Building Firewalls with OpenBSD and PF, 1st edition
Jacek Artymiak
ISBN: 83-916651-4-3

Table of Contents

Preface ..... 1
  0.1 Acknowledgments ..... 3

Chapter 1: Introduction ..... 5
  1.1 Why Do We Need to Secure Our Networks ..... 5
  1.2 Why Do We Need Firewalls ..... 7
  1.3 Why Open Source Software ..... 7
  1.4 Why OpenBSD and pf ..... 9
  1.5 Cryptography and Law ..... 11
  1.6 How This Book Is Organized ..... 12
  1.7 Typographic Conventions Used in This Book ..... 14
  1.8 Staying in Touch with the OpenBSD Community ..... 14
  1.9 Getting in Touch with the Author ..... 15

Chapter 2: Firewall Designs ..... 17
  2.1 Define Your Local Packet Filtering Policy ..... 17
  2.2 What Is a 'Firewall'? ..... 18
  2.3 What Firewalls Are Not ..... 19
  2.4 Hardware vs. Software Firewalls ..... 19
  2.5 Firewalls Great and Small ..... 20
    2.5.1 Screened Host ..... 20
    2.5.2 Screened LAN or Screened LAN Segment ..... 22
    2.5.3 Bastion Host ..... 24
    2.5.4 Demilitarized Zone (DMZ) ..... 25
    2.5.5 Large-Scale LANs ..... 27
  2.6 Invisible Hosts and Firewalls ..... 27
    2.6.1 Filtering Bridge ..... 28
    2.6.2 Network Address Translation (NAT) ..... 30
  2.7 Additional Functionality ..... 30

Chapter 3: Installing OpenBSD ..... 33
  3.1 Software Requirements ..... 33
    3.1.1 Why Buying Official OpenBSD CD-ROM Sets Is a Smart Thing to Do ..... 34
    3.1.2 Additional Software Requirements ..... 34
  3.2 Hardware Requirements ..... 36
    3.2.1 Which Hardware Platform Should You Choose? ..... 36
    3.2.2 Motherboard ..... 38
    3.2.3 BIOS ..... 38
    3.2.4 Processor ..... 38
    3.2.5 Memory ..... 40
    3.2.6 Disk Space ..... 41
    3.2.7 Network Interfaces ..... 42
    3.2.8 Communicating with Your Computer During Installation ..... 45
    3.2.9 How Are You Going to Install OpenBSD? ..... 46
    3.2.10 Tape Drives ..... 47
    3.2.11 Debugging Hardware ..... 47
    3.2.12 Other Requirements ..... 47
    3.2.13 When in Trouble, Use the Manual ..... 48
  3.3 Downloading OpenBSD ..... 48
  3.4 Preparing Installation Media ..... 49
  3.5 Installing OpenBSD ..... 50
  3.6 Securing Your Firewall Hardware ..... 60

Chapter 4: Configuring OpenBSD ..... 61
  4.1 User Management ..... 61
    4.1.1 Adding Users ..... 61
    4.1.2 Letting Users Do As Root Does (su) ..... 62
    4.1.3 Changing the User Password ..... 62
    4.1.4 Giving Users Limited Access to Root Privileges (sudo) ..... 63
    4.1.5 Removing Users ..... 63
  4.2 Hardening OpenBSD ..... 63
    4.2.1 Disabling Non-Essential Services ..... 64
    4.2.2 Patching ..... 64
  4.3 Configuring Networking ..... 69
    4.3.1 More Than One Address on a Single Interface (Aliases) ..... 72
    4.3.2 Pf Configuration Options ..... 73
    4.3.3 Bridge Configuration Options ..... 74
    4.3.4 IP Forwarding ..... 76
    4.3.5 Configuring FTP Proxy ..... 77
  4.4 Automated System Reboot ..... 78
  4.5 Swap Encryption ..... 78
  4.6 Working with Securelevels ..... 78
  4.7 Setting Time and Date ..... 79
  4.8 Configuring the Kernel to Solve Hardware Problems ..... 80
    4.8.1 Make a Copy of the Old Kernel ..... 81
    4.8.2 User Kernel Config (UKC) ..... 81
    4.8.3 Brain Transplants for OpenBSD ..... 84
  4.9 Adding and Compiling Software ..... 84
  4.10 Configuring Disks ..... 85
    4.10.1 RAID ..... 85

Chapter 5: /etc/pf.conf ..... 87
  5.1 Inside pf.conf ..... 87
    5.1.1 Changing the pf.conf Section Order ..... 88
    5.1.2 Breaking Long Lines into Smaller Pieces ..... 88
    5.1.3 Grouping Rule Elements into Lists ({}) ..... 89
  5.2 Macros ..... 89
  5.3 Tables (table) ..... 90
  5.4 Anchors (anchor, nat-anchor, rdr-anchor, binat-anchor) ..... 92
  5.5 Common Components Found in pf Rules ..... 93
    5.5.1 Directions (in, out) ..... 93
    5.5.2 Interfaces (on) ..... 93
    5.5.3 Address Families (inet, inet6) ..... 94
    5.5.4 Protocols (proto) ..... 95
    5.5.5 Addresses (from, to, any, all) ..... 95
    5.5.6 Dynamic Assignment of Addresses ..... 98
    5.5.7 Ports (port) ..... 98
  5.6 Tools for Writing and Editing pf.conf ..... 99
    5.6.1 Why Not Edit pf.conf on Another Machine? ..... 100
    5.6.2 Syntax Highlighting ..... 100
    5.6.3 GUI Tools for Writing Rulesets with a Mouse ..... 100
    5.6.4 Scripting pf.conf ..... 100
  5.7 Managing pf.conf Versions with CVS ..... 100

Chapter 6: Packet Normalization ..... 103
  6.1 Implementing Packet Normalization (scrub) ..... 104
    6.1.1 Scrub Rule Syntax ..... 104
  6.2 Fine-Tuning Scrub Rules ..... 105
    6.2.1 Pf Options (limit frags, timeout frags) ..... 106
    6.2.2 Scrub Rule Options ..... 106
  6.3 Who's Sending All Those Malformed Packets? ..... 109

Chapter 7: Packet Redirection ..... 111
  7.1 Security Applications ..... 111
  7.2 Expanding the IPv4 Address Space ..... 112
    7.2.1 Does IPv6 Make NAT Redundant? ..... 114
    7.2.2 What Problems Does NAT Cause? ..... 114
  7.3 NAT Rules ..... 115
    7.3.1 Hiding Hosts Behind a Single Address with nat Rules ..... 116
    7.3.2 Redirecting Packets to Other Addresses and Ports (rdr) ..... 121
    7.3.3 Forcing Everyone to Use a Web Cache ..... 125
    7.3.4 Other Uses of rdr Rules ..... 127
    7.3.5 binat ..... 127

Chapter 8: Packet Filtering ..... 129
  8.1 The Anatomy of a Filtering Rule ..... 129
    8.1.1 What Is pf Supposed to Do (block, pass)? ..... 130
    8.1.2 Return to Sender (return-icmp, return-rst) ..... 131
    8.1.3 Inbound or Outbound (in, out)? ..... 133
    8.1.4 To Log or Not to Log (log, log-all)? ..... 133
    8.1.5 Finishing Early (quick) ..... 134
    8.1.6 Network Interface Names (on)? ..... 135
    8.1.7 Routing Options (fastroute, reply-to, route-to, dup-to) ..... 135
    8.1.8 IP Addressing Families: IPv4 (inet) or IPv6 (inet6)? ..... 137
    8.1.9 Protocols (proto)? ..... 137
    8.1.10 Source Address (from, any, all)? ..... 138
    8.1.11 Source Port (port)? ..... 139
    8.1.12 Destination IP Address (to, any, all) ..... 140
    8.1.13 Destination Port (port) ..... 141
    8.1.14 User and Group Access Control (user, group) ..... 141
    8.1.15 TCP Flags (flags) ..... 142
    8.1.16 ICMP Packets ..... 143
    8.1.17 Stateful Filtering (keep state, modulate state) ..... 144
    8.1.18 IP Options (allow-opts) ..... 149
    8.1.19 Labels (label) ..... 149
  8.2 Antispoof Rules ..... 150
  8.3 Filtering Rules for Redirected Packets ..... 151

Chapter 9: Dynamic Rulesets ..... 155
  9.1 Designing an Automated Firewall ..... 155

Chapter 10: Bandwidth Shaping and Load Balancing ..... 159
  10.1 Load Balancing ..... 159
    10.1.1 Implementing Load Balancing ..... 161
  10.2 Bandwidth Shaping ..... 163
    10.2.1 The Anatomy of a Scheduler Rule ..... 163
    10.2.2 The Anatomy of a Queue Rule ..... 164
    10.2.3 Priority Queuing (PRIQ) ..... 165
    10.2.4 Class-Based Queuing (CBQ) ..... 165
    10.2.5 Assigning Packets to Queues ..... 166

Chapter 11: Logging and Log Analysis
  11.1 Enabling Packet Logging ..... 170
  11.2 Log Analysis ..... 170
  11.3 Which Packets Do You Want to Capture? ..... 172
  11.4 The Secret Life of Logs ..... 174
  11.5 Bandwidth and Disk Space Requirements ..... 177

Chapter 12: Using authpf ..... 181
  12.1 Configuring authpf ..... 181
  12.2 Configuring sshd ..... 182
  12.3 Configuring login ..... 182
  12.4 Writing pf Rules for authpf ..... 183

Chapter 13: Using spamd ..... 185
  13.1 Configuring spamd ..... 185

Chapter 14: Ruleset Optimization ..... 189
  14.1 The pf Optimization Checklist ..... 189
  14.2 Pf Optimization Options ..... 190

Chapter 15: Testing Your Firewall ..... 193
  15.1 Pencil Test ..... 193
  15.2 Checking Host Availability ..... 194
    15.2.1 When Ping Cannot Help ..... 195
  15.3 Discovering Open Ports on Remote Hosts ..... 196
  15.4 Testing Network Performance ..... 197
  15.5 Are Packets Passing Through PF? ..... 200
  15.6 Additional Tools ..... 201

Chapter 16: Firewall Management ..... 203
  16.1 General Operations ..... 203
  16.2 Pfctl Output Control Options ..... 203
  16.3 Managing Rulesets ..... 204
  16.4 Managing Macros ..... 204
  16.5 Managing Tables ..... 204
  16.6 Managing pf Options ..... 206
  16.7 Managing Queues ..... 206
  16.8 Managing Packet Redirection Rules ..... 206
  16.9 Managing Packet Filtering Rules ..... 207
  16.10 Managing Anchors ..... 207
  16.11 Managing States ..... 208
  16.12 Statistics ..... 209
  16.13 Additional Tools for Managing pf ..... 209

Appendix A: Manual Pages ..... 211
  A.1 Using the OpenBSD Manual ..... 211
    A.1.1 Reading the OpenBSD Manual Pages on the Web ..... 212
  A.2 Pages of Interest ..... 213

Appendix B: Rules for Popular (and Less Popular) Services ..... 215
  B.1 Fixing FTP ..... 217

Appendix C: Rule Templates for Typical Firewall Configurations ..... 219

Appendix D: Helping OpenBSD and PF ..... 225
  D.1 Buy Official CD-ROMs, T-Shirts, and Posters ..... 225
  D.2 Make Small, but Regular Donations ..... 226
  D.3 Hire Developers of OpenBSD and Pf ..... 227
  D.4 Donate Hardware ..... 228
  D.5 Spare Some of Your Precious Time ..... 228
  D.6 Spread the Word ..... 229
  D.7 Attend Training Seminars ..... 229
  D.8 Encourage People to Buy this Book ..... 229

Bibliography ..... 231
About this Book ..... 235