DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

#1
21st March 2011
tinhead
New User
Join Date: Mar 2011
Location: Vancouver, CA
Posts: 8
need help with troubleshooting pf.conf

Hi all,

New here, seeking help with my pf.conf.

For some reason, I'm not getting the desired effect, perhaps someone can be a second pair of eyes / ears?

My testing has given the following results (in brackets is what this is supposed to be in the end):

UNCONFIGURED - 29mbps down and 18mbps up. (supposed to be unlimited in the end but understand it's not config'd that way right now)
CLIENT1 - 26.72mbps down and 15.63mbps up. (supposed to be limited to 10mbps)
CLIENT2 - 1.33mbps down and 1.19mbps up. (supposed to be limited to 1.5mbps so this is good)
8.82.104.212 - 38mbps down and 8mbps up. (supposed to be limited to 10mbps)

Any insight on what I'm missing? Thanks for the help!
Attached file: pf-bw-daemonforums.conf (5.8 KB)
#2
21st March 2011
tinhead
some progress on the pf.conf

Hi,

I think I've made some progress here but if someone out there has a better understanding of pf.conf files, maybe you can help me with glaring errors?

Attached file: pf-bw-daemonforums.conf (6.1 KB)
#3
21st March 2011
tinhead
In case you don't want to download...

Might be useful for those that don't want to download the conf file...

Code:
#	$OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# A couple of things to look into: make this a default-block policy, make sure the VPNs work, double-check and test the outbox.allstream.net address, and determine the correct interface for ftp-proxy (CARP or em?).

table <LocalNetworks> const { 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/23, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24 } 

IntIFs  = "{ em0, vlan2, vlan3, vlan4, vlan5, vlan6, vlan7, vlan8, vlan9, vlan10, vlan11, vlan12, vlan13, vlan14 }" 
IntCARPs = "{ carp1, carp2, carp3, carp4, carp5, carp6, carp7, carp8, carp9, carp10, carp11, carp12, carp13, carp14 }"

set skip on lo

scrub in all

# Allstream upload = 40Mbit (queue at 97%)
#altq on em1 bandwidth 38Mb hfsc queue { ack, dns }
#queue ack bandwidth 50% priority 7 qlimit 500 hfsc (realtime 50%)
#queue dns bandwidth 5% priority 6 qlimit 500 hfsc (realtime 5%)
#queue dns	bandwidth  7% priority 6 qlimit 500 hfsc (realtime  5%)
#queue https     bandwidth  7% priority 5 qlimit 500 hfsc (realtime  5%)
#queue http      bandwidth  7% priority 4 qlimit 500 hfsc (realtime  5%)
#queue bulk	bandwidth  1% priority 3 qlimit 500 hfsc (realtime 5% default)
#queue bittor	bandwidth  1% priority 2 qlimit 500 hfsc (upperlimit 99%)

ext_if		= "em1"
int_if		= "em0"
dev_if		= "em2"

dev1        = "8.82.104.212"

bw_world_up     = "51Mb"
bw_world_dn     = "51Mb"

bw_client1      = "39.5Mb"
bw_client2      = "1.5Mb"

bw_rest         = "5Mb"

bw_dev_dn       = "100Mb"
bw_dev1         = "5Mb"
bw_rest_dev_dn  = "95Mb"

altq on $ext_if cbq bandwidth $bw_world_up queue { client1_up, client2_up, dev1_up, rest_up }
altq on $int_if cbq bandwidth $bw_world_dn queue { client1_dn, client2_dn, rest_dn }
altq on $dev_if cbq bandwidth $bw_dev_dn queue { dev1_dn, rest_dev_dn }

queue client1_up bandwidth $bw_client1 cbq
queue client1_dn bandwidth $bw_client1 cbq
queue client2_up bandwidth $bw_client2 cbq
queue client2_dn bandwidth $bw_client2 cbq
queue dev1_up bandwidth $bw_dev1 cbq
queue dev1_dn bandwidth $bw_dev1 cbq
queue rest_up bandwidth $bw_rest cbq(default)
queue rest_dn bandwidth $bw_rest cbq(default)
queue rest_dev_dn bandwidth $bw_rest_dev_dn cbq(default)



# NAT all internal networks on em1 to CARP100 interface (Internet) 
nat on em1 proto { tcp, udp, icmp, esp, gre } from <LocalNetworks>  -> (carp100) 

# Correct FTP issues on all local interfaces 

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Please determine which is working the CARP or the Internal IF
#rdr pass on $IntCARPs proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $IntIFs proto tcp to port ftp -> 127.0.0.1 port 8021

# Intercept all smtp outgoing e-mail and forward to outbox.allstream.net  
rdr pass on $IntIFs proto tcp to port 25 -> 207.245.244.41 port 25

# Redirect external IP address to internal CMPP camera server. 
rdr pass on em1 proto tcp to 8.82.105.158 port 5400 -> 10.1.0.5 port 5400 
#rdr pass on em1 proto tcp to 192.168.42.2 port 5400 -> 10.1.0.5 port 5400

anchor "ftp-proxy/*"

# Allow all vpn data
pass in quick on em1 inet proto udp from any to any port = 500
pass in quick on em1 inet proto esp from any to any
pass out on em1 inet proto esp from any to any
pass out on em1 inet proto tcp all flags S/SA keep state
pass out on em1 inet proto udp from any to any port = 500
pass out on em1 inet proto esp from any to any
pass out on em1 inet proto udp all keep state
pass out on em1 inet proto icmp all keep state

# no inet6 for me
block quick inet6 all

block out on $IntIFs from <LocalNetworks> 

pass in on em0 from 10.1.0.0/24 to any tag CLIENT2U queue client2_dn 
pass out on em0 from { (em0), (carp1) } queue client2_dn
pass out quick on $ext_if tagged CLIENT2U queue client2_up

pass in on vlan2 from 10.2.0.0/24 to any
pass out on vlan2 from { (vlan2), (carp2) }

pass in on vlan3 from 10.3.0.0/24 to any
pass out on vlan3 from { (vlan3), (carp3) }

#pass in on vlan4 from 10.4.0.0/24 to any
#pass out on vlan4 from { (vlan4), (carp4) }

pass in on vlan4 from 10.4.0.0/24 to any tag CLIENT2U queue client2_dn
pass out on vlan4 from { (vlan4), (carp4) } queue client2_dn
pass out quick on $ext_if tagged CLIENT2U queue client2_up


pass in on vlan5 from 10.5.0.0/24 to any
pass out on vlan5 from { (vlan5), (carp5) }

pass in on vlan6 from 10.6.0.0/24 to any
pass out on vlan6 from { (vlan6), (carp6) }

pass in on vlan7 from 10.7.0.0/24 to any
pass out on vlan7 from { (vlan7), (carp7) }

pass in on vlan8 from 10.8.0.0/23 to any tag CLIENT1U queue client1_dn
pass out on vlan8 from { (vlan8), (carp8) } queue client1_dn
pass out quick on $ext_if tagged CLIENT1U queue client1_up

# dev1
#pass in quick on $dev_if from any to $dev1 queue dev1_dn
#pass in quick on $ext_if from any to $dev1 queue dev1_dn
#pass out quick on $ext_if from $dev1 to any queue dev1_up
#pass out quick on $dev_if from any to $dev1 queue dev1_dn
#pass out quick on $ext_if from $dev1 to any
#pass out quick on $dev_if from any to $dev1 
pass in on $dev_if from $dev1 to any tag DEV1U queue dev1_dn
pass out on $dev_if from $dev1 queue dev1_dn
pass out quick on $ext_if tagged DEV1U queue dev1_up 

pass in on vlan9 from 10.9.0.0/24 to any tag CLIENT2U queue client2_dn
pass out on vlan9 from { (vlan9), (carp9) } queue client2_dn
pass out quick on $ext_if tagged CLIENT2U queue client2_up

pass in on vlan10 from 10.10.0.0/24 to any
pass out on vlan10 from { (vlan10), (carp10) }

pass in on vlan11 from 10.11.0.0/24 to any
pass out on vlan11 from { (vlan11), (carp11) }

pass in on vlan12 from 10.12.0.0/24 to any
pass out on vlan12 from { (vlan12), (carp12) }

pass in on vlan13 from 10.13.0.0/24 to any
pass out on vlan13 from { (vlan13), (carp13) }

pass in on vlan14 from 10.14.0.0/24 to any
pass out on vlan14 from { (vlan14), (carp14) }

Last edited by tinhead; 22nd March 2011 at 01:52 AM.
#4
22nd March 2011
BSDfan666
Real Name: N/A, this is the interweb.
Banned
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

If you're going to post configuration files inline, use [code][/code] blocks.
#5
22nd March 2011
tinhead

Now doesn't that look pretty?! Thanks!
#6
22nd March 2011
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

Without a network topology and a description of the security policy your rules are supposed to implement, it is rather difficult to give meaningful/correct tips and/or advice.

Code:
# Allow all vpn data
pass in quick on em1 inet proto udp from any to any port = 500
pass in quick on em1 inet proto esp from any to any

pass out on em1 inet proto esp from any to any
pass out on em1 inet proto tcp all flags S/SA keep state
pass out on em1 inet proto udp from any to any port = 500
pass out on em1 inet proto esp from any to any
pass out on em1 inet proto udp all keep state
pass out on em1 inet proto icmp all keep state
What are you trying to accomplish here? Only allow incoming VPN connections in the first 2 rules, and passing out the return traffic in the remaining ones?

Or only allow outgoing VPN connections?

Why don't you use quick on the pass out rules as well?

Some rules say keep state, or flags S/SA keep state, but some don't. That is not consistent.
If you want stateful connections, you don't have to specify keep state anymore. Stateful connections have been the default in pf for quite some time.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 22nd March 2011 at 09:33 AM.
#7
22nd March 2011
tinhead
thanks J65nko

Thanks for pointing that out. The biggest concern is actually the bandwidth limitation. We run a complex environment with three physical interfaces.

One physical interface is connected to the ISP, the other is connected to a number of devices with public IPs, the third is connected to a number of internal networks all on their own VLANS.

Our concern is rate limiting individual networks: on the public IP space, limiting by IP; on the internal networks, limiting by VLAN.

What information would you need in order to help on this situation? What can I pull off the server to better elicit a reply from an expert such as yourself?
#8
22nd March 2011
J65nko

Code:
pass in on em0 from 10.1.0.0/24 to any tag CLIENT2U queue client2_dn 
pass out on em0 from { (em0), (carp1) } queue client2_dn
pass out quick on $ext_if tagged CLIENT2U queue client2_up
Can't you use quick on the first two rules? Remember that in pf the last matching rule wins. The only way to prevent this is to use quick.

So if any other rule after this would allow incoming traffic on em0 from 10.1.0.0/24, this traffic would be passed without being assigned to that "client2_up" queue.

BTW I am not an expert
#9
22nd March 2011
tinhead

This stuff is way over my head! (Hence why I'm asking for help.)
#10
23rd March 2011
J65nko

  • All 10.x. networks are 10.x.0.0/24 except 10.8.0.0, which is 10.8.0.0/23. Is that correct?
  • Names like ext_if, int_if and dev_if are defined, but the majority of the rules still use em0, em1 and em2. That makes it hard to understand.
  • What is the purpose of this rule?
    Code:
    block out on $IntIFs from <LocalNetworks>
    Are you sure the direction is correct?
    Code:
            i n t e r n e t
    
             IN        OUT
                       
              |        /|\
              |       / | \
              |         |
              |         |
            \ | /       |
             \|/        |
    +---------|---------|----------+
    |         |         |          |
    |    +--------------------+    |
    |    | external interface |    |
    |    +--------------------+    |
    |         |        /|\         |
    |         |       / | \        |
    |         |         |          |
    |         |   PF    |          |
    |         |         |          |
    |       \ | /       |          |
    |        \|/        |          |
    |    +--------------------+    |
    |    | internal interface |    |
    |    +--------------------+    |
    |         |         |          |
    +---------|---------|----------+
              |        /|\
              |       / | \
              |         |
            \ | /       |
             \|/        |
    
             OUT       IN
    
        l o c a l  n e t w o r k
  • The tcp rule for the VPN traffic is not assigned to any queue on em1.
    Could this be the culprit?
    Code:
    pass out on em1 inet proto tcp all flags S/SA keep state
  • I prefer to group the rules by interface and then by direction:
    Code:
    # === EXTERNAL INTERFACE ===
    # --- IN
    
    rules for incoming traffic on external interface
    
    # --- OUT
    
    rules for outgoing traffic on external interface
    
    
    # === INTERNAL INTERFACE ===
    # --- IN
    
    rules for incoming traffic on internal interface
    
    # --- OUT
    
    rules for outgoing traffic on internal interface
    
    
    # === DEV INTERFACE ===
    # --- IN
    
    rules for incoming traffic on dev  interface
    
    # --- OUT
    
    rules for outgoing traffic on dev interface
    You could make an exception for the vlan rules, and keep these together as they are.
  • Have you tried to use pfctl to view the queues and the queue stats?
    Code:
                 -s queue       Show the currently loaded queue rules.  When used
                                together with -v, per-queue statistics are also
                                shown.  When used together with -v -v, pfctl will
                                loop and show updated queue statistics every five
                                seconds, including measured bandwidth and packets
                                per second.
  • Does pfctl -vvs state show traffic that is not being assigned to a queue, while it should?

  • The vlan rules can be generated easily with a script. Here I add 'quick' and 'inet' so 'inet6' traffic will not be passed:

    Code:
    # The heredocs are unquoted so that ${X} expands; $ext_if therefore has to
    # be escaped, otherwise the shell expands it to an empty string.
    cat <<END
    pass out quick on \$ext_if tagged CLIENT1U queue client1_up
    pass out quick on \$ext_if tagged CLIENT2U queue client2_up
    END
    
    
    VLANS='2 3 4 5 6 7 8 9 10 11 12 13 14'
    
    for X in ${VLANS} ; do 
    
    cat <<END
    #pass in quick on vlan${X}  inet from 10.${X}.0.0/24 to any
    #pass out quick on vlan${X} inet from { (vlan${X}), (carp${X}) }
    
    pass in  quick on vlan${X} inet from 10.${X}.0.0/24 to any tag CLIENT2U queue client2_dn
    pass out quick on vlan${X} inet from { (vlan${X}), (carp${X}) } queue client2_dn
    
    END
    
    done
    This will produce
    Code:
    pass out quick on $ext_if tagged CLIENT1U queue client1_up
    pass out quick on $ext_if tagged CLIENT2U queue client2_up
    #pass in quick on vlan2  inet from 10.2.0.0/24 to any
    #pass out quick on vlan2 inet from { (vlan2), (carp2) }
    
    pass in  quick on vlan2 inet from 10.2.0.0/24 to any tag CLIENT2U queue client2_dn
    pass out quick on vlan2 inet from { (vlan2), (carp2) } queue client2_dn
    
    #pass in quick on vlan3  inet from 10.3.0.0/24 to any
    #pass out quick on vlan3 inet from { (vlan3), (carp3) }
    
    pass in  quick on vlan3 inet from 10.3.0.0/24 to any tag CLIENT2U queue client2_dn
    pass out quick on vlan3 inet from { (vlan3), (carp3) } queue client2_dn
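
Added example (an editor's addition; not part of the thread and not tinhead's or J65nko's code): a toy Python model of the two pf behaviours that posts #8 and #10 turn on. First, the last matching rule wins unless it is quick, so a later, broader pass rule that also matches traffic arriving on em0 silently replaces the tag and queue set by the CLIENT2 rule; with quick on the CLIENT2 rule the queue assignment survives. Second, in and out are relative to the firewall's interface, so a forwarded packet is matched in on the ingress interface and again out on the egress interface, and a rule like block out on $IntIFs from <LocalNetworks> can only ever match packets leaving an internal interface with a local source address. The Rule and Packet classes, the extra broad pass in on em0 rule, and the sample addresses 10.1.0.7, 10.2.0.9 and 10.8.1.4 are constructed for the example; there is no state table, NAT, scrub or protocol/port matching.

```python
"""Toy model of pf(4) rule evaluation (added example, not pf itself and not
the thread's config): the last matching rule wins unless it is 'quick'; a
forwarded packet is evaluated 'in' on its ingress interface and 'out' on
its egress interface; a tag set by the winning inbound rule is visible to
'tagged' on the outbound side. No state table, NAT, scrub or ports."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in" or "out", relative to the firewall
    iface: str                       # interface the rule applies on, e.g. "em0"
    quick: bool = False              # stop evaluation as soon as this rule matches
    src: Optional[List[str]] = None  # list of CIDRs; None means "from any"
    tag: Optional[str] = None        # tag to attach when this rule wins
    tagged: Optional[str] = None     # match only packets carrying this tag
    queue: Optional[str] = None      # ALTQ queue the winning rule assigns


@dataclass
class Packet:
    src: str                 # source address
    tag: Optional[str] = None


def rule_matches(rule: Rule, direction: str, iface: str, pkt: Packet) -> bool:
    if rule.direction != direction or rule.iface != iface:
        return False
    if rule.src is not None:
        addr = ip_address(pkt.src)
        if not any(addr in ip_network(net) for net in rule.src):
            return False
    if rule.tagged is not None and pkt.tag != rule.tagged:
        return False
    return True


def evaluate(rules: List[Rule], direction: str, iface: str, pkt: Packet) -> Optional[Rule]:
    """Walk the whole ruleset. The LAST matching rule wins, except that a
    matching 'quick' rule ends evaluation on the spot. None means no rule
    matched, which pf treats as an implicit pass (hence 'block all' first)."""
    winner = None
    for rule in rules:
        if rule_matches(rule, direction, iface, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def forward(rules: List[Rule], ingress: str, egress: str,
            pkt: Packet) -> Optional[Tuple[Optional[str], Optional[str]]]:
    """Push one packet through the box: 'in' on ingress, then 'out' on egress.
    Returns (inbound queue, outbound queue), or None if a block rule won."""
    r_in = evaluate(rules, "in", ingress, pkt)
    if r_in is not None and r_in.action == "block":
        return None
    if r_in is not None and r_in.tag:
        pkt.tag = r_in.tag  # in real pf the tag is stored on the state entry
    r_out = evaluate(rules, "out", egress, pkt)
    if r_out is not None and r_out.action == "block":
        return None
    return (r_in.queue if r_in else None, r_out.queue if r_out else None)


def client2_rules(quick: bool) -> List[Rule]:
    """The three CLIENT2 rules J65nko quoted from post #3 (em0 = $int_if,
    em1 = $ext_if), with or without 'quick', followed by one CONSTRUCTED
    broader rule standing in for anything later in pf.conf that also
    matches traffic arriving on em0."""
    return [
        Rule("pass", "in", "em0", quick=quick, src=["10.1.0.0/24"],
             tag="CLIENT2U", queue="client2_dn"),
        # original is 'from { (em0), (carp1) }'; simplified to 'from any' here
        Rule("pass", "out", "em0", quick=quick, queue="client2_dn"),
        Rule("pass", "out", "em1", quick=True, tagged="CLIENT2U", queue="client2_up"),
        Rule("pass", "in", "em0", src=["10.0.0.0/8"]),  # constructed: no tag, no queue
    ]


def client2_queues(quick: bool):
    """Queues a 10.1.0.0/24 host's packet lands in on its way em0 -> em1."""
    pkt = Packet(src="10.1.0.7")  # constructed sample host on the CLIENT2 network
    return forward(client2_rules(quick), "em0", "em1", pkt)


# <LocalNetworks> as in post #3: all /24 except 10.8.0.0/23
LOCAL_NETWORKS = ["10.%d.0.0/24" % n for n in range(1, 15) if n != 8] + ["10.8.0.0/23"]


def block_out_applies(direction: str, iface: str, src: str) -> bool:
    """Does 'block out on em0 from <LocalNetworks>' win for this packet?
    Only if the packet is LEAVING em0 (towards the LAN) with a local source."""
    rules = [Rule("block", "out", "em0", src=LOCAL_NETWORKS)]
    winner = evaluate(rules, direction, iface, Packet(src=src))
    return winner is not None and winner.action == "block"


if __name__ == "__main__":
    print("without quick:", client2_queues(False))   # (None, None)
    print("with quick:   ", client2_queues(True))    # ('client2_dn', 'client2_up')
    print("LAN host coming in on em0:", block_out_applies("in", "em0", "10.1.0.7"))   # False
    print("other VLAN going out em0: ", block_out_applies("out", "em0", "10.2.0.9"))  # True
```

Compare client2_queues(False) with client2_queues(True): the queue assignment only survives in the second case because quick stopped evaluation before the broader rule could override it. The model only explains ordering; pfctl -nvf /etc/pf.conf on the real box is still the way to see what pf actually loads, and pfctl -vvs queue the way to see where the bytes go.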
#11
25th March 2011
tinhead

@J65nko thanks again for your response...

* The 10.x networks are all /24 except 10.8 which is a /23
* I understand that these are defined. The file was hacked together before my time and I'm somewhat clueless.
* I'm not sure what the purpose of this is:
Code:
block out on $IntIFs from <LocalNetworks>

Again, I'm pretty junior on this stuff but have the task of making sure this works. I would be willing to pay someone to actually do the work and implement it. I would be the test monkey. Is this a possibility?
#12
25th March 2011
J65nko

I just noticed the 10.8/23 and wondered whether this was deliberate or a typo.

RE: test monkey possibility
Please read the Private Message I sent to you.