This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
openbsd:hardening [2020/06/03 08:33] net_wayfarer Incomplete rewrite process for pf section. |
openbsd:hardening [2020/06/05 09:51] net_wayfarer PF section is mostly done. Not going to go rambling on with it and will update it with links as needed. |
||
|---|---|---|---|
| Line 38: | Line 38: | ||
| # A list of mirrors can be found at https://www.openbsd.org/ftp.html. | # A list of mirrors can be found at https://www.openbsd.org/ftp.html. | ||
| echo "https://cdn.openbsd.org/pub/OpenBSD" > /etc/installurl | echo "https://cdn.openbsd.org/pub/OpenBSD" > /etc/installurl | ||
| - | # Alternatively, if wget is installed, one can scrape an up-to-date list of HTTPS mirrors using the | + | # Alternatively, one can scrape an up-to-date list of HTTPS mirrors using the following typed |
| - | # following typed method, and must uncomment at least one of the following https:// prefixed lines. | + | # method, and must uncomment at least one of the following https:// prefixed lines. |
| - | # wget "https://www.openbsd.org/build/mirrors.dat" -O - | grep -e "^GC" -e "^UHS" | uniq | sed 's/^GC/\#\#/;s/^UHS/\#\#/' | tee /etc/installurl 2>&1 >/dev/null | + | # ftp -o - "https://www.openbsd.org/build/mirrors.dat" 2>/dev/null | grep -e "^GC" -e "^UHS" | uniq | sed 's/^GC/\#\#/;s/^UHS/\#\#/' | tee /etc/installurl 2>&1 >/dev/null |
| # | # | ||
| ################################################################## | ################################################################## | ||
| Line 168: | Line 168: | ||
| ## give a reply. The following is a two part process and must be implemented to achieve the desired effect. | ## give a reply. The following is a two part process and must be implemented to achieve the desired effect. | ||
| ## | ## | ||
| + | ## | ||
| + | ## By default, openbsd drops packets, https://www.openbsd.org/faq/pf/options.html | ||
| ## # set block-policy drop | ## # set block-policy drop | ||
| ## | ## | ||
| ## We do not send out any reset (RST) packets back, especially if the ports are closed. | ## We do not send out any reset (RST) packets back, especially if the ports are closed. | ||
| - | ## | + | ## https://www.openbsd.org/faq/pf/filter.html#defdeny |
| ## # block all | ## # block all | ||
| + | ## | ||
| + | ## Under no circumstances should this PF section be deemed as complete. A seasoned system administrator | ||
| + | ## will know how to write a proper firewall configuration tailored to their network, as each and every | ||
| + | ## network is unique in their own ways. However, the following below are some general recommended | ||
| + | ## reading on writing a proper firewall configuration. Do not simply just copy and paste rules into your own | ||
| + | ## machine. Do take time in reading up and consulting the various information that are available in both free | ||
| + | ## and paid (book) forms. | ||
| + | ## | ||
| + | ## # https://harrykar.blogspot.com/2010/07/openbsd-packet-filteringpf.html | ||
| + | ## # http://daemonforums.org/showthread.php?t=8419 | ||
| ## | ## | ||
| ################################################################## | ################################################################## | ||