DaemonForums  
Old 3rd March 2011
mug23 (New User)
 
Join Date: Mar 2011
Posts: 2
https ports on PF

Hello,

I'm new to this forum and new to PF, which is installed on OpenBSD 4.4. I'm currently having some issues with trying to access certain web sites that are on https. I seem not to be able to load some https sites and somehow the firewall seems to be blocking port 443 traffic. The https web site tries to load once I give it the correct username and password, but all of a sudden it kicks me out. It happens on a few of the https sites I try to get to.

For testing, I connected a laptop directly on the DMZ and that https web site loaded with no problems. Also, I cannot get to my company's web mail, which also uses https, and now I'm able to access it while the laptop is still in the DMZ.

The firewall was implemented by someone else who knows PF very well and it's working nicely in my company's network.

1). Can anyone tell me how to find out if port 443 is open?

2). If that port is not open, how can I open it? Not sure what script to use.

3). I'm not sure what's going on.

If anyone can help me out on how to diagnose the problem and how to fix it, that would be great.

Thank you,
#2
Old 3rd March 2011
J65nko (Administrator)
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

Is there no way to contact that 'someone else who knows PF very well' ?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3
Old 4th March 2011
jggimi (More noise than signal)
 
Join Date: May 2008
Location: USA
Posts: 7,975

Quote:
Originally Posted by mug23
Hello,

I'm new to this forum...
Welcome!
Quote:
...installed on OpenBSD 4.4....
Officially, support for OpenBSD 4.4 ended on October 18, 2009. And, there have been innumerable changes to PF since then.

In order to self-manage PF, since your support person is no longer available, you will need a copy of the PF User's Guide applicable to 4.4. The PF User's Guide currently at the OpenBSD project website (and mirrors) is for OpenBSD 4.8, and in May it will be updated for 4.9.

I'll cobble up a 4.4 version of the guide for you and attach it to this thread, but will not be able to get to it for many hours, so don't expect it until tomorrow. Meanwhile...
Quote:
... I'm currently having some issues with trying to access certain web sites that are on https. I seem not to be able to load some https sites and somehow the firewall seems to be blocking port 443 traffic. The https web site tries to load once I give it the correct username and password, but all of a sudden it kicks me out. It happens on a few of the https sites I try to get to...
If you are able to reach your https:// websites in order to authenticate, then whatever your problem is, it is not a port 443 problem, since an https URL will use port 443 as the destination port by default.
Quote:
...For testing, I connected a laptop directly on the DMZ and that https web site loaded with no problems. Also, I cannot get to my company's web mail, which also uses https, and now I'm able to access it while the laptop is still in the DMZ.
OpenBSD comes with a tool called tcpdump. You can use it to monitor PF block/pass decisions. It requires root (superuser) access on the firewall. Assuming you have that, and assuming your prior admin set up logging -- a big if -- you could find out what rules are blocking and passing traffic. But each rule to be tracked would need to have a "log" flag included, and many PF admins neglect to do so.
Quote:
1). Can anyone tell me how to find out if port 443 is open?
Reaching -any- https: URL and getting a web page back, as I mentioned above, requires port 443 to be open. The tcpdump tool can tell you if rules are blocking or passing traffic, if logging has been set up for individual block and pass rules. Reading your pf.conf file and looking for port 443 rules (or rules that refer to https) may give you an indication as well. Note that port 443 is a DESTINATION port number at the server, the sending port number can be completely random.
Quote:
....2). If that port is not open, how can I open it? Not sure what script to use.
It's not a script at all, it's a text file, as mentioned above. The default name is pf.conf, stored in /etc. Meanwhile, please take a look at 4.8's PF User's Guide for a general description of PF and how it is utilized, even though rule syntax has changed significantly since 2008, when 4.4 was in development.

http://www.openbsd.org/faq/pf/index.html

Last edited by jggimi; 4th March 2011 at 04:14 PM. Reason: fixed link
#4
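As an added example (not jggimi's code and not part of the thread), here is a small sh script that does the two checks described above offline: it flags which port 443/https rules in a constructed pf.conf fragment carry the "log" keyword, and it pulls the numbers of the rules that blocked traffic to destination port 443 out of constructed lines shaped like tcpdump's pflog0 output. The pf.conf lines, the pflog lines and the rule numbers are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Both inputs below are constructed.
# On the real firewall the capture would be "tcpdump -n -e -i pflog0 port 443"
# run as root, and only rules carrying the "log" keyword ever show up there.

# Constructed pf.conf fragment in the pre-4.7 syntax that 4.4 used.
PFCONF_SAMPLE='ext_if="em0"
block in on $ext_if all
pass in on $ext_if proto tcp from any to any port 443 keep state
pass out log on $ext_if proto tcp from any to any port https keep state
block return log on $ext_if proto tcp from 10.0.0.0/8 to any port 443'

# Constructed lines shaped like "tcpdump -n -e -i pflog0" output.
PFLOG_SAMPLE='Mar 04 10:01:02.123456 rule 1/(match) block in on em0: 192.0.2.10.51234 > 198.51.100.7.443: S 1:1(0) win 65535
Mar 04 10:01:03.456789 rule 3/(match) pass out on em0: 192.0.2.10.51235 > 198.51.100.7.443: S 2:2(0) win 65535
Mar 04 10:01:09.000001 rule 4/(match) block in on em0: 10.1.2.3.40000 > 198.51.100.7.443: S 3:3(0) win 65535
Mar 04 10:01:10.000002 rule 1/(match) block in on em0: 192.0.2.10.51236 > 198.51.100.9.22: S 4:4(0) win 65535'

# Print every rule mentioning port 443/https, tagged by whether it has "log".
# A rule without it can kill the HTTPS session and never appear in pflog.
audit_443_rules() {
    printf '%s\n' "$1" | awk '/port (443|https)/ {
        tag = ($0 ~ /(^| )log( |$)/) ? "logged" : "NOT logged"
        printf "%s\t%s\n", tag, $0
    }'
}

# From pflog output, list the rule numbers that blocked traffic whose
# DESTINATION port is 443; the random client-side source port is ignored.
blocking_rules_443() {
    printf '%s\n' "$1" | awk '$4 == "rule" && $6 == "block" {
        dst = $12; sub(/:$/, "", dst)          # "198.51.100.7.443:" -> host.port
        n = split(dst, p, "."); if (p[n] != "443") next
        split($5, r, "/"); print r[1]         # "1/(match)" -> 1
    }' | sort -un
}

audit_443_rules "$PFCONF_SAMPLE"
blocking_rules_443 "$PFLOG_SAMPLE"
```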
Old 4th March 2011
jggimi (More noise than signal)
 
Join Date: May 2008
Location: USA
Posts: 7,975

Here's a 4.4 version of the PF User's Guide. I found some time to create it for you. It is a collection of HTML files:

www.jggimi.homeip.net/44pf.tgz

Unpack, and start with the index.html file in the top directory.
#5
Old 4th March 2011
jggimi (More noise than signal)
 
Join Date: May 2008
Location: USA
Posts: 7,975

I should also point out some additional documents that may help you, from J65nko's page of resources:

http://www.daemonforums.org/showthread.php?t=108
#6
Old 4th March 2011
mug23 (New User)
 
Join Date: Mar 2011
Posts: 2

Thank you very much for taking the time to reply back. I will look more into the info you provided me.