OpenBSD Security Functionally paranoid! |
Help needed with understanding PF rules
Hi,
I've created a router/NAT combo in OpenBSD 5.0 RELEASE and am trying to access outside of the NAT. However, I seem to be running into issues regarding the blocking of packets. This is what I'm basing my PF rules on:
http://www.openbsd.org/faq/pf/nat.html
http://www.openbsd.org/faq/pf/example1.html
and here is my pf.conf file:
Code:
#macros
int_if="em1"
tcp_services="{ 22 }"
icmp_types="echoreq"
imap_box="10.0.0.9"
http_box="10.0.0.8"

#options
set block-policy return
set loginterface em0
set skip on "{ lo, em1 }"

# HTTP Proxy rules
#anchor "http-proxy/*"
#pass in quick on $int_if inet proto tcp to any port http \
#    divert-to 172.16.8.40 port 3128

#match rules
#match out on egress inet from !(egress) to any nat-to (egress:0)
match out on em1 from 10.0.0.0/24 to any nat-to 172.16.8.13

#filter rules
block in log
pass out quick
pass out quick on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13
#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13
antispoof quick for { lo }
pass in quick on egress inet proto tcp from any to (egress) port $tcp_services
#pass in quick on egress inet proto tcp to (egress) port 143 rdr-to $imap_box synproxy state
pass in quick on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
pass in quick on em1 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass in out on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass on em0 from any to $imap_box binat-to em0
pass on em1 from $imap_box to any binat-to em0
pass in quick on egress inet proto tcp to (egress) port 80 rdr-to $http_box synproxy state
block in on egress inet proto icmp all icmp-type $icmp_types
pass in quick on $int_if
#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13

I have managed to gain access to the IMAP server running behind the router/NAT from outside (inside the production network); however, the systems behind the router/NAT don't seem to be able to access anything outside, as I'm trying to update the ports tree using FreeBSD but it cops out using FTP. I am testing with:
Code:
pfctl -sr
pfctl -ss
tcpdump -eni pflog0

I don't seem to be able to see anything wrong, however; can anyone help me out?
Regards!
Last edited by sparky; 23rd March 2012 at 07:30 PM.
For a quick NAT test, you could try changing the nat-to interface to the external interface and try the following:
Code:
block log all
match out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13
pass in on em1 from 10.0.0.0/24 keep state
pass out on em0 keep state

Last edited by denta; 23rd March 2012 at 06:28 PM.
Thanks for the responses!
Code:
tcpdump -eni pflog0 src 10.0.0.5

Is binat a way of using more than 1 WAN IP address on one interface?
Right, so I've enabled the ftp-proxy service, which I've checked using netstat -ap tcp, and it's up!
Code:
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  localhost.8021         *.*                    LISTEN

This is my pf.conf file now:
Code:
#macros
int_if="em1"
tcp_services="{ 22 }"
icmp_types="echoreq"
imap_box="10.0.0.9"
http_box="10.0.0.8"

#options
set block-policy return
set loginterface em0
set skip on "{ lo, em1 }"

# Proxy rules
#anchor "http-proxy/*"
#pass in quick on $int_if inet proto tcp to any port http \
#    divert-to 172.16.8.40 port 3128
pass in quick on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021

#match rules
#match out on egress inet from !(egress) to any nat-to (egress:0)
match out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13

#filter rules
block in log
pass out quick
pass out quick on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13
#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13
antispoof quick for { lo, em1 }
pass in quick on egress inet proto tcp from any to (egress) port $tcp_services
#pass in quick on egress inet proto tcp to (egress) port 143 rdr-to $imap_box synproxy state
pass in quick on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass in quick on em1 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass in out on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass on em0 from any to $imap_box binat-to em0
pass on em1 from $imap_box to any binat-to em0
pass in quick on egress inet proto tcp to (egress) port 80 rdr-to $http_box synproxy state
block in on egress inet proto icmp all icmp-type $icmp_types
pass in quick on $int_if
#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13

Code:
setenv http_proxy http://172.16.8.40:3128
setenv ftp_proxy ftp://172.16.8.40:3128
setenv https_proxy https://172.16.8.40:3128

pfctl -ss shows:
Code:
# pfctl -ss
all tcp 10.0.0.1:22 <- 10.0.0.10:53250       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.9:143 (172.16.8.13:143) <- 172.16.8.12:55195       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.12:55195 -> 10.0.0.9:143       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.9:143 (172.16.8.13:143) <- 172.16.8.12:55210       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.12:55210 -> 10.0.0.9:143       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.9:143 (172.16.8.13:143) <- 172.16.8.12:55211       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.12:55211 -> 10.0.0.9:143       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.1:22 <- 10.0.0.10:53307       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.40:3128 <- 10.0.0.5:58513       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.13:52735 (10.0.0.5:58513) -> 172.16.8.40:3128       ESTABLISHED:ESTABLISHED
You could also check the rules themselves, and see how many packets are being "matched" by each rule. Example snipped output of /sbin/pfctl -sr -vv:
Code:
@5 block drop in quick on vr0 from <china:2601> to any
  [ Evaluations: 30160     Packets: 283       Bytes: 20721       States: 0     ]
  [ Inserted: uid 0 pid 30316 State Creations: 0     ]
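Turning the counter check from the reply above into a script: this is an added example, not code from the thread. It assumes the counter-line layout shown in that post, and the sample rules it runs over are constructed to resemble the original pf.conf (a rule on em1, which `set skip on` excludes from evaluation, shows Evaluations: 0 for as long as it stays skipped).

```shell
#!/bin/sh
# Added example (not from the thread): flag rules in `pfctl -sr -vv` output
# that have never been evaluated or never matched a packet.
# Real use on the router: pfctl -sr -vv | idle_rules

idle_rules() {
    awk '
        # "@N rule text" lines name the rule; remember the whole line.
        /^@[0-9]+ / { rule = $0 }
        # The counter line that follows it splits into the fields
        # "[" "Evaluations:" N "Packets:" N "Bytes:" N "States:" N "]"
        /^ *\[ Evaluations:/ {
            if ($3 == 0)      printf "never evaluated: %s\n", rule
            else if ($5 == 0) printf "never matched:   %s\n", rule
        }
    '
}

# Constructed sample in the format of `pfctl -sr -vv`: rule @2 sits on em1,
# which the ruleset skips, and @3 is evaluated but never matches.
SAMPLE='@0 block return in log all
  [ Evaluations: 4120      Packets: 37        Bytes: 2220        States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@1 pass out quick all
  [ Evaluations: 3983      Packets: 3100      Bytes: 412000      States: 6     ]
  [ Inserted: uid 0 pid 1234 State Creations: 120   ]
@2 pass in quick on em1 inet proto tcp from any to any port = 143 rdr-to 10.0.0.9 synproxy state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@3 pass in quick on em0 inet proto tcp from any to any port = 80 rdr-to 10.0.0.8 synproxy state
  [ Evaluations: 812       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]'

# Run the check over the sample; the report goes to stdout.
idle_rules_sample() {
    printf '%s\n' "$SAMPLE" | idle_rules
}

idle_rules_sample
```

A rule that is evaluated but never matches is usually a rule-order or address problem; one that is never evaluated is unreachable, which on this ruleset points straight at `set skip on`.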