DaemonForums  

OpenBSD Security: Functionally paranoid!

#1
Old 7th December 2019
victorvas
Real Name: Victor
Fdisk Soldier
 
Join Date: May 2019
Posts: 73
A little help with PF?

Hello!
OpenBSD 6.6
We have a local network connected to a bridge, and only 192.168.1.2 must be allowed SSH connections, and only user admin must be allowed to connect via SSH. Also we would like to limit bandwidth for admin if that's possible.
#2
Old 8th December 2019
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,065

Quote:
Originally Posted by victorvas
...only 192.168.1.2 must be allowed SSH connections...
Inbound or Outbound?
Quote:
... and only user admin must be allowed to connect via SSH.
Filtering by user or group can only be done for packets that originate on or are destined for the system that is running PF. If the system is acting as a router, user or group filtering is not possible. Group and user filtering is determined by the group/user of the process transmitting or the process listening.
Quote:
Also we would like to limit bandwidth for admin if that's possible.
Certainly, but only for outbound traffic. Arriving traffic cannot be queued; it is processed on arrival.
#3
Old 8th December 2019
victorvas
Real Name: Victor
Fdisk Soldier
 
Join Date: May 2019
Posts: 73

Thanks!
Quote:
Originally Posted by jggimi
Inbound or Outbound?
The bridge must accept SSH from admin's PC (192.168.1.2), so it's inbound.
#4
Old 8th December 2019
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,065

Here is a PF configuration that passes everything except inbound SSH from systems other than 192.168.1.2, applying general rules first then applying more specific rules, as the last matching rule wins.
Code:
# this is the address of the admin's workstation:
admin = "192.168.1.2"

# default pass:
pass log all

# block inbound ssh:
block log proto tcp from any to self port ssh

# pass inbound ssh from $admin:
pass log proto tcp from $admin to self port ssh
If you want to add queuing, you can either queue by priority or bandwidth. Queuing will only be applied when there is contention for resources. See the QUEUEING section of the pf.conf(5) man page for examples. (Yes, it's spelled that way).
#5
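For the bandwidth cap victorvas asked about, here is the ruleset from post #4 extended with an outbound queue, as an added example that is not jggimi's code or an excerpt from pf.conf(5); the interface name em0 and the bandwidth figures are assumptions to be replaced with the bridge member that carries the admin's traffic.

```pf
# Added example: post #4's ruleset plus an outbound bandwidth cap for the
# admin's SSH session. em0 and the bandwidth values are assumptions.
admin = "192.168.1.2"
ssh_if = "em0"

# Queues are defined on an interface and shape only packets leaving it;
# inbound packets are processed on arrival and cannot be queued.
queue rootq on $ssh_if bandwidth 100M
queue std parent rootq bandwidth 95M default
queue adminssh parent rootq bandwidth 2M max 2M

# default pass:
pass log all

# block inbound ssh from everyone...
block log proto tcp from any to self port ssh

# ...then allow only the admin's workstation (last matching rule wins).
# The queue is attached to the state, so sshd's reply packets leaving
# $ssh_if are capped at 2M; the queue has no effect on arriving packets.
pass log proto tcp from $admin to self port ssh set queue adminssh
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; the parse step catches a missing default queue or a queue referenced by a rule but never defined.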
Old 9th December 2019
victorvas
Real Name: Victor
Fdisk Soldier
 
Join Date: May 2019
Posts: 73

Thanks!
Tags
ssh admin pf