A couple bits of OpenBSD goodness.

From SecurityFocus (Zero to IPSec in 4 minutes):

Until recently, setting up an open-source IPSec solution has been woefully complex and involved wading through an alphabet soup of committee-designed protocols. Many people give up on IPSec after their first peek at the horrible and complex software documentation, opting instead to install some sort of commercial SSL VPN which seems much simpler. For those who have been through this exercise, a jumble of SAs, ESPs, AHs, SPIs, CAs, certs, FIFOs, IKEs and policy jargon inside RFCs is enough to give anyone a headache. However, there is good new on the IPSec front: it has all finally been covered up with a nice, simple way to set it up under OpenBSD.

In this short article we'll look at how to get a fully functional IPSec VPN up and running between two fresh OpenBSD machines in about four minutes flat. The goal here certainly isn't to give an exhaustive overview of all the option available in IPSec or OpenBSD, but rather just how quickly and easily we can be up and running when others take days or weeks to do the same thing.

If you need to do something cheap, flexible, or interesting related to data communications, you can't go wrong with OpenBSD. I'll probably wait until my OpenBSD 3.9 CDs arrive, but one of my next big work projects is to build a "clean room" network for conducting security related research. I want to be able to work on the network remotely, so I'll be taking advantage of OpenBSD's IPSec implementation.

For those who prefer the port knocking way of doing things, here's a variation on the theme by way of the OpenBSD Journal (Alternative to Port-Knocking using OpenBSD PF + OSFP):

poplix@papuasia.org has written up an interesting proof-of-concept
for an alternative to port-knocking type solutions which basically
employs PF's support of OSFP-based rulesets along with a userland util.
for modifying IP header values etc.

From writeup:

"The idea is to use os fingerprints as a key. An user can invent a
specific sequence of header values that will identify his fake os,
add it to fingerprints database and use it in the firewall.
The result is an OBSD machine that is totally stealth to port scans
but the owner can log into it using his specific set of header values."


Full details are here:
http://tripp.dynalias.org/p0fspoof.txt

Port knocking falls into the clever rather than secure category as far as I'm concerned. As the first comment in the OpenBSD Journal thread suggests, "port knocking is just another plain text password." I'm not sure why someone would use this sort of strategy for access control when they could set up a proper VPN, but it does have some academic value.

One more bit of OpenBSD love before I send this one out. The OpenBSD Journal has an article on OliveBSD, an OpenBSD 3.8 based Live CD:

From the just-like-rabbits department: Following on the heels of the release last month of Anonym.OS, there is a new kid on the OpenBSD live CD block, OliveBSD. Put together by Gabriel Paderni, who made use of the article on ONLAMP by Kevin Lo.

While I'm more interested in the idea of an OpenBSD live CD than I am in the OliveBSD implementation, this is on my increasingly long list of things to check out in the near future. I've got an OpenBSD based filtering ethernet bridge implementation that I've used for a number of small projects over the course of the last couple of years that is getting a little long in the tooth. I'm planning on updating it to OpenBSD 3.9 in the near future and I would like to implement the project as a live CD this time around.

Rebuilding the OpenBSD kernel

From Daemon News '200501' : '"Rebuilding the OpenBSD kernel "':

The kernel is the core of the operating system. It is the binary file that the computer loads first and stores in memory. Because it is stored in memory, the kernel needs to be as small as possible. The kernel usually lives in the root directory ('/') and by default is called 'bsd'.

Users who want their OpenBSD machine to perform specific functions or need additional device drivers might want to customize their kernel. In other OS's, like some types of Linux, it is very popular to rebuild the kernel because the default is so bloated. For most users, the default OpenBSD kernel is sufficient; however, you should still apply kernel patches, which will require rebuilding and installing a fresh kernel.

You will need the system source code and patches. I will assume both of these have been installed. If not, check out my Patching OpenBSD instructions. You can apply many patches to the kernel source before rebuilding, but make sure you apply them in order!

This is another one of those things that I occasionally need to do, but not often enough to become fluent. I will need to build a custom OpenBSD kernel for my tfw project, so maybe this will save a couple of google searches.

Firewalling with PF manuscript updated, BSD-licensed (From the OpenBSD Journal)

From Firewalling with PF manuscript updated, BSD-licensed:

Reader Dan writes in to say: "Peter N. M. Hansteen has put an updated version of the Firewalling with PF manuscript which he presented in Oslo last week. His document (lecture) talks about firewalls and related functions, with examples from real life with the OpenBSD project's PF (Packet Filter). He discusses pf firewall configuration on various BSDs - FreeBSD, OpenBSD and NetBSD. The document is a work in progress, he plans on updating it periodically."

One of my long neglected personal projects is a customized OpenBSD transparent firewall distribution (details here - http://www.unt.edu/security/tfw/). The current version (based on OpenBSD 3.4) is rock solid. I've got a few dedicated users of this project, so I thought I should try to track OpenBSD releases a little more closely. While researching the current state of affairs for OpenBSD's packet filter (pf), I came across the referenced tutorial from Peter N. M. Hansteen. I would highly recommend Hansteen's lecture on pf to anyone who is interested in building an OpenBSD firewall.