Re: PF firewall for desktop
Lots of miscommunications in these threads. The original poster here was talking about setting up a virtual firewall machine to deal with traffic on a single box. Most of the war stories are from sysadmins protecting a corporate LAN (or larger) with lawyers and accountants weighing in. Of course you need to consider the collective OpenBSD wisdom and up your game accordingly when protecting a multimillion dollar facility.

I could really go for a methanol, about now!

On Tue, May 28, 2019 at 6:58 AM Kevin Chadwick wrote:

> On 5/24/19 8:30 PM, Jean-Francois Simon wrote:
> > Hi,
> >
> > Out of interest, I'd like to let you know a specific use of OpenBSD with PF, in virtualbox, 2 virtual network cards bridged to physical NIC, and building up a subnet with NAT and hence running Packet Filter as the machine's firewall.
> >
> > That's the firewall I use under Win7, OpenBSD running in a VM, out of pure interest into running BSD and let it purify the network access to desktop (without need for additional hardware).
> >
> > Works well, love it.
>
> I have done something similar in the past. My personal preference is Hyper-V on Windows 10 Pro, which seven can be upgraded to. I would hope Hyper-V has inherited kernel sandboxing/mitigation protections and hardening from the Windows kernel/Azure.
>
> I assign the physical NIC to the OpenBSD VM and remove all check boxes like IPv4/IPv6 support from that NIC. Then I had a VNAT device for Windows to talk to. Glasswire on top gives a window into the "why is it connecting there" or obfuscating CDNs' https certs without the other free Windows firewall cruft.
>
> I assume communications to the Windows box could be made from a foreign network via ARP manipulation, but a nice setup nonetheless, if you can be bothered with it.
Re: PF firewall for desktop
On 5/24/19 8:30 PM, Jean-Francois Simon wrote:
> Hi,
>
> Out of interest, I'd like to let you know a specific use of OpenBSD with PF, in virtualbox, 2 virtual network cards bridged to physical NIC, and building up a subnet with NAT and hence running Packet Filter as the machine's firewall.
>
> That's the firewall I use under Win7, OpenBSD running in a VM, out of pure interest into running BSD and let it purify the network access to desktop (without need for additional hardware).
>
> Works well, love it.

I have done something similar in the past. My personal preference is Hyper-V on Windows 10 Pro, which seven can be upgraded to. I would hope Hyper-V has inherited kernel sandboxing/mitigation protections and hardening from the Windows kernel/Azure.

I assign the physical NIC to the OpenBSD VM and remove all check boxes like IPv4/IPv6 support from that NIC. Then I had a VNAT device for Windows to talk to. Glasswire on top gives a window into the "why is it connecting there" or obfuscating CDNs' https certs without the other free Windows firewall cruft.

I assume communications to the Windows box could be made from a foreign network via ARP manipulation, but a nice setup nonetheless, if you can be bothered with it.
Re: PF firewall for desktop
On 28/05/2019 11:12, Janne Johansson wrote:
> On Sun 26 May 2019 at 10:03, Walt wrote:
>
>> I like having a firewall that would pretty much require someone physically entering the computer room in order to attack the firewall. With OpenBSD, your firewall can control your network traffic without having an IP address at all.
>>
>> One thing that you could try is to use the OpenBSD VM as the firewall, but don't assign any IP address to the firewall. The Win7 VM would have the actual IP address, but the OpenBSD VM would control the network.
>>
>> I am curious if there is any way to attack the firewall if it has no IP addresses.
>>
> If you build it like the emails before listed, you still have the attack surface of the whole OS that runs VirtualBox, then the whole codebase of VirtualBox on top of that before you reach your obsd IP-less un-maintainable VM to "protect you" from evil packets.

In advance, it's been mentioned many times on this list that a bridge-only (IP-less) firewall is not a recommended setup.

Start with this: https://marc.info/?l=openbsd-misc=124056858519840=2

I'm sure you will find valuable info there, like the post from Henning@ (pf dev):

"yes. lots of idiots do it. bridging is stupid. don't. there are cases where you can't avoid it, but deliberately? about as clever as knowingly drinking methanol."

First of all, it's harder to detect problems and configuration errors. There might be performance issues as well, since you're utilizing the bridge interface (not sure if it's still the case).

IP/routing adds another layer of protection. The packets must pass the network layer 3 of the firewall. Layer 2 attacks are not easy to protect from, or even to detect sometimes.

Not having an IP on the firewall is no better than having an IP firewall with no open services, or no open services on the external interface.

G
Re: PF firewall for desktop
On Sun 26 May 2019 at 10:03, Walt wrote:
> I like having a firewall that would pretty much require someone physically entering the computer room in order to attack the firewall. With OpenBSD, your firewall can control your network traffic without having an IP address at all.
>
> One thing that you could try is to use the OpenBSD VM as the firewall, but don't assign any IP address to the firewall. The Win7 VM would have the actual IP address, but the OpenBSD VM would control the network.
>
> I am curious if there is any way to attack the firewall if it has no IP addresses.
>

If you build it like the emails before listed, you still have the attack surface of the whole OS that runs VirtualBox, then the whole codebase of VirtualBox on top of that before you reach your obsd IP-less un-maintainable VM to "protect you" from evil packets.

--
May the most significant bit of your life be positive.
Re: PF firewall for desktop
IP is a fairly high-order construct. Beneath it, the data link and physical layers remain almost unnoticed.

One thought that came to mind would be to attack a machine on the same LAN, and then exploit an Ethernet vulnerability to listen to "the wire". Not sure how many (if any) Ethernet vulnerabilities there are, but that would be one possible vector. Also, the NIC card itself might have physical-layer vulnerabilities, such as administrative backdoors.

That's all aimed at eavesdropping. Escalating that to an OS pwnership is beyond my imagination. But I imagine it's not beyond *somebody's* imagination. And that's the beauty of the hack. There's always someone in the rabble with a background in electronics or orchid-growing or intergalactic imaging that has an insight that nobody thought to defend.

Check... No, wait, Checkmate!

On Sun, May 26, 2019 at 4:04 AM Walt wrote:

> ‐‐‐ Original Message ‐‐‐
> On Friday, May 24, 2019 2:30 PM, Jean-Francois Simon <jfsimon1...@gmail.com> wrote:
>
> > Hi,
> >
> > Out of interest, I'd like to let you know a specific use of OpenBSD with PF, in virtualbox, 2 virtual network cards bridged to physical NIC, and building up a subnet with NAT and hence running Packet Filter as the machine's firewall.
> >
> > That's the firewall I use under Win7, OpenBSD running in a VM, out of pure interest into running BSD and let it purify the network access to desktop (without need for additional hardware).
> >
> > Works well, love it.
> >
> > Jean-François
>
> I like having a firewall that would pretty much require someone physically entering the computer room in order to attack the firewall. With OpenBSD, your firewall can control your network traffic without having an IP address at all.
>
> One thing that you could try is to use the OpenBSD VM as the firewall, but don't assign any IP address to the firewall. The Win7 VM would have the actual IP address, but the OpenBSD VM would control the network.
>
> If I ever get around to getting enough IPv4 addresses so that I don't need a NAT, I'll go back to isolating access to the firewall with this approach.
>
> I am curious if there is any way to attack the firewall if it has no IP addresses.
>
> W
Re: PF firewall for desktop
‐‐‐ Original Message ‐‐‐
On Friday, May 24, 2019 2:30 PM, Jean-Francois Simon wrote:

> Hi,
>
> Out of interest, I'd like to let you know a specific use of OpenBSD with PF, in virtualbox, 2 virtual network cards bridged to physical NIC, and building up a subnet with NAT and hence running Packet Filter as the machine's firewall.
>
> That's the firewall I use under Win7, OpenBSD running in a VM, out of pure interest into running BSD and let it purify the network access to desktop (without need for additional hardware).
>
> Works well, love it.
>
> Jean-François

I like having a firewall that would pretty much require someone physically entering the computer room in order to attack the firewall. With OpenBSD, your firewall can control your network traffic without having an IP address at all.

One thing that you could try is to use the OpenBSD VM as the firewall, but don't assign any IP address to the firewall. The Win7 VM would have the actual IP address, but the OpenBSD VM would control the network.

If I ever get around to getting enough IPv4 addresses so that I don't need a NAT, I'll go back to isolating access to the firewall with this approach.

I am curious if there is any way to attack the firewall if it has no IP addresses.

W
Re: PF firewall for desktop
I like your suggestion! I am security paranoid to a fault. For me, a system is either rock solid or wide open. obsd is the closest I've found to rock solid, and frankly a VirtualBox VM running on Win7 feels wide open.

But the more I thought about your idea, the more I liked it. Win7 w/o the virtual firewall is more simply at risk, so why not?

Seeing as I am still new to OpenBSD, I would probably have 2 VMs: bsd1 passes everything incoming to bsd2 (the firewall), then bsd1 quietly logs what goes out to check for nefarious-looking packets. That would take two separate boxes to even start building, without VMs. The VMs can fight and die and be replaced, and even a noob like myself can learn what works better and harder.

Can't wait to set something up.

-Jim

On Fri, May 24, 2019 at 3:38 PM Jean-Francois Simon wrote:
> Hi,
>
> Out of interest, I'd like to let you know a specific use of OpenBSD with PF, in virtualbox, 2 virtual network cards bridged to physical NIC, and building up a subnet with NAT and hence running Packet Filter as the machine's firewall.
>
> That's the firewall I use under Win7, OpenBSD running in a VM, out of pure interest into running BSD and let it purify the network access to desktop (without need for additional hardware).
>
> Works well, love it.
>
> Jean-François
PF firewall for desktop
Hi,

Out of interest, I'd like to let you know a specific use of OpenBSD with PF, in virtualbox, 2 virtual network cards bridged to physical NIC, and building up a subnet with NAT and hence running Packet Filter as the machine's firewall.

That's the firewall I use under Win7, OpenBSD running in a VM, out of pure interest into running BSD and let it purify the network access to desktop (without need for additional hardware).

Works well, love it.

Jean-François
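A PF ruleset for the setup Jean-François describes (an OpenBSD VM with two NICs doing NAT for the desktop's private subnet) that also follows G's advice further up the thread: a routed firewall with an IP address but no services reachable on the external interface. This is an added example, not the original poster's configuration; the interface names em0/em1, the 10.0.0.0/24 subnet and the 10.0.0.1 gateway address are assumptions.

```pf
# /etc/pf.conf for the two-NIC OpenBSD VM (added example, assumed names).
# em0: NIC bridged to the physical network, gets its address from the LAN.
# em1: NIC facing the Win7 guest's private subnet, carries 10.0.0.1.
# net.inet.ip.forwarding=1 must be set in /etc/sysctl.conf for routing.
ext_if = "em0"
int_if = "em1"
desktop_net = "10.0.0.0/24"
fw_int_addr = "10.0.0.1"

set skip on lo

# Reassemble fragments and normalise packets before any filtering.
match in all scrub (no-df)

# Hide the desktop subnet behind whatever address em0 currently holds.
# Filter rules below see the packet after translation.
match out on $ext_if inet from $desktop_net to any nat-to ($ext_if)

# Default deny, logged to pflog0 (review with: tcpdump -n -e -ttt -i pflog0).
block log all

# Drop packets arriving on em0 that claim a source inside the private subnet.
antispoof quick for $int_if

# Nothing is offered on the external interface: only replies to states
# created by outbound traffic are allowed back in, and only the firewall's
# own (post-NAT) address may appear as a source on the way out.
block in log quick on $ext_if
pass out on $ext_if inet proto { tcp udp icmp } from ($ext_if) to any

# The desktop may go out through the firewall; the state created here also
# covers the reply packets coming back across em0 and out of em1.
pass in on $int_if inet from $desktop_net to any

# The desktop may talk to the firewall itself only for DNS, NTP and SSH
# management; replies come back under the same state.
pass in on $int_if inet proto { tcp udp } from $desktop_net to $fw_int_addr port { domain ntp ssh }
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -ss` then shows that the only states involving em0 were opened from the inside.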