pf

pf

Incomex
I've looked at man pf, and it's way too confusing; I'm using smoothwall as a
standalone firewall, and it pretty much works the way I want it to; however,
I've found a reason to block an IP range, particularly 216.87.0.0/17;
is there an equivalent to an iptables command I can use to simply
drop all traffic coming from that range?

like go into a file, and have a command in the form of: 'drop all from
216.87.0.0/17'?

oh, and does anyone have any comments on Labrea? as a honeypot?  it looks
pretty good, and it comes for openbsd, or is openbsd simply best left alone?

thanks


Re: pf

Marc Balmer-2
* David B. wrote:
> I've looked at man pf, and it's way too confusing; I'm using smoothwall as a
> standalone firewall, and it pretty much works the way I want it to; however,
> I've found a reason to block an IP range, particularly 216.87.0.0/17;
> is there an equivalent to an iptables command I can use to simply
> drop all traffic coming from that range?

so you think you will get help here after admitting to be too lazy to
read the man page... ;)

do read it, understand it, and apply the wisdom it contains.

>
> like go into a file, and have a command in the form of: 'drop all from
> 216.87.0.0/17'?
>
> oh, and does anyone have any comments on Labrea? as a honeypot?  it looks
> pretty good, and it comes for openbsd, or is openbsd simply best left alone?
>
> thanks

Re: pf

Darrin Chandler
In reply to this post by Incomex
On Sat, Dec 09, 2006 at 02:43:38AM -0700, David B. wrote:
> I've looked at man pf, and it's way too confusing; I'm using smoothwall as a
> standalone firewall, and it pretty much works the way I want it to; however,
> I've found a reason to block an IP range, particularly 216.87.0.0/17;
> is there an equivalent to an iptables command I can use to simply
> drop all traffic coming from that range?
>
> like go into a file, and have a command in the form of: 'drop all from
> 216.87.0.0/17'?

The man pages you *probably* want are pf.conf(5) and pfctl(8). Also see
http://www.openbsd.org/faq/pf/

The answer is yes, you can do that. Quick answer:

echo 'block drop in from 216.87.0.0/17' | pfctl -mf - -n

The above won't work until you read the man page for pfctl and remove
one of the options. ;)

There are better ways in the long run. Read about tables.

--
Darrin Chandler            |  Phoenix BSD Users Group
[hidden email]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |

Re: pf

steve (Bugzilla)-9
In reply to this post by Incomex
On Saturday 09 December 2006 04:43, David B. wrote:

> I've looked at man pf, and it's way too confusing; I'm using smoothwall as
> a standalone firewall, and it pretty much works the way I want it to;
> however, I've found a reason to block an IP range, particularly
> 216.87.0.0/17; is there an equivalent to an iptables command I can use to
> simply
> drop all traffic coming from that range?
>
> like go into a file, and have a command in the form of: 'drop all from
> 216.87.0.0/17'?
>
> oh, and does anyone have any comments on Labrea? as a honeypot?  it looks
> pretty good, and it comes for openbsd, or is openbsd simply best left
> alone?

OBSD is for anyone who wants to use it. However, making changes to a computer
which is connected directly to the Internet can be a liability as you may
open yourself up to being hacked.

Having enough experience to at least be able to follow the instructions on how
to set up a firewall is so basic that without it you are "a sitting duck".

This is of course applicable to any O/S.

A good OBSD book to read is Absolute Openbsd by Lucas, No Starch Press.

BSD begs to be worked on and used. Getting an understanding of pf is really
not that hard as things go. Following the steps in:
        http://openbsd.org/faq/faq6.html
are really very simple.

OBSD is different than Linux. It's similar but different. All unix based O/S
have a certain number of things in common. But each has its own direction
and specific ways. Reading a book like the above is a good start for those
new to it and will get you the conceptual understanding needed.

A line in pf.conf along this line may stop traffic from an IP. I say may
because again not knowing what you are doing you can undo it elsewhere.

        block in quick on $ext_if from 216.87.0.0/17 to any

Pf.conf is really very very flexible and able to handle any situation. But
again, you must have a clue of what you are doing. The best rule is probably
to know that when looking at a firewall, realize it does not know which side
is on the inside or outside. It simply looks at packets either coming into or
exiting.

You normally only filter on one interface, the external one.

Best practice is usually to start by blocking everything, and then opening
ports/addresses as needed. On that interface you can not only block all
inbound, but also all outbound. This will give you control on what your
computer and or network can do.

The above FAQ example uses a block all inbound and allow all outbound policy,
if I recall correctly. This is a good start. But sometimes it might be needed
to also control which external services can be accessed, at least by port.
(Since there are many workarounds by using commonly used ports like www, port
80.)

One of the really nice things about pf is that you can use variables. So you
can say friends="{ ip ip ip ip ip }" and then later say:

        pass in on $ext_if from $friends to any

Or, if you have a LAN and want to let friends reach a computer (192.168.0.10
on a specific number of ports like 2000,2002,2012):
       
        my_comp="192.168.0.10"
        my_ports="{ 2000 2002 2012 }"
        pass in on $ext_if from $friends to $my_comp port $my_ports

The variable names are of course whatever you choose them to be. Descriptive
names are usually best.

OpenBSD has pretty decent documentation. Just remember not to go past words
or definitions you don't understand. When an unknown term is used chase it
down on google, for example, before going on. Make sure it makes sense before
going on. This is key in learning anything. Otherwise you'll get stuck.

I had a friend that used to program in assembler (machine code) and just enter
the hex values into the computer. He could never really debug what he wrote,
but he could write a new program just like that. He said the key was that he
had complete understanding of all the commands and the environment. There
was nothing misunderstood.
--

Steve Szmidt

"To enjoy the right of political self-government, men must be
capable of personal self-government - the virtue of self-control.
A people without decency cannot be secure in its liberty."
                        From the Declaration Principles
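Putting Darrin's hint about tables and Steve's macro and default-deny advice together, here is a complete /etc/pf.conf that blocks the range the original poster asked about. This is an added example, not a ruleset from anyone in the thread. Interface names (em0, em1), the LAN 192.168.0.0/24, the TEST-NET-3 addresses used for $friends, and the table name <blocked> are all assumed for illustration; only 216.87.0.0/17, my_comp, my_ports and the variable style come from the thread.

```pf
# /etc/pf.conf -- added example, not from the thread.
# Assumptions: em0 faces the Internet, em1 faces the LAN 192.168.0.0/24.
ext_if="em0"
int_if="em1"
my_comp="192.168.0.10"
my_ports="{ 2000 2002 2012 }"
friends="{ 203.0.113.5 203.0.113.6 }"   # placeholder addresses (TEST-NET-3)

# A table instead of a literal in the rule: "persist" keeps it even when no
# rule references it, and entries can be changed at runtime with pfctl -t
# without reloading the whole ruleset.
table <blocked> persist { 216.87.0.0/17 }

set skip on lo

# Drop the blocked range first. "quick" ends evaluation on match, so no
# later pass rule can undo it (Steve's "you can undo it elsewhere" caveat).
# "log" sends matches to pflog0 so the block is visible, not silent.
block drop in log quick on $ext_if from <blocked> to any

# Default deny inbound on the external interface, allow outbound.
block in on $ext_if
pass out on $ext_if keep state

# Friends may reach my_comp on the listed TCP ports. Assumes $my_comp is
# reachable from outside (or that NAT/redirection is handled elsewhere).
pass in on $ext_if proto tcp from $friends to $my_comp port $my_ports

# Trust the LAN side.
pass on $int_if

# Operating it (commands typed at a shell, not part of pf.conf):
#   pfctl -nf /etc/pf.conf            parse only, load nothing (the -n Darrin hinted at)
#   pfctl -f /etc/pf.conf             load the ruleset
#   pfctl -sr                         show the loaded rules
#   pfctl -t blocked -T show          list table contents
#   pfctl -t blocked -T add 198.51.100.0/24   add another range at runtime
#   tcpdump -n -e -ttt -i pflog0      watch what the "log" keyword records
```

The ordering matters: pf evaluates rules top to bottom and the last match wins unless a rule says quick, which is why the block for <blocked> carries quick and sits above every pass rule. Always run the -n parse check before loading a ruleset on a machine you administer remotely.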

Re: pf

jared r r spiegel
In reply to this post by Incomex
On Sat, Dec 09, 2006 at 02:43:38AM -0700, David B. wrote:
> I've looked an man pf, and it's way too confusing;

  read pf.conf(5) instead.

  pf(4) isn't going to be very useful to you if you're
  not writing code that wants to interact with pf.

> like go into a file, and have a command in the form of: 'drop all from
> 216.87.0.0/17'?

  that file is usually /etc/pf.conf

--

  jared

Re: pf

L. V. Lammert
In reply to this post by Incomex
On Sat, 9 Dec 2006, David B. wrote:

> oh, and does anyone have any comments on Labrea? as a honeypot?  it looks
> pretty good, and it comes for openbsd, or is openbsd simply best left alone?
>
In use here for MANY years! Don't need an OBSD flavor.

        Lee