell (SSH) service, 86
security. See also authpf program
    OpenBSD’s approach to, 2
    in wireless networks, 42
“Security Measures in OpenSSH” (Damien Miller), 2
Sender Policy Framework (SPF) records, storage of, 103
services
    maintaining lists of, 20
    running, 65
    segregating, 63–65
set options, 152
setup, testing, 160–162
Simple Network Management Protocol (SNMP), 150
skip option, 152–153

SMTP
    servers, outgoing, 103
    standards, interpreting, 93–97
    traffic, initiating, 61–62
SNMP (Simple Network Management Protocol), 150
software, malicious, 2
spam, fighting, 104
SpamAssassin, 90
spamdb, using to manage lists, 100–101
spamd daemon
    features of, 89–90
    keeping greylists in sync, 101–102
    logging, 93
    running, 104
    setting up in blacklisting mode, 91–92
    setting up in greylisting mode, 94–96
spamlogd whitelist updater, 98
SPF (Sender Policy Framework) records, storage of, 103
spoofing, protecting against, 159–160
SSH brute-force attacks, 86
SSH (Secure Shell) service, 86
state-defaults option, 153–154
state information, keeping, 17
state-policy option
    floating value, 153
    if-bound value, 153
state table, 17, 153
    graphing, 142, 143
    statistics, interpreting, 23
    viewing, 139–140
state-timeout handling, 158. See also timeout option
state-tracking options, 87–88
statistics, displaying live view of, 140
sticky-address option, 65–66
stuttering, 90
SYN-flood attacks, 62
synproxy state option, 62
sysctl command, using with IPv6 traffic, 29
syslog
    levels, 156
    logging to, 135–137. See also PF (Packet Filter) subsystem: logs
systat program, 111
    bytes view, 140
    cycling through views, 141
    view, 141
    view, 141
    packets view, 140
    pf view, 140
    rules output, 140
    states output, 139–140
    view, 141
system information, displaying, 22–23
system status. See monitoring tools

T
tables
    entries, expiring, 89
    tidying with pfctl, 89
    using as lists of IP addresses, 39–40
tags, 77–78
tarpitting, 90
tcpdump program, 133
    nohup command, 137
    using to view traffic, 164
    using with syslog, 136–137
TCP/IP
    configuring client for, 53
    packet filtering, 30–31, 34, 38, 169
TCP traffic, viewing, 164
TCP vs. UDP services, 20
testing setups, 160–162
“The Next Step in the Spam Control War: Greylisting” (Harris), 93–94, 171
The OpenBSD PF Packet Filter Book (Reed), 171
“The Six Dumbest Ideas in Computer Security” (Ranum), 2, 18, 169
The TCP/IP Guide (Kozierok), 169

timeout option. See also state-timeout handling
    adaptive values, 154
    frag value, 154
    inspecting settings for parameters, 154–155
    interval value, 154
    src.track value, 154
to keyword, with firewalls, 26
traceroute command, 37–38
traffic. See also ALTQ (ALTernate Queueing); network traffic
    catching via filtering rules, 23
    cleaning up, 158–160
    diagnostic, permitting, 37
    directing with ALTQ, 105–108
    displaying live view of, 140
    graphing with pfstat, 142, 143
    limiting, 3
    logging, 133
    seeing snapshots of, 139–141
    shaping
        cbq (class-based queues), 107, 112–113
        concepts, 106
        features of, 105–106
        HFSC (Hierarchical Fair Service Curve), 107
        queue concept, 106
        queue disciplines, 106
        queue schedulers, 106
        real-world example, 109–110
        setting up, 107–108
        ToS (type of service) fields, 110
        using to handle traffic, 117–118
    showing snapshots of, 141
    totals, 137
    viewing on interfaces, 164
traplist, setting up, 99–100
trojans, 2
troubleshooting networks
    ICMP protocol, 36–37
    path MTU discovery, 38–39
    ping command, 37
    traceroute command, 37–38

U
UDP vs. TCP services, 20
.se user group, 169
/usr/share/examples/pf/pf.conf file, 15

V
verbose mode, 20
virtual local area network (VLAN), 63
virtual private networks (VPNs), setting up, 50–51
Virtual Router Redundancy Protocol (VRRP), 119
viruses, 2
VLAN (virtual local area network), 63
VPNs (virtual private networks), setting up, 50–51
VRRP (Virtual Router Redundancy Protocol), 119

W
warning syslog level, 156
webpool table, creating, 68
web server, running, 71–72
websites
    Cisco’s PIX firewall series exploit, 159
    “Explaining BSD,” 3
    flow-tools package, 145
    FreeBSD packet filter (pf) home page, 170
    greylisting.org, 171
    Hartmeier, Daniel, 4
    network security, 42
    nfdump package, 145
    OpenBSD, 168
    OpenBSD security, 2
    pfSense (FreeBSD build), 7
    security, 42
    SpamAssassin, 90
    Wi-Fi Net News, 42
WEP (Wired Equivalent Privacy), 43, 45
wicontrol program, 42
Wi-Fi Net News website, 42

Wi-Fi Protected Access (WPA), 43, 47–48
Wired Equivalent Privacy (WEP), 43, 45
wireless networks
    access points
        FreeBSD WPA, 48–49
        with multiple interfaces, 50
        OpenBSD WPA, 47–48
        PF rule set, 49–50
    client side, 51
    establishing links in, 42
    FreeBSD WEP setup, 46
    FreeBSD WPA access point, 48–49
    IPSec VPN solutions, 50–51
    OpenBSD WEP setup, 44
    OpenBSD WPA access point, 47–48
    security in, 42
    setting up, 44–46
    viewing kernel messages, 44
worms, 2
wpa-psk utility, running, 47
wpa_supplicant, setting up, 54
WPA (Wi-Fi Protected Access), 43, 47–48
