pf-badhost

CiotBSD · #1 **(View Single Post)** 6th May 2020

Hi, all.

@home, I manage a little server, on OpenBSD.

- 3 zones DNS, with nsd
- web service for one domain.

And to protect a litlle I attempt to use this project "pf-badhost".

No problem to install, and configure.

But, When I active rules for PF, I surprise dig requests are not possible.
(I add rules to exclude LAN subnets on the file install)

----

Before, active PF rules;

Code:

$ dig @ns1.stephane-huc.net ebnh.fr.eu.org

; <<>> DiG 9.16.2-Debian <<>> @ns1.stephane-huc.net ebnh.fr.eu.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37696
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ebnh.fr.eu.org.			IN	A

;; ANSWER SECTION:
ebnh.fr.eu.org.		3600	IN	A	88.136.16.221

;; AUTHORITY SECTION:
ebnh.fr.eu.org.		3600	IN	NS	ns1.stephane-huc.net.
ebnh.fr.eu.org.		3600	IN	NS	ns2.he.net.
ebnh.fr.eu.org.		3600	IN	NS	ns3.he.net.
ebnh.fr.eu.org.		3600	IN	NS	ns4.he.net.
ebnh.fr.eu.org.		3600	IN	NS	ns5.he.net.

;; Query time: 4 msec
;; SERVER: 88.136.16.221#53(88.136.16.221)
;; WHEN: mer. mai 06 19:42:29 CEST 2020
;; MSG SIZE  rcvd: 168

After:

Code:

$ dig @ns1.stephane-huc.net ebnh.fr.eu.org

; <<>> DiG 9.16.2-Debian <<>> @ns1.stephane-huc.net ebnh.fr.eu.org
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

----

My PF Rules:

Code:

# pfctl -sr
match log all scrub (no-df random-id min-ttl 64 reassemble tcp max-mss 1440)
block drop in on ! lo inet6 from ::1 to any
block drop in on ! lo inet from 127.0.0.0/8 to any
block drop in inet6 from ::1 to any
block drop in on lo0 inet6 from fe80::1 to any
block drop in inet from 127.0.0.1 to any
block drop in on ! egress inet6 from 2001:470:cc33::/64 to any
block drop in on ! egress inet from 192.168.***.0/24 to any
block drop in on re0 inet6 from fe80::261c:4ff:fe08:8c05 to any
block drop in inet6 from 2001:470:cc33::3 to any
block drop in inet from 192.168.88.3 to any
anchor "relayd/*" all
(...)
block return in quick on egress from <pfbadhost> to any
block return out quick on egress from any to <pfbadhost>
(...)
block return log all
pass out all flags S/SA keep state (if-bound)
# and, below all others in and out pass
(…)

----

If I wrote thoses rules after my pass in and pass out rules, as final rules, I can request again with dig!

----

Any idea?!

jggimi · #2 **(View Single Post)** 6th May 2020

pf-badhost is not in the ports tree. For support, contact the developer directly. https://www.geoghegan.ca/contact.html

J65nko · #3 **(View Single Post)** 6th May 2020

pf uses a "last matching rule wins" strategy. You can circumvent this by either using the "quick" keyword or reorder your ruleset.
These blocking rules at the beginning of your ruleset can be overridden by later rules:

Code:

block drop in on ! lo inet6 from ::1 to any
block drop in on ! lo inet from 127.0.0.0/8 to any
block drop in inet6 from ::1 to any
block drop in on lo0 inet6 from fe80::1 to any
block drop in inet from 127.0.0.1 to any
block drop in on ! egress inet6 from 2001:470:cc33::/64 to any
block drop in on ! egress inet from 192.168.***.0/24 to any
block drop in on re0 inet6 from fe80::261c:4ff:fe08:8c05 to any
block drop in inet6 from 2001:470:cc33::3 to any
block drop in inet from 192.168.88.3 to any

A simple way to check whether any of these rules are preventing name lookup is to add the following macro:

Code:

LQ = "log quick"
block drop in $LQ on ! lo inet6 from ::1 to any
block drop in $LQ on ! lo inet from 127.0.0.0/8 to any
block drop in $LQ inet6 from ::1 to any

Repeat this for those other rules.

In a SSH session to your server run tcpdump(8) on the pflog0 interface.

Code:

# tcpdump -eni pflog0

Now run your dig command and if one of these rules blocks something it will end up on pflog0 and will be parsed and shown by tcpdump(8).
An example on my firewall:

Quote:

01:52:12.595180 rule 33/(match) block in on vr0: 192.168.2.254 > 224.0.0.1: igmp query (DF) [ttl 1]

After debugging you can simple redefine the LQ macro to either "quick" or nothing "".

BTW Usually blocking internal loopback traffic is a bad idea. That is why "set skip on lo0" exists

CiotBSD · #4 **(View Single Post)** 7th May 2020

In my first post, the view of rules is the result of `pfctl -sr`.

I will investigate as you recommand me @J65nko.

Actually, I put rules PF for pf-badhost at the final.

---

My writings PF:

Code:

auth_tcp_ports = "{ domain http 25 }"
auth_tcps_ports = "{ https smtp 587 }"
auth_udp_ports = "{ domain ntp mdns }"

dns_port = "domain"
ssh_port = "247"

host  = "192.168.***.3"
host6 = "2001:470:cc33::3"
ntwk  = "192.168.***.0/24"
ntwk6 = "2001:470:cc33::/64"

aoks = "allow-opts"
fks = "flags S/SA keep state"
fms = "flags S/SA modulate state"

icmp_auth   = "{ 8 11 12 }"
icmp_block  = "{ 4 6 15 16 17 18 31 32 33 34 35 36 37 38 39 }"
icmp6_auth  = "{ unreach, toobig, timex code 0, timex code 1, paramprob code 1, paramprob code 2, echoreq, routeradv, neighbrsol, neighbradv }"
icmp6_block = "{ 100 101 127 138 139 140 144 145 146 147 150 200 201 }"
icmp6_in    = "{ redir }"

icmp_sto = "(max-src-conn-rate 10/1)"
ssh_sto = "(max-src-conn 10, max-src-conn-rate 10/60, overload <t_abuse_ssh> flush global)"

table <abuse_ssh> counters persist
table <t_adm>  const { 192.168.***.1 192.168.***.47 192.168.***.147 }
table <t_adm6> const { fd**:c107:b5d:1::47 fd**:c107:b5d:1::147 }
table <auth_lan> const { 192.168.**.0/24 192.168.***.0/24 }
table <pfbadhost> persist file "/etc/pf-badhost.txt"

set block-policy return
set fingerprints "/etc/pf.os"
set loginterface egress
set optimization normal
set reassemble yes
set ruleset-optimization profile
set skip on lo
set state-policy if-bound
set timeout { tcp.established 600, tcp.closing 60 }

match log all scrub (max-mss 1440 min-ttl 64 no-df random-id reassemble tcp)

antispoof for egress

anchor "relayd/*"

block drop quick log on egress inet6 proto icmp6 icmp6-type $icmp6_block

block drop quick on egress inet proto icmp icmp-type 3 code 6
block drop in quick on egress inet proto icmp icmp-type 3 code 7
block drop quick on egress inet proto icmp icmp-type 3 code 8
block drop quick on egress inet proto icmp icmp-type $icmp_block

block drop in quick log on egress proto tcp from <abuse_ssh> to egress port 22    label "ssh brute"

block drop in quick on egress inet6 from { urpf-failed no-route } to any
block drop quick on egress inet6 from any to { no-route }

block drop in quick on egress inet from { urpf-failed no-route } to any
block drop quick on egress inet from any to { no-route }

block return in on ! lo0 proto tcp to port 6000:6010

block return out log proto {tcp udp} user _pbuild

block in log on egress inet proto { tcp udp } from any to ! egress port 53

block in log on egress proto tcp to egress port 11211

block log 
pass out

# in/out icmpv6
pass quick on egress inet6 proto icmp6 icmp6-type $icmp6_auth $aoks
pass in quick on egress inet6 proto icmp6 icmp6-type $icmp6_in $aoks
# in icmp 
pass in quick on egress inet proto icmp from any to egress icmp-type 3 code 3   $aoks $icmp_sto
pass in quick on egress inet proto icmp from any to egress icmp-type $icmp_auth $aoks $icmp_sto
# out icmp
pass out quick on egress inet proto icmp from egress to any icmp-type 3 code 3  $aoks $icmp_sto
pass out quick on egress inet proto icmp from egress to any icmp-type $icmp_auth $aoks $icmp_sto

# in admin hosts
pass in quick on egress inet  proto tcp from <t_adm>  to $host  $fms
pass in quick on egress inet6 proto tcp from <t_adm6> to $host6 $fms 
pass in quick log on egress inet  proto tcp from <t_adm>  to $host  port $ssh_port $fms
pass in quick log on egress inet6 proto tcp from <t_adm6> to $host6 port $ssh_port $fms 

# in 80
pass in quick log on egress inet  proto tcp to $host  port 80 $fms
pass in quick log on egress inet6 proto tcp to $host6 port 80 $fms

# in 50
pass in quick on egress proto tcp from any to { $host $host6 } port $dns_port $fms
pass in quick on egress proto udp from any to { $host $host6 } port $dns_port $aoks

# out 50
pass out on egress proto tcp from { $host $host6 } to any port $dns_port $fms
pass out on egress proto udp from { $host $host6 } to any port $dns_port $aoks

# out auth others port
pass out on egress proto tcp from egress to any port $auth_tcp_ports  $fms
pass out on egress proto tcp from egress to any port $auth_tcps_ports $fms 
pass out on egress proto udp from egress to any port $auth_udp_ports $aoks

block in quick on egress from <pfbadhost>
block out quick on egress to <pfbadhost>