[TriLUG] Drop and insert transparent firewall (OpenBSD)
Jon Carnes
jonc at nc.rr.com
Sun May 2 10:25:57 EDT 2004
On Sun, 2004-05-02 at 21:02, Aaron Joyner wrote:
> I realize this is, after all, a Linux User's Group, but when it comes
> right down to it, I must readily admit that OpenBSD has better
> firewalling capabilities with the pf firewall, than either Linux or
> FreeBSD.
>
> The amount of things that are possible with pf, including but not
> limited to:
> - scrubbing packets (changing the packet's random identifiers to be
> _more_ random to help protect hosts behind the firewall with bad random
> number generators)
> - complete on-the-fly reassembly of tcp connections (so no fragments
> pass through the filter that could bypass the rules)
> - simple and *incredibly* powerful class-based queueing
> - the ability to stack class based queues within priority based
> queues, as deep as your requirements require
> - rulesets that allow you to actually filter on interface by name, as
> opposed to changing that interface to an IP when the rule is imported
> (as iptables does with simple rules)
> - the list goes on and on
>
> The ability to boot entirely to a serial console as well as push the
> BIOS out is just icing on the cake (Linux is capable of doing this as
> well, it's only not as well documented because it's a less common
> setup). I have to say, the box that Jason and I set up for transparent
> firewalling is very much an "ideal" firewall in my mind. It's next to
> impossible that it would be the first machine on your network to be
> compromised, and it's the gatekeeper to protecting the rest of the
> machines.
>
> About the only thing we could have added that we didn't have, would be
> some form of Intrusion Detection or Prevention software.
Another nice feature of OpenBSD is that it is incredibly hard to break
into - or to exploit if it is broken into. Most services run in a chroot
with only user privileges.
Still you can easily add intrusion detection. Snort works fine (you can
install it via ports). My favorite is simply to add a hidden partition
to your setup and backup your configs, binaries, and libraries to this
partition - then run an hourly comparison (from the binaries on the
hidden partition).
> I'm not sure
> how we would handle convenient alerting of intrusions, as it can't
> readily send mail. I wonder how difficult it would be to originate a
> spoofed smtp connection from that machine sourced from a machine inside
> the network destined for a machine outside the network. Another option
> would of course be a simple dial-up modem and only page under extreme
> circumstances. Perhaps another serial connection to a machine running
> a daemon on that port, that would allow you to connect and send mail.
> Okay, that's about the extent of my ideas and ramblings. Just a few
> thoughts. :)
How about a third network card in the box and if you need to send a
warning, have the system bring that NIC on-line and send out a warning,
then take the NIC off-line again?
Jon Carnes