
Openbsd apu » History » Revision 3

Revision 2 (sacha, 11/11/2020 21:32) → Revision 3/5 (sacha, 11/11/2020 21:37)


 # OpenBSD firewall on PC Engines APU 

 DISCLAIMER: This is not a step by step guide. 

 This is a toolbox of various config files, scripts (like Prometheus startup scripts, sounds on boot...) and various tips (adding a hardware power button). 


 



 ## Install an OpenBSD image 


 ### Getting the OpenBSD image  

 The list of the mirrors is here: https://www.openbsd.org/ftp.html 
 Get the latest version, here 6.5: 

 ~~~ 
 wget ftp://ftp.irisa.fr/pub/mirrors/OpenBSD/6.5/amd64/install65.fs 
 ~~~ 

 ### Write the image to a USB key 

 My USB key is /dev/sde: 

 ~~~ 
 dd if=install65.fs of=/dev/sde bs=1M 
 ~~~ 

 ### Boot USB & install 

 Select the tty output at 115200 baud on com0: 

 ~~~ 
 SeaBIOS (version rel-1.12.0.1-0-g393dc9c) 

 Press F10 key now for boot menu 

 Booting from Hard Disk... 
 Using drive 0, partition 3. 
 Loading...... 
 probing: pc0 com0 com1 com2 com3 mem[639K 1918M a20=on]  
 disk: hd0+ hd1+* 
 >> OpenBSD/amd64 BOOT 3.43 
 boot> stty com0 115200 
 boot> set tty com0 
 switching console to com>> OpenBSD/amd64 BOOT 3.43 
 boot> 
 ~~~ 

 Answering the installer prompts: 
 ~~~ 
 Welcome to the OpenBSD/amd64 6.5 installation program. 
 (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I 

 Terminal type? [vt220] 
 System hostname? (short form, e.g. 'foo') cerbere 
 Password for root account? (will not echo)  
 Password for root account? (again)  
 Start sshd(8) by default? [yes]  
 Change the default console to com0? [yes]  
 Available speeds are: 9600 19200 38400 57600 115200. 
 Which speed should com0 use? (or 'done') [115200]  
 Setup a user? (enter a lower-case loginname, or 'no') [no]  
 Since no user was setup, root logins via sshd(8) might be useful. 
 WARNING: root is targeted by password guessing attacks, pubkeys are safer. 
 Allow root ssh login? (yes, no, prohibit-password) [no] yes 

 Available disks are: sd0 sd1. 
 Which disk is the root disk? ('?' for details) [sd0]  
 No valid MBR or GPT. 
 Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]  
 ~~~ 

 Disk layout: 

 * 80% / 
 * 10% swap 
 * 10% /var/log 

 ### Configuration 


 #### /etc/sysctl.conf        
                                                                                                                                   
 ~~~ 
 net.inet.ip.forwarding=1 
 net.inet.gre.allow=1 

 ~~~ 

 #### adduser 

 group wheel 


 #### /etc/doas.conf        
                                                                                                                          
 ~~~ 
 permit :wheel 
 ~~~ 

 #### /root/.profile 

 ~~~ 
 export PS1="\H|\t|:\w\\$" 

 umask 022 

 #export LS_OPTIONS='--color=auto' 
 alias ls='/usr/local/bin/colorls -G' 
 alias ll='ls -l' 
 alias l='ls -lA' 
 alias d="du --max-depth=1 -h" 
 #alias carp='ifconfig carp |grep -e "MASTER" -e "BACKUP" && ifconfig -g carp' 

 # Some more alias to avoid making mistakes: 
 alias rm='rm -i' 
 alias cp='cp -i' 
 alias mv='mv -i' 
 alias df='df -h' 
 alias b='echo "\n IP BLACKLISTED\n========================================================";pfctl -t BLACKLIST -T show;echo "\n TOP 10 states\n========================================================";pfctl -sS |sort -nrk4 |head -n 10 ' 
 echo 
 echo "________________________________________________________________________" 
 echo 
 who 
 echo "________________________________________________________________________" 
 echo 
 last -n 20 
 echo "________________________________________________________________________" 
 echo 
 uptime 
 echo "________________________________________________________________________" 
 ~~~ 

 #### /home/sacha/.profile 

 ~~~ 
 # $OpenBSD: dot.profile,v 1.5 2018/02/02 02:29:54 yasuoka Exp $ 
 # 
 # sh/ksh initialization 

 PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games 
 export PATH HOME TERM 

 export PS1="\H|\t|:\w\\$" 

 alias ls='colorls -G' 
 alias ll='ls -l' 
 alias l='ls -lA' 
 alias d="du --max-depth=1 -h" 

 # Some more alias to avoid making mistakes: 
 alias rm='rm -i' 
 alias cp='cp -i' 
 alias mv='mv -i' 
 alias df='df -h' 

 echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _" 
 echo 
 echo -n "       " && uname -a 
 echo 
 echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _" 
 echo 
 w 
 echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _" 
 echo && echo 


 ~~~ 

 #### /etc/ssh/sshd_config 

 ~~~ 
 Port 55555 
 PasswordAuthentication no 
 ChallengeResponseAuthentication no 
 ~~~ 

 + Add the local network on em2 in the form 10.10.département/24 

 #### /etc/dhcpd.conf 

 Depending on the local network, for example: 

 ~~~ 
 subnet 10.10.79.0 netmask 255.255.255.0 { 
   range 10.10.79.100 10.10.79.199; 
   default-lease-time 600; 
   max-lease-time 7200; 
   option subnet-mask 255.255.255.0; 
   option broadcast-address 10.10.79.255; 
   option routers 10.10.79.254; 
   option domain-name-servers 10.10.79.254, 185.233.100.100; 
   option domain-name "niort.rosedor.fr"; 
 } 
 ~~~ 

 ~~~ 
 echo 'dhcpd_flags="em2"' >>/etc/rc.conf.local 
 ~~~ 


 #### /etc/resolv.conf  

 ~~~ 
 search brest.openlux.fr  
 nameserver 10.10.79.254 
 lookup file bind 
 ~~~ 


 #### /etc/ntpd.conf 

 ~~~ 
 # $OpenBSD: ntpd.conf,v 1.14 2015/07/15 20:28:37 ajacoutot Exp $ 
 # 
 # See ntpd.conf(5) and /etc/examples/ntpd.conf 

 #listen on 172.16.1.254  
 servers fr.pool.ntp.org 

 ~~~ 

 #### boot sound 

 * Examples: 

 ~~~ 
 echo -e "l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker 
 echo -e "<cd<a#~<a#>f" > /dev/speaker 
 echo "o2 AAA ml o2l8F P16 o3l16C o2 l4A    l8F o3P16l16C o2 l4A p4 o3 EEE ml l8F P16 o3l16C o2 l4A- l8F o3P16l16C o2 l4A"    > /dev/speaker 
 echo -e "ec" > /dev/speaker 
 echo -e "t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f.." > /dev/speaker 
 echo -e "<cd<a#~<a#>f" > /dev/speaker 
 echo -e "t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.">/dev/speaker 
 echo -e "t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8" > /dev/speaker 
 echo -e "olcega.a8f>cd2bgc.c8dee2" > /dev/speaker 
 echo -e "msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4" > /dev/speaker 
 echo -e "l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker 

 Beatles 
 "T255O3< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A F#A B A F# L1 E.< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A L2 F#.> L4 C# < L2 B A L1 B B L1 N0< < L2 A > > > L4 C# < L2 B > L2 C# < L2 A.> L4 C# < A B > L2 C#.< < L2 A > > > L4 C# < L2 B > C# < L2 A.L4 N0 A L2 B AL2 N0 > L2 C# < B A N0L4 F# A B E A B D A B A G# F# E" 

 sw 
 "t136 mn o3 l8 ddgfe-dc o2 b-ag o3 d2. l12 ddd l8 g4 p4 p2 p2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t136 mn o3 l8 p4 mn o2 l8 d4 e4.e o3c o2 bag l12 gab l8 a8. e16f+4d8. d e4.e o3 c o2 bag o3 d8.o2     a16 ml a4a4 mn d4 e4.e O3 c o2 bag l12 gaba8. e16 f+4 o3 d8. d16 l16     g8. fe-8. d c8. o2 b-a8. g o3 d2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 co2 b o3c l2 ml o2a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2ba ml l2 o3gdd mn l6 co2bo3c l2 ml o2a1a4 p4 mn l6 o3 mn ddd ml l1 gggg4 p4 p4 mn l12 dddg2" 



 Reveille: t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f.. 
 Close Encounters: <cd<a#~<a#>f 
 Lord of the Dance (aka Simple Gifts): t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf. 
 Loony Toons theme: t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8 
 standard villain's entrance music: mst200o2ola.l8bc.~a.~>l2d# 
 a trope from 'The Right Stuff' score by Bill Conti: olcega.a8f>cd2bgc.c8dee2 
 opening bars of Bach's Toccata and Fugue in D Minor: msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4 
 opening bars of the theme from Star Trek Classic: l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2 


 ~~~ 

 ~~~ 
 echo 'echo -e "<cd<a#~<a#>f" > /dev/speaker' >> /etc/rc.local 
 # the inner echo is needed: without it rc.local would try to run the tune string as a command 
 echo 'echo "O3L30cO4L30cO5L30cO5L30g" > /dev/speaker' >> /etc/rc.local 
 ~~~ 

 #### Unbound 

 ~~~ 
 ln -s /var/unbound/etc/unbound.conf /etc/unbound.conf 
 ~~~ 

 ~~~ 
 # $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $ 

 server: 
         interface: 127.0.0.1 
         interface: 172.16.1.254 
         #interface: 127.0.0.1@5353        # listen on alternative port 
 #         interface: ::1 
         do-ip6: no 

         # override the default "any" address to send queries; if multiple 
         # addresses are available, they are used randomly to counter spoofing 
         #outgoing-interface: 192.0.2.1 
         #outgoing-interface: 2001:db8::53 

         access-control: 0.0.0.0/0 refuse 
         access-control: 127.0.0.0/8 allow 
         access-control: 172.16.0.0/16 allow      # LAN prefix (host bits cleared) 
         access-control: ::0/0 refuse 
         access-control: ::1 allow 

         hide-identity: yes 
         hide-version: yes 

         # Uncomment to enable DNSSEC validation. 
         # 
         #auto-trust-anchor-file: "/var/unbound/db/root.key" 
         #val-log-level: 2 

         # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains 
         # https://tools.ietf.org/html/rfc8198 
         # 
         #aggressive-nsec: yes 

         # Serve zones authoritatively from Unbound to resolver clients. 
         # Not for external service. 
         # 
         #local-zone: "local." static 
         #local-data: "mycomputer.local. IN A 192.0.2.51" 
         #local-zone: "2.0.192.in-addr.arpa." static 
         #local-data-ptr: "192.0.2.51 mycomputer.local" 

         # UDP EDNS reassembly buffer advertised to peers. Default 4096. 
         # May need lowering on broken networks with fragmentation/MTU issues, 
         # particularly if validating DNSSEC. 
         # 
         #edns-buffer-size: 1480 

         # Use TCP for "forward-zone" requests. Useful if you are making 
         # DNS requests over an SSH port forwarding. 
         # 
         #tcp-upstream: yes 

 remote-control: 
         control-enable: yes 
         control-interface: /var/run/unbound.sock 

 # Use an upstream forwarder (recursive resolver) for some or all zones. 
 # 
 #forward-zone: 
 #         name: "."                                 # use for ALL queries 
 #         forward-addr: 192.0.2.53                  # example address only 
 #         forward-first: yes                        # try direct if forwarder fails 
 ~~~ 

 ~~~ 
 rcctl enable unbound 
 rcctl start unbound 
 ~~~ 

 #### Install Prometheus node exporter 

 ~~~ 
 pkg_add go git gmake python-3.6 colorls gnuwatch mtr pftop curl bash  
 ln -s /usr/local/bin/python3 /usr/local/bin/python 
 cd /home/sacha 
 go get github.com/prometheus/node_exporter 
 cd /home/sacha/go/src/github.com/prometheus/node_exporter 
 gmake 
 mv node_exporter /usr/local/bin/ 
 ~~~ 

 ##### Startup script: /etc/rc.d/node_exporter 

 ~~~ 
 vim /etc/login.conf 
 (...) 
 node_exporter:\ 
   :tc=daemon: 
 ~~~ 

 ~~~ 
 cap_mkdb /etc/login.conf 
 groupadd -g 2222 _node_exporter 
 useradd -u 2222 -g 2222 -c "Prometheus Node Exporter agent" -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter 
 ~~~ 

 * /etc/rc.d/node_exporter 

 ~~~ 
 #!/bin/sh 
 # 
 # rc.d(8) script for the node_exporter binary built above. 

 daemon="/usr/local/bin/node_exporter" 
 node_exporter_textfile_dir="/var/node_exporter" 
 # single "=": a doubled "==" would become part of the directory path 
 daemon_flags="--collector.textfile.directory=${node_exporter_textfile_dir}" 
 daemon_user="_node_exporter" 
 daemon_group="_node_exporter" 

 . /etc/rc.d/rc.subr 

 pexp="${daemon}.*" 
 rc_bg=YES 
 rc_reload=NO 

 rc_pre() { 
     # create the unprivileged account if the useradd step above was skipped 
     if ! id "${daemon_user}" >/dev/null 2>&1; then 
         groupadd _node_exporter 
         useradd -g _node_exporter -c "Prometheus Node Exporter agent" \ 
             -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter 
     fi 
     # textfile collector directory (1755: owner writes, everyone reads) 
     if [ ! -d "${node_exporter_textfile_dir}" ]; then 
         install -d -o "${daemon_user}" -g "${daemon_group}" -m 1755 \ 
             "${node_exporter_textfile_dir}" 
     fi 
 } 

 rc_start() { 
     ${rcexec} "${daemon} ${daemon_flags} < /dev/null 2>&1" 
 } 

 rc_cmd "$1" 
 ~~~ 


 ~~~ 
 chmod 0755 /etc/rc.d/node_exporter 
 chown root:wheel /etc/rc.d/node_exporter 

 rcctl enable node_exporter 
 rcctl start node_exporter 
 ~~~ 
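As an added example (not code from the original page), a textfile-collector script that turns pf figures into metrics for the node_exporter started above. It assumes the /var/node_exporter directory from the rc.d script, the `current entries` line of `pfctl -si` output, and the <BLACKLIST> table defined in the firewall section of this page; TEXTFILE_DIR and the `run` argument are conventions of this example only.

```shell
#!/bin/sh
# Added example (not part of the original page): node_exporter textfile
# collector exposing the pf state-table size and the <BLACKLIST> table size.
# Assumptions: the textfile directory from the rc.d script (/var/node_exporter),
# the "current entries" line of `pfctl -si`, and the BLACKLIST table from the
# firewall section. TEXTFILE_DIR is an override hook used for testing.

TEXTFILE_DIR="${TEXTFILE_DIR:-/var/node_exporter}"
OUT="${TEXTFILE_DIR}/pf.prom"

# Read `pfctl -si` output on stdin and print the state-table size (0 if absent).
pf_current_entries() {
    awk '$1 == "current" && $2 == "entries" { print $3; found = 1 }
         END { if (!found) print 0 }'
}

# Read `pfctl -t <table> -T show` output on stdin and print the entry count.
pf_table_count() {
    awk 'NF > 0 { n++ } END { print n + 0 }'
}

# Render the two gauges in the Prometheus text exposition format.
render_pf_metrics() {
    states="$1"
    blacklisted="$2"
    printf '# HELP pf_states_current Entries in the pf state table.\n'
    printf '# TYPE pf_states_current gauge\n'
    printf 'pf_states_current %s\n' "$states"
    printf '# HELP pf_table_entries Addresses currently in a pf table.\n'
    printf '# TYPE pf_table_entries gauge\n'
    printf 'pf_table_entries{table="BLACKLIST"} %s\n' "$blacklisted"
}

# Collect from the live system and replace the .prom file atomically, so the
# exporter never reads a half-written file.
collect_pf_metrics() {
    states=$(pfctl -si 2>/dev/null | pf_current_entries)
    blacklisted=$(pfctl -t BLACKLIST -T show 2>/dev/null | pf_table_count)
    tmp="${OUT}.$$"
    render_pf_metrics "$states" "$blacklisted" > "$tmp" && mv "$tmp" "$OUT"
}

# Collect only when invoked with "run" (e.g. from root's crontab); sourcing
# the file just defines the functions.
case "${1:-}" in
    run) collect_pf_metrics ;;
esac
```

Run it from root's crontab with the `run` argument (the install path is your choice); node_exporter then serves the two gauges through its textfile collector, so a sudden growth of the state table or of the blacklist shows up in Prometheus without the script ever talking to the exporter.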

 --- 

 ## Firewall 


 ~~~ 
 touch /etc/BLACKLIST 
 vi /etc/WHITELIST 
 ~~~ 


 ### Standard: 1 ADSL 

 ~~~ 
 ####################################################### 
 #           Firewall PF - OpenBSD -                       # 
 # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- # 
 # V1.0 - 20190612                                       # 
 ####################################################### 


 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 
 #                 MACROS                    # 
 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 

 #-----------------------------------------# 
 #                 Interfaces                  # 
 #-----------------------------------------# 
 #=====----> ADSL 
 ADSL         = "pppoe0" 


 #=====----> LAN 
 LAN               = "em2" 
 LAN_VoIP          = "em3" 

 #-----------------------------------------# 
 #                 Hosts                       # 
 #-----------------------------------------# 


 #-----------------------------------------# 
 #         W H I T E    L I S T                  # 
 #-----------------------------------------# 
 table <WHITELIST> persist file "/etc/WHITELIST" 

 #-----------------------------------------# 
 #         B L A C K    L I S T                  # 
 #-----------------------------------------# 
 table <BLACKLIST> counters persist file "/etc/BLACKLIST" 

 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 
 #                 OPTIONS                   # 
 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 
 set loginterface $ADSL 

 #set optimization aggressive 
 set block-policy drop 

 set skip on lo0  


 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 
 #                 LOG                       # 
 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 
 match log all 


 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 
 #                 NORMALIZATION             # 
 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 

 # Scrub incoming packets 
 match in scrub (reassemble tcp random-id) 

 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 
 #                  NAT                      # 
 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 
 match out on $ADSL inet from ($LAN:network) to any nat-to ($ADSL) 

 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 
 #                 FILTERING                 # 
 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 
 block log all 

 #-----------------------------------------# 
 #                 Anti-Flood                  # 
 #-----------------------------------------# 
 #NOFLOOD ="synproxy state (source-track rule max-src-conn 500, max-src-conn-rate 50/10, overload <BLACKLIST> flush global)" 
 NOFLOOD ="keep state (source-track rule, max-src-states 100)" 

 block in log quick on $ADSL from no-route to any 
 block out log quick on $ADSL from no-route to any 
 block in log quick on $ADSL from any to 255.255.255.255 

 #-----------------------------------------# 
 #                 Blacklists                  # 
 #-----------------------------------------# 
 block in quick from <BLACKLIST> 

 block in log quick on $ADSL inet proto icmp from any to any icmp-type redir 
 block in log quick on $ADSL inet6 proto icmp6 from any to any icmp6-type redir 

 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 
 #                 Anti-spoof                    # 
 #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# 
 antispoof log quick for $ADSL label "antispoof" 

 #---------------------------------------# 
 #                 ICMP                      # 
 #---------------------------------------# 
 pass inet proto icmp all icmp-type { echorep, echoreq, timex, unreach } 

 #---------------------------------------# 
 #                 Trace Route               # 
 #---------------------------------------# 
 pass in on { $LAN } proto udp from any to any port 33433 >< 33626 keep state 

 #---------------------------------------# 
 #                 WHITELIST                 # 
 #---------------------------------------# 
 pass in quick on $ADSL proto tcp from <WHITELIST> to any port 55555  

 #---------------------------------------# 
 #                   LAN                     # 
 #---------------------------------------# 

 #=====----> Firewall to Lan 
 pass out on $LAN inet to $LAN:network 

 
 #=====----> ssh LAN 
 pass in quick on $LAN proto tcp from $LAN:network to $LAN port 55555 
 #pass in quick proto tcp from any to port 55555 

 #=====----> dns 
 pass in quick on $LAN proto udp from $LAN:network to $LAN port 53  

 #=====----> dhcp (DISCOVER/REQUEST broadcasts come from 0.0.0.0, not from $LAN:network) 
 pass in quick on $LAN inet from any to 255.255.255.255  

 #=====----> Permit Lan to output 
 pass in on $LAN inet from $LAN:network to any 

 pass out on $LAN inet from $LAN:network to any 

 
 #---------------------------------------# 
 #              ACCEPT OUTGOING              # 
 #---------------------------------------# 
 pass out on $ADSL 
 ~~~
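The pf.conf above loads <WHITELIST> and <BLACKLIST> from files, and the `b` alias in /root/.profile inspects the live table; the helpers below are an added example (not from the original page) that keep the file and the live table consistent and reject malformed entries before `pfctl -T replace` sees them. They assume the table names and file paths from this section; BLACKLIST_FILE is an override used only by this example.

```shell
#!/bin/sh
# Added example (not part of the original page): helpers that keep the
# /etc/BLACKLIST and /etc/WHITELIST files used by the pf.conf above in sync
# with the live tables, refusing malformed entries before pfctl sees them.
# Assumptions: the table names and file paths from the firewall section;
# BLACKLIST_FILE is an override hook used for testing.

BLACKLIST_FILE="${BLACKLIST_FILE:-/etc/BLACKLIST}"

# valid_ipv4_cidr ADDR: succeed when ADDR is a dotted quad with an optional
# /0-32 prefix. Anything else (hostnames, IPv6, shell metacharacters) fails.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F/ '
        NF < 1 || NF > 2 { exit 1 }
        NF == 2 && ($2 !~ /^[0-9]+$/ || $2 > 32) { exit 1 }
        {
            if (split($1, o, ".") != 4) exit 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) exit 1
            exit 0
        }'
}

# list_file_errors FILE: print every malformed entry and fail if any exist.
# Blank lines and "#" comments are accepted, as pfctl table files allow them.
list_file_errors() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        if ! valid_ipv4_cidr "$entry"; then
            printf 'invalid entry: %s\n' "$line"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# blacklist_add ADDR: persist ADDR in the file (once) and, when pfctl is
# present, add it to the live table, so the ban survives a reboot or reload.
blacklist_add() {
    addr="$1"
    if ! valid_ipv4_cidr "$addr"; then
        printf 'refusing malformed address: %s\n' "$addr" >&2
        return 1
    fi
    if ! grep -qxF "$addr" "$BLACKLIST_FILE" 2>/dev/null; then
        printf '%s\n' "$addr" >> "$BLACKLIST_FILE"
    fi
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t BLACKLIST -T add "$addr"
    fi
}

# reload_table TABLE FILE: replace the live table from FILE, but only after
# FILE passes validation, so a stray line cannot load junk into the table.
reload_table() {
    list_file_errors "$2" || return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t "$1" -T replace -f "$2"
    fi
}
```

Call `blacklist_add 203.0.113.9` to ban an address persistently (the address is a documentation-range placeholder) and `reload_table WHITELIST /etc/WHITELIST` after editing the file by hand; validating first matters because pfctl rejects the whole file on a malformed line, and in a script that failure is easy to miss.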