display | more...
Securing OpenBSD 3.x

Regardless of OpenBSD's claim of "five years without a remote hole in the default install," this claim is, while impressive, mostly for the press. By default, OpenBSD has very few services (as listed in /etc/inetd.conf) enabled, and those have reasonably airtight code, so there's very little chance of Theo's claim being disproved any time soon.

The first thing you do when you get any operating system installed (preferably offline, so you have a chance to secure it first) is to take stock of what is currently listening on what ports and take actions to shut down those you don't want. OpenBSD 3.0 has comsat, daytime, ssh and time running by default when you finish installing it.

The first thing to do is comment all of these except SSH (and that, too, unless you never plan to log in remotely) out of inetd.conf. Your next step is set pf in rc.conf to YES to enable OpenBSD's packet filter. If you are unsure of how to structure the rules, read the man pages on pf.conf (located in /etc/).

The default rules for pf are pass in all and pass out all. These rules leave a lot to be desired, despite the fact that the applications that are currently running are considered to be secure. Leave nothing to chance. Here is a sample set of rules, with explanations:

ExtIF = "dc1" # This is my NIC adapter that faces the internet
IntIF = "dc0" # This is my NIC adapter that faces my LAN
NoRouteIPs = " { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } " # Non-Routable IPs
Services = " { 22, 80 } " # The ports that applications you want to run listen on.

scrub in all # This removes fragmented and abnormal packets
block in quick on $ExtIF from $NoRouteIPs to any # Prevents IP spoofing to your external NIC
block out quick on $ExtIF from any to $NoRouteIPs # Keeps people inside your LAN from IP Spoofing


# Because of OpenBSD's "last match" rule, the last rule (that does not have 'quick' in it) that matches a packet is the one acted upon, so we're able to block all packets at this level that don't match the following rules
block in all on $ExtIF

pass in on $ExtIF inet proto tcp from any to any port $Services flags S/SA keep state
# This allows only the packets for incoming SSH and HTTP sessions to make it through the packetfilter, and only SYN or SYN/ACK packets at that. Keep state allows the session to stay alive through the filter. Very handy.

pass out on $ExtIF all keep state # Kind of useless as it's implied
There are of course far better rules, including rules that only allow certain types of outgoing traffic, but those are beyond the scope of this write-up. There are always ways to improve security, and this one focuses only on the network security aspect of it.

Log in or register to write something here or to contact authors.