*nix Thread, openbsd gateway in Technical
  1. #1 duxbuz

    openbsd gateway

    Hello,

    anyone have any experience with OpenBSD and pf?

    Thanks

  2. #2

    FreeBSD and PF, nothing too complicated in my setups. What's the issue?

  3. #3 duxbuz
    I couldn't get my router to route. I had a subnet with a router, then a second subnet with a gateway to the Internet on it.

    I was told to add the gateway of the inside subnet to the Internet router, and this seemed to work.

    My next question would be to find a simple pf ruleset that allows only incoming SSH traffic from certain IP ranges and, obviously, lets all outgoing traffic generated from the internal network get back in.

    Thanks

  4. #4 Chillibear
    If I only wanted to allow SSH in from some IPs, something (not actually tested) like this is what I'd do:

    Code:
    # the Internet facing interface
    interface="em0"
    
    # define a table to store bad IP addresses in (filled by the overload rule below,
    # cleaned up by the cron job further down)
    table <bruteforce> persist
    
    # define a table with our good IPs in (the ranges allowed to SSH in)
    table <whitelist> { 192.0.2.0/24 } persist
    
    # scrub all incoming packets to clean them up (FreeBSD/older PF syntax)
    scrub in all
    
    # block all incoming traffic on the Internet interface; the pass rules below are the exceptions
    block in on $interface
    
    # block any traffic from IPs in the bruteforce table, before any pass rule can match it
    block quick from <bruteforce>
    
    # allow SSH in only from IP addresses in the whitelist table, and limit the number and
    # rate of connections per source to prevent brute forcing: a source that holds more than
    # 10 connections or opens more than 2 per second is put into the bruteforce table and
    # all of its existing states are flushed
    pass in on $interface proto tcp from <whitelist> to $interface port ssh keep state (max-src-conn 10, max-src-conn-rate 2/1, overload <bruteforce> flush global)
    
    # allow all outbound traffic; the state entry lets the replies back in
    pass out on $interface proto { tcp, udp } all keep state
    Obviously adjust for your interface and the actual whitelisted IP ranges. You could update the whitelist table either using pfctl or load it from a file; the PF docs have plenty of examples. I added the brute-forcing here since I find that if I leave SSH on the standard port on my Internet servers all I get is endless brute-forcing attacks, so it's become a standard part of my deployments.

    To clean up the IPs in the bruteforce table I'd put something like this in my system crontab:
    Code:
    # Cleanup brute force attackers from PF tables, anything older than 24hrs
    0	*	*	*	*	root	pfctl -t bruteforce -T expire 86400 >/dev/null 2>&1
    Remember, if you're playing with the firewall, make sure you have physical access to the server, since it's easy enough to lock yourself out, and that's just annoying if the machine is on the other side of the country! Be careful!

    In general the PF docs are good with plenty of examples, otherwise the No Starch book on PF is a nice book.
    Last edited by Chillibear; 4th June 2010 at 11:01 PM. Reason: added note about bruteforcing

  5. Thanks to Chillibear from:

    matt40k (9th February 2012)

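A complete ruleset for the two-subnet gateway duxbuz describes in #3, written in current OpenBSD pf.conf syntax (OpenBSD 4.7 and later, where scrubbing and NAT are options on `match` rules rather than separate `scrub`/`nat` rules, which is why it looks different from the FreeBSD-style example in #4). This is an added example, not code from the thread or from the OpenBSD project; the interface names em0/em1, the LAN range 192.168.1.0/24, the admin range 192.0.2.0/24 and the file /etc/pf.admins are assumptions to adjust for your own network.

```pf
# /etc/pf.conf for a small OpenBSD gateway (added example; adjust the assumed names below)
ext_if  = "em0"              # assumed: Internet-facing interface
int_if  = "em1"              # assumed: LAN-facing interface
int_net = "192.168.1.0/24"   # assumed: the inside subnet behind the gateway

# <admins> is loaded from a file (one address or CIDR per line, e.g. 192.0.2.0/24),
# so it can be edited without touching the ruleset; <bruteforce> is filled at run
# time by the overload option below and emptied by the cron job at the bottom.
table <admins>     persist file "/etc/pf.admins"
table <bruteforce> persist

set skip on lo
set block-policy drop
match in all scrub (no-df)

# NAT the LAN out through the external address; the parentheses make pf follow the
# address if it changes (DHCP/PPPoE) without reloading the ruleset.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Default deny on the Internet side; every rule after this is an exception.
block in on $ext_if
# Anything in <bruteforce> is dropped first, on both interfaces, before a pass rule can match.
block quick from <bruteforce>

# LAN hosts may send anything through (or to) the gateway. The state entry created here,
# and by the pass out rule, is what lets the replies back in with no inbound rule.
pass in  on $int_if inet from $int_net
pass out on $ext_if inet

# SSH from the Internet only from <admins>. A source that holds more than 10 connections
# or opens more than 3 in 30 seconds is added to <bruteforce> and all its states are killed.
pass in on $ext_if inet proto tcp from <admins> to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, overload <bruteforce> flush global)

# Let the gateway itself be pinged from outside (drop this rule if you do not want that).
pass in on $ext_if inet proto icmp icmp-type echoreq

# Operating it (run as root):
#   pfctl -nf /etc/pf.conf                          parse only, no load: catch typos first
#   pfctl -f /etc/pf.conf                           load the ruleset
#   pfctl -t admins -T replace -f /etc/pf.admins    reload the admin ranges after editing the file
#   pfctl -t bruteforce -T show                     who has been locked out
#   pfctl -t bruteforce -T expire 86400             cron this hourly to forget entries older than 24h
```

Two things worth doing before loading this on a box you cannot walk to. First, run the `pfctl -nf` check, which parses without loading, so a typo does not leave you with a half-applied ruleset. Second, keep the last working file as /etc/pf.conf.good and arm a timed revert in another shell on the machine, such as `(sleep 180 && pfctl -f /etc/pf.conf.good) &`, before loading the new rules; if the new rules lock you out, the old ones come back on their own, and if they work you kill the background job. Also note that the admin rule is the only way in over SSH from $ext_if: if your own address is not in /etc/pf.admins, or you trip the 3-per-30-seconds limit while testing (each `ssh` attempt is a new connection), you end up in <bruteforce> and are dropped by the `block quick` rule until the cron job expires the entry or you remove it with `pfctl -t bruteforce -T delete <your address>`.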
  6. #5 soapyfish

    I am running OpenBSD and pf. Can you post the output of "ifconfig" and the version of OpenBSD you are running, please?
