© 2003 Avik Sengupta. All Rights Reserved.

Secure Firewalls using OpenBSD

Avik Sengupta, CTO
Itellix Software Solutions Pvt Ltd


Agenda

A gentle introduction to OpenBSD
Packet Filter features
Network architecture for a PF installation
Packet Filter example and syntax
Advanced features


OpenBSD

Derived from 4.4 BSD
Proactive security
  Extensive source code audits
  Integrated cryptography
  Minimalist default install
“Only one remote hole in the default install in 7 years!”
Highly portable (i386, sparc, ppc, hppa, etc.)
Free, under a BSD licence


Packet Filter (pf) Basics

Introduced in 2001 in OpenBSD 3.0
Filters TCP/IP traffic and performs Network Address Translation
Intercepts each IP packet, passing or blocking it
Stateless inspection, based on fields in each packet
Stateful inspection, keeping track of connections
Packet normalisation


pf Rules

Evaluated from top to bottom
Rules contain parameters that match a packet
Rules pass or block a packet
Last matching rule wins (except 'quick', which stops evaluation at that rule)
Rules can create state
  A state entry represents an established connection
  Keyed on the 4-tuple: source {ip, port} and destination {ip, port}
  Further packets matching an existing state are passed without rule evaluation


Example Network Topology


Let's make a firewall - I

# Interfaces: Red = external (Internet), Green = internal LAN, Amber = DMZ
Red="fxp0"
Green="rl1"
Amber="rl2"

# Source/destination addresses that must never be seen on the external interface
NoRouteIPs="{127.0.0.0/8, 192.168.0.0/16}"
ExtIP="206.7.8.1"
PrivateIPs="192.168.2.0/24"
DMZIPs="192.168.1.0/24"

# Normalise (reassemble fragments, sanity-check) every incoming packet before filtering
scrub in all


Let's make a firewall - II

# Translation rules (pfctl requires these before the filter rules).
# The original slide wrote $InternalIPs here, which slide I never defines;
# it is taken to mean the two internal networks, the LAN and the DMZ.
nat on $Red from { $PrivateIPs, $DMZIPs } to any -> $ExtIP

# Publish the DMZ web server (192.168.1.2, inside $DMZIPs) on the external address,
# and apply the same redirect to LAN clients that use the public address
rdr on $Red proto tcp from any to $ExtIP port 80 -> 192.168.1.2 port 80
rdr on $Green proto tcp from any to $ExtIP port 80 -> 192.168.1.2 port 80

# Anti-spoofing: drop unroutable addresses immediately ('quick' ends evaluation)
block drop in quick on $Red from $NoRouteIPs to any
block drop out quick on $Red from any to $NoRouteIPs

# Default deny inbound on the external interface, then allow web traffic.
# Packets have already been rewritten by rdr, so port 80 now points at the DMZ host.
# 'port' and 'flags' only apply to TCP, so pfctl needs 'proto tcp' on the pass rule.
block in on $Red all
pass in on $Red proto tcp from any to any port 80 flags S/SA keep state


Let's make a firewall - III

# Internal LAN interface: default deny in both directions
block in on $Green all
block out on $Green all

# LAN clients may open sessions to ports 80, 21, 22, 25 and 10000 anywhere;
# 'modulate state' also rewrites the initial sequence numbers for weak TCP stacks
pass in on $Green proto tcp from $PrivateIPs to any port {80,21,22,25,10000} flags S/SA modulate state

# DMZ hosts may reach the LDAP server on the LAN
pass out on $Green proto tcp from $DMZIPs to 192.168.2.10 port 389 keep state

# ICMP, tracked as state so only matching replies get back
pass out on $Green inet proto icmp from $PrivateIPs to any keep state


Let's make a firewall - IV

# DMZ interface: default deny in both directions
block in on $Amber all
block out on $Amber all

# Web traffic into the DMZ (it arrives here after the rdr on $Red or $Green)
pass out on $Amber proto tcp from any to $DMZIPs port 80 flags S/SA keep state

# DMZ hosts towards the LAN. On its own this rule is broad, but a packet must also
# pass the 'out on $Green' rules, which restrict it to LDAP on 192.168.2.10
pass in on $Amber from $DMZIPs to $PrivateIPs keep state

# Administration of DMZ hosts from the LAN over ssh and port 10000
pass out on $Amber inet proto tcp from $PrivateIPs to $DMZIPs port {ssh,10000} keep state
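As an added illustration (not code from the slides), the following Python models the rule semantics described on the "pf Rules" slide, using the inbound rules of the $Red interface from slide II with the macros expanded; it is a constructed model, not pf itself, and the external client address 203.0.113.5 is made up.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the "pf Rules" slide semantics (not pf code): top-to-bottom
# evaluation, last matching rule wins unless it is 'quick', and a passing
# 'keep state' rule records the 4-tuple so later packets skip the ruleset.
Packet = namedtuple("Packet", "src sport dst dport")

@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    src_nets: tuple = ("0.0.0.0/0",)     # source networks, e.g. $NoRouteIPs
    dport: int = 0                       # 0 = any destination port
    quick: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        src_ok = any(ip_address(p.src) in ip_network(n) for n in self.src_nets)
        return src_ok and self.dport in (0, p.dport)

class Filter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()              # keys: (src ip, src port, dst ip, dst port)

    def evaluate(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.states or (p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass (state)"        # either direction of a known flow, no rule lookup
        winner = None
        for rule in self.rules:
            if rule.matches(p):
                winner = rule
                if rule.quick:
                    break                # 'quick': stop evaluating, this rule wins
        if winner is None:
            return "pass (default)"      # nothing matched: pf passes by default
        if winner.action == "pass" and winner.keep_state:
            self.states.add(key)
        return winner.action

# Inbound rules of the external ($Red) interface from slide II, macros expanded.
RED_IN = [
    Rule("block", ("127.0.0.0/8", "192.168.0.0/16"), quick=True),  # $NoRouteIPs, quick
    Rule("block"),                                                  # block in on $Red all
    Rule("pass", dport=80, keep_state=True),                        # web traffic, keep state
]

def demo():
    fw = Filter(RED_IN)
    spoofed = fw.evaluate(Packet("192.168.9.9", 40000, "206.7.8.1", 80))  # quick block wins
    syn = fw.evaluate(Packet("203.0.113.5", 40000, "206.7.8.1", 80))      # last match passes
    ssh = fw.evaluate(Packet("203.0.113.5", 40001, "206.7.8.1", 22))      # last match blocks
    reply = fw.evaluate(Packet("206.7.8.1", 80, "203.0.113.5", 40000))    # state entry, no rules
    return spoofed, syn, ssh, reply
```

The spoofed packet is dropped even though the later port-80 pass rule would also match it, which is exactly what 'quick' buys on the anti-spoofing rules.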


Managing the firewall

pf is a kernel module
Userspace control via ioctl() on /dev/pf
pfctl – userspace control/config utility
  display loaded rules
  reload rulesets
  statistics
  manipulate lists
  manipulate the state table


Advanced PF features

Queues and prioritisation
Routing (e.g. using multiple uplinks)
Anchors and tables for dynamic ruleset changes
Integration with application-level proxies
All features work with IPv6
Logging (pcap/tcpdump compatible)


Thank You!

Resources
man pf; man pf.conf; man pfctl
http://www.benzedrine.cx/pf.html
http://www.openbsd.org/faq/pf/index.html
“Building Firewalls with OpenBSD and PF” by Jacek Artymiak (July 2003)
This presentation:

http://www.sengupta.net/talks/