#!/bin/blog

June 26, 2012

A transparent firewall using OpenBSD

Filed under: UNIX/Linux/BSD — martin @ 1:46 pm

I wanted to enforce a different security policy for a given part of the home network, but without the introduction of separate subnets and static routes all over the place. So I started to experiment with a transparent firewall, on OpenBSD.

To accomplish this, what is needed first, is a bridge interface. A bridge interface is comprised of multiple (frequently 2) ethernet interfaces and transparently forwards traffic between the two interfaces. Very much like a 2-port ethernet switch would, or like a wireless bridge does.

If you have worked with bridges on Linux, configuration on OpenBSD works confusingly differently from what you already know.

First, we have the configuration file /etc/hostname.bridge0, that specifies the interfaces that will be bridged:

# /etc/hostname.bridge0:
add vr0
add vr1
blocknonip vr1
up

If you are not concerned about non-IP traffic compromising the security of your bridging firewall, you may omit the option blocknonip here. The interface vr1 connects to the “restricted” part of the network here and for this example, I don’t want non-IP protocols such as NetBIOS to slip through.

Next, one of the two underlying interfaces is configured as if the bridge didn’t even exist. This will be the IP address of the bridge, here in /etc/hostname.vr0:

# /etc/hostname.vr0:
inet 192.168.1.3 255.255.255.0
# same 2001:db8:1:2::/64 prefix as used in the pf rules below
inet6 2001:db8:1:2::3 64

And the additional interface for the bridge is only brought “up” in /etc/hostname.vr1:

# /etc/hostname.vr1:
up

After a reboot, the bridge will be forwarding packets, without the need to enable IP forwarding and without enabling the firewall.

Now I can start adding firewall rules in /etc/pf.conf:

# /etc/pf.conf:

# The interface on the open network
PUBLIC_IF=vr0

# The interface on the restricted network
RESTRICT_IF=vr1

# I don't believe in dropping packets
set block-policy return

# Leave the loopback interface unfiltered
set skip on lo

# Pass out what's already inside the firewall
pass out on $PUBLIC_IF all
pass out on $RESTRICT_IF all

# Pass in everything coming from the open network
pass in on $PUBLIC_IF

# Reject everything coming from the restricted network. pf applies the
# last matching rule, so this broad block comes first and the narrower
# rules below override it.
block in on $RESTRICT_IF

# Restricted network may talk to the world
pass in on $RESTRICT_IF inet
pass in on $RESTRICT_IF inet6

# But not to the open network
block in on $RESTRICT_IF from any to 192.168.1.0/24
block in on $RESTRICT_IF from any to 2001:db8:1:2::/64

# Allow access to the site's DNS server
pass in on $RESTRICT_IF proto {tcp,udp} from any to 192.168.1.11 port 53

# Allow access to this single SSH service
pass in on $RESTRICT_IF proto tcp from any to 192.168.1.11 port 22
pass in on $RESTRICT_IF proto tcp from any to 2001:db8:1:2::b port 22

# Pass ICMP in all directions
pass proto {icmp, icmp6}

And that’s about it. What I have here is really just a rough example of what can be done. Bridging over 3 or more interfaces is possible, if you enjoy the complexity.

With basic firewalling out of the way, it is also possible to filter by MAC address. For this, we need to tag some traffic, e.g. a “trusted client”, directly on the bridge:

ifconfig bridge0 rule pass in on vr1 src 00:1c:c6:8b:ae:3b tag TRUSTEDCLIENT

(Append this, excluding the leading “ifconfig bridge0”, to /etc/hostname.bridge0 to make it permanent.)

In /etc/pf.conf, we can then filter by tag:

# Allow all traffic from trusted MAC addresses
pass in on $RESTRICT_IF tagged TRUSTEDCLIENT

Or, more specifically (pf does not accept "all" together with a port, so the hosts are spelled out):

pass in on $RESTRICT_IF proto tcp from any to any port 22 tagged TRUSTEDCLIENT

Combining MAC filters with other filter criteria is of course possible. Please make up your own mind about whether and how you want to use this.
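To make the last-matching-rule semantics of the pf.conf above and the bridge tag rule concrete, here is a small Python model added to this post (it is not part of the original article and not OpenBSD's pf) that evaluates constructed sample packets against exactly the rules shown, including the TRUSTEDCLIENT tag assigned by the bridge:

```python
import ipaddress

# Constructed model of the inbound rule set from this post (IPv4 and IPv6). Each entry
# is (action, interface, proto, destination network, destination port, required tag);
# None means "any". Illustrative code only, not OpenBSD's pf implementation.
PF_RULES = [
    ("pass",  "vr0", None,    None,                  None, None),  # pass in on $PUBLIC_IF
    ("block", "vr1", None,    None,                  None, None),  # block in on $RESTRICT_IF
    ("pass",  "vr1", None,    "0.0.0.0/0",           None, None),  # pass in on $RESTRICT_IF inet
    ("pass",  "vr1", None,    "::/0",                None, None),  # pass in on $RESTRICT_IF inet6
    ("block", "vr1", None,    "192.168.1.0/24",      None, None),  # but not to the open network
    ("block", "vr1", None,    "2001:db8:1:2::/64",   None, None),
    ("pass",  "vr1", "tcp",   "192.168.1.11/32",     53,   None),  # the site's DNS server
    ("pass",  "vr1", "udp",   "192.168.1.11/32",     53,   None),
    ("pass",  "vr1", "tcp",   "192.168.1.11/32",     22,   None),  # the single SSH service
    ("pass",  "vr1", "tcp",   "2001:db8:1:2::b/128", 22,   None),
    ("pass",  "vr1", None,    None,                  None, "TRUSTEDCLIENT"),  # tagged rule
    ("pass",  None,  "icmp",  None,                  None, None),  # pass proto {icmp, icmp6}
    ("pass",  None,  "icmp6", None,                  None, None),
]

# The bridge-level rule from the post: frames from this source MAC on vr1 get tagged.
BRIDGE_TAGS = {("vr1", "00:1c:c6:8b:ae:3b"): "TRUSTEDCLIENT"}

def rule_matches(rule, pkt):
    _, iface, proto, net, port, tag = rule
    if iface is not None and iface != pkt["iface"]:
        return False
    if proto is not None and proto != pkt.get("proto"):
        return False
    # 'in' is False when the address families differ, which is what inet/inet6 need
    if net is not None and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(net):
        return False
    if port is not None and port != pkt.get("dport"):
        return False
    return tag is None or tag == pkt.get("tag")

def decide(pkt):
    """Verdict for one inbound packet. pf evaluates top to bottom and the LAST
    matching rule wins: the broad 'block in on $RESTRICT_IF' must precede the
    narrow 'pass' exceptions, and the trailing ICMP rule overrides the block
    toward 192.168.1.0/24 for pings coming from the restricted side."""
    pkt = dict(pkt, tag=BRIDGE_TAGS.get((pkt["iface"], pkt.get("src_mac"))))
    verdict = "pass"                       # pf's default when no rule matches
    for rule in PF_RULES:
        if rule_matches(rule, pkt):
            verdict = rule[0]
    return verdict
```

Running decide() on a restricted-side packet to 192.168.1.50:80 returns "block", while the same packet from the tagged MAC, or an ICMP packet to the same host, returns "pass"; that ICMP behaviour follows from the position of the last rule and is worth checking with pfctl on the real box.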

A final word on performance: With both interfaces working in promiscuous mode, stress on the firewall’s CPU can be expected to be rather high. This 100 Mbps bridge with a 500 MHz AMD Geode CPU will reach a CPU load of 70% while moving no more than 85 Mbps on a single TCP connection.


January 7, 2012

Security wankery reloaded

Filed under: Security, UNIX/Linux/BSD — martin @ 11:13 am

The WordPress referrers have washed up an old post of mine about OpenBSD security, in which Linus Torvalds, in his inimitable manner, is quoted as considering the OpenBSD developers to be security wankers. Unfortunately, in the meantime I have to agree with him.

Personally, OpenBSD left me behind two years ago, during the transition from 4.6 to 4.7, with a far-reaching change to the firewall configuration in which rewrite and filter rules were merged. In theory a simplification. In practice, unfortunately, with the catch that there was no migration path for converting rules one at a time, because with the introduction of the new rule types the old rules were no longer available. The only option was to convert the organically grown rule set in one go, flying blind.

The OpenBSD community shrugged its shoulders and pointed to my test system, on which I could after all test the rules. Which did not make the blind flight at deployment time any less blind. A pity. Since then, for installations that are supposed to survive one or two updates without headaches, I have given up on OpenBSD and prefer to reach for Debian Linux.

October 31, 2008

Bring on the goodies!

Filed under: UNIX & Linux — martin @ 8:49 pm

Ubuntu 8.10 – At last. 😉
OpenBSD 4.4 – Early. 🙂

OpenBSD 4.4 finally has support for my Huawei E220 UMTS/G3 modem (a.k.a. “T-Mobile Web & Walk Box Micro”) in the default installation. Granted, that’s at least one year late. Nevertheless, I have already used the E220 with an OpenBSD snapshot release, several months ago. The really good thing is that the OpenBSD implementation of the Huawei E220 serial interface runs circles around the shady E220 hack that is still required to get the thing up and running on Linux. 🙂

September 28, 2008

Fat installers, thin installers

Filed under: UNIX & Linux — martin @ 6:36 am

Since I received my batch of Microdrives, I no longer depend on fiddling with specially optimized flash images to run the ALIX; instead, when needed, I can simply unpack a new Microdrive and start installing onto it via PXE.

Having used OpenBSD all this time, I am now giving Debian a try. And I have to say: the Debian installer, which some people already consider spartan, is, seen through a serial port at 9600 bps, a truly horrific pile of bloatware compared with OpenBSD (here is the video again, as a reminder). Who the hell needs a damn resource-wasting menu system? 😀

July 17, 2008

Off to the crisis zone

Filed under: UNIX & Linux — martin @ 1:01 pm

# $OpenBSD: hostapd.conf,v 1.11 2007/02/27 20:53:45 david Exp $
# sample hostapd configuration file
# see hostapd.conf(5)

# "wavelan is a battle field"
[...]

Hairy wankers

Filed under: UNIX & Linux — martin @ 5:41 am

Linus Torvalds on OpenBSD:

“Security people are often the black-and-white kind of people that I can’t stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.”

Well. Everyone has a bad day now and then.