Old 5th December 2013
bsd_matt bsd_matt is offline
Perfectly Frustrating/Part 2

The company I work for has a /26 subnet, and we have several servers (httpd, mail, ftp, ssh, etc.) that I need to poke holes in the firewall to allow access to.

Basic setup:
OBSD v5.4
em0 = Internet connection (all /26 public IPs are aliased in /etc/hostname.em0)
em1 = future DMZ
em2 = LAN (192.168.0.xxx)

Right now everything is on the LAN, my workstation and the servers.
I have a rule on the firewall that allows SSH access to my workstation as follows:
This works 100%

This is the result from tcpdump:
Code:
rule 2/(match) match in on em0: 72.38.43.86.2776 > 50.x.x.x.22: 
rule 13/(match) pass in on em0: 72.38.43.86.2776 > 192.168.0.191.22:
rule 11/(match) pass out on em2: 72.38.43.86.2776 > 192.168.0.191.22:
These are the rules in pf.conf that match:
Code:
RULE #2:   match in log all scrub (no-df)
RULE #13: pass in log on egress inet proto { tcp, udp } to $testing_pub_ip port { ssh } rdr-to $bsd_matt
RULE #11: pass in log on { $int_if }
As I said, this works perfectly. What doesn't work is if I add a rule to allow a hole for another computer (i.e. ssh access to a different computer).
New Line:
Code:
pass in log on egress inet proto { tcp, udp } to $sync_pub_ip port { ssh } rdr-to $netfs
tcpdump looks like it's working:

rule 2/(match) match in on em0: 72.38.43.86.3553 > 50.x.x.x.22
rule 15/(match) pass in on em0: 72.38.43.86.3553 > 192.168.0.152.22
rule 11/(match) pass out on em2: 72.38.43.86.3553 > 192.168.0.152.22

But the server at 192.168.0.152 never sees the ssh attempt. By watching:

tail -f /var/log/auth.log


So in summary:
I have a line in my pf.conf that works perfectly, but it only connects to one computer. When I edit it to connect to other computers it doesn't work.
