
Build your own gateway firewall

Step 5: Configuring your software
Here is a VERY brief overview of the configuration process.

» Install and configure OpenSSH for remote terminal access. Key-based (public-key) authentication is definitely recommended, but not a requirement.
» Confirm SSH connectivity from another machine on the LAN using OpenSSH (*nix) or PuTTY (Windows)
» Install and configure the ported version of OpenBSD's PF packet-filtering, stateful firewall. You can take a look at pf.conf for an example of what your PF configuration file might look like. Also, two great sources for information pertaining to PF are the PF User Guide and Peter Hansteen's Firewalling with OpenBSD's PF packet filter. Thanks for the resource Peter!
» Install and configure any other software that you would like. I recommend the Squid caching-proxy (installing as a reverse-proxy is nice too), Snort IDS (Intrusion Detection System), ClamAV (antivirus) with vectoring through your firewall, Bruteforceblocker (SSH bruteforce blocker), and Snarf (web interface for Snort logs).

Craig McLean was kind enough to let me integrate a how-to article on the same topic into this one. We've agreed to post some of his article here. Please realize that he, like me, wrote this article from memory. If you find any errors in it, please let us know. What follows is taken directly from his howto.

Things to decide
You will need to decide what you want your internal network to look like when this is over, and which machines should have access to what. This is not as complex as it sounds but it benefits us to work it out in advance. In this guide I will use the following:
» 172.16.0.0/16 (172.16.0.1 to 172.16.255.254) will be the internal network.
» 172.16.3.200 will be the firewall's internal IP address.
» 172.16.4.0/24 (172.16.4.1 to 172.16.4.254) will be assigned to a DHCP range.

Things to know
» You will need to know what your internal- and external-facing interfaces and IP addresses are.
» You will also need to know the IP address(es) of the DNS servers provided by your ISP.
» The FreeBSD device name for your internal/external interfaces. These are named like so: the name of the driver used for the device followed by a number. This number is typically 0 (zero), but if you have multiple devices using the same driver, each device will have a unique number starting at zero and counting up. For example, two Realtek based NICs will appear as rl0 and rl1. lo0 is your loopback device (IP 127.0.0.1). If you've configured pflog to monitor your firewall, you'll see pflog0 here also. (John)

In this guide, I'll use the following:
» "xl0" will be my internal interface.
» 172.16.3.200 will be my internal IP address. Internal hosts will have to route packets through this.
» "dc0" will be my external interface.
» 82.30.189.185 will be my internet-facing IP address, used for machines in the outside world to connect to me.

You may not know your external IP yet, but once the install is complete you should use:
# ifconfig -a
to find it out.

If the IP assigned by your ISP is dynamic, you may need to set up DHCP on your external interface. Use dhclient for this. Also, while using DHCP on your internal network is more user-friendly, static IP addressing works just fine too. It can also make security audits more straightforward. (John)

Setting up the System
There is a really important file on your new FreeBSD machine. It's called /etc/rc.conf. In here you will put information on a variety of things. The hostname of the system, IP addresses, the services you want to be started when the system boots, and much more. You should take the time to have a look at it before we move on, and while you are there - make a backup copy!
Add a User
If you didn't do this during install, you should add a non-root user which you can use on a day-to-day basis. This can be done with the command:
# adduser
Make sure the user is in the group "wheel". This is a special group which contains all users who can become "root". If you find 'su' rejecting you, it's probably because you are not a member of the "wheel" group.

The pw command can also be used to add/modify/delete users and groups. (John)

Set up OpenSSH
OpenSSH (Open Secure SHell) should be your weapon of choice when connecting to your new FreeBSD host. It's secure, included by default with the OS, and there are any number of clients you can use to connect to it. Linux machines will have ssh by default; Windows users can get hold of PuTTY (www.chiark.greenend.org.uk/~sgtatham/putty/).

OpenSSH can be enabled on FreeBSD by editing /etc/rc.conf and making sure you have the following:
sshd_enable="YES"
in there.
Your machine will be on the internet, and people will try to get in. One of the ways they will do this is by guessing usernames and passwords, since sshd accepts password authentication by default. If you don't absolutely need ssh from the internet, make sure you only listen for connections on the internal interface. Do this by editing the ssh daemon configuration file, which lives at /etc/ssh/sshd_config, and making sure you have
ListenAddress 172.16.3.200
in there, replacing 172.16.3.200 with the internal IP address we decided on earlier.

Now you can run
# /etc/rc.d/sshd start
to start the service.

If you decide that you need ssh access from the outside world, you should disable password-based access (PasswordAuthentication no in sshd_config) and instead use public-key authentication (PubkeyAuthentication yes). Google will tell you how!
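The two sshd_config settings above are easy to get wrong in practice, because sshd takes the first value it sees for most keywords (so a hardened line appended at the bottom of the file changes nothing) while ListenAddress is cumulative (so a leftover "ListenAddress 0.0.0.0" keeps the WAN side open). The script below is an added example, not Craig's or John's code: it rewrites a sshd_config in place to listen only on the LAN address chosen above and to refuse password logins, and then reports the value sshd will actually use for each keyword. The LAN address is the article's; "AllowGroups wheel" is my own addition and assumes every admin is already in wheel, as the article requires for su.

```shell
#!/bin/sh
# Added example (not from the original how-to): harden an sshd_config so
# sshd listens only on the LAN address and refuses password logins.
# Design notes:
#   - for most keywords the FIRST occurrence wins, so the hardened block is
#     put at the top and later copies of those keywords are removed;
#   - ListenAddress is cumulative, so any other ListenAddress line is removed
#     too, otherwise a stray "ListenAddress 0.0.0.0" would reopen the WAN side;
#   - ChallengeResponseAuthentication no stops keyboard-interactive password
#     prompts (relevant with UsePAM yes on FreeBSD).
LAN_IP="${LAN_IP:-172.16.3.200}"          # the article's internal address
SSH_KEYS='ListenAddress|PermitRootLogin|PasswordAuthentication|ChallengeResponseAuthentication|PubkeyAuthentication|AllowGroups'

ssh_hardened_block() {
    cat <<EOF
# gateway hardening: keep at the top, the first value of a keyword wins
ListenAddress $LAN_IP
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups wheel
EOF
}

# ssh_harden <sshd_config>: rewrite in place, keeping <file>.orig as a backup.
ssh_harden() {
    cp "$1" "$1.orig"
    {
        ssh_hardened_block
        # keep every original line except uncommented copies of the keys we set
        grep -Ev "^[[:space:]]*($SSH_KEYS)[[:space:]]" "$1.orig" || true
    } > "$1"
}

# ssh_effective <sshd_config> <keyword>: the value sshd will use for a keyword
# outside Match blocks (first uncommented occurrence; keywords are matched
# case-insensitively, as sshd does).
ssh_effective() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Constructed sample config (not a real host's file) with risky leftovers.
ssh_demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
PasswordAuthentication yes
EOF
    ssh_harden "$f"
    printf '%s %s %s\n' "$(ssh_effective "$f" ListenAddress)" \
        "$(ssh_effective "$f" PasswordAuthentication)" \
        "$(ssh_effective "$f" PermitRootLogin)"
    rm -f "$f" "$f.orig"
}

ssh_demo
```

Run it against /etc/ssh/sshd_config as root, then check the result with sshd -t before restarting sshd, and keep your current session open until a second login with a key succeeds.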

Setting up Firewall and NAT
Primarily, we want this system to be protected from bad guys on the internet by using firewalling, and share out our internet connection to other equipment on our network using NAT (Network Address Translation).

The Firewall
While Craig covers using IP Filter here, I will append a tutorial for using PF when I get the chance. For now, you can refer to the PF Guide (openbsd.org/faq/pf/) and the sample configuration file that I've attached (pf.conf). (John)

First, let me point you at another great URL, it's the renowned "ipf HOWTO": www.obfuscation.org/ipf/. Keep it to hand as we go through these steps.
In a minute, "in" and "out" are going to have very specific meaning, but let's not worry about that yet. Logically, we want to do the following:
» Allow internal IP traffic to the firewall machine.
» Redirect (where necessary) internal IP traffic to the internet.
» Redirect replies to internal traffic back to individual systems.
» Allow machines on the internet access to certain ports/services on the firewall.
» (maybe) Redirect access from machines on the internet to other machines on the local network.
» Block everything else.
First we need to enable ipfilter. That needs the following in /etc/rc.conf
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.conf"
ipfilter_flags=""

This should be pretty self-explanatory, and the first thing to note is the location of the rules file, /etc/ipf.conf. This is where all our rules will live.
From here onwards, "in" and "out" need to be used very carefully, as they refer to "in" and "out" of a specific interface. Keep this in mind as we go on.
We decided earlier what logic we wanted, and can now translate that into rules:
# First, deny everything unless specified.
block in on xl0 # Our internal interface
block out on xl0
block in on dc0 # Our external interface
block out on dc0

# Allow our internal network to come into the internal interface
pass in on xl0 from 172.16.0.0/16 to any

# Allow our internal interface to talk to the internal network
pass out on xl0 from 172.16.3.200 to any

# Allow tcp or udp from our external interface outwards to anywhere, keeping
# a "state table" of connections and assembling fragmented packets
pass out on dc0 proto tcp/udp from any to any keep state keep frags

# Allow "ping" and its friends out from the external interface. "keep state"
# lets the replies back in past the "block in on dc0" above.
pass out on dc0 proto icmp from any to any keep state

## Services
#
# We're going to be running a web server, so we need port 80
pass in on dc0 proto tcp from any to any port = 80 flags S keep frags keep state
pass in on dc0 proto tcp from any to any port = 443 flags S keep frags keep state

# Likewise sendmail, eventually. Leave it commented for now, though.
# pass in on dc0 proto tcp from any to any port = smtp flags S keep frags keep state
# pass in on dc0 proto tcp from any to any port = smtps flags S keep frags keep state

Those are the basics. You can start the firewall, using these rules, by issuing:
# /etc/rc.d/ipf start
If you change the rules, and want to reload the firewall tables, you can use:
# ipf -Fa -f /etc/ipf.conf
which translates as "Flush all, read new rules from file /etc/ipf.conf". If you want to clear out your firewall rules just use:
# ipf -Fa
To view all rules for inbound packets:
# ipfstat -i
and outbound:
# ipfstat -o

The 'ipf' functionality in FreeBSD is huge. This has only just scratched the surface of what is possible, or desirable. There's more info in the manpages, and at the link at the beginning of this section. I strongly suggest you take a look at both.

Warning: Think very hard before changing firewall rules if you are connected over TCP/IP. You may find it hard to recover if you get it wrong, and suddenly find yourself disconnected :-)
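Before reloading a changed rule set with ipf -Fa -f, especially over ssh as the warning says, it is worth a mechanical check that the external interface still has its default block rules and that nothing is passed inbound without state or without a port. The following script is an added example, not Craig's or John's code, and not an IPFilter tool: it is a small lint written for the rule shapes used above, with the interface name dc0 taken from the article. It ignores the quick and log keywords when parsing, exempts icmp rules from the port check, and the sample rule sets inside it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original how-to): lint an ipf.conf before it is
# loaded. For the external interface it checks that
#   - a default "block in" and "block out" exist,
#   - every "pass in" keeps state and is limited to a port (icmp exempt),
#   - every tcp "pass in" uses "flags S", so only new connections match.

# ipf_lint <rules file> <external interface>
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
ipf_lint() {
    awk -v ext="$2" '
    {
        sub(/#.*/, "")                                   # drop comments
        while (gsub(/ (quick|log) /, " ") > 0) { }      # ignore modifiers
    }
    NF == 0 { next }
    $1 == "block" && $2 == "in"  && $3 == "on" && $4 == ext { bin = 1 }
    $1 == "block" && $2 == "out" && $3 == "on" && $4 == ext { bout = 1 }
    $1 == "pass" && $2 == "in" && $3 == "on" && $4 == ext {
        if ($0 !~ /keep state/) {
            print NR ": inbound pass on " ext " without keep state:" $0; bad++
        }
        if ($0 !~ / port / && $0 !~ /proto icmp/) {
            print NR ": inbound pass on " ext " not limited to a port:" $0; bad++
        }
        if ($0 ~ /proto tcp / && $0 !~ /flags S/) {
            print NR ": inbound tcp pass on " ext " without flags S:" $0; bad++
        }
    }
    END {
        if (!bin)  { print "missing default rule: block in on " ext; bad++ }
        if (!bout) { print "missing default rule: block out on " ext; bad++ }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Demo on two constructed rule sets: one shaped like the article, one sloppy.
ipf_lint_demo() {
    good=$(mktemp); bad=$(mktemp)
    cat > "$good" <<'EOF'
block in on dc0
block out on dc0
pass out on dc0 proto tcp/udp from any to any keep state keep frags
pass in on dc0 proto tcp from any to any port = 80 flags S keep frags keep state
EOF
    cat > "$bad" <<'EOF'
block in on xl0
pass in on dc0 proto tcp from any to any port = 22 flags S keep state
pass in on dc0 proto tcp from any to any port = 80
pass in on dc0 proto udp from any to any keep state
EOF
    ipf_lint "$good" dc0 && echo "good rule set: clean"
    ipf_lint "$bad" dc0 || echo "bad rule set: rejected"
    rm -f "$good" "$bad"
}

ipf_lint_demo
```

Wire it in as "ipf_lint /etc/ipf.conf dc0 && ipf -Fa -f /etc/ipf.conf" so a rule file that fails the check is never loaded.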

The NAT
Next we want to set up Network Address Translation for other devices on our internal network. NAT allows many internal clients to share one internet address.
To do this, we need to add some more lines to /etc/rc.conf:
gateway_enable="YES"
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"
ipnat_flags=""
Pretty much like the firewall stuff, but this time the rules are in /etc/ipnat.rules.
NAT is really easy to set up. We want to allow anything on 172.16.0.0/16 to use the internet, so our rule is:
map dc0 172.16.0.0/16 -> dc0/32 proxy port ftp ftp/tcp
map dc0 172.16.0.0/16 -> dc0/32 portmap tcp/udp auto
The second line maps internet access outbound on dc0 to appear from "dc0/32", which is shorthand for "the IP address currently associated with the interface dc0".
The first line proxies outbound ftp access. It has to come before the general map rule, because ipnat uses the first matching rule: put it after the portmap line and the ftp proxy never sees the connection. The proxy is what lets active-mode ftp work through NAT (the server opens the data connection back towards the client, which plain address mapping cannot pass); without it you would have to use passive ftp all the time.

To get ipnat up and running, do:
# /etc/rc.d/routing start
# /etc/rc.d/ipnat start

At this point, any client on the 172.16.0.0 network that has a netmask of 255.255.0.0 (so that 172.16.3.200 is on its local subnet) and 172.16.3.200 as its default router should be able to access the internet, with its packets being "mapped" by the NAT setup on the firewall machine.

DHCP Server Setup
The final step in the initial setup of your system will be to provide your clients with DHCP information. This allows centralised management should things change, and automatically assigns IP addresses (and more importantly, gateway information) to clients. We're going to allocate from 172.16.4.1 to 172.16.4.100 for clients...
To do this, we will use ISC's DHCPD from the ports collection.

# cd /usr/ports/net/isc-dhcp3-server
# make

From the menu, select whichever options you want (I'd recommend at least PARANOIA and JAIL)
# make install
# cd /usr/local/etc
# mv dhcpd.conf.sample dhcpd.conf

Then edit the dhcpd.conf file, so it looks like this:
ddns-update-style none;
log-facility local7;
shared-network Dynamic-4-subnet {
    option routers 172.16.3.200;
    option domain-name-servers nnn.nnn.nnn.nnn;
    subnet 172.16.0.0 netmask 255.255.0.0 {
        range 172.16.4.1 172.16.4.100;
    }
}

You will need to substitute nnn.nnn.nnn.nnn with your ISP's domain name servers.
Then ensure /etc/rc.conf contains:
dhcpd_enable="YES"
The port's rc script also reads dhcpd_ifaces; setting dhcpd_ifaces="xl0" keeps the server from answering DHCP requests that arrive on the external interface.
and start the dhcp server using
# /usr/local/etc/rc.d/isc-dhcpd.sh start
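The dhcpd.conf above hands out a /16 and a pool inside one /24 of it, with the firewall's static address a few hundred addresses below the pool. Those three numbers are easy to get out of step when a network is renumbered, so the script below, an added example and not Craig's or John's code, checks the pool against the subnet and the router address and only then emits a dhcpd.conf in the shape shown above. The addresses are the article's; the DNS server 192.0.2.53 is a placeholder from the documentation range, and "authoritative;" is my addition (assumes this is the only DHCP server on the LAN).

```shell
#!/bin/sh
# Added example (not from the original how-to): validate the DHCP pool, then
# print a dhcpd.conf for it.

# ip2int <dotted quad>: the address as an unsigned 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# dhcp_range_check <subnet> <netmask> <pool start> <pool end> <router>
# Returns 0 when the pool lies inside the subnet, leaves out the network and
# broadcast addresses and does not contain the router; otherwise prints the
# first problem found and returns 1.
dhcp_range_check() {
    net=$(ip2int "$1");  mask=$(ip2int "$2")
    lo=$(ip2int "$3");   hi=$(ip2int "$4");   gw=$(ip2int "$5")
    bcast=$(( net | (4294967295 - mask) ))          # ~mask within 32 bits
    if [ $(( lo & mask )) -ne $(( net & mask )) ] || [ $(( hi & mask )) -ne $(( net & mask )) ]; then
        echo "pool $3-$4 is not inside $1/$2"; return 1
    fi
    if [ "$lo" -gt "$hi" ]; then
        echo "pool start $3 is after pool end $4"; return 1
    fi
    if [ "$lo" -le "$net" ] || [ "$hi" -ge "$bcast" ]; then
        echo "pool includes the network or broadcast address"; return 1
    fi
    if [ "$gw" -ge "$lo" ] && [ "$gw" -le "$hi" ]; then
        echo "router $5 is inside the pool; a client could be handed the gateway's address"; return 1
    fi
    return 0
}

# dhcpd_conf <subnet> <netmask> <pool start> <pool end> <router> <dns>
# Prints a dhcpd.conf like the article's; refuses if the pool fails the check.
dhcpd_conf() {
    dhcp_range_check "$1" "$2" "$3" "$4" "$5" >&2 || return 1
    cat <<EOF
ddns-update-style none;
log-facility local7;
authoritative;
shared-network Dynamic-4-subnet {
    option routers $5;
    option domain-name-servers $6;
    subnet $1 netmask $2 {
        range $3 $4;
    }
}
EOF
}

# The article's numbers; 192.0.2.53 stands in for the ISP's DNS server.
dhcpd_conf 172.16.0.0 255.255.0.0 172.16.4.1 172.16.4.100 172.16.3.200 192.0.2.53
```

Redirect the output to /usr/local/etc/dhcpd.conf once it passes, and remember that dhcpd itself will refuse to start if the range lies outside the declared subnet, so running the check first saves a failed service start.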

Thanks Craig, I appreciate the help. While my home network is a little different than Craig's, the same still applies. Here is how mine is set up:
» Cisco uBR900 cable modem provides connectivity to the internet.
» The modem is connected to my firewall. The WAN IP on the firewall is assigned by DHCP from the modem.
» The LAN network is 192.168.0.0/16 and static (no DHCP)
» My firewall connects to a 24-port switch. This is connected to a 108Mbps 802.11g D-Link WAP and an 8-port gigabit switch. The WAP has a static IP, but provides wireless access through DHCP.
» My firewall provides no internal protection. All internal traffic moves unprohibited by the firewall. This includes outbound traffic also. While this may not be the most secure, it is definitely easier to manage. I don't have to add firewall rules every time I want to access a new service.

Your setup may be different also. It's all personal preference.
1 comment

FKINGLAG (Apr 14, 2011, 3:53 PM) says:
Awesome, you broke the site's web format with this page.

Author: Johntron (Johntron Speaks)
Software developer, Placethings co-founder, and technologist. Currently attending graduate school in the Emerging Media and Communications program at the University of Texas at Dallas.