DaemonForums: OpenBSD Security

Pf problem

#1 - 24th May 2011
joostvgh (Port Guard)

here's my pf ruleset:

Code:
# vi /etc/pf.conf
table <internet> { 0.0.0.0/0 }

tcp_services    = "{ ssh, www, http, https, domain, auth, 1863, 21, 20, 25, 110, 143, 465, 993, 995, 3724, 6112, 1119, 1700, 25565 }"
udp_services    = "{ domain }"

intern_ip       = "192.168.2.0/24"
dns_ip          = "{ 195.238.2.21, 195.238.2.22}"
rapidshare_ip   = "{ 195.122.131.0/24, 62.67.50.0/24, 212.162.2.0/24, 62.140.7.0/24, 130.117.156.250}"
firewall_ip     = "{192.168.2.1, 127.0.0.1}"

ext_if = "dc0"
int_if = "rl0"
loc_if = "lo0"

#NAT
nat pass on $ext_if from $int_if:network to any -> $ext_if

pass in quick on $loc_if from $firewall_ip
pass out quick on $loc_if from $firewall_ip

block all

#block rps
block in quick on $int_if inet proto tcp from $intern_ip to $rapidshare_ip

#default tcp traffic
pass in quick on $int_if inet proto tcp from $intern_ip to any port $tcp_services
pass out quick on $ext_if inet proto tcp from $ext_if to any port $tcp_services

#to darkstat page
pass in quick on $int_if inet proto tcp from $intern_ip to $firewall_ip port 667

#dns
pass in quick on $int_if inet proto udp from $intern_ip to $dns_ip port "domain"
pass out quick on $ext_if inet proto udp from $ext_if to $dns_ip port "domain"

#ssh to firewall
pass in quick on $int_if inet proto tcp from $intern_ip to $ext_if port 22

#ping
pass in quick on $int_if inet proto icmp from $intern_ip to any icmp-type "echoreq"
pass out quick on $int_if inet proto icmp from $intern_ip to any icmp-type "echoreq"

Yet still (http://img542.imageshack.us/i/113v.jpg/) people are using ports that should be closed.
I am quite certain this is done by using torrents.
Also, I installed a DNS spoofer which blocks all URLs containing the word *tracker*, so torrents should be blocked both by pf and by dnsspoof..
#2 - 24th May 2011
jggimi (More noise than signal)

Still on that OpenBSD 4.6 Frankensystem of yours, eh? I can tell from your "nat" rules, which don't exist in newer releases.
The most recent release of this OS is 4.9, and support of 4.6 ended with the release of 4.8 more than half a year ago. Only the most recent release and its immediate predecessor are supported.
With a quick glance at this, it looks like your problem may be your improper use of a quoted macro variable. Try:

# pfctl -s rules

To see what rules are actually produced by your pf.conf file.

Recommendation: Do not post real internet addresses here that may give an indication of your actual internet address. This forum is open to the public. Feel free to edit your post accordingly, and redact 195.x.x.x addresses, for example.

#3 - 24th May 2011
BSDfan666 (Helpful companion)

Still trying to use technology to enforce policy, eh? I could tell by reading your post.

#4 - 24th May 2011
joostvgh (Port Guard)

Yeah, but it is not easy to control a 60-person network on a 4 Mbit line though..

here's the output

Code:
# pfctl -s rules
pass in quick on lo0 inet from 192.168.2.1 to any flags S/SA keep state
pass in quick on lo0 inet from 127.0.0.1 to any flags S/SA keep state
pass out quick on lo0 inet from 192.168.2.1 to any flags S/SA keep state
pass out quick on lo0 inet from 127.0.0.1 to any flags S/SA keep state
pass out quick on rl0 inet proto tcp from any to 192.168.2.1 flags S/SA keep state
block drop log all
block drop in quick on rl0 inet proto tcp from 192.168.2.0/24 to 195.122.131.0/24
block drop in quick on rl0 inet proto tcp from 192.168.2.0/24 to 62.67.50.0/24
block drop in quick on rl0 inet proto tcp from 192.168.2.0/24 to 212.162.2.0/24
block drop in quick on rl0 inet proto tcp from 192.168.2.0/24 to 62.140.7.0/24
block drop in quick on rl0 inet proto tcp from 192.168.2.0/24 to 130.117.156.250
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to 192.168.2.1 port = 667 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to 127.0.0.1 port = 667 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = ssh flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = www flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = https flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = domain flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = auth flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = 1863 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = ftp flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = ftp-data flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = smtp flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = pop3 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = imap flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = smtps flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = imaps flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = pop3s flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = 3724 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = 6112 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = 1119 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = 1700 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = 25565 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = ssh flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = www flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = https flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = domain flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = auth flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = 1863 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = ftp flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = ftp-data flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = smtp flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = pop3 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = imap flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = smtps flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = imaps flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = pop3s flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = 3724 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = 6112 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = 1119 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = 1700 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = 25565 flags S/SA keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to DNSIP port = domain keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to DNSIP2 port = domain keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to any port 27000:27015 keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to any port = 4380 keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to any port = 1500 keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to any port = 3005 keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to any port = 3101 keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to any port = 28960 keep state
pass out quick on dc0 inet proto udp from 192.168.0.2 to 195.238.2.21 port = domain keep state
pass out quick on dc0 inet proto udp from 192.168.0.2 to 195.238.2.22 port = domain keep state
pass in quick on rl0 inet proto icmp from 192.168.2.0/24 to any icmp-type echoreq keep state
pass out quick on rl0 inet proto icmp from 192.168.2.0/24 to any icmp-type echoreq keep state

#5 - 24th May 2011
jggimi (More noise than signal)

The macro is not a problem. What I see:
  • All of your filter rules are "quick" -- excepting your one block log all for default deny. The first matching quick rule will win.
  • You have no inbound rules on dc0, except what may come from stateful processing of its outbound rules.
  • You do not have unlimited ports open. Your "test" that you posted may not have been run externally, or not from the right subnet, or, you have other NAT translations ahead of this OpenBSD box, affecting port responses seen by the testing platform.

#6 - 24th May 2011
BSDfan666 (Helpful companion)

Warn the 60 users that they could lose access if caught downloading torrents, don't cripple the entire network by trying to thwart them.

As long as you don't redirect any ports to the users, they will get a bad ratio and be throttled/banned from most torrent trackers anyway.

Blocking outgoing access to ports indiscriminately could potentially block legitimate traffic, you gain nothing from doing so.

I recommend education over censorship, explain why they can't use the network for those purposes and establish a written network use policy and a guideline for punishment.

That is the best way to handle this, I believe I've written this before to someone else.. perhaps it was you?

#7 - 24th May 2011
joostvgh (Port Guard)

This could be the best way, but here's my situation:
I am in a student house, with lots of 'I don't care' people here, who 'abuse' the internet.

I myself am a student who likes to use the internet for browsing, fun, and school, also for downloading but at night when nobody needs the internet. The housekeeper allowed me to install a server and operate it (by using putty, so no physical access) to control the internet, since every year there are problems with students not obeying the 'rules' although everyone is clearly informed (every year there are multiple meetings with all students, and the network/internet subject is treated there too).
So, we could state that everyone is well educated about the topic. This doesn't help, so you talk about punishing: I cannot disconnect anyone physically from the network, nor do I have the time to monitor the internet traffic, let alone analyse it.
Blocking legitimate traffic: House rules state the internet is used only for school purposes (which of course is very outdated, but it's in the rules). Also since I have access to the server through putty, I can open any port I want, at any time. When I first installed the server people came to me about applications not working, e-mail etc., all problems which have been solved by now.

I really understand your advice and I appreciate it, and I would also apply it if I had the correct means to do so. Furthermore, there are more people who appreciate the current policy than those who dislike it!

The problem I spoke of in my first post was that someone was generating a lot of upload traffic, which severely slowed down the network. I spoke to this person in the meantime, and he said it was not a torrent but a problem with Dropbox (which actually doesn't really change the core of the problem). I believe he was speaking the truth because he supports the server thingy and supports me too.

@jggimi:
- The quick identifier was meant for every rule; also, the block is the first rule (after the nat rules), so it shouldn't make any difference removing it.
- dc0 is the 'outside' network which leads to the router/modem and eventually the internet. Should I apply any rules? block all applies to this network too, correct? Unless stateful connections are opened, as you mentioned.
- About the nat rules: yes, the current topology is: pc's - (192.168.2.1/24) - openbsd - (192.168.0.1/24) - router/modem - (isp subnet) - internet
So there is NAT twice; maybe that could be the issue?

#8 - 24th May 2011
jggimi (More noise than signal)

You should not remove the block all -- it provides a "default deny" rule.

Keep in mind: 1) If a "quick" rule is matched, that rule wins. All PF analysis stops right there, with that pass or block. 2) If a rule does not have "quick", the last rule to match wins. Your block all does not have quick, and it will always match.

-----------------------

Test your network firewall from OUTSIDE the net. Your test, conducted from the inside, was against 192.168.2.113. I assume from somewhere else on your 192.168.2.x subnet. Not a valid test, therefore.

You may want to add "log" options to all of your rules, so you can log those things you permit as well as those you deny for later analysis with netstat(1).

Active states can be monitored with systat(1), also.
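To make jggimi's two rules of PF evaluation order concrete, here is an added example (not from any poster in this thread): a small Python model of PF's "last match wins, unless quick" logic, run over a constructed subset of joostvgh's ruleset with services written as port numbers. The addresses 198.51.100.10 and 203.0.113.7 are documentation-range placeholders; the 195.122.131.0/24 range is the one blocked in the posted pf.conf.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None  # "in", "out", or None for both
    iface: Optional[str] = None      # None matches any interface
    proto: Optional[str] = None      # "tcp", "udp", or None for any
    src: Optional[str] = None        # CIDR string; None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None      # None means any destination port

Packet = namedtuple("Packet", "direction iface proto src dst dport")

def _in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport)
            and _in_net(pkt.src, rule.src)
            and _in_net(pkt.dst, rule.dst))

def evaluate(rules, pkt: Packet) -> str:
    """PF order: the last matching rule wins, unless a matching rule carries
    'quick', which ends evaluation on the spot. No match at all means pass."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner.action if winner else "pass"

# Constructed subset of the thread's ruleset (block all first, then quick rules).
RULES = [
    Rule("block"),                                             # block all: default deny
    Rule("block", True, "in", "rl0", "tcp", "192.168.2.0/24", "195.122.131.0/24"),
    Rule("pass", True, "in", "rl0", "tcp", "192.168.2.0/24", None, 80),
    Rule("pass", True, "in", "rl0", "tcp", "192.168.2.0/24", None, 25565),
]
```

A LAN client to port 80 passes, the same client to an unlisted port such as 6881 hits only block all, and a new connection arriving on dc0 is blocked because no inbound dc0 rule exists; dropping the non-quick block all would let any unmatched traffic pass.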