OpenBSD Security Functionally paranoid! |
DD, sorry to give you wrong info. I can DNS lookup just fine, but I'm getting a 'no route to host' error, so my routing is messed up when pf is enabled. Here's the error:
Code:
Begin dump of root
DUMP: Date of this level 0 dump: Wed Sep 9 00:05:02 2009
DUMP: Date of last level 0 dump: the epoch
DUMP: Dumping /dev/rwd0a (/) to standard output
DUMP: mapping (Pass I) [regular files]
DUMP: mapping (Pass II) [directories]
DUMP: estimated 46424 tape blocks.
DUMP: Volume 1 started at: Wed Sep 9 00:05:02 2009
DUMP: dumping (Pass III) [directories]
DUMP: dumping (Pass IV) [regular files]
DUMP: 46805 tape blocks
DUMP: Date of this level 0 dump: Wed Sep 9 00:05:02 2009
DUMP: Volume 1 completed at: Wed Sep 9 00:05:31 2009
DUMP: Volume 1 took 0:00:29
DUMP: Volume 1 transfer rate: 1613 KB/s
DUMP: Date this dump completed: Wed Sep 9 00:05:31 2009
DUMP: Average transfer rate: 1613 KB/s
DUMP: level 0 dump on Wed Sep 9 00:05:02 2009
DUMP: DUMP IS DONE
curl: (7) Failed to connect to 192.168.0.200: No route to host
You are blocking ICMP traffic, as part of your default block rule. You may want it, as it would allow ping, traceroute, and similar information to flow unimpeded.
It is not clear, from your last post, what platform you were running your failed curl command from, and the path it would take to connect to 192.168.0.200. Were you running this from the firewall, or from another platform on the network that connects to 0.200 *through* the firewall? If it is going through your router, did you enable the IP forwarding sysctl? Does the curl connection function correctly when pf is disabled?
Do I understand the curl failure's topology to be:
Code:
[Router]
   |
[network with both the sending and receiving servers]
In order to communicate via IP on the same network, they must have addresses in the same IP subnet. E.g.: if the receiving box at 192.168.0.200 is using the netmask 255.255.255.0, also known as a /24 block, then the sending box needs to have an address in the same block, somewhere between 192.168.0.1 and 192.168.0.254. If a different netmask is used, the range of addresses in the subnet will expand or contract accordingly.
If I've misunderstood, please clarify your topology and addressing, which are guesses, since you haven't articulated it clearly.
pf enabled:
Code:
$ ping 192.168.0.200
PING 192.168.0.200 (192.168.0.200): 56 data bytes
ping: sendto: No route to host
ping: wrote 192.168.0.200 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 192.168.0.200 64 chars, ret=-1
--- 192.168.0.200 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
pf disabled:
Code:
$ ping 192.168.0.200
PING 192.168.0.200 (192.168.0.200): 56 data bytes
64 bytes from 192.168.0.200: icmp_seq=0 ttl=64 time=0.405 ms
64 bytes from 192.168.0.200: icmp_seq=1 ttl=64 time=0.210 ms
--- 192.168.0.200 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.210/0.307/0.405/0.099 ms
My network is simple: both servers are behind my router/firewall. I just want to add an additional layer of protection on my obsd mail server. Thanks, I'll add ftp to my ruleset if it's not there.
Last edited by revzalot; 9th September 2009 at 04:28 PM.
Revised but haven't tested yet.
Code:
ext_if="re0"
tcp_services = "{ssh, ftp, sftp, imap, imaps, smtp, 587, pop3 \
                 domain, ntp, www, http, https}"
udp_services= "{domain, ntp}"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"

set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble

block return in log all
block log out all

antispoof quick for $ext_if

pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services

# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port smtp flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port https flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port pop3 flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state

pass inet proto icmp all icmp-type $icmp_types keep state
Sigh.
Here are my guesses:
Guess #1: Both servers are on the same physical infrastructure.
If these guesses are wrong, it's because your information continues to be misleading / unclear / incomplete. If you want better guesses, or responses that are actual answers, you will have to provide better info.
I just noticed that these various pf.conf rule sets only have one NIC, $ext_if (re0). Assuming, for the moment, that there is a second NIC, there are no pass in rules for its traffic. All traffic initiated on a local LAN (assuming there is one) will be blocked, except for the limited set of ICMP traffic added to your second pf.conf example.
The pf rules above are not for my firewall/router. They're for my openbsd mail/web server.
Code:
router/firewall - openbsd ( pf works fine)
        |
        |
      switch <----> 192.168.0.200 file server
        |
        |
        |
mail/server - openbsd ( pf stated above ) *

* this is on the same subnet as my file server.
OK.
Let's start over, and have you spoon feed us information, since every time you reply, we get different, and yet still incomplete information. So I'll ask a few initial, basic questions, and you provide answers. OK?
1. What is the IP address and netmask of your mail server?
2. What is the netmask of your file server at 0.200?
3. a) Is your failure to ftp occurring when you try to connect from your mail server? Yes or no? If no,
   b) was it when you were trying to connect from your router/firewall to your file server? Yes or no? If no,
   c) what is the IP address and netmask of the device you failed-to-connect with?
Start with those three questions. Good luck.
1. 192.168.0.4 netmask 255.255.255.0
2. 255.255.255.0
3. a) no
   b) no, with pf disabled, I can ftp from .4 to .200
   c) 192.168.0.200 netmask 255.255.255.0
I still have no clarity about what system you were trying to connect to 0.200 with and getting failures. Your answers to #3 were unhelpful:
For 3a you stated that you did not have trouble connecting to the file server (0.200) from the mail server (0.4).
So, giving up, forever, and making the assumption that your mail server and its individual PF configuration is the source of your problem, log onto it and use:
Code:
# tcpdump -neti pflog0 action block
That will show you, in real time, what type of IP traffic is being blocked, if you manage to retain the "log" options in your two block rules. What's critical for repairing the problem is for you to understand what traffic is being blocked, why that traffic is necessary, then writing appropriate pass rules. I won't try to help you any further.
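As an added example (not code from any post in this thread), the sh/awk helper below summarises the output of `tcpdump -neti pflog0 action block` into blocked flows and prints a candidate stateful pass rule for each, which is the step jggimi describes above: see what is blocked, then write the pass rules the ruleset is missing. Note that pf reports a locally generated packet it has blocked to the sending socket as EHOSTUNREACH, which is the "No route to host" that ping and curl printed earlier, so it is a filtering problem rather than a routing one. The log lines are constructed to resemble pflog tcpdump output and are assumptions, as is the interface name re0.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -neti pflog0 action block` output (an assumption,
# not a real capture): a mail server at 192.168.0.4 reaching for the file server at .200.
SAMPLE_PFLOG='rule 2/(match) block out on re0: 192.168.0.4.24351 > 192.168.0.200.21: S 10:10(0) win 16384 <mss 1460> (DF)
rule 2/(match) block out on re0: 192.168.0.4.24352 > 192.168.0.200.21: S 11:11(0) win 16384 <mss 1460> (DF)
rule 2/(match) block out on re0: 192.168.0.4 > 192.168.0.200: icmp: echo request
rule 1/(match) block in on re0: 192.168.0.200.20 > 192.168.0.4.49153: S 12:12(0) win 16384 <mss 1460> (DF)
rule 2/(match) block out on re0: 192.168.0.4.3240 > 192.168.0.1.53: 4567+ A? www.example.com. (33)'

# Reads pflog lines on stdin and prints "count dir iface proto dst-host dst-port",
# busiest flow first, so the pass rules the ruleset is missing stand out.
summarize_blocks() {
    awk '
    $1 == "rule" && $3 == "block" {
        dir = $4; ifc = $6; sub(/:$/, "", ifc)
        dst = $9; sub(/:$/, "", dst)
        if ($10 == "icmp:") {
            proto = "icmp"; host = dst
            port = ($11 == "echo" && $12 == "request") ? "echoreq" : "-"
        } else {
            n = split(dst, a, ".")             # host.port, or a bare host
            if (n == 5) { host = a[1] "." a[2] "." a[3] "." a[4]; port = a[5] }
            else        { host = dst; port = "-" }
            # TCP segments show flags (S, P, F, R, .) right after the dst;
            # UDP shows a payload decode (e.g. a DNS query) instead.
            proto = ($10 ~ /^[SPFR.]+$/) ? "tcp" : "udp"
        }
        count[dir " " ifc " " proto " " host " " port]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Turns each summary line into a candidate stateful pass rule for pf.conf.
# Review each one first: a rule this narrow only covers exactly what was logged.
suggest_pass_rules() {
    awk '{
        dir = $2; ifc = $3; proto = $4; host = $5; port = $6
        if (proto == "icmp")
            printf "pass %s on %s inet proto icmp to %s%s keep state\n", dir, ifc, host,
                   (port == "-" ? "" : " icmp-type " port)
        else
            printf "pass %s on %s proto %s to %s port %s keep state\n", dir, ifc, proto, host, port
    }'
}

printf '%s\n' "$SAMPLE_PFLOG" | summarize_blocks
printf '%s\n' "$SAMPLE_PFLOG" | summarize_blocks | suggest_pass_rules
```

On the real host, replace the sample with `tcpdump -neti pflog0 action block | summarize_blocks` and treat the suggested rules as a starting point to narrow or widen by hand.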
In the future, please volunteer as much information as possible, revzalot; otherwise you're forcing us to guess how you've configured your systems after installation.
Nobody here has to take the time and effort to search your previous posts to get an outlook of your network topology; it's simply unreasonable to assume we will. In the future, think of this forum as a proverbial dump(8) site.. nobody will complain if you give them too much information, although be sure not to leak any sensitive information if you're employed by someone. Here is a partial list of information that should be included when reporting routing/networking issues:
You scared off jggimi, a long-time member of this forum.. perhaps this will open your eyes to your communication deficiencies.. It is simply unfair to paint half of a picture and leave the rest of it up to our imaginations. Good luck.