DaemonForums
OpenBSD Security: Functionally paranoid!
#1, 28th March 2015
xJohansenx (New User; Join Date: Dec 2014; Location: Ottawa, Ontario, Canada; Posts: 6)
pf.conf + nfs

Hi,

I've managed to configure NFS as per the instructions on www.openbsd.org, and it works great as long as pf is deactivated. Consequently, could someone review my rules? The problem is probably obvious, but I just can't figure it out! Thanks.

Code:
##################################
# PF.CONF                        #
##################################
# MACROS
ext_if="xl0"
# 111 (tcp+udp) is portmap(8) and 2049 (tcp+udp) is nfsd(8). An NFS mount
# also talks to mountd(8), rpc.statd(8) and rpc.lockd(8), which register on
# whatever ports portmap hands them at start-up, so they are not covered here.
tcp_services="{ 21, 22, 53, 80, 111, 443, 2049, 9000 }"
udp_services="{ 53, 111, 123, 2049 }"
 
# TABLES
table <sshguard> persist
table <spamhaus_drop> persist
 
# OPTIONS
set block-policy return
set loginterface $ext_if
set skip on lo
 
# FTP PROXY RULES
anchor "ftp-proxy/*"
 
pass in quick on $ext_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021
 
# MATCH RULES
match in all scrub (no-df)
match out on egress inet from !($ext_if:network) to any nat-to ($ext_if:0)
 
# FILTER RULES
 
# SPOOF
antispoof quick for { lo $ext_if }
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
 
# BLOCK
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
block drop log quick from <spamhaus_drop> to any
block drop log quick from any to <spamhaus_drop>
block return log all
 
# PASS
pass out quick
 
pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services
 
pass in on egress inet proto udp from any to (egress) \
    port $udp_services
 
# pass in on $ext_if
#2, 28th March 2015
Oko (Rc.conf Instructor; Join Date: May 2008; Location: Kosovo, Serbia; Posts: 1,102)

I am under the impression that you are trying to pass NFS through restrictive firewall rules. The OpenBSD implementation of NFS, IIRC, doesn't allow fixing the ports for portmapper, rpc.statd, and rpc.lockd. Linux and FreeBSD have some silly hacks so you could keep 111, 2049, 4001, 4002, and 4003 open and have a working NFS server. Note that NFS is not really intended to be used on a hostile network. You might want to check out the Andrew File System (AFS) if that is the goal, but OpenBSD has removed more or less all support for AFS.
#3, 28th March 2015
xJohansenx (New User; Join Date: Dec 2014; Location: Ottawa, Ontario, Canada; Posts: 6)

Thanks for the response, Oko. Yeah, mountd will change port every time it is restarted. I guess AFS could be used to achieve the same goal; I'm just trying to mount an NFS filesystem so that I don't have to constantly go from one computer to the next with a USB stick when I want to share documents amongst them. I guess I could probably achieve the same by using SSH.
#4, 28th March 2015
Oko (Rc.conf Instructor; Join Date: May 2008; Location: Kosovo, Serbia; Posts: 1,102)

Quote:
Originally Posted by xJohansenx
Thanks for the response, Oko. Yeah, mountd will change port every time it is restarted. I guess AFS could be used to achieve the same goal; I'm just trying to mount an NFS filesystem so that I don't have to constantly go from one computer to the next with a USB stick when I want to share documents amongst them. I guess I could probably achieve the same by using SSH.
If it is a local network, it would seem to me that it is OK to have slightly more liberal rules as long as it is not WiFi. Otherwise create a VPN and mount the NFS shares through the VPN. I have a similar setup at work using OpenVPN and I am working on one at home using npppd and IPsec. BTW, I really like what the DragonFly people did with the NFS server.
#5, 28th March 2015
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 3,506)

Not sure if it is feasible in your case, but you could have a look at Simplifying complex IPSec or Firewall solutions -- such as NFS -- with gif(4)
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
  #6   (View Single Post)  
Old 28th March 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,376
Default

See http://daemonforums.org/showthread.php?t=8709 -- this is an example of using gif(4) to tunnel NFS traffic, so that PF rules could be easily written and the NFS traffic both managed and protected. The example rules are for an IPSec based VPN.

(Disclaimer: I've recently changed the infrastructure, so I no longer have this implementation in production.)

Edit - j65nko posted the same link as I was typing this.

Last edited by jggimi; 29th March 2015 at 12:01 AM. Reason: typo, thinko, etc.
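Oko's point in post #2 is the reason the ruleset in post #1 fails: its port lists only cover portmap (111) and nfsd (2049), while mountd, rpc.statd and rpc.lockd sit on whatever ports portmap handed them at start-up. Whether the shares are opened to the trusted LAN (post #4) or moved into a gif(4) tunnel (posts #5 and #6), the pass rules still have to name those ports. The script below is an added example, not code from this thread or from the OpenBSD project: it parses `rpcinfo -p` output, emits a small pf anchor ruleset that passes the currently registered ports on one interface from one source only, and can tell when a later restart of mountd has made the loaded rules stale. The sample `rpcinfo -p` text, the interface names gif0 and xl0, the addresses 10.0.0.2 and 192.168.1.0/24, the anchor name `nfs` and the file name `/etc/pf.nfs.conf` are constructed for the example.

```shell
#!/bin/sh
# nfs_pf_rules.sh -- build pf(4) pass rules for the RPC services an OpenBSD
# NFS server is registered on right now, from the output of `rpcinfo -p`.
#
# Added example for this thread; it is not code from the thread or from the
# OpenBSD project. Interface names (gif0, xl0), addresses and the rpcinfo
# text below are illustrative assumptions, not taken from the poster's setup.

# Constructed `rpcinfo -p` output in OpenBSD's format. mountd, status
# (rpc.statd) and nlockmgr (rpc.lockd) sit on whatever ports portmap gave
# them at start-up; only portmapper (111) and nfs (2049) are fixed.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    718  mountd
    100005    3   udp    718  mountd
    100005    1   tcp    772  mountd
    100005    3   tcp    772  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100024    1   udp    616  status
    100024    1   tcp    631  status
    100021    1   udp    652  nlockmgr
    100021    3   udp    652  nlockmgr
    100021    4   tcp    715  nlockmgr'

# nfs_ports RPCINFO_TEXT: print unique "proto port" pairs for the programs
# an NFS mount needs, sorted by protocol and then numerically by port.
nfs_ports() {
	printf '%s\n' "$1" |
	awk '$5 ~ /^(portmapper|mountd|nfs|status|nlockmgr)$/ { print $3, $4 }' |
	sort -k1,1 -k2,2n -u
}

# port_list RPCINFO_TEXT PROTO: the ports of one protocol as a pf list body,
# e.g. "111, 631, 715, 772, 2049".
port_list() {
	nfs_ports "$1" | awk -v p="$2" '$1 == p { printf "%s%s", (n++ ? ", " : ""), $2 }'
}

# nfs_rules IFACE CLIENTS RPCINFO_TEXT: emit an anchor ruleset that passes the
# registered ports on IFACE, but only from CLIENTS (a host, a network or a
# <table>). Anything else aimed at those ports is left to the main ruleset's
# "block return log all", so unexpected clients still show up in pflog.
nfs_rules() {
	iface=$1; clients=$2; rpc=$3
	printf 'nfs_if = "%s"\n' "$iface"
	printf 'nfs_clients = "%s"\n' "$clients"
	printf 'nfs_tcp = "{ %s }"\n' "$(port_list "$rpc" tcp)"
	printf 'nfs_udp = "{ %s }"\n' "$(port_list "$rpc" udp)"
	printf '%s\n' 'pass in on $nfs_if inet proto tcp from $nfs_clients to ($nfs_if) port $nfs_tcp'
	printf '%s\n' 'pass in on $nfs_if inet proto udp from $nfs_clients to ($nfs_if) port $nfs_udp'
}

# nfs_rules_stale RULES_FILE RPCINFO_TEXT: true (exit 0) when the ports in
# RULES_FILE no longer match what is registered, i.e. mountd/statd/lockd were
# restarted and moved. Run it from cron and reload the anchor when it fires.
nfs_rules_stale() {
	file=$1; rpc=$2
	iface=$(sed -n 's/^nfs_if = "\(.*\)"$/\1/p' "$file")
	clients=$(sed -n 's/^nfs_clients = "\(.*\)"$/\1/p' "$file")
	! nfs_rules "$iface" "$clients" "$rpc" | cmp -s - "$file"
}

# Usage: sh nfs_pf_rules.sh IFACE CLIENTS [RPCINFO_FILE] > /etc/pf.nfs.conf
# With no arguments it runs on the constructed sample above.
case $# in
	0) nfs_rules gif0 10.0.0.2 "$SAMPLE_RPCINFO" ;;
	2) nfs_rules "$1" "$2" "$(rpcinfo -p localhost)" ;;
	3) nfs_rules "$1" "$2" "$(cat "$3")" ;;
	*) echo "usage: $0 IFACE CLIENTS [RPCINFO_FILE]" >&2 ;;
esac
```

Put `anchor "nfs"` into pf.conf after the `block return log all` line (the generated rules are not `quick`, so they have to come later in the ruleset to win), then load them with `sh nfs_pf_rules.sh xl0 192.168.1.0/24 > /etc/pf.nfs.conf && pfctl -a nfs -f /etc/pf.nfs.conf`. For the tunnelled variant from posts #5 and #6, pass `gif0` and the peer's tunnel address instead; the ESP and isakmpd (UDP 500/4500) pass rules on egress stay in the main pf.conf and are not generated here. Because the ports move whenever mountd, rpc.statd or rpc.lockd restart, `nfs_rules_stale` is meant to run from cron, or from whatever restarts those daemons, and trigger a regeneration and reload; that maintenance burden is exactly what the tunnel approach avoids, since a tunnel interface can be passed wholesale from one trusted peer.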
#7, 31st March 2015
xJohansenx (New User; Join Date: Dec 2014; Location: Ottawa, Ontario, Canada; Posts: 6)


Thanks! It's interesting. I have a question with regard to IPSec so I'll post it in the other thread.
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick