Upgrading to 4.1 I had to change the pass rules, for "keep state" and "flags S/SA" work differently now. So I ended up making other changes that I think rendered it more readable. Also, since that bug in IPv6 networking, I block any IPv6 stuff. It's usually not very wise to share this kind of stuff, I think. But I don't see any problems; after all, this is just my home firewall. So, this is my current pf.conf:
#
# Macros
#
ext_if="vr0"
int_if="mtd0"
laptop="192.168.0.5"
desktop="192.168.0.2"
alexandre="192.168.0.3"
# 6111:6119 - starcraft
# 6881:6999 - bittorrent
# 4662 - emule
# 4665 - emule
# 2222 - ssh on this computer (my ISP won't let me use 22)
# 8080 - httpd on this computer (my ISP won't let me use 80)
# 8081 - httpd on my desktop
# 9418 - git
# 3690 - svn
allowed_tcp="{ 6111:6119, 6881:6999, 4662, 2222, 8080, 8081, 9418, ident,\
3690 }"
allowed_udp="{ 6111:6119, 4665, 4672, 3690 }"
#
# Tables
#
#
# Options
#
set loginterface $ext_if
set block-policy return
set skip on lo0
#
# Scrub
#
scrub in all max-mss 1440
#
# Queueing
#
#
# Translation
#
nat on egress from !(egress) -> (egress:0) static-port
#bittorrent
rdr on egress proto tcp to port 6881:6999 -> $laptop
#emule ports
rdr on egress proto tcp to port 4662 -> $desktop
rdr on egress proto udp to port { 4665, 4672 } -> $desktop
#git
rdr on egress proto tcp to port 9418 -> $laptop
#http
rdr on egress proto tcp to port 8081 -> $desktop
#starcraft ports
rdr on egress proto { tcp, udp } to port 6111:6119 -> $alexandre
#
# Filter rules
#
# I don't use IPv6
block in quick inet6
#allow everything from the internal network
pass in quick on $int_if all modulate state
#allow any packet to get out (this includes redirected stuff)
pass out quick all modulate state
#block everything by default
block in on egress all
#don't block this egressing traffic
pass in on egress proto tcp from any to any port $allowed_tcp modulate state
pass in on egress proto udp from any to any port $allowed_udp
pass in inet proto icmp all icmp-type echoreq
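A consistency check for the ruleset above, added here as an example (it is not from the blog): it expands the macros and port lists the way pfctl would and reports, per protocol, which redirected ports are never passed in on egress (a dead rdr that can never be reached) and which passed ports have no rdr, so they must be services on the firewall itself (here 2222, 8080, 3690 and ident). The service-name table is an assumption standing in for the /etc/services lookup pf performs.

```python
import re
# Constructed sample: the macros, rdr and pass-in rules of the 4.1 pf.conf above.
PF_CONF = """\
laptop="192.168.0.5"
desktop="192.168.0.2"
alexandre="192.168.0.3"
allowed_tcp="{ 6111:6119, 6881:6999, 4662, 2222, 8080, 8081, 9418, ident,\\
3690 }"
allowed_udp="{ 6111:6119, 4665, 4672, 3690 }"
rdr on egress proto tcp to port 6881:6999 -> $laptop
rdr on egress proto tcp to port 4662 -> $desktop
rdr on egress proto udp to port { 4665, 4672 } -> $desktop
rdr on egress proto tcp to port 9418 -> $laptop
rdr on egress proto tcp to port 8081 -> $desktop
rdr on egress proto { tcp, udp } to port 6111:6119 -> $alexandre
pass in on egress proto tcp from any to any port $allowed_tcp modulate state
pass in on egress proto udp from any to any port $allowed_udp
"""
SERVICES = {"ident": 113}  # assumed stand-in for the /etc/services lookup pf does
def expand_ports(spec):
    """'{ 6111:6119, 4662, ident }' or '4662' -> set of port numbers."""
    ports = set()
    for tok in re.findall(r"[\w:]+", spec):
        lo, _, hi = tok.partition(":")
        lo = int(lo) if lo.isdigit() else SERVICES[lo]
        ports.update(range(lo, (int(hi) if hi else lo) + 1))
    return ports

def parse_rules(conf):
    macros, rdr, passed = {}, {"tcp": set(), "udp": set()}, {"tcp": set(), "udp": set()}
    for line in re.sub(r"\\\n\s*", " ", conf).splitlines():  # join '\' continuations
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)="(.*)"$', line)  # macro definition
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mac: macros[mac.group(1)], line)  # expand $macros
        r = re.match(r"^rdr\b.*\bproto\s+(\{[^}]*\}|\w+)\s+to\s+port\s+(\{[^}]*\}|\S+)\s+->", line)
        if r:
            for proto in re.findall(r"\w+", r.group(1)):
                rdr[proto] |= expand_ports(r.group(2))
        p = re.match(r"^pass\s+in\b.*\bproto\s+(tcp|udp)\b.*\bport\s+(\{[^}]*\}|\S+)", line)
        if p:
            passed[p.group(1)] |= expand_ports(p.group(2))
    return rdr, passed

def audit(conf):
    """Per proto: (ports redirected but never passed in, ports passed in but not redirected)."""
    rdr, passed = parse_rules(conf)
    return {p: (sorted(rdr[p] - passed[p]), sorted(passed[p] - rdr[p])) for p in rdr}
```

Running `audit(PF_CONF)` on the sample reports no dead redirects; the TCP ports left over (113, 2222, 3690, 8080) and UDP 3690 are exactly the ones the comments describe as served by the firewall box itself.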
Saturday, November 17, 2007
Thursday, November 15, 2007
Upgrading from 4.0 to 4.1 (mergemaster)
Yeah, yeah, I never post on this thing. But that's because I rarely have any issues with OpenBSD. I decided to upgrade from 4.0 to 4.1 (yep, I'm still running behind the latest version). I didn't use my etc-update script at all this time; instead I used mergemaster. It's a very good program, but you have to know what parameters to call it with. I didn't at first, and I think I might have done some minor damage to my system. Oh well, it won't happen again.
What I did was just call mergemaster without any parameters or anything. It seems that it generates the stock options and lets you choose what to upgrade. That's rather nice behaviour, but it wasn't clear to me at first. So I ended up using the /dev/MAKEDEV it generated. I realised that and copied the MAKEDEV from base41.tgz to /dev; I think I fixed it fine. Well, the system is working, so I guess I didn't do TERRIBLY badly.
Now, for doing it right. All you need is to unpack the etc41.tgz to /tmp and then use mergemaster like this:
# mergemaster -rt /tmp
It worked smoothly and now I have an upgraded system :).
Later on I found out that if I had just replaced /usr/src with the OpenBSD 4.1 src it would have worked by simply typing "mergemaster". I guess we only learn by trying, and you guys may learn from my mistakes.
See you in a few months (or years, or decades)
Monday, March 12, 2007
Setting up pf
I have a local NAT here at home, so I needed to configure pf right away after installing OpenBSD. I actually did that when I installed it a week ago or so. But only today did I study the pf user's guide (I didn't read it all; some topics such as queueing and load balancing, and everything after that, I didn't get to read). You can read it at: http://www.openbsd.org/faq/pf/index.html
I think now I'm more comfortable with the pf tool and I know a little more about what it's capable of doing. I liked it; I thought it was far better to use than iptables (although I don't have much experience with iptables). I configured it this way:
# Macros
ext_if="vr0"
int_if="mtd0"
allowed_tcp="{ 6112:6119, 4662, 2222, ident }"
allowed_udp="{ 6112:6119, 4665, 4672 }"
# Tables
# Options
set loginterface $ext_if
set block-policy return
set skip on lo0
# Scrub
scrub in all max-mss 1440
# Queueing
# Translation
nat on egress from !(egress) -> (egress:0) static-port
#ftp workaround
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
#starcraft ports
rdr on egress proto { tcp, udp } to port 6112:6119 -> \
192.168.0.3
#emule ports
rdr on egress proto tcp to port 4662 -> 192.168.0.2
rdr on egress proto udp to port { 4665, 4672 } -> 192.168.0.2
# Filter rules
#allow everything from the internal network
pass in quick on $int_if all modulate state flags S/SA
#allow any packet to get out (this includes redirected stuff)
pass out quick all modulate state flags S/SA
block in on egress all
#ftp workaround
anchor "ftp-proxy/*"
pass in on egress proto tcp from any to any port $allowed_tcp \
modulate state flags S/SA
pass in on egress proto udp from any to any port \
$allowed_udp keep state
pass in inet proto icmp all icmp-type echoreq keep state
Sunday, March 11, 2007
Updating the etc.tgz set
After installing OpenBSD I noticed that there were a few corrected bugs for my release (4.0) at www.openbsd.org/errata40.html. So, I figured it was time to upgrade. Everything went very smoothly; reading the release(8) manpage was enough to teach myself how to create a release with the patches. I'm currently following the -stable branch (patch branch), by the way.
After creating my release and installing it I found out that I was to merge the differences in the configuration files by myself. Doing so by hand is very tedious, so I wrote my own script to help me out. It will be helpful when I'm to upgrade to OpenBSD 4.1 also.
The usage of the script is very simple. Just decompress the etc.tgz set in some directory (in my case it was /tmp/config) and execute the program like this:
sh update-etc /tmp/config
I've done a little testing, but not too much, so it may still have some bugs, especially because I'm not really used to shell programming (I could have written it in Python, the scripting language I'm most comfortable with, but I wanted it to be compatible with OpenBSD out of the box). It has been working fine so far; if I find any bugs I'll make a new post telling everyone (I'll update this post also). If you find some bug, tell me and I'll fix it.
Without any further ado, this is the script:
http://www.dcc.ufmg.br/~rafaelc/update-etc
Download it, and have fun!