OpenBSD :: Filtering by MAC address August 29, 2008

Now that I have OpenBSD installed on my RAID server at work, I figured I would write a few tutorials about the things I have done with it, if for nothing else so that I can remember and repeat them if something happens.

Looking through /var/log/authlog, I noticed a significant number of failed root logins and invalid-user attempts coming from seemingly random IP addresses (thousands of dictionary attacks). These are probably boxen that have been hacked into without their owners noticing yet. My first approach was to use pf(4) to filter these IP addresses: pf.conf supports tables, so a table loaded from a file of offending addresses plus a single block rule referencing that table is all it takes to reject the whole list.
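As an added example (my own code, not from the post), here is that table-based approach in shell: the first function counts failed and invalid-user ssh logins per source address in sshd's authlog format and reports the addresses at or above a threshold; the second writes them out as a pf table file. The log lines are constructed samples using documentation address ranges, and the table name bruteforce, the file path and the threshold are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the original post: build a pf table of
# brute-force sources from the failures logged in OpenBSD's authlog.

# Constructed sample log lines in sshd's authlog format (not a real log).
sample_authlog() {
    cat <<'EOF'
Aug 28 03:12:41 raid sshd[18230]: Failed password for root from 198.51.100.7 port 40214 ssh2
Aug 28 03:12:44 raid sshd[18230]: Failed password for root from 198.51.100.7 port 40214 ssh2
Aug 28 03:12:47 raid sshd[18230]: Failed password for root from 198.51.100.7 port 40214 ssh2
Aug 28 03:12:50 raid sshd[18230]: Failed password for root from 198.51.100.7 port 40214 ssh2
Aug 28 03:15:02 raid sshd[18244]: Invalid user admin from 203.0.113.9
Aug 28 03:15:02 raid sshd[18244]: Failed password for invalid user admin from 203.0.113.9 port 51120 ssh2
Aug 28 03:15:09 raid sshd[18251]: Invalid user oracle from 203.0.113.9
Aug 28 09:01:13 raid sshd[19002]: Failed password for jason from 192.0.2.5 port 49812 ssh2
Aug 28 09:01:20 raid sshd[19002]: Accepted publickey for jason from 192.0.2.5 port 49812 ssh2
EOF
}

# Read authlog lines on stdin; print "count ip" for every source with
# at least $1 (default 5) failed or invalid-user attempts, worst first.
# Only IPv4 sources are matched; an IPv6 source never reaches the table.
authlog_offenders() {
    awk -v min="${1:-5}" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            # take the field after the last "from" that looks like a
            # dotted quad, so a user literally named "from" is harmless
            for (i = NF - 1; i > 0; i--)
                if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    n[$(i+1)]++
                    break
                }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# Write the offending addresses, one per line, to the file named in $2
# (threshold in $1) so pf.conf can load them as a table:
#     table <bruteforce> persist file "/etc/pf.bruteforce"
#     block in quick on $ext_if from <bruteforce>
# After the file is rewritten, pf picks up the new list with:
#     pfctl -t bruteforce -T replace -f /etc/pf.bruteforce
# Prints the number of addresses written.
write_pf_table() {
    authlog_offenders "$1" | awk '{ print $2 }' > "$2"
    wc -l < "$2" | tr -d ' '
}

# Demo run:  sample_authlog | authlog_offenders 3
```

On a real box the input would be `authlog_offenders 5 < /var/log/authlog`; the threshold keeps a colleague's mistyped password out of the table while a few seconds of a dictionary run still lands in it.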

This worked well until I realized how endless the supply of hacked boxen out there is, so I had to come up with something more.

What I ended up using is called packet tagging, which is actually a pretty cool concept. The idea is to pass all traffic through a bridge, tag the packets you want, and have the packet filter reject the rest.

The first thing to do was to create a bridge. This can be done by building a bridgename.if(5) configuration file.

> cat /etc/bridgename.bridge0
add re0
up
# microwave2
!brconfig bridge0 rule pass in on re0 src 00:de:ad:be:ef:0f tag friendly
# microwave1
!brconfig bridge0 rule pass in on re0 src 00:de:ad:be:ef:0e tag friendly

This adds my external interface re0 to bridge0 and brings the bridge up. Lines beginning with ! are run as shell commands when the interface is configured; here they call brconfig(8) to add filtering rules to the bridge, each of which passes frames arriving on re0 from the given source MAC address and tags them friendly. Frames from any other address are handed on untagged, so the bridge by itself does not block anything. The rules that act on the tag go in pf.conf(5).

> cat /etc/pf.conf
## Block all but friendly MAC addys
ext_if="re0"            # interface connected to the internet
block all
pass in on $ext_if tagged friendly

With a macro for my external interface re0, these rules block everything and then allow in, on any port, every packet that carries the friendly tag. Note that block all applies in both directions: replies to the tagged connections get out because the pass rule keeps state, but connections the server itself opens are still blocked unless a pass out rule is added. The most excellent part is that the rule set reads almost exactly the way you think about it. Very well done.

Lastly, I made pf start at boot.

> cat /etc/rc.conf
pf=YES                  # Packet filter / NAT
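Putting the three steps together, here is an added shell example (my own, not code from the post) that generates the bridge rules and the pf.conf from a single list of hosts and MAC addresses, so the whitelist lives in one place and gets regenerated instead of hand-edited. The host list is constructed sample data (the post's two machines), and the apply function assumes an OpenBSD box with brconfig(8), pfctl(8) and netstart(8); it refuses to run anywhere else and the generators never call it. The pf.conf it emits adds a `set skip on lo0` and a `pass out` rule that the post's version lacks, so loopback traffic and connections the server opens itself are not caught by `block all`.

```shell
#!/bin/sh
# Added example, not from the original post: generate the bridge rules
# and pf.conf for MAC-address filtering from a single host list.

# Constructed sample host list: "name mac" per line; blank lines and
# "#" comments are allowed. The MACs are the post's anonymised ones.
sample_hosts() {
    cat <<'EOF'
# name        mac
microwave2    00:DE:AD:BE:EF:0F
microwave1    00:de:ad:be:ef:0e
EOF
}

# Validate a MAC address and print it in lower-case colon form.
# Returns 1 (prints nothing) for anything that is not six hex octets.
mac_normalize() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    printf '%s\n' "$1" | tr 'A-F' 'a-f'
}

# Read "name mac" lines on stdin and print the body of
# /etc/bridgename.bridge0 for interface $1, tagging allowed frames $2.
# Stops with status 1 at the first malformed entry so a typo cannot
# silently leave a machine locked out.
bridge_config() {
    ifname="$1" tag="$2"
    printf 'add %s\nup\n' "$ifname"
    while read -r host mac; do
        case "$host" in ''|'#'*) continue ;; esac
        norm=$(mac_normalize "$mac") || {
            printf 'bridge_config: bad MAC for %s: %s\n' "$host" "$mac" >&2
            return 1
        }
        printf '# %s\n!brconfig bridge0 rule pass in on %s src %s tag %s\n' \
            "$host" "$ifname" "$norm" "$tag"
    done
}

# Print a pf.conf for interface $1 that passes in only frames tagged $2.
# Unlike the post's version it skips lo0 and lets the server itself
# open outbound connections; inbound untagged frames are still dropped.
pf_config() {
    ifname="$1" tag="$2"
    cat <<EOF
## Block all but friendly MAC addys
ext_if="$ifname"          # interface the bridge rules tag on
set skip on lo0
block all
pass in on \$ext_if tagged $tag
pass out on \$ext_if
EOF
}

# On the OpenBSD box itself: regenerate both files from the host list in
# $3, reload the bridge rules and pf, then show what is really installed.
# Assumes the tools named in the post; refuses to run anywhere else.
apply_mac_filter() {
    command -v brconfig >/dev/null 2>&1 || { echo "not an OpenBSD box" >&2; return 1; }
    bridge_config "$1" "$2" < "$3" > /etc/bridgename.bridge0 || return 1
    pf_config "$1" "$2" > /etc/pf.conf.new
    pfctl -nf /etc/pf.conf.new || return 1      # syntax check before it goes live
    mv /etc/pf.conf.new /etc/pf.conf
    brconfig bridge0 flushrule "$1"             # drop old rules; netstart re-adds them
    sh /etc/netstart bridge0
    pfctl -f /etc/pf.conf
    brconfig bridge0 rules "$1"                 # what the bridge actually holds
    pfctl -sr                                   # what pf actually loaded
}

# Demo:  sample_hosts | bridge_config re0 friendly; pf_config re0 friendly
```

Keeping the two reads of the installed state (`brconfig bridge0 rules re0` and `pfctl -sr`) at the end of the apply step is the check worth having here: the whitelist only protects anything if the rule you think you added is the one the bridge is actually matching on.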

This setup has some pros and cons.

Pros:

  • No packets get in unless I have specifically allowed that computer. This gives another layer of security beyond weak password protection.
  • It cleans up my /var/log/authlog, so I can actually see that everyone is on a proper backup schedule and minimize overlap.

The two cons I can think of right now: first, I cannot access the server from an unknown computer. This is easily remedied by going through another machine that is on the friendly list, or by making sure that all the data I need is on my USB stick. Second, MAC addresses are easily spoofed: anyone on the same network segment can read an allowed address off the wire and set it on their own interface. But that requires local access, which is pretty rare. Note also that a source MAC address only survives one layer-2 hop; a packet that has crossed a router arrives carrying the router's address rather than the sender's, so hosts on the far side of a router (which includes every host on the internet) can never match one of these rules and are simply blocked.

I may or may not keep this configuration. But for now it was a good exercise in bridge and pf configuring.

One Comment
Jason September 3rd, 2008

Packet tagging is having trouble from my laptop, which goes through wireless to the box. I have to test if it is inherent in OSX (i.e. doesn't send MAC in TCP packets?) or if it is something to do with routing wireless data.
