#1
30th March 2009
Quaxo (Port Guard, joined Jun 2008, 29 posts)

A PF packet tagging (policy filtering) question...

Hello

I'm experimenting with the rules for packet tagging, but when I check the syntax of the rules I get errors...

Code:
/# pfctl -n -f /etc/pf.conf.test
/etc/pf.conf.test:102: syntax error
/etc/pf.conf.test:105: syntax error
/etc/pf.conf.test:108: syntax error
These lines correspond to my packet tagging experiment rules in the file /etc/pf.conf.test ...

Code:
# Tag roper -> inet
block out on $ext_if from $my_ip tag ROPER_to_INET # line 99

# Allow roper -> inet DNS
pass quick tagged ROPER_to_INET proto udp to $dns_ip port domain  # line 102

# Allow roper -> inet NTP
pass quick tagged ROPER_to_INET proto udp to $ntp_ip port ntp # line 105

# Allow roper -> inet pkg_add
pass quick tagged ROPER_to_INET proto tcp to $pkg_ip # line 108
"roper" is the router/firewall. "inet" is the internet. The idea here is to tag all packets that originate from Roper and are destined for the internet (i.e. line 99), then have "secondary rules" that decide which of those tagged packets are allowed to pass out to the internet (i.e. lines 102, 105 and 108). Can anyone see why I get syntax errors here?


Thanks in advance
/Quaxo
#2
30th March 2009
Quaxo (Port Guard, joined Jun 2008, 29 posts)
...never mind. I found the problem!

The correct rules have "tagged" at the end of the line:

Code:
# Tag roper -> inet
block out on $ext_if from $my_ip tag ROPER_to_INET

# Allow roper -> inet DNS
pass quick proto udp to $dns_ip port domain tagged ROPER_to_INET

# Allow roper -> inet NTP
pass quick proto udp to $ntp_ip port ntp tagged ROPER_to_INET

# Allow roper -> inet pkg_add
pass quick proto tcp to $pkg_ip tagged ROPER_to_INET
By the way... is it a bad idea to go with policy-based rules instead of "the normal way"? It looks like few users write their rules as policies, so perhaps I'm wasting my time trying it out.


/Quaxo
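The syntax error in the first post comes from rule grammar: in pf.conf(5), tagged (like tag, flags or keep state) is a filter option, and filter options come after the protocol and host part of a rule, which is why moving tagged to the end fixes it. Below is a complete, self-contained ruleset in the same "tag first, decide later" style, added here as an illustration; it is not Quaxo's actual /etc/pf.conf.test. The interface name and addresses are placeholders, the rules carry an explicit out direction, and pkg_add is assumed to fetch over plain HTTP; a final logging block rule is added so that tagged traffic that matched no policy exception shows up on pflog0 instead of disappearing silently.

```pf
# Added example, not the poster's file. Interface and addresses are placeholders.
ext_if = "em0"
my_ip  = "192.0.2.10"
dns_ip = "192.0.2.53"
ntp_ip = "192.0.2.123"
pkg_ip = "192.0.2.80"

# Default deny; everything below is an explicit exception.
block all

# Step 1 - classify. Everything the firewall itself sends out the external
# interface gets the tag. This block rule has no "quick", so evaluation
# continues and a later rule may still pass the packet; the tag survives.
block out on $ext_if from $my_ip tag ROPER_to_INET

# Step 2 - decide per service. "tagged" is a filter option and therefore
# follows the proto/host part of the rule. "quick" stops at the first match,
# so each allowed service is settled here.
pass out quick proto udp to $dns_ip port domain tagged ROPER_to_INET
pass out quick proto udp to $ntp_ip port ntp    tagged ROPER_to_INET
pass out quick proto tcp to $pkg_ip port http   tagged ROPER_to_INET   # assumed HTTP mirror

# Step 3 - catch the rest. Tagged packets that matched no exception above are
# already blocked by the tag rule; repeating the block with "log" makes every
# policy gap visible on pflog0 rather than failing silently.
block out log on $ext_if tagged ROPER_to_INET
```

Check the file the same way the post does, with pfctl -n -f /etc/pf.conf.test before loading it; once loaded, pfctl -s rules prints the tag and tagged options so you can confirm they parsed where you expected, and tcpdump -n -e -ttt -i pflog0 shows which outbound traffic from the firewall is being dropped by the final catch-all, which is the quickest way to find a service you forgot to add a policy rule for.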
#3
30th March 2009
jggimi (More noise than signal, joined May 2008, USA, 7,975 posts)
The intent is to make your ruleset easier to manage, and easier to understand. I don't use them, only because my rulesets predate the feature. Otherwise, I'd have investigated them in detail.