Securing OpenBSD 3.x
Regardless of OpenBSD's claim of "five years without a remote hole in the default install," this claim is, while impressive, mostly for the press. By default, OpenBSD has very few services (as listed in /etc/inetd.conf) enabled, and those have reasonably airtight code, so there's very little chance of Theo's claim being disproved any time soon.
The first thing you do when you get any operating system installed (preferably offline, so you have a chance to secure it first) is to take stock of what is currently listening on what ports and take action to shut down those you don't want. OpenBSD 3.0 has comsat, daytime, ssh and time running by default when you finish installing it.
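The "take stock of what is listening" step, as an added example that is not part of the original write-up: a small sh/awk audit that reads `netstat -an -f inet` output and reports every listening TCP or bound UDP port that is not on your intended allow-list (here 22 and 80, matching the Services macro used in the ruleset below). The netstat sample embedded in the script is constructed for offline use, not captured from a real host; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag listeners that are
# not on the allow-list, so you know what to comment out of inetd.conf.
# Live use on an OpenBSD host:   netstat -an -f inet | audit_listeners

# Ports you intend to expose; keep in step with the Services macro in pf.conf.
ALLOWED_PORTS="22 80"

# Reads netstat -an -f inet output on stdin. Prints "proto port" for each
# unexpected listener and exits 1 if any were found, 0 otherwise.
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        bad = 0
    }
    # BSD netstat prints local sockets as addr.port; TCP listeners carry
    # state LISTEN, bound UDP sockets show a wildcard foreign address.
    ($1 == "tcp" && $NF == "LISTEN") || ($1 == "udp" && $5 == "*.*") {
        port = $4
        sub(/.*\./, "", port)          # strip everything up to the last dot
        if (!(port in ok)) {
            printf "%s %s\n", $1, port
            bad = 1
        }
    }
    END { exit bad }
    '
}

# CONSTRUCTED netstat sample resembling a fresh 3.x install: sshd and httpd
# (wanted), daytime/13, time/37 and comsat/512 (unwanted), plus one
# established session that must be ignored.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  *.80                   *.*                    LISTEN
tcp          0      0  *.13                   *.*                    LISTEN
tcp          0      0  *.37                   *.*                    LISTEN
tcp          0      0  192.168.1.5.22         192.168.1.10.51234     ESTABLISHED
udp          0      0  *.512                  *.*'

# Runs the audit over the constructed sample; returns audit_listeners' status.
unexpected_in_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
}

unexpected_in_sample || echo "unexpected listeners above: edit /etc/inetd.conf"
```

The ESTABLISHED line is deliberately skipped: only sockets that accept new connections matter for this inventory. After editing inetd.conf, re-run the live pipeline and the script should print nothing and exit 0.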
Start by commenting all of these except SSH (and that, too, unless you never plan to log in remotely) out of inetd.conf. Your next step is to set pf=YES in rc.conf to enable OpenBSD's packet filter. If you are unsure how to structure the rules, read the man page for pf.conf (the file itself lives in /etc/).
The default rules for pf are pass in all and pass out all. These rules leave a lot to be desired, despite the fact that the applications currently running are considered to be secure. Leave nothing to chance. Here is a sample set of rules, with explanations:
ExtIF = "dc1" # This is my NIC adapter that faces the internet
IntIF = "dc0" # This is my NIC adapter that faces my LAN
NoRouteIPs = " { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } " # Non-routable (RFC 1918 and loopback) addresses
Services = " { 22, 80 } " # The ports that the applications you want to run listen on
scrub in all # Reassembles fragments and drops abnormal packets
block in quick on $ExtIF from $NoRouteIPs to any # Prevents IP spoofing against your external NIC
block out quick on $ExtIF from any to $NoRouteIPs # Keeps people inside your LAN from IP spoofing
# Because of pf's "last match" rule, the last rule (that does not have 'quick' in it) that matches
# a packet is the one acted upon, so we're able to block all packets at this level that don't match the
# following rules
block in on $ExtIF all
pass in on $ExtIF inet proto tcp from any to any port $Services flags S/SA keep state
# This allows only the packets for incoming SSH and HTTP sessions to make it through the packet filter,
# and only the initial SYN packets (flags S/SA: SYN set, ACK clear) at that. Keep state lets the rest
# of the session through the filter via the state table. Very handy.
pass out on $ExtIF all keep state # Not redundant: keep state lets the replies to this box's own outbound connections back in past 'block in'
There are of course far better rules, including rules that only allow certain types of outgoing traffic, but those are beyond the scope of this write-up. There are always ways to improve security, and this one focuses only on the network security aspect of it.