DaemonForums > OpenBSD > OpenBSD Security
#1
2nd December 2017
bsd007 (Always learning; Join Date: Sep 2014; Posts: 242)

Just want to make sure my pf is configured properly

Hi,
This is my pf.conf

Code:
# cat /etc/pf.conf                                                             
#       $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

I will study the docs, but if anyone can confirm that the above configuration blocks all incoming, I can relax and keep studying.

Last edited by bsd007; 2nd December 2017 at 02:45 PM.
#2
2nd December 2017
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

No, it does not. In PF, the last matching rule wins.

The only incoming traffic that is blocked is remote X Terminal traffic (TCP ports 6000-6010), as this is a block that follows your completely wide open pass rule.

The prior block return rule will never be applied, as it will never be the last matching rule.
#3
2nd December 2017
bsd007 (Always learning; Join Date: Sep 2014; Posts: 242)

Quote: Originally Posted by jggimi
No, it does not. In PF, the last matching rule wins.

The only incoming traffic that is blocked is remote X Terminal traffic (TCP ports 6000-6010), as this is a block that follows your completely wide open pass rule.

The prior block return rule will never be applied, as it will never be the last matching rule.
Please give me a secure configuration which basically drops all incoming and allows outgoing.

Code:
#       $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

## block return         # block stateless traffic
## pass         # establish keep-state
block in all
pass out all keep state


# By default, do not permit remote connections to X11
## block return in on ! lo0 proto tcp to port 6000:6010

I tried the above, then reloaded PF, but when I launch Transmission and run an nmap scan it still shows the port:

Code:
PORT      STATE SERVICE
51413/tcp open  unknown
#4
2nd December 2017
bsd007 (Always learning; Join Date: Sep 2014; Posts: 242)

Code:
# cat /etc/pf.conf   
pass out all keep state
block in all
Tried with the above. Same outcome.

Code:
$ nmap 172.16.197.126 -p51413 

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-02 23:33 IST
Nmap scan report for mypc.my.domain (172.16.197.126)
Host is up (0.000076s latency).

PORT      STATE SERVICE
51413/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
#5
2nd December 2017
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

Quote: Originally Posted by bsd007
Please give me...
No.

Developing and maintaining a functional, useful PF configuration requires two skills. 1) The admin must have knowledge of how the network protocols to be governed by PF actually function, and 2) the admin must also understand how PF configuration rules are applied. If you copy and paste a ruleset provided by someone else, it won't help you to develop either of these skills.
You do not appear to have a clear understanding of the protocols used by the Transmission application: Bit Torrent, and its underlying UDP and TCP protocols.

You do not appear to understand the basics of PF configurations.
For many years, Peter Hansteen - the author of The Book of PF - has travelled the world presenting PF Tutorials. He begins each and every Tutorial session by having his attendees recite this "Pledge of the Network Admin" aloud:
Code:
This is my network.

 It is mine
or technically my employer’s,
it is my responsibility
and I care for it with all my heart
there are many other networks a lot like mine,
but none are just like it.

 I solemnly swear
that I will not mindlessly paste from HOWTOs.
Mr. Hansteen's Book of PF is excellent, and I recommend it. In addition, his tutorial is available online, and may provide you with guidance you have not been able to obtain to date from the PF User's Guide.

Edited to add: the best book I've found on networking for admins is Networking for System Administrators, by Michael W. Lucas.

Last edited by jggimi; 2nd December 2017 at 06:28 PM. Reason: added a good pointer for networking education
#6
2nd December 2017
bsd007 (Always learning; Join Date: Sep 2014; Posts: 242)

Okay, I will definitely read the tutorial, but in the meantime I don't want to run an insecure system.
Please give me something to just get started. If that's not possible I will have to cope with it.

Thanks for your reply.

I remember that when using PF under FreeBSD, only the following rules were enough:

Code:
pass out all keep state
block in all

https://www.freebsd.org/doc/handbook/firewalls-pf.html
#7
2nd December 2017
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

No. Instead, I'm happy to do some minimal teaching.

Question 1: What percentage of packets will be blocked by this 2-line PF configuration?
Code:
block
pass
Question 2: What percentage of packets will be blocked by this 2-line PF configuration?
Code:
pass
block
Question 3: Are your answers for Questions 1 and 2 the same, or are they different? Why?

Question 4: Both UDP and TCP connections use port numbers. In a single connection between two IP addresses, how many port numbers are involved? Why?

Question 5: How does a PF pass rule with the default keep state option treat the establishment of state? How is it different between TCP and stateless protocols like UDP?

---- Answers (hidden as white text on white background below) ----
1. 0%.
2. 100%.
3. Different. The last matching rule wins.
4. Two. There is a sending port number, and a receiving port number.
5. When a pass rule is matched that establishes state, the state is added to PF's state table and no rules are tested for any follow-on packets while the state remains established. TCP session teardown ends the state. Stateless protocols use timers to maintain a temporary state table entry.
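To make "the last matching rule wins" concrete, here is an added toy model of PF rule evaluation (not code from the forum, from pf(4) or from OpenBSD); it reproduces jggimi's reading of the original pf.conf in post #2 and the answers to questions 1 to 3 above. It models only action, direction, protocol and destination port; "quick", "return", interface matching and the state-table lookup that precedes rule evaluation are deliberately left out, and the sample packets are constructed.

```python
# Added example for this thread (not code from the forum, from pf(4) or from
# OpenBSD): a toy model of PF's "last matching rule wins" evaluation.
# It models only action, direction, protocol and destination port; "quick",
# "return", interface matching and the state-table lookup are left out.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                               # "block" or "pass"
    direction: Optional[str] = None           # "in", "out" or None (either)
    proto: Optional[str] = None               # "tcp", "udp" or None (any)
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range

def matches(rule: Rule, direction: str, proto: str, dport: int) -> bool:
    """True when every criterion the rule specifies applies to the packet."""
    if rule.direction and rule.direction != direction:
        return False
    if rule.proto and rule.proto != proto:
        return False
    if rule.dports and not (rule.dports[0] <= dport <= rule.dports[1]):
        return False
    return True

def verdict(rules: List[Rule], direction: str, proto: str, dport: int) -> str:
    """Walk the whole ruleset; the LAST matching rule decides. With no
    matching rule at all, PF's default is to pass."""
    result = "pass"
    for rule in rules:
        if matches(rule, direction, proto, dport):
            result = rule.action
    return result

# Post #1's ruleset: block return / pass / block return in ... port 6000:6010
ORIGINAL = [Rule("block"), Rule("pass"),
            Rule("block", direction="in", proto="tcp", dports=(6000, 6010))]
# Post #3's ruleset: block in all / pass out all keep state
INTENDED = [Rule("block", direction="in"), Rule("pass", direction="out")]
# Constructed sample packets: (direction, proto, destination port)
SAMPLES = [("in", "tcp", 51413), ("in", "tcp", 6001),
           ("out", "udp", 123), ("in", "udp", 6881)]

def percent_blocked(rules: List[Rule], samples=SAMPLES) -> int:
    """Share of the sample packets blocked, for questions 1 and 2."""
    blocked = sum(verdict(rules, *pkt) == "block" for pkt in samples)
    return 100 * blocked // len(samples)
```

With ORIGINAL, inbound TCP 51413 ends on the wide-open pass rule while inbound TCP 6001 ends on the X11 block; with INTENDED every inbound packet is blocked.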
#8
2nd December 2017
bsd007 (Always learning; Join Date: Sep 2014; Posts: 242)

All I am trying to achieve is to deny incoming and allow outgoing. As I mentioned before, under FreeBSD a simple
Code:
pass out all keep state
block in all
did the job.

Under Ubuntu it's

Code:
sudo ufw default deny
sudo systemctl enable ufw

I want to achieve the same under OpenBSD.

Thanks for your patience.
#9
2nd December 2017
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

Your concern is TCP port 51413, which is "open" when you have a ruleset that apparently blocks all incoming traffic. I can think of 3 possible answers:
  1. PF is not enabled, so the ruleset has no effect. This can be checked with the -e option of pfctl(8). It will enable PF if disabled, or tell you that PF is already enabled.
  2. PF is not loaded with this particular ruleset. This can be checked with the -s rules option of pfctl(8).
  3. Unlikely: the testing system has an established state with the system under test. This can be checked with the -s states option of pfctl(8).
If none of these guesses are correct, add the log option to your block and pass rules, and inspect pflog(4) traffic with tcpdump(8) while testing with nmap.


Port 51413 is the default TCP port used by Transmission for incoming peers. To function properly, Transmission will need to pass incoming peer traffic.
2nd December 2017
bsd007 (Always learning; Join Date: Sep 2014; Posts: 242)

Quote: Originally Posted by jggimi
Your concern is TCP port 51413, which is "open" when you have a ruleset that apparently blocks all incoming traffic. I can think of 3 possible answers:
  1. PF is not enabled, so the ruleset has no effect. This can be checked with the -e option of pfctl(8). It will enable PF if disabled, or tell you that PF is already enabled.
  2. PF is not loaded with this particular ruleset. This can be checked with the -s rules option of pfctl(8).
  3. Unlikely: the testing system has an established state with the system under test. This can be checked with the -s states option of pfctl(8).
If none of these guesses are correct, add the log option to your block and pass rules, and inspect pflog(4) traffic with tcpdump(8) while testing with nmap.


Port 51413 is the default TCP port used by Transmission for incoming peers. To function properly, Transmission will need to pass incoming peer traffic.
Code:
# pfctl -e                                                                     
pf enabled
Code:
# pfctl -s rules
block return all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
Code:
# pfctl -s states
all tcp 172.16.197.126:47111 -> 50.112.201.212:443       FIN_WAIT_2:FIN_WAIT_2
all tcp 172.16.197.126:36590 -> 95.170.82.241:80       FIN_WAIT_2:FIN_WAIT_2
all udp 172.16.197.255:138 <- 172.16.197.171:138       NO_TRAFFIC:SINGLE
all udp 255.255.255.255:5678 <- 150.129.176.114:5678       NO_TRAFFIC:SINGLE
all udp 172.16.197.126:36062 -> 13.126.37.14:123       MULTIPLE:SINGLE
all udp 172.16.197.126:37230 -> 139.59.43.68:123       MULTIPLE:SINGLE

Yes, I know that Transmission will need that port, but I want to be in control, meaning Transmission must not open that port unless I port forward it.
2nd December 2017
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

Ah hah! PF was disabled on your system.
Quote: Originally Posted by bsd007
Code:
# pfctl -e                                                                     
pf enabled
If PF had been enabled, the message would be different:
Code:
pfctl: pf already enabled
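An added helper for working through jggimi's checklist in post #9 and his reading of the pfctl -e message just above (this is not OpenBSD code and it never runs pfctl(8) itself): it interprets output pasted from pfctl, so it runs anywhere, and it tells apart "pf enabled" (PF was off until now) from "pf already enabled", then parses `pfctl -s states` lines in the format quoted in this thread to look for an existing state on the scanned port. The sample state lines are constructed from those quoted above.

```python
# Added helper for this thread (not OpenBSD code): interprets text pasted from
# pfctl(8) rather than calling it, so it runs on any system. Serves the
# checklist in post #9 (-e, -s states) and the -e message read in post #11.
from dataclasses import dataclass
from typing import List

@dataclass
class State:
    iface: str
    proto: str
    near: str    # endpoint printed first: source of an outbound ("->") state,
    far: str     # destination of an inbound ("<-") one, i.e. this host's side
    arrow: str   # "->" outbound state, "<-" inbound state
    status: str  # e.g. "FIN_WAIT_2:FIN_WAIT_2" or "MULTIPLE:SINGLE"

def pf_was_already_enabled(pfctl_e_output: str) -> bool:
    """'pf enabled' means pfctl -e has JUST switched PF on, so the ruleset was
    not in force before; 'pf already enabled' means it was."""
    text = pfctl_e_output.strip()
    if text.endswith("pf already enabled"):
        return True
    if text.endswith("pf enabled"):
        return False
    raise ValueError("unrecognised pfctl -e output: %r" % pfctl_e_output)

def parse_states(pfctl_s_states_output: str) -> List[State]:
    """Parse 'all tcp A:p -> B:q STATUS' style lines from pfctl -s states;
    blank lines, prompts and anything else are skipped."""
    states = []
    for line in pfctl_s_states_output.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[3] in ("->", "<-"):
            iface, proto, near, arrow, far, status = parts
            states.append(State(iface, proto, near, far, arrow, status))
    return states

def states_on_port(states: List[State], port: int) -> List[State]:
    """Entries whose near endpoint uses `port`: an existing state for a scanned
    port is jggimi's third explanation for an 'open' result despite block in."""
    return [s for s in states if s.near.rsplit(":", 1)[1] == str(port)]

# Constructed sample, taken from the state lines quoted in the thread
SAMPLE_STATES = """\
all tcp 172.16.197.126:47111 -> 50.112.201.212:443       FIN_WAIT_2:FIN_WAIT_2
all udp 172.16.197.255:138 <- 172.16.197.171:138       NO_TRAFFIC:SINGLE
all udp 172.16.197.126:36062 -> 13.126.37.14:123       MULTIPLE:SINGLE
"""
```

On the state table quoted above there is no entry on port 51413, which is consistent with jggimi's first explanation (PF was disabled) rather than the third.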
2nd December 2017
bsd007 (Always learning; Join Date: Sep 2014; Posts: 242)

Thanks to you I am getting closer.

I am getting this

Code:
#  pfctl -e
pfctl: pf already enabled
No idea how it changed.
3rd December 2017
bsd007 (Always learning; Join Date: Sep 2014; Posts: 242)

Any ideas?
3rd December 2017
johnR (Fdisk Soldier; Join Date: Nov 2017; Posts: 57)

I'm using these lines in pf.conf on the PC which I'm using to post here:

block in all
pass out all

This does the job for now while I learn more about pf, mainly from reading the Hansteen book. The above lines and what they do are described on page 17 of the book (3rd edition). I'm just an OpenBSD noob though, so I would strongly recommend that you follow jggimi's advice and learn what these rules do before blindly copying them.
3rd December 2017
e1-531g (ISO Quartermaster; Join Date: Mar 2014; Posts: 628)

Quote: Originally Posted by johnR
I'm using these lines in pf.conf on the PC which I'm using to post here:

block in all
pass out all

This does the job for now while I learn more about pf, mainly from reading the Hansteen book. The above lines and what they do are described on page 17 of the book (3rd edition). I'm just an OpenBSD noob though, so I would strongly recommend that you follow jggimi's advice and learn what these rules do before blindly copying them.
Usually it is good to skip the block in rule on the internal interface, even though local process IPC should be done over Unix domain sockets. Example:
Code:
set skip on lo0
3rd December 2017
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

Quote: Originally Posted by bsd007
No idea how it changed.
Quote: Originally Posted by bsd007
Any ideas?
Only two.
  1. pf=NO set in /etc/rc.conf.local or in manually altered /etc/rc.conf.
  2. # pfctl -d executed manually or in a script