6th May 2020
CiotBSD

pf-badhost

Hi, all.

@home, I manage a little server, on OpenBSD.

- 3 zones DNS, with nsd
- web service for one domain.

And to protect it a little, I attempt to use this project "pf-badhost".

No problem to install and configure.

But when I activate the rules for PF, I am surprised that dig requests are not possible.
(I added rules to exclude LAN subnets in the install file.)

----

Before activating PF rules:

Code:
$ dig @ns1.stephane-huc.net ebnh.fr.eu.org

; <<>> DiG 9.16.2-Debian <<>> @ns1.stephane-huc.net ebnh.fr.eu.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37696
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ebnh.fr.eu.org.			IN	A

;; ANSWER SECTION:
ebnh.fr.eu.org.		3600	IN	A	88.136.16.221

;; AUTHORITY SECTION:
ebnh.fr.eu.org.		3600	IN	NS	ns1.stephane-huc.net.
ebnh.fr.eu.org.		3600	IN	NS	ns2.he.net.
ebnh.fr.eu.org.		3600	IN	NS	ns3.he.net.
ebnh.fr.eu.org.		3600	IN	NS	ns4.he.net.
ebnh.fr.eu.org.		3600	IN	NS	ns5.he.net.

;; Query time: 4 msec
;; SERVER: 88.136.16.221#53(88.136.16.221)
;; WHEN: mer. mai 06 19:42:29 CEST 2020
;; MSG SIZE  rcvd: 168
After:
Code:
$ dig @ns1.stephane-huc.net ebnh.fr.eu.org

; <<>> DiG 9.16.2-Debian <<>> @ns1.stephane-huc.net ebnh.fr.eu.org
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached
----

My PF Rules:
Code:
# pfctl -sr
match log all scrub (no-df random-id min-ttl 64 reassemble tcp max-mss 1440)
block drop in on ! lo inet6 from ::1 to any
block drop in on ! lo inet from 127.0.0.0/8 to any
block drop in inet6 from ::1 to any
block drop in on lo0 inet6 from fe80::1 to any
block drop in inet from 127.0.0.1 to any
block drop in on ! egress inet6 from 2001:470:cc33::/64 to any
block drop in on ! egress inet from 192.168.***.0/24 to any
block drop in on re0 inet6 from fe80::261c:4ff:fe08:8c05 to any
block drop in inet6 from 2001:470:cc33::3 to any
block drop in inet from 192.168.88.3 to any
anchor "relayd/*" all
(...)
block return in quick on egress from <pfbadhost> to any
block return out quick on egress from any to <pfbadhost>
(...)
block return log all
pass out all flags S/SA keep state (if-bound)
# and, below all others in and out pass
(…)
----

If I write those rules after my pass in and pass out rules, as final rules, I can query again with dig!

----

Any idea?!
Last edited by CiotBSD; 7th May 2020 at 03:07 AM.
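The post turns on where the two `block ... quick ... <pfbadhost>` rules sit relative to the pass rules. The following is an added example (not code from the post or from the pf-badhost project) that models PF's matching semantics in a reduced form: rules are walked in order, the last matching rule wins, and a matching `quick` rule ends the walk at once. The table contents and the source addresses are constructed from documentation ranges; the nameserver address is the one shown in the dig output above. Interface (`egress`) and the `return` part of `block return` are not modelled.

```python
import ipaddress

# Constructed sample contents for the <pfbadhost> table (hypothetical
# documentation-range addresses; the real table is filled by pf-badhost).
BADHOST_TABLE = ["198.51.100.0/24", "203.0.113.7"]


def in_table(addr, table):
    """True if addr falls inside any prefix (or host) listed in table."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in table)


class Rule:
    """A stripped-down PF rule: action, direction, optional quick, and
    optional source/destination table constraints."""

    def __init__(self, name, action, direction, quick=False,
                 src_table=None, dst_table=None):
        self.name = name
        self.action = action          # "pass" or "block"
        self.direction = direction    # "in", "out" or "any"
        self.quick = quick
        self.src_table = src_table
        self.dst_table = dst_table

    def matches(self, pkt):
        if self.direction != "any" and self.direction != pkt["dir"]:
            return False
        if self.src_table is not None and not in_table(pkt["src"], self.src_table):
            return False
        if self.dst_table is not None and not in_table(pkt["dst"], self.dst_table):
            return False
        return True


def evaluate(rules, pkt):
    """Simplified PF matching: the LAST matching rule decides, except that
    a matching 'quick' rule ends evaluation immediately. When nothing
    matches, PF passes the packet. Returns (action, deciding rule name)."""
    decision = ("pass", "default")
    for rule in rules:
        if rule.matches(pkt):
            decision = (rule.action, rule.name)
            if rule.quick:
                break
    return decision


# The two placements described in the post, reduced to the rules that matter.
badhost_in = Rule("block in quick from <pfbadhost>", "block", "in",
                  quick=True, src_table=BADHOST_TABLE)
badhost_out = Rule("block out quick to <pfbadhost>", "block", "out",
                   quick=True, dst_table=BADHOST_TABLE)
block_all = Rule("block return log all", "block", "any")
pass_out = Rule("pass out all", "pass", "out")
pass_in = Rule("pass in (site rules)", "pass", "in")

RULES_AS_LISTED = [badhost_in, badhost_out, block_all, pass_out, pass_in]
RULES_MOVED_LAST = [block_all, pass_out, pass_in, badhost_in, badhost_out]


def dns_query(src):
    """Constructed inbound DNS query towards the nameserver from the post."""
    return {"dir": "in", "src": src, "dst": "88.136.16.221"}


def compare_placements(src):
    """Decision for the same packet under both rule orderings."""
    pkt = dns_query(src)
    return {"as_listed": evaluate(RULES_AS_LISTED, pkt),
            "moved_last": evaluate(RULES_MOVED_LAST, pkt)}


if __name__ == "__main__":
    for src in ("192.0.2.10", "203.0.113.7"):
        print(src, compare_placements(src))
```

Under this model a source that is not in the table passes in both placements and a source that is in the table is blocked in both, because `quick` decides regardless of where the rule sits. So if moving the rules really changes the outcome, the first things to check are what the table actually contains for the querying host (`pfctl -t pfbadhost -T test <address>`) and which rule is accumulating matches (`pfctl -v -s rules` shows per-rule counters).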