OpenBSD Security - Functionally paranoid!
Default pf ruleset at boot and PPPoE
I'm using kernel pppoe for my internet interface and my pf.conf contains the rules for the pppoe0 interface (amongst others); however, on boot this ruleset is not loaded and a very restrictive default set is loaded instead:
Code:
    FILTER RULES:
    block drop all
    pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
    pass out inet6 proto ipv6-icmp all icmp6-type routersol
    pass out proto tcp from any to any port = 53 flags S/SA
    pass out proto udp from any to any port = 53
    pass out inet proto icmp all icmp-type echoreq
    pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
    pass in inet6 proto ipv6-icmp all icmp6-type routeradv
    pass in proto tcp from any to any port = 22 flags S/SA
    pass on lo0 all flags S/SA
    pass proto carp all keep state (no-sync)
    No queue in use

My questions are:

1) Is it possible to see the pf errors on boot? There seems to be nothing in the logs or console about pf not loading correctly.

2) Is it possible to change the default rules, or would I need to define a restricted pf.conf and then load the full 'ppp' pf.conf once the interface is up? If so, how would you recommend I load the rules once the interface is up - ifstated maybe?

Kernel pppoe to ISP seems like a common enough scenario but I can't find other reports of similar issues.

OpenBSD 5.2 GENERIC#278 i386
I never used PPPoE, but for those who have and thus could assist you, it would be helpful to post your configuration details.
Things like the /etc/rc.conf file, ifconfig output and the contents of /etc/hostname.*.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Last edited by J65nko; 6th September 2013 at 03:40 PM.
/etc/rc.conf is untouched from 5.2 distribution, other files are:
Code:
    # cat /etc/hostname.pppoe0
    inet 0.0.0.0 255.255.255.255 NONE \
            pppoedev vr1 authproto pap \
            authname 'xxxxxx' authkey 'authkey' up
    dest 0.0.0.1
    !/sbin/route add default -ifp pppoe0 0.0.0.1

    # cat /etc/hostname.vr0
    inet 192.168.200.245 255.255.255.0

    # cat /etc/hostname.vr1
    up

    # ifconfig
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
            priority: 0
            groups: lo
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
            inet 127.0.0.1 netmask 0xff000000
    vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:24:c9:57:38
            priority: 0
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet 192.168.200.245 netmask 0xffffff00 broadcast 192.168.200.255
            inet6 fe80::200:24ff:fec9:5738%vr0 prefixlen 64 scopeid 0x1
    vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:24:c9:57:39
            priority: 0
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet6 fe80::200:24ff:fec9:5739%vr1 prefixlen 64 scopeid 0x2
    pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
            priority: 0
            dev: vr1 state: session
            sid: 0x6 PADI retries: 0 PADR retries: 0 time: 08:43:03
            sppp: phase network authproto pap authname "xxxxxx"
            groups: pppoe egress
            status: active
            inet6 fe80::200:24ff:fec9:5738%pppoe0 -> prefixlen 64 scopeid 0x7
            inet [my ext IP] --> [PPP Peer] netmask 0xffffffff
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
            priority: 0
            groups: pflog

    # cat /etc/rc.conf.local
    syslogd_flags="-a /var/spool/postfix/dev/log -a /var/unbound/dev/log"
    # Disable sendmail
    sendmail_flags="NO"
    ntpd_flags="-s"
    # Start on boot
    pkg_scripts="postfix sshguard unbound"

Code:
    ## Interfaces ##
    ExtIf = "pppoe0"
    IntIf = "vr0"
    VpnIf = "tun0"
    PbxHost = "192.168.200.42"
    MxHost = "192.168.200.41"
    WebHost = "192.168.200.44"
    PbxPeer = "[sip peer addr]"

    ### Queues, States and Types ###
    IcmpType ="icmp-type 8 code 0"
    IcmpMTUd ="icmp-type 3 code 4"
    SshQueue ="(ssh_bulk, ssh_login)"
    #SynState ="flags S/SA synproxy state"
    TcpState ="flags S/SA modulate state"
    UdpState ="keep state"

    ### Ports ###
    FtpPort ="8021"
    SshPort ="8022"
    OpenVPNPort ="1194"
    RtpPorts = "16384:32768"

    ### Stateful Tracking Options (STO) ###
    FtpSTO ="(tcp.established 7200)"
    ExtIfSTO ="(max 9000, source-track rule, max-src-conn 2000, max-src-nodes 14)"
    IntIfSTO ="(max 150, source-track rule, max-src-conn 50, max-src-nodes 14, max-src-conn-rate 75/20)"
    SmtpSTO ="(max 200, source-track rule, max-src-states 50, max-src-nodes 50, max-src-conn-rate 30/10, overload <BLOCKTEMP> flush global)"
    SshSTO ="(max 5, source-track rule, max-src-states 5, max-src-nodes 5, max-src-conn-rate 5/60)"
    WebSTO ="(max 500, source-track rule, max-src-states 50, max-src-nodes 75, max-src-conn-rate 120/100, overload <BLOCKTEMP> flush global)"

    ### Tables ###
    table <SSHGUARD> counters persist
    table <BLOCKTEMP> counters
    table <BLOCKPERM> counters file "/etc/pf_block_permanent"

    ################ Options ######################################################
    ### Misc Options
    set skip on lo
    set skip on $VpnIf
    set debug urgent
    set reassemble yes
    set block-policy drop
    set loginterface $ExtIf
    set state-policy if-bound
    set fingerprints "/etc/pf.os"
    set ruleset-optimization none

    ### Timeout Options
    set optimization normal
    set timeout { tcp.established 600, tcp.closing 60 }

    ### Block to/from illegal sources/destinations
    block in quick on $ExtIfs inet proto tcp from <SSHGUARD> to any port 22 label "ssh bruteforce"
    block in quick on $ExtIfs inet proto tcp from <BLOCKTEMP> to any port != ssh
    block in quick on $ExtIfs inet proto tcp from <BLOCKPERM> to any port != ssh
    block in quick on $ExtIfs inet proto udp from <BLOCKTEMP> to any port != ssh
    block in quick on $ExtIfs inet proto udp from <BLOCKPERM> to any port != ssh
    block in quick inet proto udp from any to <BLOCKPERM> port != ssh

    ### BLOCK all in on external interface by default and log
    block log on $ExtIf

    ### Network Address Translation (NAT with outgoing source port randomization)
    match out log on $ExtIf proto tcp from $PbxHost port { 5060, 5080, 5090 } to any received-on $IntIf tag EGRESS nat-to ($ExtIf:0) static-port
    match out log on $ExtIf proto udp from $PbxHost port { 5060, 5080, 5090 } to any received-on $IntIf tag EGRESS nat-to ($ExtIf:0) static-port
    match out log on $ExtIf from !($ExtIf:network) to any nat-to ($ExtIf:0)

    ### Packet normalization ( "scrubbing" )
    ### remove "min-ttl 64" if you need native traceroute functions or just use "traceroute -I" instead
    match log on $ExtIf all scrub (random-id min-ttl 64 set-tos reliability reassemble tcp max-mss 1440)

    ### $ExtIf inbound
    pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port { smtp, 2525 } $TcpState $SmtpSTO rdr-to $MxHost
    pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port { 993, 465 } $TcpState rdr-to $MxHost
    pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port { https, http } $TcpState rdr-to $WebHost
    pass in log on $ExtIf inet proto udp from !($ExtIf) port $RtpPorts $UdpState
    pass in log on $ExtIf inet proto udp from !($ExtIf) port $OpenVPNPort $UdpState
    pass in log on $ExtIf inet proto tcp from ($PbxPeer) to ($ExtIf) port { 5060, 5080, 5090 } $TcpState rdr-to $PbxHost
    pass in log on $ExtIf inet proto udp from ($PbxPeer) to ($ExtIf) port { 5060, 5080, 5090 } $UdpState rdr-to $PbxHost
    pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port ssh $TcpState $SshSTO
    pass in log on $ExtIf inet proto icmp from !($ExtIf) to ($ExtIf) $IcmpType $UdpState
    pass in log on $ExtIf inet proto icmp from !($ExtIf) to ($ExtIf) $IcmpMTUd $UdpState

    ### $ExtIf outbound
    pass out log on $ExtIf inet proto tcp from ($ExtIf) to !($ExtIf) $TcpState $ExtIfSTO tagged EGRESS
    pass out log on $ExtIf inet proto udp from ($ExtIf) to !($ExtIf) $UdpState $ExtIfSTO tagged EGRESS
    pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $ExtIfSTO tagged EGRESS
    pass out log on $ExtIf from ($ExtIf)

    ### $IntIf return (TCP reset) and log internal traffic
    block return log on $IntIf

    ### $IntIf inbound
    #pass in log on $IntIf inet proto tcp from $IntIf:network to !$IntIf port www $TcpState $ExtIfSTO
    pass in log on $IntIf inet proto tcp from $IntIf:network to !$IntIf port ftp $TcpState $IntIfSTO divert-to 127.0.0.1 port $FtpPort ##obsd 5.1
    pass in log on $IntIf

    ### $IntIf ftp secure secure proxy for LAN
    anchor "ftp-proxy/*" in on $IntIf inet proto tcp

    ### $IntIf outbound
    pass out log on $IntIf

    pass in log on vr1
    pass out log on vr1
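One thing worth checking before the rules are handed to pfctl at boot: in the pf.conf posted above, `ExtIf` is the macro that is defined, but the first six block rules reference `$ExtIfs`, and pfctl refuses to load a ruleset that references an undefined macro. `pfctl -nf /etc/pf.conf` is the authoritative test but stops at the first error; the script below is an added example (not code from the thread) that reports every undefined macro at once, run here against a constructed sample modelled on that file.

```shell
#!/bin/sh
# Added example, not from the thread: list every $MACRO referenced in a
# pf.conf that has no "MACRO = ..." definition, so a slip such as $ExtIfs
# next to a defined ExtIf is visible before the ruleset reaches pfctl.

# Reads a pf.conf from the given path (or stdin) and prints one undefined
# macro name per line, sorted. Only the plain $Name reference form is handled.
undefined_pf_macros() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { # Name = "value" definition
            n = $0
            sub(/^[ \t]*/, "", n); sub(/[ \t]*=.*/, "", n)
            defined[n] = 1
        }
        {                                        # every $Name reference
            s = $0
            while (match(s, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                used[substr(s, RSTART + 1, RLENGTH - 1)] = 1
                s = substr(s, RSTART + RLENGTH)
            }
        }
        END { for (m in used) if (!(m in defined)) print m }
    ' "$@" | sort
}

# Constructed sample modelled on the thread: ExtIf is defined, the block
# rule says $ExtIfs, and ($ExtIf:0) / $IntIf:network must not be flagged.
sample_pf_conf() {
    cat <<'EOF'
ExtIf = "pppoe0"
IntIf = "vr0"
TcpState ="flags S/SA modulate state"
#SynState ="flags S/SA synproxy state"
table <BLOCKTEMP> counters
set skip on lo
block in quick on $ExtIfs inet proto tcp from <BLOCKTEMP> to any port != ssh
block log on $ExtIf
match out log on $ExtIf from !($ExtIf:network) to any nat-to ($ExtIf:0)
pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port ssh $TcpState
pass in log on $IntIf inet proto tcp from $IntIf:network to !$IntIf port ftp
EOF
}

# Prints "ExtIfs" for the sample; against a live box run:
#   undefined_pf_macros /etc/pf.conf
sample_pf_conf | undefined_pf_macros
```

An empty result only means the macros resolve; syntax and table errors still need `pfctl -nf`.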
If you look through the /etc/rc script, you will first see the default PF rules loaded, then the netstart(8) script gets called, and then your $pf_rules (default: /etc/pf.conf) file gets loaded. For OpenBSD 5.2, this starts at line #322 in /etc/rc.
Logically, it would appear to me that the interface should be available once the netstart script has completed, but it may take a second or two to establish the pseudo device. You might try appending a line with !sleep 2 to your hostname.pppoe0 file, to add a delay to permit the pseudo device time to be available to PF, and see if that works for you.

I'm not a PPPoE user, but over the years I've come to understand that the userland pppoe(8) is considerably easier to implement and manage than the kernel driver pppoe(4). FAQ 6 mentions both but describes pppoe(8) as being the "main" software interface. If you're unable to get kernel PPPoE working properly, you might see what the userland implementation may be able to do for you.