[TriLUG] Drop and insert transparent firewall (OpenBSD)

Aaron Joyner aaron at joyner.ws
Sun May 2 21:02:07 EDT 2004


I realize this is, after all, a Linux User's Group, but when it comes 
right down to it, I must readily admit that OpenBSD has better 
firewalling capabilities with the pf firewall, than either Linux or 
FreeBSD.

The amount of things that are possible with pf, including but not 
limited to:
- scrubbing packets (changing the packet's random identifiers to be 
_more_ random to help protect hosts behind the firewall with bad random 
number generators)
- complete on-the-fly reassembly of tcp connections (so no fragments 
pass through the filter that could bypass the rules)
- simple and *incredibly* powerful class-based queueing
- the ability to stack class based queues within priority based 
queues, as deep as your requirements require
- rulesets that allow you to actually filter on interface by name, as 
opposed to changing that interface to an IP when the rule is imported 
(as iptables does with simple rules)
- the list goes on and on

The ability to boot entirely to a serial console as well as push the 
BIOS out is just icing on the cake (Linux is capable of doing this as 
well, it's only not as well documented because it's a less common 
setup).  I have to say, the box that Jason and I set up for transparent 
firewalling is very much an "ideal" firewall in my mind.  It's next to 
impossible that it would be the first machine on your network to be 
compromised, and it's the gatekeeper to protecting the rest of the 
machines.

About the only thing we could have added that we didn't have, would be 
some form of Intrusion Detection or Prevention software.  I'm not sure 
how we would handle convenient alerting of intrusions, as it can't 
readily send mail.  I wonder how difficult it would be to originate a 
spoofed smtp connection from that machine sourced from a machine inside 
the network destined for a machine outside the network.  Another option 
would of course be a simple dial-up modem and only page under extreme 
circumstances.  Perhaps another serial connection to a machine running 
a daemon on that port, that would allow you to connect and send mail.  
Okay, that's about the extent of my ideas and ramblings.  Just a few 
thoughts.  :)

Aaron S. Joyner


On May 2, 2004, at 12:37 AM, Jason Tower wrote:

> the other neat thing about this setup is that it can be *very*
> minimalistic.  the box that jon referenced is using a 1gb disk with 70%
> free space, 32mb ram w/ 20mb free and 6 running processes.
>
> management is also different from most linux setups.  since it has no IP
> addresses on either interface, you can't ssh to it.  instead, you ssh
> to another host and run minicom which communicates with the firewall
> via a serial port.  this particular hardware has the ability to direct
> the bios display to a serial port, so you can actually see the bootup
> info and even change bios options remotely.  pretty slick :-)
>
> props to aaron joyner who helped with the setup and configuration of
> this particular device.
>
> jason
>
> On Saturday 01 May 2004 19:35, Jon Carnes wrote:
>> Jason Tower showed me a neat trick the other day - using OpenBSD to
>> insert a Firewall/packet filter transparently into an existing
>> network.
>>
>> The firewall uses no ip addresses and sits between the router and the
>> company's external switch.  The external switch has various boxen
>> attached - each of which uses an external IP address. All the
>> external IP addresses are in use, so the firewall/packet filter had
>> to be inserted without using any additional IPs.
>>
>> This does the trick rather nicely:
>> http://www.openbsd.org/faq/faq6.html#Bridge
>>
>> Enjoy!
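An added example, not part of this thread or of the OpenBSD FAQ it links: a pf.conf for the IP-less bridge the thread describes, showing the features Aaron lists (scrub with random-id and TCP reassembly, class-based queueing with a priority class, rules keyed on interface name). The interface names xl0/xl1, the server addresses, the 10Mb link rate and the 3.x-era syntax (scrub as a rule, ALTQ queues) are assumptions; check it with `pfctl -nf /etc/pf.conf` before loading it.

```pf
# Constructed pf.conf for the transparent (IP-less) bridge described above.
# Assumed: xl0 faces the router, xl1 faces the switch holding the public
# hosts, bridge0 is defined in /etc/bridgename.bridge0 ("add xl0 add xl1 up"),
# and neither member interface carries an address.  OpenBSD 3.x-era syntax.
ext_if  = "xl0"                           # router side
int_if  = "xl1"                           # switch side
servers = "{ 192.0.2.10, 192.0.2.11 }"    # constructed addresses of the hosts

# Scrub: re-randomize IP ids for hosts with weak generators, and reassemble
# fragments and TCP streams so no fragment slips past the rules below.
scrub in all random-id fragment reassemble reassemble tcp

# Class-based queueing toward the router; the class with `priority` is
# served first by the scheduler (10Mb is an assumed link rate).
altq on $ext_if cbq bandwidth 10Mb queue { q_std, q_ssh }
queue q_std bandwidth 80% cbq(default borrow)
queue q_ssh bandwidth 20% priority 7

# Filter on the router-side interface only; let the switch side through.
block log all
pass quick on $int_if all

# Allow only the services the hosts publish; replies to ssh sessions
# leave via the high-priority queue.
pass in on $ext_if proto tcp from any to $servers port 22 \
    flags S/SA keep state queue q_ssh
pass in on $ext_if proto tcp from any to $servers port { 25, 80, 443 } \
    flags S/SA keep state
pass in on $ext_if inet proto icmp from any to $servers icmp-type echoreq \
    keep state

# Connections the hosts themselves open toward the router side.
pass out on $ext_if proto { tcp, udp } from $servers to any keep state
pass out on $ext_if inet proto icmp from $servers to any keep state
```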