OPNsense is an open source, easy-to-use FreeBSD based firewall and routing platform. In 2018 – three years after OPNsense started as a fork of pfSense® and m0n0wall – OPNsense brings the rich feature set of commercial offerings together with the benefits of open and verifiable sources. A strong focus on security and code quality drives the development of the project. The modern and intuitive web interface makes configuring firewall rules fun.
In this talk, Thomas will outline OPNsense’s FreeBSD-based architecture and how you can take advantage of additional features using OPNsense plugins. He will also show how to initially setup an OPNsense firewall, and how you use datacenter-features like High Availability & Hardware Failover or Dual Uplinks.
Open (source) makes sense – also for your firewall
OSDC 2018 | OPNsense: the “open” firewall for your datacenter by Thomas Niedermeier
1. OPNsense:
the “open” firewall for your
datacenter
@tk_tniedermeier
Thomas Niedermeier, Thomas-Krenn.AG
Open Source Data Center Conference, 2018/06/12
4. OPNsense
_ History and architecture
_ FreeBSD / HardenedBSD
_ Initial configuration and secure system
_ Mobile WAN / WAN failover
_ High availability
_ Plugins
_ pfSense or OPNsense?
8. Feature comparison

                          IPFire 2.19          pfSense® 2.4      OPNsense® 18.1
Based on                  Linux® kernel 3.14   FreeBSD® 11.1     FreeBSD® 11.1
Stateful firewall         ✔                    ✔                 ✔
Proxy cache               ✔                    ✔                 ✔
VPN                       ✔                    ✔                 ✔
IDS                       ✔                    ✔                 ✔
HA cluster                                     ✔                 ✔
Multi-WAN                                      ✔                 ✔
Layer 2 (transparent)                          ✔                 ✔
Two-factor auth.          (✔)                  ✔                 ✔

Notes: Multi-WAN also covers a mobile LTE backup with a 4G modem. Two-factor authentication is also available for VPN road warriors (e.g. Google Authenticator).
9. Comparison OPNsense and pfSense

                              OPNsense                         pfSense
License                       BSD 2-Clause                     Apache License 2.0
IPS                           Native via Suricata,             Snort, no real inline
                              best performance                 mode available
2FA                           Natively integrated via TOTP     mOTP available via plugin
AES-NI CPU feature required   No, never                        Yes, beginning with version 2.5
                                                               in community edition

Source: https://techcorner.max-it.de/wiki/OPNsense_vs._pfSense_-_Im_Vergleich
13. [Figure: timeline of Unix-like systems, 1969 to 2017, distinguishing open source, mixed/shared source and closed source lineages: Unix Version 1 to 10, PWB/Unix, System III/V, Xenix, SCO UNIX, UnixWare, OpenServer, AIX, HP-UX, SunOS/Solaris/OpenSolaris (illumos), BSD 1.0 to 4.4-Lite, 386BSD, NetBSD, FreeBSD, OpenBSD, DragonFly BSD, NeXTSTEP/OPENSTEP, Mac OS X/macOS (Darwin), Minix and Linux]
14. [Figure: the same Unix-like systems timeline, 1989 to 2017, with m0n0wall, pfSense and OPNsense added]
15. FreeBSD
_ Originally a fork from 386BSD
_ Originated in 1993
_ Since version 2.0 a fork from BSD 4.4-Lite
_ Free software, open source
_ Under BSD license (Berkeley Software Distribution)
16. FreeBSD
_ Relies on two development branches
_ CURRENT
_ "Bleeding edge" code
_ For developers and testers
_ Code probably contains lots of bugs
_ STABLE
_ Major-releases are built from this branch
_ After successful tests in the CURRENT branch
_ But also a development branch
_ Not suitable for general use
17. FreeBSD
_ Supported (current) versions
_ 10.4 (Legacy Release) → EOL: 31.10.2018
_ 11.1 (Production Release) → EOL: 11.2-RELEASE + 3 months (about August 2018)
_ Future versions
_ 11.2
_ Release planned for the end of June 2018
_ 12.0
_ Release planned for November 2018
18. FreeBSD
_ New support model
_ New since FreeBSD 11.0
_ Major versions now supported 5 years
_ Minor versions are supported only 3 more months once the next minor version is released
_ Released in February 2015
_ Previous support model (up to FreeBSD 10.*)
_ Normal
_ At least 12 months maintenance
_ Extended
_ At least 24 months maintenance
_ Every second and the last release of a STABLE version
Link: https://www.freebsd.org/de/security/security.html#model
19. HardenedBSD
_ Focus on higher security with layers
_ Fork from FreeBSD
_ Since 2014
_ ASLR implemented from the start of the project
_ Address Space Layout Randomization
_ Goal: Mitigation of exploits
Link: https://hardenedbsd.org/content/freebsd-and-hardenedbsd-feature-comparisons
20. ASLR
_ Address Space Layout Randomization (ASLR)
_ Address space randomly allocated for programs, no longer predictable
_ Increases protection against buffer overflows
21. SEGVGUARD
_ Blind Return Oriented Programming (BROP)
_ ASLR can be defeated under certain circumstances
_ BROP can generate malicious ROP code
_ Needs several attempts
_ The application crashes on each unsuccessful BROP attempt and is then restarted
_ SEGVGUARD
_ Counters the BROP brute-force method described above
_ Prevents the restart of the attacked application
_ Inspired by the Linux PaX patch
Link: https://hardenedbsd.org/content/projects
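The two SEGVGUARD bullets describe a policy rather than code: count crashes per executable and refuse to start it again once a limit is hit, so the crash-and-restart loop that BROP depends on stops yielding attempts. The following is an added, simplified user-space model of that policy (not HardenedBSD code; the real implementation is in the kernel, and its tunables and default values are not reproduced here, so the limits below are assumptions). `simulate_brute_force` drives the guard with a crash on every attempt and returns how many attempts actually got to execute.

```python
"""Simplified model of a SEGVGUARD-style crash limiter (added illustration).

Policy modelled: remember SIGSEGVs per executable inside an expiry window;
when the count reaches a limit, block execve() of that file until a
suspension period has elapsed. Values are assumed, not HardenedBSD defaults.
"""
from dataclasses import dataclass, field


@dataclass
class SegvGuard:
    max_crashes: int = 5                # assumed: crashes tolerated per window
    expiry_timeout: float = 120.0       # assumed: seconds until old crashes are forgotten
    suspension_timeout: float = 600.0   # assumed: seconds an executable stays blocked
    _crashes: dict = field(default_factory=dict)          # path -> crash timestamps
    _suspended_until: dict = field(default_factory=dict)  # path -> time block ends

    def record_crash(self, path: str, now: float) -> bool:
        """Record a SIGSEGV of `path` at time `now`.

        Returns True when this crash tipped the program into suspension."""
        window = [t for t in self._crashes.get(path, [])
                  if now - t < self.expiry_timeout]
        window.append(now)
        self._crashes[path] = window
        if len(window) >= self.max_crashes:
            self._suspended_until[path] = now + self.suspension_timeout
            self._crashes[path] = []     # start a fresh window after suspension
            return True
        return False

    def may_execute(self, path: str, now: float) -> bool:
        """Would the guard allow `path` to be started at time `now`?"""
        until = self._suspended_until.get(path)
        if until is None:
            return True
        if now >= until:
            del self._suspended_until[path]
            return True
        return False


def simulate_brute_force(guard: SegvGuard, path: str,
                         attempts: int, interval: float) -> int:
    """Constructed scenario: a supervisor restarts `path` every `interval`
    seconds and every run ends in a SIGSEGV. Returns how many runs the guard
    let through within `attempts` restart cycles."""
    ran = 0
    for i in range(attempts):
        now = i * interval
        if not guard.may_execute(path, now):
            continue                      # still suspended: restart refused
        ran += 1
        guard.record_crash(path, now)     # the run crashed again
    return ran


if __name__ == "__main__":
    print(simulate_brute_force(SegvGuard(), "/usr/local/bin/victim", 100, 1.0))
```

With the assumed limits, 100 restart cycles one second apart produce only 5 actual runs; without the guard every cycle would run. The detection angle is the same counter: a burst of SIGSEGVs from one network-facing binary is worth an alert on its own.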
23. Initial configuration and secure system
_ Default firewall rule settings
_ LAN→WAN: all allowed
_ WAN→LAN: all denied
_ Create firewall aliases (for IP lists)
_ FireHOL list
_ Spamhaus
_ Threat from inside
_ Restrict LAN→WAN
_ Enable FireHOL list or Spamhaus
25. Initial configuration and secure system
_ Create firewall aliases
_ Placeholders for real hosts, networks or ports
_ FireHOL list
_ level1: Includes fullbogons, Spamhaus DROP & EDROP, dshield, malware lists
_ level2: Addition to level1
_ level3: Addition to level1+2
_ level4: Addition to level1+2+3
_ Spamhaus
_ DROP: Don't route or peer, includes direct allocated networks
_ EDROP: Extension to DROP, includes also suballocated networks
STEP 2
Note: the more levels applied, the higher the risk of false positives.
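Slides 23 and 25 describe firewall aliases fed from IP lists (FireHOL level1 to level4, Spamhaus DROP/EDROP) and warn that stacking levels raises the false-positive risk. The following added example (not OPNsense code) shows what such an alias is mechanically: it parses list text in the one-network-per-line layout those feeds use, merges the selected levels into one collapsed table, and checks addresses against it. The feed contents are constructed from documentation ranges, not real blocklist entries, and `num_addresses` makes the "more levels, more coverage" trade-off measurable.

```python
"""Build a firewall alias from IP-list feeds and test addresses against it.

Added example, not OPNsense code. The feed text is constructed: it mimics the
'#'-commented (FireHOL) and ';'-commented (Spamhaus) one-CIDR-per-line layout
using documentation ranges, not real blocklist entries.
"""
import ipaddress
from typing import List, Set

# Constructed sample feeds (documentation/private ranges, not real data).
FEEDS = {
    "firehol_level1": """\
# level1: fullbogons, Spamhaus DROP & EDROP, dshield, malware lists
192.0.2.0/24
198.51.100.0/24
""",
    "firehol_level2": """\
# level2: addition to level1
203.0.113.0/26
""",
    "spamhaus_drop": """\
; Spamhaus DROP uses ';' comments and appends a listing reference
198.51.100.0/24 ; SBL000000
""",
}


def parse_netset(text: str) -> Set[ipaddress.IPv4Network]:
    """One network per line; anything after '#' or ';' is a comment."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set in sloppy feed entries
        nets.add(ipaddress.ip_network(line, strict=False))
    return nets


def build_alias(levels: List[str]) -> List[ipaddress.IPv4Network]:
    """Merge the selected feeds into one alias, collapsing duplicates and
    adjacent networks the way a pf table would hold them."""
    merged = set()
    for name in levels:
        merged |= parse_netset(FEEDS[name])
    return list(ipaddress.collapse_addresses(merged))


def is_blocked(alias: List[ipaddress.IPv4Network], ip: str) -> bool:
    """Does the alias cover this address (i.e. would a block rule match)?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)


def num_addresses(alias: List[ipaddress.IPv4Network]) -> int:
    """How many addresses the alias blocks: grows with every level added."""
    return sum(net.num_addresses for net in alias)


if __name__ == "__main__":
    for levels in (["firehol_level1"], ["firehol_level1", "firehol_level2"]):
        alias = build_alias(levels)
        print(levels, num_addresses(alias), is_blocked(alias, "203.0.113.5"))
```

Before enabling a higher level on the LAN→WAN rule, run the alias against the destinations your own users and systems legitimately need; any hit there is a false positive you will otherwise discover as an outage.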
30. Initial configuration and secure system
_ Intrusion Prevention System (IPS) Suricata
_ Multi-threaded (Snort is single-threaded)
_ Performance impact
_ at least 2 GB RAM
_ at least 10 GB disk for logging
_ Disable offloading → then Suricata can inspect packets
_ Impact on the throughput performance
_ Benchmarks RI1102D
STEP 4
49. Initial configuration and secure system
_ Proxy
_ Virus scanner via ICAP (Internet Content Adaptation Protocol – RFC 3507)
_ Remote Access Control Lists (similar to IP lists, for domains)
STEP 5
71. High availability
_ Based on the CARP protocol ("Common Address Redundancy Protocol")
_ Active-passive configuration
_ Advantages
_ If the active firewall fails, the passive one takes over
_ No intervention by users needed
_ Minimal interruption of services
_ Tip: Configure HA first, then configure the system, rules and plugins afterwards
72. High availability
_ Components
_ CARP
_ IP protocol 112
_ Multicast packets for status updates
_ OR: Direct to a specific IP
_ Unique Virtual Host ID (vhid) for every virtual interface
_ pfSync
_ Dedicated interface
_ Direct cabling between the two firewalls
_ Increases security and performance
_ XMLRPC sync
_ Ensures that the configuration of the backup server is in sync
73. High availability
_ Setup and configuration
_ System → High Availability → Settings
_ Master
_ Setup WAN, LAN and pfSync IP
_ Virtual IPs
– Type carp
– For LAN and WAN
_ Slave
_ Setup WAN, LAN and pfSync IP (different IPs from the master!)
_ Outbound NAT → Use virtual IP
_ Config samples: OPNsense Wiki - Configure CARP
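Slides 71 to 73 describe the CARP side of the HA pair (IP protocol 112, one vhid per virtual interface, master/slave with automatic takeover) but not what decides who is master and when the backup steps in. The following added model (not OPNsense or FreeBSD code) follows carp(4): the master advertises every advbase + advskew/256 seconds, a backup declares the master dead after three missed advertisements, and, with preemption enabled (assumed here, as an HA pair needs it to fail back), the node with the lower (advbase, advskew) wins. Node names `fw-a`/`fw-b`, the "wait three own intervals after boot" rule and the simulation step are assumptions of this example.

```python
"""Model of CARP master/backup election and failover for one vhid.

Added example, not OPNsense/FreeBSD code. Timing follows carp(4): the master
advertises every advbase + advskew/256 s; a backup takes over after three
missed advertisements. Preemption is assumed enabled.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Advertisement:
    vhid: int
    advbase: int   # seconds between advertisements
    advskew: int   # 0..254, lower is preferred


@dataclass
class CarpNode:
    name: str
    vhid: int
    advbase: int = 1
    advskew: int = 0
    preempt: bool = True
    state: str = "INIT"
    master_adv: Optional[Advertisement] = None
    last_master_adv: float = 0.0

    def interval(self) -> float:
        return self.advbase + self.advskew / 256

    def priority(self) -> Tuple[int, int]:
        return (self.advbase, self.advskew)        # lower tuple wins

    def receive(self, adv: Advertisement, now: float) -> str:
        """Process an advertisement seen on the shared segment."""
        if adv.vhid != self.vhid:
            return self.state                      # another virtual host, ignore
        if self.state == "MASTER":
            if (adv.advbase, adv.advskew) < self.priority():
                self.state = "BACKUP"              # better master exists, yield
        else:
            if self.preempt and self.priority() < (adv.advbase, adv.advskew):
                self.state = "MASTER"              # we are preferred: preempt
                return self.state
            self.state = "BACKUP"
        self.master_adv = adv
        self.last_master_adv = now
        return self.state

    def tick(self, now: float) -> str:
        """Periodic timer: a backup whose master went silent becomes master."""
        if self.state == "MASTER":
            return self.state
        if self.master_adv is None:
            if now >= 3 * self.interval():         # assumed boot-time rule
                self.state = "MASTER"
        else:
            dead_after = 3 * (self.master_adv.advbase + self.master_adv.advskew / 256)
            if now - self.last_master_adv > dead_after:
                self.state = "MASTER"
                self.master_adv = None
        return self.state

    def advertise(self) -> Optional[Advertisement]:
        if self.state != "MASTER":
            return None
        return Advertisement(self.vhid, self.advbase, self.advskew)


def simulate_failover(master_fail_at: float, end: float, step: float = 0.5):
    """Constructed scenario: fw-a (advskew 0) and fw-b (advskew 100) share
    vhid 1; fw-a goes silent at `master_fail_at`. Returns
    (time fw-b became master or None, fw-a state, fw-b state)."""
    a = CarpNode("fw-a", vhid=1, advskew=0)
    b = CarpNode("fw-b", vhid=1, advskew=100)
    last_sent = {a.name: float("-inf"), b.name: float("-inf")}
    takeover_time = None
    t = 0.0
    while t <= end + 1e-9:
        down = {a.name} if t >= master_fail_at else set()
        for node, peer in ((a, b), (b, a)):
            if node.name in down:
                continue
            node.tick(t)
            adv = node.advertise()
            if adv is not None and t - last_sent[node.name] >= node.interval() - 1e-9:
                last_sent[node.name] = t
                if peer.name not in down:
                    peer.receive(adv, t)
        if takeover_time is None and b.state == "MASTER" and t >= master_fail_at:
            takeover_time = t
        t += step
    a_state = "DOWN" if end >= master_fail_at else a.state
    return takeover_time, a_state, b.state


if __name__ == "__main__":
    print(simulate_failover(master_fail_at=10.0, end=20.0))
```

With advbase 1 the backup notices a dead master after a little more than 3 seconds, which is the "minimal interruption" of slide 71; a larger advskew on the slave only changes who wins the election, not how fast the takeover happens, because the timeout is derived from the master's advertised interval.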
74. High availability - Sample configuration
Source: https://wiki.opnsense.org/_images/900px-Carp_setup_example.png
77. Plugins
_ A vast variety of plugins
_ Easy to install
_ Path: System → Firmware → Plugins