LinuxQuestions.org


Novi 05-04-2013 10:34 AM

Laptop safe with OpenBSD.
 
Hello everybody.
I am self-employed; my laptop is my workplace. For the last 10 years I worked with Windows XP+SP3. In spite of all security measurements, one day I lost everything. Now I have decided to work with the more stable and secure Linux.
For a few weeks I have been collecting experience with Mint/Ubuntu, Debian 7 (wheezy),
Ubuntu 12.04 Precise Pangolin and at last with OpenBSD.
What I need is a clear manual or tutorial, a HOWTO for installing and configuring an iptables firewall. There is a lot of stuff on the net, even ready-to-go scripts (.src).
I have downloaded a few of them meanwhile, but I have never done it before and need support. Step after step. The .src script is ready to use, but how to implement it?
Please, what I need is a tutorial or link with examples!
From the beginning to the end.

My laptop: Lenovo T60p, 4 GB RAM, CPU - IntelCoreDuo T-2600, 32-bit.
4 partitions, each with a different OS.

jdkaye 05-04-2013 10:46 AM

Is this any help?
http://www.thegeekstuff.com/2011/01/...-fundamentals/
jdk

Novi 05-04-2013 11:02 AM

Not especially. To understand iptables logic would take weeks; to implement it properly, years of experience.
I need it faster. I downloaded one of many ready config scripts (.src) for a workstation. Now the question is, what's next?
How to implement it, how to use it, how to make it, step after step. On Debian 7, for example.

btmiller 05-04-2013 11:34 AM

OpenBSD does not use iptables -- it uses a different (and IMO superior) firewall called PF, which has a different configuration syntax. You can find the basic documentation here.

In order for us to provide more help, you really need to state more about what you're trying to accomplish. What services (if any) do you wish to allow? Do you wish to filter outgoing traffic as well as incoming, etc.?

A basic firewall script would simply deny all inbound traffic except that related to an outgoing connection that your system opened. Something like:

Code:

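# Flush all existing rules in the filter table
iptables -F
# Default policy: drop anything that no rule below accepts
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow loopback traffic
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
# Allow replies to connections this machine opened
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop all other inbound traffic
iptables -A INPUT -j DROP
# Allow all outbound traffic
iptables -A OUTPUT -j ACCEPT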

Whether or not this will actually do what you want is another matter...

guyonearth 05-04-2013 11:53 AM

[QUOTE]I am self-employed; my laptop is my workplace. For the last 10 years I worked with Windows XP+SP3. In spite of all security measurements, one day I lost everything. Now I have decided to work with the more stable and secure Linux.[/QUOTE]

Whoa, there. I'm confused.

1. "Lost everything"?...you had no backups, given that a laptop is your main and only system?
2. Windows XP is a legacy OS, there are newer and better versions.
3. You used the same laptop for 10 years?
4. How could you "lose everything", short of a hard drive crash?

Novi 05-04-2013 12:32 PM

@guyonearth
I am absolutely aware it was my fault. I don't want to talk about it. It was a break-in to my HDD. All data is gone.
But now all I need is a much more secure laptop. There is no need to talk about the configuration file, I've got it.
There is a need to talk about how to implement it and start.
NOW:
Downloaded file "firewall.src" is in directory "Downloads"
Next to do:
----------
Next to do:
---------
Next to do:
---------
Finish.


@btmiller
What do you think, which will be easier for me to do: iptables with Debian or Ubuntu, or Packet Filter with OpenBSD? I have already downloaded an iptables configuration file; with OpenBSD it would be an absolute beginning for me.

iptables forum? OpenBSD forum?

Novi 05-04-2013 12:59 PM

@guyonearth
I am absolutely aware it was my fault. I don't want to talk about it. It was a break-in to my HDD. All data is gone.
But now all I need is a much more secure laptop. There is no need to talk about the configuration file, I've got it.
There is a need to talk about how to implement it and start. My aim is "Stateful Packet Filtering".
NOW:
Downloaded file "firewall.src" is in directory "Downloads"
# macros
ext_if = "xl0"
int_if = "fxp0"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

comp3 = "192.168.0.3"

# options
set block-policy return
set loginterface $ext_if

set skip on lo0

# datagram normalization
match in all scrub (no-df)

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# packet filter rules
block in

pass out keep state

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state

pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in quick on $int_if
Next to do:
----------
Next to do:
---------
Next to do:
---------
Finish.


@btmiller
What do you think, which will be easier for me to do: iptables with Debian or Ubuntu, or Packet Filter with OpenBSD? I have already downloaded an iptables configuration file; with OpenBSD it would be an absolute beginning for me.

iptables forum? OpenBSD forum?

btmiller 05-04-2013 01:56 PM

I don't think there's much of a difference between PF and iptables in terms of ease of use. You have to know something about firewalls to use either effectively.

The problem is that you still haven't answered my questions. You say that you want a more secure laptop, but you don't define specifically what you mean. Do you want to allow any external connections at all? If so, which hosts and services? The PF configuration that you downloaded is just a sample that is designed for a network gateway as opposed to a standalone machine -- it does a lot of things (e.g. reverse NAT via rdr to pass incoming port 80 [HTTP] requests to a Web server on the local network). It also allows incoming connections to port 22 (SSH) and 113 (identd). This is probably not something you want for a standalone laptop.

I hate to break it to you, but you can't just download random configurations from the Internet and expect to be able to use them without some understanding of what they're actually doing. It's not hard to gain that understanding, but you have to be willing to spend a little time reading and learning. This is true regardless of whether you use iptables or PF. For iptables, why not start with the small script I gave you in post #4 and adapt it to your needs? What I like to do to load the rules at boot is to save my iptables script somewhere (like /root/firewall.sh) and then add something to the network startup init script or rc.local to run the script at boot time. This is slightly suboptimal since there's a very brief window (a few seconds) between the time the network starts and when the firewall is brought up, but that hasn't been a huge concern in my environment. For you it might be different. Red Hat based distros used to have a command ("service iptables save" IIRC) that would save the currently loaded ruleset to a configuration file and load them when the network was brought up. I'm not entirely sure how Debian based boxes do it (hopefully someone more experienced than I can tell you). I usually don't rely as much on host based firewalls since my work network has a fairly sophisticated network firewall with publicly accessible services off in a DMZ network, but of course for a laptop you will need to rely on the host based firewall.

Hopefully this is not too confusing. The summary is that setting up a firewall requires a little bit of knowledge and research on your part. You also need to know what you want to accomplish ... deny all incoming traffic, some incoming traffic, some outgoing traffic, etc. No one but you can decide on what you need. If you can state that clearly, we can help you craft a policy that will meet your needs.
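
Added example (not part of any post in this thread): a small Python check that applies the review described in the post above to the sample pf.conf, expanding macros and listing every rule that admits inbound traffic. The function names and the embedded SAMPLE, a constructed subset of the posted configuration, are assumptions for illustration; only the simple macro and rule forms shown here are handled.

```python
import re

# Constructed sample: macro and rule lines taken from the pf.conf quoted in this thread.
SAMPLE = '''\
ext_if = "xl0"
int_if = "fxp0"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
comp3 = "192.168.0.3"
rdr on $ext_if proto tcp from any to any port 80 -> $comp3
block in
pass out keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \\
port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $comp3 port 80 \\
flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
'''

MACRO = re.compile(r'^(\w+)\s*=\s*"?(.*?)"?\s*$')
PORTS = re.compile(r'\bport\s+(\{[^}]*\}|\S+)')

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    for line in re.sub(r'\\\n', ' ', text).splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            yield line

def word_after(words, key):
    """Return the word following `key`, or 'any' if `key` is absent."""
    return words[words.index(key) + 1] if key in words[:-1] else 'any'

def inbound_exposure(text):
    """List (action, interface, proto, ports) per inbound rule; [] = no port limit."""
    macros, findings = {}, []
    for line in logical_lines(text):
        m = MACRO.match(line)
        if m:  # macro definition: remember it for later expansion
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r'\$(\w+)', lambda r: macros.get(r.group(1), r.group(0)), line)
        words = line.split()
        if words[:2] == ['pass', 'in'] or words[0] == 'rdr':
            ports = [p for spec in PORTS.findall(line)
                     for p in re.findall(r'[\w-]+', spec)]
            findings.append((words[0], word_after(words, 'on'), word_after(words, 'proto'), ports))
    return findings
```

Calling `inbound_exposure(SAMPLE)` returns five entries, including the port 80 redirect and the port 22 and 113 openings on the external interface that a standalone laptop does not need.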

Novi 05-04-2013 02:27 PM

@btmiller
I have been doing nothing else for a few days but learning. The problem is I'm not sure whether I am wasting my time reading absolute rubbish.
I am not able to estimate what is good stuff and what is not. On this page: https://calomel.org/ is a new PF script, just to use it.
I know what you think, but I am a self-made man; nobody ever taught me all the details. My knowledge is unsystematic but really not small. I've got an idea: please ask me what you want to know, I will answer and it will be a lesson for me. OK?

ulkoma 05-04-2013 02:41 PM

Man, I highly doubt you'll get any real help with this attitude! We don't even know what you mean by secure, or about the connection between losing your data and your need to have a firewall!

I wish you good luck but the way I see it nobody can help you if you refuse to help yourself

Novi 05-04-2013 03:01 PM

@ulkoma
Every one of you started with training or study, with teachers, books, exercises, homework, tests and so on.
I don't expect so much, just a few questions to show me the proper direction - 20-30 questions.
Many millions of people are now in my situation; they have never done it before, but they have to do it now! And what?
Don't you file it now, this subject will be not only for me but for others as well.

guyonearth 05-04-2013 03:15 PM

Most Linux implementations are fairly secure by default, and many already have a firewall configured (Ubuntu, OpenSuSE, etc.) Without knowing how your computer was compromised in the first place, it's hard to give advice. If you were originally compromised through an exploit that only ran on Windows, i.e. a trojan or malware, or something like that, there is no need to worry about that on a Linux system.

Novi 05-04-2013 03:30 PM

@
I understand your answer.
Closing this subject, my last question. What should I do to implement and start working with this: OpenBSD v5.1 pf.conf from https://calomel.org/pf_config.html on OpenBSD? Let me go ahead a few steps.


All times are GMT -5.