This article presents a detailed guide centered around OpenBSD and Linux for enhancing network security through the implementation of dynamic IP filtering, WireGuard VPN configurations, and encrypted DNS services.
It covers initial setups, script-based automation, and firewall configurations to ensure secure, efficient, and scalable network management.
Whether you’re aiming to protect SSH access, secure your VPN connections, or block unwanted ads, this guide offers comprehensive instructions to fortify your network against vulnerabilities.
This project gets you:
getpara.sh
): This script resolves the current IP address for a specified FQDN and updates the PF table with any changes.pf.conf
): Includes rules for blocking, allowing SSH from specific IPs, handling Wireguard traffic, and default deny policies.dnscrypt-proxy
.crontab -e
@reboot /bin/sleep 30 && /usr/local/bin/wg-quick up wg0
@reboot /bin/sleep 30 && /usr/sbin/rcctl restart unbound
30 13 * * * /usr/sbin/syspatch -c
32 13 * * * /usr/sbin/syspatch
35 13 * * * /usr/sbin/pkg_add -u
30 4 * * 3 /usr/local/getpara.sh
0 0 * * * /usr/local/getpara.sh
2 0 * * * /usr/sbin/rcctl restart unbound
/etc/pf.conf
and check via pfctl -nf /etc/pf.conf
and load them via pfctl -f /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
# Configuration Variables
dynamic_hosts_file="/usr/local/gotten-para" # Location for dynamic hosts
wireguard_port="51820" # Your WireGuard VPN port
wireguard_net="10.0.0.0/24" # Your WireGuard VPN network
ssh_allowed_ips="{6.6.6.6/32, 7.7.7.7/32}" # IPs allowed for SSH
wireguard_iface="wg0" # WireGuard interface identifier
# Block Ipv6 - remember hotspot leakage
block quick inet6
set skip on lo
# Block all incoming on vio0 but allow outgoing
block in on vio0 all
# NAT for outgoing traffic
match out on egress inet from !(egress:network) to any nat-to (egress:0)
# Allow SSH from specified IPs
pass in on vio0 proto tcp from $ssh_allowed_ips to (vio0) port 22 keep state
pass out quick on vio0 keep state
# Allow only IPs from <dynamic_hosts> to access WireGuard port on vio0
pass in on vio0 proto udp from <dynamic_hosts> to any port $wireguard_port keep state
pass out on vio0 proto udp to <dynamic_hosts> port $wireguard_port keep state
# Allow all on WireGuard interface
pass in on $wireguard_iface from $wireguard_net to any
pass out on $wireguard_iface from any to $wireguard_net
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
ddclient
+ any DYNDNS-hoster.myhost.myhoster.org
with your actual domain domain.I’ve deployed the following script on /usr/local/getpara.sh
it creates temp_gotten_para
as well as gotten-para
which contains the dynamic IPs to be added to the firewall for access.
#!/bin/sh
# FQDN to resolve
FQDN="myhost.myhoster.org"
# Variables
TEMP_IP_FILE="/usr/local/temp_gotten_para"
FINAL_IP_FILE="/usr/local/gotten-para"
MAX_IP_COUNT=3
IP_RETENTION_DAYS=10
# Resolve the current IP address of the FQDN
CURRENT_IP=$(dig +short $FQDN)
CURRENT_TIMESTAMP=$(date +%s)
# Ensure FINAL_IP_FILE exists
if [ ! -f "$FINAL_IP_FILE" ]; then
touch "$FINAL_IP_FILE"
fi
# Exit if no IP is resolved
[ -z "$CURRENT_IP" ] && echo "No IP address found for $FQDN" && exit 1
# Append current IP with timestamp to TEMP_IP_FILE for processing
echo "$CURRENT_TIMESTAMP $CURRENT_IP" >> "$TEMP_IP_FILE"
# Process TEMP_IP_FILE to ensure uniqueness, limit the number of IPs, and consider the retention period
awk -v max_count=$MAX_IP_COUNT -v retention_days=$IP_RETENTION_DAYS -v current_time=$CURRENT_TIMESTAMP '{
ip = $2
timestamp = $1
if (!seen[ip]++ && (current_time - timestamp) <= (retention_days * 86400)) {
print ip
if (++count >= max_count) exit
}
}' "$TEMP_IP_FILE" | sort -u | tail -n $MAX_IP_COUNT > "$FINAL_IP_FILE"
# Reload the PF table with the updated IP list
pfctl -t dynamic_hosts -T replace -f "$FINAL_IP_FILE" && echo "pf table reloaded with updated IP list."
For more information click here
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…