Openbsd apu, revision 2 (sacha, 11/11/2020 21:32)
OpenBSD firewall on the PC Engines APU
Install an OpenBSD image
Getting the OpenBSD image
The list of the mirrors is here: https://www.openbsd.org/ftp.html
Get the latest version, here 6.5:
wget ftp://ftp.irisa.fr/pub/mirrors/OpenBSD/6.5/amd64/install65.fs
Write the image to a USB key
My USB key is /dev/sde:
dd if=install65.fs of=/dev/sde bs=1M
Boot USB & install
Select the tty output at 115200 baud on com0:
SeaBIOS (version rel-1.12.0.1-0-g393dc9c)
Press F10 key now for boot menu
Booting from Hard Disk...
Using drive 0, partition 3.
Loading......
probing: pc0 com0 com1 com2 com3 mem[639K 1918M a20=on]
disk: hd0+ hd1+*
>> OpenBSD/amd64 BOOT 3.43
boot> stty com0 115200
boot> set tty com0
switching console to com
>> OpenBSD/amd64 BOOT 3.43
boot>
Answering the installer's questions:
Welcome to the OpenBSD/amd64 6.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
Terminal type? [vt220]
System hostname? (short form, e.g. 'foo') cerbere
Password for root account? (will not echo)
Password for root account? (again)
Start sshd(8) by default? [yes]
Change the default console to com0? [yes]
Available speeds are: 9600 19200 38400 57600 115200.
Which speed should com0 use? (or 'done') [115200]
Setup a user? (enter a lower-case loginname, or 'no') [no]
Since no user was setup, root logins via sshd(8) might be useful.
WARNING: root is targeted by password guessing attacks, pubkeys are safer.
Allow root ssh login? (yes, no, prohibit-password) [no] yes
Available disks are: sd0 sd1.
Which disk is the root disk? ('?' for details) [sd0]
No valid MBR or GPT.
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]
Partition layout:
80% /
10% swap
10% /var/log
Configuration
/etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
adduser
group wheel (so that the doas rule below applies to the new user)
/etc/doas.conf
permit :wheel
/root/.profile
export PS1="\H|\t|:\w\\$"
umask 022
#export LS_OPTIONS='--color=auto'
alias ls='/usr/local/bin/colorls -G'
alias ll='ls -l'
alias l='ls -lA'
alias d="du -d 1 -h"	# OpenBSD du(1) takes -d depth; GNU --max-depth does not exist here
#alias carp='ifconfig carp |grep -e "MASTER" -e "BACKUP" && ifconfig -g carp'
# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias df='df -h'
# b: show the blacklisted addresses and the 10 busiest source-tracking entries
alias b='echo "\n IP BLACKLISTED\n========================================================";pfctl -t BLACKLIST -T show;echo "\n TOP 10 states\n========================================================";pfctl -sS |sort -nrk4 |head -n 10 '
echo
echo "________________________________________________________________________"
echo
who
echo "________________________________________________________________________"
echo
last -n 20
echo "________________________________________________________________________"
echo
uptime
echo "________________________________________________________________________"
/home/sacha/.profile
# $OpenBSD: dot.profile,v 1.5 2018/02/02 02:29:54 yasuoka Exp $
#
# sh/ksh initialization

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games
export PATH HOME TERM

export PS1="\H|\t|:\w\\$"
alias ls='colorls -G'
alias ll='ls -l'
alias l='ls -lA'
alias d="du -d 1 -h"	# OpenBSD du(1) takes -d depth; GNU --max-depth does not exist here
# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias df='df -h'

echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo
echo -n " " && uname -a
echo
echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo
w
echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo && echo
/etc/ssh/sshd_config
Port 55555
PasswordAuthentication no
ChallengeResponseAuthentication no
With password authentication disabled, the root ssh login allowed during installation only works with a public key, which is what the installer's warning recommends.
- Add the local network on em2, in the form 10.10.<département>/24
/etc/dhcpd.conf
Depending on the local network; for example:
subnet 10.10.79.0 netmask 255.255.255.0 {
	range 10.10.79.100 10.10.79.199;
	default-lease-time 600;
	max-lease-time 7200;
	option subnet-mask 255.255.255.0;
	option broadcast-address 10.10.79.255;
	option routers 10.10.79.254;
	option domain-name-servers 10.10.79.254, 185.233.100.100;
	option domain-name "niort.rosedor.fr";
}
echo 'dhcpd_flags="em2"' >>/etc/rc.conf.local
/etc/resolv.conf
search brest.openlux.fr
nameserver 10.10.79.254
lookup file bind
/etc/ntpd.conf
# $OpenBSD: ntpd.conf,v 1.14 2015/07/15 20:28:37 ajacoutot Exp $
#
# See ntpd.conf(5) and /etc/examples/ntpd.conf

#listen on 172.16.1.254

servers fr.pool.ntp.org
boot sound
- Examples:
echo -e "l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker
echo -e "<cd<a#~<a#>f" > /dev/speaker
echo "o2 AAA ml o2l8F P16 o3l16C o2 l4A l8F o3P16l16C o2 l4A p4 o3 EEE ml l8F P16 o3l16C o2 l4A- l8F o3P16l16C o2 l4A" > /dev/speaker
echo -e "ec" > /dev/speaker
echo -e "t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f.." > /dev/speaker
echo -e "<cd<a#~<a#>f" > /dev/speaker
echo -e "t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.">/dev/speaker
echo -e "t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8" > /dev/speaker
echo -e "olcega.a8f>cd2bgc.c8dee2" > /dev/speaker
echo -e "msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4" > /dev/speaker
echo -e "l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker
Beatles: "T255O3< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A F#A B A F# L1 E.< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A L2 F#.> L4 C# < L2 B A L1 B B L1 N0< < L2 A > > > L4 C# < L2 B > L2 C# < L2 A.> L4 C# < A B > L2 C#.< < L2 A > > > L4 C# < L2 B > C# < L2 A.L4 N0 A L2 B AL2 N0 > L2 C# < B A N0L4 F# A B E A B D A B A G# F# E"
sw: "t136 mn o3 l8 ddgfe-dc o2 b-ag o3 d2. l12 ddd l8 g4 p4 p2 p2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t136 mn o3 l8 p4 mn o2 l8 d4 e4.e o3c o2 bag l12 gab l8 a8. e16f+4d8. d e4.e o3 c o2 bag o3 d8.o2 a16 ml a4a4 mn d4 e4.e O3 c o2 bag l12 gaba8. e16 f+4 o3 d8. d16 l16 g8. fe-8. d c8. o2 b-a8. g o3 d2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 co2 b o3c l2 ml o2a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2ba ml l2 o3gdd mn l6 co2bo3c l2 ml o2a1a4 p4 mn l6 o3 mn ddd ml l1 gggg4 p4 p4 mn l12 dddg2"
Reveille: t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f..
Close Encounters: <cd<a#~<a#>f
Lord of the Dance (aka Simple Gifts): t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.
Loony Toons theme: t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8
standard villain's entrance music: mst200o2ola.l8bc.~a.~>l2d#
a trope from 'The Right Stuff' score by Bill Conti: olcega.a8f>cd2bgc.c8dee2
opening bars of Bach's Toccata and Fugue in D Minor: msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4
opening bars of the theme from Star Trek Classic: l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2
# each line appended to rc.local must itself be an echo that writes the tune to /dev/speaker
echo 'echo -e "<cd<a#~<a#>f" > /dev/speaker' >> /etc/rc.local
echo 'echo "O3L30cO4L30cO5L30cO5L30g" > /dev/speaker' >> /etc/rc.local
Unbound
ln -s /var/unbound/etc/unbound.conf /etc/unbound.conf
# $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $

server:
	interface: 127.0.0.1
	interface: 172.16.1.254
	#interface: 127.0.0.1@5353	# listen on alternative port
	# interface: ::1
	do-ip6: no

	# override the default "any" address to send queries; if multiple
	# addresses are available, they are used randomly to counter spoofing
	#outgoing-interface: 192.0.2.1
	#outgoing-interface: 2001:db8::53

	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: 172.16.1.254/16 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow

	hide-identity: yes
	hide-version: yes

	# Uncomment to enable DNSSEC validation.
	#
	#auto-trust-anchor-file: "/var/unbound/db/root.key"
	#val-log-level: 2

	# Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
	# https://tools.ietf.org/html/rfc8198
	#
	#aggressive-nsec: yes

	# Serve zones authoritatively from Unbound to resolver clients.
	# Not for external service.
	#
	#local-zone: "local." static
	#local-data: "mycomputer.local. IN A 192.0.2.51"
	#local-zone: "2.0.192.in-addr.arpa." static
	#local-data-ptr: "192.0.2.51 mycomputer.local"

	# UDP EDNS reassembly buffer advertised to peers. Default 4096.
	# May need lowering on broken networks with fragmentation/MTU issues,
	# particularly if validating DNSSEC.
	#
	#edns-buffer-size: 1480

	# Use TCP for "forward-zone" requests. Useful if you are making
	# DNS requests over an SSH port forwarding.
	#
	#tcp-upstream: yes

remote-control:
	control-enable: yes
	control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
#	name: "."				# use for ALL queries
#	forward-addr: 192.0.2.53		# example address only
#	forward-first: yes			# try direct if forwarder fails
rcctl enable unbound
rcctl start unbound
Install Prometheus node exporter
pkg_add go git gmake python-3.6 colorls gnuwatch mtr pftop curl bash
ln -s /usr/local/bin/python3 /usr/local/bin/python
cd /home/sacha
go get github.com/prometheus/node_exporter
cd /home/sacha/go/src/github.com/prometheus/node_exporter
gmake
mv node_exporter /usr/local/bin/
Startup script: /etc/rc.d/node_exporter
vim /etc/login.conf
(...)
node_exporter:\
	:tc=daemon:
cap_mkdb /etc/login.conf
groupadd -g 2222 _node_exporter
useradd -u 2222 -g 2222 -c "Prometheus Node Exporter agent" -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter
- /etc/rc.d/node_exporter:
#!/bin/sh
#

daemon="/usr/local/bin/node_exporter"
node_exporter_textfile_dir="/var/node_exporter"
# single "=": the flag value is the directory path
daemon_flags="--collector.textfile.directory=${node_exporter_textfile_dir}"
daemon_user="_node_exporter"
daemon_group="_node_exporter"

. /etc/rc.d/rc.subr

pexp="${daemon}.*"
rc_bg=YES
rc_reload=NO

rc_pre() {
	# create the unprivileged account if it does not exist yet
	if ! id ${daemon_user} >/dev/null 2>&1; then
		groupadd _node_exporter
		useradd -g _node_exporter -c "Prometheus Node Exporter agent" \
		    -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter
	fi
	# textfile collector directory, owned by the daemon user
	if [ ! -d ${node_exporter_textfile_dir} ]; then
		install \
		    -d \
		    -o ${daemon_user} \
		    -g ${daemon_group} \
		    -m 1755 \
		    ${node_exporter_textfile_dir}
	fi
}

rc_start() {
	${rcexec} "${daemon} ${daemon_flags} < /dev/null 2>&1"
}

rc_cmd $1
chmod 0755 /etc/rc.d/node_exporter
chown root:wheel /etc/rc.d/node_exporter
rcctl enable node_exporter
rcctl start node_exporter
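The rc script above creates /var/node_exporter for node_exporter's textfile collector but nothing on the page writes into it. The following script is an added example, not part of the original page or of node_exporter itself: it publishes the size of the pf BLACKLIST table and of the state table as gauges, writing the file atomically (temp file plus rename) so a scrape never reads a half-written file. The metric names, the function names, the pf.prom file name and the cron line in the comment are this example's own assumptions; when pfctl is not available or the script is not root, it uses constructed fallback values so it can be exercised off the firewall.

```shell
#!/bin/sh
# Added example, not from the original page: publish pf figures through
# node_exporter's textfile collector. The directory is the one the rc
# script creates; metric and function names are this example's own.
TEXTFILE_DIR=${TEXTFILE_DIR:-/var/node_exporter}

# Render the two gauges in Prometheus text exposition format.
# $1 = entries in the <BLACKLIST> table, $2 = entries in the state table
pf_metrics_render() {
	printf '# HELP pf_blacklist_entries Addresses in the pf <BLACKLIST> table.\n'
	printf '# TYPE pf_blacklist_entries gauge\n'
	printf 'pf_blacklist_entries %s\n' "$1"
	printf '# HELP pf_states Entries in the pf state table.\n'
	printf '# TYPE pf_states gauge\n'
	printf 'pf_states %s\n' "$2"
}

# Read the live numbers with pfctl when running as root on the firewall;
# anywhere else use the constructed fallback values passed as $1 and $2,
# so the script can be exercised off the box.
pf_metrics_collect() {
	if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
		blacklist=$(pfctl -t BLACKLIST -T show | wc -l | tr -d ' ')
		states=$(pfctl -ss | wc -l | tr -d ' ')
	else
		blacklist=${1:-0}
		states=${2:-0}
	fi
	pf_metrics_render "$blacklist" "$states"
}

# Write <dir>/pf.prom atomically: render into a temp file in the same
# directory, then rename it, so the collector never scrapes a partial file.
# $1 = textfile directory, $2/$3 = fallback values for pf_metrics_collect
pf_metrics_write() {
	dir=${1:-$TEXTFILE_DIR}
	tmp=$(mktemp "$dir/pf.prom.XXXXXX") || return 1
	if ! pf_metrics_collect "$2" "$3" > "$tmp"; then
		rm -f "$tmp"
		return 1
	fi
	chmod 0644 "$tmp"
	mv "$tmp" "$dir/pf.prom"
}

# Typical use on the firewall (constructed invocation): call
#   pf_metrics_write /var/node_exporter
# from root's crontab every minute; the node_exporter flag in the rc
# script points at that directory.
```

The rename is what makes this safe against a scrape landing mid-write; the directory mode 1755 set by the rc script lets root drop the file there while the daemon user owns the directory.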
Firewall
touch /etc/BLACKLIST
vi /etc/WHITELIST
Standard: 1 ADSL
#######################################################
# Firewall PF - OpenBSD -                             #
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #
# V1.0 - 20190612                                     #
#######################################################

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# MACROS                                #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#-----------------------------------------#
# Interfaces                              #
#-----------------------------------------#
#=====----> ADSL
ADSL = "pppoe0"
#=====----> LAN
LAN = "em2"
LAN_VoIP = "em3"

#-----------------------------------------#
# Hosts                                   #
#-----------------------------------------#

#-----------------------------------------#
# W H I T E L I S T                       #
#-----------------------------------------#
table <WHITELIST> persist file "/etc/WHITELIST"

#-----------------------------------------#
# B L A C K L I S T                       #
#-----------------------------------------#
table <BLACKLIST> counters persist file "/etc/BLACKLIST"

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# OPTIONS                               #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
set loginterface $ADSL
#set optimization aggressive
set block-policy drop
set skip on lo0

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# LOG                                   #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
match log all

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# NORMALISATION                         #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Clean up incoming packets
match in scrub (reassemble tcp random-id)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# NAT                                   #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
match out on $ADSL inet from ($LAN:network) to any nat-to ($ADSL)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# FILTERING                             #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
block log all

#-----------------------------------------#
# Anti-Flood                              #
#-----------------------------------------#
#NOFLOOD ="synproxy state (source-track rule max-src-conn 500, max-src-conn-rate 50/10, overload <BLACKLIST> flush global)"
NOFLOOD ="keep state (source-track rule, max-src-states 100)"

block in log quick on $ADSL from no-route to any
block out log quick on $ADSL from no-route to any
block in log quick on $ADSL from any to 255.255.255.255

#-----------------------------------------#
# Blacklists                              #
#-----------------------------------------#
block in quick from <BLACKLIST>
block in log quick on $ADSL inet proto icmp from any to any icmp-type redir
block in log quick on $ADSL inet6 proto icmp6 from any to any icmp6-type redir

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Anti-spoof                                #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
antispoof log quick for $ADSL label "antispoof"

#---------------------------------------#
# ICMP                                  #
#---------------------------------------#
pass inet proto icmp all icmp-type { echorep, echoreq, timex, unreach }

#---------------------------------------#
# Trace Route                           #
#---------------------------------------#
pass in on { $LAN } proto udp from any to any port 33433 >< 33626 keep state

#---------------------------------------#
# WHITELIST                             #
#---------------------------------------#
pass in quick on $ADSL proto tcp from <WHITELIST> to any port 55555

#---------------------------------------#
# LAN                                   #
#---------------------------------------#
#=====----> Firewall to Lan
pass out on $LAN inet to $LAN:network
#=====----> ssh LAN
pass in quick on $LAN proto tcp from $LAN:network to $LAN port 55555
#pass in quick proto tcp from any to port 55555
#=====----> dns
pass in quick on $LAN proto udp from $LAN:network to $LAN port 53
#=====----> dhcp
pass in quick on $LAN inet from $LAN:network to 255.255.255.255
#=====----> Permit Lan to output
pass in on $LAN inet from $LAN:network to any
pass out on $LAN inet from $LAN:network to any

#---------------------------------------#
# ACCEPT OUTGOING                       #
#---------------------------------------#
pass out on $ADSL
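In the ruleset above the NOFLOOD macro is defined but referenced by no rule, so the BLACKLIST table is fed only from the /etc/BLACKLIST persist file that is created with touch. The script below is an added example, not part of the original page or ruleset: it validates an entry before it reaches the file (only IPv4 addresses or CIDR prefixes, nothing else), keeps the file free of duplicates, rewrites it through a temporary file, and reloads the running table with pfctl -T replace so that no full pf.conf reload is needed. The function names and the BLACKLIST_FILE variable are this example's own; pfctl is only called when present, so the file handling can be exercised off the firewall.

```shell
#!/bin/sh
# Added example, not part of the original pf.conf: maintain the persist
# file behind "table <BLACKLIST> counters persist file" safely.
# Function names and the BLACKLIST_FILE override are this example's own.
BLACKLIST_FILE=${BLACKLIST_FILE:-/etc/BLACKLIST}

# Accept only an IPv4 address or IPv4 CIDR prefix. Anything else
# (hostnames, stray shell characters) must never reach the table file.
bl_valid() {
	addr=$1
	case $addr in ''|*[!0-9./]*) return 1 ;; esac
	case $addr in
		*/*) prefix=${addr%/*}; len=${addr#*/} ;;
		*)   prefix=$addr;      len=32 ;;
	esac
	case $len in ''|*[!0-9]*) return 1 ;; esac
	[ "$len" -le 32 ] || return 1
	# walk the dotted quad without touching IFS or globbing
	n=0
	rest=$prefix.
	while [ -n "$rest" ]; do
		octet=${rest%%.*}
		rest=${rest#*.}
		case $octet in ''|*[!0-9]*) return 1 ;; esac
		[ "$octet" -le 255 ] || return 1
		n=$((n + 1))
	done
	[ "$n" -eq 4 ]
}

# Append to the file if valid and not yet listed.
# Returns 0 when added, 1 when rejected, 2 when already present.
bl_add() {
	bl_valid "$1" || return 1
	[ -f "$BLACKLIST_FILE" ] || : > "$BLACKLIST_FILE"
	grep -qxF -- "$1" "$BLACKLIST_FILE" && return 2
	printf '%s\n' "$1" >> "$BLACKLIST_FILE"
}

# Remove an entry; rewrites the file through a temp file so a reload
# never sees it half-written. Returns 1 when the entry was not listed.
bl_del() {
	[ -f "$BLACKLIST_FILE" ] && grep -qxF -- "$1" "$BLACKLIST_FILE" || return 1
	tmp=$(mktemp "$BLACKLIST_FILE.XXXXXX") || return 1
	grep -vxF -- "$1" "$BLACKLIST_FILE" > "$tmp" || true	# grep -v exits 1 on an empty result
	chmod 0644 "$tmp"
	mv "$tmp" "$BLACKLIST_FILE"
}

# Push the file into the running table without a full pf.conf reload.
# Only meaningful on the OpenBSD firewall itself, so it is a no-op elsewhere.
bl_sync() {
	command -v pfctl >/dev/null 2>&1 || return 0
	pfctl -t BLACKLIST -T replace -f "$BLACKLIST_FILE"
}
```

Usage on the firewall is `bl_add 198.51.100.7 && bl_sync` (constructed address); the `b` alias in /root/.profile then shows the entry via `pfctl -t BLACKLIST -T show`. Because the table is declared with `persist file`, a later `pfctl -f /etc/pf.conf` reloads the same file, so the file and the kernel table stay in step.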
Updated by sacha about 4 years ago · 2 revisions