View Single Post
  #3   (View Single Post)  
Old 4th March 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,974

Originally Posted by mug23 View Post

I'm new to this forum...
...installed on OpenBSD 4.4....
Officially, support for OpenBSD 4.4 ended on October 18, 2009. And, there have been innumerable changes to PF since then.

In order to self manage PF, since your support person is no longer available, you will need a copy of the PF User's Guide applicable for 4.4. The PF User's Guide currently at the OpenBSD project website (and mirrors) is for OpenBSD 4.8, and in May, will be updated for 4.9.

I'll cobble up a 4.4 version of the guide for you and attach it to this thread, but will not be able to get to it for many hours, so don't expect it until tomorrow. Meanwhile...
.. I'm currently having some issues with trying to access certain web sites that is on https. I seem to not able to load some https sites and somehow, the firewall seems to be blocking port 443 traffic. The https web site trys to load once I give it the correct username and password, but all of sudden it kicks me out. It happens on a few of the https sites I try to get to...
If you are able to reach your https:// websites in order to authenticate, then whatever your problem is, it is not a port 443 problem, since an https URL will use port 443 as the destination port by default.
...For testing, I connected a laptop directly on the DMZ and that https web site loaded with no problems. Also, I cannot get to my company's web mail also using https and now I'm able to access it while the laptop is still in the DMZ.
OpenBSD comes with a tool called tcpdump. You can use it to monitor PF block/pass decisions. It requires root (superuser) access on the firewall. Assuming you have that, and assuming your prior admin set up logging -- a big if -- you could find out what rules are blocking and passing traffic. But each rule to be tracked would need to have a "log" flag included, and many PF admins neglect to do so.
1). Can anyone tell me how to find out if port 443 is open?
Reaching -any- https: URL and getting a web page back, as I mentioned above, requires port 443 to be open. The tcpdump tool can tell you if rules are blocking or passing traffic, if logging has been set up for individual block and pass rules. Reading your pf.conf file and looking for port 443 rules (or rules that refer to https) may give you an indication as well. Note that port 443 is a DESTINATION port number at the server, the sending port number can be completely random.
....2). If that ports is not open, how can I open it? Not sure what script to use.
It's not a script at all, it's a text file, as mentioned above. The default name is pf.conf, stored in /etc. Meanwhile, please take a look at 4.8's PF User's Guide for a general description of PF and how it is utilized, even though rule syntax has changed significantly since 2008, when 4.4 was in development.

Last edited by jggimi; 4th March 2011 at 04:14 PM. Reason: fixed link
Reply With Quote