Re: simple PF question

2008-06-22 Thread Lars Noodén
Peter N. M. Hansteen wrote:
 ... Hm. Might actually be a good idea to expose
 learners to tcpdump a tad earlier.

I used PF on OpenBSD for a small polytechnic course with the help of
Peter's book.  For most it was a first introduction to any of these
tools or supporting tools or hands-on computing.  As much as possible, I
encouraged people to get comfortable looking for man pages, howtos, web
forums and mailing list archives.

Below is the base checklist for laboratory exercises from the 7-week
course.  It's so short because, among other things, there was no access
to the laboratory outside of class hours.  :(

I placed tcpdump near the end, because familiarity with PF needs to be
established first.  But it is not at the very end, in order to still have
time for repetition.  Nearly everyone got that far, a few got to the
queues and one got to the round-robin.

There were supplemental exercises to keep those with experience learning
while others were working on the main exercises.

Regards,
-Lars

[note, 1b/s is not possible, turns out that 6kb/s is the slowest]

Install OpenBSD 4.2.  Install pftop and nmap.
Use of editor, pfctl and working from a copy of /etc/pf.conf (not
/etc/pf.conf itself)

Create a host-based packet filter. Allow incoming SSH, HTTP and
HTTPS and some ICMP (0,3,4,8,11,30). See pp 7 - 16, and p 29

Allow incoming SSH, HTTP and HTTPS and some ICMP (0,3,4,8,11,30). Use a
table and state-tracking options to limit or block hosts that try to
connect too frequently or too many times concurrently to SSH. See pp 67 -
71 (excluding 'expiretable')

Use pftop to track connections to your machine. Currently you have
HTTP and SSH available. Show me one SSH connection and one HTTP or
HTTPS connection. See pp 115 - 116 and the manpage printed last week.

Use pflog and tcpdump to track some connections to your machine.
Show me one SSH connection and one HTTP or HTTPS connection.  See pp
107 - 115

Use the overload tables from the second host-based exercise, and
class-based queuing (cbq).
Rather than blocking overloads, send them to a 1 b/s queue.  See pp
87 - 97

Arrange that one interface on a multi-homed machine connects to the
Internet and distributes incoming connections to a 'pool' of web
services, using rdr. Choose either 'round-robin' or 'random' assignment.
See pp 50 - 52


===
supplemental activities

If and only if you have already finished your first packet filter, then
try turning on HTTPS. You will need to create a self-signed (aka root)
certificate for the web server as well as create one virtual host.

If and only if you have already finished HTTPS, then you may try
installing and using Xfce.

Install pfstat and create a graph based on traffic to or from your
machine.  (pp 115-118)

Show that you have lab notes.


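The two SSH exercises in Lars's checklist (limit or block over-eager hosts with a table and state-tracking options, then the variant that starves them with a cbq queue instead of blocking) fit in one pf.conf. The ruleset below is an added example, not Lars's course material or text from the book; the interface name, the bandwidth figures and the connection limits are assumptions, and the ICMP type names are the pf.conf spellings of the numbers 0, 3, 4, 8, 11 and 30 listed above.

```pf
# Constructed example: SSH overload table with a block variant and a
# slow-queue variant (OpenBSD 4.2-era pf.conf syntax). Not from the thread.
ext_if = "em0"                      # assumption: the Internet-facing interface
tcp_services = "{ ssh, http, https }"
# ICMP types 0,3,4,8,11,30 from the checklist, by their pf.conf names
icmp_types = "{ echorep, unreach, squench, echoreq, timex, trace }"

# Addresses that trip the limits below land here; "persist" keeps the
# table across rule reloads. Inspect with: pfctl -t bruteforce -T show
table <bruteforce> persist

set skip on lo
scrub in all

# Queue variant: a parent class and a deliberately tiny child class.
# 6Kb is used because Lars found 1 b/s is not accepted and 6kb/s is the floor.
altq on $ext_if cbq bandwidth 1Mb queue { std, smallpipe }
queue std bandwidth 994Kb cbq(default)
queue smallpipe bandwidth 6Kb cbq

block log all                       # default deny, logged to pflog0

# Block variant (the second host-based exercise): drop listed hosts outright.
# Leave this commented out when you want the queue variant further down.
#block drop in quick on $ext_if from <bruteforce>

# More than 10 simultaneous connections, or more than 5 new ones in 30
# seconds, from one source adds it to <bruteforce> and kills its states.
pass in on $ext_if inet proto tcp to ($ext_if) port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass in on $ext_if inet proto icmp to ($ext_if) icmp-type $icmp_types keep state

# Queue variant: the last matching rule wins, so this more specific rule
# overrides the one above for listed hosts. They still reach sshd, but
# their packets leave through the 6Kb class.
pass in on $ext_if inet proto tcp from <bruteforce> to ($ext_if) port ssh \
    flags S/SA keep state queue smallpipe

pass out on $ext_if keep state
```

Load it from a working copy with `pfctl -nf copy-of-pf.conf` first (parse only), then `pfctl -f`. To see the limits trigger, watch the log interface with `tcpdump -n -e -ttt -i pflog0` and the table with `pfctl -t bruteforce -T show`; `pfctl -t bruteforce -T flush` empties it again once the exercise is done.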

Re: simple PF question

2008-06-21 Thread Peter N. M. Hansteen
Robert Gilaard [EMAIL PROTECTED] writes:

 All the time I had the following entries in my pf.conf for my
 Desktop system.  However, as I've bought this pf book that was
 lately released, I begin to suspect that these rules are way too
 liberal.

 If I only want to be able to browse the web and maybe use
 ssh-client, how should I rewrite the rules so that only those ports
 are open (80,443 and 22)?

The main message in the parts of the book you're referring to is that
allowing only the traffic you know there's a good reason to allow
leads to a cleaner network and fewer surprises.  In fact it can be
quite instructive (and fun!) to play around with tcpdump to watch what
happens on the interfaces you're interested in.  You will see, of
course, a lot of relatively uninteresting stuff that only says the
traffic you thought would pass indeed does, but every now and then you
will likely see something that has you grepping /etc/services and
browsing man pages.  Hm. Might actually be a good idea to expose
learners to tcpdump a tad earlier.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



simple PF question

2008-06-20 Thread Robert Gilaard
Hi folks,

All the time I had the following entries in my pf.conf for my Desktop system.
However, as I've bought this pf book that was lately released, I begin to 
suspect that these rules are way too liberal.

If I only want to be able to browse the web and maybe use ssh-client, how 
should I rewrite the rules so that only those ports are open (80,443 and 22)?

I guess I'm looking forward to a RTFM answer, but hey, I wouldn't ask if I knew 
how to write them.

The best I could guess is:

pass out on $int_if proto tcp from any to any port 80 modulate state flags S/SA

But I don't know if this is correct.

Brgds
Robert



Re: simple PF question

2008-06-20 Thread Calomel
Robert,

Your rule looks ok. You may want to add a variable for the port number
so you can add or delete them as needed. Something like... 

### Ports
AllowOUT={22, 80, 443}

### Pass out interface
pass out on $int_if proto tcp from ($int_if) to any port $AllowOUT modulate 
state flags S/SA


Hope this helps,

 OpenBSD Pf Firewall how to ( pf.conf )
 https://calomel.org/pf_config.html

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Fri, Jun 20, 2008 at 02:10:52PM -0700, Robert Gilaard wrote:
Hi folks,

All the time I had the following entries in my pf.conf for my Desktop system.
However, as I've bought this pf book that was lately released, I begin to 
suspect that these rules are way too liberal.

If I only want to be able to browse the web and maybe use ssh-client, how 
should I rewrite the rules so that only those ports are open (80,443 and 22)?

I guess I'm looking forward to a RTFM answer, but hey, I wouldn't ask if I 
knew how to write them.

The best I could guess is:

pass out on $int_if proto tcp from any to any port 80 modulate state flags S/SA

But I don't know if this is correct.

Brgds
Robert



Re: simple PF question

2008-06-20 Thread Martin Toft
On Fri, Jun 20, 2008 at 02:10:52PM -0700, Robert Gilaard wrote:
 Hi folks,
 
 All the time I had the following entries in my pf.conf for my Desktop
 system.
 However, as I've bought this pf book that was lately released, I begin
 to suspect that these rules are way too liberal.
 
 If I only want to be able to browse the web and maybe use ssh-client,
 how should I rewrite the rules so that only those ports are open
 (80,443 and 22)?
 
 I guess I'm looking forward to a RTFM answer, but hey, I wouldn't ask
 if I knew how to write them.
 
 The best I could guess is:
 
 pass out on $int_if proto tcp from any to any port 80 modulate state
 flags S/SA
 
 But I don't know if this is correct.
 
 Brgds
 Robert

If it's just a simple workstation with a single user, I see no reason
for restricting outgoing traffic. If you really want this, remember to
also allow DNS queries (port 53, tcp+udp).

Let me point you to some of Peter Hansteen's goodies:

  http://home.nuug.no/~peter/pf/en/minimal-ruleset.html

(you should also click Next when you get to the bottom of that page)

The full table of contents:

  http://home.nuug.no/~peter/pf/en/

Martin
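Putting Calomel's port macro together with Martin's reminder about DNS gives a complete workstation ruleset. This is an added example, not a ruleset from the thread, from Calomel's page or from the book; the interface name and the decision to log blocked outbound traffic are assumptions.

```pf
# Constructed example: single-user workstation, outbound limited to
# 22, 80, 443 plus DNS. Not from the thread.
int_if = "em0"                              # assumption: the workstation's NIC
tcp_out = "{ ssh, http, https, domain }"    # 22, 80, 443 and DNS over TCP (53)

set skip on lo
scrub in all

block all                                   # default deny in both directions
# Outbound connections that hit no pass rule get a TCP RST / ICMP unreachable
# back instead of hanging until timeout, and a record in pflog0.
block return out log on $int_if

pass out on $int_if inet proto tcp from ($int_if) to any port $tcp_out \
    modulate state flags S/SA
pass out on $int_if inet proto udp from ($int_if) to any port domain \
    keep state                              # ordinary DNS lookups (udp 53)
pass out on $int_if inet proto icmp from ($int_if) icmp-type echoreq \
    keep state                              # so ping still works
```

Check the copy with `pfctl -nf copy-of-pf.conf` before loading it with `pfctl -f`, and list what is actually in the kernel with `pfctl -sr`. The `log` on the outbound block rule is what makes the default-deny informative: `tcpdump -n -e -ttt -i pflog0` then shows every protocol the desktop still wanted that the list above did not cover, which is the kind of discovery Peter describes above and the way Martin's DNS point turns up in practice.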