16th July 2014
EverydayDiesel

Quote:
Originally Posted by jggimi
I'm confused by the rule I highlighted below in red. It would only work if the innermost device is a webserver and an SSH server. I don't think that's what you intended, since your innermost device is intended to be a client.

Every TCP or UDP packet is defined by TWO different ports. An origination port, also called a source port, and a destination port. The $TCP_PORT numbers you defined are destination port numbers. Destination port numbers are listened to by servers, and sent to by clients typically using high numbered, random source ports.
Code:
TCP_PORT = "{ 80 ssh }"
UDP_PORT = "{ 53 }"

pass in on athn0 proto tcp from any to $user_ip port $TCP_PORT
pass out on athn0 proto udp from any to $user_ip port $UDP_PORT

pass from $user_ip to any
If you want the authenticated device to be able to reach servers listening at the ports defined by $TCP_PORT, try this rule instead:

pass in proto tcp from $user_ip to any port $TCP_PORT

Check your pass rules -- most are written without consideration of destination port numbers associated with the server, not the client.
Make sure the log option is defined on every block rule - in that way you will be able to see the traffic that does not match any of your pass rules, and is caught by the block rules.

But, for better analysis of new rulesets, add the log option to your pass rules also. In that way, you can see which pass rule applies to passed traffic -- it may not be the rule you expect.

I am running the SSH daemon and the HTTPD daemon on the same box (it's a box that just does wireless connections).

Is this still what I want?

pass in proto tcp from $user_ip to any port $TCP_PORT

--------------------------------------------------------------------

Can you tell me why this

Code:
pass log from any to any
is not the same as

Code:
pass out log on xl0 from any to any
pass in log on xl0 from any to any

pass in log on athn0 from any to any
pass out log on athn0 from any to any


EDIT:

Quote:
Avoid the use of on <interface> except where required, such as nat-to directives. Can from and to be used to define the rule?
Avoid the use of in or out except where necessary. Can from and to be used to define the rule?
I usually use the interface and/or in/out because of spoofing. It's something I learned when I first got into OpenBSD. Why do you say not to use them?

Last edited by EverydayDiesel; 16th July 2014 at 02:20 AM.
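A minimal ruleset for the setup discussed in this post, as an added example that is not from either poster. It assumes athn0 is the wireless interface, 192.0.2.10 is a constructed placeholder for the authenticated client, and, as the post says, sshd and httpd run on the gateway itself; the rule for reaching remote servers is the one jggimi gave.

```pf
# Added example, not from the thread. Assumes athn0 is the wireless interface,
# that $user_ip is the authenticated client, and that sshd/httpd run on the
# gateway itself. Check the syntax before loading with:  pfctl -nf /etc/pf.conf
wifi_if      = "athn0"
user_ip      = "192.0.2.10"   # constructed placeholder address
tcp_services = "{ 80 ssh }"   # DESTINATION ports that servers listen on
udp_services = "{ 53 }"

set skip on lo

# Default deny, logged: anything that reaches this rule matched no pass rule,
# so 'tcpdump -n -e -ttt -i pflog0' shows exactly what was dropped and why.
block log all

# Client -> services on the gateway itself. The client uses a random high
# source port, so 'port' names the destination port; ($wifi_if) expands to the
# gateway's own addresses on that interface.
pass in log on $wifi_if proto tcp from $user_ip to ($wifi_if) port $tcp_services

# Client -> DNS on the gateway.
pass in log on $wifi_if proto udp from $user_ip to ($wifi_if) port $udp_services

# Client -> servers elsewhere (jggimi's rule). State is kept by default and
# floating, so the forwarded packet and the replies on the high source port are
# matched by the state entry, not by a further rule. 'any' also covers the
# gateway; the rule above just makes the local services explicit.
pass in log on $wifi_if proto tcp from $user_ip to any port $tcp_services
```

While testing, log on the pass rules shows which rule created each state; drop it from the pass rules once the ruleset behaves as expected and keep it on the block rules.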