OpenBSD Security: Functionally paranoid!
Need suggestions on improving my pf rules
I wish to have all internet traffic go through my VPN; when my VPN is disconnected, no internet traffic can go out of my workstation/desktop (not server).
Here are my pf rules. I would appreciate it if you can suggest improvements to them:
Code:
wan="em0"
vpn="tun0"
block all
block in log all
set block-policy drop
set skip on lo
antispoof for $wan inet
block in from urpf-failed to any
block inet proto icmp icmp-type echoreq
block out inet6 all
block in inet6 all
pass out on $wan proto tcp from any to a.b.c.d port 443 modulate state
pass out on $vpn proto tcp from any to any port 80 modulate state
pass out on $vpn proto tcp from any to any port 443 modulate state
pass out on $vpn proto udp from any to any port 53 modulate state
In addition to posting your rule set, please provide system information as well, i.e. $ sysctl kern.version
Code:
kern.version=OpenBSD 5.6-current (GENERIC.MP) #525:Mon Nov 3 19:42:34 MST 2014
    deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
@ jggimi
Thanks for your feedback. Below is the modified set of rules. Your feedback is appreciated.
Code:
wan="em0"
vpn="tun0"
set block-policy drop
block in log all
block all
set skip on lo
antispoof for $wan inet
block in from urpf-failed to any
block in from no-route to any
block inet proto icmp icmp-type echoreq
pass out on $wan proto udp from any to a.b.c.d port 443 keep state
pass out on $vpn proto tcp from any to any port 80 keep state
pass out on $vpn proto tcp from any to any port 443 keep state
pass out on $vpn proto udp from any to any port 53 keep state
1. For readability, you could combine rules with lists. For example, your two rules:
Code:
pass out on $vpn proto tcp from any to any port 80 modulate state
pass out on $vpn proto tcp from any to any port 443 modulate state
Code:
pass out on $vpn proto tcp from any to any port {80 443} modulate state

2. These four rules are unnecessary, since they block specific incoming packets. Your block all rule above them already covers all incoming (and outgoing) packets:
Code:
antispoof for $wan inet
block in from urpf-failed to any
block in from no-route to any
block inet proto icmp icmp-type echoreq

3. Domain Name resolution packets greater than 512 bytes will be blocked, since you only pass UDP protocol, as I mentioned previously.
Code:
block in log all
block all
Code:
block log all

If a DNS reply is too large for a UDP packet, the DNS server sets the "truncated" bit in the UDP reply. This is a hint for the receiver to re-issue the DNS request, but now over TCP. So for DNS you should have:
Code:
pass out on $vpn proto tcp from any to any port 53
pass out on $vpn proto udp from any to any port 53
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
@ jggimi
In my earlier version, I used "modulate state" while in the second, I used "keep state". Which is preferable? J65nko suggested
Code:
pass out on $vpn proto tcp from any to any port 53
pass out on $vpn proto udp from any to any port 53
Code:
pass out on $vpn proto {tcp udp} from any to any port 53
The modulate stateful option is not needed with a BSD workstation. Its purpose is to protect OSes that do not randomize TCP ISN values. See State Modulation in pf.conf(5).
# pfctl -sr
Lists make your ruleset easier to understand.
@ jggimi
Incorporating both your and J65nko's feedback, my pf rules should look like:
Code:
wan="em0"
vpn="tun0"
set block-policy drop
block log all
set skip on lo
pass out on $wan proto udp from any to a.b.c.d port 443 keep state
pass out on $vpn proto tcp from any to any port {80 443} keep state
pass out on $vpn proto {tcp udp} from any to any port 53 keep state
@ jggimi
In
Code:
pass out on $wan proto udp from any to a.b.c.d port 443 keep state

2. Suppose I have a bunch of 15 resolved IP addresses of remote VPN servers, such as 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, ..., 15.15.15.15. Can I put them in a list, as in
Code:
pass out on $wan proto udp from any to {1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 5.5.5.5 up to and including 15.15.15.15} port 443 keep state
Domain names are resolved only when the ruleset is loaded, and never inspected again. At boot time, name resolution may not be possible through the network (e.g., an /etc/hosts file lookup may be required for resolution, rather than a nameserver on the network). If an external nameserver has been compromised, you may not be reaching the VPN gateway you intended.
@jggimi
If I remove the below rules:
Code:
pass out on $vpn proto tcp from any to any port {80 443} keep state
pass out on $vpn proto {tcp udp} from any to any port 53 keep state
In OpenBSD port of OpenVPN revisited I posted a method to verify whether DNS requests are passing through the VPN tunnel.
I will install OpenVPN and check what is a proper pf.conf ruleset.
Can you let me know if I need to add more rules to improve my pf.conf?
Another best practice is to follow J65nko's advice in every one of his posts: use logging, and watch PF pass or block packets with tcpdump(8). You can then adjust rules as needed. Guidance can be found in the Logging chapter of the PF User's Guide.
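Pulling the thread's advice together (lists instead of repeated rules, a single block log all, TCP as well as UDP for DNS, plain keep state rather than modulate state, and IP addresses rather than hostnames for the VPN gateways), here is an added example of a complete kill-switch pf.conf; it is not from any post above. The interface names, the constructed gateway addresses in the table, and the use of UDP port 443 (the OP's a.b.c.d port 443) are assumptions.

```pf
# Added example: a pf.conf "kill switch" assembled from the advice in this thread.
# Not taken from any post; interface names, table contents and the VPN port are assumptions.
wan = "em0"          # physical uplink
vpn = "tun0"         # OpenVPN tunnel interface

# Resolved addresses of the VPN gateways (constructed RFC 5737 documentation
# addresses). A table replaces a long { } list, and unlike a hostname it is
# not resolved at load time, so a compromised resolver cannot redirect it.
table <vpn_servers> const { 192.0.2.10, 192.0.2.11, 198.51.100.7 }

set block-policy drop
set skip on lo

# Default deny in both directions. "log" sends drops to pflog0, so they can
# be watched with: tcpdump -n -e -ttt -i pflog0
block log all

# The only traffic allowed to leave the physical interface is the tunnel
# itself. When the tunnel is down, nothing else can get out.
pass out on $wan proto udp to <vpn_servers> port 443

# Everything the workstation actually does goes over the tunnel.
# "keep state" is the default; "modulate state" is unnecessary on OpenBSD,
# whose TCP stack already randomises initial sequence numbers.
pass out on $vpn proto tcp to any port { 80 443 }

# DNS: pass TCP as well as UDP, so replies that come back with the TC
# (truncated) bit set can be retried over TCP instead of being dropped.
pass out on $vpn proto { tcp udp } to any port 53
```

Check the syntax with pfctl -nf /etc/pf.conf before loading, and compare the loaded rules with pfctl -sr as suggested in the thread.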
Tags: pf rules, vpn, workstation