pf-badhost
Hi, all.
At home, I manage a little server on OpenBSD:
- 3 DNS zones, with nsd
- a web service for one domain.
And to protect it a little, I am trying to use this project, "pf-badhost". No problem to install and configure. But when I activate its rules for PF, I am surprised that dig requests are not possible. (I added rules to exclude the LAN subnets in the install file.)
----
Before activating the PF rules:
Code:
$ dig @ns1.stephane-huc.net ebnh.fr.eu.org

; <<>> DiG 9.16.2-Debian <<>> @ns1.stephane-huc.net ebnh.fr.eu.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37696
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ebnh.fr.eu.org.                IN      A

;; ANSWER SECTION:
ebnh.fr.eu.org.         3600    IN      A       88.136.16.221

;; AUTHORITY SECTION:
ebnh.fr.eu.org.         3600    IN      NS      ns1.stephane-huc.net.
ebnh.fr.eu.org.         3600    IN      NS      ns2.he.net.
ebnh.fr.eu.org.         3600    IN      NS      ns3.he.net.
ebnh.fr.eu.org.         3600    IN      NS      ns4.he.net.
ebnh.fr.eu.org.         3600    IN      NS      ns5.he.net.

;; Query time: 4 msec
;; SERVER: 88.136.16.221#53(88.136.16.221)
;; WHEN: mer. mai 06 19:42:29 CEST 2020
;; MSG SIZE  rcvd: 168

Code:
$ dig @ns1.stephane-huc.net ebnh.fr.eu.org

; <<>> DiG 9.16.2-Debian <<>> @ns1.stephane-huc.net ebnh.fr.eu.org
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

My PF rules:
Code:
# pfctl -sr
match log all scrub (no-df random-id min-ttl 64 reassemble tcp max-mss 1440)
block drop in on ! lo inet6 from ::1 to any
block drop in on ! lo inet from 127.0.0.0/8 to any
block drop in inet6 from ::1 to any
block drop in on lo0 inet6 from fe80::1 to any
block drop in inet from 127.0.0.1 to any
block drop in on ! egress inet6 from 2001:470:cc33::/64 to any
block drop in on ! egress inet from 192.168.***.0/24 to any
block drop in on re0 inet6 from fe80::261c:4ff:fe08:8c05 to any
block drop in inet6 from 2001:470:cc33::3 to any
block drop in inet from 192.168.88.3 to any
anchor "relayd/*" all
(...)
block return in quick on egress from <pfbadhost> to any
block return out quick on egress from any to <pfbadhost>
(...)
block return log all
pass out all flags S/SA keep state (if-bound)
# and, below all others in and out pass (…)

If I write those rules after my pass in and pass out rules, as the final rules, I can query again with dig!
----
Any idea?!
Last edited by CiotBSD; 7th May 2020 at 03:07 AM.
pf-badhost is not in the ports tree. For support, contact the developer directly. https://www.geoghegan.ca/contact.html
pf uses a "last matching rule wins" strategy. You can circumvent this either by using the "quick" keyword or by reordering your ruleset.
These blocking rules at the beginning of your ruleset can be overridden by later rules:
Code:
block drop in on ! lo inet6 from ::1 to any
block drop in on ! lo inet from 127.0.0.0/8 to any
block drop in inet6 from ::1 to any
block drop in on lo0 inet6 from fe80::1 to any
block drop in inet from 127.0.0.1 to any
block drop in on ! egress inet6 from 2001:470:cc33::/64 to any
block drop in on ! egress inet from 192.168.***.0/24 to any
block drop in on re0 inet6 from fe80::261c:4ff:fe08:8c05 to any
block drop in inet6 from 2001:470:cc33::3 to any
block drop in inet from 192.168.88.3 to any

Code:
LQ = "log quick"

block drop in $LQ on ! lo inet6 from ::1 to any
block drop in $LQ on ! lo inet from 127.0.0.0/8 to any
block drop in $LQ inet6 from ::1 to any

In an SSH session to your server, run tcpdump(8) on the pflog0 interface.
Code:
# tcpdump -eni pflog0

An example on my firewall:
Quote:
BTW, usually blocking internal loopback traffic is a bad idea. That is why "set skip on lo0" exists.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
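Added example (not code from the thread or from pf-badhost): a small Python model of the evaluation order described above, where every rule is examined, the last match wins, and a matching "quick" rule stops the walk. It only models direction and source/destination tables, and the table contents and addresses are constructed documentation-range values, not the poster's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-in for the <pfbadhost> table (documentation range, not real data).
PFBADHOST = ["198.51.100.0/24"]

@dataclass
class Rule:
    action: str                        # "block" or "pass"
    direction: Optional[str] = None    # "in", "out" or None for both directions
    quick: bool = False
    src: Optional[List[str]] = None    # list of CIDRs (a pf table); None means "any"
    dst: Optional[List[str]] = None

def in_table(addr: str, table: Optional[List[str]]) -> bool:
    return table is None or any(ip_address(addr) in ip_network(n) for n in table)

def evaluate(rules: List[Rule], direction: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the rule that decided it), the way pf does it:
    rules are walked in order and the LAST matching rule wins, except that a
    matching rule marked "quick" ends the walk at once. With no match at all
    pf's implicit default is pass, reported here with index None."""
    verdict, decided_by = "pass", None
    for i, r in enumerate(rules):
        if r.direction not in (None, direction):
            continue
        if not (in_table(src, r.src) and in_table(dst, r.dst)):
            continue
        verdict, decided_by = r.action, i
        if r.quick:
            break
    return verdict, decided_by

# The shape of the thread's ruleset, reduced to what this model understands.
BADHOST_BLOCK = Rule("block", "in", src=PFBADHOST)             # no quick
BADHOST_BLOCK_QUICK = Rule("block", "in", quick=True, src=PFBADHOST)
PASS_IN_DNS = Rule("pass", "in")                                # "pass in ... port domain" from any
PASS_OUT = Rule("pass", "out")

BAD_CLIENT, GOOD_CLIENT, SERVER = "198.51.100.7", "203.0.113.9", "192.0.2.53"

def block_first_no_quick():   # overridden by the later pass rule
    return evaluate([BADHOST_BLOCK, PASS_OUT, PASS_IN_DNS], "in", BAD_CLIENT, SERVER)

def block_first_quick():      # quick makes the block stick
    return evaluate([BADHOST_BLOCK_QUICK, PASS_OUT, PASS_IN_DNS], "in", BAD_CLIENT, SERVER)

def block_last_no_quick():    # reordering: block is now the last match
    return evaluate([PASS_OUT, PASS_IN_DNS, BADHOST_BLOCK], "in", BAD_CLIENT, SERVER)

def good_client_quick():      # a host not in the table still reaches the pass rule
    return evaluate([BADHOST_BLOCK_QUICK, PASS_OUT, PASS_IN_DNS], "in", GOOD_CLIENT, SERVER)
```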
In my first post, the view of the rules is the output of `pfctl -sr`.
I will investigate as you recommend, @J65nko. Actually, I put the PF rules for pf-badhost at the end.
---
My PF rules as written:
Code:
auth_tcp_ports = "{ domain http 25 }"
auth_tcps_ports = "{ https smtp 587 }"
auth_udp_ports = "{ domain ntp mdns }"
dns_port = "domain"
ssh_port = "247"
host = "192.168.***.3"
host6 = "2001:470:cc33::3"
ntwk = "192.168.***.0/24"
ntwk6 = "2001:470:cc33::/64"
aoks = "allow-opts"
fks = "flags S/SA keep state"
fms = "flags S/SA modulate state"
icmp_auth = "{ 8 11 12 }"
icmp_block = "{ 4 6 15 16 17 18 31 32 33 34 35 36 37 38 39 }"
icmp6_auth = "{ unreach, toobig, timex code 0, timex code 1, paramprob code 1, paramprob code 2, echoreq, routeradv, neighbrsol, neighbradv }"
icmp6_block = "{ 100 101 127 138 139 140 144 145 146 147 150 200 201 }"
icmp6_in = "{ redir }"
icmp_sto = "(max-src-conn-rate 10/1)"
ssh_sto = "(max-src-conn 10, max-src-conn-rate 10/60, overload <t_abuse_ssh> flush global)"

table <abuse_ssh> counters persist
table <t_adm> const { 192.168.***.1 192.168.***.47 192.168.***.147 }
table <t_adm6> const { fd**:c107:b5d:1::47 fd**:c107:b5d:1::147 }
table <auth_lan> const { 192.168.**.0/24 192.168.***.0/24 }
table <pfbadhost> persist file "/etc/pf-badhost.txt"

set block-policy return
set fingerprints "/etc/pf.os"
set loginterface egress
set optimization normal
set reassemble yes
set ruleset-optimization profile
set skip on lo
set state-policy if-bound
set timeout { tcp.established 600, tcp.closing 60 }

match log all scrub (max-mss 1440 min-ttl 64 no-df random-id reassemble tcp)

antispoof for egress

anchor "relayd/*"

block drop quick log on egress inet6 proto icmp6 icmp6-type $icmp6_block
block drop quick on egress inet proto icmp icmp-type 3 code 6
block drop in quick on egress inet proto icmp icmp-type 3 code 7
block drop quick on egress inet proto icmp icmp-type 3 code 8
block drop quick on egress inet proto icmp icmp-type $icmp_block
block drop in quick log on egress proto tcp from <abuse_ssh> to egress port 22 label "ssh brute"
block drop in quick on egress inet6 from { urpf-failed no-route } to any
block drop quick on egress inet6 from any to { no-route }
block drop in quick on egress inet from { urpf-failed no-route } to any
block drop quick on egress inet from any to { no-route }
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild
block in log on egress inet proto { tcp udp } from any to ! egress port 53
block in log on egress proto tcp to egress port 11211

block log
pass out

# in/out icmpv6
pass quick on egress inet6 proto icmp6 icmp6-type $icmp6_auth $aoks
pass in quick on egress inet6 proto icmp6 icmp6-type $icmp6_in $aoks

# in icmp
pass in quick on egress inet proto icmp from any to egress icmp-type 3 code 3 $aoks $icmp_sto
pass in quick on egress inet proto icmp from any to egress icmp-type $icmp_auth $aoks $icmp_sto

# out icmp
pass out quick on egress inet proto icmp from egress to any icmp-type 3 code 3 $aoks $icmp_sto
pass out quick on egress inet proto icmp from egress to any icmp-type $icmp_auth $aoks $icmp_sto

# in admin hosts
pass in quick on egress inet proto tcp from <t_adm> to $host $fms
pass in quick on egress inet6 proto tcp from <t_adm6> to $host6 $fms
pass in quick log on egress inet proto tcp from <t_adm> to $host port $ssh_port $fms
pass in quick log on egress inet6 proto tcp from <t_adm6> to $host6 port $ssh_port $fms

# in 80
pass in quick log on egress inet proto tcp to $host port 80 $fms
pass in quick log on egress inet6 proto tcp to $host6 port 80 $fms

# in 50
pass in quick on egress proto tcp from any to { $host $host6 } port $dns_port $fms
pass in quick on egress proto udp from any to { $host $host6 } port $dns_port $aoks

# out 50
pass out on egress proto tcp from { $host $host6 } to any port $dns_port $fms
pass out on egress proto udp from { $host $host6 } to any port $dns_port $aoks

# out auth others port
pass out on egress proto tcp from egress to any port $auth_tcp_ports $fms
pass out on egress proto tcp from egress to any port $auth_tcps_ports $fms
pass out on egress proto udp from egress to any port $auth_udp_ports $aoks

block in quick on egress from <pfbadhost>
block out quick on egress to <pfbadhost>