Old 27th April 2014
azdps azdps is offline
Default packet filtering problem

I'm having problems setting up openbsd as a firewall. I believe my pf.conf is the problem. I've read everything I could on pf. From my lan computers I can ping using an ip address but can't ping using a host address. I can't surf the internet. Below is my network setup:

Code:
             internet
                |
                |
           cable modem
                |
                |
  ----  dynamic wan ip (em0) ----
 |                               |
 |          openbsd              |
 |                               |
  ----- 10.255.255.1 (em1) -----
                |
                |
       wireless access point
           10.255.255.2
                |
                |
       --------------------
      |                    |
      |                    |
 10.255.255.100     10.255.255.101
   desktop              netbook

Code:
# cat /etc/pf.conf

# macros
# Interface macros: em0 sits on the cable-modem side (dynamic WAN address),
# em1 is the LAN side (10.255.255.1/24, see hostname.em1 and the diagram above).
wan = "em0"
lan = "em1"

# Blocked packets are actively rejected (return) rather than silently dropped.
set block-policy return
# No filtering on loopback.
set skip on lo0

# Translate LAN sources to the WAN interface address on the way out.
# NOTE(review): "match" only attaches options (here nat-to) to the packets it
# matches; it neither passes nor blocks them.  With this minimal set the
# pfctl -vvsr output later in the thread shows 0 packets hitting this rule,
# and changing it to "pass out ... nat-to" is what made NAT work -- why the
# implicit default pass did not pick up the match option is left open here.
match out on $wan from $lan:network nat-to ($wan)

# NOTE(review): the last matching rule wins, and every inbound packet on em0
# or em1 also matches one of the two interface-wide pass rules below, so this
# ICMP rule is effectively shadowed (it only narrows nothing).
pass in inet proto icmp all icmp-type { echoreq, unreach }
# Pass everything arriving on either interface.  There is no leading
# "block" rule at all, i.e. no default-deny: unsolicited inbound traffic on
# the WAN side reaches the firewall itself.
pass in on { $wan }
pass in on { $lan }

===============================================================================

# cat /etc/dhcpd.conf
#       $OpenBSD: dhcpd.conf,v 1.2 2008/10/03 11:41:21 sthen Exp $

# Domain and resolver handed out to LAN DHCP clients.
# NOTE(review): 10.255.255.1 is this firewall's own em1 address, but no DNS
# service runs on it (confirmed later in the thread), so clients obtain a lease
# yet cannot resolve names.  Either run a resolver here or list working
# resolvers (e.g. the ISP's) -- several servers are separated by commas.
option  domain-name "openbsd.ph.comcast.net";
option  domain-name-servers 10.255.255.1;

# LAN pool: default gateway is em1, leases from .100 to .120.
subnet 10.255.255.0 netmask 255.255.255.0 {
        option routers 10.255.255.1;
        range 10.255.255.100 10.255.255.120;
}

===============================================================================

# cat /etc/dhclient.conf
# $OpenBSD: dhclient.conf,v 1.2 2011/04/04 11:14:52 krw Exp $
#
# DHCP Client Configuration

# Start the retry back-off at 1 second (em0 is configured with "dhcp" in
# hostname.em0, so this governs the WAN lease).
initial-interval 1;
# Hostname offered to the upstream DHCP server.
send host-name "openbsd";
# Lease options requested from upstream.  The domain-name-servers obtained
# here are for the firewall itself; LAN clients get theirs from dhcpd.conf.
request subnet-mask, broadcast-address, routers, domain-name,
        domain-name-servers, host-name;

===============================================================================


# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

# cat /etc/hostname.em0
dhcp

# cat /etc/hostname.em1
inet 10.255.255.1 255.255.255.0

===============================================================================

# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 4c:72:b9:20:a5:aa
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet6 fe80::4e72:b9ff:fe20:a5aa%em0 prefixlen 64 scopeid 0x1
        inet 128.223.65.98 netmask 0xffffff00 broadcast 128.223.65.255
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 4c:72:b9:20:a5:cc
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet6 fe80::4e72:b9ff:fe20:a5aa%em0 prefixlen 64 scopeid 0x1
        inet 72.223.65.98 netmask 0xffffff00 broadcast 72.223.65.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 4c:72:b9:20:a5:dd
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 10.255.255.1 netmask 0xffffff00 broadcast 10.255.255.255
        inet6 fe80::4e72:b9ff:fe20:a5ab%em1 prefixlen 64 scopeid 0x2
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
        priority: 0
        groups: pflog

===============================================================================


# netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            72.223.65.1        UGS        0       61     -     8 em0
10.255.255/24      link#2             UC         3        0     -     4 em1
10.255.255.100     bc:5f:f4:65:c5:69  UHLc       0      207     -     4 em1
10.255.255.111     18:af:61:01:63:2d  UHLc       0       25     -     4 em1
10.255.255.112     28:6a:ba:6d:16:3b  UHLc       0       71     -     4 em1
72.223.65/24       link#1             UC         1        0     -     4 em0
72.223.65.1        00:1e:be:ff:0a:d0  UHLc       1        0     -     4 em0
72.223.65.98       127.0.0.1          UGS        0        0 33192     8 lo0
127/8              127.0.0.1          UGRS       0        0 33192     8 lo0
127.0.0.1          127.0.0.1          UH         2       77 33192     4 lo0
224/4              127.0.0.1          URS        0        0 33192     8 lo0

===============================================================================

# pfctl -vvsr
@0 match out on em0 inet from 10.255.255.0/24 to any nat-to (em0:1) round-robin
  [ Evaluations: 211       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2191 State Creations: 0     ]
@1 pass in inet proto icmp all icmp-type echoreq
  [ Evaluations: 211       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2191 State Creations: 0     ]
@2 pass in inet proto icmp all icmp-type unreach
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2191 State Creations: 0     ]
@3 pass in on em0 all flags S/SA
  [ Evaluations: 150       Packets: 47        Bytes: 5104        States: 1     ]
  [ Inserted: uid 0 pid 2191 State Creations: 43    ]
@4 pass in on em1 all flags S/SA
  [ Evaluations: 150       Packets: 879       Bytes: 60717       States: 30    ]
  [ Inserted: uid 0 pid 2191 State Creations: 105   ]

===============================================================================

# pfctl -s info
Status: Enabled for 0 days 00:02:43              Debug: err

State Table                          Total             Rate
  current entries                       34
  searches                            1130            6.9/s
  inserts                              161            1.0/s
  removals                             127            0.8/s
Counters
  match                                224            1.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              2            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s

=================================================================================
Old 27th April 2014
ocicat ocicat is offline

Please provide the complete output of dmesg(8).

The syntax of pf(4) rules has changed substantially through the last several years, so without knowing what version of OpenBSD you have installed, providing useful support will be difficult to impossible.
Old 27th April 2014
azdps azdps is offline

dmesg output:

Code:
# dmesg
OpenBSD 5.4 (GENERIC.MP) #44: Tue Jul 30 12:13:32 MDT 2013
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM) i3-3220T CPU @ 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,AVX,F16C,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
real mem  = 3592253440 (3425MB)
avail mem = 3522113536 (3358MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/06/13, SMBIOS rev. 2.7 @ 0xec470 (75 entries)
bios0: vendor Intel Corp. version "KBQ7710H.86A.0053.2013.1206.1031" date 12/06/2013
bios0: Intel Corporation DQ77KB
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT TCPA MCFG HPET SSDT SSDT SSDT ASF!
acpi0: wakeup devices PS2K(S3) PS2M(S3) UAR1(S3) MBTN(S1) P0P1(S4) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) USB6(S3) USB7(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 99MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i3-3220T CPU @ 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,AVX,F16C,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i3-3220T CPU @ 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,AVX,F16C,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i3-3220T CPU @ 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,AVX,F16C,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf8000000, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 3 (P0P1)
acpiprt2 at acpi0: bus 1 (RP01)
acpiprt3 at acpi0: bus -1 (RP02)
acpiprt4 at acpi0: bus -1 (RP03)
acpiprt5 at acpi0: bus -1 (RP04)
acpiprt6 at acpi0: bus -1 (RP05)
acpiprt7 at acpi0: bus -1 (RP06)
acpiprt8 at acpi0: bus 2 (RP07)
acpiprt9 at acpi0: bus -1 (RP08)
acpiprt10 at acpi0: bus -1 (PEG0)
acpiprt11 at acpi0: bus -1 (PEG1)
acpiprt12 at acpi0: bus -1 (PEG2)
acpiprt13 at acpi0: bus -1 (PEG3)
acpiec0 at acpi0: Failed to read resource settings
acpicpu0 at acpi0: C2, C1, PSS
acpicpu1 at acpi0: C2, C1, PSS
acpicpu2 at acpi0: C2, C1, PSS
acpicpu3 at acpi0: C2, C1, PSS
acpipwrres0 at acpi0: FN00
acpipwrres1 at acpi0: FN01
acpipwrres2 at acpi0: FN02
acpipwrres3 at acpi0: FN03
acpipwrres4 at acpi0: FN04
acpitz0 at acpi0: critical temperature is 92 degC
acpitz1 at acpi0: critical temperature is 92 degC
acpibat0 at acpi0: BAT0 not present
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID0
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD02
bios0: ROM list: 0xc0000/0xe600 0xce800/0x1000 0xcf800/0x1000
cpu0: Enhanced SpeedStep 2794 MHz: speeds: 2800, 2700, 2600, 2500, 2400, 2300, 2200, 2100, 2000, 1900, 1800, 1700, 1600 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel Xeon E3-1200v2 Host" rev 0x09
vga1 at pci0 dev 2 function 0 "Intel HD Graphics 2500" rev 0x09
intagp0 at vga1
agp0 at intagp0: aperture at 0xe0000000, size 0x10000000
inteldrm0 at vga1
drm0 at inteldrm0
No connectors reported connected with modes
Cannot find any crtc or sizes - going 1024x768
inteldrm0: 1024x768
wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel 7 Series xHCI" rev 0x04 at pci0 dev 20 function 0 not configured
"Intel 7 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
em0 at pci0 dev 25 function 0 "Intel 82579LM" rev 0x04: msi, address 4c:72:b9:20:a5:cc
ehci0 at pci0 dev 26 function 0 "Intel 7 Series USB" rev 0x04: apic 2 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 28 function 0 "Intel 7 Series PCIE" rev 0xc4: apic 2 int 16
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 6 "Intel 7 Series PCIE" rev 0xc4: apic 2 int 18
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 4c:72:b9:20:a5:dd
ehci1 at pci0 dev 29 function 0 "Intel 7 Series USB" rev 0x04: apic 2 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xa4
pci3 at ppb2 bus 3
pcib0 at pci0 dev 31 function 0 vendor "Intel", unknown product 0x1e47 rev 0x04
ahci0 at pci0 dev 31 function 2 "Intel 7 Series AHCI" rev 0x04: msi, AHCI 1.3
scsibus0 at ahci0: 32 targets
cd0 at scsibus0 targ 1 lun 0: <ASUS, DRW-24B1ST c, 1.05> ATAPI 5/cdrom removable
sd0 at scsibus0 targ 5 lun 0: <ATA, SanDisk iSSD P4, SSD> SCSI3 0/direct fixed naa.5001b4458a993254
sd0: 3825MB, 512 bytes/sector, 7835184 sectors, thin
ichiic0 at pci0 dev 31 function 3 "Intel 7 Series SMBus" rev 0x04: apic 2 int 18
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-12800 SO-DIMM
spdmem1 at iic0 addr 0x52: 4GB DDR3 SDRAM PC3-12800 SO-DIMM
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5
kbc: cmd word write error
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: NCT6776F rev 0x33
lm1 at wbsio0 port 0xa00/8: NCT6776F
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
uhub2 at uhub0 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
uhub3 at uhub1 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on sd0a (50be3b8be0aacd38.a) swap on sd0b dump on sd0b
Old 27th April 2014
jggimi jggimi is offline

Hello, and welcome!
Quote:
...I can ping using an ip address but can't ping using a host address.
I am guessing, but I believe you likely have a DNS configuration problem. Your dhcpd.conf tells your LAN to use 10.255.255.1 for name resolution. Do you have a DNS server on this platform? For OpenBSD 5.4, you have a choice of BIND or NSD -- see named(8) and nsd(8), and net/unbound is available as a package. Unbound will be part of the base OS for 5.6 in November.

If you prefer, you could change your dhcpd.conf to provide your ISP's nameservers, or other publicly available nameservers, and not run a local DNS service yourself.

Last edited by jggimi; 27th April 2014 at 11:35 PM. Reason: added option to reconfigure dhcpd.conf for externally provided DNS
Old 28th April 2014
azdps azdps is offline

Prior to posting my problem I thought that possibly I was having a DNS issue as well. I attempted to change the name server from 10.255.255.1 to the 3 ISP-provided name servers. Upon closer inspection of the proper way to separate the ISP DNS name servers in my dhcpd.conf file, I can see I made an error the first time I made the change. I forgot to include a comma to separate the DNS name servers, which probably caused my connection to fail. I will attempt the change again, to see if that was my problem. I did not set up a DNS server in OpenBSD, so I'm betting this is my problem. I'll report back on my findings. Thank you.
Old 28th April 2014
azdps azdps is offline

jggimi looks like the DNS issue was one of my problems. I changed the DNS to use my ISP's domain name servers and initially I was still having the same problem. Turns out I had 2 problems, and not just the DNS issue. I had to modify my pf.conf file, and changed the following nat rule:

Code:
from:
# "match" only attaches the nat-to option to matching packets; on its own it
# neither passes nor blocks them.
match out on $wan from $lan:network nat-to ($wan)

to:
# "pass" both passes the packet and applies the nat-to translation -- this
# change is what made outbound NAT from the LAN work.
pass out on $wan from $lan:network nat-to ($wan)
Anyone have a clue as to why match doesn't work and pass does? I found someone who had posted a similar problem and pass worked but match didn't. No one responded as to why the match would not work.

http://daemonforums.org/showthread.php?t=5393

Unfortunately, the forum rules won't allow me to enclose the above address in url tags until I have at least five posts.

Last edited by ocicat; 28th April 2014 at 11:41 AM. Reason: activated link
Old 28th April 2014
jggimi jggimi is offline

The match rule does not block or pass. It sets options on the packets it matches, and those options are then applied by a later block or pass rule.

You had no later block or pass rule to which the match could be applied.

Incidentally, with standard filtering rules, the last matching rule is applied, so your pass rule for icmp packets is moot. It will never be applied as the following two rules will match all incoming packets.
Old 28th April 2014
jggimi jggimi is offline

I have been thinking more about this. You do not use a Default Deny approach, as recommended in the PF Users Guide -- there is no leading block all rule. There are no block rules in your configuration at all.

Pursuant to pf.conf(5) the default is to pass traffic when there is no matching rule, without creating state. Any match rule should apply to all matching traffic, also without creating or altering state. The documentation does not state an explicit pass or block is required, as I assumed above.

Since best practice is to operate with a Default Deny approach, perhaps your particular use case has not been previously tested by or reported to the Project.
Old 29th April 2014
azdps azdps is offline

jggimi, the rule set I supplied was just a minimal set only intended to test my connection. I needed something very simple to see if I could establish a connection to the internet from my lan. After fixing my two problems, I'm moving on to create a more appropriate rule set. Looking at the pf users guide, I saw the following statement:

Quote:
There is an implicit pass all at the beginning of a filtering ruleset meaning that if a packet does not match any filter rule the resulting action will be pass.
I would have thought that the match rule set I had would have worked. Appears to work for many since I see it used in tutorials all over the web.
Old 29th April 2014
jggimi jggimi is offline

I use match rules, but I have never used them with an implied pass as you did.

You might consider posting an informal problem report to misc@ or a formal report to bugs@. Just be sure to supply that dmesg with either report.
Old 3rd May 2014
azdps azdps is offline

Any suggestions on improving my ruleset? I just need to surf the internet, check email, and reach shares on the LAN from computers within the LAN. I was trying to figure out how to allow host name lookups and NTP, but with the rule below (now disabled) enabled, I was no longer able to surf the internet.

Code:
#########
## Macros
#########
# em0: cable-modem side (dynamic WAN address); em1: LAN side (10.255.255.1/24).
wan = "em0"
lan = "em1"

#########
## Tables
#########
# Reserved / non-routable ranges that must never arrive on the WAN as a
# source nor leave it as a destination (used by the two <private_ips> rules
# below).  "const" keeps the table from being modified at runtime.
# NOTE(review): the listing wraps "198." / "51.100.0/24" across two lines; as
# pasted, pfctl will likely reject the file.  This should be the single entry
# 198.51.100.0/24 (the TEST-NET-2 documentation range).
table <private_ips> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.1/8, 169.254.0.0/16,
172.16.0.0/12, 192.0.2.0/24, 192.88.99.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.
51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 }

##########
## Options
##########
# No filtering on loopback.
set skip on lo0

########################
## Traffic normalization
########################

# Reassemble/normalize inbound WAN packets, clearing the don't-fragment bit;
# the match is logged to pflog0.
match in log on $wan scrub (no-df)

##############################
## Network address translation
##############################

# Pass LAN-sourced traffic out the WAN and translate it to em0's address.
# This already covers LAN clients' outbound DNS and NTP.  Note there is no
# "block out" rule anywhere, so all other outbound traffic (including the
# firewall's own) is passed by pf's implicit default, unlogged.
pass out on $wan from $lan:network nat-to ($wan)

###################
## Packet filtering
###################

# Default deny for inbound traffic on every interface, logged.  Later
# non-quick pass rules override it (last matching rule wins).
block in log

# Drop all IPv6 in both directions immediately (em0 and em1 carry link-local
# inet6 addresses per the ifconfig output).
block quick inet6 all

# Drop packets arriving on the WAN that claim a source belonging to another
# interface's network.
antispoof quick for $wan

# Drop packets whose source has no route in the routing table.
block in quick from no-route to any

# Unicast reverse-path check: drop packets whose source would not be routed
# back out the interface they arrived on.
block in quick from urpf-failed to any

# Reserved ranges must not appear as a WAN source or leave the WAN as a
# destination.  "quick" makes these take precedence over the earlier
# "pass out ... nat-to" rule for outbound traffic.
block in quick on $wan from <private_ips> to any
block out quick on $wan from any to <private_ips>

# NOTE(review): redundant -- 255.255.255.255/32 is already in <private_ips>
# and handled by the preceding rule.
block in quick on $wan from any to 255.255.255.255

# UDP (allow DNS lookups and time keeping)
# NOTE(review): disabled.  As written the destination "($wan)" is em0's own
# address(es), so this would only match UDP sent *to* the firewall's WAN
# address, not queries to remote resolvers/NTP servers -- it is unlikely to
# match anything.  LAN lookups are already passed by the nat-to rule above.
#pass out on $wan proto udp from any to ($wan) port { domain, ntp } keep state


# Allow everything arriving on the LAN interface; overrides "block in log"
# for em1 only, so the WAN side stays default-deny.
pass in on $lan
Old 3rd May 2014
jggimi jggimi is offline

To be clear, is this the rule that caused problems?
Code:
#pass out on $wan proto udp from any to ($wan) port { domain, ntp } keep state
This passes UDP traffic for ports 53 and 123 outbound when that traffic is destined to addresses assigned to your em0 NIC. I don't think this rule is likely to match any traffic, so I'm unclear how it caused problems.

Your explicit rule to block any internet traffic to 255.255.255.255 is unnecessary, as that address is already in the table blocked by the immediately preceding rule.

I recommend until you have your ruleset somewhat fixed that you add the log option to every rule, both block and pass. That way, you will be able to use tcpdump(8) with your pflog(4) device to see exactly what is being passed or blocked. You will be able to see every rule that matches ... and eventually be able to discern which rules are moot, and which are causing problems.
Old 19th May 2014
jggimi jggimi is offline

A thread began on the misc@ mailing list today which may contain additional assistance. While the OP did not use an implicit pass as you did, the response from Peter Hansteen is noteworthy: you can log matches. He points to a slide from his PF tutorial with an example.