[buug] Convert Linux Gateway to OpenBSD

f.johan.beisser jan at caustic.org
Thu Oct 24 12:37:38 PDT 2002


On Thu, 24 Oct 2002, Charles Howse wrote:

> Been there, done that.

good.

> I don't pretend to be as knowledgeable as you folks, but maybe I can get
> it done with just a little prodding.

what you're wanting isn't difficult; it's something that a newbie should
be able to do with a little help.

> Have also worn out the book "FreeBSD Unleashed".

haven't heard of it. any good for a newbie?

> > either is supported in OpenBSD.
>
> Dhcp only.

by nature, openbsd treats each interface separately. you only need to
configure the external interface to request DHCP service on bootup.
normally, the behaviour of dhcp is to give you a lease on an IP, and
continually renew that lease. you keep the same address for a while.

> > they have a perl version, which should work in OpenBSD with
>
> I'm pretty confident the beta they sent me will work.

it probably will. i'd tend to use the perl script anyway, since there's a
higher chance of me being able to read and understand what exactly is
going on.

> > it does web serving?
>
> At present, I don't object to building a DMZ and hosting my web site and
> mail server on another machine.

well, it's usually easier to simply host it on an 'external' box from the
firewall/NAT. you can statically map addresses, of course.

> Because I haven't had consistent email service from my ISP since August
> 28th.
> "-ERR Incorrect user name or password"

that's a popmail error code, as far as i can tell. if it were SMTP it
would have a number code.

> My Red Hat box (Curly) has firewalled, nat'd, smtp'd, httpd'd and
> emailed the logs to me for a year with no problems.

leaving logs local, and using syslog to forward them is easier to deal
with.

> Remember, I said I'm running PortSentry, LogSentry, Logwatch, etc.

portsentry is useless. a little worse than useless, actually. what's the
point of having a piece of software detect portscans on a machine that's
doing nat?

all it really does is add to the processing overhead of the kernel.

> Are you saying that OpenBSD can't do the same thing on the same machine
> without coughing?

it can. it's less likely to cough, actually.

> Where can I look at a real good pf.conf file?

dig up a howto off of google. i'd actually suggest reading the IPFilter
howto to get an idea of how the rules are set up. pf has a bit simpler
syntax, and seems to run somewhat faster. the man pages for pf.conf are
fairly decent in documenting basic examples.

my own pf.conf file for my IPv6 gateway has around 137 rules, once loaded.
written, this is only 95 rules.

> Nothing else available.  Remember, this is a home network, built from
> used machines.
> The DMZ setup seems to be where you're headed.  Fine with me.

it's not so much that i'm headed toward a DMZ setup, it's that you're
wanting much more out of the server than its function would normally
have.

> Well, (remember, I'm a BSD newbie), the firewall should have a compiler
> so I can install the latest security patches and recompile from
> source...

yes, and no.

if a firewall is compromised (there are the occasional exploits that can
nail you, after all) the compiler is just another liability. despite
things like systrace and securelevels, once a root-level compromise
happens, the attacker can change the rules anyway.

> Isn't that the way it's supposed to work?  I refer to the
> following page...
> http://www.openbsd.org/stable.html

sure.

but, when you're building a machine intended for one purpose, why make it
a generalist? that breaks Best Practice. if you're forced to make it a
general system, you have it stripped down to bare minimum, then start
including everything you think you may need.

from your emails, you need:

	nat/firewall
	WebServer
	mail

everything else is just icing.

i would suggest starting with a simple idea of what you want, then
building on that framework.

what you seem to want isn't that complex, but unlike many linux distros,
OpenBSD is fairly stripped down by default. this is the real way it can
say "secure by default": it doesn't have many features until you add
them.

minimalism is beautiful, when it comes to security.

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan at caustic.org
	"Champagne for my real friends, real pain for
	  my sham friends." -- Tom Waits
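The setup discussed in this thread (NAT gateway with a DHCP uplink, a DMZ holding the web/mail host, and syslog forwarded to an internal collector rather than mailed out), as an added example pf.conf. It is not from the original post or from any real gateway; interface names, addresses and the collector host are constructed, and it uses current OpenBSD pf syntax (match/nat-to/rdr-to) rather than the 2002-era nat/rdr form. The uplink interface requests DHCP by putting the single line `dhcp` in /etc/hostname.em0, and forwarding is turned on with `net.inet.ip.forwarding=1` in /etc/sysctl.conf.

```pf
# Added example: three-legged gateway (trusted LAN, DMZ, DHCP uplink).
# Interface names and addresses below are assumptions, not the poster's.
ext_if  = "em0"              # uplink; /etc/hostname.em0 contains just "dhcp"
int_if  = "em1"              # trusted LAN
dmz_if  = "em2"              # DMZ holding the web/mail host
int_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
web_srv = "192.168.2.10"     # web + mail host in the DMZ (constructed)
loghost = "192.168.1.5"      # internal syslog collector (constructed)

set skip on lo0
set block-policy drop
set loginterface $ext_if

# normalise packets before any rule sees them
match in all scrub (no-df random-id max-mss 1440)

# NAT: both internal nets leave through the uplink's current address.
# The parentheses make pf re-read the address when the DHCP lease changes,
# so the ruleset need not be reloaded on renewal.
match out on $ext_if inet from { $int_net, $dmz_net } to any nat-to ($ext_if)

# default deny, logged, so every drop is visible on pflog0
block log all

# drop packets that claim a local source on the wrong interface
antispoof quick for { $int_if, $dmz_if }

# uplink: only the published services are reachable, and they are
# redirected into the DMZ host rather than terminated on the firewall
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 25, 80 } rdr-to $web_srv

# the gateway itself may go out; the state this creates also covers the
# dhclient exchange and name lookups
pass out on $ext_if inet

# trusted LAN may reach the world and the DMZ
pass in on $int_if inet from $int_net to any

# DMZ may reach the world but not the trusted LAN, with one exception:
# the DMZ host may ship its logs to the internal syslog collector
pass in on $dmz_if inet from $dmz_net to ! $int_net
pass in on $dmz_if inet proto udp from $web_srv to $loghost port 514
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. `pfctl -sr` prints the ruleset as pf actually holds it; the lists in braces are expanded into one rule each, which is why a file of 95 written rules can show up as 137 once loaded, as described above.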
