Openbsd apu » History » Revision 3/5
sacha, 11/11/2020 21:37
Firewall OpenBSD on PCEngines APU¶
DISCLAIMER: This is not a step by step guide.
This is a toolbox of various config files, scripts (such as Prometheus startup scripts, sounds on boot, ...) and various tips (adding a hardware power button).
Install an OpenBSD image¶
Getting the OpenBSD image¶
The list of the mirrors is here: https://www.openbsd.org/ftp.html
Get the latest version, here 6.5:
wget ftp://ftp.irisa.fr/pub/mirrors/OpenBSD/6.5/amd64/install65.fs
Write the image to an USB Key¶
My USB key is /dev/sde:
dd if=install65.fs of=/dev/sde bs=1M
Boot USB & install¶
Select the serial console (tty) on com0 at 115200 baud:
SeaBIOS (version rel-1.12.0.1-0-g393dc9c)

Press F10 key now for boot menu

Booting from Hard Disk...
Using drive 0, partition 3.
Loading......
probing: pc0 com0 com1 com2 com3 mem[639K 1918M a20=on]
disk: hd0+ hd1+*
>> OpenBSD/amd64 BOOT 3.43
boot> stty com0 115200
boot> set tty com0
switching console to com>> OpenBSD/amd64 BOOT 3.43
boot>
Answering the installer's questions:
Welcome to the OpenBSD/amd64 6.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
Terminal type? [vt220]
System hostname? (short form, e.g. 'foo') cerbere
Password for root account? (will not echo)
Password for root account? (again)
Start sshd(8) by default? [yes]
Change the default console to com0? [yes]
Available speeds are: 9600 19200 38400 57600 115200.
Which speed should com0 use? (or 'done') [115200]
Setup a user? (enter a lower-case loginname, or 'no') [no]
Since no user was setup, root logins via sshd(8) might be useful.
WARNING: root is targeted by password guessing attacks, pubkeys are safer.
Allow root ssh login? (yes, no, prohibit-password) [no] yes
Available disks are: sd0 sd1.
Which disk is the root disk? ('?' for details) [sd0]
No valid MBR or GPT.
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]
80% /
10% swap
10% /var/log
Configuration¶
/etc/sysctl.conf¶
net.inet.ip.forwarding=1
net.inet.gre.allow=1
/root/.profile¶
export PS1="\H|\t|:\w\\$"
umask 022
#export LS_OPTIONS='--color=auto'
alias ls='/usr/local/bin/colorls -G'
alias ll='ls -l'
alias l='ls -lA'
# OpenBSD du has no --max-depth; -d is the equivalent
alias d="du -d 1 -h"
#alias carp='ifconfig carp |grep -e "MASTER" -e "BACKUP" && ifconfig -g carp'
# Some more aliases to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias df='df -h'
# Show the pf BLACKLIST table and the 10 busiest states
alias b='echo "\n IP BLACKLISTED\n========================================================";pfctl -t BLACKLIST -T show;echo "\n TOP 10 states\n========================================================";pfctl -sS |sort -nrk4 |head -n 10 '

echo
echo "________________________________________________________________________"
echo
who
echo "________________________________________________________________________"
echo
last -n 20
echo "________________________________________________________________________"
echo
uptime
echo "________________________________________________________________________"
/home/sacha/.profile¶
# $OpenBSD: dot.profile,v 1.5 2018/02/02 02:29:54 yasuoka Exp $
#
# sh/ksh initialization

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games
export PATH HOME TERM

export PS1="\H|\t|:\w\\$"
alias ls='colorls -G'
alias ll='ls -l'
alias l='ls -lA'
# OpenBSD du has no --max-depth; -d is the equivalent
alias d="du -d 1 -h"
# Some more aliases to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias df='df -h'

echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo
echo -n " " && uname -a
echo
echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo
w
echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo && echo
/etc/ssh/sshd_config¶
Port 55555
PasswordAuthentication no
ChallengeResponseAuthentication no
- Add the local network on em2, in the form 10.10.<department>/24
/etc/dhcpd.conf¶
Depending on the local network, for example:
subnet 10.10.79.0 netmask 255.255.255.0 {
    range 10.10.79.100 10.10.79.199;
    default-lease-time 600;
    max-lease-time 7200;
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.10.79.255;
    option routers 10.10.79.254;
    option domain-name-servers 10.10.79.254, 185.233.100.100;
    option domain-name "niort.rosedor.fr";
}
echo 'dhcpd_flags="em2"' >>/etc/rc.conf.local
/etc/resolv.conf¶
search brest.openlux.fr
nameserver 10.10.79.254
lookup file bind
/etc/ntpd.conf¶
# $OpenBSD: ntpd.conf,v 1.14 2015/07/15 20:28:37 ajacoutot Exp $
#
# See ntpd.conf(5) and /etc/examples/ntpd.conf

#listen on 172.16.1.254

servers fr.pool.ntp.org
boot sound¶
- Examples:
echo -e "l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker
echo -e "<cd<a#~<a#>f" > /dev/speaker
echo "o2 AAA ml o2l8F P16 o3l16C o2 l4A l8F o3P16l16C o2 l4A p4 o3 EEE ml l8F P16 o3l16C o2 l4A- l8F o3P16l16C o2 l4A" > /dev/speaker
echo -e "ec" > /dev/speaker
echo -e "t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f.." > /dev/speaker
echo -e "<cd<a#~<a#>f" > /dev/speaker
echo -e "t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf." > /dev/speaker
echo -e "t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8" > /dev/speaker
echo -e "olcega.a8f>cd2bgc.c8dee2" > /dev/speaker
echo -e "msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4" > /dev/speaker
echo -e "l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker
- Named tunes (strings to send to /dev/speaker the same way):
Beatles: T255O3< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A F#A B A F# L1 E.< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A L2 F#.> L4 C# < L2 B A L1 B B L1 N0< < L2 A > > > L4 C# < L2 B > L2 C# < L2 A.> L4 C# < A B > L2 C#.< < L2 A > > > L4 C# < L2 B > C# < L2 A.L4 N0 A L2 B AL2 N0 > L2 C# < B A N0L4 F# A B E A B D A B A G# F# E
sw: t136 mn o3 l8 ddgfe-dc o2 b-ag o3 d2. l12 ddd l8 g4 p4 p2 p2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t136 mn o3 l8 p4 mn o2 l8 d4 e4.e o3c o2 bag l12 gab l8 a8. e16f+4d8. d e4.e o3 c o2 bag o3 d8.o2 a16 ml a4a4 mn d4 e4.e O3 c o2 bag l12 gaba8. e16 f+4 o3 d8. d16 l16 g8. fe-8. d c8. o2 b-a8. g o3 d2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 co2 b o3c l2 ml o2a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2ba ml l2 o3gdd mn l6 co2bo3c l2 ml o2a1a4 p4 mn l6 o3 mn ddd ml l1 gggg4 p4 p4 mn l12 dddg2
Reveille: t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f..
Close Encounters: <cd<a#~<a#>f
Lord of the Dance (aka Simple Gifts): t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.
Loony Toons theme: t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8
Standard villain's entrance music: mst200o2ola.l8bc.~a.~>l2d#
A trope from 'The Right Stuff' score by Bill Conti: olcega.a8f>cd2bgc.c8dee2
Opening bars of Bach's Toccata and Fugue in D Minor: msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4
Opening bars of the theme from Star Trek Classic: l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2
Play a tune at the end of boot by appending the commands to /etc/rc.local (each line written into rc.local must itself be a complete echo command):
echo 'echo -e "<cd<a#~<a#>f" > /dev/speaker' >> /etc/rc.local
echo 'echo "O3L30cO4L30cO5L30cO5L30g" > /dev/speaker' >> /etc/rc.local
Unbound¶
ln -s /var/unbound/etc/unbound.conf /etc/unbound.conf
# $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $

server:
    interface: 127.0.0.1
    interface: 172.16.1.254
    #interface: 127.0.0.1@5353    # listen on alternative port
    # interface: ::1
    do-ip6: no

    # override the default "any" address to send queries; if multiple
    # addresses are available, they are used randomly to counter spoofing
    #outgoing-interface: 192.0.2.1
    #outgoing-interface: 2001:db8::53

    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.1.254/16 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow

    hide-identity: yes
    hide-version: yes

    # Uncomment to enable DNSSEC validation.
    #
    #auto-trust-anchor-file: "/var/unbound/db/root.key"
    #val-log-level: 2

    # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
    # https://tools.ietf.org/html/rfc8198
    #
    #aggressive-nsec: yes

    # Serve zones authoritatively from Unbound to resolver clients.
    # Not for external service.
    #
    #local-zone: "local." static
    #local-data: "mycomputer.local. IN A 192.0.2.51"
    #local-zone: "2.0.192.in-addr.arpa." static
    #local-data-ptr: "192.0.2.51 mycomputer.local"

    # UDP EDNS reassembly buffer advertised to peers. Default 4096.
    # May need lowering on broken networks with fragmentation/MTU issues,
    # particularly if validating DNSSEC.
    #
    #edns-buffer-size: 1480

    # Use TCP for "forward-zone" requests. Useful if you are making
    # DNS requests over an SSH port forwarding.
    #
    #tcp-upstream: yes

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
#    name: "."                    # use for ALL queries
#    forward-addr: 192.0.2.53     # example address only
#    forward-first: yes           # try direct if forwarder fails

rcctl enable unbound
rcctl start unbound
Install Prometheus node exporter¶
pkg_add go git gmake python-3.6 colorls gnuwatch mtr pftop curl bash
ln -s /usr/local/bin/python3 /usr/local/bin/python
cd /home/sacha
go get github.com/prometheus/node_exporter
cd /home/sacha/go/src/github.com/prometheus/node_exporter
gmake
mv node_exporter /usr/local/bin/
Startup script: /etc/rc.d/node_exporter¶
Add a login class for the daemon:
vim /etc/login.conf
(...)
node_exporter:\
        :tc=daemon:
cap_mkdb /etc/login.conf
groupadd -g 2222 _node_exporter
useradd -u 2222 -g 2222 -c "Prometheus Node Exporter agent" -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter
- /etc/rc.d/node_exporter
#!/bin/sh
#
daemon="/usr/local/bin/node_exporter"
node_exporter_textfile_dir="/var/node_exporter"
# textfile collector directory: a single "=" (a doubled "==" would be passed to the daemon as part of the path)
daemon_flags="--collector.textfile.directory=${node_exporter_textfile_dir}"
daemon_user="_node_exporter"
daemon_group="_node_exporter"

. /etc/rc.d/rc.subr

pexp="${daemon}.*"
rc_bg=YES
rc_reload=NO

rc_pre() {
	# create the unprivileged account if it does not exist yet (quietly)
	if ! id ${daemon_user} >/dev/null 2>&1; then
		groupadd _node_exporter
		useradd -g _node_exporter -c "Prometheus Node Exporter agent" \
		    -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter
	fi
	# directory read by the textfile collector, owned by the daemon user
	if [ ! -d ${node_exporter_textfile_dir} ]; then
		install \
		    -d \
		    -o ${daemon_user} \
		    -g ${daemon_group} \
		    -m 1755 \
		    ${node_exporter_textfile_dir}
	fi
}

rc_start() {
	${rcexec} "${daemon} ${daemon_flags} < /dev/null 2>&1"
}

rc_cmd $1
chmod 0755 /etc/rc.d/node_exporter
chown root:wheel /etc/rc.d/node_exporter
rcctl enable node_exporter
rcctl start node_exporter
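The textfile directory created by the rc script is only useful once something writes metrics into it. The following collector is an added example (not part of the original page or of the node_exporter project): it reads the pf state count and the size of the BLACKLIST and WHITELIST tables with pfctl(8) and writes them in Prometheus text format to /var/node_exporter/pf.prom, so that a full state table or a growing blacklist can be alerted on. The metric names, the file name pf.prom and the parsing of the pfctl output are my assumptions; the `TEXTFILE_DIR` variable defaults to the directory the rc script above uses.

```shell
#!/bin/sh
# Added example (not from the original page): textfile collector for the
# node_exporter configured above. Assumes pfctl(8) is present on the firewall;
# where it is not, the numbers can be supplied directly to write_pf_metrics.

TEXTFILE_DIR="${TEXTFILE_DIR:-/var/node_exporter}"   # same dir as the rc script

# Current number of pf state entries, parsed from the "current entries" line of "pfctl -si".
pf_state_count() {
    pfctl -si 2>/dev/null | awk '/^ *current entries/ { print $3 }'
}

# Number of addresses in a pf table, one address per line in "pfctl -t <table> -T show".
pf_table_size() {
    pfctl -t "$1" -T show 2>/dev/null | grep -c .
}

# Render the metrics in the Prometheus text exposition format.
# Arguments: <state_count> <blacklist_size> <whitelist_size>
format_pf_metrics() {
    printf '# HELP openbsd_pf_states Current entries in the pf state table.\n'
    printf '# TYPE openbsd_pf_states gauge\n'
    printf 'openbsd_pf_states %s\n' "$1"
    printf '# HELP openbsd_pf_table_entries Addresses loaded in a pf table.\n'
    printf '# TYPE openbsd_pf_table_entries gauge\n'
    printf 'openbsd_pf_table_entries{table="BLACKLIST"} %s\n' "$2"
    printf 'openbsd_pf_table_entries{table="WHITELIST"} %s\n' "$3"
}

# Write the metrics file atomically: node_exporter must never read a
# half-written file, so write to a temp file in the same directory and rename.
write_pf_metrics() {
    out="$TEXTFILE_DIR/pf.prom"
    tmp="$out.$$"
    format_pf_metrics "$1" "$2" "$3" > "$tmp" && mv "$tmp" "$out"
}

# Collect and write when invoked as "pf_textfile.sh collect" on the firewall.
if command -v pfctl >/dev/null 2>&1 && [ "${1:-}" = "collect" ]; then
    write_pf_metrics "$(pf_state_count)" "$(pf_table_size BLACKLIST)" "$(pf_table_size WHITELIST)"
fi
```

Run it from root's crontab every minute (`* * * * * /usr/local/bin/pf_textfile.sh collect`, path assumed); the rename keeps the exporter from ever scraping a truncated file, and because the collector runs as root while the directory is mode 1755 and owned by `_node_exporter`, the daemon itself keeps no write access to anything but its own files.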
Firewall¶
touch /etc/BLACKLIST
vi /etc/WHITELIST
Standard: 1 ADSL¶
#######################################################
#              Firewall PF - OpenBSD -                #
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #
#                 V1.0 - 20190612                     #
#######################################################

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               MACROS                  #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#-----------------------------------------#
#              Interfaces                 #
#-----------------------------------------#
#=====----> ADSL
ADSL = "pppoe0"
#=====----> LAN
LAN = "em2"
LAN_VoIP = "em3"

#-----------------------------------------#
#                 Hosts                   #
#-----------------------------------------#

#-----------------------------------------#
#           W H I T E L I S T             #
#-----------------------------------------#
table <WHITELIST> persist file "/etc/WHITELIST"

#-----------------------------------------#
#           B L A C K L I S T             #
#-----------------------------------------#
table <BLACKLIST> counters persist file "/etc/BLACKLIST"

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               OPTIONS                 #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
set loginterface $ADSL
#set optimization aggressive
set block-policy drop
set skip on lo0

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#                 LOG                   #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
match log all

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#            NORMALISATION              #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Clean up incoming packets
match in scrub (reassemble tcp random-id)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#                 NAT                   #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
match out on $ADSL inet from ($LAN:network) to any nat-to ($ADSL)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#              FILTERING                #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
block log all

#-----------------------------------------#
#               Anti-Flood                #
#-----------------------------------------#
#NOFLOOD ="synproxy state (source-track rule max-src-conn 500, max-src-conn-rate 50/10, overload <BLACKLIST> flush global)"
NOFLOOD ="keep state (source-track rule, max-src-states 100)"

block in log quick on $ADSL from no-route to any
block out log quick on $ADSL from no-route to any
block in log quick on $ADSL from any to 255.255.255.255

#-----------------------------------------#
#               Blacklists                #
#-----------------------------------------#
block in quick from <BLACKLIST>
block in log quick on $ADSL inet proto icmp from any to any icmp-type redir
block in log quick on $ADSL inet6 proto icmp6 from any to any icmp6-type redir

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#                Anti-spoof                 #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
antispoof log quick for $ADSL label "antispoof"

#---------------------------------------#
#                 ICMP                  #
#---------------------------------------#
pass inet proto icmp all icmp-type { echorep, echoreq, timex, unreach }

#---------------------------------------#
#              Trace Route              #
#---------------------------------------#
pass in on { $LAN } proto udp from any to any port 33433 >< 33626 keep state

#---------------------------------------#
#               WHITELIST               #
#---------------------------------------#
pass in quick on $ADSL proto tcp from <WHITELIST> to any port 55555

#---------------------------------------#
#                  LAN                  #
#---------------------------------------#
#=====----> Firewall to Lan
pass out on $LAN inet to $LAN:network
#=====----> ssh LAN
pass in quick on $LAN proto tcp from $LAN:network to $LAN port 55555
#pass in quick proto tcp from any to port 55555
#=====----> dns
pass in quick on $LAN proto udp from $LAN:network to $LAN port 53
#=====----> dhcp
pass in quick on $LAN inet from $LAN:network to 255.255.255.255
#=====----> Permit Lan to output
pass in on $LAN inet from $LAN:network to any
pass out on $LAN inet from $LAN:network to any

#---------------------------------------#
#            ACCEPT OUTGOING            #
#---------------------------------------#
pass out on $ADSL
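The <BLACKLIST> table above is loaded from /etc/BLACKLIST with `persist file`, so the live table and the file drift apart if only one of them is edited (after a reboot the file wins). The helper below is an added example, not part of the original page: it validates the address before touching anything, updates the file once, and updates the live table with pfctl(8) when it is available. The file path (/etc/BLACKLIST, overridable through `BLACKLIST_FILE`), the IPv4-only validation and the pfctl calls are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): maintain the pf <BLACKLIST>
# table and its persistent file together. Assumes the table name BLACKLIST and
# the file /etc/BLACKLIST from the pf.conf above.

BLACKLIST_FILE="${BLACKLIST_FILE:-/etc/BLACKLIST}"

# Accept only a dotted-quad IPv4 address with an optional /0-/32 prefix.
# Returns 0 when valid, 1 otherwise, so that nothing unchecked (e.g. a string
# scraped from a log) ever reaches the file or a pfctl command line.
valid_ipv4_netblock() {
    addr="${1%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32          # no "/": single host
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldIFS=$IFS; IFS=.; set -- $addr; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Add a netblock to the persistent file (once) and to the live table.
blacklist_add() {
    valid_ipv4_netblock "$1" || { echo "blacklist_add: invalid netblock '$1'" >&2; return 1; }
    grep -qxF "$1" "$BLACKLIST_FILE" 2>/dev/null || echo "$1" >> "$BLACKLIST_FILE"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t BLACKLIST -T add "$1"
    fi
}

# Remove a netblock from both the file and the live table.
blacklist_del() {
    valid_ipv4_netblock "$1" || return 1
    if [ -f "$BLACKLIST_FILE" ]; then
        # grep exits 1 when no line is left; only exit status 2 is a real error
        grep -vxF "$1" "$BLACKLIST_FILE" > "$BLACKLIST_FILE.tmp" || [ $? -eq 1 ]
        mv "$BLACKLIST_FILE.tmp" "$BLACKLIST_FILE"
    fi
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t BLACKLIST -T delete "$1"
    fi
}

# Command-line use: blacklist.sh add|del <netblock>, blacklist.sh show
case "${1:-}" in
    add)  blacklist_add "$2" ;;
    del)  blacklist_del "$2" ;;
    show) cat "$BLACKLIST_FILE" ;;
esac
```

Because the table is declared with `counters`, `pfctl -t BLACKLIST -T show -v` reports how often each entry matched, which is a quick way to see whether a block is still earning its place before `blacklist_del` removes it; after hand-editing /etc/pf.conf itself, `pfctl -nf /etc/pf.conf` checks the syntax before a reload.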
Updated by sacha about 4 years ago · 3 revisions