#1
9th November 2020
SimpL

Pf.conf searching for better DNS resolve possibilities

Hi everyone,

I was searching here and could not find a thread about this. If there is then sorry.

I would like to do the following:
I have an OpenBSD 6.7 box as a firewall in front of my Windows machines at home. I block everything by default and want to allow a few DNS names to be accessible.
I want these two to work:
- Windows Update
- Gmail
They don't need internet or anything else; these are devices on a subnet that are there as a backup/NAS.

What I did is create a pf table that contains a few DNS names that are for Gmail and a few Windows Update DNS names that I could get my hands on, plus IP addresses I've seen them try to connect to for the update sites.

The problem is that the DNS names that are resolved give only 1 IPv4 and 1 IPv6 address for that name, and most of the time the machines don't connect to update/Gmail; only 50% of the time with these settings. It's getting better as I read the logs and add IP addresses, but this is too much, so I'm looking for a better solution, and a permanent one that could resolve this issue once and for all, so that I don't need to read the logs every week for the rest of my life.

Does anybody have a list or solution for a massive list like these two that I could allow, so that I don't need to allow everything?

Thank you in advance
SimpL
#2
9th November 2020
jggimi

The only way I can perceive of doing this with PF is to craft a script which updates a PF table. For example, a script might parse the output of dig(1) and use pfctl(8) to update table contents. The cron(8) facility could be used to schedule the script.

An alternative solution would be to provision a proxy server which inspects URLs -- and that will include the need for X.509 certificates in order to conduct TLS inspection. In base, there is relayd(8) which can do this. There are third party tools such as www/squid, also.
#3
27th November 2020
SimpL

Hi, sorry for the late reply.

Thanks jggimi, I was thinking of the same solution you suggested at first.
It's like this:
dig +nocmd google.com any +multiline +answer
gives out multiple answers but sadly not all...
So I would need to dig every answer/DNS name this first one gives me. That would not be a big deal if it were like 4-5 addresses, but as far as I can see Google has like 10-15 and MS has the same number, and if they change I need to alter the script.
Is there no one who has done something like this in the past, or is there no list of these somewhere on the net?
I found an MS one:

https://answers.microsoft.com/en-us/...ca06620?auth=1

But as you look at it, it has * on a few links and you know what that means.....
So I'm a bit bummed about this. If there is no other better solution then dig it is....
Thanks jggimi again for your answer.
#4
28th November 2020
J65nko

An alternative could be to define a restrictive pf rule set with an empty pf anchor for gmail and another anchor for windows update.

Before using gmail you load the rules enabling gmail in the gmail anchor and when done with gmail you flush those rules from the anchor.

Similar procedure for Windows Update.

See https://www.openbsd.org/faq/pf/anchors.html#manip

This way you limit the time the firewall is open for these activities.

With simple shell scripts you can automate loading/flushing these rules.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
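As an added example of J65nko's anchor approach (my own code, not from the thread or the OpenBSD FAQ): a script that loads rules into an anchor for a fixed number of seconds and then flushes them, with an EXIT trap so the window is closed even if the script is interrupted. It assumes pf.conf(5) already contains a matching `anchor` line, that a rules file for the anchor exists, and the function names and the `PFCTL` override are mine.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenBSD FAQ: open an anchor for a
# limited time and flush it again, so the hole closes even if the script is
# interrupted. Assumes pf.conf(5) already has a line such as `anchor gmail`
# and that a rules file for the anchor exists (e.g. /etc/pf.gmail.conf).
PFCTL=${PFCTL:-pfctl}   # overridable so the functions can be exercised without pf

# Load rules file $2 into anchor $1; returns pfctl's exit status.
open_anchor() {
    "$PFCTL" -a "$1" -f "$2"
}

# Flush every rule from anchor $1, closing the window.
close_anchor() {
    "$PFCTL" -a "$1" -F rules
}

# Open anchor $1 with rules file $2 for $3 seconds, then close it. The EXIT
# trap guarantees the flush also runs on Ctrl-C, a kill, or an error; flushing
# an already empty anchor twice is harmless.
open_for() {
    ANCHOR=$1
    open_anchor "$1" "$2" || return 1
    trap 'close_anchor "$ANCHOR"' EXIT INT TERM
    sleep "$3"
    close_anchor "$ANCHOR"
    trap - EXIT INT TERM
}

# Usage: sh thisscript.sh gmail /etc/pf.gmail.conf 900   (a 15 minute window)
case $# in
    3) open_for "$1" "$2" "$3" ;;
esac
```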
#5
28th November 2020
jggimi

If this were my use case, I'd probably first try to use a PF table, using a script that runs daily to update the PF table. Here's an untested example:
Code:
#!/bin/sh
# 1. Load table <allowed> with resolved domain name addresses.
# 2. Store the results in /var/db/allowed.addresses so that these can be loaded
# on boot by rc(8) when it loads pf.conf(5).
#
# Note: pf.conf(5) must contain `table <allowed> persist file "/var/db/allowed.addresses"`
#
# a. use a temporary file to load the domain names in the here document, as dig(1) will
#    be used twice.
# b. Type "A" records are written to a temporary output file.
# c. Type "AAAA" records are appended to that output file.
# d. Google's CNAME for mail.google.com is deleted with grep(1).
# e. The output file only replaces /var/db/allowed.addresses (and the table) if
#    at least one address was resolved, so a failed lookup cannot empty the table.
#
TMPFILE=$(mktemp /tmp/resolve.XXXXXXXX) || exit 1
OUTFILE=$(mktemp /var/db/allowed.XXXXXXXX) || { rm -f "$TMPFILE"; exit 1; }
cat > "$TMPFILE" << 'EOF'
microsoft.com
gmail.com
mail.google.com
EOF
dig -f "$TMPFILE" -t A +short | grep -v google > "$OUTFILE"
dig -f "$TMPFILE" -t AAAA +short | grep -v google >> "$OUTFILE"
rm -f "$TMPFILE"
[ -s "$OUTFILE" ] || { rm -f "$OUTFILE"; exit 1; }
mv "$OUTFILE" /var/db/allowed.addresses
pfctl -t allowed -T replace -f /var/db/allowed.addresses
If this works, I'd run it from my daily.local(5) script.
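As an added example (my own code, not jggimi's script above or anything from OpenBSD), the same table-update idea extended to accumulate addresses across runs, which addresses SimpL's point that one lookup returns only one of the many addresses behind a name, and to leave the table untouched when nothing resolves. It assumes OpenBSD base dig(1) and pfctl(8) and the same `table <allowed> persist file` line in pf.conf(5); the function names and the names-file argument are mine.

```shell
#!/bin/sh
# Added example, not from the thread: keep a PF table that grows with every
# run instead of being replaced, so addresses seen on earlier days stay allowed.
# Assumes pf.conf(5) has: table <allowed> persist file "/var/db/allowed.addresses"
TABLE=allowed
DB=/var/db/allowed.addresses

# Keep only literal IPv4/IPv6 addresses from `dig +short` output and drop the
# CNAME targets (e.g. googlemail.l.google.com.) dig prints before them.
only_addresses() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f]*:[0-9A-Fa-f:]+$'
}

# Print the union of the addresses on stdin and those already in file $1
# (a missing file is treated as empty), one per line, sorted and deduplicated.
merge_addresses() {
    { [ -r "$1" ] && cat "$1"; cat; } | sort -u
}

# Resolve every name in file $1 (one per line) for A and AAAA, merge the result
# into $DB and reload the table. If nothing resolved (DNS outage, typo in the
# names file) the table and $DB are left exactly as they were.
update_table() {
    new=$( { dig -f "$1" -t A +short; dig -f "$1" -t AAAA +short; } | only_addresses )
    if [ -z "$new" ]; then
        echo "update_table: no addresses resolved, table unchanged" >&2
        return 1
    fi
    tmp=$(mktemp "$DB.XXXXXXXX") || return 1
    printf '%s\n' "$new" | merge_addresses "$DB" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$DB" && pfctl -t "$TABLE" -T replace -f "$DB"
}

# Usage from daily.local(5): sh thisscript.sh run /etc/allowed.names
case "${1-}" in
    run) update_table "${2:?names file required}" ;;
esac
```

Addresses that a service stops using are never aged out of the file, so review it occasionally or add a dated expiry if the table grows too large.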
#6
2 Weeks Ago
SimpL

Hi

Sorry for not posting. I tried the dig and other methods; it's not easy to do it this way, so I gave up, hoping that maybe later I'd have a good idea to solve this. I found that you can add DNS names to pf, but haven't tried it yet, and the dig approach that jggimi and J65nko wrote is an alternate solution that could work, but it needs work. (But now I've got multiple other DNS names that would need to be set...) So I'm back and will try what you suggested. Thank you again. I will write back if I get any better solutions for this.
Thanks again and Happy New Year
#7
2 Weeks Ago
jggimi

Another possible solution might be a transparent proxy, such as relayd(8). The EXAMPLES section in the relayd.conf(5) man page shows the blocking of an https request to a prohibited social media site.

I'd mentioned this possible solution in November, above.