DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 2nd January 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Question Firewall Blocking Good Traffic

Hello,

First a quick text diagram.

{internet} <--> [PIX Firewall] <--> [OpenBSD PF] <--> [rest of internal net]

I believe my problem is with my PF firewall rules however if you feel otherwise I will investigate further on the PIX.

What is happening is that while PF is enabled. (works after disabling it)

I see the following (as an example) in my logs on the PIX:

Code:
6|Jan 01 2009|19:24:05|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12234 to CENSORED-IP/110 flags FIN ACK  on interface inside
6|Jan 01 2009|19:21:58|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12235 to CENSORED-IP/80 flags ACK  on interface inside
6|Jan 01 2009|19:21:48|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12235 to CENSORED-IP/80 flags RST ACK  on interface inside
6|Jan 01 2009|19:21:39|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12234 to CENSORED-IP/110 flags RST ACK  on interface inside
6|Jan 01 2009|19:21:10|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12229 to CENSORED-IP/80 flags ACK  on interface inside
6|Jan 01 2009|19:20:55|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12229 to CENSORED-IP/80 flags RST ACK  on interface inside
The connections are for port 80 which is software trying to get updates for itself. Also port 110 which is a connection to an external mail server.

PF Configuration:

Code:
#Last Modified Dec 29 2008

#Interfaces
ext_if="fxp0"
int_if="fxp1"

#Devices

dlbox = "{ 10.10.200.4 }"
main = "{ 10.10.200.13 }"
ftpsrv = "{ 192.168.233.3 }"
websrv = "{ 192.168.233.4 }"
exc2k3 = "{ 10.10.200.3 }"
voipnet = "{ 192.168.255.0/24 }"
sshport = "{ 2201 }"

#Options
set require-order yes
set block-policy drop
set loginterface $ext_if
set loginterface $int_if
set state-policy floating
set fingerprints "/etc/pf.os"
set ruleset-optimization none

#Timeout Settings
set optimization aggressive
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }

#Connection Normalization 

scrub all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

#Queuing ALTQ
#Upload assumed aprox 80kb or 640Kb queued aprox 94%

altq on $ext_if cbq bandwidth 600Kb queue { tcpack, voip, dns, mainpc, webftp, dlbox, std }

queue std bandwidth 10% priority 1 cbq(borrow red default)
queue dlbox bandwidth 10% priority 2 cbq(borrow red)
queue webftp bandwidth 5% priority 3 cbq(borrow red)
queue mainpc bandwidth 10% priority 4 cbq(borrow red)
queue dns bandwidth 5% priority 5 cbq(borrow red)
queue tcpack bandwidth 20% priority 6 cbq(borrow red)
queue voip bandwidth 40% priority 7 cbq(borrow red) 

block in log on $ext_if

#TCP Traffic Out on $ext_if
pass out on $ext_if inet proto tcp from any to any modulate state queue(std, tcpack)
pass out quick on $ext_if inet proto tcp from $dlbox to any modulate state queue(dlbox, tcpack)
pass out quick on $ext_if inet proto tcp from $ftpsrv to any port ftp synproxy state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $websrv to any port 10001 synproxy state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $exc2k3 to any synproxy state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $main to any modulate state queue(mainpc, tcpack)
pass out quick on $ext_if inet proto tcp from any to any port domain modulate state queue(dns, tcpack)

pass out quick on $ext_if inet proto tcp from $main to any port 63600  modulate state queue(dlbox, tcpack) 

#UDP Traffic Out on $ext_if
#pass out on $ext_if inet proto udp from any to any keep state queue(std, tcpack)
pass out quick on $ext_if inet proto udp from $main to any keep state queue(mainpc, tcpack)
pass out quick on $ext_if inet proto udp from any to any port ntp keep state queue(dns, tcpack)
pass out quick on $ext_if inet proto udp from any to any port domain keep state queue(dns, tcpack)
pass out quick on $ext_if inet proto udp from any to any port 514 queue(std, tcpack)
pass out log quick on $ext_if inet proto udp from any to any port 5060 keep state queue(voip, tcpack)
pass out log quick on $ext_if inet proto udp from any to any port 5000 keep state queue(voip, tcpack)
pass out log quick on $ext_if inet from $voipnet to any keep state queue(voip, tcpack)
pass out quick on $ext_if inet proto udp from any to any port 63600 keep state queue(dlbox, tcpack)

#TCP/UDP Traffic Out on $ext_if

#TCP Traffic In on $ext_if

pass in on $ext_if inet proto tcp from any to any port 63600 modulate state queue(dlbox, tcpack)
pass in quick on $ext_if inet proto tcp from any to any port 10001 modulate state

#UDP Traffic In on $ext_if

pass in on $ext_if inet proto udp from any to any port domain keep state queue(dns, tcpack)
pass in on $ext_if inet proto udp from any to any port 514 queue(std, tcpack)
pass in on $ext_if inet proto udp from any to any port 63600 keep state queue(dlbox, tcpack)
pass in log on $ext_if inet proto udp from any to any port 5060 keep state queue(voip, tcpack)
pass in log on $ext_if inet proto udp from any to any port 5000 keep state queue(voip, tcpack)

Hope someone can help!
Thanks a bunch!
Reply With Quote
 

Tags
openbsd pf block

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
See what process is generating DNS traffic? Bruco FreeBSD General 3 2nd July 2009 05:57 PM
PF Blocking VPN Traffic plexter OpenBSD Security 6 23rd January 2009 05:25 PM
Dynamic Traffic Shaping LordZ OpenBSD Security 6 19th January 2009 04:30 PM
PF Blocking schrodinger OpenBSD Security 6 6th October 2008 10:33 PM
Suggestions for Web Traffic Logging? Bruco FreeBSD Ports and Packages 16 18th September 2008 10:54 PM


All times are GMT. The time now is 01:02 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick