Document: Building Firewall with OpenBSD and PF doc


Document information

Building Firewalls with OpenBSD and PF

Coming soon from devGuide.net:
The OpenBSD Gazetteer by Jacek Artymiak
Building Virtual Private Networks with FreeBSD, NetBSD, OpenBSD, Linux, Apple Mac OS X, and Microsoft Windows by Jacek Artymiak
The FreeBSD Gazetteer by Jacek Artymiak
The NetBSD Gazetteer by Jacek Artymiak
Scripting Caligari trueSpace with Python by Jacek Artymiak
Scripting Adobe Photoshop with JavaScript by Jacek Artymiak

You will find more information under this address: http://www.devguide.net

Building Firewalls with OpenBSD and PF
Jacek Artymiak
Second Edition
Lublin

Building Firewalls with OpenBSD and PF by Jacek Artymiak
Published by: devGuide.net, Jacek Artymiak
email: openbsdpf-ed-02@devguide.net
www: http://www.devguide.net

Copyright © 2003 Jacek Artymiak. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher.

First edition 2003
Second edition 2003
Printed in Poland
03 10 987654321
ISBN: 83-916651-1-9

The author and the publisher disclaim any and all liability for the use of information and programs contained in this book. All trademarks mentioned in this book are the sole property of their owners.

Sowa - Print on demand
http://www.sowadruk.pl
phone: +48 (22) 431-81-40

To Gosia

Table of Contents

Preface
    0.1 Acknowledgments
Chapter 1: Introduction
    1.1 Why Do We Need to Secure Our Networks
    1.2 Why Do We Need Firewalls
    1.3 Why Open Source Software
    1.4 Why OpenBSD and pf
    1.5 Cryptography and Law
    1.6 How This Book Is Organized
    1.7 Typographic Conventions Used in This Book
    1.8 Staying in Touch with the OpenBSD Community
    1.9 Getting in Touch with the Author
Chapter 2: Firewall Designs
    2.1 Define Your Local Packet Filtering Policy
    2.2 What Is a 'Firewall'?
    2.3 What Firewalls Are Not
    2.4 Hardware vs. Software Firewalls
    2.5 Firewalls Great and Small
        2.5.1 Screened Host
        2.5.2 Screened LAN or Screened LAN Segment
        2.5.3 Bastion Host
        2.5.4 Demilitarized Zone (DMZ)
        2.5.5 Large-Scale LANs
    2.6 Invisible Hosts and Firewalls
        2.6.1 Filtering Bridge
        2.6.2 Network Address Translation (NAT)
    2.7 Additional Functionality
Chapter 3: Installing OpenBSD
    3.1 Software Requirements
        3.1.1 Buy Official OpenBSD CD-ROM Sets
        3.1.2 Additional Software Requirements
    3.2 Hardware Requirements
        3.2.1 Which Hardware Platform Should You Choose?
        3.2.2 Motherboard
        3.2.3 BIOS
        3.2.4 Processor
        3.2.5 Memory
        3.2.6 Disk Space
        3.2.7 Network Interfaces
        3.2.8 Communicating with Your Computer During Installation
        3.2.9 How Are You Going to Install OpenBSD?
        3.2.10 Tape Drives
        3.2.11 Debugging Hardware
        3.2.12 Other Requirements
        3.2.13 When in Trouble, Use the Manual
    3.3 Downloading OpenBSD
    3.4 Preparing Installation Media
    3.5 Installing OpenBSD
    3.6 Securing Your Firewall Hardware
Chapter 4: Configuring OpenBSD
    4.1 User Management
        4.1.1 Adding Users
        4.1.2 Letting Users Do As Root Does (su)
        4.1.3 Changing the User Password
        4.1.4 Giving Users Limited Access to Root Privileges (sudo)
        4.1.5 Removing Users
    4.2 Hardening OpenBSD
        4.2.1 Disabling Non-Essential Services
        4.2.2 Patching
        4.2.3 When a Patch Is Not Enough
    4.3 Configuring Networking
        4.3.1 More Than One Address on a Single Interface (Aliases)
        4.3.2 Pf Configuration Options
        4.3.3 Bridge Configuration Options
        4.3.4 IP Forwarding
        4.3.5 Fixing FTP
        4.3.6 Taking Control of ARP
    4.4 Automated System Reboot
    4.5 Swap Encryption
    4.6 Working with Securelevels
    4.7 Setting Time and Date
    4.8 Configuring the Kernel to Solve Hardware Problems
        4.8.1 Make a Copy of the Old Kernel
        4.8.2 User Kernel Config (UKC)
        4.8.3 Brain Transplants for OpenBSD
    4.9 Adding and Compiling Software
    4.10 Configuring Disks
        4.10.1 RAID
Chapter 5: /etc/pf.conf
    5.1 Inside pf.conf
        5.1.1 Changing the pf.conf Section Order
        5.1.2 Breaking Long Lines into Smaller Pieces
        5.1.3 Grouping Rule Elements into Lists ({})
    5.2 Macros
    5.3 Tables (table)
    5.4 Anchors (anchor, nat-anchor, rdr-anchor, binat-anchor)
    5.5 Common Components Found in pf Rules
        5.5.1 Directions (in, out)
        5.5.2 Interfaces (on)
        5.5.3 Address Families (inet, inet6)
        5.5.4 Protocols (proto)
        5.5.5 Addresses (from, to, any, all)
        5.5.6 Dynamic Assignment of Addresses
        5.5.7 Ports (port)
        5.5.8 Ports (port)
    5.6 Tools for Writing and Editing pf.conf
        5.6.1 Why Not Edit pf.conf on Another Machine?
        5.6.2 Syntax Highlighting
        5.6.3 GUI Tools for Writing Rulesets with a Mouse
        5.6.4 Scripting pf.conf
    5.7 Managing pf.conf Versions with CVS
Chapter 6: Packet Normalization
    6.1 Implementing Packet Normalization (scrub)
        6.1.1 Scrub Rule Syntax
    6.2 Fine-Tuning Scrub Rules
        6.2.1 Pf Options (limit frags, timeout frags)
        6.2.2 Scrub Rule Options
    6.3 Who's Sending All Those Malformed Packets?
Chapter 7: Packet Redirection
    7.1 Security Applications
    7.2 Expanding the IPv4 Address Space
        7.2.1 Does IPv6 Make NAT Redundant?
        7.2.2 What Problems Does NAT Cause?
    7.3 NAT Rules
        7.3.1 Hiding Hosts Behind a Single Address with nat Rules
        7.3.2 Redirecting Packets to Other Addresses and Ports (rdr)
        7.3.3 Forcing Everyone to Use a Web Cache
        7.3.4 Other Uses of rdr Rules
        7.3.5 binat
    7.4 Proxy ARP
Chapter 8: Packet Filtering
    8.1 The Anatomy of a Filtering Rule
        8.1.1 What Is pf Supposed to Do (block, pass)?
        8.1.2 Return to Sender (return-icmp, return-rst)
        8.1.3 Inbound or Outbound (in, out)?
        8.1.4 To Log or Not to Log (log, log-all)?
        8.1.5 Finishing Early (quick)
        8.1.6 Network Interface Names (on)?
        8.1.7 Routing Options (fastroute, reply-to, route-to, dup-to)
        8.1.8 IP Addressing Families: IPv4 (inet) or IPv6 (inet6)?
        8.1.9 Protocols (proto)?
        8.1.10 Source Address (from, any, all)?
        8.1.11 Source Port (port)?
        8.1.12 Sender's Operating System (os)?
        8.1.13 Destination IP address (to, any, all)
        8.1.14 Destination Port (port)

[...]

... why we should use OpenBSD and pf, and how to keep in touch with the OpenBSD project, developers, and the author of this book. Chapter 2, Firewall Designs, presents popular firewall configurations and discusses their uses, pros and cons. Every design is illustrated with a diagram, and some less obvious designs are discussed as well. Chapter 3, Installing OpenBSD, discusses basic hardware and software requirements...

[...]

... and pf into your existing network without fear of violating some obscure licensing term. You can even package OpenBSD and pf and sell it or embed it in your expensive black box hardware. Also, because OpenBSD and pf are free (as in freedom and as in beer), you can install and use them on as many machines as you like. This will surely impress your accountants, lawyers, and bank managers.

1.5 Cryptography and...

[...]

... availability of OpenBSD and pf for many hardware platforms, including i386, Sparc, Sparc Ultra, Alpha, and others. And, if you would like to have OpenBSD or pf ported to another hardware platform, all you have to do is download the code and get to work, or hire the OpenBSD developers to do it for you. (It's a win-win situation. You will get the tools you want, and the OpenBSD...

[...]

... overly expensive, that they are delivered on time, and that they can be quickly updated. The first edition of Building Firewalls with OpenBSD and PF was so popular that I had to quickly start work on the second edition, which would cover the changes made to the OpenBSD operating system and pf between releases 3.3 and 3.4. I also wanted to respond to the requests and suggestions made by the readers of the first...

[...]

... Calgary), and other OpenBSD developers, evangelists and supporters, without whose hard work we wouldn't be able to enjoy OpenBSD, OpenSSH, and pf. I also wish to thank doctors Joanna Markiewicz and Witalis Misiewicz who keep their watchful eyes on my health and make sure I don't dump core before my time. Last, but not least, I want to thank my dear wife, Malgosia, who patiently puts up with my non-standard...

[...]

... people who continue to support and encourage me along the way. First and foremost I wish to thank the OpenBSD user community for their support, and for challenging me with interesting questions, suggestions, and critique. Without them swamping me with requests to write a book about OpenBSD, this little tome would not be in your hands today. One of the most active members of the OpenBSD community supporting...

[...]

... ready for editing. I could forget it and move to other projects, but I felt it was too good to be trashed. I decided to risk it and announced The OpenBSD Gazetteer. As I was working towards the end of the manuscript, I could see that it was becoming too long for a single book. I had to split it into two books. Building Firewalls with OpenBSD and PF is the first book, The OpenBSD Gazetteer is the second. That...

[...]

... else aside, and the growing farm of computer hardware. Without her support and understanding I'd never have written this book.

Jacek Artymiak
Lublin, Poland
October 2003

Chapter 1: Introduction

What this book is about
What information you'll find on its pages
How to keep in touch with the author of this book, the developer of pf, and the OpenBSD community

This book explains how to build, configure, and manage...

[...]

... attacks against the rich guys' networks.

1.4 Why OpenBSD and pf

Why should you use OpenBSD and pf to protect your network? There are many reasons: legal, financial, and technical. As for the technical reasons, the first one is quite obvious; if you want to use Daniel Hartmeier's pf packet filter, you need to install OpenBSD, because it is closely integrated with that particular operating system. This will...

[...]

... Helping OpenBSD and PF contains ideas for helping the good guys who gave us OpenBSD and pf.

1.7 Typographic Conventions Used in This Book

The right hand symbol ( ) is used to mark the beginning of a line that was too long and had to be broken into shorter pieces to fit on a printed page. For example:

http://www.devguide.net/
books/
openbsdfw-02-ed/

is the equivalent of:

http://www.devguide.net/books/openbsdfw-02-ed/

Posted: 24/01/2014, 01:20
