OpenBSD: Tips and Tricks

OpenBSD: Squid proxy server

I found a nice howto to set up an OpenBSD box as a web proxy server including Clam anti-virus.

You can find the howto here


Posted by Administrator on May 21, 2007

OpenVPN with FreeBSD, PF and Windows XP

This describes how to use an OpenVPN client installed on Windows to connect to a VPN concentrator installed on a FreeBSD box protected by PF.


Posted by Administrator on Dec 08, 2006

PF ruleset optimization, part 1

This is the first installment in a series of three articles about PF. I originally wrote them as chapters for a book, but then publication was cancelled. Luckily, the rights could be salvaged, and now you get to enjoy them as undeadly.org exclusives, in celebration of the upcoming OpenBSD 4.0 release. ;)

  • Firewall Ruleset Optimization
    ◦ Goals
    ◦ The significance of packet rate
    ◦ When pf is the bottleneck
    ◦ Filter statefully
    ◦ The downside of stateful filtering
    ◦ Ruleset evaluation
    ◦ Ordering rulesets to maximize skip steps
    ◦ Use tables for address lists
    ◦ Use quick to abort ruleset evaluation when rules match
    ◦ Anchors with conditional evaluation
    ◦ Let pfctl do the work for you
  • Testing Your Firewall (read)
  • Firewall Management (read)

Posted by Administrator on Oct 29, 2006

A transparent proxy with squid and pf

Introduction

squid is a caching web proxy. It sits between web browsers and servers, fetching documents from servers on behalf of browsers. It can accelerate web access by caching frequently requested pages and serving them from its cache. It can also be used to filter pop-up ads and malware, or to enforce access control (which clients may request which pages, based on different authentication methods).

Traditionally, the proxy is an optional component, and browsers are configured to actively use the proxy. Transparent proxying means forcing all web traffic through the proxy without the cooperation (or knowledge) of the clients. Once all browser connections pass through the proxy, outgoing connections to external hosts can be restricted to the proxy, and direct connections from local clients can be blocked.


Posted by Administrator on Oct 21, 2006

Using OpenBSD’s spamd as a greylist mail filter

I have an Exchange server that doesn't do a very good job of filtering spam. The server sits inside the firewall/NAT and is reached through port-forwarding. I wanted to stick a device in between the Exchange server and the firewall to filter spam, so I needed a device that would work as a bridge. Spamd works with the pf firewall to redirect SMTP traffic that is passing through the bridge to the spamd process. Once a server's IP address is added to the whitelist by spamd, traffic from that machine passes through the bridge unfiltered. Outbound SMTP traffic is also unfiltered. The users are unaffected because Microsoft Outlook doesn't use SMTP to inject mail into the server, so the only thing that should be talking to port 25 (SMTP) is other mail servers.


Posted by Administrator on Oct 09, 2006