Projet

Général

Profil

Actions

Openbsd apu » Historique » Révision 4

« Précédent | Révision 4/5 (diff) | Suivant »
sacha, 11/11/2020 21:37


Firewall OpenBSD on PCEngines APU

DISCLAIMER: This is not a step by step guide.

This is a toolbox on various config files, scripts (like prometheus startup scripts, sounds on boot...) and various tips (adding hardware power button).

Install an OpenBSD image

Getting the OpenBSD image

The list of the mirrors is here: https://www.openbsd.org/ftp.html
Get the last version, here 6.5

wget ftp://ftp.irisa.fr/pub/mirrors/OpenBSD/6.5/amd64/install65.fs

Write the image to an USB Key

My usb key is on /dev/sde

dd if=install65.fs of=/dev/sde bs=1M

Boot USB & install

Select the tty output in 115200 on com0

SeaBIOS (version rel-1.12.0.1-0-g393dc9c)

Press F10 key now for boot menu

Booting from Hard Disk...
Using drive 0, partition 3.
Loading......
probing: pc0 com0 com1 com2 com3 mem[639K 1918M a20=on] 
disk: hd0+ hd1+*
>> OpenBSD/amd64 BOOT 3.43
boot> stty com0 115200
boot> set tty com0
switching console to com>> OpenBSD/amd64 BOOT 3.43
boot>

Replying to answears

Welcome to the OpenBSD/amd64 6.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I

Terminal type? [vt220]
System hostname? (short form, e.g. 'foo') cerbere
Password for root account? (will not echo) 
Password for root account? (again) 
Start sshd(8) by default? [yes] 
Change the default console to com0? [yes] 
Available speeds are: 9600 19200 38400 57600 115200.
Which speed should com0 use? (or 'done') [115200] 
Setup a user? (enter a lower-case loginname, or 'no') [no] 
Since no user was setup, root logins via sshd(8) might be useful.
WARNING: root is targeted by password guessing attacks, pubkeys are safer.
Allow root ssh login? (yes, no, prohibit-password) [no] yes

Available disks are: sd0 sd1.
Which disk is the root disk? ('?' for details) [sd0] 
No valid MBR or GPT.
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] 

80% /
10% swap
10% /var/log

Configuration

/etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet.gre.allow=1

/root/.profile

export PS1="\H|\t|:\w\\$"                                                                                                                                               

umask 022

#export LS_OPTIONS='--color=auto'
alias ls='/usr/local/bin/colorls -G'
alias ll='ls -l'
alias l='ls -lA'
alias d="du --max-depth=1 -h"
#alias carp='ifconfig carp |grep -e "MASTER" -e "BACKUP" && ifconfig -g carp'

# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias df='df -h'
alias b='echo "\n IP BLACKLISTED\n========================================================";pfctl -t BLACKLIST -T show;echo "\n TOP 10 states\n========================================================";pfctl -sS |sort -nrk4 |head -n 10 '
echo
echo "________________________________________________________________________"
echo
who
echo "________________________________________________________________________"
echo
last -n 20
echo "________________________________________________________________________"
echo
uptime
echo "________________________________________________________________________"

/home/sacha/.profile

# $OpenBSD: dot.profile,v 1.5 2018/02/02 02:29:54 yasuoka Exp $
#
# sh/ksh initialization

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games
export PATH HOME TERM

export PS1="\H|\t|:\w\\$"

alias ls='colorls -G'
alias ll='ls -l'
alias l='ls -lA'
alias d="du --max-depth=1 -h"

# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias df='df -h'

echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo
echo -n "     " && uname -a
echo
echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo
w
echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo && echo


/etc/ssh/sshd_config

Port 55555
PasswordAuthentication no
ChallengeResponseAuthentication no
  • Ajouter le réseau local sur em2 sour la forme 10.10.département/24

/etc/dhcpd.conf

En fonction du réseau local, exemple:

subnet 10.10.79.0 netmask 255.255.255.0 {
  range 10.10.79.100 10.10.79.199;
  default-lease-time 600;
  max-lease-time 7200;
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.10.79.255;
  option routers 10.10.79.254;
  option domain-name-servers 10.10.79.254, 185.233.100.100;
  option domain-name "niort.rosedor.fr";
}
echo 'dhcpd_flags="em2"' >>/etc/rc.conf.local

/etc/resolv.conf

search brest.openlux.fr 
nameserver 10.10.79.254
lookup file bind

/etc/ntpd.conf

# $OpenBSD: ntpd.conf,v 1.14 2015/07/15 20:28:37 ajacoutot Exp $
#
# See ntpd.conf(5) and /etc/examples/ntpd.conf

#listen on 172.16.1.254 
servers fr.pool.ntp.org

boot sound

  • Exemples:
echo -e "l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker
echo -e "<cd<a#~<a#>f" > /dev/speaker
echo "o2 AAA ml o2l8F P16 o3l16C o2 l4A  l8F o3P16l16C o2 l4A p4 o3 EEE ml l8F P16 o3l16C o2 l4A- l8F o3P16l16C o2 l4A"  > /dev/speaker
echo -e "ec" > /dev/speaker
echo -e "t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f.." > /dev/speaker
echo -e "<cd<a#~<a#>f" > /dev/speaker
echo -e "t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.">/dev/speaker
echo -e "t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8" > /dev/speaker
echo -e "olcega.a8f>cd2bgc.c8dee2" > /dev/speaker
echo -e "msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4" > /dev/speaker
echo -e "l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker

Beatles
"T255O3< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A F#A B A F# L1 E.< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A L2 F#.> L4 C# < L2 B A L1 B B L1 N0< < L2 A > > > L4 C# < L2 B > L2 C# < L2 A.> L4 C# < A B > L2 C#.< < L2 A > > > L4 C# < L2 B > C# < L2 A.L4 N0 A L2 B AL2 N0 > L2 C# < B A N0L4 F# A B E A B D A B A G# F# E"

sw
"t136 mn o3 l8 ddgfe-dc o2 b-ag o3 d2. l12 ddd l8 g4 p4 p2 p2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t136 mn o3 l8 p4 mn o2 l8 d4 e4.e o3c o2 bag l12 gab l8 a8. e16f+4d8. d e4.e o3 c o2 bag o3 d8.o2   a16 ml a4a4 mn d4 e4.e O3 c o2 bag l12 gaba8. e16 f+4 o3 d8. d16 l16   g8. fe-8. d c8. o2 b-a8. g o3 d2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 co2 b o3c l2 ml o2a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2ba ml l2 o3gdd mn l6 co2bo3c l2 ml o2a1a4 p4 mn l6 o3 mn ddd ml l1 gggg4 p4 p4 mn l12 dddg2"



Reveille: t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f..
Close Encounters: <cd<a#~<a#>f
Lord of the Dance (aka Simple Gifts): t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.
Loony Toons theme: t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8
standard villain's entrance music: mst200o2ola.l8bc.~a.~>l2d#
a trope from 'The Right Stuff' score by Bill Conti: olcega.a8f>cd2bgc.c8dee2
opening bars of Bach's Toccata and Fugue in D Minor": msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4
opening bars of the theme from Star Trek Classic: l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2


echo 'echo -e "<cd<a#~<a#>f" > /dev/speaker' >> /etc/rc.local
echo '"O3L30cO4L30cO5L30cO5L30g" > /dev/speaker' >> /etc/rc.local

Unbound

ln -s /var/unbound/etc/unbound.conf /etc/unbound.conf
# $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $

server:
        interface: 127.0.0.1
        interface: 172.16.1.254
        #interface: 127.0.0.1@5353      # listen on alternative port
#       interface: ::1
        do-ip6: no

        # override the default "any" address to send queries; if multiple
        # addresses are available, they are used randomly to counter spoofing
        #outgoing-interface: 192.0.2.1
        #outgoing-interface: 2001:db8::53

        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: 172.16.1.254/16 allow 
        access-control: ::0/0 refuse
        access-control: ::1 allow

        hide-identity: yes
        hide-version: yes

        # Uncomment to enable DNSSEC validation.
        #
        #auto-trust-anchor-file: "/var/unbound/db/root.key"
        #val-log-level: 2

        # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
        # https://tools.ietf.org/html/rfc8198
        #
        #aggressive-nsec: yes

        # Serve zones authoritatively from Unbound to resolver clients.
        # Not for external service.
        #
        #local-zone: "local." static
        #local-data: "mycomputer.local. IN A 192.0.2.51"
        #local-zone: "2.0.192.in-addr.arpa." static
        #local-data-ptr: "192.0.2.51 mycomputer.local"

        # UDP EDNS reassembly buffer advertised to peers. Default 4096.
        # May need lowering on broken networks with fragmentation/MTU issues,
        # particularly if validating DNSSEC.
        #
        #edns-buffer-size: 1480

        # Use TCP for "forward-zone" requests. Useful if you are making
        # DNS requests over an SSH port forwarding.
        #
        #tcp-upstream: yes

remote-control:
        control-enable: yes
        control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
#       name: "."                               # use for ALL queries
#       forward-addr: 192.0.2.53                # example address only
#       forward-first: yes                      # try direct if forwarder fails
rcctl enable unbound
rcctl start unbound

Install Prometheus node exporter

pkg_add go git gmake python-3.6 colorls gnuwatch mtr pftop curl bash 
ln -s /usr/local/bin/python3 /usr/local/bin/python
cd /home/sacha
go get github.com/prometheus/node_exporter
cd /home/sacha/go/src/github.com/prometheus/node_exporter
gmake
mv node_exporter /usr/local/bin/
script de démarage: /etc/rc.d/node_exporter
vim /etc/login.conf
(...)
node_exporter:\
  :tc=daemon:
cap_mkdb /etc/login.conf
groupadd -g 2222 _node_exporter
useradd -u 2222 -g 2222 -c "Prometheus Node Exporter agent" -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter
  • /etc/rc.d/node_exporter
#!/bin/sh
#

daemon="/usr/local/bin/node_exporter"
node_exporter_textfile_dir="/var/node_exporter"
daemon_flags="--collector.textfile.directory==${node_exporter_textfile_dir}"
daemon_user="_node_exporter"
daemon_group="_node_exporter"

. /etc/rc.d/rc.subr

pexp="${daemon}.*"
rc_bg=YES
rc_reload=NO

rc_pre() { 
    if ! id ${daemon_user}; then
        groupadd _node_exporter
        useradd -g _node_exporter -c "Prometheus Node Exporter agent"\
        -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter
    fi
    if [ ! -d ${node_exporter_textfile_dir} ]; then
        install \
            -d \
            -o ${daemon_user} \
            -g ${daemon_group} \
            -m 1755 \
            ${node_exporter_textfile_dir}
    fi
}

rc_start() {
    ${rcexec} "${daemon} ${daemon_flags} < /dev/null 2>&1"
}

rc_cmd $1
chmod 0755 /etc/rc.d/node_exporter
chown root:wheel /etc/rc.d/node_exporter

rcctl enable node_exporter
rcctl start node_exporter

Firewall

touch /etc/BLACKLIST
vi /etc/WHITELIST

Standard: 1 ADSL

#######################################################
#         Firewall PF - OpenBSD -                     #
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #
# V1.0 - 20190612                                     #
#######################################################


#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               MACROS                  #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#-----------------------------------------#
#               Interfaces                #
#-----------------------------------------#
#=====----> ADSL
ADSL       = "pppoe0"


#=====----> LAN
LAN             = "em2"
LAN_VoIP        = "em3"

#-----------------------------------------#
#               Hosts                     #
#-----------------------------------------#


#-----------------------------------------#
#       W H I T E  L I S T                #
#-----------------------------------------#
table <WHITELIST> persist file "/etc/WHITELIST"

#-----------------------------------------#
#       B L A C K  L I S T                #
#-----------------------------------------#
table <BLACKLIST> counters persist file "/etc/BLACKLIST"

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               OPTIONS                 #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
set loginterface $ADSL

#set optimization aggressive
set block-policy drop

set skip on lo0 


#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               LOG                     #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
match log all


#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               NORMALISATION           #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

# Nettoyer les paquets entrant
match in scrub (reassemble tcp random-id)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#                NAT                    #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
match out on $ADSL inet from ($LAN:network) to any nat-to ($ADSL)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               FILTRAGE                #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
block log all

#-----------------------------------------#
#               Anti-Flood                #
#-----------------------------------------#
#NOFLOOD ="synproxy state (source-track rule max-src-conn 500, max-src-conn-rate 50/10, overload <BLACKLIST> flush global)"
NOFLOOD ="keep state (source-track rule, max-src-states 100)"

block in log quick on $ADSL from no-route to any
block out log quick on $ADSL from no-route to any
block in log quick on $ADSL from any to 255.255.255.255

#-----------------------------------------#
#               Blacklists                #
#-----------------------------------------#
block in quick from <BLACKLIST>

block in log quick on $ADSL inet proto icmp from any to any icmp-type redir
block in log quick on $ADSL inet6 proto icmp6 from any to any icmp6-type redir

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               Anti-spoof                  #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
antispoof log quick for $ADSL label "antispoof"

#---------------------------------------#
#               ICMP                    #
#---------------------------------------#
pass inet proto icmp all icmp-type { echorep, echoreq, timex, unreach }

#---------------------------------------#
#               Trace Route             #
#---------------------------------------#
pass in on { $LAN } proto udp from any to any port 33433 >< 33626 keep state

#---------------------------------------#
#               WHITELIST               #
#---------------------------------------#
pass in quick on $ADSL proto tcp from <WHITELIST> to any port 55555 

#---------------------------------------#
#                 LAN                   #
#---------------------------------------#

#=====----> Firewall to Lan
pass out on $LAN inet to $LAN:network


#=====----> ssh LAN
pass in quick on $LAN proto tcp from $LAN:network to $LAN port 55555
#pass in quick proto tcp from any to port 55555

#=====----> dns
pass in quick on $LAN proto udp from $LAN:network to $LAN port 53 

#=====----> dhcp
pass in quick on $LAN inet from $LAN:network to 255.255.255.255 

#=====----> Permit Lan to output
pass in on $LAN inet from $LAN:network to any

pass out on $LAN inet from $LAN:network to any


#---------------------------------------#
#            ACCEPT OUTGOING            #
#---------------------------------------#
pass out on $ADSL

Mis à jour par sacha il y a environ 4 ans · 4 révisions