DaemonForums: OpenBSD Security
#1, 7th May 2009
gezley (Port Guard; Join Date: May 2009; Location: Ireland; Posts: 12)

PF and kernel-level PPPoE(4)

OpenBSD 4.5
xl0 internal interface
xl1 external interface
DSL modem in bridging mode

I want to replace an Endian firewall with an OpenBSD firewall.
I understand kernel-level PPPoE works better than userland PPPoE.
I am able to set PPPoE up, but I have some questions regarding the PF aspect of it. I have followed the guides but I am stuck on these issues.
1) With kernel-level PPPoE, is it necessary for PF to be disabled until after the connection is brought up? If so, how do I enable PF as soon as the connection goes live? What happens if the connection dies?
2) pppoe0 replaces xl1 as the external interface in pf.conf, correct?
Thank you.
#2, 9th May 2009
sousa (New User; Join Date: Jan 2009; Posts: 3)

You should really take some time and read the PF User Guide.

Quote:
1) With kernel-level PPPoE, is it necessary for PF to be disabled until after the connection is brought up?
No.

Quote:
What happens if the connection dies?
Automatic redial.
Assuming that you will be doing NAT and have a dynamic IP, pay attention to this part of the above guide.

Quote:
2) pppoe0 replaces xl1 as the external interface in pf.conf, correct?
Yes.
#3, 10th May 2009
gezley (Port Guard; Join Date: May 2009; Location: Ireland; Posts: 12)

Quote:
Originally Posted by sousa
You should really take some time and read the PF User Guide.
I have indeed read that guide a number of times, as well as Jacek Artemiak's book and other resources. However, I could not get an answer to the specific question I asked, which was, does PF have to be disabled in OpenBSD 4.5 until the PPPoE interface is brought up? All I needed was a simple answer - yes or no - which you have now provided me, and for which I am very grateful. My head was spinning with all the information I was trying to take in.
Quote:
Automatic redial.
I understand that PPPoE will redial; what I wanted to know was how to deal with PF if the connection dropped. But since PF does not have to be disabled while PPPoE is dialling this shouldn't be a concern now.
Quote:
Assuming that you will be doing NAT and have a dynamic IP, pay attention to this part of the above guide.
The public address is a fixed address, but I do understand the need to put pppoe0 in brackets in the NAT section if the address is dynamic. Many thanks for your time and answer; I had quite a headache trying to work it out. Sometimes I can understand the more complicated things better than the straightforward things!
#4, 15th May 2009
spid3r (New User; Join Date: May 2009; Posts: 1)

I have an issue regarding this very same setup.

CLOUD ----------- (vr0/pppoe0) soekris gateway (vr1) ----------- LAN

When I'm on the LAN, all is good.
When I'm right on the gateway, DNS (UDP) works and ICMP works, but I can't get TCP to work.

Here is a snip of what's going on:

on the LAN:
lerequin# uname -a
OpenBSD laptop 4.5 GENERIC#118 i386
lerequin# telnet google.ca 80
Trying 64.233.161.104...
Connected to google.ca.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
lerequin#


on the gateway:
# uname -a
OpenBSD lataupe.xxxxxxx.com 4.5 GENERIC#1749 i386
# ping google.nl
PING google.nl (216.239.59.104): 56 data bytes
64 bytes from 216.239.59.104: icmp_seq=0 ttl=244 time=159.768 ms
--- google.nl ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 159.768/159.768/159.768/0.000 ms
# telnet google.nl 80
Trying 74.125.77.104...
^C
# telnet openbsd.org 80
Trying 199.185.137.3...
^C
# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> freebsd.org
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: freebsd.org
Address: 69.147.83.40
> exit

#

The TCP connection hangs.

# cat /etc/hostname.vr0
up
# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE pppoedev vr0 authproto pap \
authname 'xxxxxx@acanac.net' authkey 'xxxxxxx' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
#


# netstat -rnfinet
Routing tables

Internet:
Destination   Gateway             Flags  Refs  Use      Mtu    Prio  Iface
default       0.0.0.1             UGS    7     1337177  -      8     pppoe0
10.1.1/24     link#2              UC     4     0        -      4     vr1
10.1.1.1      00:00:24:c9:32:69   UHLc   0     14       -      4     lo0
10.1.1.25     00:22:15:8d:93:ff   UHLc   0     0        -      4     vr1
10.1.1.204    00:0b:6b:36:72:ab   UHLc   2     264074   -      4     vr1
10.1.1.207    link#2              UHLc   1     440518   -      4     vr1
67.XXX.8.1    67.XXX.13.124       UH     0     0        -      4     pppoe0
127/8         127.0.0.1           UGRS   0     0        33204  8     lo0
127.0.0.1     127.0.0.1           UH     2     1899     33204  4     lo0
224/4         127.0.0.1           URS    0     0        33204  8     lo0
#

pf rulz stripped down for the post:
# cat /etc/pf.conf
ext_if="pppoe0"
int_if="vr1"

table <lan_sub> { 10.1.1.0/24 }
table <fuckers> persist

#set loginterface $ext_if
set skip on lo0
set debug loud

#scrub all no-df random-id fragment reassemble reassemble tcp
scrub out log (all) on $ext_if max-mss 1440

nat log (all) on $ext_if from !($ext_if) to any -> ($ext_if)

block drop log (all) all
block drop quick log (all) inet6
block drop quick log (all) from <fuckers>

pass in quick log (all) on $int_if modulate state
pass out quick log (all) on $ext_if modulate state

pass in quick log (all) on $ext_if proto tcp from any port > 1024 to ($ext_if) port ssh flags S/SA modulate state (max-src-conn 5, max-src-conn-rate 10/5, overload <fuckers> flush global)

pass in quick log (all) inet proto icmp all icmp-type echoreq modulate state



while doing a telnet google.com 80 on the soekris:
# tcpdump -i pflog0 -X -s 1500 -e -vvv host google.com
tcpdump: listening on pflog0, link-type PFLOG
14:51:04.002160 rule 5/(match) [uid 0, pid 24578] pass out on pppoe0: dsl-67-XXX-13-124.acanac.net.56197 > yx-in-f100.google.com.www: S [tcp sum ok] 4038451558:4038451558(0) win 16384 <mss 1440,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 697898457 0> (DF) [tos 0x10] (ttl 64, id 51129, len 64)


14:51:04.059010 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 <mss 1430,sackOK,timestamp 1821837804 697898457,nop,wscale 6> (ttl 51, id 27033, len 60)


14:51:04.383735 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 <mss 1430,sackOK,timestamp 1821838129 697898457,nop,wscale 6> (ttl 51, id 27034, len 60)


14:51:04.984323 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 <mss 1430,sackOK,timestamp 1821838729 697898457,nop,wscale 6> (ttl 51, id 27035, len 60)


The SYN-ACK comes back, but it doesn't reach telnet, so telnet keeps sending SYNs until it reaches the timeout.

It looks like the packets are NATed back to 0.0.0.0 instead of the pppoe0 IP address, and I guess telnet is not listening on 0.0.0.0.
# netstat
Active Internet connections
Proto  Recv-Q  Send-Q  Local Address   Foreign Address        (state)
tcp         0       0  *.37330         qy-in-f104.googl.www   SYN_SENT


At this point I don't know any more.
... anyone?

Last edited by spid3r; 15th May 2009 at 07:18 PM.
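spid3r's pflog capture above shows inbound "nat in" records whose translated destination is 0.0.0.0. As an added example that is not part of the thread, here is a small Python parser for pflog tcpdump records (same format as the captures above) that flags inbound NAT translations to the unspecified address, so the mismatch can be picked out of a long capture without reading every line. The hostnames, addresses and sample lines are constructed.

```python
import re

# Prefix of a pflog tcpdump -e -vvv record (format as in this thread's
# captures); the tail after the endpoints is kept as one opaque blob.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\(match\) "
    r"\[uid \d+, pid \d+\] "
    r"(?P<action>pass|block|nat|rdr|binat|match) (?P<dir>in|out) on "
    r"(?P<iface>[a-z]+\d+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
UNSPECIFIED = "0.0.0.0"

def split_endpoint(endpoint):
    # tcpdump prints 'host.port'; rpartition keeps dotted hostnames intact
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_pflog_line(line):
    """One pflog record as a dict, or None for banner/other lines."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_host"], rec["src_port"] = split_endpoint(rec["src"])
    rec["dst_host"], rec["dst_port"] = split_endpoint(rec["dst"])
    return rec

def find_unspecified_nat(lines):
    """Inbound NAT records whose translated destination is 0.0.0.0: the
    reply matched a state but is handed to the unspecified address
    rather than the external interface's address."""
    return [
        rec for rec in map(parse_pflog_line, lines)
        if rec and rec["action"] == "nat" and rec["dir"] == "in"
        and rec["dst_host"] == UNSPECIFIED
    ]

# Constructed sample modelled on the thread's capture (not its lines):
# one outbound pass, two replies translated to 0.0.0.0, one to a LAN host.
SAMPLE_PFLOG = """\
tcpdump: listening on pflog0, link-type PFLOG
14:51:04.002160 rule 5/(match) [uid 0, pid 24578] pass out on pppoe0: dsl-67-0-13-124.example.net.56197 > www.example.com.www: S [tcp sum ok] 1:1(0) win 16384 (DF) (ttl 64, id 51129, len 64)
14:51:04.059010 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: www.example.com.www > 0.0.0.0.41797: S [tcp sum ok] 2:2(0) ack 2 win 5672 (ttl 51, id 27033, len 60)
14:51:04.383735 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: www.example.com.www > 0.0.0.0.41797: S [tcp sum ok] 2:2(0) ack 2 win 5672 (ttl 51, id 27034, len 60)
14:51:05.100000 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: www.example.com.www > 10.1.1.204.50000: S [tcp sum ok] 3:3(0) ack 3 win 5672 (ttl 51, id 27035, len 60)
""".splitlines()

if __name__ == "__main__":
    for h in find_unspecified_nat(SAMPLE_PFLOG):
        print(f"{h['ts']} rule {h['rule']} on {h['iface']}: reply from {h['src_host']}:{h['src_port']} -> {h['dst_host']}:{h['dst_port']}")
```

Run it against a saved capture by reading the file's lines instead of SAMPLE_PFLOG; records translated to a real interface or LAN address are left out of the report.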