Re: PF rule - am I being stupid ?

2018-09-05 Thread Bob Smith


> I think it is caused by the packets blocked having the RST flag set -- a
> consequence of specifying "flags S/SA" in rule @39. Check out man
> pf.conf. Look for section about "flags a/b | any" (line 317 here).

The S/SA wasn't set explicitly by me, it's the default.

Out of interest, would this possibly be a PF behaviour change somewhere between 
6.1 and 6.3? I'm trying to troubleshoot a VoIP phone that has stopped 
functioning, and the only change has been an upgrade to 6.3.



Re: Equipment for OBSD based firewall

2018-09-05 Thread Bob Smith
I am a big fan of Deciso (https://www.deciso.com/product-catalog/)

Yes, it comes out of the box with "another BSD" preloaded, but you can easily 
take care of that in a few minutes courtesy of a USB console and a USB key with 
Mr de Raadt's opus magnum on it. ;-)




--- Original Message ---
On September 4, 2018 12:17 AM, Bogdan Kulbida wrote:

> Ladies and gentlemen,
>
> I need to build a pf OBSD firewall for a small office. What minimally
> feasible equipment would you recommend in order to achieve this goal?
>
> Thank you!
>
> ---
>
> Best regards,
> Bogdan Kulbida
> Founder and CEO, Konstankino LLC http://konstankino.com
> +1.802.793.8295




PF rule - am I being stupid ?

2018-09-05 Thread Bob Smith
Hi,

I'm banging my head against a brick wall here trying to figure out why PF (on 
OpenBSD 6.3) is allowing some packets but blocking others?

Here's the tcpdump:
Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108: 192.0.2.150.49156 > 198.51.100.158.20001: udp 47
Sep 05 18:07:45.084220 rule 39/(match) pass out on em2: 192.0.2.150.49156 > 198.51.100.158.20001: udp 47
Sep 05 18:08:01.136633 rule 39/(match) pass in on vlan108: 192.0.2.150.49157 > 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
Sep 05 18:08:01.136661 rule 39/(match) pass out on em2: 192.0.2.150.49157 > 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
Sep 05 18:08:25.607885 rule 11/(match) block in on vlan108: 192.0.2.150.6998 > 198.51.100.158.6801: R 16764161:16764161(0) ack 209207857 win 4224 [tos 0x60]
Sep 05 18:08:27.919688 rule 11/(match) block in on vlan108: 192.0.2.150.6978 > 198.51.100.158.6802: R 17473283:17473283(0) ack 3296254713 win 4224 [tos 0x60]
Sep 05 18:08:32.594889 rule 11/(match) block in on vlan108: 192.0.2.150.6930 > 198.51.100.158.6800: R 18671363:18671363(0) ack 3527351279 win 4224 [tos 0x60]

Here are the rules concerned:
@11 block drop log all
@39 pass log quick inet from 192.0.2.150 to 198.51.100.158 flags S/SA
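
Why the three RST packets land on rule 11 rather than rule 39 can be checked mechanically from the log itself. What follows is an added example, not code from the thread or from OpenBSD: a small Python parser for the tcpdump/pflog lines quoted above, plus an emulation of the pf.conf(5) "flags a/b" test. It assumes the line layout shown in the post (IPv4, "rule N/(match)", tcpdump's flag letters with the ACK bit printed later as "ack N") and treats any non-TCP line as UDP, which holds for this capture. With the default "flags S/SA" a pass rule only matches a TCP packet that has SYN set and ACK clear, i.e. the first packet of a handshake; everything after that is meant to be matched by the state the rule created. A RST+ACK for which pf holds no state matches neither the state table nor rule 39 and falls through to "block drop log all".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The seven pflog lines quoted in the post above, rejoined onto one line each.
PFLOG_SAMPLE = """\
Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108: 192.0.2.150.49156 > 198.51.100.158.20001: udp 47
Sep 05 18:07:45.084220 rule 39/(match) pass out on em2: 192.0.2.150.49156 > 198.51.100.158.20001: udp 47
Sep 05 18:08:01.136633 rule 39/(match) pass in on vlan108: 192.0.2.150.49157 > 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
Sep 05 18:08:01.136661 rule 39/(match) pass out on em2: 192.0.2.150.49157 > 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
Sep 05 18:08:25.607885 rule 11/(match) block in on vlan108: 192.0.2.150.6998 > 198.51.100.158.6801: R 16764161:16764161(0) ack 209207857 win 4224 [tos 0x60]
Sep 05 18:08:27.919688 rule 11/(match) block in on vlan108: 192.0.2.150.6978 > 198.51.100.158.6802: R 17473283:17473283(0) ack 3296254713 win 4224 [tos 0x60]
Sep 05 18:08:32.594889 rule 11/(match) block in on vlan108: 192.0.2.150.6930 > 198.51.100.158.6800: R 18671363:18671363(0) ack 3527351279 win 4224 [tos 0x60]
"""

# "rule N/(match) pass|block in|out on IFACE: SRC.SPORT > DST.DPORT: ..." as
# printed by tcpdump on pflog0 (assumption: IPv4 only, as in the capture above).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>\S+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
# A TCP segment prints its flag letters (or "." when none of S/F/R/P are set)
# followed by seq:seq(len); the ACK bit shows up later as "ack N".
TCP_RE = re.compile(r"^(?P<flags>[SFRPUEWC.]+) \d+:\d+\(\d+\)")


@dataclass(frozen=True)
class PfLogEntry:
    rule: int
    action: str       # "pass" or "block"
    direction: str    # "in" or "out"
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "tcp", "udp" or "other"
    flags: str        # TCP flags in pf.conf letters ("RA" = RST+ACK); "" if not TCP


def parse_line(line: str) -> Optional[PfLogEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    t = TCP_RE.match(rest)
    if t:
        proto = "tcp"
        flags = t["flags"].replace(".", "")
        if re.search(r"\back \d+", rest):
            flags += "A"
    elif rest.startswith("udp ") or "69" in (m["sport"], m["dport"]):
        proto, flags = "udp", ""   # plain UDP, or TFTP (port 69) decoded as "RRQ ..."
    else:
        proto, flags = "other", ""
    return PfLogEntry(int(m["rule"]), m["action"], m["dir"], m["iface"],
                      m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                      proto, flags)


def parse_log(text: str) -> List[PfLogEntry]:
    entries = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in entries if e is not None]


def flags_match(pkt_flags: str, spec: str = "S/SA") -> bool:
    """pf.conf(5) "flags a/b": of the flags listed in b, exactly those in a must be
    set; flags outside b are ignored. "any" matches every TCP packet."""
    if spec == "any":
        return True
    want, mask = spec.split("/")
    return all((f in pkt_flags) == (f in want) for f in mask)


def blocked_tcp_summary(text: str, pass_spec: str = "S/SA") -> List[Tuple[str, str, str, bool]]:
    """For every blocked TCP packet: (src:port, dst:port, flags, and whether the
    pass rule's flag spec could have matched it at all)."""
    out = []
    for e in parse_log(text):
        if e.action == "block" and e.proto == "tcp":
            out.append((f"{e.src}:{e.sport}", f"{e.dst}:{e.dport}", e.flags,
                        flags_match(e.flags, pass_spec)))
    return out


if __name__ == "__main__":
    for src, dst, flags, ok in blocked_tcp_summary(PFLOG_SAMPLE):
        print(f"{src} > {dst} flags={flags} matches 'flags S/SA': {ok}")
```

Run as-is, each blocked line comes out as flags=RA with "matches 'flags S/SA': False", so the block is exactly what the rule set says should happen to a stateless RST. Whether those RSTs are what breaks the phone is a separate question the log alone does not answer; `pfctl -ss` filtered on 192.0.2.150, and a capture with a test rule using `flags any`, would be the next things to look at.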



Re: OpenBGPD as route server - correct filter syntax ?

2018-08-30 Thread Bob Smith


Thanks for your reply.

>
> If you are configuring a route server, you don't want "route-collector yes".
> Or if you want a route collector, it won't advertise any route so your
> concerns are null.


Interesting point. My understanding was that a route server did not make any 
best-path decisions and merely relayed what it was told? That was my thinking 
behind "route-collector yes".

> This is not needed. Code says (rde_update.c L292) :
>
> if (peer == prefp)
> /* Do not send routes back to sender */
> return (0);
>

That's good news !




OpenBGPD as route server - correct filter syntax ?

2018-08-30 Thread Bob Smith
Hi,

I'm trying to figure out the most suitable config params to transform OpenBGPD 
into a route server.

So far I have:
route-collector yes
transparent-as yes

But my concern is more in the area of suitable filters to prevent loops.

I'm thinking I need something along the lines of:

allow to any peer-as != neighbor-as

But any variation of the above that I try always ends up with a "bgpd -n -f" 
throwing a syntax error.

Ideas most welcome !

Thanks

Bob
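
The loop concern raised in this thread, worked through as an added example that is not from the thread or from OpenBGPD: a small Python model of the relay step of a route server. It applies the two guards that matter for loops, never echoing a route to the client that announced it (the check quoted from rde_update.c in the reply above does exactly this) and not offering a client a route whose AS_PATH already contains that client's AS, which the client would discard anyway under the AS-path loop detection of RFC 4271. The transparent-as switch decides whether the server's own AS is prepended. Best-path selection is deliberately left out, and the peer ASNs, prefixes and paths are a constructed scenario; the bgpd.conf filter grammar is not modelled here, so check bgpd.conf(5) for the actual syntax.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]   # leftmost AS is the one that last advertised it
    sender_as: int             # the route-server client that announced it to us


def updates_for_peers(routes: List[Route], peer_ases: List[int], server_as: int,
                      transparent_as: bool = True) -> Dict[int, List[Route]]:
    """Compute what a route server offers each client.

    Per route and client:
      1. never echo a route back to the client it came from (the
         `if (peer == prefp) return (0);` check quoted in the thread);
      2. skip a route whose AS_PATH already contains the client's AS, since the
         client would drop it as a loop anyway (RFC 4271 section 9.1.2).
    With transparent_as the path is relayed unchanged; otherwise the server
    prepends its own AS like an ordinary eBGP hop. No best-path selection:
    every received route that survives the guards is offered.
    """
    out: Dict[int, List[Route]] = {p: [] for p in peer_ases}
    for r in routes:
        if server_as in r.as_path:
            continue  # our own AS is already in the path: drop, would loop
        path = r.as_path if transparent_as else (server_as,) + r.as_path
        for peer in peer_ases:
            if peer == r.sender_as:
                continue  # guard 1: do not send routes back to sender
            if peer in path:
                continue  # guard 2: client's AS already in the path
            out[peer].append(Route(r.prefix, path, r.sender_as))
    return out


# Constructed scenario (assumption, not from the thread): three clients of a
# route server in AS 65000.
PEERS = [65001, 65002, 65003]
RECEIVED = [
    Route("192.0.2.0/24", (65001,), sender_as=65001),
    # 65002 learned this from 65003 elsewhere and re-announces it to the server
    Route("198.51.100.0/24", (65002, 65003), sender_as=65002),
]

if __name__ == "__main__":
    for peer, rs in updates_for_peers(RECEIVED, PEERS, 65000).items():
        print(peer, [(r.prefix, r.as_path) for r in rs])
```

In the constructed scenario AS 65003 never sees 198.51.100.0/24 from the server, because its own AS is already in that path, and AS 65001 never gets its own 192.0.2.0/24 back.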



browser security

2005-12-14 Thread Bob Smith
vmware recently released a program which kind of
chroot jails the browser.
http://www.vmware.com/vmtn/vm/browserapp.html

I'm not a programmer myself, but I was wondering
if perhaps using a similar technique we could lock
down the browsers in openbsd?

Seems to me that would increase security greatly
for us who surf the web on openbsd boxes? Or
am I mistaken?



Re: browser security

2005-12-14 Thread Bob Smith
Thanks for the explanation.

So it would be less work to try to chroot a browser than to make a
virtual machine? Perhaps it's even a better way of isolating?

I googled around a bit and found some threads about people trying to
chroot their browsers, but I couldn't find any successful story. Is it
practically doable?

Looking at other troublesome programs; they come chrooted by default on
openbsd. Is there any effort being made by others than vmware to
isolate browsers?

Seems to me like it would be a step in the right direction?

On 12/14/05, J. C. Roberts wrote:
> On Wed, 14 Dec 2005 05:41:30 -0800, Bob Smith wrote:
>
> > vmware recently released a program which kind of
> > chroot jails the browser.
> > http://www.vmware.com/vmtn/vm/browserapp.html
> >
> > I'm not a programmer myself, but I was wondering
> > if perhaps using a similar technique we could lock
> > down the browsers in openbsd?
> >
> > Seems to me that would increase security greatly
> > for us who surf the web on openbsd boxes? Or
> > am I mistaken?
>
> You need to understand the tech being used a bit better. There's a big
> difference between a chroot/jail and a virtual machine. They both try to
> isolate an application from interacting with the rest of the system but
> the way the two go about it is vastly different.
>
> Obviously, isolation is a good thing but you need to understand that
> writing a complete virtual machine in C that works on all supported
> OpenBSD architectures is a *MASSIVE* amount of work.
>
> Even VMware supports only one architecture for their player (x86-32)
> and only two possible host operating systems on that architecture (linux
> and ms-windows).
>
> You may also want to realize that no attempted isolation is perfect.
> There are ways for attackers to break out of jails/chroots and similar
> is true for virtual machines. By using such methods you've only added a
> _layer_ of security which only stops _some_ (possibly many) attackers.
> It's not completely bullet proof (nothing is) but it does help.
>
> Kind Regards,
> JCR



Re: browser security - restricted user

2005-12-14 Thread Bob Smith
> Just a thought: sudo -u $some_restricted_user $your_preferred_browser ?

Good that you brought this up; I've been wondering about this too.

Does it help? If so, how come there isn't a default non-privileged user
created for, say, firefox when the pkg is installed? Like there is for
bitlbee (_bitlbee) or tcpdump (_tcpdump)?