DaemonForums > OpenBSD > OpenBSD Security
#1, Monkey (New User), 7th December 2010
Setting up an OpenBSD firewall

Hi,

I want to set up an OpenBSD 4.8 firewall to protect my home internal network and split my internet connection using NAT. Here is my working pf.conf:

Code:
ext_if="pppoe0"
int_if="xl1"

lan_ip1="192.168.0.2"
lan_ip2="192.168.0.3"
lan_ip3="192.168.0.12"
port1="50301"
port2="6885"
port3="48000"

set skip on lo
set block-policy return

match on pppoe0 scrub (max-mss 1440)

pass out on $ext_if from !($ext_if) to any nat-to ($ext_if)

#Rules for Vuze bittorrent client (192.168.0.2):
pass in on $ext_if proto tcp from any to any port $port1 rdr-to $lan_ip1
pass in on $ext_if proto udp from any to any port $port1 rdr-to $lan_ip1

The NAT is working fine, I have access to the internet from the internal network, but there is no protection against attacks from the internet. To secure it all I added the following rules:

Code:
ext_if="pppoe0"
int_if="xl1"

lan_ip1="192.168.0.2"
lan_ip2="192.168.0.3"
lan_ip3="192.168.0.12"
lan_net="192.168.0.0/24"
port1="50301"
port2="6885"
port3="48000"

set skip on lo
set block-policy return

match on pppoe0 scrub (max-mss 1440)

pass out on $ext_if from !($ext_if) to any nat-to ($ext_if)

block all

antispoof quick for $int_if inet

pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

#Rules for Vuze bittorrent client (192.168.0.2):
pass in on $ext_if proto tcp from any to any port $port1 rdr-to $lan_ip1
pass in on $ext_if proto udp from any to any port $port1 rdr-to $lan_ip1

With that I have access to the internet only on the OpenBSD firewall machine, not from the internal network.
Everything seems OK; can anybody spot the problem?

Thanks in advance
#2, wesley (Fdisk Soldier, Reunion Island), 7th December 2010

Be sure you have ip.net.forwarding=1 in your /etc/sysctl.conf

Here is a sample of a 4.7 ruleset:
http://mouedine.net/ruleset47.aspx
Compatible with 4.8 RELEASE
#3, J65nko (Administrator), 7th December 2010

Use block log all to direct the blocked packets to the pflog0 interface.
Run tcpdump on pflog0 to view what is being blocked.
Code:
# tcpdump -eni pflog0
Generate some traffic from your LAN and tcpdump will give you some clues about which rule(s) you will have to add.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
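As an added example (not from the thread or from any of its posters), here is a small Python script that parses lines in the format `tcpdump -eni pflog0` prints, counts blocked packets per rule, direction and interface, and flags outbound packets blocked on the external interface that still carry a private source address, which is what LAN traffic looks like when it reaches the outside interface without being passed and NATed. The sample lines are constructed, and the external interface name `pppoe0` is taken from the thread's pf.conf.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -eni pflog0` output, for illustration only:
# timestamps, rule numbers and addresses are made up, not a real capture.
SAMPLE_PFLOG = """\
14:02:11.120331 rule 3/(match) block in on xl1: 192.168.0.2.49152 > 93.184.216.34.80: S 1:1(0) win 65535 <mss 1460>
14:02:11.120402 rule 3/(match) block out on pppoe0: 192.168.0.2.49152 > 93.184.216.34.80: S 1:1(0) win 65535 <mss 1440>
14:02:12.004118 rule 3/(match) block in on xl1: 192.168.0.3.53211 > 8.8.8.8.53: 1234+ A? example.com. (29)
14:02:13.777001 rule 3/(match) block in on pppoe0: 203.0.113.7.44444 > 198.51.100.9.22: S 9:9(0) win 1024
"""

# One pflog line: timestamp, matching rule number, action, direction and
# interface, then "src.port > dst.port:" followed by protocol detail.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>\S+):"
)

def parse_pflog(text):
    """Parse tcpdump pflog lines into dicts; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        # tcpdump prints the port as the last dotted field of the address
        e["src_host"], e["src_port"] = e["src"].rsplit(".", 1)
        e["dst_host"], e["dst_port"] = e["dst"].rsplit(".", 1)
        entries.append(e)
    return entries

def blocked_by_rule(entries):
    """Count blocked packets per (rule, direction, interface): shows which rule bites."""
    return Counter((e["rule"], e["dir"], e["ifname"])
                   for e in entries if e["action"] == "block")

def lan_blocked_leaving(entries, ext_if="pppoe0"):
    """Blocked outbound packets on ext_if that still carry a private source address:
    LAN traffic that reached the external interface without being passed or NATed."""
    return [e for e in entries
            if e["action"] == "block" and e["dir"] == "out" and e["ifname"] == ext_if
            and ipaddress.ip_address(e["src_host"]).is_private]
```

Feed it the real tcpdump output instead of SAMPLE_PFLOG and the (rule, direction, interface) counts point straight at the rule number that needs a matching pass rule.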