#1 - 25th November 2012 - latux (New User)
pf.conf and nat

Hello Community,
I am a newbie with BSD and I am trying to understand how a system at work is running.
I have an "OpenBSD 4.5 GENERIC#1749 i386" to work with.
This host is running as a firewall with 4 ethernet ports.
Now I have to realise NAT between 2 networks: mgt_if and extra_if.
Code:
# macros:
mgt_if="10.1.0.254"
extra_if="192.168.50.254"

# host on extra_if
host1="192.168.50.100"
# pool of clients on mgt_if
table <client> const { 10.1.0.11, 10.1.0.12, 10.1.0.21, 10.1.0.31 }
No host from "extra" should communicate with hosts on "mgt_if";
only "host1" can do it with the clients defined in the "<client>" table, for ssh, vnc, snmp (monitoring).

I tried a lot of nat settings, but it's not working:
Code:
# Note: $mgt_if and $extra_if above expand to addresses, but in 4.5 syntax
# "nat on" expects an interface name (e.g. em1), so none of these rules
# actually refers to an interface.
nat on $mgt_if from $host1 to any -> ($mgt_if:0)
nat on $mgt_if from ($extra_if:0:network) to any -> ($mgt_if:0)
nat on $mgt_if inet from $host1 to any -> ($mgt_if:0)
nat on $mgt_if inet from ($extra_if:0:network) to any -> ($mgt_if:0)
nat on $mgt_if inet proto { tcp, udp } from $host1 to any -> ($mgt_if:0)   # was "$host", an undefined macro
nat on $mgt_if inet proto { tcp, udp } from ($extra_if:0:network) to any -> ($mgt_if:0)
Can someone help me?
Thanks in advance,
Laurent
#2 - 25th November 2012 - ocicat (Administrator)

Quote (latux):
I have an "OpenBSD 4.5 GENERIC#1749 i386" to work with.
OpenBSD 4.5 was released in May 2009 -- roughly 3.5 years ago. Official support for OpenBSD releases lasts one calendar year following the date of release which means that official support for OpenBSD 4.5 ended over two years ago.

Use of old releases is also problematic given that pf(4) has had radical changes made to its implementation & usage in the past few years. If you have been using the PF User's Guide for guidance (& it is a solid source of information for all things related to pf(4)...), recognize that it targets the current release, which is OpenBSD 5.2 -- released in November 2012. Information found in the Guide may or may not apply as expected to such an old release as 4.5.

Information on both pf(4) & NAT can be found in the Guide. More tutorial information can be found in Hansteen's online manuscript:

http://home.nuug.no/~peter/pf/

Yet as cautioned earlier, these documents refer to versions of OpenBSD newer than 4.5.

#3 - 25th November 2012 - J65nko (Administrator, Budel - the Netherlands)

Are you sure you need NAT?

If you need those two networks to be able to communicate with each other you don't need NAT at all.
You can do that with routing and the needed pf.conf tweaks to permit those two networks to communicate.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#4 - 25th November 2012 - J65nko (Administrator)

Your specification:
  • An OBSD firewall box with 4 interfaces.
    For the sake of completeness I just randomly chose the unknown LANs and netmasks.
    Code:
                           I N T E R N E T
                                  |
                                  |
                                  |
                                  |
                 +----------------|---------------+
                 |          11.11.11.11/30        |
                 |        external interface      |
                 |                                |
                 |   10.                  E 192.  | 
                 |    1.  M               X 168.  | 
      MGT LAN ------  0.  G               T  50. --------- EXTRA LAN
                 |  254   T               R 254   |
                 |  /24                   A /24   |
                 |                                |
                 |        internal interface      |
                 |            10.20.30.1/24       | 
                 +----------------|---------------+
                                  |
                                  |
                                  |
                                  |
                            INTERNAL  LAN
                            10.20.30.0/24
  • I have to realise a NAT between 2 networks: mgt_if and extra_if.
    Code:
    #macros:
    mgt_if="10.1.0.254"
    extra_if="192.168.50.254"
    
    #host on extra_if
    host1="192.168.50.100"
    
    # clients on mgt_if
    table <client> const {10.1.0.11, 10.1.0.12, 10.1.0.21, 10.1.0.31}
  • No host from "EXTRA" should communicate with hosts on "MGT"
    Only "host1" is allowed to communicate with the clients defined in the "<client>" table, for ssh, vnc, and snmp (monitoring).

What does 'host1' (192.168.50.100) on the EXTRA network need to communicate with the 10.1.0.x hosts listed in your client table?

That host needs a route and no NAT is needed. It should know that in order to send packets for the MGT network it should send them through 192.168.50.254 on the firewall. In other words: for 'host1' 192.168.50.254 is the gateway to the 10.1.0.0/24 network.

Three options for the routing on 'host1' (192.168.50.100):
  • Add a default route:
    Code:
    route add default 192.168.50.254
  • Add a route to the 10.1.0.0/24 network
    Code:
    route add 10.1.0.0/24 192.168.50.254
  • Add routes for each individual host
    Code:
    route add 10.1.0.11 192.168.50.254
    route add 10.1.0.12 192.168.50.254
    route add 10.1.0.21 192.168.50.254
    route add 10.1.0.31 192.168.50.254

The three routing options for the 10.1.0.11, 10.1.0.12, 10.1.0.21, and 10.1.0.31 hosts on the MGT network:
  • Add a default route:
    Code:
    route add default 10.1.0.254
  • Add a route to the 192.168.50.254 network:
    Code:
    route add 192.168.50.0/24 10.1.0.254
  • Only add a route to 'host1' (192.168.50.100):
    Code:
    route add 192.168.50.100 10.1.0.254

You can change the pf.conf till you weigh an ounce, but if you do not have the routing configured correctly, those hosts will never be able to communicate with each other.

Please remember that you only need NAT on the external interface because the 10.x.x.x and 192.168.x.x network addresses are not routable on the internet. But on your internal networks these addresses are routable.
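Editor's note: the ruleset below turns J65nko's advice (route, don't translate, and let pf do the filtering) into a complete pf.conf in OpenBSD 4.5 syntax. It is an added example, not code from the thread. The interface names em1 (MGT, 10.1.0.254/24) and em2 (EXTRA, 192.168.50.254/24) are assumptions, because the thread only ever gives addresses, and `pass on` / `nat on` take an interface name, not an address. It also assumes the routes from post #4 are in place on host1 and on the clients, that VNC means display :0 (TCP 5900), and that IP forwarding is enabled on the firewall.

```pf
# OpenBSD 4.5 pf.conf, routed version (no NAT). Added example, not from the thread.
# Interface names are assumptions; the thread only gives the addresses.
mgt_if="em1"       # 10.1.0.254/24     (MGT LAN)
extra_if="em2"     # 192.168.50.254/24 (EXTRA LAN)

host1="192.168.50.100"                       # monitoring host on EXTRA
table <client> const { 10.1.0.11, 10.1.0.12, 10.1.0.21, 10.1.0.31 }
ssh_vnc="{ 22, 5900 }"                       # VNC display :0 assumed

set skip on lo

# Default deny in both directions. "log" means every dropped packet shows up in
#   tcpdump -n -e -ttt -i pflog0
# which is the quickest way to see whether pf or the routing is at fault.
block log all

# EXTRA -> MGT: only host1, only to the monitored clients, only the monitoring
# ports. Any other host on EXTRA falls through to "block log all".
# "keep state" and "flags S/SA" are the defaults since 4.1, so they are not spelled out.
pass in  on $extra_if inet proto tcp from $host1 to <client> port $ssh_vnc
pass in  on $extra_if inet proto udp from $host1 to <client> port 161

# Pre-4.7 pf keys its states per interface and direction, so the state created
# on $extra_if does not cover the forwarded leg: the outbound interface needs
# its own pass rule, or the packet dies on "block log all" when leaving $mgt_if.
pass out on $mgt_if   inet proto tcp from $host1 to <client> port $ssh_vnc
pass out on $mgt_if   inet proto udp from $host1 to <client> port 161

# SNMP traps travel the other way: agents on MGT -> manager host1, UDP 162.
pass in  on $mgt_if   inet proto udp from <client> to $host1 port 162
pass out on $extra_if inet proto udp from <client> to $host1 port 162
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`, and make sure `net.inet.ip.forwarding=1` is set in /etc/sysctl.conf (a box that already routes four interfaces will have it). If a session still fails, `pfctl -ss` shows whether a state exists on both legs, and `tcpdump -n -i em2` next to `tcpdump -n -i em1` separates the two possible causes: a packet that leaves em1 and never gets an answer points at a missing route on the client, while a packet that never leaves points at pf and will be on pflog0.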
#5 - 8th December 2012 - latux (New User)

Hello J65nko,
thanks a lot for your explanations.
Your network plan is great, but I have another constellation:

Code:
                                                            VPN
                                                             |
                  +-------------------------+                |
                  |                         |           10.1.0.254
192.168.50.0/24 --|-Monitoring (intra_if)   |               (gw)
                  |                         |                |
192.168.51.0/24 --|-FTP-Server (extra_if)   |-- 10.1.0.0/24--|
                  |                         |  (clients - mgt_if)
192.168.52.0/24 --|-FTP-Clients (sto_if)    |  (.11/.12/.21/.31)
                  |                         |
                  +-------------------------+
The clients (on 10.1.0.0/24) are communicating over a VPN with the World.
They are connected to the OBSD-FW (mgt_if) to be able to communicate with other FTP-Clients (sto_if) and servers (extra_if), which are located on the internet. This is the reason why I have this FW in between.
The machine on intra_if will do monitoring of all hosts.
On the FW, i have rules to grant communication between:
- ftp servers/clients (ftp-proxy)
- some ftp-servers (trusted) with my mgt_if workstations (ftp-proxy)

So now, I first want to realise monitoring from intra_if (192.168.50.100) to mgt_if (10.1.0.0/24).
The FW should grant ssh, vnc, snmp (161-162) to mgt_if.
That's it.
The host (192.168.50.100) already has a route to communicate with mgt_if (route add 10.1.0.0/24 192.168.50.254).
But I cannot add a route on the mgt_if hosts to intra_if (route add 192.168.50.0/24 10.1.0.xxx). That is the reason I was thinking I could work with NAT to realise this.
Thanks in advance again
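Editor's note: if, as post #5 says, the MGT clients really cannot be given a route back to 192.168.50.0/24, source NAT on the firewall's MGT interface is the workaround: host1's packets leave that interface with the firewall's own MGT address as source, which is on-link for the clients, so their replies need no route. The ruleset below is an added example in OpenBSD 4.5 syntax, not code from the thread. Interface names em1 (mgt_if) and em2 (intra_if, the monitoring side as post #5 now calls it) are assumptions; `($mgt_if)` expands to whatever address the firewall has on em1, so the unknown 10.1.0.xxx need not be written down. Two pre-4.7 rules of the game matter here and are the usual reason such attempts fail: `nat on` needs an interface name, not an address macro, and translation happens before filtering, so a `pass out` rule on the NAT interface must match the translated source. The trap redirect at the end assumes the agents are configured to send traps to the firewall's MGT address.

```pf
# OpenBSD 4.5 pf.conf, NAT variant for the layout in post #5. Added example.
# Interface names are assumptions; "($mgt_if)" is the firewall's own address on em1.
mgt_if="em1"       # 10.1.0.0/24, clients .11/.12/.21/.31, VPN gateway is .254
intra_if="em2"     # 192.168.50.254/24, monitoring side

host1="192.168.50.100"
table <client> const { 10.1.0.11, 10.1.0.12, 10.1.0.21, 10.1.0.31 }
ssh_vnc="{ 22, 5900 }"                       # VNC display :0 assumed

set skip on lo

# Translation rules must precede filter rules in 4.5. Only host1's monitoring
# traffic to the clients is translated; nothing else from 192.168.50.0/24 ever
# gets a NAT entry, so the "no other EXTRA host may talk to MGT" rule still holds.
nat on $mgt_if inet proto tcp from $host1 to <client> port $ssh_vnc -> ($mgt_if)
nat on $mgt_if inet proto udp from $host1 to <client> port 161      -> ($mgt_if)

# SNMP traps: the clients cannot reach host1 directly, so (assumption) their
# agents are pointed at the firewall's MGT address and pf redirects UDP 162.
rdr on $mgt_if inet proto udp from <client> to ($mgt_if) port 162 -> $host1

block log all

# Inbound on the monitoring side the packet is still untranslated ...
pass in  on $intra_if inet proto tcp from $host1 to <client> port $ssh_vnc
pass in  on $intra_if inet proto udp from $host1 to <client> port 161
# ... but leaving $mgt_if the filter sees the NATed source, so the rule must
# name the firewall's address. A "pass out ... from $host1" here never matches
# and the connection dies silently on "block log all".
pass out on $mgt_if inet proto tcp from ($mgt_if) to <client> port $ssh_vnc
pass out on $mgt_if inet proto udp from ($mgt_if) to <client> port 161

# Redirected traps: after rdr the filter sees host1 as the destination.
pass in  on $mgt_if   inet proto udp from <client> to $host1 port 162
pass out on $intra_if inet proto udp from <client> to $host1 port 162
```

Two caveats. First, with NAT the clients' sshd, VNC and SNMP logs will record the firewall's 10.1.0.x address instead of 192.168.50.100, so per-host attribution on the MGT side is lost; a static route on the clients, as J65nko proposes, keeps it. Second, this is 4.5 syntax only: from 4.7 on the same translation is written as `match out on $mgt_if inet proto tcp from $host1 to <client> port $ssh_vnc nat-to ($mgt_if)`, and the filtering side changed with it, so do not mix the two dialects or copy rules from a current PF User's Guide into a 4.5 box without checking pf.conf(5) of that release.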
#6 - 8th December 2012 - J65nko (Administrator)

The mgt_if clients that are communicating over the VPN with the world, they have 10.1.0.254 as the default gateway? Is this correct?

The VPN connection is the reason why those mgt_if clients cannot have, say 10.1.0.1, as the default route. If 10.1.0.1 could be their default route, it would allow them to communicate with the intra_if, the 'extra_if' and 'sto_if' hosts.

Quote (latux):
But I cannot add a route on the mgt_if hosts to intra_if (route add 192.168.50.0/24 10.1.0.xxx).
What is the reason you cannot add this route? Even under Windows you can add static routes.