DaemonForums

OpenBSD Security: Functionally paranoid!

#1
4 Weeks Ago
jonsec
Port Guard
 
Join Date: Jul 2019
Posts: 24
block any request except OpenBSD CDN

Hi,
I want to block every port on the server so that my OpenBSD server can only access the OpenBSD CDN (pkg_add, fw_update, etc.).

The rules below are not working!

/etc/pf.conf
Code:
table <http_whitelist> persist const file "/etc/pf.http_whitelist"
block all
antispoof for em1
pass out log on em1 proto tcp to <http_whitelist> port {http https} no state
/etc/pf.whitelist
Code:
151.101.114.217
/etc/hosts
Code:
127.0.0.1     localhost
::1             localhost
151.101.114.217 cdn.openbsd.org
#2
4 Weeks Ago
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,707

Quote:
Originally Posted by jonsec
The rules below are not working!
I need more information, otherwise I can only make one guess:
  • You must have lookup file without lookup bind in resolv.conf(5), as your rules block DNS traffic.
To see what is actually happening:
  • You have the log directive already included in your pass rule. Add log to your block rule, and monitor pflog(4) traffic with tcpdump(8) so that you can see what is being blocked and passed.
#3
4 Weeks Ago
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,707

Here's a second guess:
Code:
no state
Your pass rule is for outbound traffic without state. Because no state is established, you must add a pass rule to permit inbound traffic. Another option would be to permit state to be established.
#4
4 Weeks Ago
jonsec
Port Guard
 
Join Date: Jul 2019
Posts: 24

Quote:
Originally Posted by jggimi
Here's a second guess:
Code:
no state
Your pass rule is for outbound traffic without state. Because no state is established, you must add a pass rule to permit inbound traffic. Another option would be to permit state to be established.
Yes, all right. When I dropped the no state flag from the rule, it worked.

thanks jggimi.
#5
4 Weeks Ago
jonsec
Port Guard
 
Join Date: Jul 2019
Posts: 24

Also, the command below can help to find more IP addresses.

Code:
dig cdn.openbsd.org a
#6
4 Weeks Ago
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,707

Not from your server. These rules block domain name resolution traffic.
#7
4 Weeks Ago
jonsec
Port Guard
 
Join Date: Jul 2019
Posts: 24

Quote:
Originally Posted by jggimi
Not from your server. These rules block domain name resolution traffic.
Yes, all right. But this is not the full config.
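Putting jggimi's two suggestions together (log on the block rule so pflog(4) shows what is dropped, and a stateful pass rule so the CDN's reply packets are matched by the state entry instead of needing a second inbound rule), here is a corrected version of the ruleset from post #1 as an added example; it is not the poster's file or an OpenBSD-supplied one. The em1 interface and the whitelist file name are taken from the thread; the resolver address and the DNS rule are assumptions for the DNS point raised in posts #6 and #7.

```pf
# /etc/pf.conf (added example, not the poster's file): jonsec's ruleset with
# jggimi's two fixes applied.
ext_if = "em1"

# Placeholder resolver address (assumption); use the nameserver from resolv.conf(5).
resolvers = "{ 192.0.2.53 }"

# Same table as post #1; the file must hold the CDN addresses, e.g. from dig(1).
table <http_whitelist> persist const file "/etc/pf.http_whitelist"

# Not in the thread: keep loopback traffic out of the ruleset so "block all"
# does not break local services.
set skip on lo

# "log" added here so blocked packets show up on pflog0 (post #2).
block log all
antispoof log for $ext_if

# Stateful (pf's default, i.e. no "no state"): the TCP replies from the CDN
# match the state entry, so no separate inbound pass rule is needed (post #3).
pass out log on $ext_if proto tcp to <http_whitelist> port { http https }

# Optional (assumption): allow name resolution to the resolver above, since
# "block all" otherwise blocks DNS (post #6). Omit if /etc/hosts is enough.
pass out log on $ext_if proto { tcp udp } to $resolvers port domain
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then watch `tcpdump -n -e -ttt -i pflog0` to see the block and pass entries jggimi refers to.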