DaemonForums > OpenBSD > OpenBSD Security
J65nko (Administrator), 25th November 2014:

Re: your OpenVPN setup

How did you configure OpenVPN on your OpenBSD box? Most people have a lot of problems in getting it connected to a VPN service.

Re: filter rules

From http://www.swissvpn.net/index.php?co...ng=en#selected
Quote:
How can I ensure that my computer only connects to the Internet via SwissVPN, and not directly?

The most reliable way of achieving this is by installing a separate router/firewall between your computer and the Internet. Configure the firewall to only allow outbound connections with the following protocols:
  • DNS (TCP/UDP port 53)
  • HTTPS (TCP port 443), for OpenVPN

I played a little bit with a pf.conf ruleset and enabled logging, so that the working of the rules can be verified by running tcpdump on the pflog0 device.

Code:
set block-policy return
set skip on lo
set loginterface egress

# --- OUTGOING services: TCP
pass out log quick on egress inet proto tcp from egress to any port https
pass out log quick on tun0   inet proto {tcp, udp, icmp}

pass out     quick on egress inet proto udp to 192.168.222.10 port 53

# --- INCOMING services: TCP
pass in quick on egress inet proto tcp from egress:network to port ssh

# -- DEFAULT policy 
block quick inet proto udp from any port 1900 to any port 1900
block quick inet proto udp from any to any port { 138 137 139 }
block return log all
# -------------------------------------------------------------------------
# use 'tcpdump -eni pflog0' to watch blocked packets in real time
# use 'tcpdump -en -r /var/log/pflog' to read the blocked packets log file 
# -------------------------------------------------------------------------
With the SwissVPN.net demo account I can only do DNS lookups, ping (ICMP) and access (TCP) their website, but that all works with this ruleset.
So you could give it a try.

PS: I needed pass out quick on egress inet proto udp to 192.168.222.10 port 53, else I could not set up the VPN connection. And that is the reason that after stopping OpenVPN I still could do DNS lookups. But I could neither do pings nor visit a website after stopping.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
J65nko (Administrator), 25th November 2014:

The output of # pfctl -vvs rules:
Code:
@0 pass out log quick on egress inet proto tcp from 192.168.222.243 to any port = 443 flags S/SA
  [ Evaluations: 45        Packets: 228       Bytes: 41607       States: 1     ]
  [ Inserted: uid 0 pid 5362 State Creations: 1     ]
@1 pass out log quick on tun0 inet proto tcp all flags S/SA
  [ Evaluations: 28        Packets: 68        Bytes: 32060       States: 0     ]
  [ Inserted: uid 0 pid 5362 State Creations: 4     ]
@2 pass out log quick on tun0 inet proto udp all
  [ Evaluations: 20        Packets: 34        Bytes: 4267        States: 0     ]
  [ Inserted: uid 0 pid 5362 State Creations: 17    ]
@3 pass out log quick on tun0 inet proto icmp all
  [ Evaluations: 2         Packets: 8         Bytes: 672         States: 0     ]
  [ Inserted: uid 0 pid 5362 State Creations: 2     ]
@4 pass out quick on egress inet proto udp from any to 192.168.222.10 port = 53
  [ Evaluations: 1         Packets: 2         Bytes: 196         States: 0     ]
  [ Inserted: uid 0 pid 5362 State Creations: 1     ]
BTW, because the addresses can change, the rules need to use (egress) and maybe (tun0). To find out if that is really needed is left as an exercise for the student.
trystan (Port Guard), 25th November 2014:

Quote:
Originally Posted by J65nko
Re: your OpenVPN setup

How did you configure OpenVPN on your OpenBSD box? Most people have a lot of problems in getting it connected to a VPN service.
I didn't need to configure OpenVPN at all. I installed it using pkg_add.

Quote:
Originally Posted by J65nko
pass out quick on egress inet proto udp to 192.168.222.10 port 53, else I could not set up the VPN connection. And that is the reason that after stopping OpenVPN I still could do DNS lookups. But I could neither do pings nor visit a website after stopping.
Your statement "But I could neither do pings or visit a website after stopping," is exactly the aim of my pf rules, that is, to block the web browser from accessing websites, FTP and pings whenever my VPN connection is lost all of a sudden, without human intervention.

Do I have to add your rule pass out quick on egress inet proto udp to 192.168.222.10 port 53 to my pf rules (see below)?

Code:
wan="em0"
vpn="tun0"
# options (set ...) have to come before the filter rules
set block-policy drop
set skip on lo
block log all
pass out quick on egress inet proto udp to 192.168.xxx.xxx port 53
pass out on $wan proto udp from any to a.b.c.d port 443 keep state
pass out on $vpn proto tcp from any to any port {80 443} keep state
pass out on $vpn proto {tcp udp} from any to any port 53 keep state
trystan (Port Guard), 25th November 2014:

Quote:
Originally Posted by J65nko
BTW because the addresses can change, the rules need to use (egress) and maybe (tun0).
Sorry, specifically what rules are you referring to?
J65nko (Administrator), 25th November 2014:

192.168.222.10 is my caching nameserver on my LAN. It is only used for resolving the name of the VPN service provider to the IP address at the start of the OpenVPN connection. When the VPN connection is running all DNS traffic will go through the VPN tunnel.

I use a script to start up OpenVPN that also installs a new /etc/resolv.conf containing the nameservers of the VPN service. Two reasons:
  • A good ISP does not allow non-customers to use their DNS servers. When using a VPN my DNS traffic appears to originate from a "foreign" netblock. So it will be blocked by my ISP.
  • The NSA can not find out which sites I visit by monitoring my normal not-VPNed DNS traffic.

Re: (egress) and (tun0)

Whenever an IP address is not static but dynamic and thus can change, and you want your rule set to adapt to the new IP address, you will have to embed the address or interface identifier in a "(" and ")" pair.

Re: pass out on $vpn proto tcp from any to any port {80 443} keep state

Why do you have port 80 there? You only need port 443.
trystan (Port Guard), 25th November 2014:

Quote:
Originally Posted by J65nko
192.168.222.10 is my caching nameserver on my LAN.
Like you, my machine is on a LAN. Though the LAN is not under my control.

192.168.xxx.xxx is dynamic in my case. Sometimes it can be 192.168.1.xxx, other times 192.168.200.xxx and yet other times 192.168.170.xxx. How shall I modify the pf rule in this case?

Quote:
Originally Posted by J65nko
Why do you have port 80 there? You only need port 443.
Thanks for correcting me. Is there any harm in including port 80?
jggimi (More noise than signal), 25th November 2014:

Quote:
Originally Posted by J65nko
...The NSA can not find out which sites I visit by monitoring my normal not-VPNed DNS traffic....
What stops them from owning and operating the VPN service you've hired?
trystan (Port Guard), 25th November 2014:

Quote:
Originally Posted by jggimi
What stops them from owning and operating the VPN service you've hired?
Excellent question.

If I were President of the United States, I'd curtail the budget and scope of powers of the NSA and divert those resources to building the public trust of Americans in their legal system and improving race relations (cf. the verdict of the grand jury on Michael Brown's case).
jggimi (More noise than signal), 25th November 2014:

I wasn't trying to make a political statement. It came out that way, but I was just trying to point out that selecting a third party VPN provider is an issue of trust, similar to the way we trust third party CAs with our keys.
J65nko (Administrator), 25th November 2014:

Re: pass out quick on egress inet proto udp to 192.168.222.10 port 53

Actually the aim of this DNS rule was to make the rules as tight as possible. Probably you could leave out specifying the IP address.

Programs that need to do DNS requests consult the file /etc/resolv.conf to find out which nameserver to use. In my case:
Code:
# Generated by vio0 dhclient
search utp.xnet
nameserver 192.168.222.10
lookup file bind
An easy method to check is to use dig for a DNS query:
Code:
$ dig daemonforums.org

; <<>> DiG 9.4.2-P2 <<>> daemonforums.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8229
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;daemonforums.org.              IN      A

;; ANSWER SECTION:
daemonforums.org.       1064    IN      A       95.170.82.241

;; Query time: 3 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Tue Nov 25 21:52:15 2014
;; MSG SIZE  rcvd: 50
When I do the same lookup after OpenVPN is running:
Code:
[snip]
;; QUESTION SECTION:
;daemonforums.org.              IN      A

;; ANSWER SECTION:
daemonforums.org.       3600    IN      A       95.170.82.241
[snip]
;; Query time: 61 msec
;; SERVER: 80.254.79.157#53(80.254.79.157)
;; WHEN: Tue Nov 25 22:06:30 2014
;; MSG SIZE  rcvd: 163
The /etc/resolv.conf during the VPN session:
Code:
# Tue Nov 25 22:06:07 CET 2014 : resolv.conf generated for OpenVPN connection
lookup file bind
nameserver 80.254.79.157
nameserver 80.254.77.39
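As an added example, not code from the thread or from any of the posters, the following sh script covers both trystan's question about a resolver address that moves between 192.168.1.xxx, 192.168.200.xxx and 192.168.170.xxx and J65nko's point that programs take the resolver from /etc/resolv.conf: it reads the resolver out of resolv.conf and feeds it to a pf table, so the DNS bootstrap rule needs no hard-coded address. The table name <lan_dns> and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). The LAN resolver for the DNS
# bootstrap rule is taken from /etc/resolv.conf, the file programs
# consult, instead of being hard-coded in pf.conf, so a changing
# 192.168.x.x address needs no rule edit. <lan_dns> is an assumed name.

# Print the IPv4 nameservers listed in a resolv.conf file, one per line.
# Only 'nameserver <dotted quad>' lines count; everything else is skipped.
resolv_nameservers() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }' "$1"
}

# Print the pfctl command that replaces the <lan_dns> table contents with
# the resolvers currently listed. It is printed, not executed, so it can be
# checked first; run it as root (e.g. from the OpenVPN start script) before
# the tunnel comes up. Returns 1 when the file has no IPv4 resolver.
lan_dns_table_cmd() {
    addrs=$(resolv_nameservers "$1" | tr '\n' ' ')
    if [ -z "$addrs" ]; then
        echo "no IPv4 nameserver in $1" >&2
        return 1
    fi
    printf 'pfctl -t lan_dns -T replace %s\n' "${addrs% }"
}

# The matching pf.conf lines (an assumed ruleset built on the thread's
# rules). (egress) in parentheses makes pf re-read the interface address
# when it changes; the table is refreshed with the command above, so the
# ruleset itself never needs reloading when the resolver moves.
pf_dns_rules() {
    cat <<'EOF'
table <lan_dns> persist
pass out quick on egress inet proto udp from (egress) to <lan_dns> port 53
EOF
}
```

The pf_dns_rules lines go next to the existing egress and tun0 rules in pf.conf; lan_dns_table_cmd is what the start script runs each time dhclient has written a new resolv.conf.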
Tags: pf rules, vpn, workstation