
 
From: nakazintuyosinakajin.dyndns.org
Date: Mon Jul 01 2002 - 17:24:22 CDT


    Hi, I am Japanese and my name is Tuyosi.
    Sorry for my poor English .

    Making dynamic DNS work with pf:
     -----------
    example
    block out log quick on $ext_if from ! qqq to any
    ------------
    qqq must be substituted with the IP address using "sed".

    FLET'S ISDN
    |
    (Terminal Adapter: mn128-miniS)
    |
    OpenBSD3.1
    |
    HUB
    |
    PC

    open# cat /etc/ppp/ppp.conf
    ---------------------------
    # /etc/ppp/ppp.conf as quoted in the mail; the "sss" profile is the one
    # that "ppp -auto sss" dials.
    default:
    set device /dev/cua00
    set log Phase Chat LCP IPCP CCP tun command
    set speed 115200
    # NOTE(review): this dial string was almost certainly wrapped by the mail
    # client -- the trailing "\\" and the "dATDT\\T" on the next line belong
    # together on one line in the real file.
    set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\
    dATDT\\T TIMEOUT 40 CONNECT"

    sss:
    set phone 1492
    set login
    set timeout 600
    disable pred1
    deny pred1
    # The /0 masks presumably let the peer assign both ends of the link, which
    # is why the tun0 address changes per call and has to be re-read by
    # /root/if.bat -- confirm against ppp(8).
    set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
    add default HISADDR
    enable dns
    # Dial-up credentials in clear text (placeholders "aaa"/"bbb" as quoted):
    # keep this file readable by root only.
    set authname aaa
    set authkey bbb
    dial
    ------------------

    To connect
    -------------
    ppp -auto sss

    ===============
    # cat now.bat
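    #!/bin/sh
    # Generate /etc/pf.conf and /etc/nat.conf from their templates by replacing
    # the placeholder "qqq" with the current tun0 address that /root/address.bat
    # saved in /root/address.txt.
    addr=$(cat /root/address.txt) || exit 1
    # Only a plain dotted-quad may be spliced into the sed replacement. An
    # empty capture (link down), a second line, or any other character would
    # otherwise produce a ruleset that pfctl rejects -- after new_rule.bat has
    # already flushed the live rules.
    case "$addr" in
      ''|*[!0-9.]*)
        echo "now.bat: unusable address in /root/address.txt: '$addr'" >&2
        exit 1 ;;
    esac
    sed "s/qqq/$addr/g" /etc/pf.pre > /etc/pf.conf || exit 1
    sed "s/qqq/$addr/g" /etc/nat.pre > /etc/nat.conf || exit 1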
    ===============

    /etc/rc.conf
    ------------
    # Boot-time rule files for /etc/rc; these are the same files /root/now.bat
    # regenerates from /etc/pf.pre and /etc/nat.pre.
    pf_rules=/etc/pf.conf # Packet filter rules file
    nat_rules=/etc/nat.conf # NAT rules file

    # cat /etc/ppp/new_rule.bat
    -------------
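    #!/bin/sh
    # Reload the pf filter and NAT rulesets generated by /root/now.bat.
    # Parse both files before touching the live rules: the flushes below leave
    # pf with no rules until the loads succeed, so a file that does not parse
    # (e.g. a bad "qqq" substitution) must stop the script here.
    pfctl -n -R /etc/pf.conf || exit 1
    pfctl -n -N /etc/nat.conf || exit 1
    # NOTE(review): pfctl -R/-N load a complete replacement ruleset; if that
    # holds for this pf version the two flushes are redundant and only open a
    # short window on every run in which nothing is filtered -- consider
    # dropping them.
    pfctl -F rules
    pfctl -F nat
    pfctl -R /etc/pf.conf
    pfctl -N /etc/nat.conf
    pfctl -e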

    # cat /root/address.bat
    ----------
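    #!/bin/sh
    # Snapshot the current tun0 address for /root/now.bat. Capture into a temp
    # file first so that a failed or empty run (link down) leaves the previous
    # /root/address.txt in place instead of truncating it.
    tmp=$(mktemp /root/address.XXXXXXXX) || exit 1
    if /root/if.bat > "$tmp" && [ -s "$tmp" ]; then
      mv -f "$tmp" /root/address.txt
    else
      rm -f "$tmp"
      echo "address.bat: could not read the tun0 address" >&2
      exit 1
    fi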

    # cat /root/if.bat
    -----------
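    #!/bin/sh
    # Print the IPv4 address of tun0 (the PPP link) and nothing else; the
    # output becomes /root/address.txt and is spliced into the pf/nat rules.
    # Match only the "inet" line: a bare "grep inet" can also match an inet6
    # line when one is configured, which would leave two lines in
    # address.txt and corrupt the substitution. Stop after the first match.
    ifconfig tun0 | awk '$1 == "inet" { print $2; exit }'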

    # cat /etc/nat.pre
    -------------
    # "qqq" is replaced with the current tun0 address by /root/now.bat and the
    # result (/etc/nat.conf) is loaded with pfctl -N.
    nat on tun0 from 192.168.1.0/24 to any -> qqq

    # cat /etc/pf.pre
    ---------------------
    # /etc/pf.pre: template for /etc/pf.conf. /root/now.bat replaces every
    # "qqq" with the current tun0 address before the rules are loaded.
    ext_if = "tun0"
    # normalize all incoming traffic
    scrub in on $ext_if all
    # block and log everything by default
    block out log on $ext_if all
    block in log on $ext_if all
    block return-rst out log on $ext_if proto tcp all
    block return-rst in log on $ext_if proto tcp all
    block return-icmp out log on $ext_if proto udp all
    block return-icmp in log on $ext_if proto udp all
    # block and log outgoing packets that don't have our address as source,
    # they are either spoofed or something is misconfigured (NAT disabled,
    # for instance), we want to be nice and don't send out garbage.
    # "qqq" is filled in by /root/now.bat; if the substitution yields an empty
    # or malformed value this rule does not parse and pfctl rejects the file.
    block out log quick on $ext_if from ! qqq to any
    # silently drop broadcasts (cable modem noise)
    block in quick on $ext_if from any to 255.255.255.255
    # block and log incoming packets from reserved address space and invalid
    # addresses, they are either spoofed or misconfigured, we can't reply to
    # them anyway (hence, no return-rst).
    block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \
    192.168.1.0/24, 255.255.255.255/32 } to any
    #----originally----> 192.168.0.0/16, 255.255.255.255/32 } to any
    # NOTE(review): the template blocked all of 192.168.0.0/16 here; it was
    # narrowed to 192.168.1.0/24, presumably the LAN behind ne1 (see the NAT
    # rule and the ftp rule below).
    # ICMP
    # pass out/in certain ICMP queries and keep state (ping)
    # state matching is done on host addresses and ICMP id (not type/code),
    # so replies (like 0/0 for 8/0) will match queries
    # ICMP error messages (which always refer to a TCP/UDP packet) are
    # handled by the TCP/UDP states
    pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
    pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
    # UDP
    # pass out all UDP connections and keep state
    pass out on $ext_if proto udp all keep state
    # pass in certain UDP connections and keep state (DNS)
    # NOTE(review): this admits DNS queries from anywhere; the mail only
    # mentions www and mail services, so confirm a resolver is meant to be
    # reachable on the external interface (same for "domain" in the TCP list).
    pass in on $ext_if proto udp from any to any port = domain keep state
    # TCP
    # pass out all TCP connections and modulate state
    pass out on $ext_if proto tcp all modulate state
    # pass in certain TCP connections and keep state (SSH, SMTP, DNS, IDENT)
    # NOTE(review): as quoted, "keep state" sits on its own line without a
    # trailing backslash -- most likely mail wrapping; in the real file it must
    # be on the rule line or joined with "\". Also, no block rule in this file
    # applies to ne1, so this pass rule only matters if one exists elsewhere.
    pass in on ne1 proto tcp from 192.168.1.0/24 to any port { ftp, ftp-data }
    keep state
    # NOTE(review): pop3 and auth (ident) are open to the whole Internet here;
    # pop3 carries credentials in clear text, so confirm each listed service is
    # actually meant to be reachable from outside.
    pass in on $ext_if proto tcp from any to any port { ssh, smtp, domain, \
    pop3, www, auth } keep state

    # cat /var/cron/tabs/root
    -------------------------
    # Every 10 minutes, whether or not the tun0 address has changed; each run
    # flushes and reloads pf via /root/all.bat -> /etc/ppp/new_rule.bat.
    */10 * * * * /root/all.bat

    # cat /root/all.bat
    #-----------------------------------
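    #!/bin/sh
    # Cron entry point (/var/cron/tabs/root runs it every 10 minutes): refresh
    # the tun0 address, regenerate the pf/nat rulesets, reload them, then run
    # /usr/local/sbin/do_ipcheck.bat (not shown; presumably the dynamic-DNS
    # update). Stop at the first failure so that a missing or malformed
    # address is never turned into a ruleset and loaded.
    set -e
    /root/address.bat
    /root/now.bat
    /etc/ppp/new_rule.bat
    /usr/local/sbin/do_ipcheck.bat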

    _/_/_/ Using Yahoo's Broad Band, _/_/_/
    I build a www & mail server
        on this "Firewall + NAT" machine.
    The OS is "OpenBSD3.0 with ipf".
    Home Page: http://nakajin.dyndns.org/
    Mail Address : nakazintuyosinakajin.dyndns.org
    every home has a firewall: "Mom, I'm ashamed of being naked"