DOCSLIB.ORG

Firewalling with Openbsd's PF Packet Filter

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Firewalling with Openbsd's PF Packet Filter Firewalling with OpenBSD’s PF packet filter Peter N. M. Hansteen [email protected] Copyright © 2005 - 2012 Peter N. M. Hansteen This document is © Copyright 2005 - 2012, Peter N. M. Hansteen. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The document is a ’work in progress’, based on a manuscript prepared for a lecture at the BLUG (see http://www.blug.linux.no/) meeting of January 27th, 2005. Along the way it has spawned several conference tutorials as well as The Book of PF (http://nostarch.com/pf2.htm) (second edition, No Starch Press November 2010), which expands on all topics mentioned in this document presents several topics that are only hinted at here. I’m interested in comments of all kinds, and you may if you wish add web or other references to html or pdf versions of the manuscript. If you do, I would like, but can not require, you to send me an email message that you’ve done it. For communication regarding this document please use the address <[email protected]> and preferably a recognizable subject line; $ whois bsdly.net provides full contact information. For full revision history, see the HTML version or the SGML source. Revision History Revision 0.09687e 02 may 2011 expiretable removed from OpenBSD ports. Thanks: Rodolfo Gouveia. Also: we’re at 4.9 Revision 0.096871e 07 may 2011 in OpenBSD 4.9, ifconfig wpa syntax is simpler Revision 0.0968711e 05 jan 2012 -stable is 5.0, bump references where appropriate, rev latest year Table of Contents Before we start ..............................................................................................1 PF? ....................................................................................................................5 Packet filter? Firewall?................................................................................7 NAT? .................................................................................................................9 PF today ........................................................................................................11 BSD vs Linux - Configuration ..................................................................13 Simplest possible setup (OpenBSD) .......................................................15 Simplest possible setup (FreeBSD).........................................................17 Simplest possible setup (NetBSD)...........................................................19 First rule set - single machine..................................................................21 Slightly stricter ...........................................................................................23 Statistics from pfctl ....................................................................................25 A simple gateway, NAT if you need it .....................................................27 Gateways and the pitfalls of in, out and on ...........................................27 What is your local network, anyway?.....................................................28 Setting up.................................................................................................29 That sad old FTP thing ..............................................................................33 If We Have To: ftp-proxy With Redirection............................................33 Historical FTP proxies: do not use .........................................................35 Ancient FTP through NAT: ftp-proxy .............................................36 Ancient: FTP, PF and routable addresses: ftpsesame, pftpx and ftp-proxy! ...................................................................................37 ftp-proxy, slightly new style ............................................................38 Making your network troubleshooting friendly..................................41 Then, do we let it all through?................................................................41 The easy way out: The buck stops here..................................................42 Letting ping through ...............................................................................42 Helping traceroute ..................................................................................43 Path MTU discovery................................................................................43 Network hygiene: Blocking, scrubbing and so on...............................45 block-policy .............................................................................................45 scrub .........................................................................................................45 antispoof ..................................................................................................46 Handling non-routable addresses from elsewhere ................................46 iii A web server and a mail server on the inside ......................................49 Taking care of your own - the inside ......................................................50 Tables make your life easier.....................................................................53 Logging..........................................................................................................55 Taking a peek with tcpdump ..................................................................55 Other log tools you may want to look into..............................................56 But there are limits (an anecdote)..........................................................57 Keeping an eye on things with systat ....................................................59 Keeping an eye on things with pftop......................................................61 Invisible gateway - bridge.........................................................................63 Directing traffic with ALTQ......................................................................65 ALTQ - prioritizing by traffic type..........................................................66 So why does this work? ....................................................................66 Using a match Rule for Queue Assignment....................................67 ALTQ - allocation by percentage ............................................................67 ALTQ - handling unwanted traffic .........................................................69 CARP and pfsync.........................................................................................71 Wireless networks made simple ..............................................................73 A little IEEE 802.11 background............................................................73 WEP (Wired Equivalent Privacy)....................................................73 WPA (WiFi Protected Access) ..........................................................74 Setting up a simple wireless network ....................................................74 An open, yet tightly guarded wireless network with authpf............79 Turning away the brutes...........................................................................83 expiring table entries with pfctl .............................................................85 Using expiretable to tidy your tables .....................................................86 Giving spammers a hard time..................................................................87 Remember, you are not alone: blacklisting ............................................87 List of black and grey, and the sticky tarpit ..........................................88 Setting up spamd.....................................................................................88 Some early highlights of our spamd experience ....................................90 Beating’em up some more: spamdb and greytrapping ..........................93 Enter greytrapping ..........................................................................94 Your own traplist..............................................................................94 Deleting, handling trapped entries .................................................95 The downside: some people really do not get it ..............................96 Conclusions from our spamd experience................................................97 iv PF - Haiku .....................................................................................................99 References ..................................................................................................101
Load more

Recommended publications
  • ROADS and BRIDGES: the UNSEEN LABOR BEHIND OUR DIGITAL INFRASTRUCTURE Preface
    Roads and Bridges:The Unseen Labor Behind Our Digital Infrastructure WRITTEN BY Nadia Eghbal 2 Open up your phone. Your social media, your news, your medical records, your bank: they are all using free and public code. Contents 3 Table of Contents 4 Preface 58 Challenges Facing Digital Infrastructure 5 Foreword 59 Open source’s complicated relationship with money 8 Executive Summary 66 Why digital infrastructure support 11 Introduction problems are accelerating 77 The hidden costs of ignoring infrastructure 18 History and Background of Digital Infrastructure 89 Sustaining Digital Infrastructure 19 How software gets built 90 Business models for digital infrastructure 23 How not charging for software transformed society 97 Finding a sponsor or donor for an infrastructure project 29 A brief history of free and public software and the people who made it 106 Why is it so hard to fund these projects? 109 Institutional efforts to support digital infrastructure 37 How The Current System Works 38 What is digital infrastructure, and how 124 Opportunities Ahead does it get built? 125 Developing effective support strategies 46 How are digital infrastructure projects managed and supported? 127 Priming the landscape 136 The crossroads we face 53 Why do people keep contributing to these projects, when they’re not getting paid for it? 139 Appendix 140 Glossary 142 Acknowledgements ROADS AND BRIDGES: THE UNSEEN LABOR BEHIND OUR DIGITAL INFRASTRUCTURE Preface Our modern society—everything from hospitals to stock markets to newspapers to social media—runs on software. But take a closer look, and you’ll find that the tools we use to build software are buckling under demand.
    [Show full text]
  • An Automated Binary Security Update System for Freebsd
    An Automated Binary Security Update System for FreeBSD Colin Percival Computing Lab, Oxford University [email protected] Abstract that a large number of people find the task of applying security patches and rebuilding affected programs to be difficult and/or confusing. Given that releases are on av- With the present trend towards increased reliance upon erage several months – and several security holes – old computer systems, the provision and prompt application by the time they are installed, the possibility arises that of security patches is becoming vital. Developers of all a new user will find his system compromised before he operating systems must generally be applauded for their has a chance to bring it up to date. success in this area; systems administrators, however, are often found lacking. Furthermore, there are some circumstances where build- ing from source is undesirable. Some embedded sys- Anecdotal evidence suggests that for FreeBSD much of tems might lack sufficient disk space to store the entire the difficulty arises out of the need to recompile from the source and object trees; some system administrators re- source code after applying security patches. Many peo- move part or all of the build toolchain in an (arguably ple, after spending years using closed-source point-and- misguided) attempt to thwart any attempt to build a click operating systems, find the concept of recompiling rootkit; and the purveyors of application-specific ‘toast- software to be entirely foreign, and even veteran users ers’ might very likely wish to keep the complexity of of open source software are often less than prompt about building from source entirely hidden from their users.
    [Show full text]
  • The Title Title: Subtitle March 2007
    sub title The Title Title: Subtitle March 2007 Copyright c 2006-2007 BSD Certification Group, Inc. Permission to use, copy, modify, and distribute this documentation for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE DOCUMENTATION IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS DOCUMENTATION INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CON- SEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEG- LIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS DOCUMENTATION. NetBSD and pkgsrc are registered trademarks of the NetBSD Foundation, Inc. FreeBSD is a registered trademark of the FreeBSD Foundation. Contents Introduction vii 1 Installing and Upgrading the OS and Software 1 1.1 Recognize the installation program used by each operating system . 2 1.2 Recognize which commands are available for upgrading the operating system 6 1.3 Understand the difference between a pre-compiled binary and compiling from source . 8 1.4 Understand when it is preferable to install a pre-compiled binary and how to doso ...................................... 9 1.5 Recognize the available methods for compiling a customized binary . 10 1.6 Determine what software is installed on a system . 11 1.7 Determine which software requires upgrading . 12 1.8 Upgrade installed software . 12 1.9 Determine which software have outstanding security advisories .
    [Show full text]
  • Active-Active Firewall Cluster Support in Openbsd
    Active-Active Firewall Cluster Support in OpenBSD David Gwynne School of Information Technology and Electrical Engineering, University of Queensland Submitted for the degree of Bachelor of Information Technology COMP4000 Special Topics Industry Project February 2009 to leese, who puts up with this stuff ii Acknowledgements I would like to thank Peter Sutton for allowing me the opportunity to do this work as part of my studies at the University of Queensland. A huge thanks must go to Ryan McBride for answering all my questions about pf and pfsync in general, and for the many hours working with me on this problem and helping me test and debug the code. Thanks also go to Theo de Raadt, Claudio Jeker, Henning Brauer, and everyone else at the OpenBSD network hackathons who helped me through this. iii Abstract The OpenBSD UNIX-like operating system has developed several technologies that make it useful in the role of an IP router and packet filtering firewall. These technologies include support for several standard routing protocols such as BGP and OSPF, a high performance stateful IP packet filter called pf, shared IP address and fail-over support with CARP (Common Address Redundancy Protocol), and a protocol called pfsync for synchronisation of the firewalls state with firewalls over a network link. These technologies together allow the deployment of two or more computers to provide redundant and highly available routers on a network. However, when performing stateful filtering of the TCP protocol with pf, the routers must be configured in an active-passive configuration due to the current semantics of pfsync.
    [Show full text]
  • Linux Hacking Case Studies Part 4: Sudo Horror Stories
    Linux Hacking Case Studies Part 4: Sudo Horror Stories written by Scott Sutherland | March 26, 2020 This blog will cover different ways to approach SSH password guessing and attacking sudo applications to gain a root shell on a Linux system. This case study commonly makes appearances in CTFs, but the general approach for attacking weak passwords and sudo applications can be applied to many real world environments. This should be a fun walk through for people new to penetration testing. This is the fourth of a five part blog series highlighting entry points and local privilege escalation paths commonly found on Linux systems during network penetration tests. Below are links to the first three blogs in the series: Linux Hacking Case Study Part 1: Rsync Linux Hacking Case Study Part 2: NFS Linux Hacking Case Study Part 3: phpMyAdmin Below is an overview of what will be covered in this blog: Finding SSH Servers Dictionary Attacks against SSH Servers Viewing Sudoers Execution Options Exploiting Sudo sh Exploiting Sudo VI Exploiting Sudo Python Exploiting Sudo Nmap Finding SSH Servers Before we can start password guessing or attacking sudo applications, we need to find some SSH servers to go after. Luckily Nmap and similar port scanning tools make that pretty easy because most vendors still run SSH on the default port of 22. Below is a sample Nmap command and screenshot to get you started. nmap -sS -sV -p22 192.168.1.0/24 -oA sshscan Once you’ve run the port scan you can quickly parse the results to make a file containing a list of SSH servers to target.
    [Show full text]
  • Getty Scholars' Workspace™ INSTALLATION INSTRUCTIONS
    Getty Scholars’ Workspace™ INSTALLATION INSTRUCTIONS This document outlines methods to run the application locally on your personal computer or to do a full installation on a web server. Test Drive with Docker Getty Scholars' Workspace is a multi-tenant web application, so it is intended to be run on a web server. However, if you'd like to run it on your personal computer just to give it a test drive, you can use Docker to create a virtual server environment and run the Workspace locally. Follow the steps below to give it a spin. Scroll further for real deployment instructions. 1. Install Docker on your machine. Follow instructions on the Docker website: https://www.docker.com/ 2. If you are using Docker Machine (Mac or Windows), be sure to start it by using the Docker Quickstart Terminal. Docker is configured to use the default machine with IP 192.168.99.100. 3. At the command line, pull the Getty Scholars' Workspace image. $ docker pull thegetty/scholarsworkspace 4. Run the container. $ docker run -d -p 8080:80 --name=wkspc thegetty/scholarsworkspace supervisord -n 5. Point your browser to `<ip address>:8080/GettyScholarsWorkspace`. Use the IP address noted in Step 2. 6. The Drupal administrator login is `scholar` and the password is `workspace`. Be sure to change these in the Drupal admin interface. 7. To shut it down, stop the container: $ docker stop wkspc Web Server Installation These installation instructions assume you are installing Getty Scholars' Workspace on a server (virtual or physical) with a clean new instance of Ubuntu 14.04 as the operating system.
    [Show full text]
  • Twenty Years of Berkeley Unix : from AT&T-Owned to Freely
    Twenty Years of Berkeley Unix : From AT&T-Owned to Freely Redistributable Marshall Kirk McKusick Early History Ken Thompson and Dennis Ritchie presented the first Unix paper at the Symposium on Operating Systems Principles at Purdue University in November 1973. Professor Bob Fabry, of the University of California at Berkeley, was in attendance and immediately became interested in obtaining a copy of the system to experiment with at Berkeley. At the time, Berkeley had only large mainframe computer systems doing batch processing, so the first order of business was to get a PDP-11/45 suitable for running with the then-current Version 4 of Unix. The Computer Science Department at Berkeley, together with the Mathematics Department and the Statistics Department, were able to jointly purchase a PDP-11/45. In January 1974, a Version 4 tape was delivered and Unix was installed by graduate student Keith Standiford. Although Ken Thompson at Purdue was not involved in the installation at Berkeley as he had been for most systems up to that time, his expertise was soon needed to determine the cause of several strange system crashes. Because Berkeley had only a 300-baud acoustic-coupled modem without auto answer capability, Thompson would call Standiford in the machine room and have him insert the phone into the modem; in this way Thompson was able to remotely debug crash dumps from New Jersey. Many of the crashes were caused by the disk controller's inability to reliably do overlapped seeks, contrary to the documentation. Berkeley's 11/45 was among the first systems that Thompson had encountered that had two disks on the same controller! Thompson's remote debugging was the first example of the cooperation that sprang up between Berkeley and Bell Labs.
    [Show full text]
  • Programmer's Guide
    Programmer’s Guide Release 2.2.0 January 16, 2016 CONTENTS 1 Introduction 1 1.1 Documentation Roadmap...............................1 1.2 Related Publications..................................2 2 Overview 3 2.1 Development Environment..............................3 2.2 Environment Abstraction Layer............................4 2.3 Core Components...................................4 2.4 Ethernet* Poll Mode Driver Architecture.......................6 2.5 Packet Forwarding Algorithm Support........................6 2.6 librte_net........................................6 3 Environment Abstraction Layer7 3.1 EAL in a Linux-userland Execution Environment..................7 3.2 Memory Segments and Memory Zones (memzone)................ 11 3.3 Multiple pthread.................................... 12 3.4 Malloc.......................................... 14 4 Ring Library 19 4.1 References for Ring Implementation in FreeBSD*................. 20 4.2 Lockless Ring Buffer in Linux*............................ 20 4.3 Additional Features.................................. 20 4.4 Use Cases....................................... 21 4.5 Anatomy of a Ring Buffer............................... 21 4.6 References....................................... 28 5 Mempool Library 31 5.1 Cookies......................................... 31 5.2 Stats.......................................... 31 5.3 Memory Alignment Constraints............................ 31 5.4 Local Cache...................................... 32 5.5 Use Cases....................................... 33 6
    [Show full text]
  • Computer Security Administration
    Information Security Group Information + Technology Services University of Toronto Endpoint Security Policy System A Network Access Control System with Vulnerability Detection and User Remediation Evgueni Martynov UNIX Systems Group Mike Wiseman Computer Security Administration Endpoint Security Policy System Table of Contents Acknowledgements............................................................................. 3 Change History .................................................................................... 4 Summary ............................................................................................. 5 Overview .............................................................................................. 5 Network Isolation ............................................................................... 6 Vulnerability Detection ....................................................................... 6 User Remediation ................................................................................ 8 Administering ESP ............................................................................... 8 ESP Operations Experience ................................................................ 9 Appendix I – Installation and Configuration of ESP server ........... 10 Using init.sh ..................................................................................... 10 Post-Installation ................................................................................ 11 Configuring an ESP Server to Work with an ESP Agent .......................
    [Show full text]
  • The Pfsense Book Release
    The pfSense Book Release The pfSense Team May 10, 2017 CONTENTS 1 Preface 1 1.1 Acknowledgements...........................................1 1.2 Feedback.................................................3 1.3 Typographic Conventions........................................3 1.4 Authors..................................................4 2 Foreword 7 3 Introduction 9 3.1 What does pfSense stand for/mean?...................................9 3.2 Why FreeBSD?..............................................9 3.3 Common Deployments.......................................... 10 3.4 Interface Naming Terminology..................................... 11 3.5 Finding Information and Getting Help.................................. 12 3.6 Project Inception............................................. 13 4 Networking Concepts 15 4.1 Understanding Public and Private IP Addresses............................. 15 4.2 IP Subnetting Concepts......................................... 16 4.3 IP Address, Subnet and Gateway Configuration............................. 16 4.4 Understanding CIDR Subnet Mask Notation.............................. 17 4.5 CIDR Summarization.......................................... 18 4.6 Broadcast Domains............................................ 19 4.7 IPv6.................................................... 19 4.8 Brief introduction to OSI Model Layers................................. 32 5 Hardware 33 5.1 Minimum Hardware Requirements................................... 33 5.2 Hardware Selection........................................... 33
    [Show full text]
  • The Qosbox: Quantitative Service Differentiation in BSD Routers∗
    The QoSbox: Quantitative Service Differentiation in BSD Routers∗ Nicolas Christin Jorg¨ Liebeherr Information Networking Institute and The Edward S. Rogers Sr. Department of CyLab Japan Electrical and Computer Engineering Carnegie Mellon University University of Toronto 1-3-3-17 Higashikawasaki-cho 10 King’s College Road Chuo-ku, Kobe 650-0044, Japan Toronto, ON M5S 3G4, Canada [email protected] [email protected] Abstract We describe the design and implementation of the QoSbox, a configurable IP router that provides per-hop service differentiation on loss, delays and throughput to classes of traffic. The novel aspects of the QoSbox are that (1) the QoSbox does not rely on any external component (e.g., no traffic shaping and no admission control) to provide the desired service differentiation, but instead, (2) dynamically adapts packet forwarding and dropping decisions as a function of the instantaneous traffic arrivals and allows for temporary relaxation of some service objectives; also, (3) the QoSbox can enforce both absolute and proportional service differentiation on queuing delays, loss rates, and throughput at the same time. We focus on a publicly available implementation of the QoSbox in BSD-based PC-routers. We evaluate our implementation in a testbed of BSD routers over a FastEthernet network, and we sketch how the QoSbox can be implemented in high speed architectures. Keywords: Quality-of-Service Implementations, Service Differentiation, PC-Routers, BSD, High-Speed Networks. ∗Most of this work was done while both authors were with the University of Virginia. This work was supported in part by the National Science Foundation through grants ANI-9730103 and ANI-0085955.
    [Show full text]
  • The Netbsd Project
    The NetBSD Project Introducción a NetBSD Julio M. Merino Vidal <[email protected]> iParty 8 22 de abril de 2006 Contenido NetBSD vs. Linux. Un poco de historia. Objetivos. Política de versiones. pkgsrc. Cómo obtener NetBSD. Dónde obtener ayuda. Cómo reportar fallos. NetBSD vs. GNU/Linux Sistema completo. Núcleo = Linux. Basado en 4.4BSD. Aplicaciones de GNU. Licencia BSD. Escrito desde cero. Licencia GPL. Un poco de historia (1/4) Fork de 4.3BSD Networking/2: 386BSD. Motivo: Frustración en la integración de parches. Un poco de historia (2/4) 386BSD deriva en: NetBSD (portabilidad) FreeBSD (i386) Primera versión: NetBSD 0.8 20 de abril de 1993 Un poco de historia (3/4) Integración de las mejoras en 4.4BSD (Lite). NetBSD 1.0 ve la luz 26 de octubre de 1994. Un poco de historia (4/4) Últimas versiones: NetBSD 2.0.3, 31 de octubre de 2005. NetBSD 2.1, 2 de noviembre de 2005. NetBSD 3.0, 23 de diciembre de 2005. Objetivos (1/5) Diseño correcto: Posiblemente el objetivo más importante. Ejemplo: abstracción del acceso al bus del sistema. “It doesn't work unless it's right”. Completitud del sistema: Protocolos de red. Utilidades de desarrollo. Sistema de paquetes. Objetivos (2/5) Estabilidad: Sistema usado en producción. Rapidez: Plataformas antiguas vs. nuevas. Micro vs. macro-optimizaciones. Objetivos (3/5) Libre distribución: Uso de la licencia BSD. Algunas herramientas añadidas son GPL. Transportable: División MI/MD. Ejemplo: fxp(4) funciona sobre alpha, i386, macppc, etc. 40 arquitecturas soportadas. Objetivos (4/5) Interoperable: Emulación binaria: Linux, FreeBSD, Solaris, etc.
    [Show full text]