#3, 29th October 2012
sparky (Fdisk Soldier, Join Date: Mar 2012, Posts: 73)
Hi, the ruleset is this:

Code:
#macros

int_if="hme1"
ext_if="tun0"

tcp_services="{ 22,23 }"
icmp_types="echoreq"

#Port Macros

<port definitions - no SSH port here>

#Server Macros

<server IP's>



#Network Macros

<Network Ranges>

#Queueing

# The downstream is 8000kb, Voice services get 600Kb regardless,
# and can get more when nobody else wants theirs.
<inbound queues for tun0>

# The upstream is 900kb, Voice services get 600Kb regardless,
# and can get more when nobody else wants theirs.
<outbound queues for tun0>

#options

set block-policy return
set loginterface tun0
# an interface list is written without quotes; "{ lo }" in quotes is a single literal name
set skip on { lo }

# scrub incoming packets
match in all scrub (no-df)

# Proxy rules

anchor "ftp-proxy/*" 

pass in quick on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021 

#match rules

match out on tun0 from $int_net to any nat-to ($ext_if) 

#filter rules

block in log
block out log

# activate spoofing protection for all interfaces
block in quick from urpf-failed

block in quick on $ext_if proto tcp to port $tcp_services 
block out quick on $int_if proto tcp to port $tcp_services 


pass out quick log    
# the rule below is never reached: the catch-all "pass out quick log" above already
# matches every outbound packet, and the "match out ... nat-to" rule earlier does the NAT
pass out quick on $ext_if from $int_net to any nat-to ($ext_if)

antispoof quick for { lo, hme1 }

pass in quick on $int_if inet proto tcp from $int_net to port $tcp_services queue ssh_in

pass in quick on $ext_if inet proto tcp to port $dns_ports rdr-to $<dns-server> synproxy state queue dns_in

# synproxy only applies to TCP and pfctl rejects it on a udp rule, so plain keep state is used here
pass in quick on $ext_if inet proto udp to port $dns_ports rdr-to $<dns-server> keep state queue dns_in

....

<more inbound port definitions for other services>

# not quick, but the only later pass rule is on $int_if, so echo requests arriving on
# tun0 stay blocked unless one of the elided service rules above passes ICMP
block in on egress inet proto icmp all icmp-type $icmp_types



pass in quick  on $int_if

Minus the few posting adjustments I made, that's the ruleset.


I have checked the rules over with the pfctl -s(x) command to see which ones are being used and what's happening, but I'm still not quite sure.

Also, the QoS services haven't been 100% activated either, as I really needed them for the VoIP system; however, on an 8Mb DSL line it's really not going to make much difference, as my bandwidth is always fully in use.


After the event and posting here I decided to add the rule:

Code:
block out quick on $int_if proto tcp to port $tcp_services
to ensure that anything SSH or telnet coming from the OBSD box is blocked, and so far it seems to work.


I'm just worried that this could have been something like a trojan horse or some other form of packet-manipulation-style attack.


I'm even considering using Snort as an IDS/IPS solution; however, I'm not sure if 400MHz + 360MB RAM would be able to cope with MySQL/Apache/Snort et al. I found out that things like Jnettop and Nload already slow the internet speeds down to a halt.
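The post above checks the ruleset with pfctl's "-s" output to see which rules are actually being used. The following script is an added example, not code from the original post or thread: it parses the per-rule counters that pfctl prints under each rule in verbose mode (pfctl -vvsr) and reports rules that were never evaluated, rules that have matched packets, and rules that sit behind an earlier catch-all quick rule in the same direction (the situation of the "pass out quick log" rule followed by a "pass out quick ... nat-to" rule in the ruleset above). The sample output embedded in the script is constructed: the printed rule forms, the 192.168.1.0/24 network and every counter are made up for the example, and the shadowing test is a simple heuristic that ignores flags and state options.

```python
"""Summarise which pf rules are evaluated and hit, from `pfctl -vvsr` output.

Added example, not from the original post. It parses the counters pfctl prints
under each rule in verbose mode and flags rules that are never evaluated or
that sit behind an earlier catch-all `quick` rule in the same direction.
"""
import re
import sys

# Rule lines look like "@7 pass out quick log all flags S/SA" (the @N prefix comes
# from -vv); the counter line under each rule reads
# "[ Evaluations: N  Packets: N  Bytes: N  States: N ]".
RULE_RE = re.compile(r"^@(\d+)\s+(.*\S)\s*$")
STAT_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)

# Constructed sample in the shape of `pfctl -vvsr` output for a ruleset like the one
# posted above. Rule forms, the 192.168.1.0/24 network and all counters are made up.
SAMPLE_PFCTL_VVSR = """\
@0 match in all scrub (no-df)
  [ Evaluations: 51230     Packets: 51230     Bytes: 38211904    States: 0     ]
@1 match out on tun0 inet from 192.168.1.0/24 to any nat-to (tun0)
  [ Evaluations: 51230     Packets: 18904     Bytes: 2218006     States: 0     ]
@2 block return in log all
  [ Evaluations: 51230     Packets: 1320      Bytes: 91804       States: 0     ]
@3 block return out log all
  [ Evaluations: 51230     Packets: 0         Bytes: 0           States: 0     ]
@4 block drop in quick from urpf-failed to any
  [ Evaluations: 51230     Packets: 4         Bytes: 240         States: 0     ]
@5 block return in quick on tun0 inet proto tcp from any to any port = ssh
  [ Evaluations: 32611     Packets: 217       Bytes: 13020       States: 0     ]
@6 block return out quick on hme1 inet proto tcp from any to any port = ssh
  [ Evaluations: 18619     Packets: 0         Bytes: 0           States: 0     ]
@7 pass out quick log all flags S/SA
  [ Evaluations: 18619     Packets: 188942    Bytes: 12884901    States: 37    ]
@8 pass out quick on tun0 inet from 192.168.1.0/24 to any flags S/SA nat-to (tun0)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@9 pass in quick on hme1 inet proto tcp from 192.168.1.0/24 to any port = ssh flags S/SA queue ssh_in
  [ Evaluations: 9312      Packets: 56        Bytes: 4480        States: 2     ]
@10 pass in quick on hme1 all flags S/SA
  [ Evaluations: 9256      Packets: 9002      Bytes: 1240711     States: 113   ]
"""


def parse_rules(text):
    """Return dicts {num, text, evals, packets, bytes, states} in rule order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"num": int(m.group(1)), "text": m.group(2),
                          "evals": 0, "packets": 0, "bytes": 0, "states": 0})
            continue
        m = STAT_RE.search(line)
        if m and rules:  # counters belong to the most recent rule line
            rules[-1].update(evals=int(m.group(1)), packets=int(m.group(2)),
                             bytes=int(m.group(3)), states=int(m.group(4)))
    return rules


def unused_rules(rules):
    """Rule numbers pf never even evaluated (typically unreachable rules)."""
    return [r["num"] for r in rules if r["evals"] == 0]


def matched_rules(rules):
    """Rule numbers that have matched at least one packet."""
    return [r["num"] for r in rules if r["packets"] > 0]


def shadowed_rules(rules):
    """(rule, shadowing_rule) pairs: rules after a pass/block quick rule in the same
    direction that has no interface, address-family or protocol restriction."""
    shadowed = []
    catch_all = {}  # direction -> number of the quick catch-all rule
    for r in rules:
        toks = r["text"].replace('"', " ").split()
        if not toks or toks[0] not in ("pass", "block", "match"):
            continue
        direction = next((t for t in toks if t in ("in", "out")), None)
        if direction is None:
            continue
        if direction in catch_all:
            shadowed.append((r["num"], catch_all[direction]))
            continue
        if (toks[0] in ("pass", "block") and "quick" in toks and "all" in toks
                and not any(t in toks for t in ("on", "proto", "inet", "inet6"))):
            catch_all[direction] = r["num"]
    return shadowed


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PFCTL_VVSR
    rules = parse_rules(text)
    for num, by in shadowed_rules(rules):
        print(f"rule @{num} can never match: shadowed by quick rule @{by}")
    for num in unused_rules(rules):
        print(f"rule @{num} was never evaluated")
    for r in rules:
        print(f"@{r['num']:<3} evals={r['evals']:<7} packets={r['packets']:<8} {r['text']}")
```

To run it against a live box, save pfctl -vvsr output to a file on the firewall and feed it to the script (python3 pfrules.py rules.txt); with no argument it runs on the embedded sample. The shadowing check only catches the whole-direction case and deliberately ignores flags and state options, so treat its output as a hint to read the rule order, not as proof.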