DaemonForums > OpenBSD > OpenBSD Security

#1
Old 6th September 2013
inversebit
New User
Join Date: Mar 2013
Posts: 2

Default pf ruleset at boot and PPPoE

I'm using kernel pppoe for my internet interface and my pf.conf contains the rules for the pppoe0 interface (amongst others); however, on boot this ruleset is not loaded and a very restrictive default set is loaded instead:

Code:
FILTER RULES:
block drop all
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass out inet proto icmp all icmp-type echoreq
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in proto tcp from any to any port = 22 flags S/SA
pass on lo0 all flags S/SA
pass proto carp all keep state (no-sync)
No queue in use

The ppp interface comes up correctly at boot, but I need to reload the rules manually from pf.conf to get things working. I assume my ruleset is not getting loaded because pf is started before the ppp interface is up and so contains invalid rules at this point.

My questions are:

1) Is it possible to see the pf errors on boot? There seems to be nothing in the logs or on the console about pf not loading correctly.

2) Is it possible to change the default rules, or would I need to define a restricted pf.conf and then load the full 'ppp' pf.conf once the interface is up? If so, how would you recommend I load the rules once the interface is up - ifstated maybe?

Kernel pppoe to ISP seems like a common enough scenario but I can't find other reports of similar issues.

OpenBSD 5.2 GENERIC#278 i386
#2
Old 6th September 2013
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

I never used PPPoE, but for those who have and thus could assist you, it would be helpful to post your configuration details.
Things like your /etc/rc.conf file, ifconfig output and the contents of /etc/hostname.*.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 6th September 2013 at 03:40 PM.
#3
Old 6th September 2013
inversebit
New User
Join Date: Mar 2013
Posts: 2

/etc/rc.conf is untouched from 5.2 distribution, other files are:

Code:
# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
        pppoedev vr1 authproto pap \
        authname 'xxxxxx' authkey 'authkey' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

# cat /etc/hostname.vr0
inet 192.168.200.245 255.255.255.0

# cat /etc/hostname.vr1
up

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:57:38
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.200.245 netmask 0xffffff00 broadcast 192.168.200.255
        inet6 fe80::200:24ff:fec9:5738%vr0 prefixlen 64 scopeid 0x1
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:57:39
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fec9:5739%vr1 prefixlen 64 scopeid 0x2
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        priority: 0
        dev: vr1 state: session
        sid: 0x6 PADI retries: 0 PADR retries: 0 time: 08:43:03
        sppp: phase network authproto pap authname "xxxxxx"
        groups: pppoe egress
        status: active
        inet6 fe80::200:24ff:fec9:5738%pppoe0 ->  prefixlen 64 scopeid 0x7
        inet [my ext IP] --> [PPP Peer] netmask 0xffffffff
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        priority: 0
        groups: pflog

# cat /etc/rc.conf.local
syslogd_flags="-a /var/spool/postfix/dev/log  -a /var/unbound/dev/log"
# Disable sendmail
sendmail_flags="NO"
ntpd_flags="-s"
# Start on boot
pkg_scripts="postfix sshguard unbound"

/etc/pf.conf:

Code:
## Interfaces ##

ExtIf = "pppoe0"
IntIf = "vr0"
VpnIf = "tun0"
PbxHost = "192.168.200.42"
MxHost = "192.168.200.41"
WebHost = "192.168.200.44"
PbxPeer = "[sip peer addr]"

### Queues, States and Types ###
 IcmpType ="icmp-type 8 code 0"
 IcmpMTUd ="icmp-type 3 code 4"
 SshQueue ="(ssh_bulk, ssh_login)"
#SynState ="flags S/SA synproxy state"
 TcpState ="flags S/SA modulate state"
 UdpState ="keep state"

### Ports ###
 FtpPort ="8021"
 SshPort ="8022"
 OpenVPNPort ="1194"
 RtpPorts = "16384:32768"

### Stateful Tracking Options (STO) ###
 FtpSTO   ="(tcp.established 7200)"
 ExtIfSTO ="(max 9000, source-track rule, max-src-conn   2000, max-src-nodes 14)"
 IntIfSTO ="(max 150,  source-track rule, max-src-conn   50,   max-src-nodes 14, max-src-conn-rate 75/20)"
 SmtpSTO  ="(max 200,  source-track rule, max-src-states 50,   max-src-nodes 50, max-src-conn-rate 30/10,   overload <BLOCKTEMP> flush global)"
 SshSTO   ="(max 5,    source-track rule, max-src-states 5,    max-src-nodes 5,  max-src-conn-rate  5/60)"
 WebSTO   ="(max 500,  source-track rule, max-src-states 50,   max-src-nodes 75, max-src-conn-rate 120/100, overload <BLOCKTEMP> flush global)"

### Tables ###
 table <SSHGUARD> counters persist
 table <BLOCKTEMP> counters
 table <BLOCKPERM> counters file "/etc/pf_block_permanent"

################ Options ######################################################
### Misc Options
 set skip on lo
 set skip on $VpnIf
 set debug urgent
 set reassemble yes
 set block-policy drop
 set loginterface $ExtIf
 set state-policy if-bound
 set fingerprints "/etc/pf.os"
 set ruleset-optimization none

### Timeout Options
 set optimization normal
 set timeout { tcp.established 600, tcp.closing 60 }

### Block to/from illegal sources/destinations
### (the macro defined above is ExtIf; "$ExtIfs" is undefined and pfctl rejects the file on it)
 block in     quick on $ExtIf inet proto tcp from <SSHGUARD> to any port 22 label "ssh bruteforce"
 block in     quick on $ExtIf inet proto tcp from <BLOCKTEMP> to any port != ssh
 block in     quick on $ExtIf inet proto tcp from <BLOCKPERM> to any port != ssh
 block in     quick on $ExtIf inet proto udp from <BLOCKTEMP> to any port != ssh
 block in     quick on $ExtIf inet proto udp from <BLOCKPERM> to any port != ssh
 block in     quick inet proto udp from any to <BLOCKPERM> port != ssh

### BLOCK all in on external interface by default and log
 block log on $ExtIf

### Network Address Translation (NAT with outgoing source port randomization)
 match out log on $ExtIf proto tcp from $PbxHost port { 5060, 5080, 5090 } to any received-on $IntIf tag EGRESS nat-to ($ExtIf:0) static-port
 match out log on $ExtIf proto udp from $PbxHost port { 5060, 5080, 5090 } to any received-on $IntIf tag EGRESS nat-to ($ExtIf:0) static-port
 match out log on $ExtIf from !($ExtIf:network) to any nat-to ($ExtIf:0)

### Packet normalization ( "scrubbing" )
### remove "min-ttl 64" if you need native traceroute functions or just use "traceroute -I" instead
 match log on $ExtIf all scrub (random-id min-ttl 64 set-tos reliability reassemble tcp max-mss 1440)

### $ExtIf inbound

pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port { smtp, 2525 }  $TcpState $SmtpSTO rdr-to $MxHost
pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port { 993, 465 } $TcpState rdr-to $MxHost
pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port { https, http } $TcpState rdr-to $WebHost
pass in log on $ExtIf inet proto udp from !($ExtIf) port $RtpPorts $UdpState
pass in log on $ExtIf inet proto udp from !($ExtIf) port $OpenVPNPort $UdpState
pass in log on $ExtIf inet proto tcp from ($PbxPeer) to ($ExtIf) port { 5060, 5080, 5090 } $TcpState rdr-to $PbxHost
pass in log on $ExtIf inet proto udp from ($PbxPeer) to ($ExtIf) port { 5060, 5080, 5090 } $UdpState rdr-to $PbxHost


 pass in log on $ExtIf inet proto tcp  from !($ExtIf) to ($ExtIf) port ssh  $TcpState $SshSTO
 pass in log on $ExtIf inet proto icmp from !($ExtIf) to ($ExtIf) $IcmpType  $UdpState
 pass in log on $ExtIf inet proto icmp from !($ExtIf) to ($ExtIf) $IcmpMTUd  $UdpState

### $ExtIf outbound
 pass out log on $ExtIf inet proto tcp  from ($ExtIf) to !($ExtIf) $TcpState $ExtIfSTO tagged EGRESS
 pass out log on $ExtIf inet proto udp  from ($ExtIf) to !($ExtIf) $UdpState $ExtIfSTO tagged EGRESS
 pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $ExtIfSTO tagged EGRESS
 pass out log on $ExtIf from ($ExtIf)

### $IntIf return (TCP reset) and log internal traffic
 block return log on $IntIf

### $IntIf inbound
 #pass in log on $IntIf inet proto tcp  from  $IntIf:network to !$IntIf port www    $TcpState $ExtIfSTO
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to !$IntIf port ftp    $TcpState $IntIfSTO divert-to 127.0.0.1 port $FtpPort  ##obsd 5.1
 pass in log on $IntIf

### $IntIf ftp secure proxy for LAN
 anchor "ftp-proxy/*" in on $IntIf inet proto tcp

### $IntIf outbound
 pass out log on $IntIf

 pass in log on vr1
 pass out log on vr1
#4
Old 6th September 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

If you look through the /etc/rc script, you will first see the default PF rules loaded, then the netstart(8) script gets called, and then your $pf_rules (default: /etc/pf.conf) file gets loaded. For OpenBSD 5.2, this starts at line #322 in /etc/rc.

Logically, it would appear to me that the interface should be available once the netstart script has completed, but it may take a second or two to establish the pseudo device. You might try appending a line with !sleep 2 to your hostname.pppoe0 file, to add a delay to permit the pseudo device time to be available to PF, and see if that works for you.

I'm not a PPPoE user, but over the years I've come to understand that the userland pppoe(8) is considerably easier to implement and manage than the kernel driver pppoe(4). FAQ 6 mentions both but describes pppoe(8) as being the "main" software interface. If you're unable to get kernel PPPoE working properly, you might see what the userland implementation may be able to do for you.
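An added example, not from any poster in this thread, that turns the `!sleep 2` idea above into an actual check: a script run from the last line of /etc/hostname.pppoe0 that waits until pppoe0 reports a PPP session before loading /etc/pf.conf, and sends any pfctl error to syslog so it is visible after boot (question 1 above). The script path, the log tag and the 30 second timeout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: load the full pf ruleset once pppoe0 has
# negotiated a PPP session rather than after a guessed fixed sleep. Assumed:
# saved as /etc/pf-pppoe-up.sh and run from the last line of /etc/hostname.pppoe0
# as "!/etc/pf-pppoe-up.sh". Names, log tag and timeout below are my choices.
EXTIF=${EXTIF:-pppoe0}
PF_CONF=${PF_CONF:-/etc/pf.conf}
MAX_WAIT=${MAX_WAIT:-30}   # seconds to wait before giving up

# Read ifconfig(8) output on stdin; succeed only when sppp reports
# "state: session" and a real IPv4 address is bound. Before negotiation the
# interface already shows "inet 0.0.0.0 --> 0.0.0.1", so the address line
# alone would be a false positive.
pppoe_session_up() {
    awk '/state: session/ { session = 1 }
         /inet [0-9.]+ -+> / && $2 != "0.0.0.0" { addr = 1 }
         END { exit !(session && addr) }'
}

# Poll the interface once a second; fail after MAX_WAIT seconds.
wait_for_session() {
    waited=0
    while [ "$waited" -lt "$MAX_WAIT" ]; do
        ifconfig "$EXTIF" 2>/dev/null | pppoe_session_up && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Syntax-check first: a rejected file leaves the restrictive boot-time default
# rules in place, and the pfctl error goes to syslog instead of vanishing.
load_ruleset() {
    if ! err=$(pfctl -nf "$PF_CONF" 2>&1); then
        logger -t pf-pppoe -p daemon.err "$PF_CONF rejected: $err"
        return 1
    fi
    pfctl -f "$PF_CONF" && logger -t pf-pppoe -p daemon.info "loaded $PF_CONF"
}

main() {
    wait_for_session || {
        logger -t pf-pppoe -p daemon.err "$EXTIF: no PPP session after ${MAX_WAIT}s"
        exit 1
    }
    load_ruleset
}
# Run main only when executed under the script's own name, so the functions
# can be sourced and exercised without touching pf.
case "${0##*/}" in pf-pppoe-up.sh) main "$@" ;; esac
```

Because hostname.if `!` commands run synchronously from netstart, boot waits at most MAX_WAIT seconds; on timeout the boot-time default rules simply stay in force and the failure is logged.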