DaemonForums, OpenBSD Security forum
#1 - 15th November 2008
ikevmowe (New User)
port forwarding

   [ COMP1 ]            [ COMP3 ]
       |                    |
    ---+------+-------------+------- xl0 [ OpenBSD ] fxp0 -------- ( Internet )
              |
          [ COMP2 ]



Please help me configure /etc/pf.conf so that my OpenBSD box forwards port 55555 to port 22. I have sshd installed on COMP3, and I want to ssh to COMP3 from the Internet. I have the following rules, but it doesn't work. Please help.

# macros
ext_if="fxp0"
int_if="xl0"

comp3="192.168.0.3"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

## my port forwarding rule
rdr on $ext_if proto tcp from any to any port 55555 -> 192.168.0.3 port 22


# filter rules
block in

pass out keep state

pass in quick on $int_if

#2 - 15th November 2008
J65nko (Administrator)

Code:
## my port forwarding rule
rdr on $ext_if proto tcp from any to any port 55555   tag SSH -> \
  192.168.0.3 port 22 

# filter rules
block in

pass in quick on $ext_if tagged SSH 
pass out 

pass in quick on $int_if
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#3 - 16th November 2008
jggimi (More noise than signal)

You're using a non-Internet-routable RFC 1918 address (192.168.0.3) but you do not show any Network Address Translation (NAT) configured in PF.

If fxp0 has a real internet address, you'll need to configure NAT if you want any of the devices on your local network to be able to connect to the internet.

If fxp0 uses a different RFC 1918 subnet, then NAT occurs between fxp0 and your ISP.

http://openbsd.rt.fm/faq/pf/nat.html

#4 - 16th November 2008
ikevmowe (New User)

Quoting J65nko:
Code:
## my port forwarding rule
rdr on $ext_if proto tcp from any to any port 55555   tag SSH -> \
  192.168.0.3 port 22 

# filter rules
block in

pass in quick on $ext_if tagged SSH 
pass out 

pass in quick on $int_if
I have tried out the above rules. However, I don't see port 55555 open. SSH failed.

#5 - 16th November 2008
ikevmowe (New User)

Quoting jggimi:
You're using a non-Internet-routable RFC 1918 address (192.168.0.3) but you do not show any Network Address Translation (NAT) configured in PF.
I have the nat rule below:

nat on $ext_if from !($ext_if) to any -> ($ext_if)

Is this OK (secure)?

#6 - 16th November 2008
jggimi (More noise than signal)

Quoting ikevmowe:
Is this ok(Secure)?
Yes.

#7 - 16th November 2008
J65nko (Administrator)

Quoting ikevmowe:
I have tried out the above rules. However, I don't see port 55555 open. SSH failed.
You also need a rule to pass out the traffic:
Code:
pass out quick on $int_if tagged SSH
Things like this can be figured out easily if you have a block log (all) rule, which copies blocked packets to the pflog0 device.
By running tcpdump you can then see these packets:
Code:
# tcpdump -eni pflog0
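A complete ruleset that puts J65nko's tag-based redirect, the NAT rule from post #5 and a logging block rule together. This is an added example, not a ruleset posted in the thread; it uses the pre-OpenBSD 4.7 nat/rdr syntax the thread is written in. The macro name ssh_fwd_port is an assumption, as is the choice to put "log" on the two pass rules while testing:

```pf
# Added example ruleset (not from the thread). Pre-OpenBSD 4.7 syntax:
# translation rules (nat/rdr) are separate from filter rules and are
# evaluated first, so the filter rules see the translated address and port.

# macros
ext_if="fxp0"
int_if="xl0"
comp3="192.168.0.3"
ssh_fwd_port="55555"     # assumed macro name for the public listen port

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in

# Outbound NAT for the LAN; ($ext_if) follows a dynamically assigned address.
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# Redirect port 55555 on the external address to sshd on COMP3 and tag the
# packet, so the filter rules can recognise it without repeating addresses.
rdr on $ext_if proto tcp from any to ($ext_if) port $ssh_fwd_port tag SSH -> \
    $comp3 port 22

# filter rules
# Default deny inbound; blocked packets go to pflog0 for tcpdump -eni pflog0.
block in log

# Admit the redirected SSH connection on the outside and let it out to COMP3.
# "log" on these two pass rules is only needed while debugging.
pass in log quick on $ext_if proto tcp tagged SSH keep state
pass out log quick on $int_if proto tcp tagged SSH keep state

# LAN hosts may reach the firewall and, through the NAT rule, the Internet.
pass in quick on $int_if keep state
pass out keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, then confirm the translation rules with pfctl -sn and the filter rules with pfctl -sr. Test with ssh -p 55555 from a host outside the LAN: a connection from the LAN to the external address is not redirected (the reflection case J65nko links in post #9). On OpenBSD 4.7 and later the separate nat/rdr rules no longer exist and the same redirect is written on the filter rule itself (pass in on $ext_if proto tcp to ($ext_if) port 55555 rdr-to 192.168.0.3 port 22).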

#8 - 16th November 2008
ikevmowe (New User)

Quoting J65nko:
You also need a rule to pass out the traffic
Code:
pass out quick on $int_if tagged SSH
I have the following rules. Port 55555 is still not open.
Code:
# macros
ext_if="fxp0"
int_if="xl0"

comp3="192.168.0.3"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

nat on $ext_if from !($ext_if) to any -> ($ext_if)

## my port forwarding rule
rdr on $ext_if proto tcp from any to any port 55555   tag SSH -> \
  192.168.0.3 port 22 


# filter rules
block in

pass in quick on $ext_if tagged SSH 
pass in quick on $int_if

pass out quick on $int_if tagged SSH
pass out keep state

#9 - 16th November 2008
J65nko (Administrator)

If you run tcpdump on the external interface do you see the packets coming in on port 55555?
Code:
tcpdump -ni fxp0
You either need a friend to ssh in to your box, or you can use a free shell account provider like http://silenceisdefeat.org to ssh in to your box. Remember that the connection really does need to enter the external interface from the Internet.

Please read http://openbsd.org/faq/pf/rdr.html#reflect on why connections initiated from the local LAN will never get redirected.

16th November 2008
ikevmowe (New User)

My friend tested it, and I have tried tcpdump; I do not see any packets coming in on port 55555. Is there anything wrong with my rules?

16th November 2008
jggimi (More noise than signal)

If that is your complete rule set, you are not logging PF data.

Each filter rule you want to log must explicitly state it, whether a block or a pass. J65nko's example, above, will log only blocked packets. If you want to log passing packets, those rules must include "log", also.

http://openbsd.rt.fm/faq/pf/logging.html

16th November 2008
J65nko (Administrator)

Quoting ikevmowe:
My friend tested it, and I have tried tcpdump; I do not see any packets coming in on port 55555. Is there anything wrong with my rules?
If you run tcpdump on the external interface (tcpdump -ni fxp0), you will see the packets as they arrive, before pf gets a chance to block them.

If tcpdump -ni fxp0 doesn't show packets with destination port 55555, then your friend possibly forgot to tell ssh to use 55555 instead of the default 22.

17th November 2008
jggimi (More noise than signal)

True. My comments were directed to logging pf actions -- which will record any logged block/pass rule as it is applied (tcpdump -ni pflog0, or tcpdump -nr /var/log/pflog).
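Reading pflog output by eye works for a handful of lines. The script below, an added example that is not part of the thread, applies the reasoning J65nko and jggimi give above to a capture from tcpdump -eni pflog0: translation runs before filtering, so a logged record shows the redirected destination, and only rules carrying "log" are recorded at all. The sample log lines are constructed (RFC 5737 documentation addresses), the interface and port defaults match the thread's setup, and the verdict names are my own:

```python
"""Triage `tcpdump -eni pflog0` output for a pf rdr port forward.

Added example, not from the thread. Given pflog records, say whether the
forwarded SSH packets were never logged, blocked on the way in, blocked on
the way out, or passed. Defaults follow the thread: fxp0 -> xl0, 55555 -> 22.
"""
import re
from collections import Counter

# One record as printed by OpenBSD `tcpdump -e -n` on pflog0, for example:
#   10:12:01.000123 rule 0/(match) block in on fxp0: 203.0.113.7.51234 > 192.168.0.3.22: S ...
# rdr is applied before filtering, so the record shows the translated destination.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\((?P<sub>[^)]*)\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

# Constructed sample captures (not real traffic).
# Case 1: rdr translated the packet, but no pass rule admits it on fxp0.
SAMPLE_BLOCKED_IN = """\
10:12:01.000123 rule 0/(match) block in on fxp0: 203.0.113.7.51234 > 192.168.0.3.22: S 100:100(0) win 65535 <mss 1460>
10:12:04.000456 rule 0/(match) block in on fxp0: 203.0.113.7.51234 > 192.168.0.3.22: S 100:100(0) win 65535 <mss 1460>
"""
# Case 2: a logged pass rule admits it on fxp0, but it is blocked leaving xl0.
SAMPLE_BLOCKED_OUT = """\
10:12:09.000789 rule 2/(match) pass in on fxp0: 203.0.113.7.51235 > 192.168.0.3.22: S 200:200(0) win 65535 <mss 1460>
10:12:09.000812 rule 1/(match) block out on xl0: 203.0.113.7.51235 > 192.168.0.3.22: S 200:200(0) win 65535 <mss 1460>
"""
# Case 3: only unrelated noise; nothing aimed at 55555/22 was logged.
SAMPLE_UNRELATED = """\
10:12:15.000001 rule 0/(match) block in on fxp0: 198.51.100.9.40000 > 198.51.100.2.23: S 300:300(0) win 8192
this line is not a pflog record and is skipped
"""

ADVICE = {
    "no-forward-traffic-logged": "nothing to 55555/22 in pflog: check arrival with "
    "tcpdump -ni fxp0 and the client's -p 55555; only rules with 'log' appear here",
    "rdr-not-applied": "blocked packets still carry the public port: the rdr rule "
    "did not match (check interface, proto and destination in the rdr rule)",
    "blocked-inbound": "rdr worked but the block rule won on the external interface: "
    "add a pass in rule for the redirected (tagged) packets",
    "blocked-outbound": "admitted on the external interface but blocked leaving the "
    "internal one: add a pass out rule towards the target host",
    "passed-by-pf": "pf passed the connection; look at sshd on the target and its "
    "default route back through the firewall",
}


def parse_pflog_line(line):
    """Return a dict for one pflog record, or None for lines that do not match."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(pflog_text):
    """Count records by (action, direction, interface, destination port)."""
    counts = Counter()
    for line in pflog_text.splitlines():
        rec = parse_pflog_line(line)
        if rec:
            counts[(rec["action"], rec["dir"], rec["iface"], rec["dport"])] += 1
    return counts


def diagnose(pflog_text, ext_if="fxp0", int_if="xl0", fwd_port=55555, target_port=22):
    """Classify what pf did with the forwarded connection attempts (keys of ADVICE)."""
    recs = [r for r in map(parse_pflog_line, pflog_text.splitlines()) if r]
    fwd = [r for r in recs if r["dport"] in (fwd_port, target_port)]
    if not fwd:
        return "no-forward-traffic-logged"
    blocked_in = [r for r in fwd
                  if r["action"] == "block" and r["dir"] == "in" and r["iface"] == ext_if]
    if blocked_in:
        # Filtering sees the post-rdr packet, so an untranslated port means no rdr match.
        if all(r["dport"] == fwd_port for r in blocked_in):
            return "rdr-not-applied"
        return "blocked-inbound"
    if any(r["action"] == "block" and r["dir"] == "out" and r["iface"] == int_if for r in fwd):
        return "blocked-outbound"
    return "passed-by-pf"


if __name__ == "__main__":
    for name, text in (("blocked in", SAMPLE_BLOCKED_IN),
                       ("blocked out", SAMPLE_BLOCKED_OUT),
                       ("unrelated", SAMPLE_UNRELATED)):
        verdict = diagnose(text)
        print(f"{name}: {verdict} - {ADVICE[verdict]}")
        print("   ", dict(summarize(text)))
```

Feed it a real capture with tcpdump -eni pflog0 > capture.txt (or tcpdump -ner /var/log/pflog) and call diagnose() on the file contents. The "no-forward-traffic-logged" verdict is deliberately weak: as jggimi notes, a pass rule without "log" leaves no record, so confirm with tcpdump -ni fxp0 that packets to port 55555 arrive at all before blaming the ruleset.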

21st November 2008
ivanatora (Fdisk Soldier)

Code:
rdr on $ext_if proto tcp from any to any port 55555 ...
from any to any?
Maybe: from any to $ext_ip?