DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 2nd July 2010
sgeorge sgeorge is offline
Siju
 
Join Date: Jul 2010
Posts: 1
Thanked 0 Times in 0 Posts
Default pfctl anchors manipulation clarification on 4.7

Hi,

I have been playing with anchors lately and I am missing some thing.

The machine is "4.7 GENERIC#558 i386"

The pf.conf is

Code:
int_if="vr0"
ext_ifA="sk0"
ext_ifT="vr1"

set loginterface sk0
set skip on lo

match out on $ext_ifA inet from $int_if:network \
       to any nat-to ($ext_ifA)
match out on $ext_ifT inet from $int_if:network \
       to any nat-to ($ext_ifT)

block in log (all)

anchor atelonly
load anchor atelonly from "/etc/pf-confs/anchor-atelonly"

anchor tataonly
anchor atelandtata

pass in log (all, to pflog1) on $int_if
Now the firewall is running on these rules

Code:
# pfctl -sr
match out on sk0 inet from 172.16.0.0/12 to any nat-to (sk0) round-robin
match out on vr1 inet from 172.16.0.0/12 to any nat-to (vr1) round-robin
block drop in log (all) all
anchor "atelonly" all
anchor "tataonly" all
anchor "atelandtata" all
pass in log (all, to pflog1) on vr0 all flags S/SA keep state

# pfctl -sA
 atelandtata
 atelonly
 tataonly
# pfctl -a atelandtata -sr
# pfctl -a tataonly -sr
# pfctl -a atelonly -sr
pass out log (all, to pflog2) quick on sk0 all flags S/SA keep state
#
I have the following pflog interfaces

Code:
pflog1: flags=41<UP,RUNNING> mtu 33200
       priority: 0
       groups: pflog
pflog2: flags=141<UP,RUNNING,PROMISC> mtu 33200
       priority: 0
       groups: pflog
pflog3: flags=141<UP,RUNNING,PROMISC> mtu 33200
       priority: 0
       groups: pflog
pflog4: flags=41<UP,RUNNING> mtu 33200
       priority: 0
       groups: pflog
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
       priority: 0
       groups: pflog
in pflog2 I can see the traffic passing out through sk0 to the
internet. Fine :-)

now I run the following commands to stop traffic to the internet
through sk0 and use the second internet connection instead.
So my idea is to

1) change the default route to that of the second internet connection by

#route change -inet default 1ss.2ee.1ff.1

2) Load the ahcnor tataonly with rules from

Code:
# cat /etc/pf-confs/anchor-tataonly

ext_ifT="vr1"

pass out log (all, to pflog3) quick on $ext_ifT
by

#pfctl -a tataonly -f "/etc/pf-confs/anchor-tataonly"

3) clear rules and states created by them from anchor "atelonly" by

#pfctl -a atelonly -F all

Now I execute the following commands and these are the outputs

Code:
# route change -inet default 121.247.145.1
change net default: gateway 121.247.145.1
# pfctl -a tataonly -f "/etc/pf-confs/anchor-tataonly"
# pfctl -a atelonly -F all
rules cleared
0 tables deleted.
#
Now according to the pfctl man page

-F all Flush all of the above. ( i.e including states )

-a anchor
Apply flags -f, -F, and -s only to the rules in the specified
anchor.

So as said the rules in the anchor atelonly is flushed

Code:
# pfctl -sr
match out on sk0 inet from 172.16.0.0/12 to any nat-to (sk0) round-robin
match out on vr1 inet from 172.16.0.0/12 to any nat-to (vr1) round-robin
block drop in log (all) all
anchor "atelonly" all
anchor "tataonly" all
anchor "atelandtata" all
pass in log (all, to pflog1) on vr0 all flags S/SA keep state
# pfctl -a atelonly -sr
# pfctl -a tataonly -sr
pass out log (all, to pflog3) quick on vr1 all flags S/SA keep state
#
and I can see traffic going out to the internet through vr1 on pflog3

but there is still traffic going out through the insternet through sk0
which can be seen in pflog2.

So I guess the states made by those rules in the anchor "atelonly"
were not cleared?

How do I clear only those states?

I now tried

doing a

Code:
# pfctl -a atelonly -F states
1469 states cleared
before doing

Code:
# pfctl -a atelonly -F all
then I lose my ssh connection with the firewall :-(
Is it because it clears all the states instead on the ones created by
"-a atelonly" ?

How do I flush just the states created by an anchor ruleset when I flush them?

anchor "atelandtata" holds nothing now but if I do a

#pfctl -a atelandtata -ss

it shows all the states.

but the man page says

-a anchor
Apply flags -f, -F, and -s only to the rules in the specified
anchor.

Am I misunderstanding the wordings by some means?
Could some one please explain?

Thanks :-)
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Blinkenlights for all: Cisco's building automation system vulnerable to manipulation J65nko News 0 27th May 2010 04:26 PM
flush states pfctl joostvgh OpenBSD Security 3 27th January 2010 06:50 PM
pfctl -s info counters don't change audio FreeBSD Security 2 16th July 2008 11:01 PM


All times are GMT. The time now is 02:47 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick