Details
Firewalling with the OpenBSD PF packet filter
by Stephan A. Rickauer (Institute of Neuroinformatics, ETH / University Zurich), Peter Hansteen (Datadokumentasjon AS)
Friday, 01.06.2007, Workshop 1 (ICC-B/R44), 16:00-17:00
This talk is for aspiring or seasoned network professionals with at least a basic knowledge of networking in general and of TCP/IP in particular. It aims to teach tools and techniques that make sure your network works the way it is supposed to, keeping you in charge. Central to the toolbox is the OpenBSD PF packet filter.
By the time May rolls around, OpenBSD 4.1 will be the latest released version, with subtle but significant changes. The presentation will cover an excerpt of the most prominent features and changes of the OpenBSD PF packet filter.
PF? - why PF was needed and some history
Packet filter? Firewall? - some common terms explained
NAT? - common tricks of TCP/IP explained
PF today - a short overview of PF's feature set
BSD vs Linux - Configuration - if you came from Linux, how network config is done on BSD
Simplest possible setup (OpenBSD) - the minimal setup for an OpenBSD machine
First rule set - single machine - introducing actual filtering rules
Slightly stricter - tightening security while introducing PF's macros, lists and other readability helpers
Statistics from pfctl - getting to know your main tool
Simple gateway with NAT - going stepwise to a typical home or small office gateway, adding some received wisdom and eliminating some bad habits, subsectioned into "Gateways and the pitfalls of in, out and on" "What is your local network, anyway?" and finally "Setting up"
That sad old FTP thing - our first introduction to redirection is an attempt to handle that weird old protocol all geeks hate with a passion; we end up with ways to make life more tolerable. Progresses through the use of several proxy-type applications, covering "FTP through NAT: ftp-proxy", "FTP through pf with routable addresses: ftpsesame, pftpx and ftp-proxy!" and finally "ftp-proxy, new style".
Making your network troubleshooting friendly - you do need ICMP, and you can filter away the bits you do not need. Provides some background, which leads to the subsections "Then, do we let it all through?", "The easy way out: The buck stops here", "Letting ping through", "Helping traceroute", and finally "Path MTU discovery".
Network hygiene: Blocking, scrubbing and so on - at this point, your filtering gateway will work, but a few tweaks might be what adds that extra sparkle: "block-policy", "scrub", "antispoof" and "Handling non-routable addresses from elsewhere".
A web server and a mail server on the inside - over time, your needs *will* change. Here we build on the previous examples to set up an environment where you need to host your own mail and web server on your LAN, still using only that single official IP address. The "Taking care of your own - the inside" subsection adds some extra tips for making your servers accessible to the LAN as well.
Tables make your life easier - changing your filtering gateway's configuration while it's running, some command-line and script ideas.
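The gateway that the items from "Simple gateway with NAT" through "Tables make your life easier" build up, as an added pf.conf example in OpenBSD 4.1-era syntax; it is not from the talk manuscript, and the interface names, server addresses and the single official address being on xl0 are assumptions. It folds in the hygiene items (block-policy, scrub, antispoof, non-routable sources) and the ICMP handling from "Making your network troubleshooting friendly".

```pf
# Assumed interface names and LAN addresses; adjust to the real ones.
ext_if = "xl0"
int_if = "fxp0"
localnet = $int_if:network
webserver = "192.168.1.10"
mailserver = "192.168.1.20"

# Private ranges that should never arrive as source addresses on the outside
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set block-policy drop
set skip on lo0

# Reassemble fragments and normalize odd packets before filtering
scrub in all

# Everything on the LAN leaves through the single official address
nat on $ext_if from $localnet to any -> ($ext_if)

# Inbound web and mail on the official address are handed to the LAN servers
rdr on $ext_if proto tcp from any to ($ext_if) port www -> $webserver
rdr on $ext_if proto tcp from any to ($ext_if) port smtp -> $mailserver

# Default deny, then drop spoofed and privately-addressed traffic early
block all
antispoof quick for $int_if
block drop in quick on $ext_if from <rfc1918> to any

# Filter rules see the post-rdr destination, so match the LAN servers
pass in on $ext_if proto tcp from any to $webserver port www flags S/SA keep state
pass in on $ext_if proto tcp from any to $mailserver port smtp flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state

# LAN clients may go anywhere; the gateway itself may go out
pass in on $int_if from $localnet to any keep state
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any keep state

# Keep troubleshooting working: ping, and the UDP range traceroute uses
pass inet proto icmp all icmp-type echoreq keep state
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
```

Reaching the LAN servers from the inside via the official address needs the extra treatment covered in "Taking care of your own - the inside" and is deliberately left out here.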
Logging - explains how PF logs work and how to get just the data you need, with "Taking a peek with tcpdump" and "But there are limits (an anecdote)" to point you in useful directions.
Keeping an eye on things with pftop - introducing a useful monitoring tool which is not in the base system.
Invisible gateway - bridge - stealth firewalling, shows the bare basics of filtering while hiding the actual machine doing the filtering.
Directing traffic with ALTQ - introducing the ALTQ traffic shaping and bandwidth allocation framework, with three examples, "ALTQ - prioritizing by traffic type", "ALTQ - allocation by percentage" and "ALTQ - handling unwanted traffic", introducing the reader to filtering on operating system SYN signatures in the last example.
CARP and pfsync - explains the principles of setting up redundant hosts with automagic failover.
Wireless networks made simple - given useful hardware, wireless networks with BSD are easy and fun. Provides "A little IEEE 802.11 background" covering basic principles and some words about link level encryption methods before proceeding to "Setting up a simple wireless network".
An open, yet tightly guarded wireless network with authpf - using the authpf authenticating shell to load per user rule sets; useful for wireless and wired networks both.
Turning away the brutes - introduces 'pass with overload' rules which add DOS wannabes to a table we "block quick", proceeds to "expiretable tidies your tables" to prune tables of old clutter using a third-party tool.
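The "pass with overload" mechanism from the item above, as an added pf.conf example (not from the talk manuscript); the interface name, the thresholds and the expiretable install path are assumptions.

```pf
# Assumed external interface name
ext_if = "xl0"

# persist keeps the table around even while no rule references it
table <bruteforce> persist

# Anything already in the table is dropped before any other rule is consulted
block quick from <bruteforce>

# ssh stays open, but a source that holds more than 15 connections at once,
# or opens more than 5 new ones within 3 seconds, is added to <bruteforce>
# and all of its existing states are flushed (assumed thresholds).
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
     overload <bruteforce> flush global)

# Inspect or empty the table by hand:
#   pfctl -t bruteforce -T show
#   pfctl -t bruteforce -T flush
# Prune entries older than a day with the third-party expiretable tool,
# e.g. from cron every five minutes (path assumed):
#   */5 * * * * /usr/local/sbin/expiretable -t 24h bruteforce
```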
The work in progress manuscript is BSD licensed (but a GNU FDL version will be made available for LinuxTag) and downloadable from http://home.nuug.no/~peter/pf/.
About the author Stephan A. Rickauer:
Having played with Linux since 1995, I started working in the professional Unix environment 4 years later, supporting AIX on IBM RS/6000 boxes for two years. I then touched Solaris briefly and switched back to Linux at the first opportunity at Swissair/Atraxis. I worked there for a couple of years within the web and infrastructure department as a Unix Internet Engineer.
I am currently working at the Institute of Neuroinformatics, which tries to understand how brains work and implements these principles in artificial systems. During my work I discovered OpenBSD three years ago, and since then I have used it wherever it makes sense.
My main interests are consistent systems, like OpenBSD, and Free Software and Freedom in general.
About the author Peter Hansteen:
Peter N. M. Hansteen is a consultant, writer and sysadmin based in Bergen, Norway. He has been tinkering with computers since the mid 1980s, mainly while working to document how the systems work and why they don't, in English as well as his native Norwegian. In 1991 he co-founded Datadokumentasjon AS, a documentation and localization company where he is still chairman and senior consultant. Peter rediscovered Unixes about the time 386BSD appeared. After a few years on Linux, which included participation in the RFC1149 implementation (2001), he eventually migrated all important bits to FreeBSD and OpenBSD. A long time freenix advocate, he is a member of the BLUG (Bergen (BSD and) Linux User Group) core group and current vice president of NUUG (the Norwegian Unix User Group). During recent years a frequent lecturer and tutor with emphasis on FreeBSD and OpenBSD topics, he is now working on a book on building the network you need using free tools, mainly BSD ones.