DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 5th March 2010
Simon Simon is offline
Port Guard
 
Join Date: Jan 2010
Posts: 30
Thanked 0 Times in 0 Posts
Wink No redirection pass with one interface ?

Hi,

I m doing some tests with my virtualbox machine.
I use a virtual machine with only one interface. (I use OpenBSD 4.6)
I try to redirect all webpage to my website.
But my rdr pass on... doesnt' work.
Perhaps, it works with more than one interface. ?
When i do pfctl -nf /etc/pf.conf : no errors
i can go to my website, ping works.
But redirection doesn't work for example, when i type :
lynx www.google.fr, it doesn't send me to my website.
can you help me ?

here my pf ruleset
---------------------
Code:
me="egress:network"
mywebsite="www.mywebsite.com"
set skip on lo
set drop policy drop
match in scrub all (no-df max-mss 1440)
rdr pass on egress proto tcp from $me to ! $mywebsite \
                 port 80 -> $mywebsite port 80
block log all
pass out on egress proto icmp all icmp-type { echoreq unreach }
pass out on egress proto tcp from $me to $mywebsite port 80

Last edited by Simon; 5th March 2010 at 06:23 PM. Reason: more info
Reply With Quote
  #2   (View Single Post)  
Old 5th March 2010
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

Your redirect rule is not working for any number of reasons. One of those possibilities is requiring DNS to be operative before your rules are loaded at boot time. Look at the output of # pfctl -s rules to see if you've got the IP address resolved after a standard boot. Depending on how DNS is configured in your environment, this could be a problem.

Another possibility is that you have not enabled IPv4 packet forwarding. It's a sysctl.

I also note you are using an external IP address instead of 127.0.0.1 for your redirect. While it may work with a NIC address, you will gain greater efficiencies through the loopback interface.

Here's a real world example that only permits authenticated WiFi users (authpf, IPSec, or in a table of guest uses) to go on the web. Everyone else gets a page delivered from virtual host on the webserver with an unauthorized usage message. The syntax is a little different as this is -current:
Code:
# redirect unauthorized IP users to a local web page.  This includes both
# the approved addresses in tables, as well as IPSec traffic.
#
pass log quick proto tcp from {<authpf_users> <guests> <wired>} to any port www
pass log quick proto tcp from any to any port www tagged ipsec
pass in log quick proto tcp from $internal_net to any port www \
    rdr-to 127.0.0.1 port 8080
Reply With Quote
  #3   (View Single Post)  
Old 5th March 2010
Simon Simon is offline
Port Guard
 
Join Date: Jan 2010
Posts: 30
Thanked 0 Times in 0 Posts
Default

IPV4 forwarding is not enabled in my sysctl config, i use only one interface, it is not necessary to enable that.
pfctl -s rules, i can see my public address ip in rules.
But my redirection still not works.
Reply With Quote
  #4   (View Single Post)  
Old 5th March 2010
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

The section of the PF FAQ on Redirection and Reflection says (highlight mine):
Quote:
...redirection rules apply only to packets that pass through the specified interface....Connecting to the external address...does not mean the packets will actually pass through its external interface. The TCP/IP stack on the firewall compares the destination address of incoming packets with its own addresses and aliases and detects connections to itself as soon as they have passed the internal interface. Such packets do not physically pass through the external interface, and the stack does not simulate such a passage in any way. Thus, PF never sees these packets on the external interface, and the redirection rule, specifying the external interface, does not apply.
What I would do, if I were you: use the loopback interface. If that alone does not solve the problem, then enable packet forwarding, and see if it makes a difference.

If both of those things do not help, then your next step is to trace your rules with tcpdump(8) and pflog(4), as described in the PF FAQ's chapter on logging.
Reply With Quote
  #5   (View Single Post)  
Old 5th March 2010
Simon Simon is offline
Port Guard
 
Join Date: Jan 2010
Posts: 30
Thanked 0 Times in 0 Posts
Default

thank you.
Reply With Quote
  #6   (View Single Post)  
Old 5th March 2010
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,154
Thanked 182 Times in 149 Posts
Default

  1. I wonder how you can visit your website when you are not allowing out DNS traffic (udp) on port 53
    Code:
    block log all
    pass out on egress proto icmp all icmp-type { echoreq unreach }
    pass out on egress proto tcp from $me to $mywebsite port 80
  2. You are interpreting the directions as seen by pf, not correctly

    pf sees the directions IN and OUT like this diagram
    Code:
       INTERNET
           |
           |
     OUT   |      IN 
      |    |      |
     /|\   |      |
      |    |     \|/
      |    |      |
    -------|------------
          pppoe
      11.22.33.44
    
    ---------------------
    That is why your redirection will never take place
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #7   (View Single Post)  
Old 7th March 2010
Simon Simon is offline
Port Guard
 
Join Date: Jan 2010
Posts: 30
Thanked 0 Times in 0 Posts
Default

Sorry (to J65nko), i forget to write a line (not in the virtual machine) :
pass out on egress proto udp from $me to any port domain
Reply With Quote
  #8   (View Single Post)  
Old 7th March 2010
Simon Simon is offline
Port Guard
 
Join Date: Jan 2010
Posts: 30
Thanked 0 Times in 0 Posts
Default

i don't understand why it doesn't work.

my pf.conf :
--------------
me="egress:network"
mywebsite="www.mywebsite.com"
set skip on lo
set drop policy drop
match in scrub all (no-df max-mss 1440)
rdr pass on egress proto tcp from $me to ! $mywebsite \
port 80 -> $mywebsite port 80
block log all
pass out on egress proto icmp all icmp-type { echoreq unreach }
pass out on egress proto udp from $me to any port domain
pass out on egress proto tcp from $me to $mywebsite port 80
Reply With Quote
  #9   (View Single Post)  
Old 7th March 2010
Simon Simon is offline
Port Guard
 
Join Date: Jan 2010
Posts: 30
Thanked 0 Times in 0 Posts
Default

...After a long time...

It never works because i use the openbsd box has a workstation so there's no traffic IN (i let only out : ping, domain port, 80 (monsite)); when i use Lynx on the box, i do only traffic out, isn't it ?
Conclusion:
My rdr line is useless. Is there a way to accomplish what i want to do? Implement squid ?

Last edited by Simon; 7th March 2010 at 07:35 AM. Reason: More info
Reply With Quote
Old 7th March 2010
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

Since we don't know what it is you are actually trying to do.... perhaps you could actually explain it.

Did you try my recommendation of using 127.0.0.1 instead of $mywebsite? I only recommended it two or three times.
Reply With Quote
Old 7th March 2010
Simon Simon is offline
Port Guard
 
Join Date: Jan 2010
Posts: 30
Thanked 0 Times in 0 Posts
Default

To Jggimi :
I have already done "website redirection" using rdr rules with firewall for companies, it works fine. Now i want only for "test", try to do the same thing but on an OpenBSD machine as a workstation (only one interface). I tried 127.0.0.1 instead of $mywebsite, it doesn't work, i have the same mistake, the rdr line is not used.

I continue to think that :
It never works because i use the openbsd box has a workstation so there's no traffic IN (i let only out : ping, domain port, 80 (monsite)); when i use Lynx on the box, i do only traffic out.
Reply With Quote
Old 8th March 2010
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,154
Thanked 182 Times in 149 Posts
Default

Quote:
Originally Posted by Simon View Post
I continue to think that :
It never works because i use the openbsd box has a workstation so there's no traffic IN (i let only out : ping, domain port, 80 (monsite)); when i use Lynx on the box, i do only traffic out.
That is exactly what I pointed out in http://www.daemonforums.org/showthre...4476#post30568.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Web interface for rTorrent Beastie FreeBSD Ports and Packages 0 24th August 2009 11:53 AM
PF rdr pass question nimnod FreeBSD General 2 1st May 2009 08:55 PM
NAT with only one interface zapov General software and network 4 16th February 2009 03:45 AM
Redirection c0mrade Other BSD and UNIX/UNIX-like 1 11th July 2008 05:19 AM
Web interface for pf? windependence OpenBSD Security 4 20th May 2008 03:58 AM


All times are GMT. The time now is 06:16 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick