Peter N. M. Hansteen wrote:
> ... Hm. Might actually be a good idea to expose
> learners to tcpdump a tad earlier.

I used PF on OpenBSD for a small polytechnic course with the help of
Peter's book.  For most it was a first introduction to any of these
tools or supporting tools or hands-on computing.  As much as possible, I
encouraged people to get comfortable looking for man pages, howtos, web
forums and mailing list archives.

Below is the base checklist for laboratory exercises from the 7-week
course.  It's so short because, among other things, there was no access
to the laboratory outside of class hours.  :(

I placed tcpdump near the end, because familiarity with PF needs to be
established first.  But it is not at the very end, in order to still have
time for repetition.  Nearly everyone got that far, a few got to the
queues and one got to the round-robin.

There were supplemental exercises to keep those with experience learning
while others were working on the main exercises.

Regards,
-Lars

[note, 1b/s is not possible, turns out that 6kb/s is the slowest]

Install OpenBSD 4.2 □.  Install pftop □ and nmap □.
Use of editor □, pfctl □ and working from copy of /etc/pf.conf □ (not
/etc/pf.conf itself)

Create a host-based packet filter. Allow incoming SSH □, HTTP □ and
HTTPS □ and some ICMP (0,3,4,8,11,30) □  See pp 7 - 16, and p 29

Allow incoming SSH, HTTP and HTTPS and some ICMP (0,3,4,8,11,30). Use a
table □ and state-tracking options to limit or block □ hosts that try to
connect too frequently or too many times concurrently to SSH. See pp 67 -
71 (excluding 'expiretable')

Use pftop □ to track connections to your machine. Currently you have
HTTP and SSH available. Show me one SSH □ connection and one HTTP or
HTTPS □ connection. See pp 115 - 116 and the manpage printed last week.

Use pflog □ and tcpdump □ to track some connections to your machine.
Show me one SSH □ connection and one HTTP or HTTPS □ connection.  See pp
107 - 115

Use the overload tables from the second host-based exercise, and
class-based queuing (cbq) □.
Rather than blocking overloads, send them to a 1 b/s queue. □  See pp
87 - 97

Arrange that one interface on a multi-homed machine connects to the
Internet and distributes □ incoming connections to a 'pool' of web
services, using rdr. Choose either 'round-robin' or 'random' assignment.
  See pp 50 - 52


===
supplemental activities

If and only if you have already finished your first packet filter, then
try turning on HTTPS □  You will need to create a self-signed (aka root)
certificate for the web server as well as create one virtual host.

If and only if you have already finished HTTPS, then you may try
installing and using Xfce □

Install pfstat □ and create a graph □ based on traffic to or from your
machine.  (pp 115-118)

Show that you have lab notes □

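
A minimal pf.conf sketch covering the two host-based exercises in the checklist above, as an added example that is not part of the original post or the course material. The interface name `em0`, the table name and the connection limits are assumptions; the syntax is that of OpenBSD 4.2-era PF.

```conf
# Work on a copy, as the checklist says, and parse-check before loading:
#   pfctl -nf ./pf.conf.copy      (syntax check only, nothing is loaded)
#   pfctl -f  ./pf.conf.copy      (load the ruleset)
#   pfctl -t bruteforce -T show   (list hosts caught by the overload rule)

ext_if     = "em0"                      # assumed interface name
web_ports  = "{ www, https }"
icmp_types = "{ 0, 3, 4, 8, 11, 30 }"   # the ICMP types from the checklist

# Hosts that exceed the SSH limits below are added here by PF itself.
table <bruteforce> persist

set skip on lo0

# Default deny, then drop overloaded hosts before any pass rule can match.
block all
block in quick on $ext_if from <bruteforce>

pass out on $ext_if keep state

# HTTP and HTTPS, no per-source limits.
pass in on $ext_if inet proto tcp to ($ext_if) port $web_ports keep state

# SSH with state-tracking limits (assumed values):
#   max-src-conn       at most 10 concurrent connections per source
#   max-src-conn-rate  at most 5 new connections per 30 seconds per source
#   overload           offenders go into <bruteforce>
#   flush global       and all of their existing states are removed
pass in on $ext_if inet proto tcp to ($ext_if) port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
                overload <bruteforce> flush global)

# The selected ICMP types only.
pass in on $ext_if inet proto icmp icmp-type $icmp_types keep state
```

Because the `block in quick` rule sits above the pass rules, a host that lands in `<bruteforce>` loses access to HTTP and HTTPS as well as SSH until its table entry is removed.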