DaemonForums  


OpenBSD Security Functionally paranoid!

Old 15th February 2016
e1-531g (ISO Quartermaster)
Join Date: Mar 2014
Posts: 628

Network isolation of process using rdomain rtable

Hello,
I started a thread on misc today, but maybe somebody here
who is not subscribed to misc can help.
https://marc.info/?i=xvwykxmpbmuapsqsujlt%20()%20xbzl

I would like to isolate a process using rtable/rdomain.
By isolation I mean isolating it from the network only.
I would like to achieve that every packet which tries
to go through egress instead goes through the pair1 interface,
maybe the pair2 interface, and is then
directed/redirected/nat-ed/forced
(I don't know which word/action is appropriate)
to arrive at port 9191 on the pair2 interface.
Now I have something
that seems to work, but maybe there is something to improve?
Maybe there is some error/fault on my side and it
is going to leak some packets? I would like to prevent that.

This is something that I have now:
Code:
cat /etc/hostname.pair*
# /etc/hostname.pair1 (placed in rdomain 1)
inet 172.10.0.1 255.255.255.0 172.10.0.255 rdomain 1 \
description "An isolated Ethernet"
# /etc/hostname.pair2 (default rdomain 0)
inet 172.10.0.2 255.255.255.0 172.10.0.255
patched together
Code:
ifconfig pair1 patch pair2
with default route:
Code:
route -T1 add default 172.10.0.2
Server command:
Code:
/usr/local/bin/sudo -u user /usr/bin/nc -4 -k -n -l 172.10.0.2 9191
Commands for programs I would like to intercept/redirect:
Code:
#!/bin/sh
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -n -v 172.10.0.2 9191
random port
Code:
#!/bin/sh
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -n -v 172.10.0.2 9192
random IP and port (this is Google, don't hack)
Code:
#!/bin/sh
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -n -v 212.191.227.88 80
Packet filter rule file and actual rules from pfctl:
Code:
#cat pf.conf:
pass in quick on pair2 inet proto tcp from pair1 \
rdr-to pair2 port 9191 keep state (floating)
pass in
pass out
Code:
#pfctl -sr
pass in quick on pair2 inet proto tcp from 172.10.0.1 \
to any flags S/SA tag rdr_tor_tcp rdr-to 172.10.0.2 port 9191
pass in all flags S/SA
pass out all flags S/SA

Last edited by e1-531g; 15th February 2016 at 04:55 PM. Reason: typo
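The following is an added example and is not part of the post above or of anything e1-531g published. It takes the addresses, rdomain number and listener port from the post as given, and adds three things a reviewer of that setup would want: a ruleset for the pair2 side that keeps the posted rdr rule but explicitly blocks and logs whatever else arrives from the sandbox (the posted rdr rule matches `proto tcp` only, and the rules after it are unconditional `pass in` / `pass out`), a coarse audit that flags a ruleset with no such block, and a leak test that is meant to be run on the OpenBSD host itself from inside rdomain 1, the same way the post's wrapper scripts run their commands. The function names and the `rules`/`audit`/`live` arguments are this script's own; the `POSTED_RULES` text is the `pfctl -sr` output from the post.

```shell
#!/bin/sh
# Added example, not from the forum post: tighter pf rules for the pair2 side
# of the rdomain-1 sandbox, a coarse ruleset audit, and a leak test for the
# OpenBSD host. Addresses, rdomain and port are the post's; names are ours.

RDOMAIN=1
ISOLATED_ADDR=172.10.0.1   # pair1, lives in rdomain 1
LISTEN_ADDR=172.10.0.2     # pair2, rdomain 0, where "nc -k -l" listens
LISTEN_PORT=9191

# The post's rdr rule matches TCP only and is followed by catch-all
# "pass in" / "pass out". This variant keeps the redirect and adds explicit,
# logged block rules so UDP, ICMP and anything else coming from the sandbox
# is dropped on pair2 (and, as a second line, never leaves via egress).
hardened_pf_rules() {
    cat <<EOF
pass in quick on pair2 inet proto tcp from $ISOLATED_ADDR \\
    rdr-to $LISTEN_ADDR port $LISTEN_PORT keep state (floating)
block in log quick on pair2 from $ISOLATED_ADDR
block out log quick on egress from $ISOLATED_ADDR
pass in
pass out
EOF
}

# The ruleset from the post as printed by "pfctl -sr" (used by the audit).
POSTED_RULES='pass in quick on pair2 inet proto tcp from 172.10.0.1 to any flags S/SA tag rdr_tor_tcp rdr-to 172.10.0.2 port 9191
pass in all flags S/SA
pass out all flags S/SA'

# Coarse audit of a ruleset read from stdin (pf.conf text or "pfctl -sr"
# output): succeed only if some rule explicitly blocks traffic from the
# sandbox address. This does not evaluate pf semantics; it only catches the
# "redirect TCP, pass everything else" shape of the posted ruleset.
audit_ruleset() {
    if grep -Eq "^block .*from $ISOLATED_ADDR"; then
        return 0
    fi
    echo "audit: no block rule for $ISOLATED_ADDR; non-TCP traffic from the sandbox only meets 'pass in'" >&2
    return 1
}

# Leak test for the OpenBSD host, with the post's listener running
# ("nc -4 -k -n -l 172.10.0.2 9191"). Each probe runs inside rdomain 1 like
# the post's wrapper scripts. Watch the drops in another terminal with
# "tcpdump -n -e -ttt -i pflog0" and confirm nothing from 172.10.0.1 shows
# up on egress with "tcpdump -n -i egress host 172.10.0.1".
leak_test() {
    target=${1:-212.191.227.88}   # address used in the post; any outside address will do
    echo "tcp $target:80 should connect: it is redirected to $LISTEN_ADDR:$LISTEN_PORT"
    route -T"$RDOMAIN" exec nc -4 -n -v -z -w 3 "$target" 80 || echo "  tcp was not redirected"
    echo "udp $target:53 and icmp should be logged and dropped on pair2"
    echo probe | route -T"$RDOMAIN" exec nc -4 -n -u -w 3 "$target" 53 || true
    route -T"$RDOMAIN" exec ping -c 1 -w 3 "$target" || true
}

# Usage: sh isolation.sh rules          -> print the hardened rules
#        pfctl -sr | sh isolation.sh audit   -> exit 1 if no block rule
#        doas sh isolation.sh live [addr]    -> run the probes on the host
case "${1:-}" in
    rules) hardened_pf_rules ;;
    audit) audit_ruleset ;;
    live)  leak_test "${2:-}" ;;
esac
```

Load the printed rules with `pfctl -f` only after `pfctl -nf` accepts them, and keep the rdr rule first: pf evaluates `quick` rules in order, so the redirect must win before the block for the same source address is reached.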

Tags
isolation, prevent leak, rdomain, rtable, virtualized networking
