DaemonForums > OpenBSD > OpenBSD Security

#1
10th November 2010
thefronny

I can see jailed apache but the world cannot

I have an OpenBSD/pf firewall between my DSL router and the internal LAN. I'm new to pf but I figured everything out except world access to a jailed apache server. The layout is pretty much this (I have deleted my attempt to serve the webserver since it wasn't working. Deleting it had no effect.):

Quote:
(123.456.789.101) static address
dsl router
(10.0.0.1)
|
(10.0.0.2)
firewall
(192.168.1.1)
|
(192.168.1.2)
server ---->jailed apache(192.168.1.13)
I can ping and ssh into the jail fine, just like it was a different box, and I can jexec into it when I'm on the host box. The router forwards ssh login requests to the firewall, and that works, and http requests to the jail IP address; that doesn't work. Everything else is refused. All the machines in the internal network can get pages served from the jailed apache, and also pages from an apache process running on the jail's host, but the internet cannot get the jailed pages. What rule do I need? Everything else is OK. My pf.conf is below. It is by and large trial-and-error and cut-and-paste:

Code:
## Macros

ext_if="fxp0"
int_if="xl0"
internal_net="192.168.1.0/24"

##================================
## Tables

table <brutes> persist file "/var/db/brutes"

##================================
## Options

# Set the default policy to return RSTs or ICMPs for blocked traffic.
set block-policy return

# Optimize parsing algorithms
set optimization normal

# Ignore the loopback interface entirely.
set skip on lo0

# Check for address spoofing
antispoof for fxp0 inet

##================================
## Normalize

match log on $ext_if all scrub (random-id min-ttl 254 set-tos lowdelay reassemble tcp max-mss 1460)

##================================
## Translation

match out on egress from $int_if:network to any nat-to (egress)

##================================
## Filtering

# Default deny rule, with all blocked packets logged.
block log all

# Drop the infected IP addys without further ruleset parsing,
block in quick log on $ext_if from <brutes> to any

# Add persistent ssh login attempts to the brutes table (10 per source IP, 2 attempts in 5 sec. max.)
pass in on $ext_if proto tcp to port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 2/5, overload <brutes> flush)

# Outgoing POP3 to receive mail
pass out on $ext_if proto tcp from $internal_net to any port = 110 keep state

# Outgoing SMTP to send mail
pass out on $ext_if proto tcp from $internal_net to any port = 25 keep state

# Pass all traffic to and from the local network
pass quick on $int_if all

# Permit all traffic going out
pass out keep state


##================================
Thanks for any pointers.

tf
#2
10th November 2010
jggimi

You have a default block, and no pass in rules from $ext_if.

Since you do block log, you should be able to see incoming packets being blocked by your default rule with tcpdump(8).
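Added example, written for this page and not posted by either thefronny or jggimi: a pf.conf fragment with the pass-in rule the ruleset above lacks, in the OpenBSD 4.7+ syntax the poster's own `match ... nat-to` line already uses. It shows the two forms the rule can take depending on what the DSL router does with the forwarded port, and the pflog/pfctl checks that tell which one applies. The macro `jail_ip`, the use of port 80 rather than a service name, and the assumption in the first form that the router reaches 192.168.1.0/24 via 10.0.0.2 are mine, not the thread's.

```pf
## Added example, not from the thread. Macros follow the poster's naming;
## jail_ip is assumed from the diagram in the first post.
ext_if="fxp0"
int_if="xl0"
jail_ip="192.168.1.13"

## Both forms go AFTER "block log all": pf evaluates last matching rule wins
## (unless "quick"), so a pass placed below the default block overrides it.
## Keep only the form that matches your router; delete the other.

## Form A: the router forwards TCP/80 directly to 192.168.1.13 and has a route
## to 192.168.1.0/24 via the firewall at 10.0.0.2 (assumed here). The SYN then
## arrives on fxp0 already addressed to the jail; it only needs to be let in.
## The state created by this rule also carries the replies back out, and the
## poster's "pass quick on $int_if all" passes it toward the jail on xl0.
pass in on $ext_if inet proto tcp from any to $jail_ip port 80

## Form B: the router forwards TCP/80 to the firewall's own address (10.0.0.2),
## the way it already does for ssh. Then the firewall must both allow the
## connection and redirect it. The rule matches the original destination
## (the firewall) and rdr-to rewrites it to the jail before forwarding.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 rdr-to $jail_ip

## Telling the forms apart: the default rule logs, so the rejected SYN shows up
## on pflog0 with the destination the router actually used. Fetch the page
## from outside while watching:
##   tcpdump -n -e -ttt -i pflog0 port 80
## Syntax-check, then load:
##   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
## After a client connects, the state should be visible:
##   pfctl -ss | grep ':80'
```

With `set block-policy return`, a connection hitting the default block gets a RST, which is exactly the "refused" behaviour the first post describes; once the pass rule is in place the `tcpdump` on pflog0 should stop showing port 80 entries for the jail.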