
Search results for Firewalling with OpenBSD's PF packet filter

BSD Firewalling with OpenBSD's PF packet filter
Post date: April 18, 2005, 22:04 Category: Network Views: 101
Tutorial quote: PF operates in a world which consists of packets, protocols, connections and ports.

Based on where a packet is coming from or where it's going, which protocol, connection or port it is designated for, PF is able to determine where to lead the packet, or decide if it is to be let through at all.

It's equally possible to direct network traffic based on packet contents, usually referred to as application level filtering, but this is not the kind of thing PF does. We will come back later to some cases where PF will hand off these kinds of tasks to other software, but first let us deal with some basics.

We've already mentioned the firewall concept. One important feature of PF and similar software, perhaps the most important feature, is that it is able to identify and block traffic which you do not want to let into your local network or let out to the world outside. At some point the term 'firewall' was coined.
OpenBSD Transparent proxying with squid and pf
Post date: May 17, 2005, 04:05 Category: Network Views: 220
Tutorial quote: squid is a caching web proxy, it's set up between web browsers and servers, fetching documents from servers on behalf of browsers. It can accelerate web access by caching frequently requested pages and serving them from its cache. It can also be used to filter pop-up ads and malware or to enforce access control (which clients may request what pages based on different authentication methods).

Traditionally, the proxy is an optional component, and browsers are configured to actively use the proxy. Transparent proxying means forcing all web traffic through the proxy without the cooperation (or knowledge) of the clients. Once all browser connections pass through the proxy, outgoing connections to external hosts can be restricted to the proxy, and direct connections from local clients can be blocked.

The OpenBSD packet filter (pf) can be used to redirect connections based on various criteria, including source and destination addresses and ports. For instance, one can redirect all TCP connections with destination port 80 (HTTP) that arrive through an interface connected to local workstations to a squid proxy running on a different address and port.
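The two OpenBSD entries above describe the same mechanism from two sides: PF deciding per packet on source, destination, protocol and port, and PF rewriting the destination of LAN HTTP so it lands on a local squid. The script below is an added example written for this listing, not code from either tutorial. It writes a complete pf.conf for a two-interface gateway (default deny, NAT, transparent redirect of port 80 to squid, ssh to the gateway from the LAN only), syntax-checks it with `pfctl -n` and loads it. The interface names em0/em1, the LAN prefix 192.168.1.0/24 and the squid port 3128 are assumptions; squid itself must be configured to accept intercepted connections on that port (the directive depends on the squid version and is not shown). The rule syntax is the `rdr-to` form of OpenBSD 4.7 and later; the older `rdr` form the 2005 tutorial used is noted in a comment.

```shell
#!/bin/sh
# Added example: generate, check and load a pf.conf that forces LAN web
# traffic through a local squid.  Interface names, the LAN prefix and the
# squid port are assumptions; adjust them before running with "install".

PF_CONF="${PF_CONF:-/etc/pf.conf}"

write_pf_conf() {
    cat > "$1" <<'EOF'
ext_if     = "em0"              # assumed: upstream interface
int_if     = "em1"              # assumed: LAN interface
int_net    = "192.168.1.0/24"   # assumed: LAN prefix
proxy      = "127.0.0.1"        # squid runs on the gateway ...
proxy_port = "3128"             # ... listening here in interception mode (assumed)

set skip on lo

# Default deny: every rule below is an explicit exception, and blocked
# packets are logged so you can see what the policy is dropping.
block return log all

# Hide the LAN behind the gateway's external address.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Transparent proxy.  LAN HTTP that is not addressed to the gateway itself is
# rewritten to the local squid before it is routed.  Because the destination
# is rewritten here, a client cannot open port 80 on the Internet directly.
# (OpenBSD 4.6 and earlier spell this as a translation-section rule,
#  "rdr on $int_if inet proto tcp from $int_net to any port www -> 127.0.0.1 port 3128",
#  followed by a pass rule for the redirected connection.)
pass in quick on $int_if inet proto tcp from $int_net to !($int_if) port www rdr-to $proxy port $proxy_port

# Everything else from the LAN may go out, but the gateway itself only
# accepts ssh from the LAN.
pass in on $int_if inet from $int_net to !($int_if)
pass in on $int_if inet proto tcp from $int_net to ($int_if) port ssh

# Forwarded LAN traffic (after NAT) and squid's own fetches leave here;
# replies come back through the state entries the pass rules created.
pass out all
EOF
}

# -n parses without loading, so a typo never replaces the running ruleset.
load_pf_conf() {
    pfctl -nf "$1" && pfctl -f "$1"
}

if [ "${1:-}" = "install" ]; then
    write_pf_conf "$PF_CONF"
    load_pf_conf "$PF_CONF"
    sysctl net.inet.ip.forwarding=1   # persist this in /etc/sysctl.conf
fi
```

Run it as `sh pf-gateway.sh install` on the gateway. Because PF evaluates rules last-match-wins, the redirect rule carries `quick` so that the general "LAN may go out" rule cannot override it; if you later add rules, keep the redirect ahead of anything that could match port 80.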
Unix+clones Encrypted NFS with OpenSSH
Post date: May 21, 2005, 15:05 Category: Network Views: 44
Tutorial quote: NFS is a widely deployed, mature, and understood protocol that allows computers to share files over a network. The main problems with NFS are that it relies on the inherently insecure UDP protocol, transactions are not encrypted, hosts and users cannot be easily authenticated, and it is difficult to firewall. This article provides a solution to most of these problems for Linux clients and servers. These principles may also be applied to any UNIX server with ssh installed. This article assumes basic knowledge of NFS and firewalling for Linux.
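The entry above states the approach but not the moving parts. The script below is an added example, not the article's own code, showing the client side of an NFSv3 mount carried over an SSH tunnel: two TCP forwards (nfsd on 2049 and mountd on a pinned port) and a mount that skips the portmapper. The server name, export path, tunnel user and the mountd port 32767 are assumptions. On the server it assumes nfsd accepting TCP, `rpc.mountd -p 32767`, and an /etc/exports line granting the export to 127.0.0.1 with the `insecure` option, because the tunnelled connection reaches nfsd from the server's own loopback on an unprivileged source port.

```shell
#!/bin/sh
# Added example: mount an NFS export over an SSH tunnel.  Run as root on the
# client (binding local port 2049 and mounting both need it).  Everything
# configurable below is an assumption for the example.

SERVER="${SERVER:-nfs.example.internal}"   # assumed NFS server
SSH_USER="${SSH_USER:-nfstunnel}"          # assumed unprivileged tunnel account on the server
EXPORT="${EXPORT:-/export/home}"           # assumed export path
MOUNTPOINT="${MOUNTPOINT:-/mnt/home}"
MOUNTD_PORT="${MOUNTD_PORT:-32767}"        # must match the server's "rpc.mountd -p"
RUN="${RUN:-}"                             # set RUN=echo to print the commands instead of running them

open_tunnel() {
    # The remote end of each forward is the server's loopback, so nfsd and
    # mountd never need to listen on a public interface; only port 22 has to
    # pass the firewall.  ExitOnForwardFailure makes a port clash fatal
    # instead of silently leaving the mount to time out.
    $RUN ssh -f -N -o ExitOnForwardFailure=yes \
        -L "2049:127.0.0.1:2049" \
        -L "${MOUNTD_PORT}:127.0.0.1:${MOUNTD_PORT}" \
        "${SSH_USER}@${SERVER}"
}

mount_export() {
    # port= and mountport= tell the client which forwarded TCP ports to use
    # instead of asking the server's portmapper; nolock avoids lockd, which
    # is not tunnelled here.
    $RUN mount -t nfs \
        -o "vers=3,proto=tcp,port=2049,mountport=${MOUNTD_PORT},nolock" \
        "127.0.0.1:${EXPORT}" "$MOUNTPOINT"
}

case "${1:-}" in
    up) open_tunnel && mount_export ;;
esac
```

Run `sh nfs-tunnel.sh up`; `RUN=echo sh nfs-tunnel.sh up` prints the two commands for inspection. With NFSv4 only the 2049 forward is needed, since there is no separate mountd. The tunnel fixes the transport problems the article lists (cleartext, UDP, many ports) and authenticates the hosts via ssh keys, but the export still uses AUTH_SYS, so the server continues to trust the uids the client presents.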
SmoothWall Install SquidGuard on Smoothwall
Post date: April 12, 2005, 14:04 Category: Software Views: 254
Tutorial quote: squidGuard describes itself as: "An ultrafast and free filter, redirector and access controller for Squid". In my experience, it is the ideal web filter for use with Smoothwall and IpCop since it is lightweight and easy to set up. I use it on an i486, 33 MHz system with 18 MB of RAM and a 500 MB hard drive - and while there is a minor performance hit, the hit is not significant.

This simple how-to describes the steps I took to install squidGuard on my system - it should work for yours too.
Linux Three tools to help you configure iptables
Post date: May 25, 2005, 10:05 Category: Network Views: 90
Tutorial quote: Every user whose client connects to the Internet should configure his firewall immediately after installation. Some Linux distributions include firewall configuration as a part of installation, often offering a set of default configurations to choose from. However, to ensure that your machine presents the minimum "attack surface" (a measure of the number of vulnerable ports, user accounts, and sockets exposed to attack) to the predatory inhabitants of the Internet, you may need to do some manual configuration of your firewall. Here are three tools that can help.
The Linux kernel (version 2.4 onwards) contains a framework for packet filtering and firewalling using netfilter and iptables. Netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. Iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target). Iptables has extensive documentation that can be accessed online or by typing man iptables at the command line. Yet despite the depth of the documentation available for iptables, its complexity can be baffling.
FreeBSD Build your own gateway firewall
Post date: April 11, 2006, 17:04 Category: Miscellaneous Views: 24
Tutorial quote: Learn how to build your own gateway firewall using FreeBSD and old PC parts. The firewall will consist of the PF firewall, Snort IDS, various IPS applications, Squid proxy, and some intuitive web interfaces for auditing. The cost of this project should be between free and $200 depending on your resourcefulness. I built mine for free using spare parts that were stockpiled in personal storage and parts that the USMC was throwing away, but you can build one from used and/or new parts for dirt cheap.
Unix+clones Optimizing DSPAM + MySQL 4.1
Post date: April 2, 2006, 18:04 Category: Optimizing Views: 16
Tutorial quote: DSPAM is a scalable and open-source content-based spam filter designed for multi-user enterprise systems. It's great at filtering out spam but on busy mailservers the pruning of the MySQL databases takes far too long ...
OpenBSD Creating secure wireless access points with OpenBSD and OpenVPN
Post date: December 13, 2005, 13:12 Category: Network Views: 108
Tutorial quote: You know how insecure 802.11x wireless networks are. In this article we'll create an OpenBSD-based secure wireless access point that prevents unauthorized access and encrypts every packet using a VPN tunnel. OpenBSD is one of the most secure operating systems available, is easy to use, and includes almost everything you need for this project in the base installation.
Linux Using iptables to rate-limit incoming connections
Post date: December 16, 2005, 17:12 Category: Network Views: 74
Tutorial quote: There are times when you have to allow arbitrary incoming connections, when you are travelling for example.

In these situations you can open up your system to allow incoming connections and be the target of a dictionary attack - literally a machine trying to connect and login over and over again using usernames and passwords from a dictionary.

In this situation you can create a collection of firewalling rules which will deny access from remote clients who attempt to connect "too many" times.
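The rule set the entry describes is usually built with the iptables `recent` match, which keeps a per-source list of recent hits. The script below is an added example, not the tutorial's own rules, and it goes slightly beyond the quoted text by putting the limiter in its own chain, exempting a trusted admin range first, and counting only new connections so established sessions are never cut. The admin range 10.0.0.0/8 and the threshold (fourth new connection within 60 seconds is dropped) are assumptions.

```shell
#!/bin/sh
# Added example: rate-limit new SSH connections per source address with the
# iptables "recent" match.  Run as root; set IPT=echo to print the rules
# instead of loading them.  The trusted range and thresholds are assumptions.

IPT="${IPT:-iptables}"
TRUSTED="${TRUSTED:-10.0.0.0/8}"   # assumed admin network: never rate-limit yourself out
WINDOW=60                          # seconds of history the limiter looks at
HITS=4                             # the HITS-th new connection inside WINDOW is dropped

ssh_ratelimit_rules() {
    # A dedicated chain keeps INPUT readable and lets us flush just these rules.
    $IPT -N SSH_LIMIT 2>/dev/null || $IPT -F SSH_LIMIT

    # Only new connections are counted; an established session is untouched.
    # The jump rule is removed before it is added so re-running stays idempotent.
    JUMP="INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_LIMIT"
    $IPT -D $JUMP 2>/dev/null || true   # intentionally unquoted: word splitting is wanted
    $IPT -A $JUMP

    # Trusted sources leave the chain before any counting happens.
    $IPT -A SSH_LIMIT -s "$TRUSTED" -j RETURN

    # Record this source in the "ssh" list (visible in /proc/net/xt_recent/ssh),
    # then drop if the list already shows HITS entries for it inside WINDOW.
    # --update refreshes the timestamp, so a client that keeps hammering stays
    # blocked until it has been quiet for WINDOW seconds.
    $IPT -A SSH_LIMIT -m recent --name ssh --set
    $IPT -A SSH_LIMIT -m recent --name ssh --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP

    # Below the threshold: let the connection through.
    $IPT -A SSH_LIMIT -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    ssh_ratelimit_rules
fi
```

`IPT=echo sh ssh-limit.sh apply` shows the rules that would be loaded. Two things to check before relying on it: `--hitcount` cannot exceed the xt_recent module parameter `ip_pkt_list_tot` (default 20), and several legitimate users behind one NAT address share a single counter, so a low threshold will lock out the whole office. The limiter slows a dictionary attack down rather than stopping it; key-only authentication in sshd is what actually removes the password-guessing risk.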
Debian Using the 'snort' Intrusion Detection System
Post date: December 27, 2005, 10:12 Category: Security Views: 71
Tutorial quote: Snort is the leading open source Network Intrusion Detection System and is a valuable addition to the security framework at any site. Even if you are employing lots of preventative measures, such as firewalling, patching, etc., a detection system can give you an assurance that your defences truly are effective, or if not, will give you valuable information about what you need to improve.

Fortunately, there is a good set of snort packages for Debian which takes a lot of the tedious work out of building a useful Network Intrusion Detection System. Before we start on installation, we should review a few details about the networking stack that you're going to need to make sense of the alerts snort will generate. Impatient readers and those who are familiar with the TCP/IP suite of protocols may now skip to the bit that says Stand alone snort.