Building Firewalls with OpenBSD and PF (PDF, 323 pages)
Building Firewalls with OpenBSD and PF
Coming soon from devGuide.net
The OpenBSD Gazetteer by Jacek Artymiak
Building Virtual Private Networks with FreeBSD, NetBSD, OpenBSD,
Linux, Apple Mac OS X, and Microsoft Windows by Jacek Artymiak
The FreeBSD Gazetteer by Jacek Artymiak
The NetBSD Gazetteer by Jacek Artymiak
Scripting Caligari trueSpace with Python by Jacek Artymiak
Scripting Adobe Photoshop with JavaScript by Jacek Artymiak
You will find more information under this address:
http://www.devguide.net
Building Firewalls with OpenBSD and PF
Jacek Artymiak
Second Edition
Lublin
Building Firewalls with OpenBSD and PF
by Jacek Artymiak
Published by:
devGuide.net Jacek Artymiak
email: [email protected]
www: http://www.devguide.net
Copyright © 2003 Jacek Artymiak
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher.
First edition 2003
Second edition 2003
Printed in Poland
03 10 9 8 7 6 5 4 3 2 1
ISBN: 83-916651-1-9
The author and the publisher disclaim any and all liability for the use of
information and programs contained in this book.
All trademarks mentioned in this book are the sole property of their owners.
Sowa - Print on demand
http://www.sowadruk.pl
phone: +48 (22) 431-81-40
To Gosia
Table of Contents
Preface ..... 1
0.1 Acknowledgments ..... 3
Chapter 1: Introduction ..... 5
1.1 Why Do We Need to Secure Our Networks ..... 5
1.2 Why Do We Need Firewalls ..... 7
1.3 Why Open Source Software ..... 7
1.4 Why OpenBSD and pf ..... 9
1.5 Cryptography and Law ..... 11
1.6 How This Book Is Organized ..... 12
1.7 Typographic Conventions Used in This Book ..... 14
1.8 Staying in Touch with the OpenBSD Community ..... 14
1.9 Getting in Touch with the Author ..... 15
Chapter 2: Firewall Designs ..... 17
2.1 Define Your Local Packet Filtering Policy ..... 17
2.2 What Is a ‘Firewall’? ..... 18
2.3 What Firewalls Are Not ..... 19
2.4 Hardware vs. Software Firewalls ..... 19
2.5 Firewalls Great and Small ..... 20
2.5.1 Screened Host ..... 20
2.5.2 Screened LAN or Screened LAN Segment ..... 22
2.5.3 Bastion Host ..... 24
2.5.4 Demilitarized Zone (DMZ) ..... 25
2.5.5 Large-Scale LANs ..... 27
2.6 Invisible Hosts and Firewalls ..... 27
2.6.1 Filtering Bridge ..... 28
2.6.2 Network Address Translation (NAT) ..... 30
2.7 Additional Functionality ..... 30
Chapter 3: Installing OpenBSD ..... 33
3.1 Software Requirements ..... 33
3.1.1 Buy Official OpenBSD CD-ROM Sets ..... 34
3.1.2 Additional Software Requirements ..... 35
3.2 Hardware Requirements ..... 36
3.2.1 Which Hardware Platform Should You Choose? ..... 36
3.2.2 Motherboard ..... 38
3.2.3 BIOS ..... 39
3.2.4 Processor ..... 39
3.2.5 Memory ..... 41
3.2.6 Disk Space ..... 42
3.2.7 Network Interfaces ..... 43
3.2.8 Communicating with Your Computer During Installation ..... 46
3.2.9 How Are You Going to Install OpenBSD? ..... 48
3.2.10 Tape Drives ..... 49
3.2.11 Debugging Hardware ..... 49
3.2.12 Other Requirements ..... 49
3.2.13 When in Trouble, Use the Manual ..... 50
3.3 Downloading OpenBSD ..... 50
3.4 Preparing Installation Media ..... 51
3.5 Installing OpenBSD ..... 52
3.6 Securing Your Firewall Hardware ..... 65
Chapter 4: Configuring OpenBSD ..... 67
4.1 User Management ..... 67
4.1.1 Adding Users ..... 67
4.1.2 Letting Users Do As Root Does (su) ..... 68
4.1.3 Changing the User Password ..... 69
4.1.4 Giving Users Limited Access to Root Privileges (sudo) ..... 69
4.1.5 Removing Users ..... 70
4.2 Hardening OpenBSD ..... 70
4.2.1 Disabling Non-Essential Services ..... 70
4.2.2 Patching ..... 71
4.2.3 When a Patch Is Not Enough ..... 76
4.3 Configuring Networking ..... 76
4.3.1 More Than One Address on a Single Interface (Aliases) ..... 78
4.3.2 Pf Configuration Options ..... 80
4.3.3 Bridge Configuration Options ..... 81
4.3.4 IP Forwarding ..... 84
4.3.5 Fixing FTP ..... 85
4.3.6 Taking Control of ARP ..... 89
4.4 Automated System Reboot ..... 95
4.5 Swap Encryption ..... 95
4.6 Working with Securelevels ..... 96
4.7 Setting Time and Date ..... 97
4.8 Configuring the Kernel to Solve Hardware Problems ..... 97
4.8.1 Make a Copy of the Old Kernel ..... 98
4.8.2 User Kernel Config (UKC) ..... 98
4.8.3 Brain Transplants for OpenBSD ..... 101
4.9 Adding and Compiling Software ..... 101
4.10 Configuring Disks ..... 102
4.10.1 RAID ..... 102
Chapter 5: /etc/pf.conf ..... 103
5.1 Inside pf.conf ..... 103
5.1.1 Changing the pf.conf Section Order ..... 105
5.1.2 Breaking Long Lines into Smaller Pieces ..... 105
5.1.3 Grouping Rule Elements into Lists ({}) ..... 105
5.2 Macros ..... 106
5.3 Tables (table) ..... 107
5.4 Anchors (anchor, nat-anchor, rdr-anchor, binat-anchor) ..... 109
5.5 Common Components Found in pf Rules ..... 110
5.5.1 Directions (in, out) ..... 110
5.5.2 Interfaces (on) ..... 110
5.5.3 Address Families (inet, inet6) ..... 111
5.5.4 Protocols (proto) ..... 111
5.5.5 Addresses (from, to, any, all) ..... 112
5.5.6 Dynamic Assignment of Addresses ..... 115
5.5.7 Ports (port) ..... 116
5.5.8 Ports (port) ..... 118
5.6 Tools for Writing and Editing pf.conf ..... 119
5.6.1 Why Not Edit pf.conf on Another Machine? ..... 119
5.6.2 Syntax Highlighting ..... 119
5.6.3 GUI Tools for Writing Rulesets with a Mouse ..... 120
5.6.4 Scripting pf.conf ..... 120
5.7 Managing pf.conf Versions with CVS ..... 120
Chapter 6: Packet Normalization ..... 125
6.1 Implementing Packet Normalization (scrub) ..... 125
6.1.1 Scrub Rule Syntax ..... 125
6.2 Fine-Tuning Scrub Rules ..... 127
6.2.1 Pf Options (limit frags, timeout frags) ..... 128
6.2.2 Scrub Rule Options ..... 128
6.3 Who’s Sending All Those Malformed Packets? ..... 131
Chapter 7: Packet Redirection ..... 133
7.1 Security Applications ..... 133
7.2 Expanding the IPv4 Address Space ..... 134
7.2.1 Does IPv6 Make NAT redundant? ..... 136
7.2.2 What Problems Does NAT Cause? ..... 136
7.3 NAT Rules ..... 137
7.3.1 Hiding Hosts Behind a Single Address with nat Rules ..... 138
7.3.2 Redirecting Packets to Other Addresses and Ports (rdr) ..... 145
7.3.3 Forcing Everyone to Use a Web Cache ..... 150
7.3.4 Other Uses of rdr Rules ..... 150
7.3.5 binat ..... 150
7.4 Proxy ARP ..... 153
Chapter 8: Packet Filtering ..... 155
8.1 The Anatomy of a Filtering Rule ..... 155
8.1.1 What Is pf Supposed to Do (block, pass)? ..... 156
8.1.2 Return to Sender (return-icmp, return-rst) ..... 157
8.1.3 Inbound or Outbound (in, out)? ..... 160
8.1.4 To Log or Not to Log (log, log-all)? ..... 160
8.1.5 Finishing Early (quick) ..... 161
8.1.6 Network Interface Names (on)? ..... 162
8.1.7 Routing Options (fastroute, reply-to, route-to, dup-to) ..... 162
8.1.8 IP Addressing Families: IPv4 (inet) or IPv6 (inet6)? ..... 164
8.1.9 Protocols (proto)? ..... 165
8.1.10 Source Address (from, any, all)? ..... 165
8.1.11 Source Port (port)? ..... 166
8.1.12 Sender’s Operating System (os)? ..... 168
8.1.13 Destination IP address (to, any, all) ..... 169
8.1.14 Destination Port (port) ..... 170
8.1.15 User and Group Access Control (user, group) ..... 170
8.1.16 TCP Flags (flags) ..... 171
8.1.17 ICMP Packets ..... 172
8.1.18 Stateful Filtering (keep state, modulate state, synproxy state) ..... 173
8.1.19 IP Options (allow-opts) ..... 179
8.1.20 Labels (label) ..... 180
8.2 Antispoof Rules ..... 180
8.3 Filtering Rules for Redirected Packets ..... 181
Chapter 9: Dynamic Rulesets ..... 185
9.1 Designing an Automated Firewall ..... 185
Chapter 10: Bandwidth Shaping and Load Balancing ..... 191
10.1 Load Balancing ..... 191
10.1.1 Implementing Load Balancing ..... 193
10.2 Bandwidth Shaping ..... 195
10.2.1 The Anatomy of a Scheduler Rule ..... 196
10.2.2 The Anatomy of a Queue Rule ..... 197
10.2.3 Assigning Queues to Packet Filtering Rules ..... 199
10.2.4 Priority Queuing (PRIQ) ..... 199
10.2.5 Class-Based Queuing (CBQ) ..... 206
10.2.6 Hierarchical Fair Service Curve (HFSC) ..... 213
10.2.7 Queuing Incoming Packets ..... 218
10.2.8 Which Scheduler is Best? ..... 218
Chapter 11: Logging and Log Analysis ..... 221
11.1 Enabling Packet Logging ..... 222
11.2 Log Analysis ..... 222
11.3 Which Packets Do You Want to Capture? ..... 224
11.4 The Secret Life of Logs ..... 226
11.5 Bandwidth and Disk Space Requirements ..... 229
11.6 Logging on a Bridge (Span Ports) ..... 232
Chapter 12: Using authpf ..... 233
12.1 Configuring authpf ..... 233
12.2 Configuring sshd ..... 234
12.3 Configuring Login Shell ..... 234
12.4 Writing pf Rules for authpf ..... 235
12.5 Authenticating User Joe ..... 235
Chapter 13: Using spamd ..... 239
13.1 Configuring spamd ..... 239
Chapter 14: Ruleset Optimization ..... 245
14.1 The pf Optimization Checklist ..... 245
14.2 Pf Optimization Options ..... 246
Chapter 15: Testing Your Firewall ..... 249
15.1 Pencil Test ..... 249
15.2 Checking Host Availability ..... 250
15.2.1 When Ping Cannot Help ..... 252
15.3 Discovering Open Ports on Remote Hosts ..... 253
15.4 Testing Network Performance ..... 253
15.5 Are packets passing through pf? ..... 256
15.6 Additional tools ..... 258
Chapter 16: Firewall Management ..... 259
16.1 General Operations ..... 259
16.2 Pfctl Output Control Options ..... 259
16.3 Managing Rulesets ..... 260
16.4 Managing Macros ..... 260
16.5 Managing Tables ..... 260
16.6 Managing pf Options ..... 262
16.7 Managing Queues ..... 262
16.8 Managing Packet Redirection Rules ..... 262
16.9 Managing Packet Filtering Rules ..... 263
16.10 Managing Anchors ..... 263
16.11 Managing States ..... 264
16.12 Managing Operating System Fingerprints ..... 265
16.13 Statistics ..... 265
16.14 Additional Tools for Managing pf ..... 266
Appendix A: Manual Pages ..... 267
A.1 Using the OpenBSD Manual ..... 267
A.1.1 Reading the OpenBSD Manual Pages on the Web ..... 268
A.2 Pages Related to pf ..... 268
A.3 Other Pages of Interest ..... 269
Appendix B: Rules for Popular (and Less Popular) Services ..... 271
B.1 Dealing with ICMP ..... 273
B.2 Fixing FTP ..... 276
B.3 Template Rules for Services Using TCP and UDP ..... 276
B.4 Adapting the Template for Other Services ..... 283
Appendix C: Rule Templates for Typical Firewall Configurations ..... 287
C.1 Bastion Host ..... 287
C.2 Bastion Host II (Some Access Allowed) ..... 288
C.3 Screened Host/LAN (Public IP Addresses) ..... 289
C.4 Screened LAN (Some Access Allowed) ..... 290
C.5 NAT + Screened LAN ..... 292
C.6 NAT + Screened LAN + DMZ ..... 293
C.7 Invisible Bridge ..... 295
Appendix D: Helping OpenBSD and PF ..... 297
D.1 Buy Official CD-ROMs, T-Shirts, and Posters ..... 297
D.2 Make Small, but Regular Donations ..... 298
D.3 Hire Developers of OpenBSD and Pf ..... 299
D.4 Donate Hardware ..... 300
D.5 Spare Some of Your Precious Time ..... 300
D.6 Spread the Word ..... 301
D.7 Attend Training Seminars ..... 301
D.8 Encourage People to Buy this Book ..... 301
Bibliography ..... 303
Index ..... 307
About this Book
Preface
Why I Wrote This Book
When I first started using OpenBSD sometime in 1999, it certainly wasn’t because I wanted to write a book about it. All I needed was a stable server for my home network, something I could configure and forget about. I tried all obvious suspects: FreeBSD, NetBSD, OpenBSD, and four or five different Linux distributions. My choice was OpenBSD, because it installed without problems, was easy to configure, and did not have the infuriating problems with NFS that plagued me on Linux at that time. FreeBSD and NetBSD lost their race at the installation stage, after they failed to recognize some pieces of the hardware I was using. It wasn’t a high-tech lab test, I just needed a stable server. OpenBSD behaved well, did not require much of my attention and was doing its job.
Then, sometime in 2000, I was asked to help secure a network, which was coming under an increasingly heavy barrage of attacks and was getting broken into approximately twice a month. The first thing we did was secure the hosts exposed to the outside world as much as the operating system allowed, but the rest of the job was going to be the responsibility of a firewall. I did some research and found out that many people recommended OpenBSD as the best solution for this job. Knowing it doesn’t cost a penny to install, I quickly put OpenBSD on four firewall hosts guarding points of contact with the outside world and watched them in action. Attacks didn’t stop, but none of them was successful. OpenBSD has earned its keep. And that’s how it’s been for the last three years.
Of course, OpenBSD is only one of many components of the security setup used at that site, but it is proving to be the most significant one. Over the last three years, that network has undergone significant changes in hardware and software, many security solutions were tried and discarded, yet OpenBSD is still running those four firewalls as well as some web servers, mail servers, DNS, DHCP, and NIDS.
One of my jobs is freelance technical writing, so it wasn’t long before I got an idea that it might be useful to help promote the tools I use and like. I quickly wrote an article about installing and configuring OpenBSD and Darren Reed’s ipfilter, the firewall that shipped with OpenBSD before May 2001. The article was published in February 2002 on the O’Reilly & Associates Network’s ONLamp.com and became the first in the series now known under the name of Securing Small Networks with OpenBSD, available at:
http://www.onlamp.com/pub/ct/58
The word ‘small’ used in the title of that series is a little misleading, because OpenBSD is capable of meeting the demands of all kinds of networks, large and small. It was used because I wanted to help administrators of small and underfunded networks secure their installations with OpenBSD. Some of that material made its way into this book.
When I wrote my first article for ONLamp.com in late 2001, I only wanted to write a tutorial that would help others protect their networks with OpenBSD and ipfilter. It was meant to be something to help people get ipfilter working in a relatively short time. There were no plans for additional articles. I foolishly assumed that it would be all that was needed. Unfortunately for me, by the time that first article was published, the OpenBSD project abandoned ipfilter for Daniel Hartmeier’s pf. I got a lot of mail telling me in more or less civilized ways that my article was a worthless bag of bits. So, I quickly wrote an update, which was promptly published on ONLamp.com.
After ONLamp.com published the second article, I received a lot of positive feedback, bug reports, and suggestions that I should write a book about OpenBSD. To tell the truth, I did not want to write a book on that subject, because I knew that the market was too small to be considered profitable by trade computer book publishers. But, as the number of requests for the book grew, I sat down and wrote a proposal, which I later submitted to a few good publishers. My proposal was turned down by everyone, which convinced me that a book on OpenBSD would not sell. Of course, the real reason could just as well be the weaknesses in my proposal. Either way, I was not interested in pursuing this further and put the whole thing on hold.
Then, in late 2002, I received an email message from a venerable academic publisher interested in publishing a book about OpenBSD. Unfortunately, we couldn’t agree on the terms of the contract. By the time our talks broke down, I had a sizeable part of the manuscript ready for editing. I could forget it and move to other projects, but I felt it was too good to be trashed. I decided to risk it and announced The OpenBSD Gazetteer. As I was working towards the end of the manuscript, I could see that it was becoming too long for a single book. I had to split it into two books. Building Firewalls with OpenBSD and PF is the first book, The OpenBSD Gazetteer is the second. That way I can make sure that both books are not overly expensive, that they are delivered on time, and that they can be quickly updated.
The first edition of Building Firewalls with OpenBSD and PF was so popular that I had to quickly start work on the second edition, which would cover the changes made to the OpenBSD operating system and pf between releases 3.3 and 3.4. I also wanted to respond to the requests and suggestions made by the readers of the first edition. I hope that this new edition lives up to your expectations.
0.1 Acknowledgments
This book wouldn’t exist if I had not met many great people who continue to support and encourage me along the way. First and foremost I wish to thank the OpenBSD user community for their support, and for challenging me with interesting questions, suggestions, and critique. Without them swamping me with requests to write a book about OpenBSD, this little tome would not be in your hands today. One of the most active members of the OpenBSD community supporting my efforts is Leonard Jacobs, who devoted a lot of his precious time to help me make this edition better than the first one. Thank you, Leonard!
Whenever I publish something on the Internet, I usually do it with the help of these great people: Chris Coleman (DaemonNews), chromatic (O’Reilly Networks), Tim O’Reilly (O’Reilly & Associates), Jose Nazario (OpenBSD Journal), and editors at various BSD news sites and forums. Thank you!
My special thanks must go to Theo de Raadt, Daniel Hartmeier, Artur Grabowski, Jason L. Wright, Miod Vallat, Dale Rahn, Nick Holland, Wim Vandeputte (kd85.com), Austin Hook (The Computer Shop of Calgary), and other OpenBSD developers, evangelists and supporters, without whose hard work we wouldn’t be able to enjoy OpenBSD, OpenSSH, and pf.
I also wish to thank doctors Joanna Markiewicz and Witalis Misiewicz who keep their watchful eyes on my health and make sure I don’t dump core before my time.
Last, but not least I want to thank my dear wife, Malgosia, who patiently puts up with my non-standard working hours, deadlines that move everything else aside, and the growing farm of computer hardware. Without her support and understanding I’d never have written this book.
Jacek Artymiak
Lublin, Poland
October 2003
Chapter 1: Introduction
What this book is about. What information you’ll find on its pages. How to keep in touch with the author of this book, the developer of pf, and the OpenBSD community.
This book explains how to build, configure, and manage IP packet firewalls using commodity hardware, the OpenBSD operating system, and Daniel Hartmeier’s pf packet filter. Its intended audience is network and security administration professionals and the users of the OpenBSD operating system. The material presented in this book requires basic knowledge of TCP/IP networking and Unix. Readers unfamiliar with either or both of these topics ought to consult [Stevens 1994], [Wright, Stevens 1994], [Stevens 1994a], and [Frisch 2002]. Links to online bookstores selling these and other titles mentioned in this book can be found at the following address:
http://www.devguide.net/books/openbsdfw-02-ed/
1.1 Why Do We Need to Secure Our Networks
The reasons for securing computers and networks against attacks are in many ways similar to the reasons for securing ourselves and our property in the real world. The likely suspects, the problems they cause, and the protection mechanisms we use to defend ourselves are often quite alike, it doesn’t matter that we are dealing with 1s and 0s. In an ideal world, there would be no need for fences, gates, or locks, because the good side of the human nature and the laws of our society would be enough to protect ourselves, our privacy, and our property.
Unfortunately, we are not living in such a world nor we are likely to create one on this planet or anywhere else, at least not anytime soon. The fact that a small, but nevertheless noticeable through their actions, percentage of this world’s population breaks laws, steals our belongings, trespasses on our property, and invades our privacy means that we must protect ourselves, our loved ones, and all that we hold valuable. And so we raise fences, buy padlocks, fit our homes and business premises with burglar alarms, and pay bodyguards to ensure our safety, or to at least make us feel a little safer.
Things are no different in the networked world. Just like the real world around us, the Internet gives people with malicious intent plenty of opportunities to perform their questionable activities. Even though a vast majority of the people and the companies connected to the Internet mean no harm to anyone and just want to get on with their business, there are people who take a certain kind of pride in wreaking havoc online, stealing information or disrupting network services. Some even turned it into a way to make a living. They can spy on our communications, break into computers and networks, block connections between machines, destroy data, falsify records, and bring whole systems to a halt. Their motives are almost always the same: money, the need to have something to brag about, the attraction of a difficult challenge, ideology, revenge, or plain curiosity.
Modern network technology gives attackers many ways to amplify the power of their actions by using numerous compromised low-profile hosts to launch attacks against selected high-profile sites. Equipped with automated cracking tools and access to hundreds of compromised hosts, a single person can potentially cause damage on a scale comparable to an attack on a nuclear power plant or an oil refinery. And just as attacks on oil refineries can create shortages of oil and raise costs of transport, attacks against certain hosts on the Internet can slow down or cut off large portions of the Internet damaging sales, communications or, in some cases, endangering human lives. Of course, not all attacks are visible and discussed on CNN. Instead of destroying things, someone may prefer to break into a network and listen to communications, copy classified files, or change essential records. Such covert operations can result in more damage than a mass-scale attack on the Internet infrastructure. They are also more profitable to an attacker than the 5 minutes of fame he (or she) gets on the global news networks.
Even though many corporate, university, or home networks can have little end value for an attacker, their sole ability to send packets on the Internet can be worth a lot to someone who wants to break into them and use compromised hosts to launch an escalated Distributed Denial of Service (DDoS) attack against other, more valuable hosts. Owners of computers