PF firewall for desktop


PF firewall for desktop

Jean-Francois Simon
Hi,

Out of interest, I'd like to let you know about a specific use of OpenBSD with
PF: in VirtualBox, with two virtual network cards bridged to the physical NIC,
building up a subnet with NAT and hence running Packet Filter as the
machine's firewall.


That's the firewall I use under Win7, OpenBSD running in a VM, out of
pure interest in running BSD and letting it purify the network access to the
desktop (without the need for additional hardware).


Works well, love it.


Jean-François
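As an added illustration (not from Jean-François's post nor the OpenBSD project), here is a minimal pf.conf for the two-interface NAT layout he describes. It assumes em0 is the VM NIC bridged to the physical network, em1 holds 192.168.50.1/24 on the private side with the Win7 desktop using it as default gateway, and net.inet.ip.forwarding=1 is set; all names and addresses are constructed.

```pf
# Added example, not from the original post: a minimal pf.conf for a
# routed-NAT firewall VM. Assumed names: em0 = outside (bridged to the
# physical NIC), em1 = inside, 192.168.50.0/24 = desktop subnet.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.50.0/24"

set skip on lo
set block-policy drop

# Normalise traffic and drop packets whose source address does not
# belong on the interface they arrived on (spoofing from either side).
match in all scrub (no-df random-id max-mss 1440)
antispoof quick for { $ext_if, $int_if }

# Hide the private subnet behind the outside interface address.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default deny, logged, so misconfigurations show up on pflog0.
block log all

# Traffic leaving toward the outside (the firewall's own and the
# translated desktop traffic); replies come back via state.
pass out quick on $ext_if

# Answer pings from outside, nothing else is accepted on the outside.
pass in on $ext_if inet proto icmp icmp-type echoreq

# Desktop traffic: only explicitly listed outbound services.
pass in on $int_if inet proto tcp from $lan_net to any port { 22, 80, 443, 993 }
pass in on $int_if inet proto udp from $lan_net to any port { 53, 123 }
pass in on $int_if inet proto icmp from $lan_net to any
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch `tcpdump -n -e -ttt -i pflog0` to see what the default deny is dropping before widening the inside rules.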


Re: PF firewall for desktop

James Huddle
I like your suggestion!  I am security paranoid to a fault.  For me, a
system is either rock solid or wide open.  obsd is the closest I've found
to rock solid, and frankly a virtualbox vm running on win7 feels wide
open.  But the more I thought about your idea, the more I liked it.  Win7
w/o the virtual firewall is more simply at risk, so why not?
Seeing as I am still new to OpenBSD, I would probably have 2 vms: bsd1
passes everything incoming to bsd2 (the firewall), then bsd1 quietly logs
what goes out to check for nefarious-looking packets.  That would take two
separate boxes to even start building, without vms.  The VMs can fight and
die and be replaced, and even a noob like myself can learn what works
better and harder.

Can't wait to set something up.
-Jim

On Fri, May 24, 2019 at 3:38 PM Jean-Francois Simon <[hidden email]>
wrote:

> Hi,
>
> Out of interest, I'd like to let you know about a specific use of OpenBSD with
> PF: in VirtualBox, with two virtual network cards bridged to the physical NIC,
> building up a subnet with NAT and hence running Packet Filter as the
> machine's firewall.
>
>
> That's the firewall I use under Win7, OpenBSD running in a VM, out of
> pure interest in running BSD and letting it purify the network access to the
> desktop (without the need for additional hardware).
>
>
> Works well, love it.
>
>
> Jean-François
>
>

Re: PF firewall for desktop

Walt
In reply to this post by Jean-Francois Simon
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, May 24, 2019 2:30 PM, Jean-Francois Simon <[hidden email]> wrote:

> Hi,
>
> Out of interest, I'd like to let you know about a specific use of OpenBSD with
> PF: in VirtualBox, with two virtual network cards bridged to the physical NIC,
> building up a subnet with NAT and hence running Packet Filter as the
> machine's firewall.
>
> That's the firewall I use under Win7, OpenBSD running in a VM, out of
> pure interest in running BSD and letting it purify the network access to the
> desktop (without the need for additional hardware).
>
> Works well, love it.
>
> Jean-François

I like having a firewall that would pretty much require someone physically entering the computer room in order to attack the firewall.  With OpenBSD, your firewall can control your network traffic without having an IP address at all.

One thing that you could try is to use the OpenBSD VM as the firewall, but don't assign any IP address to the firewall.  The Win7 VM would have the actual IP address, but the OpenBSD VM would control the network.

If I ever get around to getting enough IPv4 addresses so that I don't need a NAT, I'll go back to isolating access to the firewall with this approach.

I am curious if there is any way to attack the firewall if it has no IP addresses.

W


Re: PF firewall for desktop

James Huddle
IP is a fairly high-order construct.  Beneath it, the data link and
physical layers remain almost unnoticed.  One thought that came to mind
would be to attack a machine on the same LAN, and then exploit an Ethernet
vulnerability to listen to "the wire".  Not sure how many (if any) Ethernet
vulnerabilities there are, but that would be one possible vector.  Also,
the NIC itself might have physical-layer vulnerabilities, such as
administrative backdoors.  That's all aimed at eavesdropping.  Escalating
that to an OS pwnership is beyond my imagination.  But I imagine it's not
beyond *somebody's* imagination.  And that's the beauty of the hack.
There's always someone in the rabble with a background in electronics or
orchid-growing or intergalactic imaging that has an insight that nobody
thought to defend.  Check...  No, wait, Checkmate!

On Sun, May 26, 2019 at 4:04 AM Walt <[hidden email]> wrote:

> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, May 24, 2019 2:30 PM, Jean-Francois Simon <
> [hidden email]> wrote:
>
> > Hi,
> >
> > Out of interest, I'd like to let you know about a specific use of OpenBSD with
> > PF: in VirtualBox, with two virtual network cards bridged to the physical NIC,
> > building up a subnet with NAT and hence running Packet Filter as the
> > machine's firewall.
> >
> > That's the firewall I use under Win7, OpenBSD running in a VM, out of
> > pure interest in running BSD and letting it purify the network access to the
> > desktop (without the need for additional hardware).
> >
> > Works well, love it.
> >
> > Jean-François
>
> I like having a firewall that would pretty much require someone physically
> entering the computer room in order to attack the firewall.  With OpenBSD,
> your firewall can control your network traffic without having an IP address
> at all.
>
> One thing that you could try is to use the OpenBSD VM as the firewall, but
> don't assign any IP address to the firewall.  The Win7 VM would have the
> actual IP address, but the OpenBSD VM would control the network.
>
> If I ever get around to getting enough IPv4 addresses so that I don't need
> a NAT, I'll go back to isolating access to the firewall with this approach.
>
> I am curious if there is any way to attack the firewall if it has no IP
> addresses.
>
> W
>
>

Re: PF firewall for desktop

Janne Johansson-3
In reply to this post by Walt
Den sön 26 maj 2019 kl 10:03 skrev Walt <[hidden email]>:

> I like having a firewall that would pretty much require someone physically
> entering the computer room in order to attack the firewall.  With OpenBSD,
> your firewall can control your network traffic without having an IP address
> at all.
> One thing that you could try is to use the OpenBSD VM as the firewall, but
> don't assign any IP address to the firewall.  The Win7 VM would have the
> actual IP address, but the OpenBSD VM would control the network.
> I am curious if there is any way to attack the firewall if it has no IP
> addresses.
>

If you build it like the emails before listed, you still have the attack
surface of the whole OS that runs VirtualBox, then the whole codebase of
Virtualbox on top of that before you reach your obsd ip-less
un-maintainable VM to "protect you" from evil packets.

--
May the most significant bit of your life be positive.

Re: PF firewall for desktop

Kapetanakis Giannis
On 28/05/2019 11:12, Janne Johansson wrote:

> Den sön 26 maj 2019 kl 10:03 skrev Walt <[hidden email]>:
>
>> I like having a firewall that would pretty much require someone physically
>> entering the computer room in order to attack the firewall.  With OpenBSD,
>> your firewall can control your network traffic without having an IP address
>> at all.
>> One thing that you could try is to use the OpenBSD VM as the firewall, but
>> don't assign any IP address to the firewall.  The Win7 VM would have the
>> actual IP address, but the OpenBSD VM would control the network.
>> I am curious if there is any way to attack the firewall if it has no IP
>> addresses.
>>
> If you build it like the emails before listed, you still have the attack
> surface of the whole OS that runs VirtualBox, then the whole codebase of
> Virtualbox on top of that before you reach your obsd ip-less
> un-maintainable VM to "protect you" from evil packets.


To begin with, it's been mentioned many times on this list that a bridge-only (IP-less) firewall is not a recommended setup.
Start with this: https://marc.info/?l=openbsd-misc&m=124056858519840&w=2
I'm sure you will find valuable info there, like the post from Henning@ (pf dev):

"yes. lots of idiots do it.
bridging is stupid. don't. there are cases where you can't avoid it,
but deliberately? about as clever as knowingly drinking methanol."

First of all, it's harder to detect problems and configuration errors.
There might be performance issues as well, since you're utilizing the bridge interface (not sure if it's still the case).
IP/routing adds another layer of protection: the packets must pass through layer 3 (the network layer) of the firewall.
Layer 2 attacks are not easy to protect from, or even to detect sometimes.

Not having an IP on the firewall is no better than having an IP firewall with no open services, or no open services on the external interface.

G



Re: PF firewall for desktop

Kevin Chadwick-4
In reply to this post by Jean-Francois Simon
On 5/24/19 8:30 PM, Jean-Francois Simon wrote:

> Hi,
>
> Out of interest, I'd like to let you know about a specific use of OpenBSD with PF: in
> VirtualBox, with two virtual network cards bridged to the physical NIC, building up a
> subnet with NAT and hence running Packet Filter as the machine's firewall.
>
>
> That's the firewall I use under Win7, OpenBSD running in a VM, out of pure
> interest in running BSD and letting it purify the network access to the
> desktop (without the need for additional hardware).
>
>
> Works well, love it.

I have done something similar in the past. My personal preference is Hyper-V on
Windows 10 Pro, which Windows 7 can be upgraded to. I would hope Hyper-V has
inherited kernel sandboxing/mitigation protections and hardening from the Windows
kernel/Azure.

I assign the physical NIC to the OpenBSD VM and remove all check boxes like
IPv4/IPv6 support from that NIC. Then I had a VNAT device for Windows to talk
to. Glasswire on top gives a window into the "why is it connecting there", or
obfuscating CDNs' HTTPS certs, without the other free Windows firewall cruft.

I assume communications to the Windows box could be made from a foreign network
via ARP manipulation, but a nice setup nonetheless, if you can be bothered with it.


Re: PF firewall for desktop

James Huddle
Lots of miscommunications in these threads.  The original poster here was
talking about setting up a virtual firewall machine to deal with traffic on
a single box.
Most of the war stories are from sys admins protecting a corporate LAN (or
larger) with lawyers and accountants weighing in.  Of course you need to
consider the collective OpenBSD wisdom and up your game accordingly, when
protecting a multimillion dollar facility.

I could really go for a methanol, about now!

On Tue, May 28, 2019 at 6:58 AM Kevin Chadwick <[hidden email]> wrote:

> On 5/24/19 8:30 PM, Jean-Francois Simon wrote:
> > Hi,
> >
> > Out of interest, I'd like to let you know about a specific use of OpenBSD with
> > PF: in VirtualBox, with two virtual network cards bridged to the physical NIC,
> > building up a subnet with NAT and hence running Packet Filter as the
> > machine's firewall.
> >
> >
> > That's the firewall I use under Win7, OpenBSD running in a VM, out of pure
> > interest in running BSD and letting it purify the network access to the
> > desktop (without the need for additional hardware).
> >
> >
> > Works well, love it.
>
> I have done something similar in the past. My personal preference is
> Hyper-V on Windows 10 Pro, which Windows 7 can be upgraded to. I would hope
> Hyper-V has inherited kernel sandboxing/mitigation protections and hardening
> from the Windows kernel/Azure.
>
> I assign the physical NIC to the OpenBSD VM and remove all check boxes
> like IPv4/IPv6 support from that NIC. Then I had a VNAT device for Windows
> to talk to. Glasswire on top gives a window into the "why is it connecting
> there", or obfuscating CDNs' HTTPS certs, without the other free Windows
> firewall cruft.
>
> I assume communications to the Windows box could be made from a foreign
> network via ARP manipulation, but a nice setup nonetheless, if you can be
> bothered with it.
>
>