If voting were effective, it would be illegal by now.
*BSD is dying
by
Anonymous Coward
·
· Score: -1, Troll
Netcraft officially confirms: *BSD is dying
Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and *BSD's long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
*BSD is dying
Re:*BSD is dying
by
Anonymous Coward
·
· Score: -1, Troll
Linux faces a bleak future. In fact there may be no future at all for Linux because Linux is dying. Things are looking very bad for Linux. As many of us are already aware, Linux continues to lose market share; red ink flows like a river of blood. Slackware Linux is perhaps the most endangered. Let's look at the numbers.
MandrakeSoft's CEO Henri Poole states that there are 70000 users of Linux-Mandrake. How many users of Debian GNU/Linux are there? Let's see. The number of Linux-Mandrake versus GNU/Linux posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 70000/5 = 14000 GNU/Linux users. Slackware posts on Usenet are about half of the volume of GNU/Linux posts. Therefore there are about 7000 users of Slackware. A recent article put RedHat Linux at about 80 percent of the Linux market. Therefore there are (70000+14000+7000)*4 = 364000 RedHat Linux users. This is consistent with the number of RedHat Linux Usenet posts.
Now Linux companies are consolidating, overhauling their business plans, laying off staff, scaling back expansion plans and pushing back profitability schedules. "It would seem there are too many distributions for the market to bear," said Gartner analyst Tom Henkel. (http://www.zdnet.com/zdnn/stories/news/0,4586,2695638,00.html)
Red Hat, Inc., the leader in developing, deploying and managing open source linux solutions, announced on a reported basis, a net loss of $24.2 million. (http://linuxtoday.com/news_story.php3?ltsn=2001-03-22-010-20-PS)
Turbolinux, based in Brisbane, Calif., a Linux-based software provider has withdrawn a $60 million initial public offering "in light of current market conditions." (http://biz.yahoo.com/rf/010320/n20215287_2.html) (http://cnnfn.cnn.com/2001/03/20/deals/ipo/)
Clayton-based Linuxgruven.com, a Linux training and service company with 106 employees, laid off 100 employees (http://stlouis.bcentral.com/stlouis/stories/2001/03/05/daily41.html)
Lineo withdrew its initial public offering in January. Caldera Systems delayed the acquisition of Santa Cruz Operations' Unix software by a quarter. Linuxcare laid off dozens in February, with Linuxcare co-founders Dave Sifry and Dave LaDuke among those departing. VA Linux Systems cut 114 people in February and delayed its expected profitability by nine months. (http://www.zdnet.com/zdnn/stories/news/0,4586,2695638,00.html)
Due to the troubles of Corel, abysmal sales and so on, Corel Linux is going out of business and was nearly taken over by Microsoft who sell another troubled OS. Owing to the GPL, SuSE is laying off almost all of its US staff. Major marketing surveys show that Linux has steadily declined in market share. Even LinuxWorld.com shut down "because of the economy and everything else" (http://www.newsforge.com/article.pl?sid=01/03/13/1720254&mode=nocomment)
TuxRacer going closed source and commercial shows how, when it comes down to money, Linux doesn't cut it.
Linux is very sick and its long term survival prospects are very dim. If Linux is to survive at all it will be among OS hobbyists (i.e. those who dabble with Minix, Xinu, etc). Linux continues to falter. Nothing short of a miracle could save it at this point in time. For all practical purposes, Linux is dead.
*BSD is dying
by
Anonymous Coward
·
· Score: -1, Troll
Netcraft officially confirms: *BSD is dying
Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and *BSD's long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
*BSD is dying
Hard Times for *BSD
by
Anonymous Coward
·
· Score: -1, Offtopic
So why now? Why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personalities?
The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.
Stephen King, author, dead at 54
by
Anonymous Coward
·
· Score: -1, Offtopic
I just heard some sad news on talk radio - Horror/Sci Fi writer Stephen King was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon. He will be missed :(
My experiences with Windows XP Professional
by
Anonymous Coward
·
· Score: -1, Troll
I am a Computer Information Systems Professional at a major Fortune 500 corporation. Very recently the head of our IT department decided that we were going to switch every one of our networks over to Windows XP Professional. We had previously been running OpenBSD on all our quad processor Xeons. Some of them had had uptimes approaching a year! My personal favourite, Gerbil, had been running without a reboot for three years.
One day one of those Microsoft shills that you often read about on the Register came by for a visit. I grew very suspicious about what was going on when my boss and the Microsoft representative walked by my desk, and entered the server room. I could hear muffled voices through the closed door. The Microsoft representative was asking what we were running on our servers! My worst fears had come true. I sat at my desk for the rest of the day, silently awaiting the bad news. The news did not come until the next day. It was worse than I had feared. We were to be a Microsoft only shop from that day on! I could not believe it. The Microsoft representative had told my boss that the operating and support costs would actually go down. And my boss had fully bought into it, hook, line, and sinker.
Tough times hit our company in the last month, and we were forced to lay off a few of the less experienced IS/IT workers. One of them took this rather hard. As a last minute attempt at corporate sabotage, he decided to change all of the Computer Administrator passwords on a few of the XP Professional boxes sitting around in the server room. This caused absolute havoc, as Dell had failed to send along administrator passwords for the new boxes. Our company could not make use of these computers for three days. It took Dell that long to get us the administrator passwords. It is strictly because of Microsoft's poor implementation of a multi-user computing environment that our company lost three days of productivity.
Needless to say, I had our quad Xeons back running OpenBSD by the end of the week. Gerbil is back on its way to another glorious 3 years of uptime.
Re:My experiences with Windows XP Professional
by
sirket
·
· Score: 2
Why are you wasting Quad Xeon processors on an OpenBSD box? OpenBSD has always had poor dual processor support, and the performance boost drops even further when you go to 4 processors.
Are you sure these boxes weren't running FreeBSD?
-sirket
Re:My experiences with Windows XP Professional
by
Anonymous Coward
·
· Score: -1, Troll
YHBT. YHL. HAND.
Re:My experiences with Windows XP Professional
by
Anonymous Coward
·
· Score: 0
OpenBSD doesn't even have SMP support.
Pay attention.
Re:My experiences with Windows XP Professional
by
Tuzanor
·
· Score: 3, Informative
um, actually OpenBSD doesn't have ANY SMP support. So if you add more procs it'll only use one.
Re:My experiences with Windows XP Professional
by
Anonymous Coward
·
· Score: -1, Troll
Not only did you reply to a troll, not only was it a shite troll, but you got your facts wrong as well.
YHBT. YHL. HAND. Fool.
Re:My experiences with Windows XP Professional
by
Anonymous Coward
·
· Score: 0
It doesn't have ANY; LOL!
Follow the SMP branch and you'll see it does have SOME, and not 'not ANY'.
Re:My experiences with Windows XP Professional
by
Anonymous Coward
·
· Score: 0
The main release of OpenBSD has zero SMP until you put the unstable SMP patches on it. Most of the current code just detects CPUs and sets up the framework. They have a LONG way to go but are moving forward. There aren't any real performance improvements yet. Give it some time though.
Re:My experiences with Windows XP Professional
by
Anonymous Coward
·
· Score: 0
OpenBSD is the best firewall! I/O performance is too slow for other tasks compared to its competition.
In case site goes down
by
Anonymous Coward
·
· Score: -1, Redundant
I'd like to thank you for your feedback on the first part of "Securing Small Networks with OpenBSD." You asked many interesting questions that prompted me to write another article in which I'll try to answer questions regarding the new packet filter, pf, introduced in OpenBSD 3.0.
How do I use pf?
That's easy: Download and install OpenBSD 3.0 or 3.1 and it's there. :-) To control pf, use the pfctl tool.
As you can see, the names of the configuration files have changed as well: packet filtering rules are now stored in the pf.conf file located in the /etc directory. The network address translation rules are stored in the nat.conf file located in the same directory. When pfctl complains about syntax errors, use the -v option to display the rules as they are processed by pfctl. For example, when the packet filtering rules contain errors, use pfctl -v -R /etc/pf.conf | less to browse the output and locate lines with errors; then edit the configuration file and try uploading the new rules again.
Note that pfctl will complain if you try to upload new configuration rules while pf is not running. When that happens, start pf as described earlier and try again.
For more information about pfctl, read man pfctl.
How do I translate ipf rules into pf rules?
Administrators new to pf will be glad to know that its syntax is very similar to that of ipfilter. Simple rules can be translated without any changes whatsoever, while more complicated statements will have to be slightly adjusted to match the new syntax. This is only a small inconvenience, as the new rule syntax is easier to read and manage. In general, you can expect to halve the length of the configuration file while retaining all previous functionality.
Let's have a closer look at what changes have been made. First, a simple example using the design described in the original article:
lo0: all inbound and outbound packets can pass through
ipfilter:
pass out quick on lo0 all
pass in quick on lo0 all
pf:
pass out quick on lo0 all
pass in quick on lo0 all
As you can see, nothing has changed here. Such simple rules can be copied verbatim. The situation changes when we try to rewrite more complex rules, like the ones shown below. (The tun0 interface connects our network to the Internet.)
tun0: outbound packets sent from any network address to the private address space cannot pass through
ipfilter:
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 127.0.0.0/8
block out quick on tun0 from any to 10.0.0.0/8
block out quick on tun0 from any to 0.0.0.0/8
block out quick on tun0 from any to 169.254.0.0/16
block out quick on tun0 from any to 192.0.2.0/24
block out quick on tun0 from any to 204.152.64.0/23
block out quick on tun0 from any to 224.0.0.0/3
pf:
block out quick on tun0 from any to { 192.168.0.0/16, 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }
Now, that's a refreshing change! We've just shrunk nine lines into one. As you can see, we listed all network addresses inside a pair of curly braces: {}. This simple trick can be used to list multiple arguments for the proto, from, to, port, and icmp-type keywords.
The rest of the syntax is unchanged, but watch out for the port and proto syntax.
tun0: incoming packets sent from any network address to port 80 can pass through to the mail and HTTP servers located in the DMZ
ipfilter:
pass in quick on tun0 proto tcp/udp from any to x.x.x.x/32 port = 25
pass in quick on tun0 proto tcp/udp from any to 192.168.2.4/32 port = 25
pass in quick on tun0 proto tcp/udp from any to x.x.x.x/32 port = 80
pass in quick on tun0 proto tcp/udp from any to 192.168.2.3/32 port = 80
pf:
pass in on tun0 inet proto { tcp, udp } from any to x.x.x.x/32 port { 25, 80 }
pass in on tun0 inet proto { tcp, udp } from any to 192.168.2.3/32 port 80
pass in on tun0 inet proto { tcp, udp } from any to 192.168.2.4/32 port 25
As you can see, in pf rules there is no = character after the port keyword. We do not use the tcp/udp notation to specify both tcp and udp protocols, but we list them in curly braces instead. Forgetting to change this is a common mistake when transferring rules from ipfilter to pf. Fortunately, pfctl spots such mistakes and refuses to upload them to pf.
The name of the port can be replaced by the name of the service assigned to that port. For example:
pass in on tun0 inet proto { tcp, udp } from any to x.x.x.x/32 port { smtp, www }
The names of services can be found in /etc/services.
Other interesting changes include the scrub action, which normalizes malformed packets. This action uses additional CPU cycles, but it's well worth using to ensure that the packets arriving in our network are well formed and won't cause problems to applications running on your internal network. Should you use it? You decide. Try running your firewall with and without scrub and see if there is a difference in network performance. The following rule tells pf to normalize all incoming packets on all interfaces; add it at the beginning of your pf ruleset.
scrub in all
Further improvements made to pf include enhanced stateful filtering. Not only can you ask pf to keep state, the same feature available in ipfilter, but you can also improve security by generating more secure initial sequence numbers with modify state. To enable this feature, replace keep state with modify state. This feature puts additional load on the firewall machine, and you might want to compare firewall performance with and without modify state to see if and how it affects performance. To use it, replace keep state with modify state in your ruleset (using modify state implies keep state). State modification works only with TCP packets.
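The ipfilter-to-pf rewrites described in the pasted article (brace lists for addresses and ports, "proto tcp/udp" becoming "proto { tcp, udp }", no "=" after port) can be mechanised. The following is an added example, not code from the article or the poster: the function names are hypothetical, 203.0.113.10 is a documentation address standing in for the elided x.x.x.x, and only the "port = N" destination form is handled. Rules are merged only within a run of consecutive rules that share action, interface, protocol and source, so rule order relative to other rules is preserved.

```python
import re

# Constructed sample ipfilter rules modelled on the article's examples.
IPF_RULES = """\
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 10.0.0.0/8
pass in quick on tun0 proto tcp/udp from any to 203.0.113.10/32 port = 25
pass in quick on tun0 proto tcp/udp from any to 192.168.2.4/32 port = 25
pass in quick on tun0 proto tcp/udp from any to 203.0.113.10/32 port = 80
pass in quick on tun0 proto tcp/udp from any to 192.168.2.3/32 port = 80
"""

RULE_RE = re.compile(
    r"^(?P<head>.+?)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\S+))?\s*(?P<tail>.*)$"
)


def parse_ipf(line):
    """Split one ipfilter rule into (head, src, dst, port, tail)."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unsupported rule: {line!r}")
    # pf rejects ipfilter's "tcp/udp" shorthand; list both protocols instead.
    head = re.sub(r"\bproto\s+tcp/udp\b", "proto { tcp, udp }", m["head"])
    return head, m["src"], m["dst"], m["port"], m["tail"]


def brace(items):
    """Render one item bare, several items as a pf brace list."""
    return items[0] if len(items) == 1 else "{ " + ", ".join(items) + " }"


def merge_run(run):
    """Collapse a run of rules that differ only in destination and port."""
    # Step 1: collect the ports used for each destination.
    ports_by_dst = {}
    for _, _, dst, port, _ in run:
        ports = ports_by_dst.setdefault(dst, [])
        if port is not None and port not in ports:
            ports.append(port)
    # Step 2: destinations with an identical port list share one rule, so the
    # brace expansion yields exactly the original address/port pairs.
    dsts_by_ports = {}
    for dst, ports in ports_by_dst.items():
        dsts_by_ports.setdefault(tuple(ports), []).append(dst)
    head, src, _, _, tail = run[0]
    out = []
    for ports, dsts in dsts_by_ports.items():
        rule = f"{head} from {src} to {brace(dsts)}"
        if ports:
            rule += f" port {brace(list(ports))}"
        out.append((rule + " " + tail).strip())
    return out


def ipf_to_pf(text):
    """Translate ipfilter rules to pf syntax, merging adjacent similar rules."""
    out, run, run_key = [], [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_ipf(line)
        # A rule without a port matches every port, so it never shares a run
        # with port-restricted rules.
        key = (rule[0], rule[1], rule[4], rule[3] is None)
        if key != run_key and run:
            out.extend(merge_run(run))
            run = []
        run_key = key
        run.append(rule)
    if run:
        out.extend(merge_run(run))
    return out


if __name__ == "__main__":
    print("\n".join(ipf_to_pf(IPF_RULES)))
```

Review the generated rules before loading them; the translator leaves every keyword other than proto and port untouched.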
Re:In case site goes down
by
Anonymous Coward
·
· Score: -1, Troll
The biggest problem with using *BSD for security purposes is that it's liable to die at any time, exposing your secure network to "hackers", shifty Japanese, and other undesirables.
--
The goatse guy for president. Win one for the gaper!
*BSD is dying
by
Anonymous Coward
·
· Score: -1, Troll
It is official; Netcraft confirms: *BSD is dying
One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact:
*BSD is dying
Important gossip
by
Anonymous Coward
·
· Score: -1, Offtopic
Your Operating system has officially died. No one gives a damn anymore about how 1337 your OS is. Everyone has moved on to real operating systems, like Windows XP. Proof positive of how little people care about *BSD is in the numerous trolls and crapfloods that abound on slashdot.org/bsd Just look at the signal to noise ratio on this page. Nearly all are trolls! 'Nuff said.
Proof positive of how little people care about *BSD is in the numerous trolls and crapfloods that abound on slashdot.org/bsd
If *BSD is dead, then why would you waste your time posting this? In fact, why would anyone waste their time trolling at all? If it was truly dead, we wouldn't need trolls to tell us. There would be no "us" to tell in the first place. Just the presence of people, trollish or not, demonstrates that it is not dead. If you want to tell people that it's dead, your silence is about the best you can do. Your saying BSD is dead is demonstrating your fear rather than informing anyone. You know that BSD is alive and well, gaining marketshare as we speak. You fear BSD, because of its success, plain and simple.
Ahahaha! My post was definitely not a troll, but more of an anti-troll. The reason for this is that it was completely logical, and with no glaring holes in reasoning. Most importantly was that it was on topic. Get a life you fuckwad.
It's simple really. If the management cared, they'd block the trolls. But because the VA software staff can't even make money selling linux boxen, they don't want to be seen supporting BSD in any way.
If the trolls were about how VA or Taco sucked, you know they would be blocked.
Bsd all by itself
by
Anonymous Coward
·
· Score: -1, Troll
To be sung by beastie to the sound of fsck running as a background process:
When I was young,
I never needed anyone,
and making love was
just for fun,
those days are gone.
Living alone
I think of all the friends I've
known but when I
dial the telephone,
nobody's home
Hard to be sure,
sometimes I feel so insecure,
and love so distant
and obscure,
remains the cure.
All by myself, don't want to be
all by myself, anymore.
What's that stench?
by
Anonymous Coward
·
· Score: -1, Troll
Smells like a dying OS
*BSD is dead
by
Anonymous Coward
·
· Score: -1, Troll
The funeral will take place in three days time.
Next, How to Count all the Haxors being blocked
by
Anonymous Coward
·
· Score: 0
I'll bet he gets to do another article (do you think there is money in writing for O'Reilly web?) and will tell you how to look at those log files.
I read where tcpdump has a vulnerability, does anyone know what that would mean to looking at your pf logs?
Of course, we should expect to soon see the ipfilter vs pf flames shooting out from the screen, real soon now.....NOT!
What does it ALL mean?
by
Anonymous Coward
·
· Score: 0
I happen to have pf running on my cable modem, and it does great, thank you. But the number of blocked attacks that appear to be residual Code Red or Nimda is astonishing. Is the Internet catching the equivalent of the common cold, that drains more productivity out of the economy than cancer or heart disease?
did you know that searching for 'nigger' on google returns the category Arts > Movies > Titles > W > Who Framed Roger Rabbit ??? See for yourself!
OpenBSD as more than a firewall
by
Partisan01
·
· Score: 1
I am an OpenBSD fan, but I think that it doesn't get as much stage time for things other than a firewall. I use OpenBSD to run a webserver for my company, and an LDAP server. Granted I'm not running a high profile server, but it still gets the job done nicely, plus it's very secure. OpenBSD is a great firewall, but it also excels in many other aspects of serving...
-- ahh, the egg in the basket..
Re:OpenBSD as more than a firewall
by
Anonymous Coward
·
· Score: -1, Offtopic
Nobody cares about that, did you know that *BSD is dying? Maybe you could find a "dallas cowboys will win the superbowl" chat room if you want to talk about the time you stuck your dick in a vacuum cleaner...
Re:OpenBSD as more than a firewall
by
artymiak
·
· Score: 1
Don't worry, there will be more OpenBSD coverage on ONLamp.com.
--
Jacek Artymiak
freelance consultant and writer
master of many a page
Re:OpenBSD as more than a firewall
by
Anonymous Coward
·
· Score: 0
Indeed. And past benchmarking (I don't have a url to hand, it was a while back) has shown that it outperformed Sol serving http content with apache.
Take a look at emBSD at 32 meg it's small and secure (OS is on flash memory). Most importantly it does one job, routing and firewall duties, and it does it well. http://embsd.suspicious.org/
My vagina is queefing. I repeat: MY VAGINA IS QUEEFING.
Needless to say, I had our quad Xeons back running OpenBSD by the end of the week. Gerbil is back on its way to another glorious 3 years of uptime.
Here's a mirror :-)
Securing Small Networks With OpenBSD, Part 2
by Jacek Artymiak
04/11/2002
Welcome back.
I'd like to thank you for your feedback on the first part of "Securing Small Networks with OpenBSD." You asked many interesting questions that prompted me to write another article in which I'll try to answer questions regarding the new packet filter, pf, introduced in OpenBSD 3.0.
How do I use pf?
That's easy: Download and install OpenBSD 3.0 or 3.1 and it's there. To control pf, use the pfctl tool.
* Start pf -- pfctl -e
* Stop pf -- pfctl -d
* Upload new pf rules -- pfctl -R /etc/pf.conf
* Upload new nat rules -- pfctl -N /etc/nat.conf
As you can see, the names of the configuration files have changed as well: packet filtering rules are now stored in the pf.conf file located in the /etc directory. The network address translation rules are stored in the nat.conf file located in the same directory. When pfctl complains about syntax errors, use the -v option to display the rules as they are processed by pfctl. For example, when the packet filtering rules contain errors, use pfctl -v -R /etc/pf.conf | less to browse the output and locate lines with errors; then edit the configuration file and try uploading the new rules again.
Note that pfctl will complain if you try to upload new configuration rules while pf is not running. When that happens, start pf as described earlier and try again.
For more information about pfctl, read man pfctl.
How do I translate ipf rules into pf rules?
Administrators new to pf will be glad to know that its syntax is very similar to that of ipfilter. Simple rules can be translated without any changes whatsoever, while more complicated statements will have to be slightly adjusted to match the new syntax. This is only a small inconvenience, as the new rule syntax is easier to read and manage. In general, you can expect to halve the length of the configuration file while retaining all previous functionality.
Let's have a closer look at what changes have been made. First, a simple example using the design described in the original article:
lo0: all inbound and outbound packets can pass through
ipfilter:
pass out quick on lo0 all
pass in quick on lo0 all
pf:
pass out quick on lo0 all
pass in quick on lo0 all
As you can see, nothing has changed here. Such simple rules can be copied verbatim. The situation changes when we try to rewrite more complex rules, like the ones shown below. (The tun0 interface connects our network to the Internet.)
tun0: outbound packets sent from any network address to the private address space cannot pass through
ipfilter:
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 127.0.0.0/8
block out quick on tun0 from any to 10.0.0.0/8
block out quick on tun0 from any to 0.0.0.0/8
block out quick on tun0 from any to 169.254.0.0/16
block out quick on tun0 from any to 192.0.2.0/24
block out quick on tun0 from any to 204.152.64.0/23
block out quick on tun0 from any to 224.0.0.0/3
pf:
block out quick on tun0 from any to { 192.168.0.0/16, 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }
Now, that's a refreshing change! We've just shrunk nine lines into one. As you can see, we listed all network addresses inside a pair of curly braces: {}. This simple trick can be used to list multiple arguments for the proto, from, to, port, and icmp-type keywords.
The rest of the syntax is unchanged, but watch out for the port and proto syntax.
tun0: incoming packets sent from any network address to port 80 can pass through to the mail and HTTP servers located in the DMZ
ipfilter:
pass in quick on tun0 proto tcp/udp from any to x.x.x.x/32 port = 25
pass in quick on tun0 proto tcp/udp from any to 192.168.2.4/32 port = 25
pass in quick on tun0 proto tcp/udp from any to x.x.x.x/32 port = 80
pass in quick on tun0 proto tcp/udp from any to 192.168.2.3/32 port = 80
pf:
pass in on tun0 inet proto { tcp, udp } from any to x.x.x.x/32 port { 25, 80 }
pass in on tun0 inet proto { tcp, udp } from any to 192.168.2.3/32 port 80
pass in on tun0 inet proto { tcp, udp } from any to 192.168.2.4/32 port 25
As you can see, in pf rules there is no = character after the port keyword. We do not use the tcp/udp notation to specify both tcp and udp protocols, but we list them in curly braces instead. Forgetting to change this is a common mistake when transferring rules from ipfilter to pf. Fortunately, pfctl spots such mistakes and refuses to upload them to pf.
The name of the port can be replaced by the name of the service assigned to that port. For example:
pass in on tun0 inet proto { tcp, udp } from any to x.x.x.x/32 port { smtp, www }
The names of services can be found in /etc/services.
Other interesting changes include the scrub action, which normalizes malformed packets. This action uses additional CPU cycles, but it's well worth using to ensure that the packets arriving in our network are well formed and won't cause problems to applications running on your internal network. Should you use it? You decide. Try running your firewall with and without scrub and see if there is a difference in network performance. The following rule tells pf to normalize all incoming packets on all interfaces; add it at the beginning of your pf ruleset.
scrub in all
Further improvements made to pf include enhanced stateful filtering. Not only can you ask pf to keep state, the same feature available in ipfilter, but you can also improve security by generating more secure initial sequence numbers with modify state. To enable this feature, replace keep state with modify state. This feature puts additional load on the firewall machine, and you might want to compare firewall performance with and without modify state to see if and how it affects performance. To use it, replace keep state with modify state in your ruleset (using modify state implies keep state). State modification works only with TCP packets.
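The ipfilter-to-pf rewrite described in the mirrored article, as an added example that is not part of the original post or the article: a small translator that turns `proto tcp/udp` and `port = N` into pf syntax and folds adjacent rules into brace lists. The names `translate`, `braces` and `IPF_RULES` are assumptions, the sample rules are constructed, and only the rule shapes quoted above are handled; the output keeps `quick` and does not add `inet`.

```python
import re

# Constructed sample: ipfilter rules in the style quoted in the article.
IPF_RULES = """\
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 10.0.0.0/8
pass in quick on tun0 proto tcp/udp from any to 192.168.2.4/32 port = 25
pass in quick on tun0 proto tcp/udp from any to 192.168.2.3/32 port = 80
pass in quick on tun0 proto tcp/udp from any to 192.168.2.3/32 port = 25
"""
RULE = re.compile(
    r"^(?P<head>(?:pass|block) (?:in|out)(?: quick)? on \S+)"
    r"(?: proto (?P<proto>\S+))? from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port = (?P<port>\S+))?$")

def braces(items):
    """pf list syntax: one value stays bare, several go inside { }."""
    return items[0] if len(items) == 1 else "{ " + ", ".join(items) + " }"

def translate(ipf_text):
    """Translate simple ipfilter rules to pf, merging adjacent rules on ONE field."""
    merged = []  # entries: [key, destinations, ports]
    for line in filter(None, map(str.strip, ipf_text.splitlines())):
        m = RULE.match(line)
        if m is None:
            raise ValueError("unsupported ipfilter rule: " + line)
        # ipfilter's tcp/udp shorthand becomes a pf protocol list
        proto = tuple(m["proto"].split("/")) if m["proto"] else ()
        key = (m["head"], proto, m["src"])
        dst, ports = m["dst"], [m["port"]] if m["port"] else []
        last = merged[-1] if merged and merged[-1][0] == key else None
        if last and last[2] == ports:
            # same ports (or none), new destination: extend the address list
            if dst not in last[1]:
                last[1].append(dst)
        elif last and last[1] == [dst] and last[2] and ports:
            # same single destination, new port: extend the port list
            if ports[0] not in last[2]:
                last[2].append(ports[0])
        else:
            # New action, or differs in both fields: pf expands lists to the cross
            # product, so merging here would pass traffic ipfilter never allowed.
            merged.append([key, [dst], ports])
    out = []
    for (head, proto, src), dsts, ports in merged:
        rule = head + (" proto " + braces(list(proto)) if proto else "")
        rule += " from " + src + " to " + braces(dsts)
        out.append(rule + (" port " + braces(ports) if ports else ""))
    return out
```

Calling `translate(IPF_RULES)` yields three pf rules; the two mail and web rules stay separate because folding both the address and the port lists into one rule would also open port 80 on 192.168.2.4.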
Ok, the article is fine, informative and well shaped, needless to say that OpenBSD does its work really well as a firewall.
... really.
...
But why the hell do we have 80% troll posts? This sucks
Oh yeah, mod me down now, but you know I'm right
Life sucks.
One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dying
Psst...CmdrTaco sucks cock. Pass it on.
Your Operating system has officially died. No one gives a damn anymore about how 1337 your OS is. Everyone has moved on to real operating systems, like Windows XP. Proof positive of how little people care about *BSD is in the numerous trolls and crapfloods that abound on slashdot.org/bsd. Just look at the signal to noise ratio on this page. Nearly all are trolls! 'Nuff said.
It's simple really. If the management cared, they'd block the trolls. But because the VA software staff can't even make money selling linux boxen, they don't want to be seen supporting BSD in any way.
If the trolls were about how VA or Taco sucked, you know they would be blocked.
To be sung by beastie to the sound of
fsck running as a background process:
When I was young,
I never needed anyone,
and making love was
just for fun,
those days are gone.
Living alone
I think of all the friends I've
known but when I
dial the telephone,
nobody's home
Hard to be sure,
sometimes I feel so insecure,
and love so distant
and obscure,
remains the cure.
All by myself, don't want to be
all by myself, anymore.
Smells like a dying OS
The funeral will take place in three days time.
I'll bet he gets to do another article (do you think there is money in writing for O'Reilly web?) and will tell you how to look at those log files.
I read where tcpdump has a vulnerability, does anyone know what that would mean to looking at your pf logs?
Of course, we should expect to soon see the ipfilter vs pf flames shooting out from the screen, real soon now.....NOT!
I happen to have pf running on my cable modem, and it does great, thank you. But the number of blocked attacks that appear to be residual Code Red or Nimda is astonishing. Is the Internet catching the equivalent of the common cold, that drains more productivity out of the economy than cancer or heart disease?
did you know that searching for 'nigger' on google returns the category Arts > Movies > Titles > W > Who Framed Roger Rabbit ??? See for yourself!
I am an OpenBSD fan, but I think that it doesn't get as much stage time for things other than a firewall. I use OpenBSD to run a webserver for my company, and an LDAP server. Granted I'm not running a high profile server, but it still gets the job done nicely, plus it's very secure. OpenBSD is a great firewall, but it also excels in many other aspects of serving...
ahh, the egg in the basket..
Take a look at emBSD; at 32 meg it's small and secure (OS is on flash memory). Most importantly it does one job, routing and firewall duties, and it does it well. http://embsd.suspicious.org/