openbsd:hardening [2020/06/03 08:33] net_wayfarer Incomplete rewrite process for pf section. |
openbsd:hardening [2020/06/05 09:51] net_wayfarer PF section is mostly done. Not going to go rambling on with it and will update it with links as needed. |
Line 38: | Line 38: | ||
# A list of mirrors can be found at https://www.openbsd.org/ftp.html. | # A list of mirrors can be found at https://www.openbsd.org/ftp.html. | ||
echo "https://cdn.openbsd.org/pub/OpenBSD" > /etc/installurl | echo "https://cdn.openbsd.org/pub/OpenBSD" > /etc/installurl | ||
- | # Alternatively, if wget is installed, one can scrape an up-to-date list of HTTPS mirrors using the | + | # Alternatively, one can scrape an up-to-date list of HTTPS mirrors using the following typed |
- | # following typed method, and must uncomment at least one of the following https:// prefixed lines. | + | # method, and must uncomment at least one of the following https:// prefixed lines. |
- | # wget "https://www.openbsd.org/build/mirrors.dat" -O - | grep -e "^GC" -e "^UHS" | uniq | sed 's/^GC/\#\#/;s/^UHS/\#\#/' | tee /etc/installurl 2>&1 >/dev/null | + | # ftp -o - "https://www.openbsd.org/build/mirrors.dat" 2>/dev/null | grep -e "^GC" -e "^UHS" | uniq | sed 's/^GC/\#\#/;s/^UHS/\#\#/' | tee /etc/installurl 2>&1 >/dev/null |
# | # | ||
################################################################## | ################################################################## | ||
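Review bot: the redirection order at the end of the new `ftp -o - ... | tee /etc/installurl 2>&1 >/dev/null` line does not do what the comment implies; `2>&1 >/dev/null` sends tee's stderr to the terminal and only then discards stdout, so write it as `>/dev/null 2>&1` (or just `> /etc/installurl` with no tee at all, since nothing else reads the pipe). Two further points on the same line: with ftp's own errors hidden by `2>/dev/null`, a failed fetch (no network, TLS failure) still runs tee and silently truncates /etc/installurl to an empty file, overwriting the URL written by the `echo` line just above; and `uniq` without a preceding `sort` only collapses adjacent duplicates. Switching from wget to ftp(1) is the right call, since ftp is in the base system and speaks HTTPS, but consider stating in the comment that installurl(5) expects a single URL line, so "at least one" of the generated `##` lines should read "exactly one".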
Line 168: | Line 168: | ||
## give a reply. The following is a two part process and must be implemented to achieve the desired effect. | ## give a reply. The following is a two part process and must be implemented to achieve the desired effect. | ||
## | ## | ||
+ | ## | ||
+ | ## By default, openbsd drops packets, https://www.openbsd.org/faq/pf/options.html | ||
## # set block-policy drop | ## # set block-policy drop | ||
## | ## | ||
## We do not send out any reset (RST) packets back, especially if the ports are closed. | ## We do not send out any reset (RST) packets back, especially if the ports are closed. | ||
- | ## | + | ## https://www.openbsd.org/faq/pf/filter.html#defdeny |
## # block all | ## # block all | ||
+ | ## | ||
+ | ## Under no circumstances should this PF section be deemed as complete. A seasoned system administrator | ||
+ | ## will know how to write a proper firewall configuration tailored to their network, as each and every | ||
+ | ## network is unique in their own ways. However, the following below are some general recommended | ||
+ | ## reading on writing a proper firewall configuration. Do not simply just copy and paste rules into your own | ||
+ | ## machine. Do take time in reading up and consulting the various information that are available in both free | ||
+ | ## and paid (book) forms. | ||
+ | ## | ||
+ | ## # https://harrykar.blogspot.com/2010/07/openbsd-packet-filteringpf.html | ||
+ | ## # http://daemonforums.org/showthread.php?t=8419 | ||
## | ## | ||
################################################################## | ################################################################## |
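Review bot: the new comment "By default, openbsd drops packets" is correct (drop is PF's default block-policy), but it makes the `set block-policy drop` line on the following row redundant rather than required, which contradicts the surrounding "two part process ... must be implemented" wording; either say the set line merely makes the intent explicit, or note that it matters only if a later rule or include switches the policy to return. Also capitalize "OpenBSD" to match the rest of the file, and in the recommended-reading block prefer the official PF user's guide sections already cited above (https://www.openbsd.org/faq/pf/) over the plain-http daemonforums thread and the 2010 blog post, which may describe pre-4.7 syntax. Minor grammar in the new paragraph: "unique in their own ways" should be "unique in its own way", and "the following below are some general recommended reading" reads better as "the links below are recommended reading".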