Building Firewalls With OpenBSD And PF, 2nd Edition (2003)

xii

8.1.18 Stateful Filtering (keep state, modulate state, synproxy state) ... 173

xiv

Preface

Why I Wrote This Book

When I Œrst started using OpenBSD sometime in 1999, it certainly wasn't because I wanted to write a book about it. All I needed was a stable server for my home network, something I could conŒgure and forget about. I tried all obvious suspects: FreeBSD, NetBSD, OpenBSD, and four or Œve different Linux distributions, My choice was OpenBSD, because it installed without problems, was easy to conŒgure, and did not have the infuriating problems with NFS that plagued me on Linux at that time. FreeBSD and NetBSD lost their race at the installation stage, after they failed to recognize some pieces of the hardware I was using. It wasn't a high-tech lab test, I just needed a stable server. OpenBSD behaved well, did not require much of my attention and was doing its job.

Then, sometime in 2000, I was asked to help secure a network, which was coming under an increasingly heavy barrage of attacks and was getting broken into approximately twice a month. The Œrst thing we did was secure the hosts exposed to the outside world as much as the operating system allowed, but the rest of the job was going to be the responsibility of a Œ- rewall. I did some research and found out that many people recommended OpenBSD as the best solution for this job. Knowing it doesn't cost a penny to install, I quickly put OpenBSD on four Œrewall hosts guarding points of contact with the outside world and watched them in action. Attacks didn't stop, but none of them was successful. OpenBSD has earned its keep. And that's how it's been for the last three years.

Of course, OpenBSD is only one of many components of the security setup used at that site, but it is proving to be the most signiŒcant one. Over the last three years, that network has undergone signiŒcant changes in hardware and software, many security solutions were tried and discarded, yet OpenBSD is still running those four Œrewalls as well as some web servers, mail servers, DNS, DHCP, and NIDS.

One of my jobs is freelance technical writing, so it wasn't long before I got an idea that it might be useful to help promote the tools I use and like. I quickly wrote an article about installing and conŒguring OpenBSD and Daren Reed's ipŒlter, the Œrewall that shipped with OpenBSD before May 2001. The article was published in February 2002 on the O'Reilly & Associates Network's ONLamp.com and became the Œrst in the series now known under the name of Securing Small Networks with OpenBSD, available at:

http://www.onlamp.com/pub/ct/58

The word `small' used in the title of that series is a little misleading, because OpenBSD is capable of meeting the demands of all kinds of networks, large and small. It was used because I wanted to help administrators of small and underfunded networks secure their installations with OpenBSD. Some of that material made its way into this book.

When I wrote my Œrst article for ONLamp.com in late 2001, I only wanted to write a tutorial that would help others protect their networks with OpenBSD and ipŒlter. It was meant to be something to help people get ipŒlter working in a relatively short time. There were no plans for additional articles. I foolishly assumed that it would be all that was needed. Unfortunately for me, by the time that Œrst article was published, the OpenBSD project abandoned ipŒlter for Daniel Hartmeier's pf. I got a lot of mail telling me in more or less civilized ways that my article was a worthless bag of bits. So, I quickly wrote an update, which was promptly published on ONLamp.com.

After ONLamp.com published the second article, I received a lot of positive feedback, bug reports, and suggestions that I should write a book about OpenBSD. To tell the truth, I did not want to write a book on that subject, because I knew that the market was too small to be considered proŒtable by trade computer book publishers. But, as the number of requests for the book grew, I sat down and wrote a proposal, which I later submitted to a few good publishers. My proposal was turned down by everyone, which convinced me that a book on OpenBSD would not sell. Of course, the real reason could just as well be the weaknesses in my proposal. Either way, I was not interested in pursuing this further and put the whole thing on hold.

Then, in late 2002, I received an email message from a venerable academic publisher interested in publishing a book about OpenBSD. Unfortunately, we couldn't agree on the terms of the contract. By the time our talks broke down, I had a sizeable part of the manuscript ready for editing. I could forget it and move to other projects, but I felt it was too good to be trashed. I decided to risk it and announced The OpenBSD Gazetteer. As I was working towards the end of the manuscript, I could see that it was becoming too long for a single book. I had to split it into two books. Building Firewalls with OpenBSD and PF is the Œrst book, The OpenBSD Gazetteer is the second. That way I can make sure that both books are not overly expensive, that they are delivered on time, and that they can be quickly updated.

The Œrst edition of Building Firewalls with OpenBSD and PF was so popular that I had to quickly start work on the second edition, which would cover the changes made to the OpenBSD operating system and pf between releases 3.3 and 3.4. I also wanted to respond to the requests and suggestions made by the readers of the Œrst edition. I hope that this new edition lives up to your expectations.

0.1 Acknowledgments

This book wouldn't exist if I had not met many great people who continue to support and encourage me along the way. First and foremost I wish to thank the OpenBSD user community for their support, and for challenging me with interesting questions, suggestions, and critique. Without them swamping me with requests to write a book about OpenBSD, this little tome would not be in your hands today. One of the most active members of the OpenBSD community supporting my efforts is Leonard Jacobs, who devoted a lot of his precious time to help me make this edition better than the Œrst one. Thank you, Leonard!

Whenever I publish something on the Internet, I usually do it with the help of these great people: Chris Coleman (DaemonNews), chromatic (O'Reilly Networks), Tim O'Reilly (O'Reilly & Associates), Jose Nazario (OpenBSD Journal), and editors at various BSD news sites and forums. Thank you!

My special thanks must go to Theo de Raadt, Daniel Hartmeier, Artur Grabowski, Jason L. Wright, Miod Vallat, Dale Rahn, Nick Holland, Wim

Vandeputte (kd85.com), Austin Hook (The Computer Shop of Calgary), and other OpenBSD developers, evangelists and supporters, without whose hard work we wouldn't be able to enjoy OpenBSD, OpenSSH, and pf.

I also wish to thank doctors Joanna Markiewicz and Witalis Misiewicz who keep their watchful eyes on my health and make sure I don't dump core before my time.

Last, but not least I want to thank my dear wife, Malgosia, who patiently puts up with my non-standard working hours, deadlines that move everything else aside, and the growing farm of computer hardware. Without her support and understanding I'd never have written this book.

Jacek Artymiak

Lublin, Poland

October 2003

Chapter 1

Introduction

What this book is about. What information you'll Œnd on its pages. How to keep in touch with the author of this book, the developer of pf, and the OpenBSD community.

This book explains how to build, conŒgure, and manage IP packet Œrewalls using commodity hardware, the OpenBSD operating system, and Daniel Hartmeier's pf packet Œlter. Its intended audience are network and security administration professionals and the users of the OpenBSD operating system. The material presented in this book requires basic knowledge of TCP/IP networking and Unix. Readers unfamiliar with either or both of these topics ought to consult [Stevens 1994], [Wright, Stevens 1994], [Stevens 1994a], and [Frisch 2002]. Links to online bookstores selling these and other titles mentioned in this book can be found at the following address:

http://www.devguide.net/books/openbsdfw-02-ed/

1.1 Why Do We Need to Secure Our Networks

The reasons for securing computers and networks against attacks are in many ways similar to the reasons for securing ourselves and our property in the real world. The likely suspects, the problems they cause, and the protection mechanisms we use to defend ourselves are often quite alike, it doesn't matter that we are dealing with 1s and 0s. In an ideal world, there would be no need for fences, gates, or locks, because the good side of the human nature and the laws of our society would be enough to protect ourselves, our privacy, and our property.

Unfortunately, we are not living in such a world nor we are likely to create one on this planet or anywhere else, at least not anytime soon. The fact that a small, but nevertheless noticeable through their actions, percentage of this world's population breaks laws, steals our belongings, trespasses on our

property, and invades our privacy means that we must protect ourselves, our loved ones, and all that we hold valuable. And so we raise fences, buy padlocks, Œt our homes and business premises with burglar alarms, and pay bodyguards to ensure our safety, or to at least make us feel a little safer.

Things are no different in the networked world. Just like the real world around us, the Internet gives people with malicious intent plenty of opportunities to perform their questionable activities. Even though a vast majority of the people and the companies connected to the Internet mean no harm to anyone and just want to get on with their business, there are people who take a certain kind of pride in wreaking havoc online, stealing information or disrupting network services. Some even turned it into a way to make a living. They can spy on our communications, break into computers and networks, block connections between machines, destroy data, falsify records, and bring whole systems to a halt. Their motives are almost always the same: money, the need to have something to brag about, the attraction of a difŒcult challenge, ideology, revenge, or plain curiosity.

Modern network technology gives attackers many ways to amplify the power of their actions by using numerous compromised low-proŒle hosts to launch attacks against selected high-proŒle sites. Equipped with automated cracking tools and access to hundreds of compromised hosts, a single person can potentially cause damage on a scale comparable to an attack on a nuclear power plant or an oil reŒnery. And just as attacks on oil reŒneries can create shortages of oil and raise costs of transport, attacks against certain hosts on the Internet can slow down or cut off large portions of the Internet damaging sales, communications or, in some cases, endangering human lives. Of course, not all attacks are visible and discussed on CNN. Instead of destroying things, someone may prefer to break into a network and listen to communications, copy classiŒed Œles, or change essential records. Such covert operations can result in more damage than a massscale attack on the Internet infrastructure. They are also more proŒtable to an attacker than the 5 minutes of fame he (or she) gets on the global news networks.

Even though many corporate, university, or home networks can have little end value for an attacker, their sole ability to send packets on the Internet can be worth a lot to someone who wants to break into them and use compromised hosts to launch an escalated Distributed Denial of Service (DDoS) attack against other, more valuable hosts. Owners of computers