OpenBSD firewall using pf

2009-05-13 00:38:52 Source: unknown


Abstract from unixcircle: OpenBSD firewall using pf, by Hoang Q. Tran
It is really easy to configure an OpenBSD gateway for a private network. Here are the following steps:

  • Lock down the box

  • Install second ethernet card in the OpenBSD box

  • Customize the kernel

  • Enable packet forwarding, dhcp, firewall and network address translation

  • Configure machines behind NAT

  • Familiarize with pf

  • Quality of Service (QoS)

  • References
Lock down the box

The first step to lock down the firewall box is to disable all unnecessary running services. Luckily, OpenBSD out of the box is really secure even with ident, comsat, daytime, time, rstatd and rusersd enabled in /etc/inetd.conf. Comment out the services mentioned in /etc/inetd.conf, then edit /etc/rc.conf and make sure the portmap, sendmail and ntpd daemons are disabled as well. Don't disable inetd, as you will need it later for ftp-proxy.
check_quotas=NO
ntpd=NO
sendmail_flags=NO
sshd is enabled out of the box. If you don't plan to use it, disable it with sshd_flags=NO
Once you have disabled the unnecessary services, go to unixcircle to remotely port scan your own box from the outside. Be careful when you do this from behind a firewall box, as the port scan script will scan the firewall instead. If you have another box, use nmap to scan the box from the inside.
Get the latest OpenBSD security patches and apply them manually, download all the patches in one file, or use AnonCVS to synchronize to the stable release and build from source.
Make sure you check out the 3.2 stable branch with -rOPENBSD_3_2. Otherwise, you're checking out the "current" branch instead.
Finally, read up on SANS's The Twenty Most Critical Internet Security Vulnerabilities (Updated).
Install second Ethernet card in the OpenBSD box

Use any supported ethernet card for the second NIC in the OpenBSD machine. One card will be given a public IP address (assigned by your ISP or obtained dynamically, e.g., with DHCP) and the other will be given an IP address in a non-routable network. Your choices for private network addresses must come from one of these ranges (see RFC 1918):

10.0.0.1 - 10.255.255.254      netmask 255.0.0.0
172.16.0.1 - 172.31.255.254    netmask 255.240.0.0
192.168.0.1 - 192.168.255.254  netmask 255.255.0.0
Assuming the first card is "ep", create /etc/hostname.ep0 with a single line of the form x.x.x.x netmask x.x.x.x, where the values are the ones you chose above:

# First NIC - private
192.168.1.1 netmask 255.255.255.0 media 10baseT

If you have a static IP address for the second NIC, you naturally need to configure it in /etc/hostname.ep1 as well:

# Second NIC with public IP address (example values; substitute the address and netmask your ISP assigned)
123.221.8.1 netmask 255.190.280.0 media 10baseT
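An added check, not part of Tran's article, for the address/netmask pairs before they go into hostname.ep0 and hostname.ep1: the netmask must be a contiguous dotted quad, the address must not be the network or broadcast address, and the private NIC must use one of the RFC 1918 ranges listed above while the public NIC must not. The function names and the sample values in the main block are this example's own assumptions.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the article.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def netmask_to_prefix(mask):
    """Return the prefix length of a contiguous dotted-quad netmask, or None if it is not one."""
    try:
        octets = [int(o) for o in mask.split(".")]
    except ValueError:
        return None
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        return None  # e.g. 255.190.280.0: 280 is not an octet
    bits = "".join(f"{o:08b}" for o in octets)
    ones = bits.rstrip("0")
    if "0" in ones:
        return None  # a zero bit before a one bit: non-contiguous mask such as 255.190.0.0
    return len(ones)


def check_nic(addr, mask, private):
    """Return the problems with one address/netmask pair; an empty list means it is usable.

    private=True is the inside NIC, which must use RFC 1918 space; private=False is the public NIC.
    """
    prefix = netmask_to_prefix(mask)
    if prefix is None:
        return [f"netmask {mask} is not a valid contiguous IPv4 netmask"]
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return [f"{addr} is not a valid IPv4 address"]
    problems = []
    net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    if prefix < 31 and ip in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {net}")
    is_private = any(ip in r for r in RFC1918)
    if private and not is_private:
        problems.append(f"{addr} is not in an RFC 1918 range")
    if not private and is_private:
        problems.append(f"{addr} is RFC 1918 space, which is not routable on the public NIC")
    return problems


if __name__ == "__main__":
    # Constructed sample: the two hostname.if lines shown in the article.
    for addr, mask, private in (("192.168.1.1", "255.255.255.0", True),
                                ("123.221.8.1", "255.190.280.0", False)):
        print(addr, mask, check_nic(addr, mask, private) or "ok")
```

Run against the article's two lines it accepts the private NIC and rejects the public NIC's netmask, since 280 is not a valid octet.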
