DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 9th February 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Question Redirect Internal Network to Internal Website

Hello all,

I am trying to figure out how I can have PF redirect my internal addresses to my internal web server...etc rather than have internal users access the internal resources from the internet.

Example:

Internal user tries to access my website. http://*url*.org
or
Internal user tried to access web service. https://*url*.orgort#/path/


I have tried adding redirect rules for my internal interface but they do not seem to be working.

Code:
rdr on $int_if inet proto tcp from any to *myurl* port 80 -> *webserver* port 80
I would rather not use an IP for the URL.

Does anyone know how this can be done?

Thanks!
Reply With Quote
  #2   (View Single Post)  
Old 9th February 2009
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

pf is a packet filter, it is not aware of high level protocols.. what you want would require special configuration for a combination of services.

As for domain names in pf, unfortunately that would require changing certain elements of the rc script.

Please post in more detail what you're trying to achieve.
Reply With Quote
  #3   (View Single Post)  
Old 9th February 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

PF can use domain resolution, but only at the time the rules are being loaded. If the IP address changes, the rules must be reloaded to obtain changed addresses. This also means that your DNS server, if used for resolution, must be available during boot. If this is not possible, you would want to place all names to be resolved in the PF server's hosts(5) file, and use "lookup file bind" in resolv.conf(5).

If you have a DNS server on the same platform -- i.e.: you have "nameserver 127.0.0.1" in resolv.conf(5) -- you need to be aware that PF rules are loaded by rc(8) before named(8) is started by rc(8). Therefore, you would require the same hosts(5) lookup for resolution.

Last edited by jggimi; 9th February 2009 at 06:43 PM. Reason: clarity
Reply With Quote
  #4   (View Single Post)  
Old 9th February 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Default

BSDfan666

I am trying to have PF redirect outgoing requests (inside my LAN) that are pointing to my domain name/DNS so they do not first travel out of my network to the internet and than back in again.

So instead of:

user wants to visit my locally hosted website, types URL, browser forwards query to DNS...etc and than is redirected out into the internet to access "domain name" which happens to just point back to my own network. (this fails and is a waste of bandwidth)

I would like instead of going to the internet to access my internal website that my internal PF firewall will simply redirect anything to URL port 80 to my internal web server. Thus no more wasted bandwidth and hopefully will actually work.

jggimi

Hmmm its unfortunate that PF will not "lookup" the IP on-the-fly. This defeats the full purpose of putting DNS as apposed to IP. (for me)

Would you be able to show a sample code for PF that would work for redirection using DNS Name (I will have to just reload my config if my IP changes.)

The firewall is acting as a middle-man type thing. So it has internal and external interfaces. Internal would be connecting to the internal network and external would be connecting to the exterior portion of my network.


Hope this helps clarify things.

Thanks for all your help!
Reply With Quote
  #5   (View Single Post)  
Old 9th February 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by plexter View Post
...so they do not first travel out of my network to the internet and than back in again....
That can be solved with local DNS. e.g.: When inside your private LAN, your local DNS server(s) respond to a resolution request for "our.webserver.inhere.com" with your inside-the-firewall address. No need to redirect with PF.
Quote:
Hmmm its unfortunate that PF will not "lookup" the IP on-the-fly.
There would be a significant performance impact, as each and every test of such a rule would require either an /etc/hosts lookup or a DNS request.
Quote:
Would you be able to show a sample code for PF that would work for redirection using DNS Name (I will have to just reload my config if my IP changes.)
I have never used name resolution with PF, but according to pf.conf(5), host names may be used in tables or rules. Resolution is done at table load or ruleset load time. ":0" may be appended to a rule host name to limit the resolution to the first IPv4 or IPv6 address resolved, but, in tables, all resolved addresses for a hostname are added to the table.

In your first post, you said of your rdr rules:
Quote:
I have tried adding redirect rules for my internal interface but they do not seem to be working.
You don't say if there are syntax failures or other issues. If the rules load, you can use pfctl(8) with "-s <rule-section>" to see the various components of your resolved rule set.

Last edited by jggimi; 9th February 2009 at 08:09 PM. Reason: clarity
Reply With Quote
  #6   (View Single Post)  
Old 10th February 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Default

Hello again,

Thanks for the info.

With DNS I know I can manually enter the info there. However my issue is I have one domain name with multiple servers (IPs). I'd rather not have to do server1.domainname, server2.domainname...etc (these won't exist outside) as well I would prefer to filter based on port used.

Yes the rules do go through. I have not had a chance to test with pfctl -s yet.

Thanks for your help!
Reply With Quote
  #7   (View Single Post)  
Old 10th February 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

You shouldn't have to do a lot of labor. If I understand what you want to accomplish, all you need to do is Google for "split DNS" -- and look through some of the definitions and suggestions.
Reply With Quote
  #8   (View Single Post)  
Old 10th February 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Default

I took a look with pfctl -sn and I was able to see the rdr rules with the domain names translated into ip addresses.

I'm not sure what else I should check.
Reply With Quote
  #9   (View Single Post)  
Old 10th February 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

If you need to, you can do further confirmation. On your OpenBSD system, you can use tcpdump(8) to watch packets as they move in and out, and, if you were to set your rules to log traffic, you could also use tcpdump(8) with pflogd(8) and pflog(4). Your destination webservers may have tcpdump(8) or similar tools available.

The better performing solution would be to use split DNS; if you set up an "internal zone" DNS server, then you will not need to re-route all packets destined for internal addresses through your firewall, as this solution you're stuck on will do.
Reply With Quote
Old 10th February 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

Solutions for this issue are discussed in http://openbsd.org/faq/pf/rdr.html#reflect
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 12th February 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Default

Thanks for the link J65nko I suppose where it talks about RDR is why my RDR rules do not work.

I will play around and see if I can't get this going.

Thanks!
Reply With Quote
Old 12th February 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Some rdr rules *can* work; you just need to understand the limitations. And, as I did, it recommends split DNS.
Reply With Quote
Old 12th February 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Default

Hi jggimi,

Yes thank you also for your input.

I am not all that proficient with DNS and my DNS is not kept on BSD so I'm not sure how, if possible, it would be doable on Windows.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Routing internal requests to external IPs jdude FreeBSD General 1 9th July 2009 07:25 AM
Problem pinging internal nic JustDoIt OpenBSD General 16 19th August 2008 08:16 PM
fetchmail: POP3< -ERR internal server error graudeejs FreeBSD General 3 19th July 2008 02:02 PM
NIC with internal cable; how to remove? TerryP Off-Topic 9 14th July 2008 06:33 AM
2 external NIC + 1 internal NIC AlexV FreeBSD General 7 4th June 2008 08:18 AM


All times are GMT. The time now is 11:17 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick