Openbsd apu » History » Version 5

sacha, 11/11/2020 21:41

# Firewall OpenBSD on PCEngines APU

**DISCLAIMER: This is not a step by step guide.**

This is a toolbox of various config files, scripts (like Prometheus startup scripts, sounds on boot...) and various tips (adding a hardware power button).

## Install an OpenBSD image

### Getting the OpenBSD image

The list of mirrors is here: https://www.openbsd.org/ftp.html

Get the latest version, here 6.5:

~~~
wget ftp://ftp.irisa.fr/pub/mirrors/OpenBSD/6.5/amd64/install65.fs
~~~

### Write the image to a USB key

My USB key is on /dev/sde:

~~~
dd if=install65.fs of=/dev/sde bs=1M
~~~

### Boot USB & install

Select the tty output at 115200 on com0:

~~~
SeaBIOS (version rel-1.12.0.1-0-g393dc9c)

Press F10 key now for boot menu

Booting from Hard Disk...
Using drive 0, partition 3.
Loading......
probing: pc0 com0 com1 com2 com3 mem[639K 1918M a20=on]
disk: hd0+ hd1+*
>> OpenBSD/amd64 BOOT 3.43
boot> stty com0 115200
boot> set tty com0
switching console to com>> OpenBSD/amd64 BOOT 3.43
boot>
~~~

Answering the installer prompts:

~~~
Welcome to the OpenBSD/amd64 6.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I

Terminal type? [vt220]
System hostname? (short form, e.g. 'foo') cerbere
Password for root account? (will not echo)
Password for root account? (again)
Start sshd(8) by default? [yes]
Change the default console to com0? [yes]
Available speeds are: 9600 19200 38400 57600 115200.
Which speed should com0 use? (or 'done') [115200]
Setup a user? (enter a lower-case loginname, or 'no') [no]
Since no user was setup, root logins via sshd(8) might be useful.
WARNING: root is targeted by password guessing attacks, pubkeys are safer.
Allow root ssh login? (yes, no, prohibit-password) [no] yes

Available disks are: sd0 sd1.
Which disk is the root disk? ('?' for details) [sd0]
No valid MBR or GPT.
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]
~~~

Partition layout:

* 80% /
* 10% swap
* 10% /var/log

### Configuration

#### /etc/sysctl.conf

~~~
net.inet.ip.forwarding=1
net.inet.gre.allow=1
~~~

#### /root/.profile

~~~
export PS1="\H|\t|:\w\\$"

umask 022

#export LS_OPTIONS='--color=auto'
alias ls='/usr/local/bin/colorls -G'
alias ll='ls -l'
alias l='ls -lA'
# OpenBSD du(1) has no --max-depth; -d gives the same result
alias d="du -d 1 -h"
#alias carp='ifconfig carp |grep -e "MASTER" -e "BACKUP" && ifconfig -g carp'

# Some more aliases to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias df='df -h'
# show the pf BLACKLIST table and the 10 busiest states
alias b='echo "\n IP BLACKLISTED\n========================================================";pfctl -t BLACKLIST -T show;echo "\n TOP 10 states\n========================================================";pfctl -sS |sort -nrk4 |head -n 10 '
echo
echo "________________________________________________________________________"
echo
who
echo "________________________________________________________________________"
echo
last -n 20
echo "________________________________________________________________________"
echo
uptime
echo "________________________________________________________________________"
~~~

#### /home/sacha/.profile

~~~
# $OpenBSD: dot.profile,v 1.5 2018/02/02 02:29:54 yasuoka Exp $
#
# sh/ksh initialization

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games
export PATH HOME TERM

export PS1="\H|\t|:\w\\$"

alias ls='colorls -G'
alias ll='ls -l'
alias l='ls -lA'
# OpenBSD du(1) has no --max-depth; -d gives the same result
alias d="du -d 1 -h"

# Some more aliases to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias df='df -h'

echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo
echo -n "     " && uname -a
echo
echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo
w
echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo && echo
~~~

#### /etc/ssh/sshd_config

~~~
Port 55555
PasswordAuthentication no
ChallengeResponseAuthentication no
~~~

* Add the local network on em2 in the form 10.10.<département number>/24

#### /etc/dhcpd.conf

Depending on the local network, for example:

~~~
subnet 10.10.79.0 netmask 255.255.255.0 {
  range 10.10.79.100 10.10.79.199;
  default-lease-time 600;
  max-lease-time 7200;
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.10.79.255;
  option routers 10.10.79.254;
  option domain-name-servers 10.10.79.254, 185.233.100.100;
  option domain-name "niort.rosedor.fr";
}
~~~

~~~
echo 'dhcpd_flags="em2"' >>/etc/rc.conf.local
~~~

#### /etc/resolv.conf

~~~
search brest.openlux.fr
nameserver 10.10.79.254
lookup file bind
~~~

#### /etc/ntpd.conf

~~~
# $OpenBSD: ntpd.conf,v 1.14 2015/07/15 20:28:37 ajacoutot Exp $
#
# See ntpd.conf(5) and /etc/examples/ntpd.conf

#listen on 172.16.1.254
servers fr.pool.ntp.org
~~~

#### Some music with the buzzer

Examples:

~~~
echo -e "l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker
echo -e "<cd<a#~<a#>f" > /dev/speaker
echo "o2 AAA ml o2l8F P16 o3l16C o2 l4A  l8F o3P16l16C o2 l4A p4 o3 EEE ml l8F P16 o3l16C o2 l4A- l8F o3P16l16C o2 l4A"  > /dev/speaker
echo -e "ec" > /dev/speaker
echo -e "t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f.." > /dev/speaker
echo -e "<cd<a#~<a#>f" > /dev/speaker
echo -e "t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.">/dev/speaker
echo -e "t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8" > /dev/speaker
echo -e "olcega.a8f>cd2bgc.c8dee2" > /dev/speaker
echo -e "msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4" > /dev/speaker
echo -e "l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker

Beatles
"T255O3< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A F#A B A F# L1 E.< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A L2 F#.> L4 C# < L2 B A L1 B B L1 N0< < L2 A > > > L4 C# < L2 B > L2 C# < L2 A.> L4 C# < A B > L2 C#.< < L2 A > > > L4 C# < L2 B > C# < L2 A.L4 N0 A L2 B AL2 N0 > L2 C# < B A N0L4 F# A B E A B D A B A G# F# E"

sw
"t136 mn o3 l8 ddgfe-dc o2 b-ag o3 d2. l12 ddd l8 g4 p4 p2 p2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t136 mn o3 l8 p4 mn o2 l8 d4 e4.e o3c o2 bag l12 gab l8 a8. e16f+4d8. d e4.e o3 c o2 bag o3 d8.o2   a16 ml a4a4 mn d4 e4.e O3 c o2 bag l12 gaba8. e16 f+4 o3 d8. d16 l16   g8. fe-8. d c8. o2 b-a8. g o3 d2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 co2 b o3c l2 ml o2a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2ba ml l2 o3gdd mn l6 co2bo3c l2 ml o2a1a4 p4 mn l6 o3 mn ddd ml l1 gggg4 p4 p4 mn l12 dddg2"

Reveille: t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f..
Close Encounters: <cd<a#~<a#>f
Lord of the Dance (aka Simple Gifts): t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.
Loony Toons theme: t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8
standard villain's entrance music: mst200o2ola.l8bc.~a.~>l2d#
a trope from 'The Right Stuff' score by Bill Conti: olcega.a8f>cd2bgc.c8dee2
opening bars of Bach's Toccata and Fugue in D Minor: msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4
opening bars of the theme from Star Trek Classic: l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2
~~~

My tunes, played at boot from /etc/rc.local:

~~~
echo 'echo -e "<cd<a#~<a#>f" > /dev/speaker' >> /etc/rc.local
echo 'echo "O3L30cO4L30cO5L30cO5L30g" > /dev/speaker' >> /etc/rc.local
~~~

#### Unbound

Dunno why the config file is in /var? Creating a symlink to find it.

~~~
ln -s /var/unbound/etc/unbound.conf /etc/unbound.conf
~~~

~~~
# $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $

server:
        interface: 127.0.0.1
        interface: 172.16.1.254
        #interface: 127.0.0.1@5353      # listen on alternative port
#       interface: ::1
        do-ip6: no

        # override the default "any" address to send queries; if multiple
        # addresses are available, they are used randomly to counter spoofing
        #outgoing-interface: 192.0.2.1
        #outgoing-interface: 2001:db8::53

        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: 172.16.1.254/16 allow
        access-control: ::0/0 refuse
        access-control: ::1 allow

        hide-identity: yes
        hide-version: yes

        # Uncomment to enable DNSSEC validation.
        #
        #auto-trust-anchor-file: "/var/unbound/db/root.key"
        #val-log-level: 2

        # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
        # https://tools.ietf.org/html/rfc8198
        #
        #aggressive-nsec: yes

        # Serve zones authoritatively from Unbound to resolver clients.
        # Not for external service.
        #
        #local-zone: "local." static
        #local-data: "mycomputer.local. IN A 192.0.2.51"
        #local-zone: "2.0.192.in-addr.arpa." static
        #local-data-ptr: "192.0.2.51 mycomputer.local"

        # UDP EDNS reassembly buffer advertised to peers. Default 4096.
        # May need lowering on broken networks with fragmentation/MTU issues,
        # particularly if validating DNSSEC.
        #
        #edns-buffer-size: 1480

        # Use TCP for "forward-zone" requests. Useful if you are making
        # DNS requests over an SSH port forwarding.
        #
        #tcp-upstream: yes

remote-control:
        control-enable: yes
        control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
#       name: "."                               # use for ALL queries
#       forward-addr: 192.0.2.53                # example address only
#       forward-first: yes                      # try direct if forwarder fails
~~~

~~~
rcctl enable unbound
rcctl start unbound
~~~

#### Install Prometheus node exporter

~~~
pkg_add go git gmake python-3.6 colorls gnuwatch mtr pftop curl bash
ln -s /usr/local/bin/python3 /usr/local/bin/python
cd /home/sacha
go get github.com/prometheus/node_exporter
cd /home/sacha/go/src/github.com/prometheus/node_exporter
gmake
mv node_exporter /usr/local/bin/
~~~

##### Startup script: /etc/rc.d/node_exporter

Add a login class for the daemon to /etc/login.conf:

~~~
vim /etc/login.conf
(...)
node_exporter:\
  :tc=daemon:
~~~

Rebuild the login.conf database and create the dedicated unprivileged user:

~~~
cap_mkdb /etc/login.conf
groupadd -g 2222 _node_exporter
useradd -u 2222 -g 2222 -c "Prometheus Node Exporter agent" -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter
~~~

* /etc/rc.d/node_exporter

~~~
#!/bin/sh
#
# rc.d script for the Prometheus node exporter

daemon="/usr/local/bin/node_exporter"
node_exporter_textfile_dir="/var/node_exporter"
daemon_flags="--collector.textfile.directory=${node_exporter_textfile_dir}"
daemon_user="_node_exporter"
daemon_group="_node_exporter"

. /etc/rc.d/rc.subr

pexp="${daemon}.*"
rc_bg=YES
rc_reload=NO

rc_pre() {
    # create the unprivileged user and group if they do not exist yet
    if ! id "${daemon_user}" >/dev/null 2>&1; then
        groupadd _node_exporter
        useradd -g _node_exporter -c "Prometheus Node Exporter agent" \
            -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter
    fi
    # directory for the textfile collector, owned by the exporter user
    if [ ! -d "${node_exporter_textfile_dir}" ]; then
        install \
            -d \
            -o "${daemon_user}" \
            -g "${daemon_group}" \
            -m 1755 \
            "${node_exporter_textfile_dir}"
    fi
}

rc_start() {
    # rcexec runs the daemon as ${daemon_user}; stderr is merged into stdout
    ${rcexec} "${daemon} ${daemon_flags} < /dev/null 2>&1"
}

rc_cmd $1
~~~

~~~
chmod 0755 /etc/rc.d/node_exporter
chown root:wheel /etc/rc.d/node_exporter

rcctl enable node_exporter
rcctl start node_exporter
~~~

---

## Firewall

Create the table files that pf.conf loads:

~~~
touch /etc/BLACKLIST
vi /etc/WHITELIST
~~~

### Standard: 1 ADSL

~~~
#######################################################
#         Firewall PF - OpenBSD -                     #
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #
# V1.0 - 20190612                                     #
#######################################################


#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               MACROS                  #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#-----------------------------------------#
#               Interfaces                #
#-----------------------------------------#
#=====----> ADSL
ADSL       = "pppoe0"


#=====----> LAN
LAN             = "em2"
LAN_VoIP        = "em3"

#-----------------------------------------#
#               Hosts                     #
#-----------------------------------------#


#-----------------------------------------#
#       W H I T E  L I S T                #
#-----------------------------------------#
table <WHITELIST> persist file "/etc/WHITELIST"

#-----------------------------------------#
#       B L A C K  L I S T                #
#-----------------------------------------#
table <BLACKLIST> counters persist file "/etc/BLACKLIST"

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               OPTIONS                 #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
set loginterface $ADSL

#set optimization aggressive
set block-policy drop

set skip on lo0


#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               LOG                     #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
match log all


#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               NORMALISATION           #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

# Scrub incoming packets
match in scrub (reassemble tcp random-id)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#                NAT                    #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
match out on $ADSL inet from ($LAN:network) to any nat-to ($ADSL)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               FILTERING               #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
block log all

#-----------------------------------------#
#               Anti-Flood                #
#-----------------------------------------#
#NOFLOOD ="synproxy state (source-track rule max-src-conn 500, max-src-conn-rate 50/10, overload <BLACKLIST> flush global)"
NOFLOOD ="keep state (source-track rule, max-src-states 100)"

block in log quick on $ADSL from no-route to any
block out log quick on $ADSL from no-route to any
block in log quick on $ADSL from any to 255.255.255.255

#-----------------------------------------#
#               Blacklists                #
#-----------------------------------------#
block in quick from <BLACKLIST>

block in log quick on $ADSL inet proto icmp from any to any icmp-type redir
block in log quick on $ADSL inet6 proto icmp6 from any to any icmp6-type redir

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               Anti-spoof                  #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
antispoof log quick for $ADSL label "antispoof"

#---------------------------------------#
#               ICMP                    #
#---------------------------------------#
pass inet proto icmp all icmp-type { echorep, echoreq, timex, unreach }

#---------------------------------------#
#               Trace Route             #
#---------------------------------------#
pass in on { $LAN } proto udp from any to any port 33433 >< 33626 keep state

#---------------------------------------#
#               WHITELIST               #
#---------------------------------------#
pass in quick on $ADSL proto tcp from <WHITELIST> to any port 55555

#---------------------------------------#
#                 LAN                   #
#---------------------------------------#

#=====----> Firewall to Lan
pass out on $LAN inet to $LAN:network

#=====----> ssh LAN
pass in quick on $LAN proto tcp from $LAN:network to $LAN port 55555
#pass in quick proto tcp from any to port 55555

#=====----> dns
pass in quick on $LAN proto udp from $LAN:network to $LAN port 53

#=====----> dhcp
pass in quick on $LAN inet from $LAN:network to 255.255.255.255

#=====----> Permit Lan to output
pass in on $LAN inet from $LAN:network to any

pass out on $LAN inet from $LAN:network to any

#---------------------------------------#
#            ACCEPT OUTGOING            #
#---------------------------------------#
pass out on $ADSL
~~~
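The WHITELIST and BLACKLIST tables above are loaded from /etc/WHITELIST and /etc/BLACKLIST with `table <...> persist file`, and a malformed entry in either file makes the ruleset load fail. As an added example that is not part of this wiki page, here is a POSIX sh check (the functions `valid_ipv4_entry` and `check_pf_table_file` are my own names) that validates every entry of such a file as an IPv4 address or prefix before the table is replaced; the sample list inside is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: sanity-check a pf table file such as
# /etc/WHITELIST or /etc/BLACKLIST before reloading it. pf.conf loads these
# files with 'table <...> persist file'; a malformed line makes the whole
# ruleset fail to load, so validate first, then replace the table.

# Return 0 if $1 is an IPv4 address or IPv4/prefix (prefix 0..32), else 1.
valid_ipv4_entry() {
    addr="${1%%/*}"
    prefix=32
    case "$1" in */*) prefix="${1#*/}" ;; esac
    case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac    # 1-2 digits
    [ "$prefix" -le 32 ] || return 1
    rest="$addr."; n=0                     # trailing dot terminates the split
    while [ -n "$rest" ]; do
        octet="${rest%%.*}"; rest="${rest#*.}"
        n=$((n + 1))
        case "$octet" in ''|*[!0-9]*|????*) return 1 ;; esac   # 1-3 digits
        [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]                         # exactly four octets
}

# Check every non-blank, non-comment line of the file named in $1.
# Prints each bad line to stderr; returns 0 only if all entries are valid.
check_pf_table_file() {
    file="$1"; status=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # drop a trailing '# comment' and surrounding whitespace
        entry=$(printf '%s\n' "$line" | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        if ! valid_ipv4_entry "$entry"; then
            printf '%s:%d: invalid entry: %s\n' "$file" "$lineno" "$entry" >&2
            status=1
        fi
    done < "$file"
    return "$status"
}

# Constructed sample list (not a real one): two good entries and one bad prefix.
sample=$(mktemp)
printf '203.0.113.7\n198.51.100.0/24   # office\n10.10.79.0/33\n' > "$sample"
if check_pf_table_file "$sample"; then
    echo "table file OK"   # on the firewall: pfctl -t WHITELIST -T replace -f /etc/WHITELIST
else
    echo "fix the file before reloading pf"
fi
rm -f "$sample"
```

Run it against /etc/WHITELIST before `pfctl -t WHITELIST -T replace -f /etc/WHITELIST` (or `pfctl -f /etc/pf.conf`); the sample above reports line 3 because /33 is not a valid IPv4 prefix.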

## Power button

https://www.conrad.ch/de/p/sci-r13-81a-05bk-drucktaster-125-v-ac-0-5-a-1-x-aus-ein-tastend-1-st-701074.html
https://www.conrad.ch/de/p/konfektionierte-litze-polzahl-gesamt-2-rastermass-2-54-mm-741213-1-st-741213.html