Building Firewalls With OpenBDS And PF:9788391665114:Artymiak, Jacek:eCampus.com

Preface

(2)

0.1 Acknowledgments

(2)

Chapter 1: Introduction

(12)

1.1 Why Do We Need to Secure Our Networks

(2)

1.2 Why Do We Need Firewalls

(1)

1.3 Why Open Source Software

(2)

1.4 Why OpenBSD and pf

(2)

1.5 Cryptography and Law

(1)

1.6 How This Book Is Organized

(2)

1.7 Typographic Conventions Used in This Book

(1)

1.8 Staying in Touch with the OpenBSD Community

(1)

1.9 Getting in Touch with the Author

(2)

Chapter 2: Firewall Designs

(16)

2.1 Define Your Local Packet Filtering Policy

(1)

2.2 What Is a 'Firewall'?

(1)

2.3 What Firewalls Are Not

(1)

2.4 Hardware vs. Software Firewalls

(1)

2.5 Firewalls Great and Small

(7)

2.5.1 Screened Host

(2)

2.5.2 Screened LAN or Screened LAN Segment

(2)

2.5.3 Bastion Host

(1)

2.5.4 Demilitarized Zone (DMZ)

(2)

2.5.5 Large-Scale LANs

(1)

2.6 Invisible Hosts and Firewalls

(3)

2.6.1 Filtering Bridge

(2)

2.6.2 Network Address Translation (NAT)

(1)

2.7 Additional Functionality

(3)

Chapter 3: Installing OpenBSD

(34)

3.1 Software Requirements

(3)

3.1.1 Buy Official OpenBSD CD-ROM Sets

(1)

3.1.2 Additional Software Requirements

(1)

3.2 Hardware Requirements

(14)

3.2.1 Which Hardware Platform Should You Choose?

(2)

3.2.2 Motherboard

(1)

3.2.3 BIOS

(1)

3.2.4 Processor

(2)

3.2.5 Memory

(1)

3.2.6 Disk Space

(1)

3.2.7 Network Interfaces

(3)

3.2.8 Communicating with Your Computer During Installation

(2)

3.2.9 How Are You Going to Install OpenBSD?

(1)

3.2.10 Tape Drives

(1)

3.2.11 Debugging Hardware

(1)

3.2.12 Other Requirements

(1)

3.2.13 When in Trouble, Use the Manual

(1)

3.3 Downloading OpenBSD

(1)

3.4 Preparing Installation Media

(1)

3.5 Installing OpenBSD

(13)

3.6 Securing Your Firewall Hardware

(2)

Chapter 4: Configuring OpenBSD

(36)

4.1 User Management

(3)

4.1.1 Adding Users

(1)

4.1.2 Letting Users Do As Root Does (su)

(1)

4.1.3 Changing the User Password

(1)

4.1.4 Giving Users Limited Access to Root Privileges (sudo)

(1)

4.1.5 Removing Users

(1)

4.2 Hardening OpenBSD

(6)

4.2.1 Disabling Non-Essential Services

(1)

4.2.2 Patching

(5)

4.2.3 When a Patch Is Not Enough

(1)

4.3 Configuring Networking

(19)

4.3.1 More Than One Address on a Single Interface (Aliases)

(2)

4.3.2 Pf Configuration Options

(1)

4.3.3 Bridge Configuration Options

(3)

4.3.4 IP Forwarding

(1)

4.3.5 Fixing FTP

(4)

4.3.6 Taking Control of ARP

(6)

4.4 Automated System Reboot

(1)

4.5 Swap Encryption

(1)

4.6 Working with Securelevels

(1)

4.7 Setting Time and Date

(1)

4.8 Configuring the Kernel to Solve Hardware Problems

(4)

4.8.1 Make a Copy of the Old Kernel

(1)

4.8.2 User Kernel Config (UKC)

(3)

4.8.3 Brain Transplants for OpenBSD

101

(1)

4.9 Adding and Compiling Software

101

(1)

4.10 Configuring Disks

102

(1)

4.10.1 RAID

102

(1)

Chapter 5: /etc/pf.conf

103

(22)

5.1 Inside pf.conf

103

(3)

5.1.1 Changing the pf.conf Section Order

105

(1)

5.1.2 Breaking Long Lines into Smaller Pieces

105

(1)

5.1.3 Grouping Rule Elements into Lists ({ })

105

(1)

5.2 Macros

106

(1)

5.3 Tables (table)

107

(2)

5.4 Anchors (anchor, nat-anchor, rdr-anchor, binat-anchor)

109

(1)

5.5 Common Components Found in pf Rules

110

(9)

5.5.1 Directions (in, out)

110

(1)

5.5.2 Interfaces (on)

110

(1)

5.5.3 Address Families (inet, inet6)

111

(1)

5.5.4 Protocols (proto)

111

(1)

5.5.5 Addresses (from, to, any, all)

112

(3)

5.5.6 Dynamic Assignment of Addresses

115

(1)

5.5.7 Ports (port)

116

(2)

5.5.8 Ports (port)

118

(1)

5.6 Tools for Writing and Editing pf.conf

119

(1)

5.6.1 Why Not Edit pf.conf on Another Machine?

119

(1)

5.6.2 Syntax Highlighting

119

(1)

5.6.3 GUI Tools for Writing Rulesets with a Mouse

120

(1)

5.6.4 Scripting pf.conf

120

(1)

5.7 Managing pf.conf Versions with CVS

120

(5)

Chapter 6: Packet Normalization

125

(8)

6.1 Implementing Packet Normalization (scrub)

125

(2)

6.1.1 Scrub Rule Syntax

125

(2)

6.2 Fine-Tuning Scrub Rules

127

(4)

6.2.1 Pf Options (limit frags, timeout frags)

128

(1)

6.2.2 Scrub Rule Options

128

(3)

6.3 Who's Sending All Those Malformed Packets?

131

(2)

Chapter 7: Packet Redirection

133

(22)

7.1 Security Applications

133

(1)

7.2 Expanding the IPv4 Address Space

134

(3)

7.2.1 Does IPv6 Make NAT redundant?

136

(1)

7.2.2 What Problems Does NAT Cause?

136

(1)

7.3 NAT Rules

137

(16)

7.3.1 Hiding Hosts Behind a Single Address with nat Rules

138

(7)

7.3.2 Redirecting Packets to Other Addresses and Ports (rdr)

145

(5)

7.3.3 Forcing Everyone to Use a Web Cache

150

(1)

7.3.4 Other Uses of rdr Rules

150

(1)

7.3.5 binat

150

(3)

7.4 Proxy ARP

153

(2)

Chapter 8: Packet Filtering

155

(30)

8.1 The Anatomy of a Filtering Rule

155

(25)

8.1.1 What Is pf Supposed to Do (block, pass)?

156

(1)

8.1.2 Return to Sender (return-icmp, return-rst)

157

(3)

8.1.3 Inbound or Outbound (in, out)?

160

(1)

8.1.4 To Log or Not to Log (log, log-all)?

160

(1)

8.1.5 Finishing Early (quick)

161

(1)

8.1.6 Network Interface Names (on)?

162

(1)

8.1.7 Routing Options (fastroute, reply-to, route-to, dup-to)

162

(2)

8.1.8 IP Addressing Familes: IPv4 (inet) or IPv6 (inet6)?

164

(1)

8.1.9 Protocols (proto)?

165

(1)

8.1.10 Source Address (from, any, all)?

165

(1)

8.1.11 Source Port (port)?

166

(2)

8.1.12 Sender's Operating System (os)?

168

(1)

8.1.13 Destination IP address (to, any, all)

169

(1)

8.1.14 Destination Port (port)

170

(1)

8.1.15 User and Group Access Control (user, group)

170

(1)

8.1.16 TCP Flags (flags)

171

(1)

8.1.17 ICMP Packets

172

(1)

8.1.18 Stateful Filtering (keep state, modulate state, synproxy state)

173

(6)

8.1.19 IP Options (allow-opts)

179

(1)

8.1.20 Labels (label)

180

(1)

8.2 Antispoof Rules

180

(1)

8.3 Filtering Rules for Redirected Packets

181

(4)

Chaper 9: Dynamic Rulesets

185

(6)

9.1 Designig an Automated Firewall

185

(6)

Chaper 10: Bandwidth Shaping and Load Balancing

191

(30)

10.1 Load Balancing

191

(4)

10.1.1 Implementing Load Balancing

193

(2)

10.2 Bandwidth Shaping

195

(26)

10.2.1 The Anatomy of a Scheduler Rule

196

(1)

10.2.2 The Anatomy of a Queue Rule

197

(2)

10.2.3 Assigning Queues to Packet Filtering Rules

199

(1)

10.2.4 Priority Queuing (PRIQ)

199

(7)

10.2.5 Class-Based Queuing (CBQ)

206

(7)

10.2.6 Hierarchical Fair Service Curve (HFSC)

213

(5)

10.2.7 Queuing Incoming Packets

218

(1)

10.2.8 Which Scheduler is Best?

218

(3)

Chapter 11: Logging and Log Analysis

221

(12)

11.1 Enabling Packet Logging

222

(1)

11.2 Log Analysis

222

(2)

11.3 Which Packets Do You Want to Capture?

224

(2)

11.4 The Secret Life of Logs

226

(3)

11.5 Bandwidth and Disk Space Requirements

229

(3)

11.6 Logging on a Bridge (Span Ports)

232

(1)

Chapter 12: Using authpf

233

(6)

12.1 Configuring authpf

233

(1)

12.2 Configuring sshd

234

(1)

12.3 Configuring Login Shell

234

(1)

12.4 Writing pf Rules for authpf

235

(1)

12.5 Authenticating User Joe

235

(4)

Chapter 13: Using spamd

239

(6)

13.1 Configuring spamd

239

(6)

Chapter 14: Ruleset Optimization

245

(4)

14.1 The pf Optimization Checklist

245

(1)

14.2 Pf Optimization Options

246

(3)

Chapter 15: Testing Your Firewall

249

(10)

15.1 Pencil Test

249

(1)

15.2 Checking Host Availability

250

(2)

15.2.1 When Ping Cannot Help

252

(1)

15.3 Discovering Open Ports on Remote Hosts

253

(1)

15.4 Testing Network Performance

253

(3)

15.5 Are packets passing through pf?

256

(2)

15.6 Additional tools

258

(1)

Chapter 16: Firewall Management

259

(8)

16.1 General Operations

259

(1)

16.2 Pfctl Output Control Options

259

(1)

16.3 Managing Rulesets

260

(1)

16.4 Managing Macros

260

(1)

16.5 Managing Tables

260

(2)

16.6 Managing pf Options

262

(1)

16.7 Managing Queues

262

(1)

16.8 Managing Packet Redirection Rules

262

(1)

16.9 Managing Packet Filtering Rules

263

(1)

16.10 Managing Anchors

263

(1)

16.11 Managing States

264

(1)

16.12 Managing Operating System Fingerprints

265

(1)

16.13 Statistics

265

(1)

16.14 Additional Tools for Managing pf

266

(1)

Appendix A: Manual Pages

267

(4)

A.1 Using the OpenBSD Manual

267

(1)

A.1.1 Reading the OpenBSD Manual Pages on the Web

268

(1)

A.2 Pages Related to pf

268

(1)

A.3 Other Pages of Interest

269

(2)

Appendix B: Rules for Poplar (and Less Popular) Services

271

(16)

B.1 Dealing with ICMP

273

(3)

B.2 Fixing FTP

276

(1)

B.3 Template Rules for Services Using TCP and UDP

276

(7)

B.4 Adapting the Template for Other Services

283

(4)

Appendix C: Rule Templates for Typical Firewall Configurations

287

(10)

C.1 Bastion Host

287

(1)

C.2 Bastion Host II (Some Access Allowed)

288

(1)

C.3 Screened Host/LAN (Public IP Addresses)

289

(1)

C.4 Screened LAN (Some Access Allowed)

290

(2)

C.5 NAT + Screened LAN

292

(1)

C.6 NAT + Screened LAN + DMZ

293

(2)

C.7 Invisible Bridge

295

(2)

Appendix D: Helping OpenBSD and PF

297

(6)

D.1 Buy Official CD-ROMs, T-Shirts, and Posters

297

(1)

D.2 Make Small, but Regular Donations

298

(1)

D.3 Hire Developers of OpenBSD and Pf

299

(1)

D.4 Donate Hardware

300

(1)

D.5 Spare Some of Your Precious Time

300

(1)

D.6 Spread the Word

301

(1)

D.7 Attend Training Seminars

301

(1)

D.8 Encourage People to Buy this Book

301

(2)

Bibliography

303

(4)

Index

307

(15)

About this Book

322


	Order Status Contact Us Help Desk Marketplace Info	Shipping Rates Return Policy Bulk Orders F.A.S.T.	Privacy Policy Legal Notices Site Security Employment	Advertise With Us Affiliate Program Business Accounts College Marketing

Need Help? eService@ecampus.com Copyright© 1999-2008
.