DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 31st January 2012
alpha202ej alpha202ej is offline
Port Guard
 
Join Date: Dec 2011
Posts: 10
Thanked 0 Times in 0 Posts
Default Dual WAN & HTTPS Sites

Hi everyone,

Anyone ever have any issues accessing certain HTTPS sites? We have have our OpenBSD box acting as the firewall and it utilizes an aysmetrical dual WAN connection (two different ISPs). The error that is most telling is from LogMeIn where it states I have an IP address mismatch. This doesn't make sense to me since I have a rule that forces HTTPS traffic to only go through the first WAN interface. Furthermore, I also went ahead an reloaded my PF to only utilize the one interface and still have the same issue (did a pfctl -F all -f /etc/pf.conf).

Below is my pf.conf.

Code:
# PF Configuration

############
## MACROS ##
############

# Interfaces
int_if  = "vr0" #Internal Interface
ext_if1 = "vr1" #External Interface T1
ext_if2 = "axe0" #External Interface WiMAX
ext_gw1 = "x.x.x.x"
ext_gw2 = "y.y.y.y"
vpn_if  = "tun0" #VPN Tunnel
vlan100 = "vlan100" #VLAN Interface 10.0.2.0/24

# Misc
ext = "{ vr1, axe0 }"
localnet = "10.0.0.0/24"
vlan100net = "10.0.2.0/24"
abcnet = "10.21.0.0/16"
vpnnet = "172.25.0.0/24"
#SH_Ext = "x.x.x.x"
SH_Int = "10.0.0.11"
nonroute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"
snglextports = "{ 21, 22, 443, 1194, 3389, 8008, 10000 }"
abc_scanner = "{ 21, 80, 443, 990, 2002, 3000:3019 }"
DHCP = "{ 67, 68 }"
icmp_types = "echoreq"
voipport = "{ 4569 }"

# Addresses
MFC8780 = "10.0.0.5"

# Ports
RDP = "{ 3389 }"

# FTP Pass
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

############
## TABLES ##
############


####################
## GLOBAL OPTIONS ##
####################

set skip on lo0

###########################
## TRAFFIC NORMALIZATION ##
###########################


####################
## QUEUEING RULES ##
####################


#########################################
## TRANSLATION RULES (NAT) & SCRUBBING ##
#########################################

match in all scrub (no-df max-mss 1440)

match out on $vpn_if from $localnet nat-to $vpn_if
match out on $ext_if1 from $localnet nat-to ($ext_if1)
match out on $ext_if2 from $localnet nat-to ($ext_if2)
match out on $ext_if1 from $vlan100net nat-to ($ext_if1)
match out on $ext_if2 from $vlan100net nat-to ($ext_if2)

###################
## FILTERS RULES ##
###################

#antispoof for $int_if
#antispoof for $ext_if1
#antispoof for $ext_if2

block in log
block out log

# Block Non-Routable Addresses
#block drop in quick on $ext_if from $nonroute to any
#block drop out quick on $ext_if from any to $nonroute

pass inet proto { tcp, udp } from { self, $localnet, $vlan100net, $vpnnet }

# Single WAN - DISABLED
#pass out log on $ext_if1 proto { tcp udp icmp } all

### Dual WAN Configuration
pass in log on $int_if from { $localnet, $vpnnet } route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
pass in on $vlan100 from $vlan100net route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin

# Single External Connection Path for Secure Ports
pass in on $int_if proto { tcp, udp } from { $localnet, $vpnnet } to port $snglextports route-to ($ext_if1 $ext_gw1)

# General "Pass Out" Rules For External Interface
pass out on $ext_if1
pass out on $ext_if2

# Route Packets From any IPs on on $ext_if1 to $ext_gw1 and the same for ext_if2 and $ext_gw2
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

pass in inet proto tcp to port ssh
pass inet proto icmp

# VPN
pass quick on $vpn_if
pass in on !$ext_if1 to $abcnet
pass in on !$ext_if2 to $abcnet
pass in quick proto udp from any to port 1194

block in on ! lo0 proto tcp to port 6000:6010
Anyone know what might be going on because at this point I am baffled. Thanks!
Reply With Quote
  #2   (View Single Post)  
Old 31st January 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,612
Thanked 214 Times in 189 Posts
Default

I think that you should add "log" to all of your rules, both pass and block, and use tcpdump with pflog0, and watch which pass rules apply.

I say this because watching pass rules may show you that the packets you want to direct to a single ISP with route-to are matching unintended rules. Unless "quick" is used, in PF, the last matching rule wins.

I see this rule, which I think you want to apply to this traffic:
Code:
# Single External Connection Path for Secure Ports pass in on $int_if proto { tcp, udp } from { $localnet, $vpnnet } to port $snglextports route-to ($ext_if1 $ext_gw1)
but the very next set of rules will find a match, since they pass all outbound traffic, and negate your prior matching rules:
Code:
# General "Pass Out" Rules For External Interface pass out on $ext_if1 pass out on $ext_if2
Use tcpdump, and see if it helps you debug this.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Open Source E-commerce sites under attack! CyberJet News 0 29th July 2011 02:07 PM
https ports on PF mug23 OpenBSD Security 5 4th March 2011 10:11 PM
Best Way to sync web sites roundkat OpenBSD General 2 14th September 2008 01:48 PM
Collect visited sites bichumo General software and network 3 8th August 2008 06:32 PM
Cool sites 18Googol2 Off-Topic 0 2nd May 2008 09:19 AM


All times are GMT. The time now is 11:29 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick