DaemonForums, OpenBSD Security forum
#1, 12th March 2013
Popelicious
New User
Join Date: Mar 2013
Posts: 5

Migrating from iptables to pf, a love story

Hello everybody, I'm a network admin in a small company. I'm in charge of modernizing the firewalls, two very old Linux boxes with iptables.

Now, I could just go and install some CentOS with iptables and relax with a cup of coffee while my boss looks on approvingly, or I could go with the (for me) new and sexy, powerful pf on OpenBSD that I fell in love with. I'm going for the second option.

So, as part 1 of my plan I have been researching all I can on pf; as practice, I installed OpenBSD on a small machine and tried to write my pf.conf. Once done, I tried to swap it in for a small firewall we have that does NAT and forwards LDAP and port 8080 to two different machines, in preparation for the big changes. It doesn't work.

I humbly ask for some guidance, as I kind of have a deadline for this of two weeks and I'm stuck.

The network is like this:
The ISP router forwards all ports to the rl0 interface (192.168.0.9); then the nfe0 interface (192.168.200.151) goes to the servers' network.

I'll paste my pf.conf down here:

Code:
set skip on lo

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

pass        # to establish keep-state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

#######MACROS########
ext_if = "rl0"
int_if = "nfe0"
pub_ip = "6.6.6.6"
IntNet = "{ 192.168.200.0/24, 192.168.122.0/24 }"
server1 = "192.168.200.31"
server2 = "192.168.122.103"

######PROTECTION####
#antispoof log quick on $ext_if
######RULES########
block all
pass in on $int_if from $IntNet
pass out on $int_if from $IntNet
# "from $int_if" expands to nfe0's own address(es), not to its network
pass out on $ext_if from $int_if to any nat-to $ext_if

# "from 6.6.6.6 port 389" matches the packet's source address and source
# port; the destination is left as "any"
pass in on $ext_if proto tcp from 6.6.6.6 port 389 rdr-to $server1 port 389
pass in on $ext_if proto tcp from 6.6.6.6 port 8080 rdr-to $server2 port 8080
Thanks a lot guys.

Last edited by Popelicious; 13th March 2013 at 10:52 AM.

#2, 12th March 2013
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

Some tips:
  • Organize your rules by interface, direction, protocol.
  • Use log in your rules to troubleshoot. pf will make all the logged packets appear on the pflog0 interface.
    You can view these packets using tcpdump:
    Code:
    # tcpdump -eni pflog0
  • Keep in mind that pf uses a "last matching rule wins" strategy.
    The following rules will pass all traffic because the last matching rule is "pass all":
    Code:
    block all
    pass all
    block all
    pass all
    Use the quick keyword to escape this "last matching rule wins" strategy.
  • If you are new to pf, build your rule set incrementally.
    The father of Pascal and Modula, Niklaus Wirth, called this approach "stepwise refinement".
  • Use interface groups and interface modifiers to get rid of those $ext_if and $IntNet macros:
    Code:
    # ifconfig

    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:10:4b:d1:ab:5d
            priority: 0
            groups: egress
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active

    [snip]
    xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:10:5a:14:52:a5
            priority: 0
            groups: internal
            media: Ethernet 100baseTX full-duplex
            status: active
            inet 192.168.222.10 netmask 0xffffff00 broadcast 192.168.222.255
    Now you can use rules like
    Code:
    pass in quick on internal inet proto tcp from internal:network .......
    pass out quick on egress inet proto tcp from any to any port = 80
    You can define the interface group in a hostname.if(5) file:
    Code:
    # cat /etc/hostname.xl1

    inet       192.168.222.10 255.255.255.0 NONE group internal
    inet alias 192.168.222.11 255.255.255.255
    !ifconfig xl1 media 100baseTX mediaopt full-duplex
--
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
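The tips above applied to one complete small ruleset, as an added example written for this edit and not taken from the thread or from any poster's configuration. It assumes the interface group names egress (which OpenBSD assigns on its own to the interface carrying the default route) and internal (set with "group internal" in hostname.if as shown above), a hypothetical web server at 192.168.222.20 on the internal network, and the OpenBSD 4.7-and-later syntax (match with nat-to/rdr-to) that is also used later in this thread.

```pf
# Added example ruleset for a two-interface gateway (not from the thread).
# Interface groups: "egress" (automatic, holds the default route) and
# "internal" (set via "group internal" in /etc/hostname.xl1 above).
# The web server address is hypothetical.
www_srv = "192.168.222.20"

set skip on lo

# Default policy: deny and log. Everything no later rule passes ends up on
# pflog0, so "tcpdump -eni pflog0" shows exactly what was dropped and by
# which rule number.
block log all

# Translation is expressed with "match" rules; they rewrite addresses but
# decide nothing. Filtering is done only by the pass/block rules below.
match out on egress inet from internal:network to any nat-to (egress)
match in  on egress inet proto tcp to (egress) port 80 rdr-to $www_srv

# Filtering, grouped by interface, then direction, then protocol.
# Every rule carries "quick": the first matching rule decides, instead of
# pf's default "last matching rule wins". Without quick, a later
# "pass all" would silently override everything above it.

# --- internal, in: traffic from the LAN towards the gateway or outside ---
pass in  quick on internal inet from internal:network to any

# --- internal, out: forwarded traffic towards the LAN (redirected web).
# Needed if "set state-policy if-bound" is used; with the default floating
# states the state created on egress already covers these packets. ---
pass out quick on internal inet proto tcp to $www_srv port 80

# --- egress, in: the rdr-to above has already rewritten the destination,
# so the filter rule matches on the internal address, not on (egress) ---
pass in  quick log on egress inet proto tcp to $www_srv port 80 flags S/SA
pass in  quick on egress inet proto icmp icmp-type echoreq

# --- egress, out: after nat-to the source is the egress address ---
pass out quick on egress inet from (egress) to any
```

Check the file with "pfctl -nf /etc/pf.conf" (parse only) before loading it with "pfctl -f /etc/pf.conf"; while testing, "tcpdump -eni pflog0" prints each logged packet together with the number of the rule that matched it, which is how to tell a typo in an address from a rule in the wrong order.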
#3, 12th March 2013
Popelicious
New User
Join Date: Mar 2013
Posts: 5

Thanks for the tips. I'll try logging pf tomorrow and see where the problem is.

Cheers.
#4, 16th March 2013
daemonfowl
bsdstudent
Join Date: Jan 2012
Location: DaemonLand
Posts: 834

Hi J65nko !
I'd like to thank you so much for those interesting tips !
#5, 5th April 2013
Popelicious
New User
Join Date: Mar 2013
Posts: 5

Hello everyone. After tinkering with pf and reading all the pf material I could find, I got a ruleset working for my configuration.

My only problem is that I can only reach the services behind the pf box if I use that same machine as the gateway for the box that is running those services, something that unfortunately can't be done.

At the moment I have 2 routers from my ISP with 8 public IPs each, one of them being 192.168.0.1 and the other 192.168.10.1.
The .0.1 router uses NAT for its 8 public IPs, and .10.1 routes its 8 public IPs to a single iptables-based firewall, with if_ext 192.168.10.5 and if_int 192.168.200.25.

My pf box is behind one of the NAT addresses, and everything seems to be fine if I use it as the gateway for all the boxes I redirect ports to. The problem arises when I redirect ports to a box whose gateway is 192.168.200.25.

For example, let's say I have 192.168.200.93 as the www server and the pf box is 192.168.200.152. If I set the gateway of .200.93 to .200.152 (the pf box), everything works and I can access the www server from outside with no problems.
Now, if that gateway gets changed to the .200.25 box, it won't.

What is eating me is that this configuration does work for other machines if I use iptables, so I'm sure it's my pf configuration.

Here it is:
Code:
#interfaces
ext_if="rl0"
int_if="nfe0"

#ftp
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

#networks
lan="192.168.200/24"
ip="public ip"

#services pf box
servicios_tcp="{domain}"
servicios_udp="{domain}"
servicios_icmp="echoreq"

# internal server
serv_ip="192.168.200.93"
servicios_serv="{ldap,smtp,www,https,imaps}"

#block policy and log
set block-policy return
set loginterface $ext_if
set skip on {lo enc0}

#scrub in all #commented due to testing


block in log all
pass out keep state
pass quick on { lo }
antispoof quick for { lo $int_if }

pass in quick log on $int_if

#nat
match out log on egress from $int_if:network to any nat-to (egress) #test nat

# rdr-to rewrites the destination before the pass rules below are evaluated
match in log on $ext_if proto tcp from any to any port 80 rdr-to $serv_ip port 80
match in log on $ext_if proto tcp from any to any port 443 rdr-to $serv_ip port 443

pass in on $ext_if inet proto tcp from any to ($ext_if) port $servicios_tcp keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $servicios_udp keep state
pass in inet proto icmp all icmp-type $servicios_icmp keep state
pass in on $ext_if proto tcp from any to any port $servicios_serv flags S/SA synproxy state
Can anyone explain to me what is happening?

Thanks

Last edited by Popelicious; 5th April 2013 at 12:30 PM.
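A pattern worth testing for the situation described in this post, as an added example that is neither the poster's ruleset nor something the thread establishes as the cause: when the server's default gateway is 192.168.200.25 rather than the pf box, the server's replies to the outside client's address leave via 192.168.200.25 and never cross the pf box, so the state created by the rdr-to never sees the return half of the connection. Rewriting the source of the redirected connection to the pf box's own internal address (nat-to on the same rule as the rdr-to) makes the server answer the pf box directly, whichever gateway it has. The macro names are the poster's; the pf box's internal address 192.168.200.152 on nfe0 is taken from the post, and the rest is assumed.

```pf
# Added example, not the poster's ruleset: port-forward to a server whose
# default gateway is another box. Macro names and addresses follow the post.
ext_if  = "rl0"
int_if  = "nfe0"          # 192.168.200.152 on the servers' network (from the post)
serv_ip = "192.168.200.93"
web     = "{ 80, 443 }"

set skip on lo
set block-policy return

# Redirect the public web ports to the server AND rewrite the source to
# this box's internal address in the same rule. The server then sees a
# client of 192.168.200.152, answers it directly, and the reply comes back
# through this pf state no matter what the server's default gateway is.
match in on $ext_if inet proto tcp from any to ($ext_if) port $web \
    rdr-to $serv_ip nat-to ($int_if)

block in log all
pass out keep state

# The rdr-to has already rewritten the destination, so filter on $serv_ip.
# "log" matters more than usual here: the server's own logs will now show
# 192.168.200.152 as the client, so pflog0 is where the real client
# address gets recorded.
pass in quick log on $ext_if inet proto tcp from any to $serv_ip port $web flags S/SA

# Hosts on the servers' network may use this box as a gateway as before.
pass in quick on $int_if inet from $int_if:network to any
```

To check whether this is the problem at all, before changing anything: connect from outside to port 80 while running "tcpdump -ni nfe0 host 192.168.200.93" on the pf box. With the original ruleset the SYN towards .200.93 is visible but no SYN-ACK ever comes back over nfe0 (it goes to .200.25 instead); with the combined rdr-to/nat-to rule the SYN-ACK returns to 192.168.200.152 and the connection completes. The trade-off is that the web server no longer sees real client addresses, which is why the pass rule logs.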
#6, 10th April 2013
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

Without a detailed network diagram it is very difficult to visualize your network setup and thus to diagnose your problem.
#7, 10th April 2013
Popelicious
New User
Join Date: Mar 2013
Posts: 5

Hey, thanks for the answer. Sorry for the confusing explanation.

OK, I'll try to post a diagram today.

Thanks.
#8, 19th April 2013
Popelicious
New User
Join Date: Mar 2013
Posts: 5

Hi guys, just updating the situation here. I set up an OpenBSD box with pf, pftop and pfstat, and I'm using it as the firewall for my users' connection to the outside. It's working great.

I still need to solve the problem I posted previously; I will post a network diagram soon.

Thanks.