Aquilenet

> > {{\>toc}}

# Firewall OpenBSD sur les PCEngines APU

## Install an OpenBSD image

### Getting the OpenBSD image 

The list of the mirrors is here: https://www.openbsd.org/ftp.html

Get the last version, here 6.5

~~~

wget ftp://ftp.irisa.fr/pub/mirrors/OpenBSD/6.5/amd64/install65.fs

~~~

### Write the image to an USB Key

My usb key is on /dev/sde

~~~

dd if=install65.fs of=/dev/sde bs=1M

~~~

### Boot USB & install

Select the tty output in 115200 on com0

~~~

SeaBIOS (version rel-1.12.0.1-0-g393dc9c)

Press F10 key now for boot menu

Booting from Hard Disk...

Using drive 0, partition 3.

Loading......

probing: pc0 com0 com1 com2 com3 mem[639K 1918M a20=on] 

disk: hd0+ hd1+*

>> OpenBSD/amd64 BOOT 3.43

boot> stty com0 115200

boot> set tty com0

switching console to com>> OpenBSD/amd64 BOOT 3.43

boot>

~~~

Replying to answears

~~~

Welcome to the OpenBSD/amd64 6.5 installation program.

(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I

Terminal type? [vt220]

System hostname? (short form, e.g. 'foo') cerbere

Password for root account? (will not echo) 

Password for root account? (again) 

Start sshd(8) by default? [yes] 

Change the default console to com0? [yes] 

Available speeds are: 9600 19200 38400 57600 115200.

Which speed should com0 use? (or 'done') [115200] 

Setup a user? (enter a lower-case loginname, or 'no') [no] 

Since no user was setup, root logins via sshd(8) might be useful.

WARNING: root is targeted by password guessing attacks, pubkeys are safer.

Allow root ssh login? (yes, no, prohibit-password) [no] yes

Available disks are: sd0 sd1.

Which disk is the root disk? ('?' for details) [sd0] 

No valid MBR or GPT.

Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] 

~~~

80% /

10% swap

10% /var/log

### Configuration

#### /etc/sysctl.conf       

~~~

net.inet.ip.forwarding=1

net.inet.gre.allow=1

~~~

#### adduser

group wheel

#### /etc/doas.conf       

~~~

permit :wheel

~~~

#### /root/.profile

~~~

export PS1="\H|\t|:\w\\$"                                                                                                                                               

umask 022

#export LS_OPTIONS='--color=auto'

alias ls='/usr/local/bin/colorls -G'

alias ll='ls -l'

alias l='ls -lA'

alias d="du --max-depth=1 -h"

#alias carp='ifconfig carp |grep -e "MASTER" -e "BACKUP" && ifconfig -g carp'

# Some more alias to avoid making mistakes:

alias rm='rm -i'

alias cp='cp -i'

alias mv='mv -i'

alias df='df -h'

alias b='echo "\n IP BLACKLISTED\n========================================================";pfctl -t BLACKLIST -T show;echo "\n TOP 10 states\n========================================================";pfctl -sS |sort -nrk4 |head -n 10 '

echo

echo "________________________________________________________________________"

echo

who

echo "________________________________________________________________________"

echo

last -n 20

echo "________________________________________________________________________"

echo

uptime

echo "________________________________________________________________________"

~~~

#### /home/sacha/.profile

~~~

# $OpenBSD: dot.profile,v 1.5 2018/02/02 02:29:54 yasuoka Exp $

#

# sh/ksh initialization

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games

export PATH HOME TERM

export PS1="\H|\t|:\w\\$"

alias ls='colorls -G'

alias ll='ls -l'

alias l='ls -lA'

alias d="du --max-depth=1 -h"

# Some more alias to avoid making mistakes:

alias rm='rm -i'

alias cp='cp -i'

alias mv='mv -i'

alias df='df -h'

echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"

echo

echo -n "     " && uname -a

echo

echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"

echo

w

echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"

echo && echo

~~~

#### /etc/ssh/sshd_config

~~~

Port 55555

PasswordAuthentication no

ChallengeResponseAuthentication no

~~~

+ Ajouter le réseau local sur em2 sour la forme 10.10.département/24

#### /etc/dhcpd.conf

En fonction du réseau local, exemple:

~~~

subnet 10.10.79.0 netmask 255.255.255.0 {

  range 10.10.79.100 10.10.79.199;

  default-lease-time 600;

  max-lease-time 7200;

  option subnet-mask 255.255.255.0;

  option broadcast-address 10.10.79.255;

  option routers 10.10.79.254;

  option domain-name-servers 10.10.79.254, 185.233.100.100;

  option domain-name "niort.rosedor.fr";

}

~~~

~~~

echo 'dhcpd_flags="em2"' >>/etc/rc.conf.local

~~~

#### /etc/resolv.conf 

~~~

search brest.openlux.fr 

nameserver 10.10.79.254

lookup file bind

~~~

#### /etc/ntpd.conf

~~~

# $OpenBSD: ntpd.conf,v 1.14 2015/07/15 20:28:37 ajacoutot Exp $

#

# See ntpd.conf(5) and /etc/examples/ntpd.conf

#listen on 172.16.1.254 

servers fr.pool.ntp.org

~~~

#### boot sound

* Exemples:

~~~

echo -e "l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker

echo -e "<cd<a#~<a#>f" > /dev/speaker

echo "o2 AAA ml o2l8F P16 o3l16C o2 l4A  l8F o3P16l16C o2 l4A p4 o3 EEE ml l8F P16 o3l16C o2 l4A- l8F o3P16l16C o2 l4A"  > /dev/speaker

echo -e "ec" > /dev/speaker

echo -e "t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f.." > /dev/speaker

echo -e "<cd<a#~<a#>f" > /dev/speaker

echo -e "t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.">/dev/speaker

echo -e "t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8" > /dev/speaker

echo -e "olcega.a8f>cd2bgc.c8dee2" > /dev/speaker

echo -e "msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4" > /dev/speaker

echo -e "l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker

Beatles

"T255O3< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A F#A B A F# L1 E.< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A L2 F#.> L4 C# < L2 B A L1 B B L1 N0< < L2 A > > > L4 C# < L2 B > L2 C# < L2 A.> L4 C# < A B > L2 C#.< < L2 A > > > L4 C# < L2 B > C# < L2 A.L4 N0 A L2 B AL2 N0 > L2 C# < B A N0L4 F# A B E A B D A B A G# F# E"

sw

"t136 mn o3 l8 ddgfe-dc o2 b-ag o3 d2. l12 ddd l8 g4 p4 p2 p2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t136 mn o3 l8 p4 mn o2 l8 d4 e4.e o3c o2 bag l12 gab l8 a8. e16f+4d8. d e4.e o3 c o2 bag o3 d8.o2   a16 ml a4a4 mn d4 e4.e O3 c o2 bag l12 gaba8. e16 f+4 o3 d8. d16 l16   g8. fe-8. d c8. o2 b-a8. g o3 d2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 co2 b o3c l2 ml o2a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2ba ml l2 o3gdd mn l6 co2bo3c l2 ml o2a1a4 p4 mn l6 o3 mn ddd ml l1 gggg4 p4 p4 mn l12 dddg2"

Reveille: t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f..

Close Encounters: <cd<a#~<a#>f

Lord of the Dance (aka Simple Gifts): t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.

Loony Toons theme: t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8

standard villain's entrance music: mst200o2ola.l8bc.~a.~>l2d#

a trope from 'The Right Stuff' score by Bill Conti: olcega.a8f>cd2bgc.c8dee2

opening bars of Bach's Toccata and Fugue in D Minor": msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4

opening bars of the theme from Star Trek Classic: l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2

~~~

~~~

echo 'echo -e "<cd<a#~<a#>f" > /dev/speaker' >> /etc/rc.local

echo '"O3L30cO4L30cO5L30cO5L30g" > /dev/speaker' >> /etc/rc.local

~~~

#### Unbound

~~~

ln -s /var/unbound/etc/unbound.conf /etc/unbound.conf

~~~

~~~

# $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $

server:

        interface: 127.0.0.1

        interface: 172.16.1.254

        #interface: 127.0.0.1@5353      # listen on alternative port

#       interface: ::1

        do-ip6: no

        # override the default "any" address to send queries; if multiple

        # addresses are available, they are used randomly to counter spoofing

        #outgoing-interface: 192.0.2.1

        #outgoing-interface: 2001:db8::53

        access-control: 0.0.0.0/0 refuse

        access-control: 127.0.0.0/8 allow

        access-control: 172.16.1.254/16 allow 

        access-control: ::0/0 refuse

        access-control: ::1 allow

        hide-identity: yes

        hide-version: yes

        # Uncomment to enable DNSSEC validation.

        #

        #auto-trust-anchor-file: "/var/unbound/db/root.key"

        #val-log-level: 2

        # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains

        # https://tools.ietf.org/html/rfc8198

        #

        #aggressive-nsec: yes

        # Serve zones authoritatively from Unbound to resolver clients.

        # Not for external service.

        #

        #local-zone: "local." static

        #local-data: "mycomputer.local. IN A 192.0.2.51"

        #local-zone: "2.0.192.in-addr.arpa." static

        #local-data-ptr: "192.0.2.51 mycomputer.local"

        # UDP EDNS reassembly buffer advertised to peers. Default 4096.

        # May need lowering on broken networks with fragmentation/MTU issues,

        # particularly if validating DNSSEC.

        #

        #edns-buffer-size: 1480

        # Use TCP for "forward-zone" requests. Useful if you are making

        # DNS requests over an SSH port forwarding.

        #

        #tcp-upstream: yes

remote-control:

        control-enable: yes

        control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.

#

#forward-zone:

#       name: "."                               # use for ALL queries

#       forward-addr: 192.0.2.53                # example address only

#       forward-first: yes                      # try direct if forwarder fails

~~~

~~~

rcctl enable unbound

rcctl start unbound

~~~

#### Install Prometheus  node exporter

~~~

pkg_add go git gmake python-3.6 colorls gnuwatch mtr pftop curl bash 

ln -s /usr/local/bin/python3 /usr/local/bin/python

cd /home/sacha

go get github.com/prometheus/node_exporter

cd /home/sacha/go/src/github.com/prometheus/node_exporter

gmake

mv node_exporter /usr/local/bin/

~~~

##### script de démarage: /etc/rc.d/node_exporter

~~~

vim /etc/login.conf

(...)

node_exporter:\

  :tc=daemon:

~~~

~~~

cap_mkdb /etc/login.conf

groupadd -g 2222 _node_exporter

useradd -u 2222 -g 2222 -c "Prometheus Node Exporter agent" -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter

~~~

* /etc/rc.d/node_exporter

~~~

#!/bin/sh

#

daemon="/usr/local/bin/node_exporter"

node_exporter_textfile_dir="/var/node_exporter"

daemon_flags="--collector.textfile.directory==${node_exporter_textfile_dir}"

daemon_user="_node_exporter"

daemon_group="_node_exporter"

. /etc/rc.d/rc.subr

pexp="${daemon}.*"

rc_bg=YES

rc_reload=NO

rc_pre() { 

    if ! id ${daemon_user}; then

        groupadd _node_exporter

        useradd -g _node_exporter -c "Prometheus Node Exporter agent"\

        -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter

    fi

    if [ ! -d ${node_exporter_textfile_dir} ]; then

        install \

            -d \

            -o ${daemon_user} \

            -g ${daemon_group} \

            -m 1755 \

            ${node_exporter_textfile_dir}

    fi

}

rc_start() {

    ${rcexec} "${daemon} ${daemon_flags} < /dev/null 2>&1"

}

rc_cmd $1

~~~

~~~

chmod 0755 /etc/rc.d/node_exporter

chown root:wheel /etc/rc.d/node_exporter

rcctl enable node_exporter

rcctl start node_exporter

~~~

---

## Firewall

~~~

touch /etc/BLACKLIST

vi /etc/WHITELIST

~~~

### Standard: 1 ADSL

~~~

#######################################################

#         Firewall PF - OpenBSD -                     #

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #

# V1.0 - 20190612                                     #

#######################################################

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#               MACROS                  #

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#-----------------------------------------#

#               Interfaces                #

#-----------------------------------------#

#=====----> ADSL

ADSL       = "pppoe0"

#=====----> LAN

LAN             = "em2"

LAN_VoIP        = "em3"

#-----------------------------------------#

#               Hosts                     #

#-----------------------------------------#

#-----------------------------------------#

#       W H I T E  L I S T                #

#-----------------------------------------#

table <WHITELIST> persist file "/etc/WHITELIST"

#-----------------------------------------#

#       B L A C K  L I S T                #

#-----------------------------------------#

table <BLACKLIST> counters persist file "/etc/BLACKLIST"

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#               OPTIONS                 #

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

set loginterface $ADSL

#set optimization aggressive

set block-policy drop

set skip on lo0 

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#               LOG                     #

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

match log all

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#               NORMALISATION           #

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

# Nettoyer les paquets entrant

match in scrub (reassemble tcp random-id)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#                NAT                    #

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

match out on $ADSL inet from ($LAN:network) to any nat-to ($ADSL)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#               FILTRAGE                #

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

block log all

#-----------------------------------------#

#               Anti-Flood                #

#-----------------------------------------#

#NOFLOOD ="synproxy state (source-track rule max-src-conn 500, max-src-conn-rate 50/10, overload <BLACKLIST> flush global)"

NOFLOOD ="keep state (source-track rule, max-src-states 100)"

block in log quick on $ADSL from no-route to any

block out log quick on $ADSL from no-route to any

block in log quick on $ADSL from any to 255.255.255.255

#-----------------------------------------#

#               Blacklists                #

#-----------------------------------------#

block in quick from <BLACKLIST>

block in log quick on $ADSL inet proto icmp from any to any icmp-type redir

block in log quick on $ADSL inet6 proto icmp6 from any to any icmp6-type redir

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#               Anti-spoof                  #

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

antispoof log quick for $ADSL label "antispoof"

#---------------------------------------#

#               ICMP                    #

#---------------------------------------#

pass inet proto icmp all icmp-type { echorep, echoreq, timex, unreach }

#---------------------------------------#

#               Trace Route             #

#---------------------------------------#

pass in on { $LAN } proto udp from any to any port 33433 >< 33626 keep state

#---------------------------------------#

#               WHITELIST               #

#---------------------------------------#

pass in quick on $ADSL proto tcp from <WHITELIST> to any port 55555 

#---------------------------------------#

#                 LAN                   #

#---------------------------------------#

#=====----> Firewall to Lan

pass out on $LAN inet to $LAN:network

#=====----> ssh LAN

pass in quick on $LAN proto tcp from $LAN:network to $LAN port 55555

#pass in quick proto tcp from any to port 55555

#=====----> dns

pass in quick on $LAN proto udp from $LAN:network to $LAN port 53 

#=====----> dhcp

pass in quick on $LAN inet from $LAN:network to 255.255.255.255 

#=====----> Permit Lan to output

pass in on $LAN inet from $LAN:network to any

pass out on $LAN inet from $LAN:network to any

#---------------------------------------#

#            ACCEPT OUTGOING            #

#---------------------------------------#

pass out on $ADSL

~~~