OpenBSD Security: Functionally paranoid!
Network isolation of process using rdomain rtable

Hello,

I started a topic on misc today, but maybe somebody here who is not subscribed to misc can help: https://marc.info/?i=xvwykxmpbmuapsqsujlt%20()%20xbzl

I would like to isolate a process using rtable/rdomain. By isolation I mean isolation from the network only. I would like to achieve that every packet which tries to go through egress goes through the pair1 interface, maybe the pair2 interface, and is then directed/redirected/nat-ed/forced (I don't know which word/action is appropriate) to arrive at port 9191 on the pair2 interface.

Now I have something that seems to work, but maybe there is something to improve? Maybe there is some error/fault on my side and it is going to leak some packets? I would like to prevent that. This is what I have now:

Code:
    cat /etc/hostname.pair*
    inet 172.10.0.1 255.255.255.0 172.10.0.255 rdomain 1 \
        description "An isolated Ethernet"
    inet 172.10.0.2 255.255.255.0 172.10.0.255

Code:
    ifconfig pair1 patch pair2

Code:
    route -T1 add default 172.10.0.2

Code:
    /usr/local/bin/sudo -u user /usr/bin/nc -4 -k -n -l 172.10.0.2 9191

Code:
    #!/bin/sh
    /usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
        -u user /usr/bin/nc -4 -n -v 172.10.0.2 9191

Code:
    #!/bin/sh
    /usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
        -u user /usr/bin/nc -4 -n -v 172.10.0.2 9192

Code:
    #!/bin/sh
    /usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
        -u user /usr/bin/nc -4 -n -v 212.191.227.88 80

Code:
    #cat pf.conf:
    pass in quick on pair2 inet proto tcp from pair1 \
        rdr-to pair2 port 9191 keep state (floating)
    pass in
    pass out

Code:
    #pfctl -sr
    pass in quick on pair2 inet proto tcp from 172.10.0.1 to any flags S/SA tag rdr_tor_tcp rdr-to 172.10.0.2 port 9191
    pass in all flags S/SA
    pass out all flags S/SA

Last edited by e1-531g; 15th February 2016 at 04:55 PM. Reason: typo
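An added check (example code, not the poster's setup or any OpenBSD tool) that replays the pfctl -sr rules quoted above against a few constructed flows arriving on pair2 from the isolated side, so one can see which flows the rdr-to rule actually covers. The destination 203.0.113.53 is a TEST-NET-3 documentation address used as a placeholder.

```python
# Added example, not the poster's code: a tiny matcher for the pfctl -sr rules
# quoted above. It models only direction/quick/on/proto/from/to/rdr-to and
# ignores flags and tag, so it is a reasoning aid, not a replacement for pf.

PFCTL_SR = """\
pass in quick on pair2 inet proto tcp from 172.10.0.1 to any flags S/SA tag rdr_tor_tcp rdr-to 172.10.0.2 port 9191
pass in all flags S/SA
pass out all flags S/SA
"""  # copied from the post; pfctl -sr prints one rule per line
KEYS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}

def parse_rule(line):
    """Reduce one pfctl -sr line to the criteria the matcher understands."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t,
         "iface": None, "proto": None, "src": "any", "dst": "any", "rdr": None}
    i = 2
    while i < len(t):
        if t[i] in KEYS:
            r[KEYS[t[i]]] = t[i + 1]; i += 2
        elif t[i] == "rdr-to":            # "rdr-to ADDR port N"
            r["rdr"] = (t[i + 1], int(t[i + 3])); i += 4
        else:                             # all, inet, flags S/SA, tag X
            i += 1
    return r

RULES = [parse_rule(l) for l in PFCTL_SR.splitlines()]

def evaluate(rules, flow):
    """pf semantics: last match wins unless a match is quick; no match = pass."""
    winner = None
    for r in rules:
        if (r["dir"] != flow["dir"] or r["iface"] not in (None, flow["iface"])
                or r["proto"] not in (None, flow["proto"])
                or r["src"] not in ("any", flow["src"])
                or r["dst"] not in ("any", flow["dst"])):
            continue
        winner = r
        if r["quick"]:
            break
    return ("pass", None) if winner is None else (winner["action"], winner["rdr"])

def check_flows():
    """Constructed flows as they arrive on pair2 after route -T1 sends them out pair1."""
    src = "172.10.0.1"   # pair1 address; 203.0.113.53 is a documentation address
    flows = {"tcp80": dict(dir="in", iface="pair2", proto="tcp", src=src, dst="212.191.227.88"),
             "udp53": dict(dir="in", iface="pair2", proto="udp", src=src, dst="203.0.113.53"),
             "icmp": dict(dir="in", iface="pair2", proto="icmp", src=src, dst="203.0.113.53")}
    return {name: evaluate(RULES, f) for name, f in flows.items()}
```

Only the TCP flow is rewritten to 172.10.0.2:9191; the UDP and ICMP flows from pair1 match only the catch-all `pass in`, so whether they then leave through egress depends on the host's net.inet.ip.forwarding setting rather than on these rules.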
Tags: isolation, prevent leak, rdomain, rtable, virtualized networking