Re: Advanced Firewall Techniques

From: Omas Jakobsson (omas.jakobsson@corren.se)
Date: 07/25/02


Date: Thu, 25 Jul 2002 09:01:03 +0200
From: Omas Jakobsson <omas.jakobsson@corren.se>
To: Eric Friedrich <limited@nycap.rr.com>, SECURITY-BASICS@securityfocus.com


Hi!

No, I have not heard about any script that does that for you on OpenBSD.
Your only option, as I see it, is to unpack src.tar.gz and
src.tar.gz to /usr/src and download the patches that
http://www.openbsd.org provides you with. Apply the patches to the
source tree and follow the instructions for each one of them on how to
compile and install them from the source tree.

TIP! Each patch is a text file; read the first line of them for
instructions on how to apply them.

Regarding other protection, there is not very much you can do (at least
with the default install) except building a good ruleset with PF, to
keep out any unwanted traffic.

If you also feel up to it, you can "clean" incoming IP packets by
passing "scrub" options to PF, in order to protect weak services you
might have running on your machine.

If you bought an official OpenBSD disc set, then the source code I
mentioned should be located on CD 3 (if I remember correctly). If not, you
can download it from OpenBSD's FTP, or a mirror.

Patches for OpenBSD
http://www.openbsd.org/errata.html

OpenBSD FAQ (read it!)
http://www.openbsd.org/faq/index.html

pf.conf MAN-page
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

Regards.

/Omas Jakobsson

Eric Friedrich wrote:
>
> I've successfully set up a home LAN with NAT, OpenBSD firewall, and all
> the goodies. However, I'm wondering what the next step is. As far as
> system maintenance, I know that all OS's require constant patches, but I
> have no idea what that involves as far as OpenBSD goes, is there a
> program out there which will update the system for me?
> Also, I've heard of attacks using other protocols, and such, what
> other security measures can I implement aside from only opening the
> necessary ports with PF? Is there anything to protect against non tcp
> attacks, DOS attacks and other ones I'm not mentioning? Thanks,
>
> limited
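
A sketch of the kind of PF ruleset with "scrub" options discussed in the message above, as an added example that is not part of the original post. The interface names are assumptions, and it uses the current pf.conf syntax where scrub is an option on a match rule; OpenBSD releases from 2002 wrote this as a standalone `scrub in all` line instead.

```conf
# Added example (not from the original message). Interface names are assumed.
ext_if = "em0"            # assumed Internet-facing interface
int_if = "em1"            # assumed LAN interface

set block-policy drop     # drop silently rather than answer with RST/ICMP
set skip on lo            # leave loopback traffic unfiltered

# Packet normalisation ("scrub"): fragments are reassembled before filtering,
# the DF bit is cleared and IP IDs are randomised, so malformed or
# overlapping fragments never reach services behind the firewall.
set reassemble yes
match in all scrub (no-df random-id)

# NAT for the LAN behind the firewall.
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# Reject packets that claim a LAN source address but arrive elsewhere.
antispoof quick for $int_if

# Default deny. This covers every protocol (TCP, UDP, ICMP and others),
# not only the TCP ports that were never opened.
block log all

# Outbound traffic creates state; only replies matching that state
# are let back in, so no inbound pass rule is needed on $ext_if.
pass out on $ext_if inet
pass in on $int_if inet from $int_if:network
```

The file can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`.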


