DaemonForums > OpenBSD > OpenBSD Security
#1   22nd August 2011
tomp (Real Name: Tom Purvis)
why won't my table work?

I've been working on understanding rules in pf.conf and I've made some progress, but I don't pretend to really get it all yet. I've been trying to define some groupings among our users in order to allow traffic from only some users to some ports. My basic plan is to have rank and file users be served DHCP addresses from the firewall box, and have blocks of static addresses that will be given privileges as needed. Tables of IP addresses stored in files seem like the cleanest way to define these groupings.

Problem is that I can't seem to make a simple example work.

I've set up a closed test network: one PC with an http server, a site at port 80 and another at 81. That machine sits on the "outside" LAN connected to my firewall's rl0 NIC; the other one, which is serving as client, sits on the inside on rl1.

I want "everyone" to be able to get to port 80 on the outside, but only developers to be able to get to 81.

Here's my pf.conf, currently not working:

Code:
#       $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
#  RockyMountainTrail.com Packet Filter Config File: Aug 18, 2011
ext_if="rl0"
int_if="rl1"
localnet=$int_if:network
outsidenet=$ext_if:network
tcp_services="{ 80 }"
tcp_services_dev="{ 81 }"
udp_services="{ domain, ntp, dhcpd-sync }"
netbios_services="{ netbios-ns, netbios-dgm, netbios-ssn }"
icmp_types="echoreq"
table <developers> persist file "/etc/developers"
#table <developers> { 192.168.0.10 }
# begin settings
set block-policy drop
set skip on lo
antispoof quick for $ext_if
# This is the NAT line:
match out on $ext_if from $localnet nat-to ($ext_if)
block log on $ext_if all
pass out inet proto tcp from <developers> to port $tcp_services_dev keep state
pass out inet proto { tcp, udp } from { self, $localnet } to port $tcp_services
pass inet proto { tcp, udp } from $outsidenet to $localnet port $netbios_services
pass inet proto { tcp, udp } to port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types
# allow ssh to come in from "outside"
pass in proto tcp from $outsidenet to $ext_if port { ssh }

I tried making the <developers> table a simple single IP address (you can see that attempt commented out; it did not work either). The developers file contains:

Code:
192.168.0.8
192.168.0.9
192.168.0.10

Sorry if this is a totally stupid mistake. I have a feeling that it is and I don't want to waste anybody's time, but I'm just not finding anything that points me to what's wrong. And I've spent a stupid amount of time trying to figure it out. (Some of the rules you see are based on wild-ass guesses from multiple attempts to conjure a solution out of what the log is spitting out as the connection request for port 81 fails.)

Thanks as always.
#2   23rd August 2011
tomp (Real Name: Tom Purvis)
problem was not table

For the rest of the confused folks reading this who didn't know, my problem was not the table. I put the IP addresses into a macro and tried to refer to it; the rule still didn't work, so then I put the addresses literally into the rule and it still didn't work.

Eventually I figured out at least this riddle. This pf.conf works with my table, defined in the file /etc/developers:
Code:
ext_if="rl0"
int_if="rl1"
localnet=$int_if:network
outsidenet=$ext_if:network
tcp_services="{ www, https, sftp, ntp, pop3, smtp, ms-sql-s }"
tcp_dev_services="{ 81 }"
udp_services="{ domain, ntp, dhcpd-sync }"
proxy="127.0.0.1"
netbios_services="{ netbios-ns, netbios-dgm, netbios-ssn }"
icmp_types="{ echoreq, unreach }"
table <developers> persist file "/etc/developers"
# begin settings
set block-policy drop
set skip on lo
antispoof quick for $ext_if
block all
# This is the NAT line:
match out on $ext_if from $localnet nat-to ($ext_if)
# begin granular rules
block in log on $ext_if all
# allow ssh to come in from "outside"
pass in quick proto tcp to $ext_if port { ssh }
pass inet proto { tcp, udp } to port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types
pass inet proto tcp from $localnet to port $tcp_services
pass inet proto tcp from <developers> to port $tcp_dev_services
pass inet proto tcp from self

The final line, pass inet proto tcp from self, which should allow localhost to talk to any port on either side of the box, seems to be the enabler.

Just a bit more information for people like me who are still trying to figure this out. I'll post everything else I learn even if nobody else participates in this thread.

Last edited by tomp; 23rd August 2011 at 09:47 PM.
#3   24th August 2011
tomp (Real Name: Tom Purvis)
And one more reply to myself

I have arrived at a pf.conf that works in my test environment. It has a couple of port-forwarding redirects that I won't include here because they are internal business. But this works for FTP from inside the firewall to the 'net, it allows MS SQL Server TCP client access to db servers outside the firewall from inside, and it allows a selection of TCP/IP ports to be passed.

I post it because I hope that another clueless newb who googles to this thread will find it useful.

Code:
# Macros:
ext_if="rl0"
int_if="rl1"
localnet=$int_if:network
outsidenet=$ext_if:network
tcp_services="{ www, https, ftp, ftp-data, ssh, sftp, ntp, pop3, smtp, ms-sql-s, 4022 }"
tcp_dev_services="{ 81 }"
udp_services="{ domain, ntp, dhcpd-sync, ms-sql-m }"
proxy="127.0.0.1"
netbios_services="{ netbios-ns, netbios-dgm, netbios-ssn }"
icmp_types="{ echoreq, unreach }"
# Tables:
table <developers> persist file "/etc/developers"
# begin settings
set block-policy drop
set skip on lo
antispoof quick for $ext_if
block log all
# This is the NAT line:
match out on $ext_if from $localnet nat-to ($ext_if)
# block incoming traffic
block in log on $ext_if all
# FTP Proxy rules:
pass in quick on $int_if proto tcp to port 21 rdr-to $proxy port 8021
anchor "ftp-proxy/*"
# begin granular rules
pass inet proto tcp from self
# allow ssh to come in from "outside":
pass in quick proto tcp to $ext_if port { ssh }
# list of acceptable services:
pass inet proto tcp from $localnet to port $tcp_services
# needed for SQL Server tcp/ip access:
pass inet proto udp from $localnet to port ms-sql-m
# UDP and ICMP rules:
pass inet proto { tcp, udp } to port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types
#4   25th August 2011
jggimi

I'm not sure, Tom, what trouble you were actually having, because I can't always just look at a configuration file and figure out what may be going wrong.

For me, I find it easiest to log every filter rule, pass or block, as a matter of course. I then use tcpdump(8) to confirm which rule is applicable to the packets of interest.

You probably already know it, but just in case:
  • For any packet, the last matching rule in the file applies.
  • However, if a rule is "quick", a matching packet immediately stops all further tests, and the rule is applied.
I avoid "quick" rules, to avoid confusing myself.
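To make jggimi's method concrete, here is an added example in POSIX sh; it is not from any post in this thread and not OpenBSD's code. It maps pflog entries back to the rule that produced them. The ruleset listing and the pflog lines below are constructed stand-ins for the output of pfctl -vvsr and tcpdump -n -e -ttt -i pflog0, and the example assumes that the "rule N" in a pflog entry is the "@N" number pfctl -vvsr prints for the same loaded ruleset (rules inside anchors such as the ftp-proxy one are reported with the anchor path, which this example does not handle). rule_text, log_rule_number, explain, hits_per_rule and blocked_flows are this example's own names. With log on every block and pass rule, as jggimi suggests, every decision shows up here and nothing is dropped silently.

```sh
#!/bin/sh
# Added example, not from the thread: tie pflog lines back to the pf rule that
# produced them. Assumes the pflog rule number equals the @N in 'pfctl -vvsr'.

# Constructed 'pfctl -vvsr' listing: rules numbered @N, each followed by counters.
RULESET='@0 block drop log all
  [ Evaluations: 40        Packets: 6         Bytes: 360         States: 0     ]
@1 match out on rl0 inet from 192.168.1.0/24 to any nat-to (rl0) round-robin
  [ Evaluations: 34        Packets: 0         Bytes: 0           States: 0     ]
@2 pass log inet proto tcp from 192.168.1.0/24 to any port = 80 flags S/SA
  [ Evaluations: 30        Packets: 20        Bytes: 4000        States: 2     ]
@3 pass log inet proto tcp from <developers> to any port = 81 flags S/SA
  [ Evaluations: 10        Packets: 4         Bytes: 800         States: 1     ]'

# Constructed pflog lines in the shape 'tcpdump -n -e -ttt -i pflog0' prints them.
PFLOG='000000 rule 0/(match) block in on rl0: 10.0.0.5.50000 > 192.168.1.1.22: S 1:1(0) win 65535
000123 rule 2/(match) pass out on rl0: 192.168.1.8.49152 > 192.168.0.5.80: S 1:1(0) win 65535
000045 rule 3/(match) pass out on rl0: 192.168.1.10.49200 > 192.168.0.5.81: S 1:1(0) win 65535
000012 rule 0/(match) block out on rl0: 192.168.1.20.49300 > 192.168.0.5.81: S 1:1(0) win 65535'

# rule_text N: prints the body of rule @N from the listing, without the '@N ' prefix
rule_text() {
  printf '%s\n' "$RULESET" | awk -v n="$1" '$1 == ("@" n) { sub(/^@[0-9]+ /, ""); print; exit }'
}

# log_rule_number LINE: prints the N from "rule N/(match)" in one pflog line
log_rule_number() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i < NF; i++) if ($i == "rule") { split($(i + 1), a, "/"); print a[1]; exit }
  }'
}

# explain LINE: prints "<verdict> <dir> on <iface> by @N: <rule text>"
explain() {
  n=$(log_rule_number "$1")
  [ -n "$n" ] || { echo "no rule number found"; return 0; }
  where=$(printf '%s\n' "$1" | awk '{
    for (i = 1; i < NF; i++) if ($i == "rule") { print $(i + 2), $(i + 3), $(i + 4), $(i + 5); exit }
  }')
  # where looks like "block out on rl0:"; drop the trailing colon
  printf '%s by @%s: %s\n' "${where%:}" "$n" "$(rule_text "$n")"
}

# hits_per_rule: log entries per rule number, printed as "N count", lowest N first
hits_per_rule() {
  printf '%s\n' "$PFLOG" | awk '{
    for (i = 1; i < NF; i++) if ($i == "rule") { split($(i + 1), a, "/"); c[a[1]]++ }
  } END { for (k in c) print k, c[k] }' | sort -n
}

# blocked_flows: "src > dst" for every logged block, to see what a block rule is eating
blocked_flows() {
  printf '%s\n' "$PFLOG" | awk '$4 == "block" { sub(/:$/, "", $10); print $8, $9, $10 }'
}

for n in 0 2 3; do printf '@%s: %s\n' "$n" "$(rule_text "$n")"; done
printf '%s\n' "$PFLOG" | while read -r line; do explain "$line"; done
hits_per_rule
blocked_flows
```

Reading the constructed output top to bottom shows the kind of thing this finds: the client at 192.168.1.20 trying port 81 was caught by @0, the catch-all block, while 192.168.1.10 reached the same port through @3, so the first thing to check is whether .20 is actually in the developers table rather than anything about the rule itself.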