DaemonForums > OpenBSD > OpenBSD Security

#1, 30th September 2016
azdps (Port Guard; Join Date: Apr 2014; Posts: 21)
network address translation

I have an xbox and a ps4 that both need static ports (outbound). The following code works fine for just my xbox:

Code:
xbox = "192.168.1.111"
ps4 =  "192.168.1.112"

# Perform source-port randomization for all hosts which are not the xbox
match out log on egress from !$xbox to any nat-to ($ext_if:0) port 1024:65535

# Do not perform source-port randomization for the xbox
match out log on egress from $xbox to any nat-to ($ext_if:0) static-port

I attempted to add my ps4 but it doesn't appear to be working as intended. Here is the code:

Code:
xbox = "192.168.1.111"
ps4 =  "192.168.1.112"

# Perform source-port randomization for all hosts which are not the xbox
match out log on egress from !$xbox to any nat-to ($ext_if:0) port 1024:65535

# Do not perform source-port randomization for the xbox or ps4
match out log on egress from $xbox to any nat-to ($ext_if:0) static-port
match out log on egress from $ps4 to any nat-to ($ext_if:0) static-port

I have a question about the first match rule, the one for hosts not equal to the xbox (!$xbox). Is it possible to add the ps4 to that same line as an "or" statement? Something similar to:

Code:
match out log on egress from {!$xbox || !$ps4} to any nat-to ($ext_if:0) port 1024:65535

If I'm going all wrong with this code can someone provide a solution or suggestion? Thank you.
#2, 30th September 2016
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 5,519)

There's no logical or in PF rule syntax. But match rules are sticky, and it is possible that there is an error in how static-port "stickiness" is applied.

You might try something that avoids any logical "not" structures, to test if there is a stickiness problem. The general NAT rule we all use includes a logical not-egress. We use the not-egress form because we want to NAT traffic from non-egress network interfaces:
Code:
match out on egress from !(egress) nat-to (egress)
This substitute avoids the logical not structure:
Code:
internal_interfaces="{em2 vr3}"
match out on egress from $internal_interfaces nat-to (egress)
That will be expanded to two general-case match rules, one for each interface.
Then we can add the specific use-case for static ports:
Code:
internal_interfaces="{em2 vr3}"
match out on egress from $internal_interfaces nat-to (egress)
match out on egress from {$xbox $ps4} nat-to (egress) static-port

That will expand to two match rules with static-port applied. If it doesn't work, you will have a clear indication that dynamic port stickiness might not be overridden in a subsequent match rule. The next test would be to use pass rules with nat-to, rather than match rules, as they are not sticky. If you get different results with pass, you will have something you can discuss with Project developers on misc@, or perhaps bugs@.

I have never used static-port, and just use rdr-to to pass specific ports to devices on the local networks through NAT.
#3, 30th September 2016
azdps (Port Guard; Join Date: Apr 2014; Posts: 21)

jggimi, I've tested numerous match settings to see if I could get static ports for just 2 IP addresses on my network. I've come up with only one solution that is similar to the one I had already posted, except with the PS4 added. Still doesn't seem like an ideal solution.

I would figure match would act similar to a pass rule and the last rule that matches would be used. Using match with network address translation does not appear to act the same way as a pass rule. Unfortunately I don't have the time to post what code had worked for me but will do so later.

By the way, your code suggestions didn't work for me. More on this later.
#4, 30th September 2016
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 5,519)

Thanks for the brief report. I'm sorry my suggestions were not successful.

As I noted above, the match rule is not the same as block or pass. Last matching does not apply, every packet is tested. The pf.conf(5) man page says, "...match rules differ from block and pass rules in that parameters are set every time a packet matches the rule, not only on the last matching rule."

Using pass rather than match may be more helpful for your use case.
#5, 1st October 2016
azdps (Port Guard; Join Date: Apr 2014; Posts: 21)

So this is what worked for me. I'm not really sure why it does. Static-port is definitely working for my Xbox, but I'm not really sure about the PS4, as I've not set up port forwarding yet to make sure the PS4 NAT is open and not restricted. I can tell my Xbox static-port isn't working correctly when my Xbox NAT shows restricted instead of open.

This works:

Code:
# every host except the Xbox: source port taken from this range
match out on egress inet from !$XBOX to any nat-to ($WAN:0) port 1024:65535
# the consoles: keep the source port
match out on egress from {$PS4 $XBOX} to any nat-to (egress) static-port

pfctl -vf pf.conf output
-------------------------------
match out on em0 inet from ! 10.200.200.114 to any nat-to (em0:0) port 1024:65535
match out on egress inet from 10.200.200.110 to any nat-to (egress) round-robin static-port
match out on egress inet from 10.200.200.114 to any nat-to (egress) round-robin static-port

I've considered my options for using pass instead of match. It would seem that a pass rule wouldn't really work since it's not sticky like a match rule.

Quote from the pf.conf man page referencing a match rule:

Quote:
Subsequent rules will see packets as they look after any addresses and ports have been translated. These rules will therefore have to filter based on the translated address and port number.
So it would seem that a match rule is required first and then a pass rule should later apply. I'm sure there's something simple I'm overlooking here.
#6, 1st October 2016
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 5,519)

I was considering pass rules that include nat-to.

Would static-port for all NAT translations (with a single match nat-to) be a possible solution?
#7, 1st October 2016
azdps (Port Guard; Join Date: Apr 2014; Posts: 21)

I wanted to limit static ports to just my gaming consoles for security reasons. Would prefer to have source port randomization for the rest of the network.

For now I've set the entire network to have static ports as a "possible solution". I would suspect that a pass rule with nat-to would always have to match, otherwise network address translation for a specific IP wouldn't work. Wouldn't this end up with a pass quick rule with nat-to?

I'm really not sure. When I have the time I'll test pass rules with nat-to and report back.
#8, 1st October 2016
junkym (Guest)

I'm curious as to what is not working, per your original post:

Quote:
I attempted to add my ps4 but it doesn't appear to be working as intended...
Are you not getting Internet on PS4?
Unable to sign-on to PSN?
Getting NAT Type 3?
Unable to game online?
Getting "fragmented packets" message on network check?

I have PS4 and Xbox 1 and both are working fine on my OpenBSD 6.0 firewall.
#9, 1st October 2016
azdps (Port Guard; Join Date: Apr 2014; Posts: 21)

Code:
match out on egress inet from !$XBOX to any nat-to ($WAN:0) port 1024:65535
match out on egress from {$PS4 $XBOX} to any nat-to (egress) static-port

The above code works for both Xbox One and PS4. Both consoles connect fine and I'm able to play over the internet. Most people say that if you are behind a router your Xbox One NAT will be moderate. Well, I figured out a rule solution with which I can obtain an OPEN NAT on my Xbox One with the rules I have set in place. With the PS4 I can obtain a NAT Type 2. Having the correct rules in place I should be able to do better than NAT Type 2, or maybe not. I haven't had a chance to work on port forwarding with my PS4 just yet. I'm still trying to sort out the match situation. I don't use UPnP or DMZ. Specifically port forwarding only.

Yes, the above match code seems to work fine, but I really don't see it as the best solution. I think there has to be a better match rule solution. The match logic doesn't seem right, and I would suspect the PS4 would end up with port randomization. The first match rule is setting all other IP addresses on the network with non-static ports except the Xbox. This rule would be sticky at this point and anything afterwards would not override the first match. The second match rule setting the Xbox and PS4 with static ports works with the Xbox. I'm not so sure of the PS4, since the first match applied to everything else including the PS4 but excluded the Xbox.

junkym, what do your match rules look like? Are you using a single match rule making all ports static for the entire network? Would you mind providing your pf.conf setup? Thanks.

My goal:
Apply static-ports only to the Xbox and PS4. All other IP ports on the network should default to having port randomization.

Last edited by azdps; 1st October 2016 at 06:54 PM.
1st October 2016
junkym (Guest)

Not sure of your network layout, but my firewall has a 4-port nic:

em0 = WAN
em1 = LAN
em2 = GSN -- Gaming and Streaming Network
em3 = VMN -- Virtual Machines Network

em2 goes to a wireless access point for my gaming consoles/Apple TV/Smart TV etc.

Here are my match rules for NAT:
Quote:
#----------------------------------
# NETWORK ADDRESS TRANSLATION
#----------------------------------
match out on $WAN from $XB1 nat-to ($WAN) static-port
match out on $WAN from $PS3 nat-to ($WAN) static-port
match out on $WAN from $PS4 nat-to ($WAN) static-port

match out on $WAN from $LAN_NET nat-to ($WAN) port 1024:65535 set prio(4,7)
match out on $WAN from $GSN_NET nat-to ($WAN) port 1024:65535 set prio(5,7)
match out on $WAN from $VMN_NET nat-to ($WAN) port 1024:65535
I use anchors to load rules for gaming (basically a "gaming out" and a "gaming in") so I can clear and flush the rules as I see fit. It also keeps my pf.conf file a little neater. I only allow ports for whatever I need for that console (PlayStation Network/Xbox Live) or a particular game (Dark Souls/Steam).

This has worked for me for the last couple of years.
1st October 2016
azdps (Port Guard; Join Date: Apr 2014; Posts: 21)

junkym, thanks for the code snippet. What does $LAN_NET equal? Hmm, looking at your code it would seem I overlooked the obvious. Using match out first for my Xbox and PS4 with static ports and then match out for the rest of the network with source port randomization (default) should work. The third match out shouldn't modify my first two match outs since they are sticky. I'll test this out.

Are you able to obtain an open NAT with your Xbox? Are you using IPv4 or IPv6? Just curious.

Edit: Just finished with my testing and now have a working match rule set. It appears a match rule will not override a previous match rule. So the sequence of match rules is essential. Below are my final match rules that work:

Code:
# the consoles first: these hosts keep their source port
match out on $WAN inet from $PS4 to any nat-to ($WAN:0) static-port
match out on $WAN inet from $XBOX to any nat-to ($WAN:0) static-port
# the rest of the LAN: source port taken from this range
match out on $WAN inet from $LAN:network to any nat-to ($WAN:0) port 1024:65535

Last edited by azdps; 1st October 2016 at 10:57 PM.
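The ordering result reported in the post above follows from the pf.conf(5) sentence quoted in post #5: once a match rule with nat-to has matched, the rules after it see the packet with the translated source address, so a later "from $PS4" rule no longer matches a PS4 packet that an earlier "from !$XBOX" rule already translated. The Python model below is an added illustration, not PF's code and not anything posted in the thread. It walks a rule list the way that sentence describes and reports, per host, whether the source port survives. The console addresses are the ones shown in the pfctl -vf output in post #5; the external address 203.0.113.10, the /24 standing in for $LAN:network, the extra LAN host 10.200.200.50 and the seeded port allocator are assumptions for the demonstration. It does not model what PF does when a second nat-to rule matches an already translated packet; none of the thread's rule sets reaches that case.

```python
"""
Model of how OpenBSD PF walks 'match ... nat-to' rules (added illustration).

This is not PF's code and nothing here was posted in the thread.  It encodes
only the behaviour pf.conf(5) states and the thread relies on:

  * rules are walked top to bottom; a match rule sets its parameters every
    time it matches, not only on the last matching rule;
  * once a match rule with nat-to has matched, the rules after it see the
    packet with the translated source address and port;
  * 'static-port' keeps the source port; otherwise the source port is
    replaced by one taken from the rule's port range.

What PF does when a second nat-to rule matches an already translated packet
is NOT modelled; none of the rule sets below reaches that case.
"""
import random
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Console addresses as shown in the thread's 'pfctl -vf' output.
XBOX = "10.200.200.114"
PS4 = "10.200.200.110"
# Assumed values (not from the thread): the address behind ($WAN:0),
# the LAN behind $LAN:network, and one ordinary LAN host.
EXT_IP = "203.0.113.10"
LAN_NET = "10.200.200.0/24"
LAPTOP = "10.200.200.50"


@dataclass(frozen=True)
class NatRule:
    """One 'match out on $WAN from <src> to any nat-to EXT_IP [...]' rule."""
    src: tuple                         # hosts or networks listed after 'from'
    negate: bool = False               # models 'from !<src>'
    static_port: bool = False          # models 'static-port'
    port_range: tuple = (1024, 65535)  # models 'port lo:hi'

    def matches(self, src_ip):
        hit = any(ip_address(src_ip) in ip_network(n, strict=False)
                  for n in self.src)
        return hit != self.negate      # '!' inverts the match


@dataclass
class Translation:
    src: str
    sport: int
    applied: list = field(default_factory=list)  # indexes of rules that fired
    port_kept: bool = True                       # False once a port range was applied


def translate(rules, src_ip, sport, rng=None):
    """Walk the rules for one outbound packet and return its translation."""
    rng = rng or random.Random(0)  # deterministic stand-in for PF's port allocator
    t = Translation(src_ip, sport)
    for i, rule in enumerate(rules):
        if not rule.matches(t.src):   # matched against the CURRENT source
            continue
        t.applied.append(i)
        t.src = EXT_IP                # nat-to takes effect right here
        if not rule.static_port:
            t.sport = rng.randint(*rule.port_range)
            t.port_kept = False
    return t


def audit(rules, hosts, sport=3074):
    """For each host: does its traffic leave with its own source port?"""
    return {h: translate(rules, h, sport).port_kept for h in hosts}


# Post #1, second attempt: '!$xbox' first, then one static-port rule per console.
FIRST_ATTEMPT = [
    NatRule(src=(XBOX,), negate=True),
    NatRule(src=(XBOX,), static_port=True),
    NatRule(src=(PS4,), static_port=True),
]

# Post #5: '!$XBOX' first, then '{$PS4 $XBOX}' with static-port.
POST5_RULES = [
    NatRule(src=(XBOX,), negate=True),
    NatRule(src=(PS4, XBOX), static_port=True),
]

# Final rule set from the post above: consoles first, then the rest of the LAN.
FINAL_RULES = [
    NatRule(src=(PS4,), static_port=True),
    NatRule(src=(XBOX,), static_port=True),
    NatRule(src=(LAN_NET,)),
]

if __name__ == "__main__":
    for name, rules in (("first attempt", FIRST_ATTEMPT),
                        ("post #5", POST5_RULES), ("final", FINAL_RULES)):
        print(name, audit(rules, [XBOX, PS4, LAPTOP]))
```

Under the first two rule sets the model reproduces what the thread saw: the Xbox packet skips the "!$XBOX" rule and reaches its static-port rule, while the PS4 packet is translated by the "!$XBOX" rule and no later rule matches it any more. Under the final rule set both consoles hit their own static-port rule and the "$LAN:network" rule only catches the remaining hosts. On the firewall itself, `pfctl -nvf /etc/pf.conf` prints the expanded rules in the order PF walks them (the output in post #5 came from that), and `pfctl -ss` lists the states with the translated address and port, which is the direct way to confirm that a console's source port survived.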
1st October 2016
junkym (Guest)

$LAN_NET is a macro defined as:
Quote:
LAN = "em1"
LAN_NET = $LAN:network
You have it similarly in your match rule.

I get moderate NAT on my Xbox One and NAT Type 2 on my PS4.

I use IPV4 only.
1st October 2016
azdps (Port Guard; Join Date: Apr 2014; Posts: 21)

junkym, do me a favor and try this rule. Let me know if you end up with an open Xbox One NAT. Took me a while to figure this out with the help of tcpdump. This is the only rule I have for my Xbox One. Just make sure you don't restrict outbound access.

Code:
pass in quick on $WAN proto udp from any port 3544 to ($WAN) port 3074 rdr-to $XB1 port 3074

Get rid of any other 3544 or 3074 port rules you have otherwise they will conflict.

Last edited by azdps; 1st October 2016 at 10:59 PM.