DaemonForums  
OpenBSD Security

#1
Old 30th November 2018
thefronny
Port Guard
Join Date: Oct 2008
Posts: 37

Default route has changed

I had a little hiccup tonight and am not sure if I applied the right fix.

System, my firewall, was fine. I applied the most recent patches (005_ - 008_) without issue and rebooted. Everything came up OK but I couldn't get out to the internet. I could ping all the machine's interfaces, and the inside address of the router, but there it stopped. Long story short: the default route had been 192.168.1.2, the outside IP address of the firewall. I'm under the impression this is set at boot by the content of /etc/mygate. The fix was to 'route flush' and set the route to 192.168.1.1, the inside address of the router. I have no idea why 192.168.1.2 no longer worked as the default route. pf's rules had not been changed, and I have changed nothing on the router itself because I locked myself out a couple of weeks ago with a fat finger, and since it was working fine I haven't bothered to reset it. Assuming having the four new patches installed is just a cosmic coincidence. The reboot might be the culprit.

My question is, from a security standpoint, does it matter which interface is used as the default route as long as it routes? The router has firewall capability but I have disabled it as I like running my own firewall to see who is poking at my system and to make learning this stuff the real deal. The router is now pretty much just a modem between the copper and the CAT5. Is there a security issue involved with the routing as it is, to the router's inside interface rather than the firewall's outside interface?

Thanks much, hope this is clear.

#2
30th November 2018
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

Let's start with a level-set on routing. Please excuse me if this is review.

---

In IP, a routing table contains two entries: a destination subnet, and the "next hop" to get there. For example, let us pretend that communication is to flow between system A and system E:

[A] - [B] - [C] - [D] - [E]

The routing table in system A needs to have an entry for a subnet which includes the address of system E, which points to the "next hop" system B. That's all it needs. B then needs to know about C, and so on. For returning traffic, system E needs to know to use its "next hop" D to reach A.

---

Your router's address changed, and your OpenBSD system had been statically configured. To use my example, if your OpenBSD firewall is "B" and your "outside" local router is "C", the address of "C" changed on that "B to C" local network.

---

A default route is a "next hop" entry for the subnet 0.0.0.0/0. This is "all IP addresses." A system on a local network with a single router will have a default route entry that points to the "next hop" local router. That is the only way to reach "all IP addresses" that aren't on the local subnet.

Last edited by jggimi; 30th November 2018 at 11:36 AM. Reason: typos and clarity
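The routing model jggimi describes, worked through in code: a table of (destination subnet, next hop) entries, longest prefix wins, 0.0.0.0/0 as the catch-all default, and the A - B - C - D - E chain where each host only knows its neighbour. This is an added example for this page, not code from either poster and not OpenBSD's routing code; the five hosts, their addresses and the /24 links between them are constructed for the illustration, and the rule that a gateway must sit on a directly connected subnet is stated as a general routing requirement, not as something the thread discusses.

```python
"""Minimal IPv4 forwarding model: (destination subnet, next hop) entries,
longest prefix match, 0.0.0.0/0 as the default route.

Added example for this page; not the posters' code and not OpenBSD's.
All hosts, addresses and subnets below are constructed. Python 3.8+,
standard library only.
"""
from ipaddress import ip_address, ip_network


class RoutingTable:
    def __init__(self, connected):
        # Subnets reachable directly over an interface. A static route's
        # gateway has to sit on one of them, otherwise there is no
        # interface over which the gateway itself could be reached.
        self.connected = [ip_network(c) for c in connected]
        self.routes = []  # (destination network, gateway address)

    def add(self, dest, gateway):
        gw = ip_address(gateway)
        if not any(gw in c for c in self.connected):
            raise ValueError(f"gateway {gw} is not on a connected subnet")
        self.routes.append((ip_network(dest), gw))

    def flush(self):
        # Like 'route flush': drop gateway routes, keep connected subnets.
        self.routes.clear()

    def next_hop(self, addr):
        """Next hop for addr, or None if there is no route at all.
        Returns addr itself when the destination is on a connected subnet."""
        addr = ip_address(addr)
        if any(addr in c for c in self.connected):
            return addr
        best = None
        for dest, gw in self.routes:
            if addr in dest and (best is None or dest.prefixlen > best[0].prefixlen):
                best = (dest, gw)
        return best[1] if best else None


# A - B - C - D - E, each adjacent pair joined by its own /24 (constructed).
HOSTS = {
    "A": ({"10.0.1.1"}, RoutingTable(["10.0.1.0/24"])),
    "B": ({"10.0.1.2", "10.0.2.1"}, RoutingTable(["10.0.1.0/24", "10.0.2.0/24"])),
    "C": ({"10.0.2.2", "10.0.3.1"}, RoutingTable(["10.0.2.0/24", "10.0.3.0/24"])),
    "D": ({"10.0.3.2", "10.0.4.1"}, RoutingTable(["10.0.3.0/24", "10.0.4.0/24"])),
    "E": ({"10.0.4.2"}, RoutingTable(["10.0.4.0/24"])),
}
# Outbound: each host only needs "everything not local goes to my neighbour".
HOSTS["A"][1].add("0.0.0.0/0", "10.0.1.2")    # A -> B
HOSTS["B"][1].add("0.0.0.0/0", "10.0.2.2")    # B -> C
HOSTS["C"][1].add("0.0.0.0/0", "10.0.3.2")    # C -> D
HOSTS["E"][1].add("0.0.0.0/0", "10.0.4.1")    # E -> D
# Return path: D and C need a route back toward A's subnet. On C this /24
# is more specific than the default, so it wins the longest-prefix match.
HOSTS["D"][1].add("10.0.1.0/24", "10.0.3.1")  # D -> C
HOSTS["C"][1].add("10.0.1.0/24", "10.0.2.1")  # C -> B


def owner(addr):
    """Name of the host holding addr, or None."""
    for name, (addrs, _) in HOSTS.items():
        if str(addr) in addrs:
            return name
    return None


def path(src, dst):
    """Follow the hop-by-hop forwarding decisions from host src to address
    dst. Returns the host names traversed, or None if some hop has no route,
    the gateway belongs to nobody, or the packet loops."""
    hops, here = [src], src
    while True:
        nh = HOSTS[here][1].next_hop(dst)
        if nh is None:
            return None
        nxt = owner(nh)
        if nxt is None or nxt in hops:
            return None
        hops.append(nxt)
        if str(nh) == dst:
            return hops          # delivered on-link at the last hop
        here = nxt


def demo_flush():
    """Flush B's gateway routes: A's traffic now dies at B. Re-adding the
    default toward the correct neighbour restores the path."""
    table = HOSTS["B"][1]
    saved = list(table.routes)
    table.flush()
    broken = path("A", "10.0.4.2")
    table.add("0.0.0.0/0", "10.0.2.2")
    fixed = path("A", "10.0.4.2")
    table.routes[:] = saved
    return broken, fixed


def gateway_on_link(connected, gateway):
    """True if gateway could be installed as a default route on a host with
    these connected subnets; False if the kernel would have no way to reach it."""
    try:
        RoutingTable(connected).add("0.0.0.0/0", gateway)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("A -> E:", path("A", "10.0.4.2"))
    print("E -> A:", path("E", "10.0.1.1"))
    print("B flushed / restored:", demo_flush())
```

On OpenBSD the live table is shown with `route -n show -inet`, and the gateway that `path()` models as the 0.0.0.0/0 entry is what the boot scripts install from /etc/mygate (see mygate(5)); `gateway_on_link()` is the check the kernel applies when you `route add default <gw>`: the gateway has to be on a subnet one of your interfaces is already on.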
#3
30th November 2018
thefronny
Port Guard
Join Date: Oct 2008
Posts: 37
Quote:
Originally Posted by jggimi
Let's start with a level-set on routing. Please excuse me if this is review.
Thank you for this. Much more clear for me now.