DaemonForums > OpenBSD > OpenBSD Security
Thread: Two PF questions

#1
8th November 2009
sparker (New User; Join Date: Nov 2009; Posts: 4)

I have recently started to build a firewall for my home network using OpenBSD 4.6 and PF. However, PF is completely new to me. I have read through the PF user's guide and I'm still having trouble figuring a few things out. I have a network architecture as follows:

[ server server server ] ------- [Switch] -------- [OpenBSD] -------- [Internet]

I have configured the OpenBSD box to simply act as a transparent bridge. I have two network cards, fxp0 is the external card and vr0 is my internal card.

Basically what I would like to do is redirect incoming traffic from the internet to different servers. From what I have read the rdr macro doesn't seem to take an inbound or outbound parameter. So what rule would I use to forward all incoming traffic destined for port 80 to one of the servers?

Also, I would like to be able to log traffic intended for each server in a separate log file. I have already created three pflog interfaces but I don't quite understand how pflogd works. Am I able to use the single daemon to log everything to separate files, or do I need to run multiple instances of the daemon to achieve this?

#2
9th November 2009
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,128)

Have you seen the redirection examples in http://www.openbsd.dk/faq/pf/rdr.html ?
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#3
9th November 2009
sparker (New User; Join Date: Nov 2009; Posts: 4)

I have read through the redirection stuff in the user guide but it doesn't seem to work as intended. I have something like:

rdr on $int_if proto tcp from any to any port 80 -> $webserver

However, my internal and external interfaces are set up as a bridge and neither has been assigned an IP address. So I have already allowed all inbound and outbound traffic on the external interface and I'm doing all my filtering on the internal interface. Any idea what could be wrong here?

#4
9th November 2009
Carpetsmoker (Real Name: Martin; Tcpdump Spy; Join Date: Apr 2008; Location: Netherlands; Posts: 2,243)

Maybe it would be helpful if you would post your entire pf.conf.
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

#5
9th November 2009
s2scott (Package Pilot; Join Date: May 2008; Location: Toronto, Ontario Canada; Posts: 198)

Quote (originally posted by sparker):
rdr on $int_if proto tcp from any to any port 80 -> $webserver

rdr is a catch-and-pitch (receive on the outside and re-transmit on the inside); therefore it likely should be:

Code:
rdr on $ext_if proto tcp from any to ($ext_if:0) port 80 -> $webserver

This alone is insufficient.

Code:
#
rdr on $ext_if proto tcp \
 from any to ($ext_if:0) port 80 \
 tag MYPORT80 -> $webserver
#
pass in log quick on $ext_if inet proto TCP \
 tagged MYPORT80 synproxy state
#
pass out log quick on $int_if inet proto TCP \
 tagged MYPORT80 keep state
#
/S
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Last edited by s2scott; 9th November 2009 at 08:04 AM.

#6
9th November 2009
s2scott (Package Pilot; Join Date: May 2008; Location: Toronto, Ontario Canada; Posts: 198)

Also, in a {server server server} scenario, you may hit the limits of PF's layer 3 and layer 4 only facilities, especially in bridged mode.

If {server server server} is {web[80] email[25] ntp[123]}, then you're likely ok. If, however, it's one outside IP and {server server server} is {web-A[80] and web-B[80] and web-C[80]}, then you'll likely need to look at and use OpenBSD's relayd(8) in combination with PF.

/S

Last edited by s2scott; 9th November 2009 at 08:06 AM.
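Added example, not code from any post in this thread: a pf.conf fragment in OpenBSD 4.6 syntax that puts together the rdr-plus-tag pattern from post #5 with the per-server logging that post #1 asks about and no reply answers. The interface names fxp0 and vr0 come from post #1; the server addresses (documentation-range values), the macro names, the tag names and the pflog interface numbers are constructed for this example. The rules use keep state throughout, and the example does not address the bridged-mode limits s2scott raises in post #6.

```pf
# Added example for this thread, not from any of the posts. Interfaces as
# given in post #1; every address below is a constructed placeholder.
ext_if = "fxp0"          # faces the Internet
int_if = "vr0"           # faces the switch and the servers

# Constructed server addresses. The bridge itself has no address (post #3),
# so the destination is written out instead of using ($ext_if:0).
web_srv  = "192.0.2.10"
mail_srv = "192.0.2.20"
ntp_srv  = "192.0.2.30"

# Translation rules are applied to packets arriving ON the named interface.
# Traffic from the Internet arrives on $ext_if, which is why the rdr in
# post #3 (on $int_if) never matched. Tag the connection so the pass rules
# on both sides of the bridge can match it without repeating the match.
rdr on $ext_if proto tcp from any to any port 80 tag WEB -> $web_srv

# Default deny; blocked packets go to the default pflog0 interface.
block log all

# Inbound on the outside: one pass rule per server, each logging to its
# own pflog interface (create them with: ifconfig pflogN create).
pass in log (to pflog1) quick on $ext_if proto tcp tagged WEB keep state
pass in log (to pflog2) quick on $ext_if proto tcp from any to $mail_srv port 25 tag MAIL keep state
pass in log (to pflog3) quick on $ext_if proto udp from any to $ntp_srv port 123 tag NTP keep state

# Outbound on the inside: a bridged packet is filtered a second time when
# it leaves on $int_if, so pass only what was tagged on the way in. The
# tag survives the bridge hop, so the log interface stays per server.
pass out log (to pflog1) quick on $int_if proto tcp tagged WEB keep state
pass out log (to pflog2) quick on $int_if proto tcp tagged MAIL keep state
pass out log (to pflog3) quick on $int_if proto udp tagged NTP keep state
```

pflogd(8) reads a single pflog interface, so the answer to the "one daemon or several" question is one instance per interface, each with its own file: `pflogd -i pflog1 -f /var/log/pflog1`, and likewise for pflog2 and pflog3 (the stock pflogd started at boot keeps writing pflog0 to /var/log/pflog). Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and read a per-server file back with `tcpdump -n -e -ttt -r /var/log/pflog1`; the `-e` output shows which rule number and interface each logged packet matched, which is the quickest way to see whether the in and out rules for a tag are both firing.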