Installing a DHCP server on FreeBSD February 5th, 2010
I would like to automatically assign IP addresses to computers attached to my network rather than setting them manually every time they are attached to my network. This time, I'm going to write about how I install and configure the ISC DHCP server on my FreeBSD router.
What is DHCP
Dynamic Host Configuration Protocol (DHCP) is a protocol for automating the assignment of IP addresses in a network. Each computer connected to a network must have a unique IP address, and without DHCP the TCP/IP information must be configured manually on each computer.
Installing ISC DHCP
The ISC DHCP server is a free implementation of the DHCP protocol. The software is available from the DHCP Site.
Before you install DHCP, make sure the bpf device is compiled into your kernel. If you are using the default (GENERIC) kernel, it is already built in.
To install ISC DHCP Server using ports on FreeBSD type (as root):
# cd /usr/ports/net/isc-dhcp3-server
# make install clean
Once the installation has finished, we can move on to configuring the server. A sample configuration file is located at /usr/local/etc/dhcpd.conf.sample; copy or rename it to dhcpd.conf.
Configuration
FreeBSD Firewall February 5th, 2010
This tutorial covers firewall principles and the implementation of a firewall on FreeBSD with IPFW.
“Firewall (networking), a logical barrier designed to prevent unauthorized or unwanted communications between sections of a computer network” Wikipedia.org
Well, this is a general description. To build a successful firewall, a good understanding of firewalling principles and of the security measures that prevent different kinds of attacks is needed.
1. Type of attacks
a. Unauthorized access
People who succeed in accessing your servers/network from inside or outside (for example by finding weak passwords with brute-force programs). Unauthorized access can be reduced by automatically forcing users to change their passwords from time to time, by requiring them to choose strong passwords (no dictionary words, letters and numbers, 8-10 characters minimum), and by deleting the accounts of people who no longer work for the organization/company. A good policy for preventing unauthorized access covers not only server accounts but also a security policy for network resources (file servers and print servers).
b. Exploits of bugs in programs
Some of the applications within the operating system, or userland applications installed on the server, may have bugs/vulnerabilities that can be exploited to gain access. To prevent this kind of security problem, disable all services you do not need and run only the minimum necessary services. Stay informed about security vulnerabilities in your installed applications (there are many internet resources on the subject), and when an installed version is vulnerable, patch it. Also audit your server's security from time to time.
c. Spoofing
This technique is used to fake a host in order to communicate with the victim host, giving the victim the impression that it is communicating with a real/known host. To protect against this type of attack, configure the firewall to verify the authenticity of datagrams and to block the routing of datagrams with invalid source addresses. A connection-control mechanism can also be added to the firewall to introduce unpredictability (random ports for every connection, random TCP sequence numbers, and dynamic port allocation).
PF simple conf to block IP addresses February 5th, 2010
So if you want PF to do only one thing, and that is to block particular IPs, here is how you do it. Keep in mind, this configuration is a horrible idea for a traditional firewall. So first begin by creating /etc/pf.conf; I use vi, you can use whatever.
ext_if="re0" # External interface
# Block all IPs in the banned table
table <banned> { 192.168.1.1 }
block quick from <banned> to any
block quick from any to <banned>
pass out keep state
pass in quick on $ext_if
This is not a configuration for a traditional firewall; it is for the sole purpose of blocking a single IP or IP ranges.
You will need to replace re0 with your interface name and put the IPs to be blocked in the banned table.
You can put entire ranges of IPs if you want, like 204.152.64.0/23,
and the table entries should be comma separated, so something like:
table <banned> { 192.168.1.1, 204.152.64.0/23 }
Also, to get pf to start at boot (on FreeBSD, anyway), you need to put this in /etc/rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
I'll go more in depth on more stuff you can do with pf in the next post, or wait, maybe a PowerShell post, I don't know. I am not promising anything.
Using pf as a Firewall February 5th, 2010
I’ve long been a fan of FreeBSD (although I also use a Mac, Linux, and Windows machine — right tool for the job, and all that), and one of the things I like best about the various BSDs is the ease with which you can set up a stateful packet-filtering firewall. To put it simply, pf rocks.
Setting it up for the first time, though, can be a bit of a chore. If you are interested in giving pf a look, here’s how you do it on FreeBSD.
Recompile your kernel
For the sake of argument, let’s assume that we are going to be setting up a machine called “zeus” as a gateway server with a few simple services running on it. We first need to compile the pf stuff into the kernel, and then install our new kernel. First, get to the right directory:
[tcs@zeus] ~> su -
Password:
1:28PM up 60 days, 3:54, 1 user, load averages: 0.03, 0.01, 0.00
[root@zeus] ~# cd /usr/src/sys/i386/conf/
Now, copy the file GENERIC to some new file (I'm calling mine ZEUS):
[root@zeus] ~# cp GENERIC ZEUS
Edit the file ZEUS and add the following lines just below "options ADAPTIVE_GIANT":
FreeBSD / OpenBSD: PF Firewall Blocking IP Address & Subnets February 5th, 2010
How do I configure tables to drop a large number of IPs?
Open the pf.conf file, enter:
# nano /etc/pf.conf
Add the following code:
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
ext_if="em1" # interface connected to the internet
Add the following rule to drop and log all IPs/subnets listed in the /etc/pf.blocked.ip.conf file:
block drop in log (all) quick on $ext_if from <blockedips> to any
Save and close the file. Now create the file /etc/pf.blocked.ip.conf using the nano text editor, enter:
# nano /etc/pf.blocked.ip.conf
Sample file contents:
192.168.1.0/24
202.54.1.5
# 202.54.4.5
The file /etc/pf.blocked.ip.conf should contain a list of IP addresses and/or CIDR network blocks, one per line. Any line beginning with # is treated as a comment and ignored by pf.
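As an added example (Python, not code from either post or from the pf tools): a small checker for the one-entry-per-line block list described above. It validates each entry the way pfctl would (host bits set in a prefix are an error), flags entries already covered by a listed subnet, and renders the comma-separated inline table form used in the simple pf.conf from the earlier post. The table name banned, the sample entries, and the tolerance for trailing # comments are assumptions made here.

```python
import ipaddress

# Constructed sample mirroring the post's file layout: one address or
# CIDR block per line, '#' starts a comment. Trailing comments are an
# assumption of this parser; the post only shows whole-line ones.
SAMPLE_BLOCKLIST = """\
192.168.1.0/24
202.54.1.5
# 202.54.4.5   (commented out, must be ignored)
192.168.1.77   # already inside 192.168.1.0/24
204.152.64.0/23
"""

def parse_blocklist(text):
    """Return (networks, errors). Valid lines become ip_network objects;
    malformed lines are reported instead of silently dropped, because
    one bad entry makes pfctl reject the whole table file."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=True rejects host bits set in a prefix (10.0.0.5/24)
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((lineno, entry, str(exc)))
    return networks, errors

def redundant_entries(networks):
    """Entries already covered by a wider block in the same list; pf
    accepts them, but they hide the fact that the wider block exists."""
    return [n for n in networks
            if any(n != o and n.version == o.version and n.subnet_of(o)
                   for o in networks)]

def render_table(name, networks):
    """Render the comma-separated inline form from the simple pf.conf,
    e.g. table <banned> { 192.168.1.1, 204.152.64.0/23 }."""
    entries = [str(n.network_address) if n.prefixlen == n.max_prefixlen
               else str(n) for n in networks]
    return "table <%s> { %s }" % (name, ", ".join(entries))

if __name__ == "__main__":
    nets, errs = parse_blocklist(SAMPLE_BLOCKLIST)
    for lineno, entry, msg in errs:
        print("line %d: bad entry %r: %s" % (lineno, entry, msg))
    for n in redundant_entries(nets):
        print("note: %s is already covered by a wider block" % n)
    print(render_table("banned", nets))
```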
To load new rules, simply type:
# sh /root/reloadpf
