DaemonForums > OpenBSD > OpenBSD Security (Functionally paranoid!)

Thread: 2 gateways

#1, 30th July 2019, calanon (Port Guard; Join Date: Jul 2019; Posts: 38)

I have a little problem that I cannot seem to figure out.

Client A machine 10.31.0.20
BSD ext_if 10.31.0.25 gateway 10.21.0.252
BSD int_if 10.10.0.10
Client B inside 10.10.0.0/16 network = 10.10.0.12 gateway on this client is 10.10.0.100

When I try to ssh to client B from client A I cannot log in at all. When I change the gateway for client B to 10.10.0.10 it works, but client B also needs 10.10.0.100 because this is its route out of the network.

pf is set to pass only for the moment, for testing.

#2, 30th July 2019, jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 6,819)

I'm missing some information, again, or, I cannot make sense of your described network topography. Please draw an ASCII "graphic" showing your subnets and interface connections.

In particular:
  1. You are not showing a CIDR or netmask for your 10.31 network.
  2. You reference a 10.21 address as a gateway but I'm confused about your terminology as well as your topography.
This is based on your description, but it must not be correct, so please re-draw it showing how you have things actually configured.
Code:
[A-10.31.0.20] - {10.31} - [10.31.0.25-BSD-10.10.0.10] - {10.10/16} - [10.10.0.12-B]
                                                               |
                                                       [GW-10.10.0.100]
                                                               |
                                                      {other networks}

#3, 30th July 2019, calanon

Quote: Originally Posted by jggimi (post #2 above, quoted in full)
Actually after reading your reply I decided to go with a different model:

These are my rules so far:

pf.conf
Code:
### Variables ###

extif="em0"
intif="em1"
icmp_types="{ echoreq, unreach }"
# RDP given numerically (3389): "rdp" is not a service name in every /etc/services
allowed_tcp_ports="{ ssh, https, 3389 }"

set block-policy drop
set loginterface $extif
set skip on lo
table <authpf_users> persist

### Block all Incoming Traffic  ###

block all

# ICMP, and the authpf SSH login, to the router's external address
pass in on $extif inet proto icmp all icmp-type $icmp_types keep state
pass in on $extif proto tcp to $extif port $allowed_tcp_ports

pass in on $intif inet proto icmp all icmp-type $icmp_types keep state
pass out on $extif inet proto icmp all icmp-type $icmp_types keep state

### Authpf per user IP rules from /etc/authpf/authpf.rules ###

anchor "authpf/*"

#pass proto tcp to any port $allowed_tcp_ports
authpf.rules
Code:
# RDP given numerically (3389): "rdp" is not a service name in every /etc/services
allowed_tcp_ports="{ ssh, https, 3389 }"
icmp_types="{ echoreq, unreach }"
int_if="em1" ## vlan10
ext_if="em0" ## vlan21
# $user_ip is set by authpf(8) to the address of the authenticated SSH client
pass proto tcp from $user_ip to any port $allowed_tcp_ports
# subsumed by the rule above, which already matches both directions on every interface
pass in on $ext_if proto tcp from $user_ip to any port $allowed_tcp_ports
You may be familiar with this ruleset. I realised that I was going in the wrong direction with my last post, therefore I will explain further what I am trying to achieve.

1. As you can see, authpf allows the client machine to SSH into the locked-down network. But I also want the servers inside the locked-down network to be able to SSH out to any server outside the network. I have been going around in circles for the past 2 hours and cannot get it to work.

#4, 30th July 2019, jggimi

I provided a possible solution in your pf rules thread. You did not continue the discussion there.

Unfortunately, without a better description of your subnets and topology, I don't have enough information to offer any new proposals.

From your post number 1 in this thread -- which is now no longer what you have -- it was possible that Client B had an incorrect netmask. But I was unsure, because you didn't provide enough information and I didn't want to post that without more information.

Your post number 3 also doesn't provide a clear picture of your topology. It's a repeat of what you'd posted in your authpf thread.

If you can't diagram your topology, then please:
  • List every local subnet you have defined. Provide a network address in CIDR format, such as 10.10.10/24 or 192.168/16.
  • List each router you have defined. List each subnet these are connected to. There will be at least two subnets. If a router you control is connected to an Internet subnet provided by an ISP, you can define its Internet-facing network as just an "internet" subnet; you should keep your internet-facing address(es) private.
  • If you have two or more internet-facing subnets, number them internet-1, internet-2, so that we know they are different.

Last edited by jggimi; 30th July 2019 at 04:43 PM. Reason: changed "authpf" to "pf rules" as highlighted

#5, 30th July 2019, calanon

Quote: Originally Posted by jggimi (post #4 above, quoted in full)
Thank you for your reply. Here is my attempt:

Code:
[A-10.31.0.20] - {10.31} - [10.31.0.25-BSD-10.10.0.10] - {10.10/16} - [10.10.0.12-B]
                                                               |
                                                       [GW-10.10.0.10]
                                                               |
                                                       {other networks}

It is much the same as you made it, with a change in the gateway.

On the BSD machine there is a static route (route add -net 192.168.5.0/24 10.10.0.1).

The IP GW 10.10.0.1 is another router outside the internal network.

So to be able to reach "A" from "B" you ssh via 10.10.0.10; authpf then takes care of the access control upon successful login. Then you are able to SSH directly to 10.31.0.21 from your client "B".

Also, once logged into client "A", I need to be able to SSH to any other machine outside the network, like the following:

Code:
[A 10.31.0.20] - - [10.31.0.25-BSD-10.10.0.10] - [GW 10.10.0.1] - [192.168.5/24]

The network from 10.10.0.1 is vlan routed on a router.

What is important is that no one can use SSH to client "A" without authpf.

I hope this makes a lot more sense now.

#6, 30th July 2019, jggimi

I still have unanswered questions, because I am still confused by your topology descriptions.

While I still don't know the CIDR or netmask for your 10.31 network, you have stated twice that the 10.10 is a /16. You have a route added to the BSD router to reach the 192.168.5/24 subnet through a router not shown on your diagram at 10.10.0.1.

It also appears that your BSD router and your gateway router share the same IP address of 10.10.0.10. Is that a typo? Or did you actually intend for the gateway router to show the address 10.10.0.1?

#7, 30th July 2019, calanon

Hi, so the netmask for the 10.31 is 255.255.0.0, so /16. Yes, it was a typo; it should be 10.10.0.1. I missed the router out of the diagram by accident, but the vlan interface is 10.10.0.1; also on the router there is a vlan interface 192.168.5.1 for the other destination network.

#8, 30th July 2019, jggimi

I'll try again to understand, by restating your networks and routers. You tell me where I've misunderstood.
  • There are three private subnets (A) (B) and (C) in your scope of interest: (A) 10.31/16, (B) 10.10/16, and (C) 192.168.5/24.
  • There are two routers: "OpenBSD" between subnets (A) and (B), and "Gateway" between (B), (C) and all other subnets, including the Internet. Here is a simple network diagram:
    Code:
    (A) - OpenBSD - (B) - Gateway - (C and all other networks)
  • You wish to block incoming, unsolicited traffic from anywhere, including traffic originating on the (B) network into subnet (A) unless an authpf SSH session is first established on the "OpenBSD" router.
  • Systems on subnet (A) may establish outbound traffic to other subnets, and stateful responses are permitted.
What have I misunderstood?

Last edited by jggimi; 30th July 2019 at 08:19 PM. Reason: one minor typo

#9, 30th July 2019, calanon

Quote: Originally Posted by jggimi (post #8 above, quoted in full)

You understood perfectly

30th July 2019, jggimi

Routing
  • Devices on subnet (B) must be informed they are directly connected to two routers, "OpenBSD" and "Gateway". Their default route should be through "Gateway" as it reaches every address not on subnets (A) or (B). The additional route is needed to reach subnet (A) via the router "OpenBSD". This can be provided to each device manually/statically or via a DHCP server option such as classless-static-routes or classless-ms-static-routes.
  • Devices on subnet (A) only need their default route through "OpenBSD".
  • If NAT is not used in transitioning "Gateway" then devices on subnet (C) and other local subnets in your network need to have at least two additional routes, directing traffic to both subnets (A) and (B) through "Gateway".
  • The "OpenBSD" router needs a default route through "Gateway," just as other devices on subnet (B). It does not need a route added for subnet (A), as that is directly attached to a NIC.
PF (just a possible example, completely untested)
Code:
subnet_a = "10.31/16"

# default block; later rules override it, because pf's last matching rule wins
block return log

# pass all traffic originating from subnet (A):
pass log from $subnet_a

# pass SSH inbound to this router (the authpf login):
pass log proto tcp to self port ssh

# permit this router to communicate:
pass log from self
# but do not permit this router to reach subnet (A):
block log from self to $subnet_a

# authpf(8) rules will be inserted here:
anchor "authpf/*"
AuthPF (again, untested)
Code:
# your previously permitted traffic
# (RDP given numerically: "rdp" is not a service name in every /etc/services)
allowed_tcp_ports="{ ssh, https, 3389 }"
icmp_types="{ echoreq, unreach }"

# currently defined (macros from pf.conf are not visible in this file):
subnet_a = "10.31/16"

# $user_ip is set by authpf(8) to the authenticated client's address
pass log proto tcp from $user_ip to $subnet_a port $allowed_tcp_ports
pass log proto icmp from $user_ip to $subnet_a icmp-type $icmp_types

Last edited by jggimi; 30th July 2019 at 10:50 PM. Reason: four typos

30th July 2019, jggimi

There is a reason I add log directives to every filter rule example. I make mistakes. They get corrected when I review pflog(4) traffic with tcpdump(8).
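The ruleset in the post above depends on pf's evaluation order: every rule is consulted and the last one that matches decides, unless a rule says "quick". The following is an added example written for this thread, not code from the posts, from pf(4) or from OpenBSD; it models that evaluation over jggimi's ruleset plus the rules authpf(8) loads into the anchor for a logged-in user, so the ruleset can be reasoned about before it is loaded. Assumptions not taken from the thread: there is no state table (every packet is judged as a first packet), the anchor's rules are flattened into its position, "self" is the pair of router addresses from the diagrams, and service names are replaced by port numbers. pfctl -nf on the real file, and pflog(4) read with tcpdump(8) as the post says, remain the ground truth.

```python
"""Model of pf(4) rule evaluation over the ruleset proposed above.

Added example for this thread; not pf(4), pfctl(8) or code from OpenBSD or the
posters.  Models one property the ruleset relies on: rules are tried top to
bottom and the LAST matching rule decides unless it carries "quick".
Assumptions (mine, not the thread's): no state table; the authpf anchor is
flattened into its position; "self" is the two router addresses below;
service names are replaced by port numbers (ssh=22, https=443, rdp=3389).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Union

ROUTER_SELF = {ip_address("10.31.0.25"), ip_address("10.10.0.10")}  # "self"
SUBNET_A = ip_network("10.31.0.0/16")                              # $subnet_a
ALLOWED_TCP_PORTS = frozenset({22, 443, 3389})                     # $allowed_tcp_ports
ICMP_TYPES = frozenset({"echoreq", "unreach"})                     # $icmp_types

AddrSpec = Union[None, str, IPv4Network]  # None = any address, "self", or a network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    label: str                    # the pf.conf line this stands for
    src: AddrSpec = None
    dst: AddrSpec = None
    proto: Optional[str] = None
    ports: FrozenSet[int] = frozenset()        # empty = any port
    icmp_types: FrozenSet[str] = frozenset()   # empty = any ICMP type
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        def addr_ok(spec: AddrSpec, addr: str) -> bool:
            if spec is None:
                return True
            if spec == "self":
                return ip_address(addr) in ROUTER_SELF
            return ip_address(addr) in spec
        return (addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst)
                and (self.proto is None or self.proto == p.proto)
                and (not self.ports or p.dport in self.ports)
                and (not self.icmp_types or p.icmp_type in self.icmp_types))


def decide(rules: List[Rule], p: Packet) -> str:
    """Last matching rule wins; "quick" stops evaluation at that rule.  A packet
    no rule matches passes, which is why the ruleset opens with a block."""
    winner: Optional[Rule] = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    return f"{winner.action} ({winner.label})" if winner else "pass (no rule matched)"


def action(rules: List[Rule], p: Packet) -> str:
    """Just the verdict: "pass" or "block"."""
    return decide(rules, p).split()[0]


# jggimi's pf.conf, rule for rule, in order.
BASE_RULES = [
    Rule("block", "block return log"),
    Rule("pass", "pass log from $subnet_a", src=SUBNET_A),
    Rule("pass", "pass log proto tcp to self port ssh", dst="self", proto="tcp",
         ports=frozenset({22})),
    Rule("pass", "pass log from self", src="self"),
    Rule("block", "block log from self to $subnet_a", src="self", dst=SUBNET_A),
]


def authpf_rules(user_ip: str) -> List[Rule]:
    """What authpf(8) loads into anchor "authpf/*" for one logged-in user, from
    the authpf.rules in the post; $user_ip is that user's address."""
    me = ip_network(user_ip + "/32")
    return [
        Rule("pass", f"authpf: pass proto tcp from {user_ip} to $subnet_a port $allowed_tcp_ports",
             src=me, dst=SUBNET_A, proto="tcp", ports=ALLOWED_TCP_PORTS),
        Rule("pass", f"authpf: pass proto icmp from {user_ip} to $subnet_a icmp-type $icmp_types",
             src=me, dst=SUBNET_A, proto="icmp", icmp_types=ICMP_TYPES),
    ]


def ruleset(authpf_sessions: List[str]) -> List[Rule]:
    """Base rules followed by the anchor contents: one pair per active session."""
    rules = list(BASE_RULES)
    for ip in authpf_sessions:
        rules += authpf_rules(ip)
    return rules


if __name__ == "__main__":
    b_to_a_ssh = Packet("10.10.0.12", "10.31.0.20", "tcp", dport=22)
    ping_router = Packet("10.10.0.12", "10.10.0.10", "icmp", icmp_type="echoreq")
    print("B -> A ssh, no session:  ", decide(ruleset([]), b_to_a_ssh))
    print("B -> A ssh, with session:", decide(ruleset(["10.10.0.12"]), b_to_a_ssh))
    print("B -> router ping:        ", decide(ruleset([]), ping_router))
```

Running it shows the three outcomes the thread cares about: B reaching A is blocked until an authpf session exists for that exact source address and only on the listed ports, SSH to the router itself passes (the login that creates the session), and an echo request to the router is blocked because nothing after the opening block matches ICMP to self, which is the caveat jggimi raises further down. The model also confirms that "pass log from self" followed by "block log from self to $subnet_a" does what the comments intend, precisely because the later rule wins.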
31st July 2019, jggimi

Ooops. "Gateway" will need a route to subnet (A), too.
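The routing list above says hosts on subnet (B) need two routes, the default via "Gateway" and 10.31/16 via "OpenBSD", and that DHCP can hand them out with classless-static-routes or classless-ms-static-routes. What those options carry on the wire is defined by RFC 3442 (option 121; option 249 is the Microsoft variant with the same payload). The following is an added example, written for this thread and not code from the posts, from OpenBSD or from any DHCP server, that encodes and decodes that option for subnet (B)'s two routes; the bytes it produces are what you would expect to see in a tcpdump of the DHCP offer when checking why a (B) host did or did not learn the route to (A). One point it makes explicit: RFC 3442 says a client that honours option 121 must ignore option 3 (router), so the default route has to be inside this option too, which is why the list below includes 0.0.0.0/0.

```python
"""Wire encoding of the DHCP classless-static-routes option (RFC 3442).

Added example for the routing step above; not code from the thread, from OpenBSD
or from any DHCP server.  Addresses are the thread's: hosts on subnet (B) get a
default route via "Gateway" 10.10.0.1 and a route to subnet (A) 10.31.0.0/16 via
"OpenBSD" 10.10.0.10.  Option code 121 is the RFC 3442 option; 249 carries the
same payload for the Microsoft variant named in the post.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

Route = Tuple[str, str]  # (destination in CIDR form, next-hop router)

# The two routes jggimi describes for subnet (B), default route included.
SUBNET_B_ROUTES: List[Route] = [
    ("10.31.0.0/16", "10.10.0.10"),  # subnet (A) via the OpenBSD router
    ("0.0.0.0/0", "10.10.0.1"),      # everything else via "Gateway"
]


def encode_route(dest: str, router: str) -> bytes:
    """One RFC 3442 descriptor: prefix length, then only the significant octets
    of the destination (ceil(len/8) of them), then the 4-octet router."""
    net = ip_network(dest, strict=True)
    significant = (net.prefixlen + 7) // 8
    return (bytes([net.prefixlen])
            + net.network_address.packed[:significant]
            + ip_address(router).packed)


def encode_option(routes: List[Route], code: int = 121) -> bytes:
    """Full option TLV: code, length, concatenated descriptors."""
    payload = b"".join(encode_route(d, r) for d, r in routes)
    if len(payload) > 255:
        raise ValueError("option payload exceeds one DHCP option (255 bytes)")
    return bytes([code, len(payload)]) + payload


def decode_option(option: bytes) -> List[Route]:
    """Inverse of encode_option: what a client (or tcpdump) reconstructs."""
    code, length, payload = option[0], option[1], option[2:]
    if code not in (121, 249) or length != len(payload):
        raise ValueError("not a well-formed classless-static-routes option")
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        significant = (plen + 7) // 8
        dest = payload[i + 1:i + 1 + significant]
        router = payload[i + 1 + significant:i + 5 + significant]
        if len(dest) != significant or len(router) != 4:
            raise ValueError("truncated route descriptor")
        i += 1 + significant + 4
        dest_addr = ip_address(dest + bytes(4 - significant))  # pad back to 4 octets
        routes.append((f"{dest_addr}/{plen}", str(ip_address(router))))
    return routes


def subnet_b_option_hex() -> str:
    """The option 121 TLV for subnet (B) as hex, for comparison with a capture."""
    return encode_option(SUBNET_B_ROUTES).hex()


if __name__ == "__main__":
    print("option 121 for subnet (B):", subnet_b_option_hex())
    print("decoded:", decode_option(encode_option(SUBNET_B_ROUTES)))
```

For the two routes above the encoder yields 79 0c 10 0a 1f 0a 0a 00 0a 00 0a 0a 00 01: code 121, length 12, then "/16, 10.31, via 10.10.0.10" in seven bytes and "/0 via 10.10.0.1" in five. A host that ignores option 121 (some embedded stacks do) still needs the route statically, and the OpenBSD router itself, as the list says, needs only its default route through "Gateway" since subnet (A) is directly attached.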
31st July 2019, calanon

I'm very grateful; it works perfectly.

31st July 2019, jggimi

Really? I guess there's a first time for everything.

31st July 2019, calanon

Quote:
Originally Posted by jggimi
Really? I guess there's a first time for everything.
Yes the gateway was very easy to figure and I completely understand your ruleset.

31st July 2019, jggimi

With my example ruleset, you won't be able to ping the "OpenBSD" router. I'm sure there are other flaws in the rules.

1st August 2019, calanon

Yes, I know this; I made some adjustments, and to be honest I don't want people to ping the gateway. I could learn a lot from you.
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick