DaemonForums - OpenBSD Security
#1
13th December 2011
toro7
New User
Join Date: Dec 2011
Posts: 3
pf.conf label question

Hello

I have the following rule in my pf.conf (on OpenBSD 4.3)

Code:
rdr pass on $new_if proto tcp from any to 123.123.123.33 port {80,443}  -> 10.0.0.99
Now I want to add a label to this rule. I use the label for later traffic analysis. I tried out a lot of variations, but I think this one should work:

Code:
rdr pass on $new_if proto tcp from any to 123.123.123.33 port {80,443} label test -> 10.0.0.99
But when I try to load the config, I always get the error:
pfctl: Syntax error in config file: pf rules not loaded

Any ideas how I can set the label on this rule? I don't want to split it into an rdr and a pass rule. That works, but I want to have it in the same rule.
Thanks
#2
13th December 2011
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,318

Quote (Originally Posted by toro7):
I have the following rule in my pf.conf (on OpenBSD 4.3)
OpenBSD 4.3 was released in May 2008, & official support ended May 2009 -- nearly 2.5 years ago. Is there a reason why you are using such an old version?

If you are using information from the current PF Users' Guide, recognize that pf(4) has undergone radical changes in the intervening years. Using information from the current 5.0 Guide will likely not work on OpenBSD 4.3 & vice versa.

If you must use OpenBSD 4.3, your best bet is to resurrect the PF Users' Guide from the 4.3 era which can be found at the following:

http://www.openbsd.org/cgi-bin/cvsweb/www/faq/pf/

Last edited by ocicat; 13th December 2011 at 06:52 PM.
#3
13th December 2011
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

In normal pf rules, labels come last. An example from my workstation pf.conf:
Code:
pass out quick on egress inet proto tcp from egress to any port www label "$nr:$proto:WWW"
pass out quick on egress inet proto tcp from egress to any port imaps label "$nr:$proto:IMAPS"
pass out quick on egress inet proto tcp from egress to any port https label "$nr:$proto:HTTPS"
pass out quick on egress inet proto tcp from egress to any port smtp label "$nr:$proto:SMTP"
In the BNF at the end of the 4.3 pf.conf man page, label is part of the definition of filteropt and a filteropt-list:
Code:
     filteropt-list = filteropt-list filteropt | filteropt

     filteropt      = user | group | flags | icmp-type | icmp6-type | tos |
                      ( "no" | "keep" | "modulate" | "synproxy" ) "state"
                      [ "(" state-opts ")" ] |
                      "fragment" | "no-df" | "min-ttl" number |
                      "max-mss" number | "random-id" | "reassemble tcp" |
                      fragmentation | "allow-opts" |
                      "label" string | "tag" string | [ ! ] "tagged" string |
                      "queue" ( string | "(" string [ [ "," ] string ] ")" ) |
                      "rtable" number | "probability" number"%"
The BNF for a pf rule states:
Code:
     pf-rule        = action [ ( "in" | "out" ) ]
                      [ "log" [ "(" logopts ")"] ] [ "quick" ]
                      [ "on" ifspec ] [ "fastroute" | route ] [ af ] [ protospec ]
                      hosts [ filteropt-list ]
So the label is one of the last things in a pf rule.

Now look at the BNF for the 4.3 rdr statement:
Code:
     rdr-rule       = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                      [ "on" ifspec ] [ af ]
                      [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
                      [ "->" ( redirhost | "{" redirhost-list "}" )
                      [ portspec ] [ pooltype ] ]
Neither a filteropt nor a label to be seen.

PS: The 4.3 pf.conf manual can be found at http://www.openbsd.org/cgi-bin/man.c...86&format=html
No need to resurrect an old pf.conf faq.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
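Since the 4.3 rdr-rule grammar quoted above accepts "tag" but no filteropt, the way to get a label on redirected traffic with that grammar is to let the rdr rule tag the packets and put the label on an explicit pass rule that matches "tagged". The following is an added example written for this thread, not a ruleset from any of the posters; the interface name, the tag string and the label text are assumptions, while the addresses and ports are the ones from the question.

```pf
# Added example, OpenBSD 4.3 pf.conf syntax (not from the thread).
# Assumed: external interface name, tag name WEB_RDR, label text.
new_if  = "em0"             # assumption: the interface the question calls $new_if
web_pub = "123.123.123.33"  # public address from the question
web_int = "10.0.0.99"       # internal web server from the question

# No "pass" on the rdr: it only translates and tags the packets, so that
# an explicit filter rule, which may carry a label, does the passing.
rdr on $new_if proto tcp from any to $web_pub port { 80, 443 } tag WEB_RDR -> $web_int

# In 4.3 filter rules see the translated (internal) destination.
# "tagged" limits this rule to packets the rdr rule tagged; the label's
# $nr, $proto and $dstport macros expand when the ruleset is loaded,
# so the two expanded rules (80 and 443) get distinct labels.
pass in on $new_if proto tcp from any to $web_int port { 80, 443 } tagged WEB_RDR label "$nr:$proto:rdr-web:$dstport"
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded), then load with `pfctl -f /etc/pf.conf`. The per-label packet and byte counters that the question wants for traffic analysis are printed by `pfctl -s labels`, one line per label, which is the same output J65nko's "$nr:$proto:..." labels feed. This fragment only covers the inbound side on the external interface and has to be merged into the rest of the ruleset; with a default block policy the forwarded traffic also needs a matching pass out on the internal interface.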
#4
14th December 2011
toro7
New User
Join Date: Dec 2011
Posts: 3

Quote (Originally Posted by ocicat):
OpenBSD 4.3 was released in May 2008, & official support ended May 2009 -- nearly 2.5 years ago. Is there a reason why you are using such an old version?
I know that it is very old; currently I am a bit afraid of upgrading the system as it is just working more than perfectly. But it's a task for next year to upgrade that server. So in that case I assume that I first need to upgrade and then come back here in case it does not work ;-)
#5
14th December 2011
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,318

Quote (Originally Posted by toro7):
So in that case I assume that I first need to upgrade and then come back here in case it does not work ;-)
Recognize that OpenBSD's upgrade policy is incremental to the next version only -- meaning that to upgrade OpenBSD 4.3 to OpenBSD 5.0 requires upgrading from 4.3 to 4.4, followed by 4.4 to 4.5, etc. all the way up to 5.0. While you can do all the individual upgrades if you so choose, I would simply suggest doing a fresh install of OpenBSD 5.0.

...& given that pf(4) has gone through major revision itself, study both the User's Guide & manpage as previously mentioned, & build a new pf.conf(5) file from scratch. You will learn from the process & better understand how to modify it later.
#6
14th December 2011
toro7
New User
Join Date: Dec 2011
Posts: 3

Quote (Originally Posted by ocicat):
meaning that to upgrade OpenBSD 4.3 to OpenBSD 5.0 requires upgrading from 4.3 to 4.4, followed by 4.4 to 4.5, etc. all the way up to 5.0.
Thanks for that information, it's very helpful... As you can assume, I never upgraded OpenBSD, but I just got through the upgrade info from OpenBSD. I think it's fastest to install a fresh 5.0 and copy over the relevant config files ;-)
#7
14th December 2011
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,318

Quote (Originally Posted by toro7):
I never upgraded OpenBSD, but I just got through the upgrade info from OpenBSD. I think it's fastest to install a fresh 5.0 and copy over the relevant config files ;-)
When doing upgrades, it is also advised to study the Upgrade Guide to see if there are further issues which need to be considered.
#8
14th December 2011
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

@toro7, the main differences between an upgrade and an install are:
  1. No disk gets formatted; all filesystems are left in place.
  2. Configuration files are not touched; the etc*.tgz and xetc*.tgz filesets are not utilized.
  3. Updating of /etc and /var configuration files is left to the user to conduct manually following each release's upgrade guide, or with sysmerge(8).
  4. The upgrade guide for each release includes additional considerations for specific configurations or applications that may require manual steps.
Some things to consider regarding configuration files in /etc and /var:

  • You must not merely copy your 4.3 configuration files onto a 5.0 system. Many of these files have had significant change, in similar fashion to pf.conf(5). Instead of copying files, you must integrate your local customizations into 5.0 configuration files.
  • I referred to sysmerge(8) above. It does not exist in your system; it was added at OpenBSD release 4.4. It makes the integration of local customizations in updated configuration files automatic or semi-automatic, depending on complexity. (It is based on mergemaster, a FreeBSD tool that used to be in the OpenBSD ports tree. It is no longer needed.)
#9
14th December 2011
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,318

As a final comment, studying the information in Section 4 of the FAQ is also paramount to understanding the install process. Upgrading is nominally discussed there as well.

There is a wealth of information to be found in both the FAQ & Upgrade Guides. Studying these beforehand will alleviate aggravation & prevent blunders. Many of the questions/situations we deal with here are from those that don't take the time to understand the information contained.
5th January 2012
mbw
Port Guard
Join Date: May 2010
Location: Seattle, WA
Posts: 13

Since 4.3, bridge file syntax has changed, among other things in pf.... If you can build out your new version 5 firewall in parallel to the production one, and put one non-important host behind it, it's not a bad way to debug/test your new ruleset.