commit 469d9f8d4b708f40564749bf91ad112863fae1cb from: smytht via: GitHub date: Wed Jun 05 11:58:46 2024 UTC update files to reflect nshtutorial update index.html and index.md tidy up basics.md to improve pagination add improved nsh manual examples commit - 15028c6e86bfe90e1d663a123ad5210bb2bc6b01 commit + 469d9f8d4b708f40564749bf91ad112863fae1cb blob - /dev/null blob + 5a18b726fd4d0435615f0e2df849965fa05549a6 (mode 644) --- /dev/null +++ basics.md 
@@ -0,0 +1,571 @@ + +class: center, middle + +# NSH Basics + + +### Section 1 + +--- +## Unix Based Routers with a Unified Config. + +- Some people are not comfortable with Unix Command line +- Some router clis are not much better +- However some modern router clis are significatnly easier to use. +- Staff Training, how many staff know Unix ? + - Cli skills level ? + - Unix skills level ? +- Linux BSD and other systems have inconsistent configuration / command syntax + +--- +## enter NSH *N*etwork *SH*ell & its goals + +- Shell and interpreter for configuring OpenBSD as a network appliance +- Guide the user in configuration with + - brief command help with help command or ? + - double command line completion + - manual command to provide more detail in an easy to navigate help system +- allow a competent network engineer to harness the full power of OpenBSD without prior Unix Experience. +- keep configuration minimal (hide system default config values) +- unified configuration one configuration file to control all aspects of the router. 
+- intuitive configuration language similar to that commonly deployed commercial routers / switch +- dont rewrite / translate daemon configuration syntax (wrap around existing config systnax) + +--- +## NSH *N*etwork *SH*ell History + +Project started by Chris Cappuccio in 2002 + +- Developed on a part time basis over the years +- Tom Smyth joined the project as OpenBSD NSH package maintainer in March 2021 +- Stefan Sperling joined the project in January 2023 + +--- +## Getting Started with NSH - *N*etwork *SH*ell (Interactively) + +NSH can be set as a users default shell or started by executing nsh +- NSH has 3 main interactive modes + - unprivileged mode is entered if a standard user executes nsh + - allows user to run basic diagnostic commands such as ping tracert, show route, show arp + - enable privileged mode is entered if the root user executes nsh or if a normal user enters the command 'enable' + - (read config including sensitive config, but config cannot be modified (safety)) + - privileged config mode is entered from privileged mode by entering the command 'configure' + - (modify configuration) + +```shell +nsh# nsh +% NSH v1.1 +nsh/enable +nsh(p)/configure +nsh(config-p)/exit +nsh(p)/disable +nsh/ +``` +- NB the different prompts for different NSH modes! + +--- +## Getting Started with NSH - *N*etwork *SH*ell non interactive use + +- NSH can be used to load configuration from a file (batch changes/ automation) +- update config - execute a series of NSH commands from a file + +```shell +#nsh –c /home/config-script-to-update-config +``` +- Initialise config (startup config) +```shell +#nsh –i /etc/nshrc +``` + +--- +## Getting Started with NSH - command help + +- command ? - display brief command help for "command" + +```shell +nsh(config-p)/pf ? 
+% Arguments may be abbreviated + + enable enable pf firewall + disable disable pf firewall + edit edit, test and stage firewall rules + check-config test and display staged firewall rules + reload test and apply staged firewall rules +nsh(config-p)/ +``` +- command [tab] [tab] displays a horisontal list of command options for "command" + +```shell +nsh(config-p)/pf +check-config disable edit enable reload +nsh(config-p)/ +``` + +--- +## Getting Started with NSH - Read The Fine Manual + +- The manual is accessible within nsh with the manual command + +```shell + manual [search tag] +``` +- Display the nsh manual page. If a search tag is specified then jump to + the first section matching this tag if one or more matching tags exist. +- Alterntively one can access the nsh manual page in other OpenBSD shells with the man command + +```shell + man nsh +``` + +--- +## Getting Started with NSH - manual [command] + +- manual command - opens the nsh manual at the correct page for "command" +- makes use of search tags in mandoc +- user can jump forward to next search tag with [t] +- user can jump back to previous search tag with [shift] [T] +- command [tab] [tab] displays a horisontal list of command options + for "command" + +- E.g. manual bridge +```shell +nsh(bridge-bridge101)/manual bridge +``` + +--- +## Getting Started with NSH - manual bridge command output + +```shell + [no] bridge [bridge-name] + Modify bridge configuration on the named bridge or layer 2 forwarding + interfaces such as, bridge(4), veb(4), tpmr(4). See also OpenBSD manual + pages for bridge(4), veb(4), tpmr(4) and ifconfig(8) (accessible via the + following nsh commands): + + !man bridge + !man ifconfig + - e.g. configure bridge settings on bridge1, and display bridge + configuration help. + E.g show available bridge configuration commands. + + nsh(config-p)/bridge bridge100 + nsh(bridge-bridge100)/? + % Commands may be abbreviated. + % Type 'exit' at a prompt to leave bridge configuration mode. 
+ % Bridge configuration commands are: + + description Bridge description + member Bridge member(s) + span Bridge spanning port(s) +``` + +--- +## Getting Started with NSH - manual command - [tab] [tab] +-Display all available search terms or commands in manual + +```shell +nsh(config-p)/manual +ah ftp-proxy ldp protected span +arp group ldpd quit ssh +autoconf help lladdr rdomain switch +bgp hostname macaddress reboot switchport +bgpctl hsrp manual relay sync +bgpd icmp mbuf relayd syncdev +bridge ifstate monitor resolv tcp +bridgeport ifstated mpls resolv.conf telnet +carp igmp multicast rip tftp +config ike nameserver ripd tftp-proxy +configure iked ndp route tpmr +crontab ikev2 nppp route6 traceroute +dhcp inetd ntpd sadb unsetenv +dhcpd interface ospf sasync veb +dvmrpd isakmpd patch setenv vpls +eigrp kernel pfsync shell vxlan +enable l2vpn ping6 smtp wg +esp label pipex smtpd wireguard +flow ldap powerdown snmp write-config +flush ldapd privileged snmpd +nsh(config-p)/manual +``` + +--- +## Getting Started with NSH - manual Command - search tags + +- user can jump forward to next search tag with [t] +- user can jump back to previous search tag with [shift] [T] + +```shell + show bridge [bridge-interface | veb-interace | tpmr-interface] + + Without specifying an argument, it displays all layer2 forwarding devices + configured on the system, and all members of each layer2 forwarding + device, and any description of the layer2 forwarding device. Layer 2 + forwarding devices supported by this command include bridge(4) standard + bridge, veb(4) virtual ethernet bridge and the tpmr(4) two port mac relay + device. +``` + +--- +## NSH - manual Command search tag continued + +```shell + e.g. 
Display all layer2 forwarding devices and their member ports + + nsh(p)/show bridge + % Bridge Status Member Interfaces + bridge1 down + Description: - + bridge100 up vlan100 + Description: Tom-Smyths-Bridge + veb200 up vlan200 + Description: Chris-Cappuccios-Bridge + tpmr102 up vether1102 vether2102 + Description: dlg-bridge + nsh(p)/ + e.g. Display the information the tpmr102 layer2 forwarding device + +``` + +--- +## Getting Started with NSH - show command + +- show commands are read only, they do not alter the state of the system, + they are intended to give the user full visibility on selected aspects + of the state of the system. +- E.g. show arp - displays Address Resolution Protocol + +```shell +nsh/show arp +Host Ethernet Address Netif Expire Flags +10.0.2.2 52:54:00:12:35:02 em0 12m37s +10.0.2.15 08:00:27:bd:cb:77 em0 permanent l +``` + +--- +## Getting Started with NSH - show route Command + +-E.g. show route display the IP route table of the system + +```shell +nsh/show route +Flags: U - up, G - gateway, H - host, L - link layer, R - reject (unreachable), + D - dynamic, S - static, T - MPLS, c - CLONED, l - LOCAL + +% IPv4: +Destination Gateway Flags Refs Use Mtu Interface +0.0.0.0/0 10.0.2.2 UGS 6 881 - em0 +224.0.0.0/4 127.0.0.1 URS 0 53 32768 lo0 +10.0.2.0/24 10.0.2.15 U 1 0 - em0 +10.0.2.2 52:54:00:12:35:02 UHLc 1 17 - em0 +10.0.2.15 08:00:27:bd:cb:77 UHL 0 43 - em0 +10.0.2.255 10.0.2.15 UH 0 0 - em0 +127.0.0.0/8 127.0.0.1 UGRS 0 0 32768 lo0 +127.0.0.1 127.0.0.1 UH 1 2 32768 lo0 + +``` + +--- +## Getting Started with NSH - brief diagnostics + +- NSH user can set the desired verbosity levels of any command run after + setting the verbosity +- NSH displays brief diagnostics by default. 
+```Shell +nsh/no verbose +% Diagnostic mode disabled +``` + +```Shell +nsh/show interface em0 +% em0 + Interface is up (last change 13:42:23), protocol is up + Interface type Ethernet (Broadcast), hardware address 08:00:27:bd:cb:77 + Media type autoselect (1000baseT full-duplex), status active + Internet address 10.0.2.15/24 + rdomain 0, MTU 1500 bytes (hardmtu 16110), Line Rate 1000 Mbps + 40634 packets input, 26668678 bytes, 0 errors, 0 drops + 32334 packets output, 12272854 bytes, 0 errors, 0 unsupported + 656 input, 379 output (average bytes/packet) + 0 collisions +``` + +--- +## Getting Started with NSH - verbose diagnostics + +- NSH user can use the verbose command to increase the level of detai displayed + by subsequent nsh commands. + +```Shell +nsh/verbose +% Diagnostic mode enabled +``` +```Shell +nsh/show interface em0 +% em0 + Interface is up (last change 13:42:15), protocol is up + Interface type Ethernet (Broadcast), hardware address 08:00:27:bd:cb:77 + Media type autoselect (1000baseT full-duplex), status active + Internet address 10.0.2.15/24 + rdomain 0, MTU 1500 bytes (hardmtu 16110), Line Rate 1000 Mbps + 40632 packets input, 26668498 bytes, 0 errors, 0 drops + 32332 packets output, 12272674 bytes, 0 errors, 0 unsupported + 656 input, 379 output (average bytes/packet) + 0 collisions + Flags: + + Hardware features: + + Supported media types on em0: + media 10baseT + media 10baseT, mediaopt full-duplex + media 100baseTX + media 100baseTX, mediaopt full-duplex + media 1000baseT, mediaopt full-duplex + media 1000baseT + media autoselect +``` +--- +## Getting Started with NSH - show monitor + +- show monitor is the implementation of route monitor in OpenBSD which displays any changes to the + RIB Routing Information Base on the system + +```shell +nsh/show monitor +% Entering monitor mode ... press ENTER or ^C to leave ... 
+% Message of size 192 on Tue May 23 12:33:35 2023 +% RTM_ADD: Add Route: len 192, table 0, pid: 92724, seq 1, errno 0, flags: +% locks: inits: +% sockaddrs: + 100.64.0.0 127.0.0.1 255.192.0.0 lo0 127.0.0.1 +% Message of size 192 on Tue May 23 12:33:48 2023 +% RTM_DELETE: Delete Route: len 192, table 0, pid: 83139, seq 1, errno 0, flags: +% locks: inits: +% sockaddrs: + 100.64.0.0 127.0.0.1 255.192.0.0 lo0 127.0.0.1 +^C% select: Interrupted system call +``` +- E.g. above shows that an admin was adding and then removing a static route to 100.64.0.0/10 pointing to the loopack +--- +## Getting Started with NSH - config contexts - global context + +- global configuration context contains configuration items that modify the sytem configuration such as: + - hostname + - enabling daemons such as + - sshd + - snmpd + - relayd + +```shell +nsh(config-p)/show run +! +hostname nsh +``` +--- +## Getting Started with NSH - config contexts - interface context + +- interface / bridge configuration context -allows the user query and change what is setup on the +- interface or bridge +- allows for unique per interface configuration +- similar behavior to other router / switch operatingg systems that are widely deployed. + +```shell +nsh(config-p)/interface vio0 +nsh(interface-vio0)/show active-config +interface vio0 + group egress + autoconf4 +! +``` +--- +## Getting Started with NSH - show active-config + +- One of the Design goals of NSH to have all config in one location +- Large configurations can be challenging when a user wants to just check and modify a small part of the config +- The show active-config command allows the user to display configuration on the currently active bridge or interface + - before configuration changes are made + - after configuration changes are entered + - validate current context and configuration +```shell +nsh(config-p)/interface em0 +nsh(interface-em0)/show active-config +interface em0 + group egress + autoconf4 +! 
+``` +- The show active-config command only displays the active configuration in the currently selected interface or bridge +- This saves alot of scrolling on large configuratons! +--- +## Getting Started with NSH - show active-config +- show active configuration works in bridge context as well + +```shell +nsh(config-p)/interface bridge101 +nsh(bridge-bridge101)/show active-config +bridge bridge101 + description new bridge for nshtutorial demo + group bridge + shutdown +! +``` +--- + +## Getting Started with NSH - show ip + +- Display a list of configured IP addresses + - on what interfaces they are configured + - on what rdomain are they are configured + - how the IP address was configured +```shell +nsh(config-p)/show ip +Address Interface RDomain Type +10.0.2.15 em0 0 dhcp +127.0.0.1 lo0 0 static +::1 lo0 0 static +fe80:4::1 lo0 0 link-local +nsh(config-p)/ +``` +--- +## Getting Started with NSH - show autoconf + +- Displays a list dynamic / autoconfigured IP addresses, + - what interfaces they are bound to + - what other configuration was imported + - default gateway + - dns servers + - and where the configuration was pulled from +```shell +nsh(config-p)/show autoconf +em0 [Bound] + inet 10.0.2.15 netmask 255.255.255.0 + default gateway 10.0.2.2 + nameservers 192.168.67.221 + lease 23 hours + dhcp server 10.0.2.2 +nsh(config-p)/ +``` +--- +## Getting Started with NSH - Firewall configuration - pf command + +- Firewall can be configured in NSH with pf command + +```shell +nsh(config-p)/pf ? +% Arguments may be abbreviated + + enable enable pf firewall + disable disable pf firewall + edit edit, test and stage firewall rules + check-config test and display staged firewall rules + reload test and apply staged firewall rules +nsh(config-p)/ +``` +--- +## Getting Started with NSH - Firewall configuration - pf edit + +- pf edit command will edit the firewall with your preferred editor + +```shell +nsh(config-p)/pf edit +/var/run/pf.conf.0 is empty. 
Load an example config? [Y/n] +``` +- If there was no firewall rules previously edited in NSH you will be asked, do you want to load an example configuration +- example config files are generally copied from /etc/examples +- it is recommended to load an example to get you started, and edit to suit your needs. +--- + +## Getting Started with NSH - Firewall configuration - pf edit +```shell + $OpenBSD: pf.conf,v 1.4 2018/07/10 19:28:35 henning Exp $ +# +# See pf.conf(5) for syntax and examples. +# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 +# in /etc/sysctl.conf if packets are to be forwarded between interfaces. + +# increase default state limit from 100'000 states on busy systems +#set limit states 500000 + +set skip on lo + +# filter rules and anchor for ftp-proxy(8) +#anchor "ftp-proxy/*" +#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021 + +pass # establish keep-state + +``` +- Default pf rules as loaded by NSH +- Editor combined with pfctl is used to minimise code base of NSH +- Has an advantage of allowing users to edit config of multiple interdependent daemons and config before activating them +--- + +## Getting Started with NSH - Firewall configuration - pf edit + +- General configuration for pf + +- Useful for debugging, applying default timeout values, etc. + +```shell +# $OpenBSD: pf.conf,v 1.4 2018/07/10 19:28:35 henning Exp $ +# +# See pf.conf(5) for syntax and examples. +# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 +# in /etc/sysctl.conf if packets are to be forwarded between interfaces. 
+INSERT BAD SYNTAX Error +# increase default state limit from 100'000 states on busy systems +#set limit states 500000 +``` +- NSH tests the config when saving the configuration on exiting the editor + +```shell +/var/run/pf.conf.0:6: syntax error +nsh(config-p)/ +``` + +--- + +## Getting Started with NSH - Firewall configuration - pf check-config -error + +- you can run a check of the staged pf with the command +- pf check-config +```shell +nsh(config-p)/pf check-config +Loaded 714 passive OS fingerprints +/var/run/pf.conf.0:6: syntax error +set skip on { lo } +nsh(config-p)/ +``` +- This is the equivalent of the pfctl -nvv command +- Checks the staged config (not the active config) + +## Getting Started with NSH - Firewall configuration - pf check-config -error + +- Shows config until the first error is encountered + +```shell +ksh# pfctl -nvvf /etc/pf.conf +Loaded 714 passive OS fingerprints +/var/run/pf.conf.0:6: syntax error +set skip on { lo } +ksh# +``` +- Where was the error in the config ? +--- + +## Getting Started with NSH - Firewall configuration - pf check-config -success + +- pf check-config +- If syntax check passes it will display the list of rules in order. + +```shell +nsh(config-p)/pf check-config +Loaded 714 passive OS fingerprints +set skip on { lo } +@0 block return all +@1 pass all flags S/SA +@2 block return in on ! lo0 proto tcp from any to any port 6000:6010 + +``` +--- + blob - /dev/null blob + a462c0e296daf4cb770cbb55c0bb1e8514d114c4 (mode 644) --- /dev/null +++ index.html @@ -0,0 +1,1910 @@ + + + + Network Management with the OpenBSD and NSH BSDCan 2024 + + + + + + + + + blob - /dev/null blob + ee59ebdcadc46aeb38081f8d2e6fdcf3619972c1 (mode 644) --- /dev/null +++ index.md 
@@ -0,0 +1,1880 @@ +class: center, middle + +# Network Management with the OpenBSD and NSH + + +## BSDCan 2024 + +## Presenter: Tom Smyth + +### Based on PF Tutorial materials developed by Peter Hansteen & Massimiliano Stucchi. + +--- + +## whoami (who am I), part Peter: + +### Peter Hansteen + +- Sysadmin, [OpenBSD](https://www.openbsd.org) user since before the millenium + +- Wrote [The Book of PF](https://www.nostarch.com/pf3), now in its third edition + +- Blog at [bsdly.blogspot.com](https://bsdly.blogspot.com) about (lack of) sanity in IT + +- Works at [Tietoevry Create](https://tietoevry.com/en/create) + +- Yes, I'll do another book any decade now + +--- + +## whoami (who am I), part Max: + +### Massimiliano Stucchi + + - Technical Advisor at The Internet Society + - Here representing myself only + + - IPv6 "Enthusiast" + + + - https://stucchi.ch + - @stucchimax@social.secret-wg.org + +--- +## whoami (who am I), part Tom: + +### Tom Smyth + + - working in IT since 2000 + - CTO wireless Connect Ltd. an ISP in Ireland + - Opinions are mine and may be my companies also :) + - PF student, an avid reader of the Book of PF. + - I really Enjoy networking with OpenBSD + - Maintainer of the NSH network Shell for OpenBSD. + +--- + +## Introduce yourself + +- A quick introduction about yourself: + + - Your name + + - Your favourite BSD + + - Your experience with networking + + - Your experience with PF + + - Your goal(s) + +??? + +This introduction serves for us to understand the level of the room, and decide on how to better suit +the tutorial. + +Getting an idea of the level makes it so that we might quickly go through the basics, and focus on something +more advanced, rather than spend time on something that everybody knows already. + +--- + +## Agenda + +1. Introduction to NSH +2. NSH Basic functionality +3. Excercise: Selecting your prefered Editor +4. Exercise: Modifying Interface configuration +5. Exercise: Modifying Firewall settings +6. 
Exercise: Hosting Services, redirects +7. Installing NSH on OpenBSD +8. Exercise: Installing NSH on OpenBSD +9. Tips +10. Troubleshooting +11. Exercise: +12. End + +--- + +class: center, middle + +# NSH Basics + + +### Section 1 + +--- +## Unix Based Routers with a Unified Config. + +- Some people are not comfortable with Unix Command line +- Some router clis are not much better +- However some modern router clis are significatnly easier to use. +- Staff Training, how many staff know Unix ? + - Cli skills level ? + - Unix skills level ? +- Linux BSD and other systems have inconsistent configuration / command syntax + +--- +## enter NSH *N*etwork *SH*ell & its goals + +- Shell and interpreter for configuring OpenBSD as a network appliance +- Guide the user in configuration with + - brief command help with help command or ? + - double command line completion + - manual command to provide more detail in an easy to navigate help system +- allow a competent network engineer to harness the full power of OpenBSD without prior Unix Experience. +- keep configuration minimal (hide system default config values) +- unified configuration one configuration file to control all aspects of the router. 
+- intuitive configuration language similar to that commonly deployed commercial routers / switch +- dont rewrite / translate daemon configuration syntax (wrap around existing config systnax) + +--- +## NSH *N*etwork *SH*ell History + +Project started by Chris Cappuccio in 2002 + +- Developed on a part time basis over the years +- Tom Smyth joined the project as OpenBSD NSH package maintainer in March 2021 +- Stefan Sperling joined the project in January 2023 + +--- +## Getting Started with NSH - *N*etwork *SH*ell (Interactively) + +NSH can be set as a users default shell or started by executing nsh +- NSH has 3 main interactive modes + - unprivileged mode is entered if a standard user executes nsh + - allows user to run basic diagnostic commands such as ping tracert, show route, show arp + - enable privileged mode is entered if the root user executes nsh or if a normal user enters the command 'enable' + - (read config including sensitive config, but config cannot be modified (safety)) + - privileged config mode is entered from privileged mode by entering the command 'configure' + - (modify configuration) + +```shell +nsh# nsh +% NSH v1.1 +nsh/enable +nsh(p)/configure +nsh(config-p)/exit +nsh(p)/disable +nsh/ +``` +- NB the different prompts for different NSH modes! + +--- +## Getting Started with NSH - *N*etwork *SH*ell non interactive use + +- NSH can be used to load configuration from a file (batch changes/ automation) +- update config - execute a series of NSH commands from a file + +```shell +#nsh –c /home/config-script-to-update-config +``` +- Initialise config (startup config) +```shell +#nsh –i /etc/nshrc +``` + +--- +## Getting Started with NSH - command help + +- command ? - display brief command help for "command" + +```shell +nsh(config-p)/pf ? 
+% Arguments may be abbreviated + + enable enable pf firewall + disable disable pf firewall + edit edit, test and stage firewall rules + check-config test and display staged firewall rules + reload test and apply staged firewall rules +nsh(config-p)/ +``` +- command [tab] [tab] displays a horisontal list of command options for "command" + +```shell +nsh(config-p)/pf +check-config disable edit enable reload +nsh(config-p)/ +``` + +--- +## Getting Started with NSH - Read The Fine Manual + +- The manual is accessible within nsh with the manual command + +```shell + manual [search tag] +``` +- Display the nsh manual page. If a search tag is specified then jump to + the first section matching this tag if one or more matching tags exist. +- Alterntively one can access the nsh manual page in other OpenBSD shells with the man command + +```shell + man nsh +``` + +--- +## Getting Started with NSH - manual [command] + +- manual command - opens the nsh manual at the correct page for "command" +- makes use of search tags in mandoc +- user can jump forward to next search tag with [t] +- user can jump back to previous search tag with [shift] [T] +- command [tab] [tab] displays a horisontal list of command options + for "command" + +- E.g. manual bridge +```shell +nsh(bridge-bridge101)/manual bridge +``` + +--- +## Getting Started with NSH - manual bridge command output + +```shell + [no] bridge [bridge-name] + Modify bridge configuration on the named bridge or layer 2 forwarding + interfaces such as, bridge(4), veb(4), tpmr(4). See also OpenBSD manual + pages for bridge(4), veb(4), tpmr(4) and ifconfig(8) (accessible via the + following nsh commands): + + !man bridge + !man ifconfig + - e.g. configure bridge settings on bridge1, and display bridge + configuration help. + E.g show available bridge configuration commands. + + nsh(config-p)/bridge bridge100 + nsh(bridge-bridge100)/? + % Commands may be abbreviated. + % Type 'exit' at a prompt to leave bridge configuration mode. 
+ % Bridge configuration commands are: + + description Bridge description + member Bridge member(s) + span Bridge spanning port(s) +``` + +--- +## Getting Started with NSH - manual command - [tab] [tab] +-Display all available search terms or commands in manual + +```shell +nsh(config-p)/manual +ah ftp-proxy ldp protected span +arp group ldpd quit ssh +autoconf help lladdr rdomain switch +bgp hostname macaddress reboot switchport +bgpctl hsrp manual relay sync +bgpd icmp mbuf relayd syncdev +bridge ifstate monitor resolv tcp +bridgeport ifstated mpls resolv.conf telnet +carp igmp multicast rip tftp +config ike nameserver ripd tftp-proxy +configure iked ndp route tpmr +crontab ikev2 nppp route6 traceroute +dhcp inetd ntpd sadb unsetenv +dhcpd interface ospf sasync veb +dvmrpd isakmpd patch setenv vpls +eigrp kernel pfsync shell vxlan +enable l2vpn ping6 smtp wg +esp label pipex smtpd wireguard +flow ldap powerdown snmp write-config +flush ldapd privileged snmpd +nsh(config-p)/manual +``` + +--- +## Getting Started with NSH - manual Command - search tags + +- user can jump forward to next search tag with [t] +- user can jump back to previous search tag with [shift] [T] + +```shell + show bridge [bridge-interface | veb-interace | tpmr-interface] + + Without specifying an argument, it displays all layer2 forwarding devices + configured on the system, and all members of each layer2 forwarding + device, and any description of the layer2 forwarding device. Layer 2 + forwarding devices supported by this command include bridge(4) standard + bridge, veb(4) virtual ethernet bridge and the tpmr(4) two port mac relay + device. +``` + +--- +## NSH - manual Command search tag continued + +```shell + e.g. 
Display all layer2 forwarding devices and their member ports + + nsh(p)/show bridge + % Bridge Status Member Interfaces + bridge1 down + Description: - + bridge100 up vlan100 + Description: Tom-Smyths-Bridge + veb200 up vlan200 + Description: Chris-Cappuccios-Bridge + tpmr102 up vether1102 vether2102 + Description: dlg-bridge + nsh(p)/ + e.g. Display the information the tpmr102 layer2 forwarding device + +``` + +--- +## Getting Started with NSH - show command + +- show commands are read only, they do not alter the state of the system, + they are intended to give the user full visibility on selected aspects + of the state of the system. +- E.g. show arp - displays Address Resolution Protocol + +```shell +nsh/show arp +Host Ethernet Address Netif Expire Flags +10.0.2.2 52:54:00:12:35:02 em0 12m37s +10.0.2.15 08:00:27:bd:cb:77 em0 permanent l +``` + +--- +## Getting Started with NSH - show route Command + +-E.g. show route display the IP route table of the system + +```shell +nsh/show route +Flags: U - up, G - gateway, H - host, L - link layer, R - reject (unreachable), + D - dynamic, S - static, T - MPLS, c - CLONED, l - LOCAL + +% IPv4: +Destination Gateway Flags Refs Use Mtu Interface +0.0.0.0/0 10.0.2.2 UGS 6 881 - em0 +224.0.0.0/4 127.0.0.1 URS 0 53 32768 lo0 +10.0.2.0/24 10.0.2.15 U 1 0 - em0 +10.0.2.2 52:54:00:12:35:02 UHLc 1 17 - em0 +10.0.2.15 08:00:27:bd:cb:77 UHL 0 43 - em0 +10.0.2.255 10.0.2.15 UH 0 0 - em0 +127.0.0.0/8 127.0.0.1 UGRS 0 0 32768 lo0 +127.0.0.1 127.0.0.1 UH 1 2 32768 lo0 + +``` + +--- +## Getting Started with NSH - brief diagnostics + +- NSH user can set the desired verbosity levels of any command run after + setting the verbosity +- NSH displays brief diagnostics by default. 
+```Shell +nsh/no verbose +% Diagnostic mode disabled +``` + +```Shell +nsh/show interface em0 +% em0 + Interface is up (last change 13:42:23), protocol is up + Interface type Ethernet (Broadcast), hardware address 08:00:27:bd:cb:77 + Media type autoselect (1000baseT full-duplex), status active + Internet address 10.0.2.15/24 + rdomain 0, MTU 1500 bytes (hardmtu 16110), Line Rate 1000 Mbps + 40634 packets input, 26668678 bytes, 0 errors, 0 drops + 32334 packets output, 12272854 bytes, 0 errors, 0 unsupported + 656 input, 379 output (average bytes/packet) + 0 collisions +``` + +--- +## Getting Started with NSH - verbose diagnostics + +- NSH user can use the verbose command to increase the level of detai displayed + by subsequent nsh commands. + +```Shell +nsh/verbose +% Diagnostic mode enabled +``` +```Shell +nsh/show interface em0 +% em0 + Interface is up (last change 13:42:15), protocol is up + Interface type Ethernet (Broadcast), hardware address 08:00:27:bd:cb:77 + Media type autoselect (1000baseT full-duplex), status active + Internet address 10.0.2.15/24 + rdomain 0, MTU 1500 bytes (hardmtu 16110), Line Rate 1000 Mbps + 40632 packets input, 26668498 bytes, 0 errors, 0 drops + 32332 packets output, 12272674 bytes, 0 errors, 0 unsupported + 656 input, 379 output (average bytes/packet) + 0 collisions + Flags: + + Hardware features: + + Supported media types on em0: + media 10baseT + media 10baseT, mediaopt full-duplex + media 100baseTX + media 100baseTX, mediaopt full-duplex + media 1000baseT, mediaopt full-duplex + media 1000baseT + media autoselect +``` +--- +## Getting Started with NSH - show monitor + +- show monitor is the implementation of route monitor in OpenBSD which displays any changes to the + RIB Routing Information Base on the system + +```shell +nsh/show monitor +% Entering monitor mode ... press ENTER or ^C to leave ... 
+% Message of size 192 on Tue May 23 12:33:35 2023 +% RTM_ADD: Add Route: len 192, table 0, pid: 92724, seq 1, errno 0, flags: +% locks: inits: +% sockaddrs: + 100.64.0.0 127.0.0.1 255.192.0.0 lo0 127.0.0.1 +% Message of size 192 on Tue May 23 12:33:48 2023 +% RTM_DELETE: Delete Route: len 192, table 0, pid: 83139, seq 1, errno 0, flags: +% locks: inits: +% sockaddrs: + 100.64.0.0 127.0.0.1 255.192.0.0 lo0 127.0.0.1 +^C% select: Interrupted system call +``` +- E.g. above shows that an admin was adding and then removing a static route to 100.64.0.0/10 pointing to the loopack +--- +## Getting Started with NSH - config contexts - global context + +- global configuration context contains configuration items that modify the sytem configuration such as: + - hostname + - enabling daemons such as + - sshd + - snmpd + - relayd + +```shell +nsh(config-p)/show run +! +hostname nsh +``` +--- +## Getting Started with NSH - config contexts - interface context + +- interface / bridge configuration context -allows the user query and change what is setup on the +- interface or bridge +- allows for unique per interface configuration +- similar behavior to other router / switch operatingg systems that are widely deployed. + +```shell +nsh(config-p)/interface vio0 +nsh(interface-vio0)/show active-config +interface vio0 + group egress + autoconf4 +! +``` +--- +## Getting Started with NSH - show active-config + +- One of the Design goals of NSH to have all config in one location +- Large configurations can be challenging when a user wants to just check and modify a small part of the config +- The show active-config command allows the user to display configuration on the currently active bridge or interface + - before configuration changes are made + - after configuration changes are entered + - validate current context and configuration +```shell +nsh(config-p)/interface em0 +nsh(interface-em0)/show active-config +interface em0 + group egress + autoconf4 +! 
+``` +- The show active-config command only displays the active configuration in the currently selected interface or bridge +- This saves alot of scrolling on large configuratons! +--- +## Getting Started with NSH - show active-config +- show active configuration works in bridge context as well + +```shell +nsh(config-p)/interface bridge101 +nsh(bridge-bridge101)/show active-config +bridge bridge101 + description new bridge for nshtutorial demo + group bridge + shutdown +! +``` +--- + +## Getting Started with NSH - show ip + +- Display a list of configured IP addresses + - on what interfaces they are configured + - on what rdomain are they are configured + - how the IP address was configured +```shell +nsh(config-p)/show ip +Address Interface RDomain Type +10.0.2.15 em0 0 dhcp +127.0.0.1 lo0 0 static +::1 lo0 0 static +fe80:4::1 lo0 0 link-local +nsh(config-p)/ +``` +--- +## Getting Started with NSH - show autoconf + +- Displays a list dynamic / autoconfigured IP addresses, + - what interfaces they are bound to + - what other configuration was imported + - default gateway + - dns servers + - and where the configuration was pulled from +```shell +nsh(config-p)/show autoconf +em0 [Bound] + inet 10.0.2.15 netmask 255.255.255.0 + default gateway 10.0.2.2 + nameservers 192.168.67.221 + lease 23 hours + dhcp server 10.0.2.2 +nsh(config-p)/ +``` +--- +## Getting Started with NSH - Firewall configuration - pf command + +- Firewall can be configured in NSH with pf command + +```shell +nsh(config-p)/pf ? +% Arguments may be abbreviated + + enable enable pf firewall + disable disable pf firewall + edit edit, test and stage firewall rules + check-config test and display staged firewall rules + reload test and apply staged firewall rules +nsh(config-p)/ +``` +--- +## Getting Started with NSH - Firewall configuration - pf edit + +- pf edit command will edit the firewall with your preferred editor + +```shell +nsh(config-p)/pf edit +/var/run/pf.conf.0 is empty. 
Load an example config? [Y/n] +``` +- If there was no firewall rules previously edited in NSH you will be asked, do you want to load an example configuration +- example config files are generally copied from /etc/examples +- it is recommended to load an example to get you started, and edit to suit your needs. +--- + +## Getting Started with NSH - Firewall configuration - pf edit +```shell + $OpenBSD: pf.conf,v 1.4 2018/07/10 19:28:35 henning Exp $ +# +# See pf.conf(5) for syntax and examples. +# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 +# in /etc/sysctl.conf if packets are to be forwarded between interfaces. + +# increase default state limit from 100'000 states on busy systems +#set limit states 500000 + +set skip on lo + +# filter rules and anchor for ftp-proxy(8) +#anchor "ftp-proxy/*" +#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021 + +pass # establish keep-state + +``` +- Default pf rules as loaded by NSH +- Editor combined with pfctl is used to minimise code base of NSH +- Has an advantage of allowing users to edit config of multiple interdependent daemons and config before activating them +--- + +## Getting Started with NSH - Firewall configuration - pf edit + +- General configuration for pf + +- Useful for debugging, applying default timeout values, etc. + +```shell +# $OpenBSD: pf.conf,v 1.4 2018/07/10 19:28:35 henning Exp $ +# +# See pf.conf(5) for syntax and examples. +# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 +# in /etc/sysctl.conf if packets are to be forwarded between interfaces. 
+INSERT BAD SYNTAX Error +# increase default state limit from 100'000 states on busy systems +#set limit states 500000 +``` +- NSH tests the config when saving the configuration on exiting the editor + +```shell +/var/run/pf.conf.0:6: syntax error +nsh(config-p)/ +``` + +--- + +## Getting Started with NSH - Firewall configuration - pf check-config -error + +- you can run a check of the staged pf with the command +- pf check-config +```shell +nsh(config-p)/pf check-config +Loaded 714 passive OS fingerprints +/var/run/pf.conf.0:6: syntax error +set skip on { lo } +nsh(config-p)/ +``` +- This is the equivalent of the pfctl -nvv command +- Checks the staged config (not the active config) + +## Getting Started with NSH - Firewall configuration - pf check-config -error + +- Shows config until the first error is encountered + +```shell +ksh# pfctl -nvvf /etc/pf.conf +Loaded 714 passive OS fingerprints +/var/run/pf.conf.0:6: syntax error +set skip on { lo } +ksh# +``` +- Where was the error in the config ? +--- + +## Getting Started with NSH - Firewall configuration - pf check-config -success + +- pf check-config +- If syntax check passes it will display the list of rules in order. + +```shell +nsh(config-p)/pf check-config +Loaded 714 passive OS fingerprints +set skip on { lo } +@0 block return all +@1 pass all flags S/SA +@2 block return in on ! 
lo0 proto tcp from any to any port 6000:6010 + +``` +--- + +class: center, middle + +# Exercise 1 + + +### Protecting your host + +--- +## Excercise 1 - Let's start + +- Lab environment: + - Open your favourite browser, then + - Go to [labs.pftutorial.net](https://labs.pftutorial.net) + +- check that pf is indeed loaded and running (*hint*: [pfctl](http://man.openbsd.org/pfctl)) + +- Try accessing other lab hosts + +--- + +## Exercise 1 - net config + +- Configure the external interface on gateway + +- _vi /etc/hostname.vio0_ + +```shell + inet 10.255.255.XX/24 + !route add 0/0 10.255.255.254 + inet6 fd18:b5d:cafe::XX/64 + !route add -inet6 2000::/3 fd18:b5d:cafe::a + !route add -inet6 fd00::/8 fd18:b5d:cafe::a +``` + +- and then _vi /etc/resolv.conf_ + + +```shell + nameserver 10.255.255.254 + nameserver fd18:b5d:cafe::a +``` + +followed by + +```shell + sh /etc/netstart +``` + + +--- + +## Exercise 1 - on gateway + +- Start with a block ruleset + +```shell + block + pass quick inet6 proto tcp from fd18::/16 to port ssh + pass quick inet6 proto icmp6 from fd18::/16 +``` + +- Allow traffic to be generated from your host, and allow ICMPv6 + +```shell + pass from self +``` + +and then, reload _pf.conf_ + +```shell + pfctl -vnf /etc/pf.conf + pfctl -f /etc/pf.conf +``` + +- **NB:** Reload pf this way after every statement in the exercises + +--- + +## Exercise 1 - Tests + +- From your gateway ping a host + +- First IPv6 + +```shell + # ping6 fd18:b5d:cafe::a + PING fd18:b5d:cafe::a (fd18:b5d:cafe::a): 56 data bytes + 64 bytes from fd18:b5d:cafe::a: icmp_seq=0 hlim=64 time=0.548 ms + 64 bytes from fd18:b5d:cafe::a: icmp_seq=1 hlim=64 time=0.492 ms + 64 bytes from fd18:b5d:cafe::a: icmp_seq=2 hlim=64 time=0.494 ms + +``` + +- Then IPv4 + +```shell + # ping stucchi.ch + PING stucchi.ch (37.59.51.141): 56 data bytes + 64 bytes from 37.59.51.141: icmp_seq=0 ttl=56 time=6.264 ms + 64 bytes from 37.59.51.141: icmp_seq=1 ttl=56 time=6.273 ms + 64 bytes from 37.59.51.141: 
icmp_seq=2 ttl=56 time=6.117 ms +``` + +--- + +## Exercise 1 - Wrap up + +- Does ping work? + +- Do other commands work? + - working from total block, proceed to make restricted workstation + - name resolution + - _http_ and _https_ + +- Access public web sites, other Internet resources. + +- What would it take to access the other lab hosts? + +--- + +class: center, middle + + +# Questions ? + +??? + +Let's ask if there are any questions before continuing. Make sure we have everyone onboard. + +--- + +class: center, middle + +# NSH Interaction with interfaces + + +### Section 2 + +--- +## NSH compared with Openbsd + +- mg /etc/hostname.em0 +- sh /etc/netstart em0 + +- is equivalent to the following command + +```shell +nsh(interface-em0)/? +% Commands may be abbreviated. +% Type 'exit' at a prompt to leave interface configuration mode. +% Interface configuration commands are: + + inet IPv4/IPv6 addresses + ip Alias for "inet" command + autoconf4 IPv4 Autoconfigurable address (DHCP) + description Interface description + group Interface group + rdomain Interface routing domain + rtlabel Interface route labels + priority Data packet priority + llpriority Link Level packet priority + mtu Maximum Transmission Unit + metric Routing metric + link Link level options + arp Address Resolution Protocol + staticarp Always use static ARP to find other hosts +... 
+``` + +--- +## Introducing NAT + +- **N**etwork **A**ddress **T**ranslation ([RFC1631](https://tools.ietf.org/html/rfc1631) onwards) + +- -> 'Hide' several hosts behind 1 or more public addresses, using [RFC1918](https://tools.ietf.org/html/rfc1918) addresses +- -> can be used by ISPs for conserving scarce IP addresses in large networks (CG-NAT) 100.64.0.0/10 + +- Modern PF has _nat-to_ on 'pass' and 'match' rules: + +```shell + match out on $extif inet nat-to ($extif) +``` + +- *Neat trick*: egress is the interface group that has a default route, you can filter on it + + +```shell + match out on egress inet nat-to (egress) +``` + + + +- In modern networks we **should** (also) have IPv6 (inet6) + +??? + +NAT, the stopgap measure that's old enough to drink, more than 22 years old. NAT was created as a temporary measure that hasn't been replaced by now. Not even IPv6. + +We haven't discusses "egress" yet, so this is the right time to introduce it. + +Spend some time discussing it, along with the rest of the NAT specifications. + +Unfortunately, there's also NAT for IPv6, called NAT66 + +--- +## A (filtering) Gateway + +_"I decide which packets pass"_ + +#### Enable forwarding: + +- Temporarily set from command line with [sysctl](http://man.openbsd.org/sysctl): + +```shell + # sysctl net.inet.ip.forwarding=1 + # sysctl net.inet6.ip6.forwarding=1 +``` + +- Make permanent in [/etc/sysctl.conf](http://man.openbsd.org/sysctl.conf) + +```shell + net.inet.ip.forwarding=1 + net.inet6.ip6.forwarding=1 +``` + + +--- +## The minimal gateway + +- Do you *NAT* for IPv4? Of course you do. + +- Do you run IPv6? Of course you do. 
+ +```shell + ext_if=bge0 + int_if=bge1 + match out on egress inet nat-to ($ext_if) + block all + pass proto tcp from { self, $int_if:network } +``` + +- The "pass" rule, withouth _inet_ or _inet6_ applies to both + +**Keep in mind**: This is a point of policy enforcement + +--- +## A Point of policy enforcement + +- Now some policy, and macros + +```shell + ext_if=bge0 + int_if=bge1 + + client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, \ + https, 2628, 5999, 8000, 8080 } + udp_services = "{ domain, ntp }" + + match out on egress inet nat-to ($ext_if) +* block +* pass quick proto { tcp, udp } to port $udp_services keep state +* +* pass proto tcp from $int_if:network to port $client_out +* +* pass proto tcp to self port ssh +``` + +- What services do your clients consume? + +??? + +Log to on the system we have for showing out, and then show the rules there and how they expand to different parts. + +--- +## Letting dhcpd(8) direct access + +OpenBSD [dhcpd(8)](http://man.openbsd.org/dhcpd) can interact with your ruleset via tables: + +*/etc/rc.conf.local* +```shell +dhcpd_flags="-L leased_ip_table -A abandoned_ip_table -C changed_ip_table bge1" +``` + +```shell + ext_if=bge0 + int_if=bge1 +* table <abandoned_ip_table> persist counters +* table <changed_ip_table> persist counters +* table <leased_ip_table> persist counters + + client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, \ + https, 2628, 5999, 8000, 8080 }" + udp_services = "{ domain, ntp }" + + match out on egress inet nat-to ($ext_if) + block + pass quick proto { tcp, udp } to port $udp_services keep state +* pass proto tcp from <leased_ip_table> to port $client_out + pass proto tcp to self port ssh +``` +**=>** only pass traffic from hosts with active leases from *me* + +??? + +Maybe move this slide to a later section. 
+ +--- +## Redirects (and divert-to) + + Modern PF has two classes of redirect + + * **rdr-to** on match and pass rules - rewrite destination address while filtering (locally or even to other hosts) + +```shell + pass in on egress to port www rdr-to $webserver +``` + + + * **divert-to** on match and pass rules - [divert()](http://man.openbsd.org/divert) socket for local use + +```shell + pass in on egress to port smtp divert-to 127.0.0.1 port spamd +``` + + +--- + +## FTP Proxy + +- If your users need to access FTP services, [ftp-proxy](http://man.openbsd.org/ftp-proxy) is what you need + +- FTP does not easily pass through a block firewall, some help is needed + + +```shell +$ doas rcctl enable ftpproxy6 +``` + +- or for IPv4 + +```shell +$ doas rcctl enable ftpproxy +``` + +- and then add an anchor and divert rules to your config + +```shell +anchor "ftp-proxy/*" + ... +pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021 +pass in quick inet6 proto tcp to port ftp divert-to ::1 port 8021 +pass out proto tcp from $proxy to port ftp +``` + +There is even a reverse mode (**-R**) for when you host FTP servers, see [man ftp-proxy](http://man.openbsd.org/ftp-proxy) + +--- + +class: center, middle + +# Exercise 2 + + +### Protecting your network + +--- + +## Exercise 2 - Goals + +- Your network grows, you become a gateway + +- Extend the configuration to enable the network to access the internet + +--- +background-image: url(images/exercise2.png) + +## Exercise 2 - Your network + + +--- + +## Exercise 2 + +- Turn on ip forwarding (sysctl) + +```shell + # sysctl net.inet.ip.forwarding=1 + # sysctl net.inet6.ip6.forwarding=1 +``` + +- Set up NAT + +```shell + match out on egress inet nat-to (egress) +``` + +Also, pass traffic from that local net + +--- +## Exercise 2 - preparation + +- Configure the hosts with the following IPv6 addresses + - *Gateway (vio1):* fd18:b5d:XX::a/64 + - *Host1:* fd18:b5d:XX::80/64 + - *Host2:* fd18:b5d:XX::25/64 +

+ +- On Host1 and Host2, set fd18:b5d:XX::a as the default IPv6 gateway + +- and also the following IPv4 addresses + - *Gateway (vio1):* 192.168.XX.1/24 + - *Host1:* 192.168.XX.2/24 + - *Host2:* 192.168.XX.3/24 + +- On Host1 and Host2 set 192.168.XX.1 as the default IPv4 gateway + +--- + +## Exercise 2 - check your results + +- From client 1, ping a host on the internet + +- First IPv6 + +```shell + # ping6 stucchi.ch + PING stucchi.ch (2001:41d0:8:6ed8::80): 56 data bytes + 64 bytes from 2001:41d0:8:6ed8::80: icmp_seq=1 hlim=56 time=7.414 ms + 64 bytes from 2001:41d0:8:6ed8::80: icmp_seq=2 hlim=56 time=6.333 ms + 64 bytes from 2001:41d0:8:6ed8::80: icmp_seq=3 hlim=56 time=6.441 ms +``` + +- Then IPv4 + +```shell + # ping stucchi.ch + PING stucchi.ch (37.59.51.141): 56 data bytes + 64 bytes from 37.59.51.141: icmp_seq=0 ttl=56 time=6.264 ms + 64 bytes from 37.59.51.141: icmp_seq=1 ttl=56 time=6.273 ms + 64 bytes from 37.59.51.141: icmp_seq=2 ttl=56 time=6.117 ms +``` + +--- +# Exercise 2b: FTP + +Try fetching *ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-extended-latest* + +```shell + # wget ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-extended-latest +``` + +Check your result + +If it didn't work, configure FTP-proxy and try again. + + +--- + +class: center, middle + +# Installing NSH + + +### Section 4 + +--- + +## Installing NSH Package and build + +- NSH is available as a package +- Recommend installing the package as it sets up scripts nicely + +```shell +pkg_add nsh +``` +- NSH is available on github +- NSH will be available on got +- Build the latest master snapshot + +```shell +git clone https://github.com/yellowman/nsh +cd nsh +make +su +make install +``` +--- +--- +## Installing NSH - Integrating NSH as main admin interface* + +- Caution advised on existing production systems!!! 
+- Scripts are available to import most settings into running config file + +```shell +git clone https://github.com/yellowman/nsh +cd nsh +cd scripts +cd shell +``` +-If you want to have NSH take over completely +- and move config files into /var/run/ + +```shell +chmod 700 extensive-nsh-openbsd-integration.sh +su +./extensive-nsh-openbsd-integration.sh +``` + +--- +## Installing NSH setting NSH as the default shell for a user + +- Login as the user +- locate nsh +- at the command prompt run chsh -s /usr/local/bin/nsh +```shell +chsh -s /usr/local/bin/nsh +``` +class: center, middle +# Exercise 3 + + +### Offering services + +--- + +## Excercise 3 - Goals + +- You're now offering services +


+- **Host 1** will provide **http** service +


+- **Host 2** will provide **smtp** service +


+- We need to setup: + - The services + - Redirects + - Firewall rules + +--- +background-image: url(images/exercise3.png) +class: right +## Exercise 3 - Network + +??? + +This is not exactly the network we have, but could be thought as such. + +Host1 and Host2 are in what could be considered our DMZ. + + +--- +## Exercise 3 - on Host1 + +- We need to configure and start httpd + +```shell + # cp /etc/examples/httpd.conf /etc/httpd.conf + + < comment out the HTTPS part > + + # rcctl enable httpd + # rcctl start httpd + httpd(ok) +``` + +--- +## Exercise 3 - on Host2 + +- Change the config to listen on all interfaces: + - Change the appropriate line in + +### /etc/mail/smtpd.conf + +```shell + listen on all +``` +

+- Then start the daemon + +```shell + # rcctl enable smtpd + # rcctl start smtpd + smtpd(ok) +``` +- (It might take a while) + +--- +## Exercise 3 - on gateway + +### /etc/pf.conf + +```shell +webserver_v4 = "$IP_addr_of_host1" +webserver_v6 = "fd18:b5d:XX::80" +webports = "{ http, https }" +emailserver_v4 = "$IP_addr_of_host2" +emailserver_v6 = "fd18:b5d:XX::25" +email = "{ smtp, pop3, imap, imap3, imaps, pop3s }" + +match in on egress inet proto tcp to egress port $webports rdr-to $webserver_v4 +match in on egress inet proto tcp to egress port $email rdr-to $emailserver_v4 + +pass inet proto tcp to $webserver_v4 port $webports +pass inet proto tcp to $emailserver_v4 port $email +pass log inet proto tcp from $emailserver_v4 to port smtp + +pass inet6 proto tcp to $webserver_v6 port $webports +pass inet6 proto tcp to $emailserver_v6 port $email +pass log inet6 proto tcp from $emailserver_v6 to port smtp +``` + +- **NB:** No redirects are needed for IPv6 + +--- +## Exercise 3 - checks + +- Try connecting to the HTTP and SMTP port of your friends/neighbours: +

+- From Gateway: + +```shell + telnet -6 fd18:b5d:XX::80 80 + telnet -4 10.255.255.XX 80 + +``` +

+- and + +```shell + telnet -6 fd18:b5d:XX::25 25 + telnet -4 10.255.255.XX 25 + +``` + +--- + +## Tips + +- Decide your network topology + - DMZ (?) + - Multi-customer (?) + - Multi-customer, Multi-DMZ(?) + +- Segment off your subnets + - IPv4 (Do you NAT)? + - IPv6 + - Do you do NAT64? + +- Per subnet (customer) + - Which services do you expose? + - Write the rules + - pamper^H^H^H^H^Hproxying + +--- + +class: center, middle + +# Tips + + +### Section 5 + +--- +# Choosing your ISP, a quick guide + +- Are they national or regional IX members? +

+- Do they have geographical redundancy ? + - or do you need to arrange that for yourself ? +

+- Do they actually understand your questions about peering, routing, multiple paths? + - (avoid consumer oriented SOHO-only shops) +

+- Do they _suck_? + +--- +## Getting transit + +- Find well peered transit providers + - Can improve quality and shorten AS paths + - No capacity problems +


+- Find your top traffic destinations: + - Can improve quality + - Peer with them or find closer upstream + - Traffic profile from flow collectors can be useful + +--- + +## Common mistakes + +- No diversity + - All reached over same cable + - All connect to the same transit + - All have poor onward transit and peering arrangements +


+- Signing up with too many transit providers + - Lots of small circuits + - These cost more per Mbps than larger ones + +--- +## Basic OpenBGPd configuration, operation and interaction with PF + + - **B**order **G**ateway **P**rotocol + - Manage and exchange route information with BGP peers + + - Once you have the ASn registered, do the basic config. + + - In your *pf.conf*: + - enable BGP to pass between your routers and your peers' -- **TCP and UDP 179** + + - **Neat trick**: Define tables in your [pf.conf](http://man.openbsd.org/pf.conf) + - bgpd maintains them via **pftable** attributes on [bgpd.conf](http://man.openbsd.org/bgpd.conf) objects + +--- +## Use cases for OSPF, BGP or ECMP + +- **OSPF:** **O**pen **S**hortest **P**ath **F**irst + - is a IGP **I**interior **G**ateway **P**rotocol + - Each router maintains link state information for links and networks within your AS + - Calculates routing cost + - Use [ospf6d](http://man.openbsd.org/ospf6d) for IPv6 + - Use [ospfd](http://man.openbsd.org/ospfd) for IPv4 + - Need to *pass proto ospf* between routers. + +- **BGP:** announces and receives routes + - can be both an IGP or EGP **E**xterior **G**ateway **P**rotocol + - highly scalable (Internet scale) + - can be used for signaling and sending additional information with route announcements + - Use [bgpd](http://man.openbsd.org/bgpd) + - need to *pass proto tcp port 179* between routers + +--- +## Use cases for OSPF, BGP or ECMP (cont) + +- **ECMP:** **E**qual **C**ost **M**ulti-**P**ath + - target reachable via more than one route + - load distribution or redundancy over multiple links + - **Tip** Use [ifstated](http://man.openbsd.org/ifstated) to handle link downtime. 
+ +--- +## BCP38, MANRS and Internet peering + +"[**BCP38**](https://tools.ietf.org/html/bcp38)" -- Discussed also in another effort + +**M**utually **A**greed **N**orms for **R**outing **S**ecurity (MANRS) + +- Define four concrete actions network operators should implement +- Coordination + - Keep your contacts updated +- Validation + - Route objects, RPKI, BGPSec +- Anti-spoofing + - uRPF + - Filtering on external Interfaces facing external suppliers + - Drop inbound Traffic with a src IP claiming to be from your networks / private networks. + - Drop outbound Traffic with a src IP address that is not in your Public IP network range. +- Build a visible community of security-minded operators +- Valuable resource: [The Routing Manifesto](https://www.routingmanifesto.org/) + +--- +## Introducing VXLAN in your network + +[vxlan](http://man.openbsd.org/vxlan) - the **V**irtual e**X**tensible **L**ocal **A**rea **N**etwork tunnel interface +

+- Pushes layer 2 network (Ethernet frames) over layer 3 (IP) tunnels + - 24-bit *vnetid* (vs max 4k VLANs) +

+- Has *no* built in security +- Intended for '*trusted*' (Datacenter, inter-hypervisor) environments + - Otherwise, consider transport over IPSEC. +

+- Default transport over **UDP 4789** (aka **vxlan**) + - make sure that traffic passes between endpoints + +--- +# Introducing VXLAN in your network + +```shell + # ifconfig vxlan0 tunnel 192.168.100.101 192.168.200.201 vnetid 17 + # ifconfig vxlan0 10.11.12.100/24 + +``` +

+```shell + # ifconfig vxlan0 tunnel 192.168.200.201 192.168.100.101 vnetid 17 + # ifconfig vxlan0 10.11.12.101/24 + +``` +

+```shell +table <vxendpoints> { 192.168.200.201 192.168.200.204 } +pass from <vxendpoints> to port vxlan +``` +

+Buy [Reyk](http://www.bsdcan.org/2017/schedule/speakers/227.en.html) a beer. + + +--- +## Readable and maintainable toolsets + +- **Macros** + - descriptive names, keep uniform +- **Tables** + - descriptive names + - consider daemon/scripting interface +- **Interface groups** + - you know egress already + - make your own and filter on them +- **Anchors** + - group rules by common criteria + - tagging + - interface or group +- Service names vs port numbers + +- **Comments** - yes, you **will** forget why this was a good idea + +--- +## Useful 3rd party packages (ports) for OpenBSD + +OpenBSD base operating system can be supplimented by the following packages and features: + +- pftop - a curses-based utility for real-time display of +active states and rules for pf. It is a cross between top +and pfctl -sr and pfctl -ss. + - pftop can be installed with the following command + + pkg_add pftop + + - nsh **n**etwork **sh**ell + - nsh can be installed with the following command + + pkg_add nsh + + +--- +## Now let's add wireless + +- Wireless used to be hard, (WPA in particular), now it's 'just another interface' +

+- 802.11* support in OpenBSD has a,b,g,n, ac only in some drivers (bwfm(4)) +

+- Not all drivers support hostap + - check man pages before buying kit for access point use +

+- Optionally setup with commercial APs for radio part + - do DHCP, filtering, authentication and so forth from OpenBSD + +--- +class: center, middle + + +# Questions ? + +??? + +Let's ask if there are any questions before continuing. Make sure we have everyone onboard. + +--- + +class: center, middle + +# Troubleshooting + + +### Section 6 + +#### "It's all your fault. Until you track down and fix the root cause." +--- +## Troubleshooting 101: ICMP(v6) + +- ICMP: **I**nternet **C**ontrol **M**essage **P**rotocol + +- The *ping of death* scare is almost over, let's enable [ping](http://man.openbsd.org/ping): +

+```shell + icmp_types = "{ echoreq, unreach }" + + pass inet proto icmp all icmp-type $icmp_types keep state + + pass inet proto icmp from $localnet icmp-type $icmp_types + pass inet proto icmp to $ext_if icmp-type $icmp_types + pass inet6 proto icmp6 from $localnet icmp6-type $icmp6_types + pass inet6 proto icmp6 to $ext_if icmp6-type $icmp6_types +``` +

+- **echoreq**: lets [ping](http://man.openbsd.org/ping) do its thing + +- **unreach**: lets you do _path MTU discovery_ (PMTUD) + +--- + +## Troubleshooting 101: Statistics + +- Statistics can be had with **[pfctl](http://man.openbsd.org/pfctl) -s info** + +For statistics (bytes/packets passed per rule) attach _labels_ per rule + +```shell +pass log proto { tcp, udp } to $emailserver port smtp label "mail-in" +pass log proto { tcp, udp } from $emailserver to port smtp label "mail-out" +``` + +```shell +$ doas pfctl -vs rules +pass inet proto tcp from any to 192.0.2.225 port = smtp flags S/SA keep state label "mail-in" +[ Evaluations: 1664158 Packets: 1601986 Bytes: 763762591 States: 0 ] +[ Inserted: uid 0 pid 24490 ] +pass inet proto tcp from 192.0.2.225 to any port = smtp flags S/SA keep state label "mail-out" +[ Evaluations: 2814933 Packets: 2711211 Bytes: 492510664 States: 0 ] +[ Inserted: uid 0 pid 24490 ] +``` + +--- +## Troubleshooting 101: Statistics + +- If you need to pass the data to a script + - Or a database + - A graphing engine + +


+ +```shell +$ doas pfctl -zvsl +mail-in 1664158 1601986 763762591 887895 682427415 714091 81335176 +mail-out 2814933 2711211 492510664 1407278 239776267 1303933 252734397 +``` + +--- +## Troubleshooting 101: log to pflog + +Rules with the **log** keyword log packet data to the [pflog](http://man.openbsd.org/pflog) device(s) + +```shell +# log blocked packets +block log(all) + +# logs initial packet of matching connections: +pass log proto tcp to port ssh + +# logs all matching packets: +pass log(all) proto tcp to port ssh log(all) + +# logs matches on this and all succeeding rules +pass log(matches) proto tcp to port ssh + +# logs all packets matches on this and all succeeding rules +pass log(all, matches) proto tcp to port ssh +``` + + +```shell +match log(all, matches) # log *everything* +``` + + + +--- +## Troubleshooting 101: tcpdump, read from pflog + +- [tcpdump](https://man.openbsd.org/tcpdump) is your friend + +- Let it loose on the pflog device: + +```shell +$ doas tcpdump -n -e -ttt -i pflog0 +tcpdump: WARNING: snaplen raised from 116 to 160 +tcpdump: listening on pflog0, link-type PFLOG +May 29 21:06:27.165561 rule def/(match) pass in on bge1: 192.168.103.126.15526 > +213.187.179.198.22: . ack 2951513182 win 16332 (DF) [tos 0x10] +May 29 21:06:27.166934 rule 16/(match) pass in on bge0: 158.36.191.135.22 > +213.187.179.198.59516: . ack 1734404306 win 64800 [tos 0x8] +May 29 21:06:27.166939 rule 2/(match) match in on bge0: 158.36.191.135.22 > +213.187.179.198.59516: . 
ack 1 win 64800 [tos 0x8] +May 29 21:06:27.168340 rule def/(match) pass out on bge1: 213.187.179.198.22 > +192.168.103.126.15526: P 69:153(84) ack 0 win 17520 [tos 0x10] +May 29 21:06:27.169150 rule def/(match) pass out on bge1: 213.187.179.198.22 > +192.168.103.126.15526: P 153:333(180) ack 0 win 17520 [tos 0x10] +May 29 21:06:27.169265 rule def/(match) pass out on bge1: 213.187.179.198.22 > +``` + +- **NB** rule number, matches your *loaded* rule set + +--- +## Troubleshooting 101: Hitting and avoiding limits + +- On busy systems, you may need to raise limits from default values + +- Check with: + +```shell +$ doas pfctl -s info +``` +- versus the output of **pfctl -s memory** and **pfctl -s timeouts** + +- You may need to bump up from defaults: + +```shell +# increase state limit from 10'000 states on busy systems +set limit states 100000 +# increase no of source nodes +set limit src-nodes 100000 +``` + + +--- +## Troubleshooting 101: netflow aka pflow (IPFIX) + +- Records TCP/IP *flow* metadata + - srcIP + - dstIP + - (srcPort, dstPort) + - startTime + - endTime + - Packets + - Bytes + +- OpenBSD has the [pflow(4)](http://man.openbsd.org/pflow) virtual network interface + - which generates the datagrams from the state table + +- Useful for network monitoring, DDoS protection, etc. + +--- +## Troubleshooting 101: netflow setup + +- Set up a *sensor*: + +```shell +$ cat /etc/hostname.pflow0 +flowsrc 192.168.103.1 flowdst 192.168.103.252:9995 +pflowproto 10 +``` + +- Then configure your *collector* at the **flowdst** IP address for analysis and network overlordship. + +

+- Lots of collector options available in ports: nfsen, flow-tools, pmacct, FastNetMon and others. + +- More info: + - Michael W. Lucas: [Network Flow Analysis](https://www.nostarch.com/networkflow) + - and Peter N. M. Hansteen: [Yes, You Too Can Be An Evil Network Overlord - On The Cheap With OpenBSD, pflow And nfsen](http://bsdly.blogspot.ca/2014/02/yes-you-too-can-be-evil-network.html). + + +--- +## Flow Anlyser example Fastnetmon +- Example of a typcial flow anlayser software fastnetmon: + - User can view FastNetMon statistics via the CLI client fastnetmon_client +```shell +# fastnetmon_client +FastNetMon 1.1.7 master git- Try Advanced edition: https://fastnetmon.com +IPs ordered by: packets +Incoming traffic 1505664 pps 15397 mbps 85 flows +37.203.[redacted] 59184 pps 485 mbps 0 flows +37.203.[redacted] 45040 pps 504 mbps 0 flows +37.203.[redacted] 26924 pps 270 mbps 0 flows +185.55.[redacted] 24211 pps 240 mbps 0 flows +5.134.[redacted] 23872 pps 290 mbps 0 flows +45.11.[redacted] 23634 pps 250 mbps 0 flows +185.55.[redacted] 22451 pps 255 mbps 0 flows +45.11.[redacted] 20943 pps 254 mbps 0 flows +185.55.[redacted] 20298 pps 246 mbps 0 flows +5.134.[redacted] 20188 pps 236 mbps 0 flows +``` +- With FastNetMon one can implement mitigations based on tresholds + - Packets per second pps + - Bandwidth per second Mbps +--- + +class: center, middle + +# Exercise 4 + + +### Queueing + +--- + +## Exercise 4 - Goals + +- With the configs from exercise 3, now add: +


+- A set of queues, and +


+- Statements to add rules to the queues + +--- + +## Exercise 4 - on Gateway + +- Configure the queues +

+ +### /etc/pf.conf + +```shell +queue rootq on $ext_if bandwidth 20M + queue main parent rootq bandwidth 20479K min 1M max 20479K qlimit 100 + queue default parent main bandwidth 9600K min 6000K max 18M default + queue http parent main bandwidth 9600K min 6000K max 18M + queue smtp parent main bandwidth 9600K min 6000K max 18M + queue spamd parent rootq bandwidth 1K min 0K max 1K qlimit 300 +``` + +--- +## Exercise 4 - on Gateway + +- and then apply them to the match statements + +### /etc/pf.conf + +```shell +match in on egress inet proto tcp to egress port $webports rdr-to $webserver_v4 \ + queue http +match in on egress inet proto tcp to egress port $email rdr-to $emailserver_v4 \ + queue smtp + +pass inet6 proto tcp to $webserver_v6 port $webports set queue http +pass inet6 proto tcp to $emailserver_v6 port $email set queue smtp +pass log inet6 proto tcp from $emailserver_v6 to port smtp set queue smtp + +``` + +--- + + +## Exercise 4 - Check + +- Check the queues have been effectively created + +```shell + # systat queues + +``` +


+- or, alternatively + +```shell + # pfctl -vsq + +``` +--- + +class: center, middle + + +# Questions ? + +### Last chance... + +### or nshtutorial@ogmaconnect.com +for tutorial specific questions about NSH + +#### or nsh@lists.deschutesdigital.com for general questions for the community and community based help. + +Let's ask if there are any questions before continuing. Make sure we have everyone onboard. + +--- + +## Web accessible resources +### OpenBSD website and documentation + + + +[http://www.openbsd.org/](http://www.openbsd.org/) The official OpenBSD website – to donate: [http://www.openbsd.org/donations.html](http://www.openbsd.org/donations.html) and please do donate, corporates may prefer [https://www.openbsdfoundation.org/](https://www.openbsdfoundation.org/) - a Canadian non-profit + +[The PF User Guide on the OpenBSD web site](http://www.openbsd.org/faq/index.html) + +[OpenBSD online man pages](http://man.openbsd.org/) + +Note: You can convert the man page of pf.conf to PDF for reading in your favourite reader with the command: + +man -T pdf pf.conf > pf.conf.pdf + +--- +## Resources + +### Books / e-Books +Michael W Lucas: [Absolute OpenBSD, 2nd ed.](https://www.nostarch.com/openbsd2e) + +Peter N. M. Hansteen: [The Book of PF, 3rd ed.](https://www.nostarch.com/pf3) + +Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman [Building Internet Firewalls, 2nd ed.](https://www.oreilly.com/library/view/building-internet-firewalls/) + +### Blogs +[http://undeadly.org/](http://undeadly.org/) - The OpenBSD Journal news site + +[http://bsdly.blogspot.com/](http://bsdly.blogspot.com/) - Peter's rants^H^H^H^H^Hblog posts + +[http://www.tedunangst.com/flak/](http://www.tedunangst.com/flak/) tedu@ on developments + + +--- +background-image: url(images/end.png) + +- + +??? + +Notes for this slide + +--- +background-image: url(images/end2.png) + +- + +??? 
+ +Notes for this other slide + + +--- blob - /dev/null blob + 643e1d5a9f42c83dfa796705dd5d6c1aceb49230 (mode 644) Binary files /dev/null and nshtutorial.pdf differ
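Review bot: the two pf.conf slides in Exercise 4 mix two spellings of the same option: the IPv4 `match in on egress ... rdr-to $webserver_v4 \ queue http` rules use bare `queue`, while the IPv6 rules on the same slide use `pass ... set queue http`. pf.conf(5) documents the `set queue <queue>` form for the queueing system in use here, so use `set queue` in all six rules so they agree with the manual and with each other. The queue block also defines `queue spamd parent rootq bandwidth 1K min 0K max 1K qlimit 300` but no rule on either slide assigns traffic to it; either add the spamd rule or drop the definition so the exercise does not leave an unused queue. The "Exercise 4 - Check" slide jumps straight to `systat queues` / `pfctl -vsq` without showing the load step; add `pfctl -nf /etc/pf.conf` (syntax check) followed by `pfctl -f /etc/pf.conf` so participants see how the queues reach the kernel before checking them. Finally, the FastNetMon slide has spelling slips in the heading and bullets ("Anlyser", "typcial", "anlayser", "tresholds") that should read "Analyser", "typical", "analyser", "thresholds".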
