[buug] Convert Linux Gateway to OpenBSD

f.johan.beisser jan at caustic.org
Thu Oct 24 14:50:55 PDT 2002


On Thu, 24 Oct 2002, Charles Howse wrote:

> Well, because my web server and mail server live at that address.
> Remember, the routable address is the address of the external interface
> on the Linux machine.
> If they hack that address, they can root the box.
> Am I missing your point?

yes.

portsentry, at least on BSDs, simply listens on ports for scans. since
scans are some of the most common traffic you'll encounter, it's simply
wasted overhead. if you default to denying all traffic, the portsentry
program sits there, doing nothing. it's not particularly intelligent about
how it blocks things either. if it detects a scan - sometimes little more
than a connection to a port that's not open - it flips out.

portsentry simply provides too many false positives, making it more
useless than simply blocking the ports and logging each connection in the
first place.

> I thought man pf.conf had a good example.  I may try that.

the basic rules are easy, doing more complex things makes things more
interesting.

> Could you please confirm that in the nat rules AND in the pf rules, I
> can refer to the interface (ep1) rather than the actual dynamic IP
> address of the external interface?  It will ruin everything if I have to
> refer to an IP address that is going to change every 4 hours or so.  ;-)

normally, you can handle traffic based on interfaces being passed through.
until you handle virtual hosts on the same machine (very unlikely) you
don't have to worry too much about static addressing.

http://www.openbsd.org/faq/faq6.html#NAT

an example:
	nat on fxp0 from 192.168.1.0/24 to any -> fxp0

> > everything else is just icing.
>
> Well, I would agree...so...I should upgrade to stable, apply the
> patches, then remove the compiler, then put it on the network?

install the snapshots. upgrade when 3.2 (-stable) is released.

> How do I apply future patches?  (I admit I haven't done my homework
> here.)

if the machine works, why fix it? the occasional upgrade isn't a bad idea,
doing one that's not necessary to a production machine (and that is what
this is) is foolish.

[root at brimstone log] {23}$ uname -ap
OpenBSD brimstone 3.1 GENERIC#5 sparc SUNW,Sun 4/50, W8601/8701 or MB86903
@ 40 MHz, on-chip FPU
[root at brimstone log] {24}$ uptime
 2:47PM  up 39 days, 2 hrs, 1 user, load averages: 0.32, 0.25, 0.18

i had a bit of downtime due to moving the hardware around. after the ssh
vulnerability came out, i upgraded to a snapshot release, and once again
ignored this machine.

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan at caustic.org
	"Champagne for my real friends, real pain for
	  my sham friends." -- Tom Waits
