No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher. Published in Poland. ISBN: The author and the publisher disclaim any and all liability for the use of information and programs contained in this book.
All trademarks mentioned in this book are the sole property of their owners.
Preface
All I needed was a stable server for my home network, something I could configure and forget about. My choice was OpenBSD, because it installed without problems, was easy to configure, and did not have the infuriating problems with NFS that plagued me on Linux at that time. It wasn't a high-tech lab test, I just needed a stable server.
OpenBSD behaved well, did not require too much of my attention and was doing its job. Then, sometime in , I was asked to help secure a network, which was coming under an increasingly heavy barrage of attacks and was getting broken into approximately twice a month. The first thing we did was securing the hosts exposed to the outside world as much as the operating system allowed, but the rest of the job was going to be the responsibility of a firewall. I did some research and found out that many people recommended OpenBSD as the best solution for this job.
Knowing it doesn't cost a dime to install, I put OpenBSD on four firewall hosts guarding access to the troubled network and watched them in action.
Attacks didn't stop, but none of them was successful. OpenBSD has earned its keep. And that's the way it's been for the last three years. Of course, OpenBSD is only one of many components of the security setup used at that site, but it is proving to be the most significant one. One of my jobs is freelance technical writing, so it wasn't long before I got an idea that it might be useful to help promote the tools I use and like. I quickly wrote an article about installing and configuring OpenBSD and.
It was used because I wanted to help administrators of small and underfunded networks secure their installations with OpenBSD. Some of that material made its way into this book. When I wrote my first article for ONLamp. It was meant to be something to help people get ipfilter working in a relatively short time.
There were no plans for additional articles. I foolishly assumed that it would be all that was needed. Unfortunately for me, by the time that first article was published, the OpenBSD project abandoned ipfilter for Daniel Hartmeier's pf.
I got a lot of mail telling me in more or less civilized ways that my article was a worthless bag of bits. So, I quickly wrote an update, which was promptly published on ONLamp. After ONLamp.
To tell the truth, I did not want to write a book on that subject, because I knew that the market was too small to be considered profitable by trade computer book publishers. But, as the number of requests for the book grew, I sat down and wrote a proposal, which I later submitted to a few good publishers. My proposal was turned down by everyone, which convinced me that this subject was not sellable.
Of course, the real reason could just as well be the weaknesses in my proposal. Either way, I was not interested in pursuing this further and put the whole thing on hold.
Then, in late , I received an email message from a venerable academic publisher interested in publishing a book about OpenBSD. Unfortunately, we couldn't agree on the terms of the contract. By the time our talks broke down, I had a sizeable part of a manuscript ready for editing.
I could abandon it, but I felt it was too good to be trashed. I decided to risk it and an-. As I was working towards the end of the manuscript, I could see that it was becoming too long for a single book. I had to split it into two books. That way I can make sure that both books are not overly expensive, that they are delivered on time, and that they can be quickly updated. First and foremost I wish to thank the OpenBSD user community for their support, and for challenging me with interesting questions, suggestions, and critique.
Without them swamping me with requests to write a book about OpenBSD, this little tome would not be in your hands today. Thank you! I also wish to thank doctors Joanna Markiewicz and Witalis Misiewicz who keep their watchful eyes on my health and make sure I don't dump core before my time. Last, but not least I want to thank my dear wife, Malgosia, who patiently puts up with my non-standard working hours, deadlines that move everything else aside, and the growing farm of computer hardware.
Without her support and understanding I'd never have written this book.
Jacek Artymiak
Lublin, Poland
June
Introduction
What this book is about. What information you'll find on its pages. How to keep in touch with the author, the developer of pf, and the OpenBSD project.
This book explains how to build, configure, and manage IP packet firewalls using commodity hardware, the OpenBSD operating system, and Daniel Hartmeier's pf packet filter.
Its intended audience is network and security administration professionals and the users of the OpenBSD operating system. Readers unfamiliar with either or both of these topics ought to consult [Stevens ], [Wright, Stevens ], [Stevens a], and [Frisch ].
The likely suspects, the problems they cause, and the protection mechanisms we use to defend ourselves are often quite alike; it doesn't matter that we are dealing with 1s and 0s.
In an ideal world, there would be no need for fences, gates, or locks, because the good side of human nature and the laws of our society would be enough to protect ourselves, our privacy, and our property.
Unfortunately, we are not living in such a world, nor are we likely to create one on this planet or anywhere else, at least not anytime soon. The fact that a small, but nevertheless noticeable through their actions, percentage of this world's population breaks laws, steals our belongings, trespasses on our. And so we raise fences, buy padlocks, fit our homes and business premises with burglar alarms, and pay bodyguards to ensure our safety, or to at least make us feel a little safer.
Things are no different in the networked world. Just like the real world around us, the Internet gives people with malicious intent plenty of opportunities to perform their questionable activities. Even though a vast majority of the people and the companies connected to the Internet mean no harm to anyone and just want to get on with their business, there are people who take a certain kind of pride in wreaking havoc online, stealing information or disrupting network services.
Some have even turned it into a way to make a living. They can spy on our communications, break into computers and networks, block connections between machines, destroy data, falsify records, and bring whole systems to a halt. Their motives are almost always the same: money, the need to have something to brag about, the attraction of a difficult challenge, ideology, revenge, or plain curiosity.
Modern network technology gives attackers many ways to amplify the power of their actions by using numerous compromised low-profile hosts to launch attacks against selected high-profile sites. Equipped with automated cracking tools and access to hundreds of compromised hosts, a single person can potentially cause damage on a scale comparable to an attack on a nuclear power plant or an oil refinery.
And just as attacks on oil refineries can create shortages of oil and raise the cost of transport, attacks against certain hosts on the Internet can slow down or cut off large portions of the Internet, damaging sales, communications or, in some cases, endangering human lives.
Of course, not all attacks are visible and discussed on CNN. Instead of destroying things, someone may prefer to break into a network and listen to communications, copy classified files, or change essential records. Such covert operations can result in more damage than a mass-scale attack on the Internet infrastructure. They are also more profitable to an attacker than the 5 minutes of fame he or she gets on the global news networks.
Even though many corporate, university, or home networks may have little end value for an attacker, their mere ability to send packets on the Internet can be worth a lot to someone who wants to break into them and use the compromised hosts to launch an escalated Distributed Denial of Service (DDoS) attack against other, more valuable hosts.
Owners of computers and networks connected to the Internet have a responsibility to keep their. If they don't take the necessary precautions, they could be held responsible for damage done to somebody else's site.
Taking all possible preventive steps is no longer an option but an obligation, which quite likely will soon be enforced by laws passed by parliaments and governments around the world. As usual, the best way to fight such attacks is through prevention.
To avoid problems and to keep the bad guys out, many organizations invest large sums of money in security software, hardware, training, and auditing. This book shows how to save some of that cash using firewalls built with top-quality free open source security software.
Due to the nature of the work they perform, firewalls are the first line of defense against external attacks. They consist of a mixture of hardware and software placed at strategic junctions on the network, usually somewhere near the points of contact with other networks. Their basic purpose is to look at packets passing through them and let those packets pass or block them according to the packet filtering policy, implemented in the form of a list of packet filtering rules.
Over the last few years, firewalls have acquired additional functionality and can perform much more than plain packet filtering. Packet normalization, Network Address Translation (NAT), stateful filtering, packet logging, support for spam filters, dynamic rulesets, and other advanced functionality are now standard on many firewall products.
Although they are no silver bullet that magically fixes all problems, their ability to scrutinize, redirect, modify, and log packets makes firewalls an ideal network security, audit, forensic, as well as management tool. It has to be that way, because there are simply not enough skilled security specialists to look after all the networks that need their attention.
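As an added example that is not taken from the book, the following minimal pf.conf shows the functions just listed (packet normalization, NAT, stateful filtering, and logging) arranged around a default-deny policy, written in the rule syntax of the OpenBSD 3.x releases the book describes. The interface names and the internal address range are assumptions made for the example.

```pf
# Added example (not from the book): a small default-deny pf.conf
# in OpenBSD 3.x-era syntax. Interface names and the LAN range are
# assumptions for this example; adjust them to the actual setup.
ext_if  = "ne3"               # interface facing the Internet (assumed)
int_if  = "ne4"               # interface facing the LAN (assumed)
int_net = "192.168.1.0/24"    # private LAN range (assumed)

# Packet normalization: reassemble fragments, drop malformed packets
scrub in all

# NAT: rewrite LAN source addresses to the external interface's
# current address, looked up dynamically because of the parentheses
nat on $ext_if from $int_net to any -> ($ext_if)

# Default policy: drop and log everything not explicitly passed below;
# packets matching an existing state entry never reach these rules
block in  log all
block out log all

# Loopback traffic is never filtered
pass quick on lo0 all

# LAN hosts may initiate connections; replies are admitted by state,
# so no separate inbound rules are needed for return traffic
pass in  on $int_if from $int_net to any keep state
pass out on $int_if from any to $int_net keep state
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass out on $ext_if proto { udp, icmp } from any to any keep state

# The only service reachable from outside: SSH to the firewall itself.
# flags S/SA creates state only on the initial SYN of a new connection.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state
```

On current OpenBSD releases the same policy is expressed with match rules (`match in all scrub (no-df)` and `match out on $ext_if from $int_net to any nat-to ($ext_if)`), with `set skip on lo0` in place of the loopback pass rule, and state is kept by default on every pass rule.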
Organizations with deep pockets can afford to employ well-paid professional staff who provide better. This is not always the case, but exceptions to this rule should not be used to justify cuts in spending on IT security.
An unfortunate result of low supply and high demand is the migration of highly skilled personnel to clients who can meet their salary requirements. This leaves a lot of small and underfunded networks in the hands of less experienced administrators, who might not know how to design, configure, and monitor these networks' safety mechanisms, leaving them vulnerable to attacks from unscrupulous people looking for inside information, free warez storage, zombie hosts for DDoS attacks, or systems they can simply make inoperable for the sheer fun of doing it.
But even a fat wad of cash does not always solve all problems for large companies. Restricted by commercial licenses and limited by the size of their security budgets, even the giants of IT often cannot afford as high a level of protection as they would like to have. Fortunately, many good security products are now available for free and can be implemented using commodity hardware components and commodity free open source software (the word "free" is important here, as not all open source software is free of licensing traps).
Using free open source software makes more sense today than ever, not only because there are plenty of high-quality open source IT security tools, but because those who learn them now will be sought after tomorrow. The world is entering the era of software commoditization.
Building Firewalls With OpenBSD And PF, 2nd Edition (2003)