DaemonForums  

Pf.conf:29 syntax error

CyberJet, 24th April 2013:

Greetings to All,

I'm running OpenBSD 5.2 GENERIC #339 i386

I'm trying to build my pf.conf. I have tried using the one posted here by Oko:
http://www.daemonforums.org/showthread.php?t=4187

When I input the statement:
Code:
scrub in all random-id fragment reassemble 
scrub out all random-id fragment reassemble
I get syntax error. So, I removed the statements and run:
Code:
pfctl -f /etc/pf.conf
I get no errors. I decided to do a very simple statement as described in:
http://www.openbsd.gr/faq/pf/scrub.html

So I used the simple statement:
Code:
scrub in all
It produces error:
Code:
Pf.conf:29 syntax error
pfctl: Syntax error in config file: pf rules not loaded
I'm using nano to edit file and I'm not adding a carriage return.

Questions:

What am I doing wrong?

Are all the rules not loaded because of this error?

Thank you and regards to all
__________________
Speak softly and carry BSD!

jggimi, 24th April 2013:

www.openbsd.gr is NOT up to date. Look at the timestamp on that webpage:
Code:
$OpenBSD: scrub.html,v 1.15 2008/07/30 10:35:44 nick Exp $
Please note the release of OpenBSD described at www.openbsd.gr and compare that with the information at www.openbsd.org -- and then you will understand why www.openbsd.org does not have a link to www.openbsd.gr on its list of mirrors.

CyberJet, 24th April 2013:

Thanks for the info jggimi,

I don't understand, I downloaded this from the public mirror under the openbsd.org. So, do I have a bogus OBSD?

jggimi, 24th April 2013:

The official website is www.openbsd.org -- which is a mirror of the much smaller server running site openbsd.org.

I do not find a reference to www.openbsd.gr on either site.

Current country mirrors: AR CA CA CA DK FR JP MY NO RE SI TW US

CyberJet, 24th April 2013:

Please forgive me, I don't understand.

You mentioned:
Quote:
www.openbsd.gr is NOT up to date. Look at the timestamp on that webpage:
Code:
$OpenBSD: scrub.html,v 1.15 2008/07/30 10:35:44 nick Exp $
How did you determine this? Should I re-install OBSD on my system?

I did a man pf and I get PF(4)

Thanks...

CyberJet, 24th April 2013:

Ok, I see where the confusion started. I'm very sorry to waste your time.

So, what is the correct syntax for scrub on while working on PF(4)?

Thanks...

jggimi, 24th April 2013:

The PF User's Guide has an example of the match filter used with scrub. Note, please, that the PF User's Guide is only for the most recent release, which at this time is OpenBSD 5.2. (OpenBSD 5.3 is expected to be released on or about 1 May.)

The options for scrub can be found in the PACKET NORMALIZATION section of the pf.conf(5) man page, which has a second example of the match filter used with scrub and a different set of normalization options. A third example may be found in the EXAMPLES section of the man page. Lastly, the definitive syntax for scrub may be found in the GRAMMAR section of the man page.

CyberJet, 25th April 2013:

Thanks again jggimi,

I'll look at example #2, since my OBSD is 5.2 and has the same number of interfaces, just with different labels. I really appreciate your input.


Regards...

CyberJet, 29th April 2013:

Good Afternoon to All,

Jggimi,

I have read the PF FAQs that you suggested, thank you. I'm posting my pf.conf; please let me know how I can make it more efficient and, more importantly, whether I'm interpreting everything correctly before I put my host on the net.

Code:
#================Macros======================
ext_if="bge0" # external interface
int_if="fxp0"  # internal interface
dmz_if="xl0" # dmz interface

internal_network="192.168.2.0/24"
external_network="1xx.xx.xx.0/xx"

tcp_ports="{22, 80, 443}"
tcp_services="{22, 80, 443}"
udp_services="{domain, ntp}"

#================Tables======================
table <firewall> const { self }
#================Options=====================
set skip on lo0
set block-policy drop 
set optimization normal
set loginterface $ext_if   # the macro needs the $ to expand to bge0
#================Queueing=====================



#=============Filter Rules====================
block log all
match in all scrub (no-df)
block in quick from urpf-failed
block in from no-route to any
antispoof quick for {lo0 $int_if $ext_if}

block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from {10.0.0.0/8, 172.16.0.0/12, \
               192.168.0.0/16, 255.255.255.255/32} to any

block return in quick on $int_if proto tcp from ! 192.168.2.1 \
   to $int_if port ssh

pass in on $int_if from $internal_network
pass out on $int_if to $internal_network
pass out on $ext_if proto { tcp udp icmp } all modulate state

pass out on $ext_if from $int_if:network to any nat-to $ext_if
Does it matter what order I have placed the filtering rules in?
I have set block policy to drop; is it more secure to have it set to return instead? I have read somewhere that it consumes more resources to have it set to drop. Am I missing anything?

Your input is greatly appreciated.

Regards,...

jggimi, 29th April 2013:

Quote:
Does it matter what order I have placed the filtering rules in?
Yes.
  • For standard rules, the last matching rule applies.
  • For "quick" rules, if the rule matches, it is applied and no later rules are evaluated.
Quote:
I have set block policy to drop; is it more secure to have it set to return instead?
I believe that there is exactly the same level of security to drop or return, and that return is more polite, as it allows the sending system to record a rejection without waiting for a timeout. A "drop" is silent, no response is sent. Some may believe that a "drop" is more secure, as there is no response, but as all IP addresses on the Internet are under constant attack, with or without responses, I don't believe there is any security improvement using drop.
Quote:
I have read somewhere that it consumes more resources to have it set to drop. Am I missing anything?
As mentioned above, drop requires the sending system to wait until a timeout is reached before releasing resources, which is why I believe return is more polite. It is my understanding there is no performance difference on the receiving system running PF.

You asked for advice on your pf.conf. I noticed:
  1. You are using RFC 1918 addresses (192.168) without defining any Network Address Translation rules. This will likely be a problem.
  2. Your $internal_network and $external_network macros are defined but never used. This should not cause any problems; it merely tends to indicate you built your pf.conf file with copy/paste.

CyberJet, 29th April 2013:

Thanks for your prompt and instructive response.

You wrote:

You are using RFC 1918 addresses (192.168) without defining any Network Address Translation rules. This will likely be a problem.

I have to study how to do this definition.

You also mentioned:

Your $internal_network and $external_network macros are defined but never used. This should not cause any problems; it merely tends to indicate you built your pf.conf file with copy/paste.

I thought that copy/paste was too easy, and on top of that I could not SSH into the OBSD box, so I typed them in with the hope of understanding the commands as I read along with the manual. I also did it this way so that I can test each individual rule to make sure that the syntax was correct. I'm paying my dues. I'm still trying to understand how to safely use the defined macros/tables. What I am working towards is to put a web and ftp server on the DMZ, which I have not defined just yet. I really do appreciate your comments.

Regards,...

jggimi, 29th April 2013:

Quote:
...I could not SSH into the OBSD box...
I saw this rule:
Code:
block return in quick on $int_if proto tcp from ! 192.168.2.1 \
   to $int_if port ssh
Your file does not say why you have this rule. It blocks access to the router from any internal connection that has an address other than 192.168.2.1.

I recommend adding comments for the purpose of every rule. That way, several years from now, you won't have to ask yourself, "WTF?!!?" when you read the rule set.

Lastly, I do see a nat-to rule after all; it's the last rule in your set. My apologies. I guess I'm used to seeing NAT in match rules at the top of a ruleset, rather than as a pass rule at the bottom.

CyberJet, 29th April 2013:

Jggimi thanks again,

Prior to my last post I did some troubleshooting since I could not SSH into the box, by enabling DHCP. That was a no go. I then disabled pf and had the same problem. So it had to be the cable; changed the cable and it was all good. The only issue I have is that it takes about 15+ seconds after I initiate PuTTY, with the username, to get a response for the password.

You are absolutely right. Your last response alerted me that I should have documented my rules. I'm in the process of doing that to prevent that WTF! It will also aid me in re-enforcing my learning.

Quote:
Lastly, I do see a nat-to rule after all; it's the last rule in your set. My apologies. I guess I'm used to seeing NAT in match rules at the top of a ruleset, rather than as a pass rule at the bottom.
Is there a best practice as to where the NAT rules should be placed?

I defined Macros, Tables, Queueing, Filtering. Should I create another section, or where in the defined sections should I place NAT rules?

Regards,...

ocicat (Administrator), 29th April 2013:

Quote:
Originally Posted by CyberJet
Is there a best practice as to where the NAT rules should be placed?
You might benefit from studying Hansteen's online manuscript for using pf(4):

http://home.nuug.no/~peter/pf/

You will find examples where he discusses rule sets utilizing NAT.

The above manuscript was also the basis for Hansteen's book, The Book of PF.

jggimi, 30th April 2013:

Quote:
Is there a best practice as to where the NAT rules should be placed?
I'm not sure if the practice is articulated as "Best", but I prefer to see overarching rules such as nat-to and scrub used in match rules, and the best place for match rules is at the top of the filter rules.

Historically, NAT and packet normalizations had their own rules that came before the filter set, so when we migrated to match we all left them in the same location, ahead of the pass/block rules. The match rules differ from block/pass in that the parameters they set always apply, the "last matching" rule does not apply to them.

(I note Peter Hansteen uses match rules and puts them in above all block/pass rules also. Anything Peter does with PF is, to me, a Best Practice.)
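The two points jggimi makes above, rule evaluation order (among ordinary rules the last match decides, a quick rule decides on first match) and putting match rules for scrub and nat-to ahead of the pass/block rules, pulled together in one ruleset as an added example in OpenBSD 5.2 pf.conf syntax. This is not code from the thread or from any of its posters; the interface names, the 192.168.2.0/24 network, the 203.0.113.5 test address and the max-mss value are assumptions chosen to mirror the original post.

```conf
# Added example ruleset in OpenBSD 5.2 pf.conf syntax. Interface names,
# the internal network and the max-mss value are assumptions.
ext_if = "bge0"
int_if = "fxp0"
int_net = "192.168.2.0/24"
tcp_services = "{ 22, 80, 443 }"

set skip on lo0
# return: blocked TCP gets a RST and blocked UDP an ICMP unreachable, so
# the sender fails at once. drop: silent, the sender waits for a timeout.
set block-policy return
set loginterface $ext_if

# 1. match rules. Whatever they set (scrub parameters, nat-to) is applied
#    to every packet they match, whichever pass/block rule wins later.
#    "Last matching rule" does not apply to them, so they come first.
match in all scrub (no-df random-id max-mss 1440)
match out on $ext_if from $int_net to any nat-to ($ext_if)

# 2. default policy. Not quick, so a later pass rule can override it.
block log all

# 3. quick rules. The first one that matches decides; nothing below it is
#    evaluated for that packet.
block in quick from urpf-failed
antispoof quick for { lo0 $int_if }
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \
    192.168.0.0/16, 255.255.255.255/32 } to any

# 4. ordinary pass rules. Among non-quick rules the LAST match decides,
#    which is why these sit below "block log all".
pass in on $int_if from $int_net to any
pass out on $ext_if proto { tcp udp icmp }
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services

# Worked evaluation, inbound on $ext_if, TCP to port 80:
#   from 10.1.2.3:    scrub applied; "block log all" matches; the quick
#                     RFC 1918 block matches -> blocked and logged, done.
#   from 203.0.113.5: scrub applied; "block log all" matches; no quick
#                     rule matches; the last pass rule matches -> passed.
```

The ordering is the whole point: moving the nat-to match rule to the bottom would not change which packets are translated, but keeping match rules at the top makes it obvious that their effect is unconditional, while a pass rule placed above "block log all" would silently lose to it under last-match semantics. pfctl -nf /etc/pf.conf parses a file without installing it, so ordering or syntax mistakes are reported before the running ruleset is touched.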

CyberJet, 30th April 2013:

Good evening Jggimi,

Sounds like great advice. I'm looking forward to further reading. I'll report back as my comprehension on the subject improves.


Regards,...

CyberJet, 30th April 2013:

Good evening Ocicat,

I appreciate your input, I'll be getting deeper into it.

Regards,...

CyberJet, 3rd May 2013:

Greetings to All,

I finally figured out why:

Code:
scrub in all
Produces:

Code:
Pf.conf:29 syntax error
pfctl: Syntax error in config file: pf rules not loaded
Scrub was demoted after release of OBSD 4.6. Please note:
http://home.nuug.no/~peter/pf/en/scrub.html

Solved!
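The syntax change behind the whole thread, shown side by side as an added example: the pre-4.6 scrub lines from the first post, which the outdated openbsd.gr FAQ still documents, next to the OpenBSD 4.6 and later form (so also the poster's 5.2) in which scrub is an option on a match rule, as jggimi's pointer to the PACKET NORMALIZATION section describes. This is not code from the thread, from the FAQ, or from Hansteen's manuscript; the interface name bge0 and the max-mss value are assumptions.

```conf
# Added example, not from the thread: old and new scrub syntax side by side.

# Before OpenBSD 4.6, scrub was a rule of its own. On 4.6 and later
# (the poster's 5.2 included) pfctl rejects these with "syntax error":
#   scrub in all random-id fragment reassemble
#   scrub out all random-id fragment reassemble
#   scrub in all

# OpenBSD 4.6 and later: fragment reassembly is a global option (on by
# default), and scrub is an option of a match or pass rule.
set reassemble yes
match in all scrub (no-df random-id)

# Narrower form: only the external interface (bge0 is an assumption), with
# a TCP MSS clamp (1440 is an assumed value, set it for your own link).
match in on bge0 scrub (no-df random-id max-mss 1440)
```

pfctl -nf /etc/pf.conf parses the file without loading it, so a leftover pre-4.6 line is reported with its line number (the "29" in the original error) while the running ruleset stays untouched.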