DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 23rd December 2011
mikygee mikygee is offline
New User
 
Join Date: Oct 2011
Posts: 7
Thanked 0 Times in 0 Posts
Default Openbsd 4.9 ftp as a client

Hello,

I'm trying to write rules to let the ftp go out. My OpenBSD acts as a client and pf is located on that same machine. There is no other filtering.
I use OpenBSD 4.9 and the syntax differs from one version to another (betwen 4.8 and 5.0).


I've done these actions

I've started ftp-proxy
PHP Code:
# ftp-proxy -dv
# ps aux | grep ftp
proxy    16931  0.0  0.0   356   896 ??  Is    Wed11PM    0:00.04 /usr/sbin/ftp-proxy 

I've added those rules in pf.conf
PHP Code:
anchor "ftp-proxy/*"
pass out proto tcp from any to any port ftp
pass in quick proto tcp to port ftp rdr
-to 127.0.0.1 port 8021 
The forwarding is enabled
PHP Code:
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=

I've reloaded the rules
PHP Code:
# pfctl -f /etc/pf.conf 
And it doesn't work


The control channel works but as soon as I start the data channel it doesn't (for example ls in ftp)
PHP Code:
# tcpdump -n -e -ttt -i pflog0
Dec 23 23:19:59.472942 rule 0/(matchblock out on re0192.168.1.7.40771 129.128.5.191.64429S 839425086:839425086(0win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 45926882[|tcp]> (DF
In the ftp-proxy -dv (I did not deamonized it) I see nothing. I think the flow is not properly passed to the daemon.
And this rule do not match
PHP Code:
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021 
because the flow is gererated locally and not from the lan

Does anyone have an idea ?
Reply With Quote
  #2   (View Single Post)  
Old 24th December 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,116
Thanked 182 Times in 149 Posts
Default

ftp-proxy will only work for clients who connect through the machine:
  • incoming ftp traffic entering on the external interface
    For example when you run a ftp server
  • local lan client ftp traffic entering on the internal interface.

For allowing ftp connections initiated by the ftp-proxy box, itself you have to open port 21 for the ftp command channel. The ftp data channel need ports >1024.

If you don't want to leave such a wide range of ports open you could use a pf 'anchor' to temporarily open this >1024 range. Or you could only open this range for a small selection of ftp servers, for example some of he nearest by OpenBSD ftp mirrors.



I
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 24th December 2011
mikygee mikygee is offline
New User
 
Join Date: Oct 2011
Posts: 7
Thanked 0 Times in 0 Posts
Default

Hello,

Thank you for pointing out the right direction. I will no longer try to search towards ftp-proxy.

I have written these two rules
PHP Code:
pass out quick on $int_if inet proto tcp from $int_add to any port 21
pass out log quick on $int_if inet proto tcp from $int_add to any port 1024
:65535 
as you adviced me and it works. But I didn't want to do this in the first place because I want to filter things tightly.

I have read the faq about anchors but I don't get how to use it.
I think it starts like this.
PHP Code:
anchor "myftp" pass out quick on $int_if inet proto tcp from $int_add to any port 21 
The desired effect is: if a connexion for a specific host is opened on port 21 then create a dynamic rule to open ports > 1024 for that host.

Do you know how to do this ?
Reply With Quote
  #4   (View Single Post)  
Old 24th December 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,116
Thanked 182 Times in 149 Posts
Default

I am not using an anchor, I use the following on my workstation:

Code:
table <ftp_sites> { 
        ftp.openbsd.org
        ftp.eu.openbsd.org
        anga.funkfeuer.at
        ftp.wu-wien.ac.at
        ftp.nluug.nl
        ftp5.usa.openbsd.org
        ftp3.usa.openbsd.org
        obsd.cec.mtu.edu
        ftp.halifax.rwth-aachen.de
        ftp.dk.freebsd.org
        }


table <ftp_local> { 
    192.168.222.0/24
    }

# -- sysctls
# net.inet.ip.porthifirst=49152
# net.inet.ip.porthilast=65535

FTPfirst = 49152
#FFTPlast = 65535

# -- outgoing ftp
pass out quick on egress inet proto tcp from egress to <ftp_sites> port ftp label "$nr:$proto:FTP_CMD_OUT"
pass out quick on egress inet proto tcp from egress port >= 1023 to <ftp_sites> port >= $FTPfirst label "$nr:$proto:FTP_DATA_OUT"

# allow local network clients to access ftp server on workstation

pass in quick on egress inet proto tcp from <ftp_local> to egress port ftp label "$nr:$proto:FTP_CMD_IN"
pass in quick on egress inet proto tcp from <ftp_local>  port >= 1023 to egress port >= $FTPfirst label "$nr:$proto:FTP_DATA_IN"
IMHO http://www.openbsd.org/faq/pf/anchors.html explains anchors rather well,

Quote:
Manipulation of anchors is performed via pfctl. It can be used to add and remove rules from an anchor without reloading the main ruleset.
To list all the rules in the anchor named ssh:
Code:
    # pfctl -a ssh -s rules
To flush all rules from the same anchor:
Code:
    # pfctl -a ssh -F rules
The same section also tells you how add rules saved in a file to the anchor:

Quote:
Rules can also be saved and loaded from a text file:

Code:
    # cat >> /etc/anchor-goodguys-www
    pass in proto tcp from 192.0.2.3 to any port 80
    pass in proto tcp from 192.0.2.4 to any port { 80 443 }

    # pfctl -a goodguys -f /etc/anchor-goodguys-www
So the simplest thing would be to define an empty anchor in your rule set. Create a text file with the ftp rules. Load these into the anchor, when you need them. Flush them from the anchor, when you are done.

Not too difficutl isn't it
Yes, I know, been there too. Sometimes we fail to see the forest, because there are so many trees
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #5   (View Single Post)  
Old 24th December 2011
mikygee mikygee is offline
New User
 
Join Date: Oct 2011
Posts: 7
Thanked 0 Times in 0 Posts
Default

Hello,

First thank you for your answers.

I got confused when I read the word dynamic.
From what I understand now is that you use anchors when you want to add a rule without reloading all the rules. I understood previously that pfctl would create new rules if a condition is matched (if I go on a certain IPDest/PortDest, it add rule X)

From what you wrote previously:
1) On your work station, you give a very limited access to external ftp sites and you use tables=> Ideally I would like to have access to any site
2) The anchors method that you used requires a manual action, it's kind of dynamic but I can't say it is in my dream scenario that I wrote above =)

Reading your pf configuration, I have another question. What is the difference between portfirst/last and porthifirst/last ?
Trust me, I already read man 3 sysctl before asking the question and the trees are still hiding the forest.

It says
Quote:
ip.portfirst
Minimum registered port number for TCP/UDP port
allocation. Registered ports can be used by ordinary
user processes or programs executed by ordinary users.
Cannot be less than 1024 or greater than 49151. Must be
less than ip.portlast.

ip.porthifirst
Minimum dynamic/private port number for TCP/UDP port
allocation. Dynamic/private ports can be used by
ordinary user processes or programs executed by ordinary
users. Cannot be less than 49152 or greater than 65535.
Must be less than ip.porthilast.
The only difference is that they talk about registered ports in the first statement and dynamic/private in the second statement.

When my OpenBSD is going to do an http or ftp request, it's going to use the hi port, correct ?
In which case, would it use the range 1024-49151 then ?

Merry Christmas
Reply With Quote
  #6   (View Single Post)  
Old 25th December 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,116
Thanked 182 Times in 149 Posts
Default

According to http://en.wikipedia.org/wiki/Registered_port
Quote:
A registered port is a network port (a sub-address defined within the Internet Protocol, in the range 1–65535) assigned by the Internet Assigned Numbers Authority (IANA) (or by Internet Corporation for Assigned Names and Numbers (ICANN) before March 21 2001[1]) for use with a certain protocol or application.

Ports with numbers lower than those of the registered ports are called well known ports; ports with numbers greater than those of the registered ports are called dynamic and/or private ports.[2]

* Ports 0-1023 - well known ports
* Ports 1024-49151 - Registered port: vendors use for proprietary applications
* Ports >49151 - dynamic / private ports
You can find a list of the ports in /etc/services

It is easy to check if you start tcpdump before running a local ftp session with ftp localhost
Code:
$ sudo tcpdump -eni lo0
tcpdump: listening on lo0, link-type LOOP
127.0.0.1.1268 > 127.0.0.1.21: S
127.0.0.1.21 > 127.0.0.1.1268: S A
127.0.0.1.1268 > 127.0.0.1.21: A
Actually a lot of more info is shown, but I trimmed it away

Here the source port is >1023

Code:
$ netstat -an -f inet
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.21           127.0.0.1.1268         ESTABLISHED
tcp          0      0  127.0.0.1.1268         127.0.0.1.21           ESTABLISHED
tcp          0      0  *.21                   *.*                    LISTEN
The netstat output shows these ftp command channel ports.
It also shows that there is service LISTENing on port 21. This is the ftpd daemon. Setting up a daemon
to LISTEN to a port <1024 requires root privilege.

When I do a ftp 'ls', the ftp data channel is set up with

Code:
127.0.0.1.24290 > 127.0.0.1.50320: S
127.0.0.1.50320 > 127.0.0.1.24290: S A
127.0.0.1.24290 > 127.0.0.1.50320: A
So the source port >1023 and <= 49151, while the destination port is in the >49151 - 65535 range

Another ftp 'ls' creates a new data channel, with the same ranges used

Code:
127.0.0.1.4326 > 127.0.0.1.60464: S 
127.0.0.1.60464 > 127.0.0.1.4326: S A 
127.0.0.1.4326 > 127.0.0.1.60464: A
A ftp 'cd Desktop' this one

Code:
127.0.0.1.29882 > 127.0.0.1.52039: S 
127.0.0.1.52039 > 127.0.0.1.29882: S A 
127.0.0.1.29882 > 127.0.0.1.52039: A
When I use gmail netstat -an -f inet shows:
Code:
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.168.222.20.25960   192.168.222.10.22      ESTABLISHED
Because I use ntpd(8):
Code:
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  192.168.222.20.34895   85.12.29.43.123       
udp          0      0  192.168.222.20.17778   131.211.8.244.123     
udp          0      0  192.168.222.20.6308    87.195.109.207.123
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 25th December 2011 at 02:24 AM.
Reply With Quote
  #7   (View Single Post)  
Old 25th December 2011
mikygee mikygee is offline
New User
 
Join Date: Oct 2011
Posts: 7
Thanked 0 Times in 0 Posts
Default

Thank you for this example. I have looked at my pf logs and found the same.

But correct me if i'm wrong, these tests are in contradiction with what's written in wikipedia.
Quote:
An ephemeral port is a short-lived transport protocol port...used by the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or the Stream Control Transmission Protocol (SCTP) as the port assignment for the client end of a client–server communication to a well known port on a server...The Internet Assigned Numbers Authority (IANA) suggests the range 49152 to 65535 for dynamic or private ports.
In you example, in my logs and on my OpenBSD connect to port 21 or 123 with a port between 1024 and 49151.

Isn't it illogical ?
Reply With Quote
  #8   (View Single Post)  
Old 25th December 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,116
Thanked 182 Times in 149 Posts
Default

English is not my native language, I had to look up what ephemeral meant

But you have to differentiate between source ports and destination ports. The client, usually the one initiating the connection, uses a source port randomly chosen from the 1024-49151range.

The destination port can be one of all three ranges, <1024, 1024 - 49151, or >49151
A ssh connection uses destination port 22, a connection to a mysql server port 3306, and as I posted previously, a short-lived ftp data channel connection uses the >49151 range.
Quote:
127.0.0.1.4326 > 127.0.0.1.60464: S
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #9   (View Single Post)  
Old 25th December 2011
mikygee mikygee is offline
New User
 
Join Date: Oct 2011
Posts: 7
Thanked 0 Times in 0 Posts
Default

Thank you. I think this is now clear to me.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Which mail client do you use? guitarscn Off-Topic 17 11th November 2010 03:12 PM
OBSD client hangs mounting NFS; Linux client doesn't amorphousone OpenBSD General 7 26th August 2010 05:21 AM
Server-Client c0mrade Programming 3 18th March 2009 05:22 PM
IM Client schrodinger OpenBSD Packages and Ports 6 16th September 2008 02:09 PM
DDNS Client revzalot OpenBSD Installation and Upgrading 3 12th August 2008 02:21 AM


All times are GMT. The time now is 12:40 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick