Re: simple PF question
Peter N. M. Hansteen wrote:
> ... Hm. Might actually be a good idea to expose learners to tcpdump a tad earlier.

I used PF on OpenBSD for a small polytechnic course with the help of Peter's book. For most it was a first introduction to any of these tools or supporting tools or hands-on computing. As much as possible, I encouraged people to get comfortable looking for man pages, howtos, web forums and mailing list archives.

Below is the base checklist for laboratory exercises from the 7-week course. It's so short because, among other things, there was no access to the laboratory outside of class hours. :(

I placed tcpdump near the end, because familiarity with PF needs to be established first. But not at the very end, in order to still have time for repetition. Nearly everyone got that far, a few got to the queues and one got to the round-robin. There were supplemental exercises to keep those with experience learning while others were working on the main exercises.

Regards,
-Lars

[note, 1b/s is not possible, turns out that 6kb/s is the slowest]

Install OpenBSD 4.2. Install pftop and nmap. Use of editor, pfctl and working from a copy of /etc/pf.conf (not /etc/pf.conf itself).

Create a host-based packet filter. Allow incoming SSH, HTTP and HTTPS and some ICMP (0,3,4,8,11,30). See pp 7 - 16, and p 29.

Allow incoming SSH, HTTP and HTTPS and some ICMP (0,3,4,8,11,30). Use a table and state-tracking options to limit or block hosts that try to connect too frequently or too many times concurrently to SSH. See pp 67 - 71 (excluding 'expiretable').

Use pftop to track connections to your machine. Currently you have HTTP and SSH available. Show me one SSH connection and one HTTP or HTTPS connection. See pp 115 - 116 and the manpage printed last week.

Use pflog and tcpdump to track some connections to your machine. Show me one SSH connection and one HTTP or HTTPS connection. See pp 107 - 115.

Use the overload tables from the second host-based exercise, and class-based queuing (cbq). Rather than blocking overloads, send them to a 1 b/s queue. See pp 87 - 97.

Arrange that one interface on a multi-homed machine connects to the Internet and distributes incoming connections to a 'pool' of web services, using rdr. Choose either 'round-robin' or 'random' assignment. See pp 50 - 52.

=== supplemental activities

If and only if you have already finished your first packet filter, then try turning on HTTPS. You will need to create a self-signed (aka root) certificate for the web server as well as create one virtual host.

If and only if you have already finished HTTPS, then you may try installing and using Xfce.

Install pfstat and create a graph based on traffic to or from your machine. (pp 115-118)

Show that you have lab notes.
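As an added illustration of the second host-based exercise and the cbq exercise above (this is not from Lars's course material or from Peter's book), here is one way the two fit together in a single ruleset: sources that exceed the SSH state-tracking limits are added to a table, and instead of being blocked outright their replies are sent through a deliberately slow queue. The interface name em0, the 10Mb link, the queue bandwidths and the connection limits are assumptions for the example; the 6Kb rate follows Lars's note that this was the slowest that worked.

```pf
# Added example (not the course's own pf.conf). OpenBSD 4.2-era syntax.
ext_if = "em0"                       # assumption: the lab machine's only NIC
# ICMP types 0,3,4,8,11,30 by their pf.conf names
icmp_types = "{ echorep, unreach, squench, echoreq, timex, trace }"

# Sources that trip the SSH limits land here; "persist" keeps the table
# around even if no rule references it when the ruleset is loaded
table <bruteforce> persist

set skip on lo

# Class-based queueing on the external interface: a default queue and a
# slow one for hosts that have already overloaded
altq on $ext_if cbq bandwidth 10Mb queue { std, slow }
queue std  bandwidth 9Mb cbq(default)
queue slow bandwidth 6Kb cbq

# Default deny inbound; log so pflog/tcpdump show what was dropped
block in log on $ext_if
pass out on $ext_if keep state

# Overloaded hosts may still reach sshd, but their replies are queued at
# 6Kb/s. "quick" stops evaluation here so the full-speed rule below
# cannot re-admit them (pf is last-match-wins without quick).
pass in quick on $ext_if proto tcp from <bruteforce> to ($ext_if) port ssh \
    flags S/SA keep state queue slow

# Everyone else: at most 5 concurrent connections per source and 3 new
# connections per 30 seconds. Exceeding either puts the source into
# <bruteforce> and flushes all its existing states created by this rule.
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global)

pass in on $ext_if proto tcp to ($ext_if) port { www, https } flags S/SA keep state
pass in on $ext_if inet proto icmp icmp-type $icmp_types keep state
```

Working from a copy as the checklist says, `pfctl -nf /path/to/copy` parses the file without loading it, and `pfctl -t bruteforce -T show` lists who has been caught. Since the exercise leaves out expiretable, entries stay until removed by hand (`pfctl -t bruteforce -T delete <addr>`); pfctl versions that have `-T expire <seconds>` can age them out instead.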
Re: simple PF question
Robert Gilaard [EMAIL PROTECTED] writes:
> All the time I had the following entries in my pf.conf for my Desktop system. However, as I've bought this pf book that was lately released, I begin to suspect that these rules are way too liberal. If I only want to be able to browse the web and maybe use ssh-client, how should I rewrite the rules so that only those ports are open (80, 443 and 22)?

The main message in the parts of the book you're referring to is that allowing only the traffic you know there's a good reason to allow leads to a cleaner network and fewer surprises.

In fact it can be quite instructive (and fun!) to play around with tcpdump to watch what happens on the interfaces you're interested in. You will see, of course, a lot of relatively uninteresting stuff that only says the traffic you thought would pass indeed does, but every now and then you will likely see something that has you grepping /etc/services and browsing man pages.

Hm. Might actually be a good idea to expose learners to tcpdump a tad earlier.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
simple PF question
Hi folks,

All the time I had the following entries in my pf.conf for my Desktop system. However, as I've bought this pf book that was lately released, I begin to suspect that these rules are way too liberal. If I only want to be able to browse the web and maybe use ssh-client, how should I rewrite the rules so that only those ports are open (80, 443 and 22)?

I guess I'm looking forward to a RTFM answer, but hey, I wouldn't ask if I knew how to write them. The best I could guess is:

    pass out on $int_if proto tcp from any to any port 80 modulate state flags S/SA

But I don't know if this is correct.

Brgds
Robert
Re: simple PF question
Robert,

Your rule looks ok. You may want to add a variable for the port numbers so you can add or delete them as needed. Something like...

    ### Ports (a macro containing a list needs quoting in pf.conf)
    AllowOUT = "{ 22, 80, 443 }"

    ### Pass out interface
    pass out on $int_if proto tcp from ($int_if) to any port $AllowOUT modulate state flags S/SA

Hope this helps,

OpenBSD Pf Firewall how to ( pf.conf )
https://calomel.org/pf_config.html

-- 
Calomel @ https://calomel.org
Open Source Research and Reference

On Fri, Jun 20, 2008 at 02:10:52PM -0700, Robert Gilaard wrote:
> Hi folks,
>
> All the time I had the following entries in my pf.conf for my Desktop system. However, as I've bought this pf book that was lately released, I begin to suspect that these rules are way too liberal. If I only want to be able to browse the web and maybe use ssh-client, how should I rewrite the rules so that only those ports are open (80, 443 and 22)?
>
> I guess I'm looking forward to a RTFM answer, but hey, I wouldn't ask if I knew how to write them. The best I could guess is:
>
>     pass out on $int_if proto tcp from any to any port 80 modulate state flags S/SA
>
> But I don't know if this is correct.
>
> Brgds
> Robert
Re: simple PF question
On Fri, Jun 20, 2008 at 02:10:52PM -0700, Robert Gilaard wrote:
> Hi folks,
>
> All the time I had the following entries in my pf.conf for my Desktop system. However, as I've bought this pf book that was lately released, I begin to suspect that these rules are way too liberal. If I only want to be able to browse the web and maybe use ssh-client, how should I rewrite the rules so that only those ports are open (80, 443 and 22)?
>
> I guess I'm looking forward to a RTFM answer, but hey, I wouldn't ask if I knew how to write them. The best I could guess is:
>
>     pass out on $int_if proto tcp from any to any port 80 modulate state flags S/SA
>
> But I don't know if this is correct.
>
> Brgds
> Robert

If it's just a simple workstation with a single user, I see no reason for restricting outgoing traffic. If you really want this, remember to also allow DNS queries (port 53, tcp+udp).

Let me point you to some of Peter Hansteen's goodies:
http://home.nuug.no/~peter/pf/en/minimal-ruleset.html
(you should also click Next when you get to the bottom of that page)

The full table of contents: http://home.nuug.no/~peter/pf/en/

Martin
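Putting the thread's advice together (Robert's single rule, Calomel's port macro, and Martin's reminder about DNS), here is a complete workstation ruleset as an added example; it is not from any of the posters or from the book. The interface name xl0 is an assumption, and the `log` keyword is there so that Peter's suggestion of watching with tcpdump works on pflog0.

```pf
# Added example of a restrictive single-user workstation pf.conf (not from the thread)
int_if = "xl0"                          # assumption: the workstation's only interface
AllowOUT = "{ ssh, www, https }"        # 22, 80, 443 by service name

set skip on lo

# Default deny in both directions. Logged drops show up on pflog0,
# e.g. "tcpdump -n -e -ttt -i pflog0", which is where surprises turn up.
block log all

# Name resolution must be allowed or browsing silently breaks.
# Both udp and tcp: large answers fall back to tcp.
pass out on $int_if proto { tcp, udp } from ($int_if) to any port domain keep state

# The only outbound TCP the user needs. "modulate state" keeps state like
# "keep state" but also rewrites initial sequence numbers.
pass out on $int_if proto tcp from ($int_if) to any port $AllowOUT \
    flags S/SA modulate state

# Let the box ping out and get the echo replies back through state
pass out on $int_if inet proto icmp icmp-type echoreq keep state

# Nothing unsolicited is allowed in: the "block log all" above covers it,
# and return traffic for the rules above is matched by state, not by rule.
```

Check it with `pfctl -nf` before loading; if a client program stops working after this goes live, the logged entries on pflog0 will name the port it wanted, which is exactly the /etc/services exercise Peter describes.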