<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><!-- generator="wordpress/2.0.4" --><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>News &amp; Updates</title>
	<link>http://www.allard.nu/blog</link>
	<description>Ramblings, ideas &amp; opinions from Allard Consulting</description>
	<pubDate>Wed, 14 Nov 2007 09:22:58 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.4</generator>
	<language>en</language>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/allard/zlhR" /><feedburner:info uri="allard/zlhr" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:browserFriendly></feedburner:browserFriendly><item>
		<title>Created a weblog</title>
		<link>http://www.allard.nu/blog/2006/08/created-the-weblog/</link>
		<comments>http://www.allard.nu/blog/2006/08/created-the-weblog/#comments</comments>
		<pubDate>Tue, 29 Aug 2006 09:54:20 +0000</pubDate>
		<dc:creator>johan</dc:creator>
		
	<category>General</category>
		<guid isPermaLink="false">http://www.allard.nu/blog/?p=3</guid>
		<description><![CDATA[Well, I thought it&#8217;s time that I join the rest of the world and start a weblog myself. I&#8217;m planning to talk about updates on the site, about running OpenBSD firewalls, vpn systems and other general uses of OpenBSD or just general security concerns or solutions. Enjoy!
]]></description>
			<content:encoded><![CDATA[<p>Well, I thought it&#8217;s time that I join the rest of the world and start a weblog myself. I&#8217;m planning to talk about updates on the site, about running OpenBSD firewalls, vpn systems and other general uses of OpenBSD or just general security concerns or solutions. Enjoy!</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.allard.nu/blog/2006/08/created-the-weblog/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>The future of PFW</title>
		<link>http://www.allard.nu/blog/2006/09/the-future-of-pfw/</link>
		<comments>http://www.allard.nu/blog/2006/09/the-future-of-pfw/#comments</comments>
		<pubDate>Wed, 13 Sep 2006 06:36:59 +0000</pubDate>
		<dc:creator>johan</dc:creator>
		
	<category>pfw</category>
		<guid isPermaLink="false">http://www.allard.nu/blog/2006/09/13/the-future-of-pfw/</guid>
		<description><![CDATA[Well, as you might have noticed, there hasn&#8217;t really been any major updates to PFW for a little while. The reason is that in its current form, it&#8217;s really reached as far as it can go. Almost all of the functionality of pf has now been included and I&#8217;ve been thinking recently about where to [...]]]></description>
			<content:encoded><![CDATA[<p>Well, as you might have noticed, there hasn&#8217;t really been any major updates to PFW for a little while. The reason is that in its current form, it&#8217;s really reached as far as it can go. Almost all of the functionality of pf has now been included and I&#8217;ve been thinking recently about where to go from here. Roughly, the options as I see them are:</p>

<ul>
<li>Leave PFW as is and just update with new features as they become available in pf. Things that could be improved though and still keep the same model, would include
<ul><li>smoother ssh connections to new hosts and better troubleshooting messages when it fails</li>
<li>Better system information pages</li></ul></li>
<li>Add things like IPsec, Interface and CARP configuration that are already included in OpenBSD and would improve the overall administration experience without breaking the current model of being a complete standalone interface to OpenBSD.</li>
<li>Add even more things like interfaces to snort, snort2pf and OpenVPN. This would of course have to be installed on the target firewall and checks need to be created to see if they are there.</li>
<li>Another way would be to create a more traditional firewall management software where we break what&#8217;s being added after the firewall has been taken under the control of PFW. I&#8217;ve been thinking of creating firewall images from inside such an interface so a firewall could be deployed that would automatically be under control of PFW and no further configuration would be needed on the firewall side of things. Everything would be controlled and managed from PFW. To make this worthwhile, logs would need to be sent back to PFW so that we can create a reporting tool for what the firewall is doing. The drawback of this is that it would make PFW larger in the sense that it would possibly be too complex to install on just one box if all you wanted is 1 OpenBSD firewall with a web interface.</li>
<li>Yet another path that we could take with PFW is to remove some of the remote admin functionality and create more of an integrated experience for 1 firewall or 1 firewall cluster. In this scenario PFW would be the &#8220;master&#8221; firewall in a firewall cluster and we somehow create additional clusters that would serve as slaves. This could be something like m0n0wall on speed if you want. We try to create a minimalistic complete firewall based on OpenBSD that has the added functionality on top of what m0n0wall can do with the failover mechanism of CARP. Maybe some form of admin locking mechanism could be created so that you would still manage local configuration parameters like ip settings even if the current node in the cluster is not the active one.</li>
</ul>

<p>As you can see, there are several options to take and I&#8217;m not really sure where to go from here.</p>

<p>Please let <a href="mailto:johan@allard.nu">me</a> know what you think.</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.allard.nu/blog/2006/09/the-future-of-pfw/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Doing some pfw coding again</title>
		<link>http://www.allard.nu/blog/2006/09/doing-some-pfw-coding-again/</link>
		<comments>http://www.allard.nu/blog/2006/09/doing-some-pfw-coding-again/#comments</comments>
		<pubDate>Tue, 26 Sep 2006 20:09:31 +0000</pubDate>
		<dc:creator>johan</dc:creator>
		
	<category>pfw</category>
		<guid isPermaLink="false">http://www.allard.nu/blog/2006/09/doing-some-pfw-coding-again/</guid>
		<description><![CDATA[Well, I must confess, I haven&#8217;t been doing any pfw coding for a while and today I started doing some stuff again. I&#8217;ve been working on a webified install helper that can significantly reduce the number of install steps needed to get up and running, and with the upcoming 0.8 release I will focus on [...]]]></description>
			<content:encoded><![CDATA[<p>Well, I must confess, I haven&#8217;t been doing any pfw coding for a while and today I started doing some stuff again. I&#8217;ve been working on a webified install helper that can significantly reduce the number of install steps needed to get up and running, and with the upcoming 0.8 release I will focus on streamlining the getting started quickly features. One thing that will change is that pfw will create and use its own ssh key instead of using the root key of the underlying os. I&#8217;ve been thinking of removing localhost as a &#8220;special case&#8221; and using ssh to log in to localhost as well. That will make the process simpler as all hosts are being treated equally (without some being more equal than others) and will also remove the dependency on having sudo configured on localhost. This needs to be worked on a little bit more though as I really want it to be foolproof as it changes the current behaviour of pfw. Doing it like this is also the first step in possibly creating a pfw installation that can run in a chrooted environment. This won&#8217;t happen in the next release and I have been playing with running ssh inside a chrooted shell and last time I tried I got it to work and for some reason I couldn&#8217;t get the resolver to work, and I could ssh from within the chrooted environment to the outside using ip addresses. We will see what will happen. Please let <a href="mailto:johan@allard.nu">me</a> know what you would like to see for the next release.</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.allard.nu/blog/2006/09/doing-some-pfw-coding-again/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>pfw iso image on OpenBSD 4.0 released</title>
		<link>http://www.allard.nu/blog/2006/11/pfw-iso-image-on-openbsd-40-released/</link>
		<comments>http://www.allard.nu/blog/2006/11/pfw-iso-image-on-openbsd-40-released/#comments</comments>
		<pubDate>Sun, 05 Nov 2006 03:42:35 +0000</pubDate>
		<dc:creator>johan</dc:creator>
		
	<category>pfw</category>
		<guid isPermaLink="false">http://www.allard.nu/blog/2006/11/pfw-iso-image-on-openbsd-40-released/</guid>
		<description><![CDATA[The pfw iso image based on OpenBSD 4.0 has been released and also updated to include the OpenBSD security fixes 001-003. You can download the iso from http://www.allard.nu/pfw/download/iso/4.0.

If you want to purchase the iso image, please see the information at http://www.allard.nu/pfw/iso.

Happy pfw:ing
]]></description>
			<content:encoded><![CDATA[<p>The pfw iso image based on OpenBSD 4.0 has been released and also updated to include the <a href="http://www.openbsd.org/errata.html">OpenBSD security fixes</a> 001-003. You can download the iso from <a href="http://www.allard.nu/pfw/download/iso/4.0/">http://www.allard.nu/pfw/download/iso/4.0</a>.</p>

<p>If you want to purchase the iso image, please see the information at <a href="http://www.allard.nu/pfw/iso">http://www.allard.nu/pfw/iso</a>.</p>

<p>Happy pfw:ing</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.allard.nu/blog/2006/11/pfw-iso-image-on-openbsd-40-released/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>OpenBSD iso available for download</title>
		<link>http://www.allard.nu/blog/2006/11/openbsd-iso-available-for-download/</link>
		<comments>http://www.allard.nu/blog/2006/11/openbsd-iso-available-for-download/#comments</comments>
		<pubDate>Wed, 15 Nov 2006 09:23:15 +0000</pubDate>
		<dc:creator>johan</dc:creator>
		
	<category>General</category>
		<guid isPermaLink="false">http://www.allard.nu/blog/2006/11/openbsd-iso-available-for-download/</guid>
		<description><![CDATA[As you might know, I have been providing stripped down OpenBSD iso installations for my pfw project. For some time now, I have been thinking about providing a regular OpenBSD iso as well. So now I have. If you have purchased the pfw iso image you can now download a regular OpenBSD iso as well, [...]]]></description>
			<content:encoded><![CDATA[<p>As you might know, I have been providing stripped down OpenBSD iso installations for my pfw project. For some time now, I have been thinking about providing a regular OpenBSD iso as well. So now I have. If you have purchased the pfw iso image you can now download a regular OpenBSD iso as well, free of charge. The reason this is only available if you&#8217;ve already purchased the pfw iso is not to interfere with the sales of the <a href="http://www.openbsd.org/orders.html">OpenBSD cd&#8217;s</a>.</p>

<p><a id="more-7"></a></p>

<p>This ISO image creates an up-to-date OpenBSD installation. It includes OpenSSH 4.5 and all the security fixes from <a href="http://www.openbsd.org/errata.html">http://www.openbsd.org/errata.html</a>.</p>

<p>Included in the iso is also a site40.tgz file. If you choose to install
this file, the following will happen:</p>

<ul>
<li>Bash and Zsh will be installed (always nice with choices), with nice bashrc and zshrc files.</li>
<li>pftop, lsof and screen will be installed (nice to have)</li>
<li>Ruby will be installed (my scripting language of choice)</li>
<li>You will be prompted to install a non-root user during install</li>
</ul>

<p>The following configuration changes will happen:</p>

<ul>
<li>Postfix will replace Sendmail for sending email (the smtp listener is disabled)</li>
<li>ssh version 1 will be disabled</li>
<li>ksh will be set as the shell for root (can&#8217;t stand csh)</li>
<li>Soft dependencies will be set on all UFS partitions.</li>
<li>the csh skel files will be deleted</li>
<li>sudo will allow users in the wheel group to authenticate as root</li>
</ul>

<p>You can download the regular OpenBSD iso from <a href="http://www.allard.nu/iso/download/4.0">http://www.allard.nu/iso/download/4.0</a> using the same username and password that you use to download the pfw iso.</p>

<p>If you want to purchase the pfw iso image, please see <a href="http://www.allard.nu/pfw/iso">http://www.allard.nu/pfw/iso</a> and you will get this great OpenBSD iso as well.</p>

<p>Enjoy!</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.allard.nu/blog/2006/11/openbsd-iso-available-for-download/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>IPsec clients screencast</title>
		<link>http://www.allard.nu/blog/2007/07/ipsec-clients-screencast/</link>
		<comments>http://www.allard.nu/blog/2007/07/ipsec-clients-screencast/#comments</comments>
		<pubDate>Tue, 10 Jul 2007 10:27:46 +0000</pubDate>
		<dc:creator>johan</dc:creator>
		
	<category>General</category>
		<guid isPermaLink="false">http://www.allard.nu/blog/2007/07/ipsec-clients-screencast/</guid>
		<description><![CDATA[I&#8217;ve just updated the OpenBSD IPsec client pages with some more recent info, including how to set up tunnels using the more modern ipsec.conf file. To top it all off, I&#8217;ve created a screencast on how to set this up, which should make things much easier for you to get up and running with a recent [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve just updated the OpenBSD IPsec client pages with some more recent info, including how to set up tunnels using the more modern ipsec.conf file. To top it all off, I&#8217;ve created a screencast on how to set this up, which should make things much easier for you to get up and running with a recent installation:</p>

<p><a href="http://www.allard.nu/openbsd/ipsecclients/basic_setup/">http://www.allard.nu/openbsd/ipsecclients/basic_setup/</a></p>

<p>Enjoy!</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.allard.nu/blog/2007/07/ipsec-clients-screencast/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Announcing the OpenBSD MailServer Project</title>
		<link>http://www.allard.nu/blog/2007/07/announcing-the-openbsd-mailserver-project/</link>
		<comments>http://www.allard.nu/blog/2007/07/announcing-the-openbsd-mailserver-project/#comments</comments>
		<pubDate>Sun, 29 Jul 2007 10:58:35 +0000</pubDate>
		<dc:creator>johan</dc:creator>
		
	<category>General</category>
		<guid isPermaLink="false">http://www.allard.nu/blog/2007/07/announcing-the-openbsd-mailserver-project/</guid>
		<description><![CDATA[Following the success of the PFW iso images, I have now released a MailServer following a similar concept. With this MailServer, you will get a state of the art open source mailserver using:


Postfix MTA
Dovecot POP/IMAP Server
SpamAssassin and Clam AV
IlohaMail webmail interface
Webmail interface to manage users, domains and forwardings


Everything configured using Secure by Default standards and [...]]]></description>
			<content:encoded><![CDATA[<p>Following the success of the PFW iso images, I have now released a MailServer following a similar concept. With this MailServer, you will get a state of the art open source mailserver using:</p>

<ul>
<li>Postfix MTA</li>
<li>Dovecot POP/IMAP Server</li>
<li>SpamAssassin and Clam AV</li>
<li>IlohaMail webmail interface</li>
<li>Webmail interface to manage users, domains and forwardings</li>
</ul>

<p>Everything configured using Secure by Default standards and all set up so that you can have a mailserver up and running in 5 minutes. You just need to add your domains and users and you&#8217;re good to go.</p>

<p>I&#8217;m selling this for $49, which, if you value your own time at anything, is very cheap. Many hours have gone down researching the best products for each component and many hours working out the best way of making them work together.</p>

<p>I certainly also recommend downloading the VMware image as a way of testing that the MailServer Project would indeed be something for you.</p>

<p>You can find the OpenBSD MailServer Project <a href="http://www.allard.nu/mailserver/">here</a>.</p>

<p>Enjoy!</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.allard.nu/blog/2007/07/announcing-the-openbsd-mailserver-project/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>November MailServer update</title>
		<link>http://www.allard.nu/blog/2007/11/november-mailserver-update/</link>
		<comments>http://www.allard.nu/blog/2007/11/november-mailserver-update/#comments</comments>
		<pubDate>Wed, 14 Nov 2007 09:22:58 +0000</pubDate>
		<dc:creator>johan</dc:creator>
		
	<category>General</category>
	<category>openbsd</category>
		<guid isPermaLink="false">http://www.allard.nu/blog/2007/11/november-mailserver-update/</guid>
		<description><![CDATA[Well, it&#8217;s been an interesting couple of weeks with lots of development on the MailServer project. The product is definitely maturing quite nicely and today I updated the VMware image and posted on the VMware Virtual Appliance directory. The VMware image is now based on the latest updated MailServer fixes and I&#8217;m sorry to the 2000 [...]]]></description>
			<content:encoded><![CDATA[<p>Well, it&#8217;s been an interesting couple of weeks with lots of development on the MailServer project. The product is definitely maturing quite nicely and today I updated the VMware image and posted on the <a href="http://www.vmware.com/appliances/directory/1095">VMware Virtual Appliance directory</a>. The VMware image is now based on the latest updated MailServer fixes and I&#8217;m sorry to the 2000 people or so that already downloaded the old VMware image that had a few issues. Please give it another go with this new version and you will be much happier. The old version also had severe hard drive space limitations and this new one has a lot more space.</p>

<p>The most interesting change that has happened is that I&#8217;ve started to develop a gui to change user account settings, like changing Antispam white and black listings and adding a Vacation function that can be set to automatically be removed at a certain date.</p>

<p>There are still a lot more things that I want to do with the MailServer, and the next step is to update the base image to OpenBSD 4.2. After that I will most likely turn my attention to creating a Dashboard that will display CPU and memory usage. I also have a very nice ajax based log viewer that will update log entries without reloading the page, working but not yet finalised. This will hopefully be added in the next couple of weeks.</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.allard.nu/blog/2007/11/november-mailserver-update/feed/</wfw:commentRSS>
		</item>
	</channel>
</rss>

