DaemonForums > OpenBSD > OpenBSD Security
#1
29th July 2019
calanon
Port Guard
 
Join Date: Jul 2019
Posts: 38

pf rules

I have the following rules.

Code:
### Packets from Internal Network ###

pass in on $intif inet proto icmp all icmp-type $icmp_types keep state
pass in on $intif proto tcp to $intif port $allowed_tcp_ports

pass in on $extif inet proto icmp all icmp-type $icmp_types keep state

pass proto tcp to any port $allowed_tcp_ports
pass inet proto icmp all icmp-type $icmp_types keep state
What I want to achieve is this:

intif is on the internal network and will be the gateway to get out of the network. So from inside the network I want to be able to ping, SSH and HTTPS to anything outside of the network via $extif. But I do not want anyone to be able to use the SSH and HTTPS ports from outside the network to the $extif.

client machine {ssh 192.168.0.50} >> gateway {10.10.10.10} >> forward to $extif >>> server {192.168.0.50 }
server {192.168.0.50 } ssh 10.10.10.10 >>> block ssh denied

What have I done wrong in my rules?
#2
29th July 2019
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

First, the last matching rule wins. Your last two rules override your first three rules.

Second, the directives in, out, and on are restrictions for rule matching, and may cause more problems than they solve.

Third, your examples are unclear. Both your client machine and your server machine have the same local IP address. Are they both devices on your local, internal network?

Last edited by jggimi; 29th July 2019 at 09:48 AM. Reason: typos
#3
29th July 2019
calanon
Port Guard
 
Join Date: Jul 2019
Posts: 38

Quote:
Originally Posted by calanon
client machine {ssh 192.168.0.50} >> gateway {10.10.10.10} >> forward to $extif >>> server {192.168.0.50 }
server {192.168.0.50 } ssh 10.10.10.10 >>> block ssh denied
Sorry if that looks strange. Here is a better version:

client machine-10.10.10.5 {ssh} >> gateway {10.10.10.10} >> forward to $extif >>> server {192.168.0.50 }
server {192.168.0.50 } ssh 10.10.10.10 >>> block ssh denied

I am assuming now that the first 3 rules are probably not even required, or are they?

I thought they were required to allow SSH to pass through $intif to $extif.
#4
29th July 2019
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

Because of the "last matching rule" logic, your PF ruleset should be ordered from the most general rule first to the most specific rule last.

Here's an example ruleset that might meet your use-case. The ICMP rule includes the inet directive, so that only IPv4 ICMP traffic is permitted to pass. The TCP rule does not require the inet directive, since it only matches traffic originating from a specific IPv4 subnet.
Code:
# block by default
block return log
#
# allow the preferred categories of IPv4 ICMP traffic:
pass log inet proto icmp icmp-type $icmp_types
#
# Allow the preferred types of IPv4 TCP traffic from the inner network:
pass log proto tcp from 10.10.10.0/24 to any port { $allowed_tcp_ports }
Your use-case does not account for domain name resolution. If you want to add the ability for the inner network to reach one or more external nameservers, add a rule such as:
Code:
pass log proto { udp tcp } from 10.10.10.0/24 to { $allowed_nameservers } port domain
Your use-case does not include traffic originating from the gateway itself.
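To make the "last matching rule wins" point from posts #2 and #4 concrete, here is an added Python model of pf's rule walk. It is not pf and is not code from anyone in this thread: it does not parse pf.conf, it ignores the ICMP rules and `keep state`, and it only models direction, interface, protocol, addresses and destination port. The gateway's inner address 10.10.10.10 and the remote server 192.168.0.50 come from the question; the gateway's outer address 203.0.113.10 is a constructed placeholder. It also shows `quick`, which the thread does not use, because it is the one keyword that changes pf from last-match to first-match.

```python
"""Toy model of pf rule evaluation (added example, not pf itself).

pf walks the whole ruleset and the LAST rule that matches decides the
verdict, unless a matching rule carries 'quick', which ends the walk at
once. If nothing matches, pf's default is to pass the packet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", as seen by the gateway
    iface: str       # "intif" or "extif"
    proto: str       # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: str = ANY
    iface: str = ANY
    proto: str = ANY
    src_net: str = ANY               # CIDR string
    dst_net: str = ANY               # CIDR string
    dports: frozenset = frozenset()  # empty means any destination port
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction not in (ANY, p.direction):
            return False
        if self.iface not in (ANY, p.iface):
            return False
        if self.proto not in (ANY, p.proto):
            return False
        if self.src_net is not ANY and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net is not ANY and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


def evaluate(rules, packet, default="pass"):
    """Verdict for one packet: last matching rule wins, 'quick' short-circuits."""
    winner = None
    for r in rules:
        if r.matches(packet):
            winner = r
            if r.quick:
                break
    return winner.action if winner else default


ALLOWED = frozenset({22, 443})
GW_INT = "10.10.10.10/32"     # gateway's intif address (from the question)
INNER = "10.10.10.0/24"       # inner network (from post #4)

# The original poster's TCP rules, reduced to what this model represents.
# 'to $intif' only matches traffic addressed to the gateway itself; the last
# rule matches SSH/HTTPS in any direction on any interface and so wins.
ORIGINAL = [
    Rule("pass", "in", "intif", "tcp", dst_net=GW_INT, dports=ALLOWED),
    Rule("pass", proto="tcp", dports=ALLOWED),
]

# Post #4's ordering: most general rule first, most specific last.
ORDERED = [
    Rule("block"),
    Rule("pass", proto="icmp"),
    Rule("pass", proto="tcp", src_net=INNER, dports=ALLOWED),
]

# The same policy written first-match style with 'quick'.
QUICK = [
    Rule("pass", proto="tcp", src_net=INNER, dports=ALLOWED, quick=True),
    Rule("block", quick=True),
]

# Constructed test packets: the two flows from the question.
INNER_SSH_OUT = Packet("in", "intif", "tcp", "10.10.10.5", "192.168.0.50", 22)
OUTER_SSH_IN = Packet("in", "extif", "tcp", "192.168.0.50", "203.0.113.10", 22)


def verdicts(rules):
    """Verdicts for both flows under a given ruleset."""
    return {
        "inner_to_server": evaluate(rules, INNER_SSH_OUT),
        "server_to_gateway": evaluate(rules, OUTER_SSH_IN),
    }


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("ordered", ORDERED), ("quick", QUICK)):
        print(name, verdicts(rules))
```

Under the original rules both flows pass, including SSH from the outside to the gateway, which is exactly the hole the question is about; under the ordered ruleset (and the `quick` variant) only the inner-to-server flow passes. On a real OpenBSD box the corresponding checks are `pfctl -nf /etc/pf.conf` to parse a ruleset without loading it and `pfctl -sr` to print the loaded rules in the order pf walks them.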