OpenBSD Security

DMZ zone - I can't find a mistake...
Hello,
I must create a DMZ zone for my second local net, 192.168.1.0/16. This is my pf.conf:

Code:
    ### macros
    int_if = "re0"
    dmz_if = "re1"
    ext_if = "pppoe0"
    tcp_services = "{ 20, 21, 22, 25, 80, 110, 113 }"
    udp_service = "{ 53, 5060 }"
    icmp_types = "echoreq"
    priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"
    dmz_net = "192.168.1.0/16"
    bnd_upstream="512Kb"
    bnd_downstream="7168Kb"
    host_usr1="192.168.0.1"
    host_usr4="192.168.0.4"
    host_usr5="192.168.0.5"
    host_usr6="192.168.0.6"
    host_usr8="192.168.0.8"
    host_usr9="192.168.0.9"
    host_usr10="192.168.0.10"
    host_usr11="192.168.0.11"
    host_usr12="192.168.0.12"
    host_usr13="192.168.1.13"
    host_usr14="192.168.1.14"
    host_usr15="192.168.0.15"
    host_usr16="192.168.0.16"
    host_usr17="192.168.0.17"
    host_usr18="192.168.0.18"

    ### options
    set optimization normal
    set block-policy return
    set loginterface $ext_if
    set skip on lo0

    ### scrub
    scrub in all
    scrub out on $ext_if max-mss 1440

    ### altq
    altq on $ext_if cbq bandwidth $bnd_upstream queue { up_def }
    altq on $int_if cbq bandwidth $bnd_downstream queue { dn_def }
    queue up_def bandwidth 100% cbq(default) { up_host1 up_host4 up_host5 up_host6 up_host8 up_host9 up_host10 up_host11 up_host12 up_host13 up_host14 up_host15 up_host16 up_host17 up_host18 }
    queue up_host1 bandwidth 13% cbq(borrow)
    queue up_host4 bandwidth 7% cbq(borrow)
    queue up_host5 bandwidth 7% cbq(borrow)
    queue up_host6 bandwidth 7% cbq(borrow)
    queue up_host8 bandwidth 6% cbq(borrow)
    queue up_host9 bandwidth 6% cbq(borrow)
    queue up_host10 bandwidth 6% cbq(borrow)
    queue up_host11 bandwidth 6% cbq(borrow)
    queue up_host12 bandwidth 6% cbq(borrow)
    queue up_host13 bandwidth 6% cbq(borrow)
    queue up_host14 bandwidth 6% cbq(borrow)
    queue up_host15 bandwidth 6% cbq(borrow)
    queue up_host16 bandwidth 6% cbq(borrow)
    queue up_host17 bandwidth 6% cbq(borrow)
    queue up_host18 bandwidth 6% cbq(borrow)
    queue dn_def bandwidth 100% cbq(default) { dn_host1 dn_host4 dn_host5 dn_host6 dn_host8 dn_host9 dn_host10 dn_host11 dn_host12 dn_host13 dn_host14 dn_host15 dn_host16 dn_host17 dn_host18 }
    queue dn_host1 bandwidth 13% cbq(borrow)
    queue dn_host4 bandwidth 7% cbq(borrow)
    queue dn_host5 bandwidth 7% cbq(borrow)
    queue dn_host6 bandwidth 7% cbq(borrow)
    queue dn_host8 bandwidth 6% cbq(borrow)
    queue dn_host9 bandwidth 6% cbq(borrow)
    queue dn_host10 bandwidth 6% cbq(borrow)
    queue dn_host11 bandwidth 6% cbq(borrow)
    queue dn_host12 bandwidth 6% cbq(borrow)
    queue dn_host13 bandwidth 6% cbq(borrow)
    queue dn_host14 bandwidth 6% cbq(borrow)
    queue dn_host15 bandwidth 6% cbq(borrow)
    queue dn_host16 bandwidth 6% cbq(borrow)
    queue dn_host17 bandwidth 6% cbq(borrow)
    queue dn_host18 bandwidth 6% cbq(borrow)

    ### nat/rdr
    nat on $ext_if from $int_if:network to any -> ($ext_if)
    nat on $ext_if from $dmz_if:network to any -> ($ext_if)
    # redirects for nucleo, anima, xaser and enjoy
    rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port {4001:4005, 1063:1083} -> $host_usr1
    rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1000:1020 -> $host_usr8
    rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port {1021:1041, 3724, 6112 } -> $host_usr9
    rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1042:1062 -> $host_usr10

    ### filter rules
    block all
    block drop in quick on $ext_if from $priv_nets to any
    block drop out quick on $ext_if from any to $priv_nets
    block drop in quick on $ext_if from $dmz_net to any
    block drop out quick on $ext_if from any to $dmz_net
    pass in on $int_if proto { tcp udp } from $host_usr1 to any queue up_host1
    pass in on $int_if proto { tcp udp } from $host_usr4 to any queue up_host4
    pass in on $int_if proto { tcp udp } from $host_usr5 to any queue up_host5
    pass in on $int_if proto { tcp udp } from $host_usr6 to any queue up_host6
    pass in on $int_if proto { tcp udp } from $host_usr8 to any queue up_host8
    pass in on $int_if proto { tcp udp } from $host_usr9 to any queue up_host9
    pass in on $int_if proto { tcp udp } from $host_usr10 to any queue up_host10
    pass in on $int_if proto { tcp udp } from $host_usr11 to any queue up_host11
    pass in on $int_if proto { tcp udp } from $host_usr12 to any queue up_host12
    pass in on $dmz_if proto { tcp udp } from $host_usr13 to any queue up_host13
    pass in on $dmz_if proto { tcp udp } from $host_usr14 to any queue up_host14
    pass in on $int_if proto { tcp udp } from $host_usr15 to any queue up_host15
    pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host16
    pass in on $int_if proto { tcp udp } from $host_usr17 to any queue up_host17
    pass in on $int_if proto { tcp udp } from $host_usr18 to any queue up_host18
    pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
    pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_service keep state
    pass in on $ext_if inet proto { tcp udp } from any to ($dmz_if) keep state
    pass in inet proto icmp all icmp-type $icmp_types keep state
    pass in on $int_if from $int_if:network to any
    pass in on $dmz_if all keep state
    pass out on $int_if proto { tcp udp } from any to $host_usr1 queue dn_host1
    pass out on $int_if proto { tcp udp } from any to $host_usr4 queue dn_host4
    pass out on $int_if proto { tcp udp } from any to $host_usr5 queue dn_host5
    pass out on $int_if proto { tcp udp } from any to $host_usr6 queue dn_host6
    pass out on $int_if proto { tcp udp } from any to $host_usr8 queue dn_host8
    pass out on $int_if proto { tcp udp } from any to $host_usr9 queue dn_host9
    pass out on $int_if proto { tcp udp } from any to $host_usr10 queue dn_host10
    pass out on $int_if proto { tcp udp } from any to $host_usr11 queue dn_host11
    pass out on $int_if proto { tcp udp } from any to $host_usr12 queue dn_host12
    pass out on $dmz_if proto { tcp udp } from any to $host_usr13 queue dn_host13
    pass out on $dmz_if proto { tcp udp } from any to $host_usr14 queue dn_host14
    pass out on $int_if proto { tcp udp } from any to $host_usr15 queue dn_host15
    pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host16
    pass out on $int_if proto { tcp udp } from any to $host_usr17 queue dn_host17
    pass out on $int_if proto { tcp udp } from any to $host_usr18 queue dn_host18
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state
    pass out on $int_if from any to $int_if:network
    pass out on $dmz_if all keep state

    ### Deny spoofing
    antispoof for $ext_if
    antispoof for $dmz_if
    antispoof for $int_if

I need to leave ALL TCP AND UDP ports open on the DMZ network, and this is not happening with this firewall... And I can ping every IP of 192.168.1.0 from the server/router, but from a PC on the LAN (in 192.168.0.0) I can't ping a PC in the DMZ... Where is the mistake?! Thanks a lot.
__________________
"Non ex regula ius sumatur, sed ex iure quod est regula fiat." (Let the law not be taken from the rule; rather, let the rule be made from the law that exists.)
Last edited by maurobottone; 22nd December 2008 at 08:21 PM.

Thanks for the reply, jggimi;
Outputs here:

Code:
    bash-3.2# ifconfig
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33160
            groups: lo
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:19:db:81:72:a8
            media: Ethernet autoselect (1000baseT full-duplex)
            status: active
            inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
            inet6 fe80::219:dbff:fe81:72a8%re0 prefixlen 64 scopeid 0x1
    rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:14:c1:0f:b2:fa
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet6 fe80::214:c1ff:fe0f:b2fa%rl0 prefixlen 64 scopeid 0x2
    re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:50:fc:f5:c4:62
            media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
            status: active
            inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
            inet6 fe80::250:fcff:fef5:c462%re1 prefixlen 64 scopeid 0x3
    enc0: flags=0<> mtu 1536
    pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
            dev: rl0 state: session
            sid: 0xa77e PADI retries: 3 PADR retries: 0 time: 7d 17:26:49
            sppp: phase network authproto pap authname "4813296885"
            groups: pppoe egress
            inet6 fe80::219:dbff:fe81:72a8%pppoe0 -> prefixlen 64 scopeid 0x6
            inet 78.134.10.25 --> 81.174.0.1 netmask 0xffffff00
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
            groups: pflog

Code:
    bash-3.2# route -n show -inet
    Routing tables

    Internet:
    Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
    default            0.0.0.1            UGS        5   362936     -    48 pppoe0
    81.174.0.1         78.134.10.25       UH         0        0     -    48 pppoe0
    127/8              127.0.0.1          UGRS       0        0 33160    48 lo0
    127.0.0.1          127.0.0.1          UH         2    23197 33160    48 lo0
    192.168.0/24       link#1             UC         3        0     -    48 re0
    192.168.0.8        00:01:29:a6:22:05  UHLc       1    56479     -    48 re0
    192.168.0.9        00:1a:4d:5d:44:a5  UHLc       2      948     -    48 re0
    192.168.0.10       00:00:4d:83:08:98  UHLc       0    34550     -    48 re0
    192.168.1/24       link#3             UC         1        0     -    48 re1
    192.168.1.13       link#3             UHLc       1     8183     -    48 re1
    224/4              127.0.0.1          URS        0        0 33160    48 lo0
    -bash-3.2#

However, the netmask of both LANs is 255.255.255.0. Thanks.
Last edited by maurobottone; 30th December 2008 at 02:13 PM.

All I can tell, at this point, are two things:

1) Your dmz_net macro uses an incorrect CIDR. It overlaps priv_nets, and goes beyond the RFC 1918 address range. Your priv_nets, 192.168.0.0/16, covers the addresses 192.168.0.0 thru 192.168.255.255.

2) Since your DMZ LAN is included in priv_nets, and both are only used for antispoofing, it appears to be unnecessary.

----

You have a default gateway address of 0.0.0.1, which I find very odd, but it still routes through your pppoe0 connection, so I don't think that is anything to worry about. It might be a pppoe-ism. I'm not familiar with pppoe.

You pass ICMP echo requests, without specifying any interface, so I am not sure why you are unable to successfully ping. Further diagnostics will require the use of tcpdump(8). I recommend using it with the pflog(4) device. If you change your pass/block rules to "pass log..." and "block log..." you can see what rule was applied to any particular packet, either a pass or a block. Some people only log blocking rules, as they are uninterested in which pass rules apply to particular packets.

You have your interfaces set to 192.168.0.1 netmask 255.255.255.0, but have specified 192.168.0.1/16 in your pf.conf. 255.255.255.0 means a /24 in CIDR notation.

The netmask is a value that is binary-ORed with the address to find the network address. If you used 8-bit addresses, it would look like this:

Code:
    10100101 - address, decimal 165
    11110000 - netmask, decimal 240 - or /4 because 4 of the bits are '1's
    10100000 - network address, via binary OR - 160

Hope that helps!
__________________
The only dumb question is a question not asked. The only dumb answer is an answer not given.
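The mismatch discussed in the last two replies (a /16 macro for an interface whose netmask is 255.255.255.0) can be checked mechanically. The following is an added example, not code from the thread: it derives each interface's network by ANDing address and netmask octet by octet, compares it with the CIDR written in the pf.conf macro, and reports macros that overlap. The interface addresses and masks are constructed from the ifconfig output above.

```python
"""Check pf.conf network macros against the interface netmasks shown by ifconfig."""
import ipaddress
from itertools import combinations


def network_address(addr: str, mask: str) -> str:
    """AND each address octet with the matching netmask octet."""
    octets = zip(addr.split("."), mask.split("."))
    return ".".join(str(int(a) & int(m)) for a, m in octets)


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24; rejects non-contiguous masks."""
    bits = "".join(f"{int(o):08b}" for o in mask.split("."))
    prefix = bits.count("1")
    if bits != "1" * prefix + "0" * (32 - prefix):
        raise ValueError(f"non-contiguous netmask {mask}")
    return prefix


def interface_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """The network an interface actually sits on, e.g. 192.168.1.0/24."""
    return ipaddress.ip_network(f"{network_address(addr, mask)}/{mask_to_prefix(mask)}")


def check_macro(cidr: str, addr: str, mask: str) -> list:
    """Problems with a pf macro CIDR versus the interface it is meant to describe."""
    problems = []
    net = ipaddress.ip_network(cidr, strict=False)  # pf also clears host bits silently
    if str(net) != cidr:
        problems.append(f"{cidr} has host bits set; pf reads it as {net}")
    want = interface_network(addr, mask)
    if net != want:
        problems.append(f"{cidr} does not match interface network {want}")
    return problems


def overlapping(macros: dict) -> list:
    """Sorted pairs of macro names whose networks overlap; LAN and DMZ should not."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in macros.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    # Constructed from the thread: re0 is 192.168.0.1/255.255.255.0, re1 is 192.168.1.1/255.255.255.0
    ifaces = {"int_if": ("192.168.0.1", "255.255.255.0"),
              "dmz_if": ("192.168.1.1", "255.255.255.0")}
    for cidr, iface in (("192.168.0.0/16", "int_if"), ("192.168.1.0/16", "dmz_if"),
                        ("192.168.0.1/24", "int_if"), ("192.168.1.0/24", "dmz_if")):
        print(cidr, check_macro(cidr, *ifaces[iface]) or "ok")
    print(overlapping({"priv_nets": "192.168.0.0/16", "dmz_net": "192.168.1.0/16"}))
```

The third case shows why "192.168.0.1/24", as written later in the thread, is accepted by pf but still worth cleaning up: the host bit is set and pf treats it as 192.168.0.0/24.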

I've modified 192.168.0.0/16 to 192.168.0.1/24 and 192.168.1.0/16 to 192.168.1.0/24 in pf.conf.
The problem is still here! I can ping a PC on 192.168.1.0 from the server, but can't ping it from a PC on 192.168.0.0. Help me pls :/

I've added these two lines in pf.conf:

Code:
    nat on $int_if from $dmz_if:network to any -> ($int_if)
    nat on $dmz_if from $int_if:network to any -> ($dmz_if)

Do I need all the other lines I set?! Well... what about the DMZ?! I need to leave the whole subnet 192.168.1.0 with open ports... Thanks
Last edited by J65nko; 27th January 2010 at 02:32 AM. Reason: Correction of wrong closing code tag (Missing / )

I'm glad you discovered your problem was misconfigured NAT rules.

I do not understand what you are asking now regarding your 192.168.1 LAN. As you have crafted your pf.conf, you have pass in and pass out rules by individual system. If you want filter rules by interface or network, you can certainly write them.

Sorry for my English; well... I was saying that I need the whole 192.168.1.0 to be a DMZ: on this net I've a PS3, a Wii, a PC media center and other consoles that need to bypass the firewall block rules and be open to the internet. Example: I've a PS3 on 192.168.1.13 and I need a rule that lets me pass in ALL traffic on ALL ports from the internet to the PS3 and from the PS3 to the internet... how can I do this?!

If I understand your network, there is a single IP address exposed to the Internet.

If any system on your local network originates traffic destined for the Internet, its state table entry will be used to redirect any return inbound packets back to that system. But ... any network traffic that originates on the Internet has no state table entry. The only way to reach a system behind the NAT firewall is via a redirection (rdr) rule. Your last filter rule:

Code:
    pass out on $dmz_if all keep state

Well jggimi, then... can I use a rule like this?

Code:
    rdr on $ext_if proto {tcp udp} from ($ext_if) to any -> 192.168.1.0

So you want any traffic trying to leave your external interface to be redirected to your server on its 192.168.1.0 address? That is what that rule says: find any packet on ext_if with the "from" address set to ext_if's address and change its "to" address to 192.168.1.0. I think that will fail spectacularly, as the packets will hit the public network with a non-routable address and be summarily dropped by your ISP's gateway.

Try this: if you want a computer on the DMZ network (192.168.1.5, say) to handle http traffic, then this rule accomplishes that:

Code:
    rdr on $ext_if proto tcp from any to ($ext_if) port http -> 192.168.1.5
Last edited by robbak; 3rd January 2009 at 01:09 AM.

Thanks robbak...
I'll try to explain better: I need to pass ALL into my 192.168.1.0 from the net, because on this private net I've a PS3 and other consoles that must be set up in a DMZ... I don't need to open only some ports. Well... can I pass all into 192.168.1.0? How?

You only have a single IP address on the Internet ... correct?

If so, as configured, you cannot easily redirect all ports. Particularly to a subnet, rather than an individual IP. You should either obtain multiple IP addresses from your ISP, or set up your DMZ with two firewalls. Something like this:

    Internet - <fw1> - DMZ - <fw2> - protected LAN

Yeah, correct! Well... I can't obtain multiple IP addresses, so... where can I read something about two firewalls? I didn't know about that possibility... thanks and sorry :/

Further clarification of NAT and redirection

If there are specific ports you know about, or ranges of ports you know about, for specific systems in your DMZ, you may write a redirect rule. In situations where port numbers are unknown ... how do you redirect that traffic to the appropriate system?

Let us pretend that your various systems have TCP ports open, but you don't know the port number, nor can you limit the port number to a specific range. Let us also pretend that your firewall receives a TCP SYN packet incoming to your single IP address, TCP protocol, port number 12345. A SYN packet is the first packet of the three-way TCP handshake.

NAT allows the firewall to replace the 78.134.x.x Internet IP address with the appropriate private IP address, such as 192.168.1.13 or 192.168.0.8, and then route the packet on to that address. State is tracked. Packets sent in reply from 192.168.1.13 or 192.168.0.8 will have their IPs replaced with 78.134.x.x and be routed on via your ISP. If there is no rdr rule for that port, the firewall will assume the packet is destined for the firewall itself, and will respond according to inbound pass/block rules and whether a service is listening on that port.

Since NAT only allows the replacement of one IP address with another, I suppose it is possible to redirect to the broadcast address. However, I doubt a broadcast will work: IP supports multicasting (the broadcasting of packets), but TCP cannot be broadcast. Think about it for a moment. If that SYN packet is sent to every device in the DMZ, every device will respond to it, and to any and all follow-on packets. The handshake will likely never properly complete, since the first rejection packet will stop the attempted connection.

There's a good discussion of tiered firewalls in Michael Lucas's book, Absolute OpenBSD, which is currently out of print. The publisher (No Starch Press) has a .pdf available for sale; in addition, the example pf.conf files for a tiered firewall setup (in Appendix B) are available for download at www.absoluteopenbsd.com for your review -- see Example 3. Note: tiered configurations require routing table additions, which are described in the book but not in the examples.

You cannot do this without multiple IP addresses. Think about it: you have one IP address, so any incoming packets will come to that address. How will your firewall know which machine in the DMZ to send this packet to? And how would a remote machine indicate that it wanted the packet sent to a particular machine?

Well, the answer is, of course, using ports. Each system offers a service on one or more ports, and the firewall uses rdr rules to redirect matching packets to that machine. rdr rules can also redirect to different ports. For instance, say you have 5 machines that you need to ssh to. Consider these rdr rules:

Code:
    rdr on $ext_if from any to ($ext_if) port 1022 -> 192.168.1.101 port 22
    rdr on $ext_if from any to ($ext_if) port 2022 -> 192.168.1.102 port 22
    rdr on $ext_if from any to ($ext_if) port 3022 -> 192.168.1.103 port 22
    rdr on $ext_if from any to ($ext_if) port 4022 -> 192.168.1.104 port 22
    rdr on $ext_if from any to ($ext_if) port 5022 -> 192.168.1.105 port 22

"Redirect packets arriving on interface $ext_if with the 'to' address set to the current address of $ext_if and the port set to 1022, by changing their address to 192.168.1.101 and changing the port number to 22." So a remote user can access ssh on machine ..105 with ssh -p 5022 [your one external ip address]. (Just noted: the port numbers can be specified in the config file!)
Last edited by robbak; 9th January 2009 at 11:25 AM.
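The two explanations above (jggimi's on state versus rdr for a single public address, and robbak's port-per-machine rdr rules) can be put into a small decision model. This is an added example, not code from the thread or from pf: it parses the subset of rdr syntax used in this thread and answers, for an inbound packet to the one external address, which internal host receives it. The 198.51.100.x remote addresses, the NAT state entry and its external port 50001 are constructed for the demonstration.

```python
"""Toy model of where pf delivers an inbound packet to the firewall's single public address."""
import re
from typing import NamedTuple, Optional

# Matches e.g. "rdr pass on $ext_if proto tcp from any to ($ext_if) port 1000:1020 -> 192.168.0.8 port 22"
RDR_RE = re.compile(
    r"rdr(?: pass)? on \$ext_if(?: proto (\w+))? from any to \(\$ext_if\)"
    r" port (\d+)(?::(\d+))? -> (\d+(?:\.\d+){3})(?: port (\d+))?"
)


class Rdr(NamedTuple):
    proto: Optional[str]   # None means any protocol
    lo: int                # first external port of the range
    hi: int                # last external port (== lo for a single port)
    host: str              # the one internal host the rule redirects to
    port: Optional[int]    # internal port; None keeps the external port


def parse_rdr(line: str) -> Rdr:
    m = RDR_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"unsupported rdr syntax: {line!r}")
    proto, lo, hi, host, port = m.groups()
    return Rdr(proto, int(lo), int(hi or lo), host, int(port) if port else None)


def inbound_target(proto, src_ip, src_port, dst_port, rules, states):
    """Return the (internal host, port) an inbound packet is delivered to."""
    reply_to = states.get((proto, src_ip, src_port, dst_port))
    if reply_to is not None:        # reply to a connection an inside host opened: state wins
        return reply_to
    for r in rules:                  # otherwise the first matching rdr rule, one host per rule
        if r.proto in (None, proto) and r.lo <= dst_port <= r.hi:
            return (r.host, r.port if r.port is not None else dst_port)
    return ("firewall", dst_port)    # nothing matched: the packet is for the firewall itself


# robbak's five ssh redirections: one external port per internal machine.
RULES = [parse_rdr(f"rdr on $ext_if from any to ($ext_if) port {n}022 -> 192.168.1.10{n} port 22")
         for n in range(1, 6)]
# Constructed NAT state: 192.168.1.13:40000 opened a TCP connection to 198.51.100.7:443
# and the firewall mapped it to external port 50001.
STATES = {("tcp", "198.51.100.7", 443, 50001): ("192.168.1.13", 40000)}

if __name__ == "__main__":
    print(inbound_target("tcp", "198.51.100.7", 443, 50001, RULES, STATES))   # reply to the PS3
    print(inbound_target("tcp", "198.51.100.9", 51234, 5022, RULES, STATES))  # rdr to .105:22
    print(inbound_target("tcp", "198.51.100.9", 51234, 12345, RULES, STATES)) # firewall itself
```

Because every rdr rule resolves to exactly one host, there is no rule set that hands "all ports" to a whole 192.168.1.0 subnet from one address, which is the point both replies make.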

Thanks to all for the help: now I've understood how to proceed! Your indications were good for me
:°)