From Erik's IT-Security notes

The Better Mousetrap

"Build a better mousetrap and the world will NOT beat down your firewall front door".
- Definitely not Ralph Waldo Emerson.

This project is dead. I got started, and then I found PFSense, which does everything TBM could ever do and
much more. And it's free. 
So TBM has no purpose. PFSense is a great thing.
http://www.pfsense.com/
--Erik 13:06, 25 November 2009 (UTC)

Abstract

Getting a gateway to secure your own home network is an easy task. Just go out and get one of those Netgear or Dlink boxes. They are adequate protection for your own home network as long as you keep the workstations on the inside secure. If you want to make servers accessible from the Internet, they are not going to be a good choice. An additional problem is that most firewalls at the gateway only monitor the state of connections. They keep unsolicited traffic out and let through responses to requests made from the inside. This is good basic protection, but it does not care about the data passing through.

The purpose of TBM is to do stateful packet inspection and to use a reverse proxy to protect servers from unwanted data getting through. All the software is free and can be downloaded directly from the Internet.

The purpose of the TBM firewall:

  • To be secure by default and to use a sensible setup.
  • To do the job without requiring extensive resources such as CPU, memory and disk.
  • To have a very small attack surface.
  • To be reliable and require very little maintenance.
  • To be free.

What you should understand

  • This project will not be GUI-based. That means you must understand how to work in the OpenBSD command line.
  • The settings will be complex, so you must know basic TCP/IP and how to work with firewall rules.
  • TBM is built to allow you to host servers to the Internet. Those servers should be connected to the DMZ network.
  • At this time, reverse proxying is meant to protect web servers. You can of course publish other types of servers.
  • This project is not meant to be an easy way to set up a basic firewall. If you need that, consider an appliance.
  • This guide will configure the router's external interface to use network address translation (NAT).
  • We will only use IPv4. An IPv6 guide may come later.

Preparations

This is what we need to get started.

Hardware:
PC with CPU capable of running 64bit instructions
Three network cards
1 GB of memory
2 GB of disk space
All hardware must be supported by OpenBSD (See http://www.openbsd.org/amd64.html#hardware for more information)
Software:
OpenBSD 4.4 or later
Squid

First let us choose the common settings. You need to know these to proceed with the installation. Replace my selections with your own. I will set up my system behind a preexisting gateway to keep it protected during the installation.

Name of the gateway: tmb
DNS-name: ericade.net
Default gateway: 192.168.12.1 <this is your path to the internet>
The Internet facing card will use network address translation.

So how do we want the firewall to work?

  • Internal to Internet (egress) - Allow all
  • Internal to DMZ(egress) - Allow all
  • DMZ to Internet (egress) - Deny all
  • DMZ to Internal (egress) - Deny all
  • Internet to Internal - Allow solicited
  • Internet to DMZ - Allow solicited

These are the default rules for this firewall. We will then have to create rules to allow specific traffic and port mappings later on. Let's take some time to create the network design. These are the settings I will use. You should substitute them with your own settings.

Network card 1
Alias: tmb-internet
Purpose: The card facing the Internet
IP address: 192.168.12.7
MASK: 255.255.255.0
Default route: 192.168.12.1

The reason I use an internal address for my Internet-facing network card is that I'm setting up the system behind another router, which I will later replace with this router when it's ready for business. I advise against connecting this router to the Internet before you have set it up properly. Next card please.

Network card 2
Alias: tmb-dmz
Purpose: Card for the DMZ-network.
IP address: 192.168.20.1
MASK: 255.255.255.0
Default route: -

And the internal card which will be where your clients are.

Network card 3
Alias: tmb-internal
Purpose: Card for the internal network.
IP address: 192.168.21.1
MASK: 255.255.255.0
Default route: -
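The default policy above (internal allowed out, DMZ isolated, Internet limited to replies) written as pf rules for the three cards just defined. This is an added example, not the page's own configuration and not part of TBM; it assumes em0, em1 and em2 map to tmb-internet, tmb-dmz and tmb-internal in that order, and uses the OpenBSD 4.4-era "nat on" syntax that OpenBSD 4.7 and later replaced with "match ... nat-to".

```pf
# /etc/pf.conf - TBM default policy (added example, OpenBSD 4.4-era syntax)
# Interface mapping is an assumption: em0 = tmb-internet (as in the
# installer transcript), em1 = tmb-dmz, em2 = tmb-internal.
ext_if  = "em0"
dmz_if  = "em1"
int_if  = "em2"
dmz_net = "192.168.20.0/24"
int_net = "192.168.21.0/24"

set skip on lo0

# NAT only the internal network. The DMZ has no default route to the
# Internet and is denied below, so nothing from it is translated unless a
# later, explicit rule allows it.
nat on $ext_if inet from $int_net to any -> ($ext_if)

# Default deny on every interface, logged so rejected packets show up in
# pflog0 while you debug the ruleset.
block log all

# Drop packets arriving on an interface that does not match their source
# network (e.g. a 192.168.21.x source showing up on the DMZ card).
antispoof quick for { $int_if, $dmz_if }

# Internal -> Internet and Internal -> DMZ: allow all.
# pass rules keep state by default (OpenBSD 4.1 and later), so replies are
# admitted by the state table and need no explicit rule of their own.
pass in  on $int_if inet from $int_net to any
pass out on $ext_if inet from ($ext_if) to any
pass out on $dmz_if inet from $int_net to $dmz_net

# DMZ -> Internet and DMZ -> Internal: deny all. There is no "pass in on
# $dmz_if" rule, so "block log all" applies; replies to states opened from
# the internal side (or by a later port mapping) still flow.
# Internet -> Internal and Internet -> DMZ: only solicited traffic, i.e.
# packets matching an existing state. Port mappings for published servers
# are added later as explicit rdr/pass rules; nothing unsolicited passes
# in on $ext_if until then.
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and confirm the loaded rules with pfctl -sr.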

Here's a golden rule to remember: don't ever connect anything directly to the Internet before it's been properly installed and configured. OpenBSD is an operating system with an excellent track record when it comes to security. Still, it's not advisable to connect it to the Internet before it's ready for it.

Step 1 - installing OpenBSD

First thing is to prepare the computer. Check that the hardware is compatible with OpenBSD (see above). Make sure to remove all partitions on the hard drive. You can use OpenBSD to do this, but this guide assumes the disk is empty.

Then we need a copy of OpenBSD. The current version as I write this is 4.4. OpenBSD can be obtained at http://www.openbsd.org/ftp.html. I suggest you download the .iso-file and burn it to a CD. The download is about 250 MB in size.

Now boot the computer from the CD-ROM.

Tbmfig1.gif

Select [I] to perform a new install. Then you'll be presented with a prompt asking which terminal type you want to use. Press enter to accept the default choice of vt220. Now you will have to select which keyboard mapping you want. You can select L to list them.

Keyb.gif

Select your preferred keyboard setting code and press enter. The codes are listed in the picture above.

The next prompt asks you if you want to proceed with the installation. Type yes and then press enter.

Tmbdisk1.gif

Next you will select the disk. In my case I only have one disk, which OpenBSD lists as wd0. Press enter on the "Which one is the root disk?" prompt, assuming that you only have one disk. Otherwise you have to select the correct disk. The next question asks you if you want to allocate all of the disk space for the OpenBSD installation. I suggest you select yes. This assumes you have no data you wish to preserve. Some really old computers have partitions for their BIOS settings. If yours does, select no.

Now it's time to partition the system. I've used the instructions from the official OpenBSD guide as an inspiration. The commands you must type are shown in bold.

 > p m
 This will list the size of the disk. Note this down!
 #             size        offset  fstype [fsize bsize  cpg]

Ok, onto the main part.

 > a a
 offset: [3148740] Enter
 size: [35953470] 150m
 Rounding to cylinder: 321300
 FS type: [4.2BSD] Enter
 mount point: [none] /
 > a b
 offset: [3470040] Enter
 size: [35632170] 300m
 Rounding to cylinder: 626535
 FS type: [swap] Enter
 > a d
 offset: [4096575] Enter
 size: [35005635] 120m
 Rounding to cylinder: 257040
 FS type: [4.2BSD] Enter
 mount point: [none] /tmp
 > a e
 offset: [4353615] Enter
 size: [34748595] 80m
 Rounding to cylinder: 176715
 FS type: [4.2BSD] Enter
 mount point: [none] /var

The next two partitions will use the bulk of the disk. I suggest you split the remaining disk in half. So far you have partitioned 650 MB of the disk. My disk is 2G in size, so my choice looks like this:

 > a g
 offset: [4530330] Enter
 size: [34571880] 1g
 Rounding to cylinder: 12594960
 FS type: [4.2BSD] Enter
 mount point: [none] /usr
 > a h
 offset: [17125290] Enter
 size: [21976920] 250m
 Rounding to nearest cylinder: 8401995
 FS type: [4.2BSD] Enter
 mount point: [none] /home

Now type q and press enter. The prompt "Write new label?: [y]" will pop up. Press enter. Time to select the mount points. In this case you press "Enter" four times and then you type "done" and press enter.

 Mount point for wd0d (131584 KBytes)? (or 'none' or 'done') [/tmp] Enter
 Mount point for wd0e (90624 KBytes)? (or 'none' or 'done') [/var] Enter
 Mount point for wd0g (6656 MBytes)? (or 'none' or 'done') [/usr] Enter
 Mount point for wd0h (4096 MBytes)? (or 'none' or 'done') [/home] Enter
 Mount point for wd0d (131584 KBytes)? (or 'none' or 'done') [/tmp] done
 No more disks to initialize.

 OpenBSD filesystems:
 wd0a /
 wd0d /tmp
 wd0e /var
 wd0g /usr
 wd0h /home

Good, now type yes and enter to accept and destroy all settings on the disk. The screen scrolls through the disk partitions and stops to ask you what you want to call the system. Type in the selected name and press enter. Press enter to configure the network. Now you'll have to cycle through all three of your network cards. The first one is called [em0] on my system.

 Configure the network? [yes] Enter
 Available interfaces are: em0 em1 em2.
 Which one do you wish to initialize? (or 'done') [em0] Enter
 Symbolic (host) name for em0? [puffy] tmb-internet
 The media options for em0 are currently
         media: Ethernet autoselect (1000baseTX full-duplex,master)
 Do you want to change the media options? [no] Enter
 IPv4 address for em0? (or 'dhcp') 192.168.12.7
 Netmask? [255.255.255.0] Enter
 IPv6 address for em0? (or 'rtsol' or 'none') [none] Enter

The first interface is now all right. The installation will now iterate through the other two interfaces. When done, it's time to select the DNS and routing settings.

 No more interfaces to initialize.
 DNS domain name? (e.g. 'bar.com') [my.domain] ericade.net
 DNS nameserver? (IP address or 'none') 192.168.4.19 192.168.4.20 Enter
 Use the nameserver now? [yes] Enter
 Default route? (IP address, 'dhcp' or 'none') [dhcp] 192.168.12.1
 Edit hosts with ed? [no] Enter
 Do you want to do any manual network configuration? [no] Enter

Done. Let's discuss passwords, because that's what's next on the menu. You will now select a password for your root account. Please select a strong and complex password. Using bad passwords kind of makes the plan of creating a secure server pointless.

 Password for root account? (will not echo) <A good password goes here>
 Password for root account? (again) <A good password goes here>

Now press enter to accept the CD as the default location of the sets. A set refers to a set of packages that needs to be installed. Next accept the selected name of the CD, cd0. This assumes you have only one CD drive on the system and that you booted from it. Press enter on the pathname question. Next up is the prompt "Set name? (or 'done') [bsd.mp]". Type -game44.tgz and press enter. You don't need games on a router, now do you :) The prompt reappears. Type done and press enter. Press enter again to accept.

Sit back with your favorite beverage and watch the installation proceed.

After a while it prompts you for the location of the sets. Type done and press enter. Time for the last leg of the journey to OpenBSD.

 Start sshd(8) by default? [yes] yes
 Start ntpd(8) by default? [no] yes
 NTP server? (hostname or 'default') [default] Enter
 Do you expect to run the X Window System? [no] Enter
 Change the default console to com0? [no] Enter

Next question, where in the world are you?

 What timezone are you in? ('?' for list) [Canada/Mountain] ?
 Africa/      Chile/       GB-Eire      Israel       NZ-CHAT      UCT
 America/     Cuba         GMT          Jamaica      Navajo       US/
 Antarctica/  EET          GMT+0        Japan        PRC          UTC
 Arctic/      EST          GMT-0        Kwajalein    PST8PDT      Universal
 Asia/        EST5EDT      GMT0         Libya        Pacific/     W-SU
 Atlantic/    Egypt        Greenwich    MET          Poland       WET
 Australia/   Eire         HST          MST          Portugal     Zulu
 Brazil/      Etc/         Hongkong     MST7MDT      ROC          posix/
 CET          Europe/      Iceland      Mexico/      ROK          posixrules
 CST6CDT      Factory      Indian/      Mideast/     Singapore    right/
 Canada/      GB           Iran         NZ           Turkey       zone.tab
 Select a sub-timezone of 'US' ('?' for list): CET

I live in CET, but you should enter your own time zone. And that's it for the installation. Well done. Type halt, wait until it tells you it has halted and then press any key to let it reboot.

Step 2 - Setting up the stateful firewall