DaemonForums  

OpenBSD Security

11th December 2013
capt_cosmo
PF: Two internal interfaces and routing

Hi,

I have a problem regarding my pf ruleset.

My network setup looks as follows:

Code:
                            Internet
                                ^
                                |
                          if_wan [pppoe0]
                                |
                                v
(client1..n) <-- if_wlan --> bsd-router <-- if_lan --> (clientn+1..m)

As you can see, I've got two internal interfaces: wlan and lan.

I'd like to achieve the following state:
1a. if_lan can connect to the wlan-clients through if_wlan
1b. if_lan can connect to the sshd on the bsd-router
1c. if_lan can connect to the internet through if_wan
2a. if_wlan can connect to the dhcpd on the bsd-router
2b. if_wlan can connect to the internet

Short:
if_lan -> if_wan, if_wlan, bsd-router:ssh
if_wlan -> if_wan, bsd-router:dhcp

Coming from the iptables world, my current approach seems a little odd to me, although
it seems to work out just fine. Anyway, the relevant lines are:

Code:
# lan:network -> lan:ssh
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh

# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network

# wlan -> router:dhcp
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68

# wlan -> pppoe
block in log quick on $if_wlan to $if_lan:network
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network
pass out quick on $if_wlan from $if_lan:network

I assumed I could state the rules like this:
Code:
pass in quick on $if_lan from $if_lan:network to ($if_wan)  # allow if_lan -> internet
pass in quick on $if_lan from $if_lan:network to $if_wlan:network # allow if_lan -> if_wlan
pass in quick on $if_lan from $if_lan:network to $if_lan port ssh

Those lines, which I expected to work, prevent me from connecting to the internet... Note: I also tried using "(egress)" instead of "($if_wan)".

(I wanted to post a link to the entire ruleset but unfortunately I can't because I need to have at least five posts. Instead I'll just post it here, sorry)
The whole ruleset:
Code:
# interfaces
if_lan="vr0"
if_wan="pppoe0"
if_wlan="vr2"
 
if_wan_bandwith="1400Kb"
 
# tables
table <private_nets> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
 
# qos definitions
que_low_ports = "{ http, https, 8080, smtp, smtps, 6881:6889 }"
#                           |-- SIP --|  |ICQ|  | Jabber |       |-- Playstation Net --|
que_int_ports_tcp = "{ ssh, 5060, 5061,  5190,  5222, 5223, irc, 3478, 3479, 3480, 5223 }"
#                      |-- SIP --|  |-- PSN --|
que_int_ports_udp = "{ 5060, 5061,  3478, 3479 }"
 
# options
##############
# allow lo communication
set skip on lo
set block-policy drop
 
# hygiene
##############
# scrubbing
match     in all                 scrub (no-df random-id)
match out on $if_wan all scrub (random-id)
match     on $if_wan     scrub (max-mss 1440)
 
# qos
###############
altq on $if_wan priq bandwidth $if_wan_bandwith queue { que_low, que_def, que_int, que_dns, que_ack }
 
queue que_low priq(default) qlimit 80
queue que_def priority 2
queue que_int priority 4 priq(red)
queue que_dns priority 5 qlimit 25
queue que_ack priority 6
 
# nat
###############
match out on $if_wan inet from { $if_lan:network, $if_wlan:network } to any nat-to ($if_wan) static-port
 
# filtering
###############
# block all packets
block all
 
# enable spoofing protection
antispoof quick for { lo $if_wan $if_lan $if_wlan }
 
# reject ipv6
block quick on $if_wan inet6 all
 
# block private addresses on external interfaces
block drop in  quick on $if_wan from <private_nets>
block drop out quick on $if_wan to   <private_nets>
 
# allow output for wan, fill queues
pass out quick on $if_wan proto tcp to port $que_low_ports queue (que_low, que_ack)
pass out quick on $if_wan proto tcp to port $que_int_ports_tcp queue (que_int, que_ack)
pass out quick on $if_wan proto udp to port $que_int_ports_udp queue (que_int, que_ack)
pass out quick on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
pass out quick on $if_wan queue (que_def, que_ack)
 
# enable input
# lan:network -> lan:ssh
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh
 
# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network
 
# wlan -> router:dhcp
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68
 
# wlan -> pppoe
block in log quick on $if_wlan to $if_lan:network  
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network
pass out quick on $if_wlan from $if_lan:network

Thanks for any suggestions.

Sören
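Added example, not from the post: a small Python model of how pf evaluates a ruleset (last matching rule wins, a matching `quick` rule is final), run over the rules Sören expected to work and over the lan rules of the posted ruleset. In pf.conf, `($if_wan)` stands for the address of that interface, so "to ($if_wan)" only matches traffic addressed to the router's own WAN address, not traffic routed out through it; the addresses for vr0, vr2 and pppoe0 below are assumed, the post gives none.

```python
import ipaddress

# Constructed addresses for the router in the post (assumed; the post gives none):
# vr0 (if_lan) 192.168.1.1/24, vr2 (if_wlan) 192.168.2.1/24, pppoe0 (if_wan) 203.0.113.5.
ADDR = {"vr0": "192.168.1.1", "vr2": "192.168.2.1", "pppoe0": "203.0.113.5"}
NET = {"vr0": "192.168.1.0/24", "vr2": "192.168.2.0/24"}

def rule(action, quick, iface=None, direction=None, src="any", dst="any", dport=None):
    """One pf rule. 'any' matches everything; other src/dst values are CIDR strings."""
    return dict(action=action, quick=quick, iface=iface, dir=direction, src=src, dst=dst, dport=dport)

def _in(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(r, pkt):
    return (r["iface"] in (None, pkt["iface"]) and r["dir"] in (None, pkt["dir"])
            and r["dport"] in (None, pkt["dport"])
            and _in(r["src"], pkt["src"]) and _in(r["dst"], pkt["dst"]))

def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick' (final)."""
    verdict = "pass"                      # pf passes unmatched packets; 'block all' below overrides that
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

BLOCK_ALL = [rule("block", False)]        # block all

# The rules the post expected to work. ($if_wan) expands to pppoe0's own address,
# so "to ($if_wan)" only matches packets addressed to the router itself.
EXPECTED = BLOCK_ALL + [
    rule("pass", True, "vr0", "in", NET["vr0"], ADDR["pppoe0"] + "/32"),   # ... to ($if_wan)
    rule("pass", True, "vr0", "in", NET["vr0"], NET["vr2"]),                # ... to $if_wlan:network
    rule("pass", True, "vr0", "in", NET["vr0"], ADDR["vr0"] + "/32", 22),   # ... to $if_lan port ssh
]

# The lan rules from the posted (working) ruleset, in their original order.
POSTED = BLOCK_ALL + [
    rule("pass", True, "vr0", "in", NET["vr0"], ADDR["vr0"] + "/32", 22),   # lan:network -> lan:ssh
    rule("block", True, "vr0", "in", "any", ADDR["vr0"] + "/32"),          # block in ... to $if_lan
    rule("pass", True, "vr0", "in", NET["vr0"], NET["vr2"]),                # lan -> wlan
    rule("pass", True, "vr0", "in", NET["vr0"], "any"),                    # lan -> anything else
]

def pkt(dst, dport=443, src="192.168.1.20"):
    # Constructed packet arriving on the lan interface from a lan client.
    return dict(iface="vr0", dir="in", src=src, dst=dst, dport=dport)
```

An Internet-bound packet from the lan falls through to `block all` under EXPECTED but is passed by the broad last rule under POSTED; only a packet addressed to the router's own WAN address matches "to ($if_wan)".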