DaemonForums > OpenBSD > OpenBSD Security

#1
Old 26th August 2011
tomp
Real Name: Tom Purvis
Local Area Nitwit
Join Date: Aug 2011
Location: Colorado
Posts: 17
pf interfering with local lan peer communication

After a couple weeks of installing/configuring OpenBSD 4.9, learning about PF, testing pf.conf rules on a closed test network, last night the boss and I stayed late to put it into place as our firewall when we could do it without disrupting normal operations. It took about four hours to root out our gremlins and get all the critical stuff working. It was good, I left last night feeling like the past couple weeks had been worth the furrowed brow.

We are a mail order outfit. My boss and I are the IT department. We run an application supplied by UPS called Worldship. We use a multi-node version of it that has an MS SQL Server DB at its core. The nodes talk to that central machine more or less as peers, and all of them talk to the mothership through the 'net.

We are in a busy season, and today after I'd been here a couple hours I got word from the warehouse that the main Worldship box was working but that none of the peer nodes were; they threw an error about not being able to connect to the MS SQL Express DB. Now, this multi-node version of Worldship is pretty brittle. We used to use a single node version and it was much less complicated, but we needed more nodes to scale our operation.

As it was failing I watched tcpdump and saw some blocked communications coming in from outside on various obscure ports, and I wrote rules to pass them as I saw them. (UPS says that you only need 1433/1434 and 443 open). I was able to write pass rules to get all of those log entries to go away, and still the trouble persisted. I tried writing a quick rule or two to be sure that nothing was jacking around with internal LAN communications. No dice. Finally I actually commented out the "block log all" statement that is my first rule. When I ran pfctl verbose, none of the output said "block". No. Dice.

We had no choice but to take the OpenBSD box out of the way and put things back as they were before 6 PM yesterday. Worldship worked on all nodes immediately.

Very disappointing.

While I was at lunch, muttering and grinding my teeth, it occurred to me that the NAT rule could be dicking around with my internal communications.

match out on $ext_if from $localnet nat-to ($ext_if)

It occurred to me that perhaps before the nat-to rule I should have a quick rule that says something like:

do not dick around quick on { $int_if, $localnet } rdr-to $go_foff_yourself

(or more seriously)

pass inet quick on $int_if from $localnet

Something like that anyway.

I'm grumpy. I'm sure it shows in this post. If you are inclined to ignore the grumpy, I understand. But I'm hoping to have a pretty strong guess or two up my sleeve next time we break the whole network to get this %&#$&ing thing back in production. If you can add any ideas or throw me a clue, I'd appreciate it. Very much.

Last edited by tomp; 26th August 2011 at 07:55 PM.
#2
Old 28th August 2011
J65nko
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,598

I am as surprised as you that the OBSD router/firewall somehow prevents access to the peer nodes.

If you have a block log all statement, all blocked connection attempts will show up on the pflog0 device. You can run tcpdump on pflog0 to watch these blocked packets. See pflog(4).

You could configure a spare box as a bridge as per http://www.openbsd.dk/faq/faq6.html#Bridge. This allows you to watch the traffic with tcpdump without disturbing anything.

Place this box between a peer node and the switch and you can watch/dump the traffic transparently, in other words without affecting the traffic in any way.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
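As an added example (not from the thread and not code posted by anyone in it) of what J65nko's pflog0 suggestion yields in practice, and of one way to answer tomp's question of which rule is actually doing the blocking: a small POSIX shell script that summarises `tcpdump -n -e -ttt -i pflog0` output by rule number, direction, interface and destination port, and lists the LAN hosts whose packets were blocked on the internal interface. The sample lines, the addresses, the interface names (em0 as external, em1 as internal) and the rule numbers are all constructed for the example; on a real box you would save the tcpdump output to a file and pass its contents to the two functions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what pf is blocking from
# "tcpdump -n -e -ttt -i pflog0" output, so the rule number, direction,
# interface and destination port of every blocked packet are visible at a
# glance. Addresses, interface names and rule numbers below are constructed.

# Constructed sample lines approximating pflog0 tcpdump output with -e
# (rule number and action shown). em0 = hypothetical external interface,
# em1 = hypothetical internal interface, 192.168.1.10 = hypothetical DB host.
SAMPLE_PFLOG='Aug 26 13:02:11.000001 rule 0/(match) block in on em1: 192.168.1.50.52345 > 192.168.1.10.1433: S 1:1(0) win 8192
Aug 26 13:02:11.000340 rule 0/(match) block in on em1: 192.168.1.51.52346 > 192.168.1.10.1433: S 1:1(0) win 8192
Aug 26 13:02:12.000221 rule 0/(match) block in on em0: 203.0.113.9.4444 > 198.51.100.2.22: S 1:1(0) win 8192
Aug 26 13:02:12.000500 rule 7/(match) pass out on em0: 198.51.100.2.40001 > 203.0.113.20.443: S 1:1(0) win 8192
Aug 26 13:02:13.000010 rule 0/(match) block in on em1: 192.168.1.50.49160 > 192.168.1.10.1434: udp 28'

# blocked_summary TEXT
# Prints one line per (rule, direction, interface, destination port) with a
# count of blocked packets. Fields are located relative to the "rule" token,
# so the timestamp format in front of it does not matter.
blocked_summary() {
    printf '%s\n' "$1" | awk '
        {
            r = 0
            for (i = 1; i <= NF; i++) if ($i == "rule") { r = i; break }
            if (r == 0 || $(r + 2) != "block") next
            rule = $(r + 1); sub("/.*", "", rule)      # "0/(match)" -> "0"
            dir = $(r + 3)
            iface = $(r + 5); sub(":$", "", iface)     # "em1:" -> "em1"
            dst = $(r + 8); sub(":$", "", dst)         # strip trailing colon
            n = split(dst, p, "."); port = p[n]        # last component is the port
            key = "rule " rule " " dir " on " iface " to port " port
            count[key]++
        }
        END { for (k in count) printf "%s: %d\n", k, count[k] }' | sort
}

# blocked_lan_hosts TEXT IFACE
# Lists the distinct source hosts whose packets were blocked inbound on IFACE,
# i.e. which LAN machines the firewall is actually interfering with.
blocked_lan_hosts() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            r = 0
            for (i = 1; i <= NF; i++) if ($i == "rule") { r = i; break }
            if (r == 0 || $(r + 2) != "block" || $(r + 3) != "in") next
            iface = $(r + 5); sub(":$", "", iface)
            if (iface != want) next
            src = $(r + 6)
            n = split(src, p, ".")                      # last component is the port
            host = substr(src, 1, length(src) - length(p[n]) - 1)
            print host
        }' | sort -u
}

# Stand-alone demonstration on the constructed sample.
blocked_summary "$SAMPLE_PFLOG"
blocked_lan_hosts "$SAMPLE_PFLOG" em1
```

The "rule N" in the summary maps back to pf.conf through `pfctl -vvsr`, which prints the loaded rules with their numbers; only rules carrying `log` write to pflog0, which is why a `block log all` rule is the one that shows up. Any entries at all on the internal interface also tell you that the peer traffic is passing through the firewall rather than staying on the switch, which is worth knowing before touching the NAT rule.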
#3
Old 29th August 2011
cybergaurd
New User
Join Date: Aug 2011
Posts: 1

You can use pftop and apply filters to inspect any connection.
#4
Old 2nd September 2011
wimwauters
Port Guard
Join Date: Aug 2008
Posts: 36

Wouldn't it make sense to set up permanent VPN tunnels (with an OpenBSD box at each end) between your sites? It would save you a lot of trouble and would also encrypt your network data...