DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 5th January 2019
apfelgluck apfelgluck is offline
Port Guard
 
Join Date: Sep 2016
Location: France
Posts: 14
Default [pf or routing] No communication between networks

Hello,


I have an problem with my gateway : the hosts on WiFi network can not reach the hosts on LAN network and vice versa.
According to my pf rules, it should work.
Does any one hae an idea ?


Below is a diagram of my simple network.
Code:
               +-----+
               +WiFi +
               +--+--+
		  |
+--------+    +---+---+    +---+
+Internet+----+Gateway+----+LAN+
+--------+    +-------+    +---+
WiFi network is 192.168.2.0/24.
LAN network is 192.168.0.0/24.

On the gateway, the interfaces are :
- athn0 for the WiFi,
- em0 for Internet,
- em1 for the LAN.


I replaced the IP addresses and netword with value and the MAC addresses with mac.


The routing table :
Code:
root@145 [12:36:08]:~$ route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            value              UGS      737 1392467194     -   8 em0
224/4              127.0.0.1          URS        0      328 32768     8 lo0
value/23           value              UCn        1        0     -     4 em0
value              mac                UHLch      1     5171     -     3 em0
value              mac                UHLl       0   340127     -     1 em0
value              value              UHb        0        0     -     1 em0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       2     1938 32768     1 lo0
192.168.0/24       192.168.0.1        UCn        3    15944     -     4 em1
192.168.0.1        mac                UHLl       0   537223     -     1 em1
192.168.0.20       mac                UHLc       1  4024816     -     3 em1
192.168.0.30       mac                UHLc       1  2743949     -     3 em1
192.168.0.60       mac                UHLc       1 894938970     -    3 em1
192.168.0.255      192.168.0.1        UHb        0     1407     -     1 em1
192.168.2/24       192.168.2.1        UCn        0        5     -     8 athn0
192.168.2.1        mac                UHLl       0      648     -     1 athn0
192.168.2.255      192.168.2.1        UHb        0        0     -     1 athn0

Below is my pf ruleset.
Code:
#----------------------------
# Macros
#----------------------------


 EXT_IF="em0"
 LAN_IF="em1"
WIFI_IF="athn0"
LOOPBACK="lo"

 LAN="(em1:network)"
WIFI="(athn0:network)"

DOWNLOAD="176600K"
UPLOAD="9200K"

ICMP_TYPE="{ echoreq unreach }"

PORT_BITTORRENT="value"
PORT_FTP_PROXY="8021"
PORT_IN_SSH="value"
PORT_UNPRIV="1024:65535"

SERVER_DHCP="{ value value 255.255.255.255/32 }"
SERVER_P2P="192.168.0.60/32"
SERVER_SEEDBOX="value"


#----------------------------
# Tables
#----------------------------


table <ABUSIVE_IPv4> counters persist

# Last Updated : 2018-11-17
# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xml

table <MARTIANS> const counters persist { 0/8 10/8 100.64/10 127/8 169.254/16 172.16/12 192/24 192.0.0.0/29 192.0.0.8/32 192.0.0.170/32 192.0.0.171/32 192.0.2/24 192.88.99/24 192.168/16 198.18/15 198.51.100/24 203.0.113/24 240/4 }


#----------------------------
# Options
#----------------------------


set block-policy drop
set loginterface  $EXT_IF
set loginterface  $LAN_IF
set loginterface $WIFI_IF
set skip on $LOOPBACK


#----------------------------
# Scrub
#----------------------------


match all scrub (random-id reassemble tcp)


#----------------------------
# Quality of Service
#----------------------------


queue q_ext on $EXT_IF flows 1024 bandwidth $UPLOAD   max $UPLOAD   qlimit 1024 default
queue q_lan on $LAN_IF flows 1024 bandwidth $DOWNLOAD max $DOWNLOAD qlimit 1024 default


#----------------------------
# NAT & REDIRECTION
#----------------------------


anchor "ftp-proxy/*"

pass in quick on  $LAN_IF inet proto tcp from $LAN  to any port ftp divert-to 127.0.0.1 port $PORT_FTP_PROXY
pass in quick on $WIFI_IF inet proto tcp from $WIFI to any port ftp divert-to 127.0.0.1 port $PORT_FTP_PROXY

match out on $EXT_IF inet from !($EXT_IF) to any nat-to ($EXT_IF) port $PORT_UNPRIV

match in on $EXT_IF inet proto icmp from any to ($EXT_IF) rdr-to $SERVER_P2P
match in on $EXT_IF inet proto { tcp udp } from any to ($EXT_IF) port $PORT_BITTORRENT rdr-to $SERVER_P2P
match in on $EXT_IF inet proto tcp         from any to ($EXT_IF) port $PORT_IN_SSH     rdr-to $SERVER_P2P port ssh


#----------------------------
# Filtering
#----------------------------


# Gateway DHCP & IGMP
pass out quick on $EXT_IF inet proto udp from ($EXT_IF) port bootpc to $SERVER_DHCP port bootps
block    quick on $EXT_IF inet proto igmp


# Bad packets
block all
block quick inet6
block quick from <ABUSIVE_IPv4>
antispoof quick for { $EXT_IF $LAN_IF $WIFI_IF } inet
block out quick on $EXT_IF inet from any to { <MARTIANS> }
block in  quick on $EXT_IF inet from        { <MARTIANS> no-route urpf-failed } to any


# Gateway -> LAN
pass out on $LAN_IF inet proto icmp from ($LAN_IF) to $LAN icmp-type $ICMP_TYPE
pass out on $LAN_IF inet proto udp  from ($LAN_IF) port $PORT_UNPRIV to $LAN port 33433 >< 33626


# Gateway -> WiFi
pass out on $WIFI_IF inet proto icmp from ($WIFI_IF) to $WIFI icmp-type $ICMP_TYPE
pass out on $WIFI_IF inet proto udp  from ($WIFI_IF) port $PORT_UNPRIV to $WIFI port 33433 >< 33626


# LAN -> Gateway
pass in on $LAN_IF inet proto { tcp udp } from $LAN port $PORT_UNPRIV to ($LAN_IF) port domain
pass in on $LAN_IF inet proto icmp from $LAN to ($LAN_IF) icmp-type $ICMP_TYPE
pass in on $LAN_IF inet proto udp from $LAN port { ntp $PORT_UNPRIV } to ($LAN_IF) port ntp
pass in on $LAN_IF inet proto tcp from $LAN port $PORT_UNPRIV to ($LAN_IF) port ssh
pass in on $LAN_IF inet proto udp from $LAN port $PORT_UNPRIV to ($LAN_IF) port 33433 >< 33626


# LAN -> WiFi
pass in on $LAN_IF inet proto icmp from $LAN to $WIFI icmp-type $ICMP_TYPE tag LAN_WIFI
pass in on $LAN_IF inet proto tcp  from $LAN port $PORT_UNPRIV to $WIFI port ssh tag LAN_WIFI
pass in on $LAN_IF inet proto udp  from $LAN port $PORT_UNPRIV to $WIFI port 33433 >< 33626 tag LAN_WIFI


# LAN -> Internet
pass in on $LAN_IF inet proto icmp from $LAN icmp-type $ICMP_TYPE tag LAN_INTERNET
pass in on $LAN_IF inet proto tcp  from $LAN port $PORT_UNPRIV to any port { http https smtp } tag LAN_INTERNET
pass in on $LAN_IF inet proto tcp  from $LAN port $PORT_UNPRIV to $SERVER_SEEDBOX port ssh     tag LAN_INTERNET
pass in on $LAN_IF inet proto udp  from $LAN port $PORT_UNPRIV to any port 33433 >< 33626      tag LAN_INTERNET


# WiFi -> Gateway
pass in on $WIFI_IF inet proto udp from { $WIFI 0.0.0.0/32 } port bootpc to { ($WIFI_IF) 192.168.2.255/32 255.255.255.255/32 } port bootps
pass in on $WIFI_IF inet proto { tcp udp } from $WIFI port $PORT_UNPRIV to ($WIFI_IF) port domain
pass in on $WIFI_IF inet proto icmp from $WIFI to ($WIFI_IF) icmp-type $ICMP_TYPE
pass in on $WIFI_IF inet proto udp from $WIFI port { ntp $PORT_UNPRIV } to ($WIFI_IF) port ntp
pass in on $WIFI_IF inet proto udp from $WIFI port $PORT_UNPRIV to ($WIFI_IF) port 33433 >< 33626


# WiFi -> LAN
pass in on $WIFI_IF inet proto icmp from $WIFI to $LAN icmp-type $ICMP_TYPE tag WIFI_LAN
pass in on $WIFI_IF inet proto udp  from $WIFI port $PORT_UNPRIV to $LAN port 33433 >< 33626 tag WIFI_LAN


# WiFi -> Internet
pass in on $WIFI_IF inet proto icmp from $WIFI icmp-type $ICMP_TYPE tag WIFI_INTERNET
pass in on $WIFI_IF inet proto tcp  from $WIFI port $PORT_UNPRIV to any port { http https } tag WIFI_INTERNET
pass in on $WIFI_IF inet proto udp  from $WIFI port $PORT_UNPRIV to any port 33433 >< 33626 tag WIFI_INTERNET


# BitTorrent (from SERVER_P2P -> Internet)
pass in on $LAN_IF inet proto tcp from $SERVER_P2P port $PORT_UNPRIV to any port $PORT_UNPRIV tag LAN_INTERNET
pass in on $LAN_IF inet proto udp from $SERVER_P2P port $PORT_UNPRIV to any port { http $PORT_UNPRIV } tag LAN_INTERNET
pass in on $EXT_IF inet proto icmp from any to $SERVER_P2P icmp-type $ICMP_TYPE tag INTERNET_LAN
pass in on $EXT_IF inet proto { tcp udp } from any port $PORT_UNPRIV to $SERVER_P2P port $PORT_BITTORRENT tag INTERNET_LAN
pass in on $EXT_IF inet proto tcp from any port $PORT_UNPRIV to $SERVER_P2P port ssh modulate state (max-src-conn 5, max-src-conn-rate 5/1, overload <ABUSIVE_IPv4> flush global) tag INTERNET_LAN


# Game & VoIP
anchor game in on $LAN_IF inet proto { tcp udp } from $LAN port $PORT_UNPRIV to any
load anchor game from "/root/pf.game.conf"


# Gateway -> Internet
pass out on $EXT_IF inet proto { tcp udp } from ($EXT_IF) port $PORT_UNPRIV to any port domain
pass out on $EXT_IF inet proto icmp from ($EXT_IF) icmp-type $ICMP_TYPE
pass out on $EXT_IF inet proto tcp from ($EXT_IF) port $PORT_UNPRIV to any port { http https smtp }
pass out on $EXT_IF inet proto udp from ($EXT_IF) port $PORT_UNPRIV to any port ntp
pass out on $EXT_IF inet proto tcp from ($EXT_IF) port $PORT_UNPRIV to any port ftp tag  LAN_INTERNET
pass out on $EXT_IF inet proto tcp from ($EXT_IF) port $PORT_UNPRIV to any port ftp tag WIFI_INTERNET
pass out on $EXT_IF inet proto udp from ($EXT_IF) port $PORT_UNPRIV to any port 33433 >< 33626


# Policies
pass out on $WIFI_IF modulate state tagged  LAN_WIFI
pass out on  $EXT_IF modulate state tagged  LAN_INTERNET
pass out on  $EXT_IF modulate state tagged WIFI_INTERNET
pass out on  $LAN_IF modulate state tagged INTERNET_LAN
pass out on  $LAN_IF modulate state tagged     WIFI_LAN


#----------------------------
# End of file
#----------------------------
Thanks for your advices.
Reply With Quote
  #2   (View Single Post)  
Old 5th January 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Your list of destination ports to pass might be too restrictive. For example:
Code:
# WiFi -> LAN
pass in on $WIFI_IF inet proto icmp from $WIFI to $LAN icmp-type $ICMP_TYPE tag WIFI_LAN
pass in on $WIFI_IF inet proto udp  from $WIFI port $PORT_UNPRIV to $LAN port 33433 >< 33626 tag WIFI_LAN
Whether or not this is the problem, if you add the log option to your block rules, you should be able to determine why your desired traffic is not matching your pass rules by using tcpdump(8) with pflog(4).
Reply With Quote
  #3   (View Single Post)  
Old 5th January 2019
apfelgluck apfelgluck is offline
Port Guard
 
Join Date: Sep 2016
Location: France
Posts: 14
Default

Problem solved.

I forgot the pf principle of the last matching rule.

It does now work fine after moving :
- the section LAN -> WiFi after LAN -> Internet,
- the section WiFi -> LAN after the section WiFi -> Internet.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Kazakhstan is going to MitM all TLS-encrypted communication e1-531g News 0 9th January 2016 10:49 PM
Security Specialists Oppose Access to Encrypted Communication ocicat News 0 7th July 2015 04:12 PM
capture serial communication with socat darktrym NetBSD General 3 10th January 2015 10:50 PM
pf interfering with local lan peer communication tomp OpenBSD Security 3 2nd September 2011 09:12 PM
Communication with su failed amandus OpenBSD Packages and Ports 7 17th July 2008 07:17 AM


All times are GMT. The time now is 01:58 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick