Domain: obfuscation.org
Stories and comments across the archive that link to obfuscation.org.
Comments · 8
-
Re:Where are you, Linux?From the IPF Howto:
We want convenience and security in one. Lots of people do, that's why Ciscos have an "established" clause that lets established tcp sessions go through. Ipfw has established. Ipfwadm has setup/established. They all have this feature, but the name is very misleading. When we first saw it, we thought it meant our packet filter was keeping track of what was going on, that it knew if a connection was really established or not. The fact is, they're all taking the packet's word for it from a part of the packet anybody can lie about. They read the TCP packet's flags section and there's the reason UDP/ICMP don't work with it, they have no such thing. Anybody who can create a packet with bogus flags can get by a firewall with this setup.
I remember ipfw getting actual state features like IPF has. I'm more accustomed to the BSD operating systems so I'm not sure how Linux accomplishes this, does netfilter maintain a state table as well or does it still act like how the excerpt from the IPF howto describes it?
Then use netfilter.. its pretty nice...
In all fairness, IPF and PF seem to have a way better/intuitive syntax compared to iptables. Since we're talking about Linux here, a community which usually considers having more choice when it comes to software a good thing, I think it would be beneficial to have more choice where packet filters are concerned.
-
Re:PF for bridging.
-
99/1 rule on spammersOver the past 2 years we have noticed that more than 99% of the repeat spam comes from less than 1% of the sites.
In addition to the usual anti-spam methods:
- dorkslayers
- procmail
- Project SETS
- well configured MTA
- etc.
one can block IP addresses that attempt to spam on a regular basis. Tools such
can be configured to block frequent spammer IP addresses from your SMTP ports.The following is a list of IP addresses that we have observed spamming on a regular basis. Blocking these sites won't solve your spam problem. On the other hand blocking common spam locations as part of an overall anti-spam system will help.
12.30.205.0/24 24.2.10.0/24 24.88.20.0/24 61.13.0.0/16 61.30.0.0/16 61.129.0.0/16 61.177.0.0/16 63.100.231.32/28 63.184.200.0/24 64.14.218.128/28 64.65.0.0/18 64.80.216.0/22 64.80.220.0/23 64.208.134.0/15 64.239.0.0/18 66.33.0.0/17 66.72.98.10/32 128.18.0.0/16 128.121.126.220/32 142.154.0.0/16 161.58.0.0/16 192.147.174.0/24 194.91.230.0/24 195.53.155.0/24 195.153.207.128/27 202.9.128.0/19 202.181.196.120/29 205.141.192.0/19 205.141.224.0/21 206.173.16.0/21 206.173.24.0/22 208.50.155.0/24 208.165.228.0/22 208.187.17.192/27 209.38.216.0/22 209.69.0.0/16 209.239.0.0/19 209.239.192.0/19 209.249.0.0/16 210.52.0.0/24 210.85.0.0/16 210.201.0.0/18 210.226.0.0/15 210.228.0.0/14 210.241.0.0/17 211.20.180.0/22 211.21.0.0/16 211.32.0.0/13 211.51.63.171/32 211.226.126.0/24 212.49.192.0/24 212.174.0.0/15 212.216.0.0/16 216.41.0.0/16 216.42.0.0/16 216.53.128.0/17 216.79.0.0/16 216.87.64.0/19 216.122.0.0/16 216.143.68.0/22 216.143.72.0/22 216.143.76.0/24 216.167.0.0/17 216.174.192.0/18 216.183.206.64/28
Sorry if your IP address is in the above list. If you are not a spammer then it could be that you happen to be using an ISP that tolerates spammers (or is unable/unwilling to block them), or you work for a company that spam, or you are near a poorly configured and poorly maintained site that is abused as an open relay.
-
wow
This was submitted almost 3 weeks ago, anyways, its nice to see that people are still interested in the BSD's.
Recently I optioned on either buying two more Nokia 650 firewalls for my network and installed three new OpenBSD boxes using a combination of Trex, and IPF. While Checkpoint is a pretty cool firewall, I figured we (my company) didn't need to go out and spend more loot on firewalls. Sure IPF and Trex don't have true stateful inspections, and sure you can't do as much as you can with Checkpoint, but here are some of the neat things I managed to fiddle with. (posting this for this who do the fw things ya know)
On my Checkpoint FW I'm allowed the ability to mainpulate time based rules. (meaning I can allow in, out, block, on certain times of the day etc.) Being that at night (in case things go bonkers) servers go down, I made a simple shell script that is cron'd to open a connection at 8pm daily (when I'm home away from work) to my home subnet. This is pretty similar to Checkpoint's time based rules.
Not a major hack but it does me justice
Using a combination of FreeBSD, NetBSD, and OpenBSD at work (I'm senior admin so I get to use whatever I want) I also took the liberty of stunneling just about everything I could with OpenSSL so even if someone got unto out network, traffic is pretty secure for the most part.
Anyone else care to share some tweaks, tips and stuff on this boring Sunday?
-
Overkill is your Friend
There is always the concern that one defense or nother will have a hole. I personally would advocate using a different OS for your firewall, as well, in this case OpenBSD and ipfilter is my favorite, than you use for your interior workstations.
Configure ipfilter in a nice and paranoid fashion, ensure via nmap that no services are addressable, (inetd, portmap, etc, etc.. )
/then/ go about placing ipchains input rules on your interior boxen.The idea is, even if there is a vunerability found in the firewall box, there is a different type of wall protecting your secured hosts. ipfilter is also available for FreeBSD, in case you find OpenBSD a little too user/hardware-hostile.
For more info on ipfilter visit The IPFilter HOWTO and The IPFilter Mailing-Lists.
(Zealotry Notice, *BSD-fanatic who wouldn't trust ipchains with Bill Gate's homepage, but understands that Helix is addictive.)
-
Re:OpenBSD FirewallsBuilding OpenBSD and Linux Firewalls, Sonnerreich and Yates. This will tell you enough to get a solid OpenBSD firewall up.
Building Internet Firewalls, Second Edition Zwicky, Cooper, Chapman. This will provide you with more background information, but nothing on OpenBSD. (I was, not so much disappointed, as surprised, at this, for the first time with an O'Reilly book).The best, in my very humble opinion, references are online, but they aren't as nice to read as the Building Linux and OpenBDS Firewalls book, but are an excellent suppliment.
http://coombs.anu.edu.au/ipfilter
http://www.obfuscation.org/ipf/See the prior of the web pages for a mailing list (Majordomo). The author (Darren Reed) of IPFilter actively participates in this mailing list, which is helpful, and often appreciated.
Hope that helps
Brian -
Re:OpenBSD Firewalls
I have built an OpenBSD Firewall, and it has been chugging away on a $10.00 salvage 486 with two spare NICs for a few months now. OpenBSD uses the IPFilter packet filtering program for firewalling, and for Network Address Translation (having multiple machines share a single IP), you have IPNAT.
Both are included in the base install of OpenBSD, but need to be activated. From the OpenBSD FAQ at http://www.usa.openbsd.org/faq/faq6.ht ml#6.2 you can check out the IPFilter and IPNAT sections - this helped me to get running from practically step zero. The MAN pages in OpenBSD are also the best in the business, with example code and config files, and they are consistently getting better with each release.
To develop your rule base for IPFilter, you can't beat the IPFilter HOWTO located at http://www.obfuscation.org/ipf/. This has everything you need to know about creating a solid firewall without being an expert in TCP/IP packet routing.
So since you can get all the info for free, try downloading OpenBSD 2.7 and give it a shot. When it works for you WAY easier than you expected, take the cash that you would have spect on the firewall book and purchase the CD (and yes, mine is on the way...)
Good Luck and Enjoy! -
Openbsd and ipf is a pleasure to use
Personally I've found ipf and openbsd to be much easier to understand and maintain than ipfwadm or ipchains. With new firewall tools in 2.4 I'm glad I made the investment and switched. My suggestion if you want to use ipf, is definitely read the ipf howto.