DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 13th June 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default pf - controlling port forwarding inside the network

Hello in my network I only allow certian ports in and out however some users have figured out how too redirect port 80. How can I prevent this from happening?

I know one of the ways is though windows internet connection sharing.
Reply With Quote
  #2   (View Single Post)  
Old 13th June 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

If you restate your question, I might be able to answer it. I'm not sure what you mean by users redirecting port 80.

Here is some level-setting, in case it helps.

----
  • The TCP and UDP protocols reserve two 16-bit values called port numbers. Each data packet has a source port number and a destination port number.When we think of common services and their assigned port numbers, it is the destination port number we consider, even though there is a second, source port number used in UDP and TCP communication. That is because the source port number is often a high numbered, random port from a pool.
  • You can find many standard and default destination port numbers for UDP and TCP services in /etc/services.
Routers that forward traffic via Network Address Translation (NAT) can do "port forwarding". While translating the IP address they can also translate the destination port number. For example, you might forward traffic destined for port 80 on your NAT router to a webserver that is listening on port 8080.

Firewall rules that focus on port numbers for rules and policies can be fooled by knowledgeable users, who use common destination port numbers for other types of TCP or UDP traffic. Examples might be to use destination port 53 (DNS) or destination port 443 (HTTPS) for other type of traffic.

Users can operate their own NAT routers and have multiple devices share a single IP address. This could be a turnkey device, a workstation, or a smartphone or tablet. Even a workstation with Windows can do this. You mentioned Internet Connection Sharing. All that is is Microsoft supplied NAT routing software for a Windows workstation with two or more network interfaces.
Reply With Quote
  #3   (View Single Post)  
Old 13th June 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default

Basically I have my isp. Which goes into a openbsd box on eth0. Then pf nats and filters everything and provides Internet for the internal computers on eth1. One of the users behind the eth1 has internet sharing enabled and is broadcasting wireless. I basically want to block everything except for his traffic to that one machine.... (static ip)

Isp --> openbsd --> his machine (with internet sharing turned on) --> other machines through his connectio


I basically want to block the other machines through his computer
Reply With Quote
  #4   (View Single Post)  
Old 13th June 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Congratulations. You have a user who is operating a NAT router, just like you are. Yours is OpenBSD with PF, his is Windows with ICS.

All of the traffic routed through his workstation will appear to come from it, or be destined for it. However, the Time-To-Live (TTL) value may be greater than 1. The TTL may be greater than 1 for traffic that isn't going to or coming from his private network, also. This is not a guaranteed way to differentiate.

You would have to implement a Deep Packet Inspection facility, and even then, you may still have difficulty differentiating between workstation-specific traffic and traffic routed through it.

For inspecting the contents of the packets, which PF does not do, OpenBSD has relayd(8). This might offer a partial solution. See reyk@'s paper from last year on recent advances in the tool, and the relayd.conf(5) man page for the scope of the analysis it can perform.

You are entering an "arms race" with your user. If you make changes to attempt to block his private network but not his workstation -- such as setting TTL to 1 for all traffic destined to it -- he can circumvent those kinds of restrictions. All he needs is Google, or Bing, and a little time.

If you cannot control your user -- such as having him agree to approved encryption and security on his wireless network, and approved devices to connect, you have two more options:

1. Block traffic between his workstation and the rest of the LAN by placing it in its own subnet, and do not permit traffic to route between the subnets.
If you are sharing the same Ethernet segment, you can block IP packets on the LAN this way, however you cannot block non-IP Ethernet frames. With an alias address on your router's NIC, he and his network can reach the Internet but not any other IP device on your LAN.
2. Block him entirely.

Last edited by jggimi; 13th June 2014 at 10:14 PM. Reason: clarity
Reply With Quote
  #5   (View Single Post)  
Old 14th June 2014
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

Quote:
Originally Posted by jggimi View Post
2. Block him entirely.
I would have done this first. When he came to me complaining that he couldn't get to the internet, I would have made the reason very clear why I blocked him...and why I would do so again should I suspect he is violating the rules of using my connection a second time =)
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
  #6   (View Single Post)  
Old 14th June 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Here's an example configuration of a DMZ subnet sharing the same Ethernet segment as a LAN. The OpenBSD router has a NIC with two assigned addresses, one on each subnet. The additional address (and subnetting) is configured with the alias operand of ifconfig(8).

All devices use DHCP for address assignment. The isolated device is given its private subnet address by DHCP, assigned by MAC address. The DMZ device must be trusted to not alter the MAC.

The DMZ is on 10.99.99.0/30, which is four addresses: the network address (10.99.99.0), the two endpoints (router 10.99.99.1 and DMZ device 10.99.99.2), and the broadcast address (10.99.99.3).

The LAN is on 10.1.1.0/24, with the router at 10.1.1.1.

The hostname.<nic> file for the router has both addresses and subnet sizes:
Code:
inet 10.1.1.1/24
alias 10.99.99.1/30
The dhcpd.conf uses the shared-network declaration to have multiple subnets on the same NIC:
Code:
option  domain-name "<your domain>";
option  domain-name-servers <my nameservers>;

shared-network <my network name> {

        subnet 10.99.99.0 netmask 255.255.255.252 {
                option routers 10.99.99.1;
                host static-client {
                        hardware ethernet <my DMZ device's MAC address>;
                        fixed-address 10.99.99.2;
                }
        }
        subnet 10.1.1.0 netmask 255.255.255.0 {
                option routers 10.1.1.1;
                range 10.1.1.101 10.1.1.200;
        }
}
Traffic is isolated via PF. In this particular example, there is a pass all then the traffic between subnets is blocked, and finally a pass for dhcpd traffic between the subnets, as dhcpd will use the primary address for its responses to the client.
Code:
pass all
block from 10.1.1.0/24 to 10.99.99.0/3
block from 10.99.99.0/3 to 10.1.1.0/24
pass on <my nic> proto {udp tcp} from any to any port {67 68}
This was tested briefly in a lab today, for syntax and basic functionality.
Reply With Quote
  #7   (View Single Post)  
Old 14th June 2014
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

Quote:
Originally Posted by jggimi View Post
The dhcpd.conf uses the shared-network declaration to have multiple subnets on the same NIC:
Interesting approach. I've always used vlandevs with a trunk parent device (LACP, usually)...but you have to have an LACP-capable switch to do that.

I didn't realize you could run a shared net like this. Very interesting.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
  #8   (View Single Post)  
Old 14th June 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Yes. I thought of this because a year or two ago, someone posted here recommending that we isolate Windows platforms each to its own /30. A little lightbulb went on. And I remembered it today when EverydayDiesel described his issue.

A DHCP "fixed" address assignment is no more secure than a static IP address. There must be trust by the admin that the user will use them. If the system cannot be trusted, then the admin must select one of these three options:
  1. a VLAN must be used
  2. an isolated Ethernet segment must be deployed.
  3. the admin must reconfigure the user's workstation using a 30-pound/13-Kilo sledgehammer.
Option 3 is probably the most fun. But alas, it is also career limiting.

Last edited by jggimi; 14th June 2014 at 02:28 AM. Reason: typos. Sheesh.
Reply With Quote
  #9   (View Single Post)  
Old 14th June 2014
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

I do recall the /30 discussion =)

This is probably the reason I never investigated shared-network, as I'd rather have a bit more control over my users (my wife would kill me for saying that heh). I have a vlan capable switch and a port-limited firewall, so vlans just made more sense for me, but deploying a separate segment (as you've mentioned) is another great option.

And while certainly humorous, I don't think the user would agree with your interpretation of /30 as meaning "pounds of sledgehammer" required =P
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
Old 14th June 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

No, the user would have to agree to abide by the /30. The sledgehammer is to be used by the admin if the user attempts to circumvent the /30.



Reply With Quote
Old 4th July 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default

i dont know if it helps at all but i did notice this in the tcpdump output last night.

Code:
rule2/(match) block in on xl1: 192.168.0.1.500 > 192.255.255.255.500: RIPv2-resp[items 1] : {192.168.1.0/255.255.255.9}(1)
Since 192.168.1.0 doesnt exist on my network I am guessing that this is his network. Even though this is a blocked rule, is there any indication here that would show how to block attacks like this?
Reply With Quote
Old 4th July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

1. It's not an "attack" - it's a broadcast of routing information from his router to any others in 192.*.*.* that might be interested in reaching the subnet he controls. If you were cooperating rather than in conflict, ripd(8) could be utilized to automatically update your routing table.

2. You're already blocking these packets, and without a running routing daemon such as ripd, you would have nothing "listening" to the data anyway.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Port Forwarding with Dual WAN Connections alpha202ej OpenBSD Security 0 14th December 2011 02:05 AM
Controlling a RS-232 Serial Console from a Shell Script ishikawanakano Programming 0 9th January 2009 10:00 PM
port forwarding ikevmowe OpenBSD Security 13 21st November 2008 06:03 PM
VNC port forwarding help revzalot OpenBSD Security 3 10th September 2008 06:59 AM
A P2P controlling tool at last - ipfw-classifyd s0xxx FreeBSD Ports and Packages 0 3rd August 2008 09:49 AM


All times are GMT. The time now is 11:11 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick