DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
Old 12th September 2017
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 69
Default

Hi Jggimi,

Thanks for your reply. I tried what you have suggested but still only one queue is active

Thanks
Reply With Quote
Old 12th September 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,974
Default

I'm sorry, it was only a guess.

I use queues, but I use them on specific pass rules, rather than on match rules.
Reply With Quote
Old 12th September 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,974
Default

Ah. NOW I see the problem.
Code:
match out on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc set prio 7
match out on $ext_if proto {tcp, udp} from $int_if to any port>=80 queue std set prio 3
The first match rule applies to your selected workstations. The second match rule applies to ALL devices on your LAN, including the selected workstations.. The second match rule replaces the bmpc queue with the std queue. That is why the bmpc queue is never used.

Since your std queue is your default queue, you do not need the second match rule in your rule set.
Reply With Quote
Old 13th September 2017
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 69
Default

Hi Jggimi,

Thanks for the guidance. I tried the following rules separately. But those didn't activate both queues

Code:
match out on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc
Code:
pass out on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc
I commented the " match out on $ext_if proto {tcp, udp} from $int_if to any port>=80 queue std " rule
Reply With Quote
Old 13th September 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,974
Default

The "pass" rule is not the last that would apply. Unless you use quick, the last matching rule wins, which may be:
Code:
pass out on $ext_if proto {tcp, udp} all keep state
The best way to diagnose a PF rule set is by adding the log option to pass/block/match rules, then using tcpdump(8) with pflog(4).
Reply With Quote
Old 14th September 2017
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 69
Default

Hi Jggimi,

I changed the rules by adding the quick rule. But still one queue is active.

Code:
pass out quick on $ext_if proto {tcp, udp} from $bmpc_wks to any port>=80 queue bmpc
Thanks
Reply With Quote
Old 14th September 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,974
Default

Again, I'm going to recommend learning to use tcpdump(8). Mr. Hansteen's The Book of PF gives excellent guidance, and its use is also discussed in his online tutorial.

Last edited by jggimi; 14th September 2017 at 10:02 AM. Reason: typos
Reply With Quote
Old 3 Weeks Ago
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 69
Unhappy

Hi Jggimi,

I followed the Book of PF ( Third Edition ) and tried Two methods. None of those gave the desired results. Relevant PF files are attached herewith.

When I implement both configurations, from LAN; internet is not accessible, only one queue is active ( the default queue ).

Could you point what mistakes I did for this configuration?

Thanks
Attached Files
File Type: conf pf.conf (5.3 KB, 4 views)
File Type: conf pf_old.conf (5.2 KB, 2 views)

Last edited by Amithapr; 3 Weeks Ago at 08:27 AM.
Reply With Quote
Old 3 Weeks Ago
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,974
Default

I have looked at the first rule set you attached.

Queueing: your "set queue" rules are pass rules are located among your queue rules, before the comment line: "#****** THIS IS WHERE THE RULES BEGIN ******". Queue settings are not sticky when used in pass rules, and unless quick is used with pass, the last matching rule wins. Without looking very far, I can see rules that will match the same traffic and override your earlier pass rules that set queue.

You might consider using match rules to set queues, or, use the quick option.

Blocked traffic: Your general block rule is on inbound traffic. No outbound traffic is blocked except for IGMP. Did you enable the packet forwarding sysctl? If no, this is the root cause. If yes, then either simplify your rule set, or enable logging on each rule and use tcpdump(8).
Reply With Quote
Old 2 Weeks Ago
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 69
Default

Hi Jggimi,

Thanks for the information. I will try what you have suggested.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Fan Control in OpenBSD? sparky OpenBSD General 18 4th April 2014 12:54 PM
Security Hacker Had Total Control Over DigiNotar Servers, Report J65nko News 0 1st November 2012 08:10 PM
five reasons why OpenBSD is recommended to total newbies daemonfowl OpenBSD General 20 25th February 2012 12:03 AM
Alix6e1 LED control in openbsd Sigi OpenBSD General 1 20th November 2011 08:24 PM
Fan control in OpenBSD Angevin OpenBSD General 6 20th November 2009 03:06 AM


All times are GMT. The time now is 02:44 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick