OpenBSD Index

1.1. Install OpenBSD notes

Quick introduction to Packet Filter

Packet filter

Packet filter, or pf, is the system that controls the flow of packets; read more about it in the OpenBSD FAQ and its man page.

As a service it can be enabled or disabled with rcctl, or directly with the pfctl program. PF uses /etc/pf.conf as its main configuration file; after boot, further rules can be loaded from other files if needed.

Configuration

To set up a simple firewall, edit /etc/pf.conf. The default file ships with a very simple ruleset:

        # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
        #
        # See pf.conf(5) and /etc/examples/pf.conf

        set skip on lo

        block return	# block stateless traffic
        pass		# establish keep-state

        # By default, do not permit remote connections to X11
        block return in on ! lo0 proto tcp to port 6000:6010

        # Port build user does not need network
        block return out log proto {tcp udp} user _pbuild
        

This configuration allows incoming and outgoing connections, except where the comments say otherwise: remote connections to X11 are blocked, and so is network access for the _pbuild user that the ports system runs under when building.

Control

After boot, PF can be managed with pfctl:

        pfctl -f  /etc/pf.conf    Load the pf.conf file
        pfctl -nf /etc/pf.conf    Parse the file, but don't load it
        pfctl -sr                 Show the current ruleset
        pfctl -ss                 Show the current state table
        pfctl -si                 Show filter stats and counters
        pfctl -sa                 Show EVERYTHING it can show
        

Logs

The documentation states that when a packet is logged, a copy of its header is sent to the pflog interface together with additional data such as the interface, the action pf took, and so on.

The pflog interface lets user-space applications receive this data from the kernel. At boot, when pf is enabled, pflogd is started as well; by default it listens on pflog0 and writes to the file /var/log/pflog.

To read the log file:

        # tcpdump -n -e -ttt -r /var/log/pflog


To read the log in real time:

        # tcpdump -n -e -ttt -i pflog0

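As an added example (not code from the original page or the LeetIO documentation), the Python script below parses lines in the format `tcpdump -n -e -ttt` prints for pflog, where each packet header is prefixed with the rule number, action, direction and interface that pflog attaches, and summarises which sources were blocked inbound, which ports a blocked source probed, and how often each rule fired. The log lines are constructed samples, and the rule numbers are assumed to correspond to the `@N` numbering shown by `pfctl -vvsr`.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -r /var/log/pflog` output (not a
# real capture); "rule N/(reason) action dir on ifname:" is the pflog prefix.
SAMPLE_PFLOG = """\
Jan 05 10:15:23.101234 rule 2/(match) block in on re0: 198.51.100.7.40123 > 10.0.0.10.23: S 1:1(0) win 65535
Jan 05 10:15:23.204811 rule 2/(match) block in on re0: 198.51.100.7.40124 > 10.0.0.10.445: S 1:1(0) win 65535
Jan 05 10:15:24.000502 rule 7/(match) pass in on re0: 10.0.0.5.51022 > 10.0.0.10.22: S 9:9(0) win 16384
Jan 05 10:15:25.330009 rule 2/(match) block in on re0: 203.0.113.9.443 > 10.0.0.10.33001: . ack 1 win 64
Jan 05 10:15:26.700020 rule 2/(match) block out on re0: 10.0.0.10.5353 > 224.0.0.251.5353: udp 80
"""

# pflog prefix plus an IPv4 "addr.port > addr.port:" pair; ICMP lines (no
# ports) and IPv6 addresses do not match and are skipped by parse_pflog().
PFLOG_RE = re.compile(
    r"^(?P<ts>.*?)\s*rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def parse_pflog(text):
    """Return one dict per parseable line; rule and port fields become ints."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def blocked_inbound_by_source(records):
    """Blocked inbound packets per source address, most frequent first."""
    hits = Counter(r["src"] for r in records
                   if r["action"] == "block" and r["dir"] == "in")
    return hits.most_common()

def ports_probed_by(records, src):
    """Sorted destination ports a source was blocked on (a port-scan hint)."""
    return sorted({r["dport"] for r in records
                   if r["src"] == src and r["action"] == "block"})

def hits_per_rule(records):
    """How often each rule number fired; compare with `pfctl -vvsr` (@N)."""
    return dict(Counter(r["rule"] for r in records))
```

Feed it real output with `tcpdump -n -e -ttt -r /var/log/pflog | python3 script.py` after wrapping the calls in a small `main` that reads stdin.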

Simple firewall

The simplified syntax of a filter rule is:

        action [direction] [log] [quick] [on interface] [af]
        [proto protocol] [from src_addr [port src_port]]
        [to dst_addr [port dst_port]] [flags tcp_flags] [state]
        

Start changing the default configuration by setting the default policy to deny and logging all packets. Change the configuration file so that the first filter rules read:

        int_if  = "re0"
        lan_net = "10.0.0.0/24"

        set skip on lo

        # scrub incoming packets
        match in all scrub (no-df)

        set block-policy drop # block silently
        block drop log all    # block and log everything

        # activate spoofing protection for all interfaces
        block in quick from urpf-failed

        # allow out dns
        pass out on $int_if proto udp to 10.0.0.254 port domain

        # allow out ntp
        pass out on $int_if proto udp to any port ntp

        # allow out https
        pass out on $int_if proto tcp to any port 443

        # allow out ssh
        pass out on $int_if proto tcp to any port { 22, 2222 }

        # allow in ssh
        pass in log on $int_if proto tcp from any to 10.0.0.10 port 22

        # do not permit remote connections to X11
        block in on ! lo0 proto tcp to port 6000:6010

        # port build user does not need network
        block out log proto {tcp udp} user _pbuild


To reload the configuration file:

        # pfctl -f /etc/pf.conf
        

See which ports are listening:

        # netstat -na -f inet | grep LISTEN
        

Check the loaded rules:

        # pfctl -sr

This is part of the LeetIO System Documentation. Copyright (C) 2021 LeetIO Team. See the file Gnu Free Documentation License for copying conditions.