DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 3 Weeks Ago
CiotBSD CiotBSD is offline
c107:b5d::
 
Join Date: Jun 2019
Location: Under /
Posts: 97
Default pf-badhost

Hi, all.

@home, I manage a little server, on OpenBSD.

- 3 zones DNS, with nsd
- web service for one domain.

And to protect a litlle I attempt to use this project "pf-badhost".

No problem to install, and configure.

But, When I active rules for PF, I surprise dig requests are not possible.
(I add rules to exclude LAN subnets on the file install)

----

Before, active PF rules;

Code:
$ dig @ns1.stephane-huc.net ebnh.fr.eu.org

; <<>> DiG 9.16.2-Debian <<>> @ns1.stephane-huc.net ebnh.fr.eu.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37696
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ebnh.fr.eu.org.			IN	A

;; ANSWER SECTION:
ebnh.fr.eu.org.		3600	IN	A	88.136.16.221

;; AUTHORITY SECTION:
ebnh.fr.eu.org.		3600	IN	NS	ns1.stephane-huc.net.
ebnh.fr.eu.org.		3600	IN	NS	ns2.he.net.
ebnh.fr.eu.org.		3600	IN	NS	ns3.he.net.
ebnh.fr.eu.org.		3600	IN	NS	ns4.he.net.
ebnh.fr.eu.org.		3600	IN	NS	ns5.he.net.

;; Query time: 4 msec
;; SERVER: 88.136.16.221#53(88.136.16.221)
;; WHEN: mer. mai 06 19:42:29 CEST 2020
;; MSG SIZE  rcvd: 168
After:
Code:
$ dig @ns1.stephane-huc.net ebnh.fr.eu.org

; <<>> DiG 9.16.2-Debian <<>> @ns1.stephane-huc.net ebnh.fr.eu.org
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached
----

My PF Rules:
Code:
# pfctl -sr
match log all scrub (no-df random-id min-ttl 64 reassemble tcp max-mss 1440)
block drop in on ! lo inet6 from ::1 to any
block drop in on ! lo inet from 127.0.0.0/8 to any
block drop in inet6 from ::1 to any
block drop in on lo0 inet6 from fe80::1 to any
block drop in inet from 127.0.0.1 to any
block drop in on ! egress inet6 from 2001:470:cc33::/64 to any
block drop in on ! egress inet from 192.168.***.0/24 to any
block drop in on re0 inet6 from fe80::261c:4ff:fe08:8c05 to any
block drop in inet6 from 2001:470:cc33::3 to any
block drop in inet from 192.168.88.3 to any
anchor "relayd/*" all
(...)
block return in quick on egress from <pfbadhost> to any
block return out quick on egress from any to <pfbadhost>
(...)
block return log all
pass out all flags S/SA keep state (if-bound)
# and, below all others in and out pass
(…)
----

If I wrote thoses rules after my pass in and pass out rules, as final rules, I can request again with dig!

----

Any idea?!
__________________
GPG:Fingerprint ed25519 : 072A 4DA2 8AFD 868D 74CF 9EA2 B85E 9ADA C377 5E8E
GPG:Fingerprint rsa4096 : 4E0D 4AF7 77F5 0FAE A35D 5B62 D0FF 7361 59BF 1733

Last edited by CiotBSD; 3 Weeks Ago at 03:07 AM.
Reply With Quote
  #2   (View Single Post)  
Old 3 Weeks Ago
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,974
Default

pf-badhost is not in the ports tree. For support, contact the developer directly. https://www.geoghegan.ca/contact.html
Reply With Quote
  #3   (View Single Post)  
Old 3 Weeks Ago
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,593
Default

pf uses a "last matching rule wins" strategy. You can circumvent this by either using the "quick" keyword or reorder your ruleset.
These blocking rules at the beginning of your ruleset can be overridden by later rules:
Code:
block drop in on ! lo inet6 from ::1 to any
block drop in on ! lo inet from 127.0.0.0/8 to any
block drop in inet6 from ::1 to any
block drop in on lo0 inet6 from fe80::1 to any
block drop in inet from 127.0.0.1 to any
block drop in on ! egress inet6 from 2001:470:cc33::/64 to any
block drop in on ! egress inet from 192.168.***.0/24 to any
block drop in on re0 inet6 from fe80::261c:4ff:fe08:8c05 to any
block drop in inet6 from 2001:470:cc33::3 to any
block drop in inet from 192.168.88.3 to any
A simple way to check whether any of these rules are preventing name lookup is to add the following macro:
Code:
LQ = "log quick"
block drop in $LQ on ! lo inet6 from ::1 to any
block drop in $LQ on ! lo inet from 127.0.0.0/8 to any
block drop in $LQ inet6 from ::1 to any
Repeat this for those other rules.

In a SSH session to your server run tcpdump(8) on the pflog0 interface.
Code:
# tcpdump -eni pflog0
Now run your dig command and if one of these rules blocks something it will end up on pflog0 and will be parsed and shown by tcpdump(8).
An example on my firewall:
Quote:
01:52:12.595180 rule 33/(match) block in on vr0: 192.168.2.254 > 224.0.0.1: igmp query (DF) [ttl 1]
After debugging you can simple redefine the LQ macro to either "quick" or nothing "".

BTW Usually blocking internal loopback traffic is a bad idea. That is why "set skip on lo0" exists
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #4   (View Single Post)  
Old 3 Weeks Ago
CiotBSD CiotBSD is offline
c107:b5d::
 
Join Date: Jun 2019
Location: Under /
Posts: 97
Default

In my first post, the view of rules is the result of `pfctl -sr`.

I will investigate as you recommand me @J65nko.

Actually, I put rules PF for pf-badhost at the final.

---

My writings PF:
Code:
auth_tcp_ports = "{ domain http 25 }"
auth_tcps_ports = "{ https smtp 587 }"
auth_udp_ports = "{ domain ntp mdns }"

dns_port = "domain"
ssh_port = "247"

host  = "192.168.***.3"
host6 = "2001:470:cc33::3"
ntwk  = "192.168.***.0/24"
ntwk6 = "2001:470:cc33::/64"

aoks = "allow-opts"
fks = "flags S/SA keep state"
fms = "flags S/SA modulate state"

icmp_auth   = "{ 8 11 12 }"
icmp_block  = "{ 4 6 15 16 17 18 31 32 33 34 35 36 37 38 39 }"
icmp6_auth  = "{ unreach, toobig, timex code 0, timex code 1, paramprob code 1, paramprob code 2, echoreq, routeradv, neighbrsol, neighbradv }"
icmp6_block = "{ 100 101 127 138 139 140 144 145 146 147 150 200 201 }"
icmp6_in    = "{ redir }"

icmp_sto = "(max-src-conn-rate 10/1)"
ssh_sto = "(max-src-conn 10, max-src-conn-rate 10/60, overload <t_abuse_ssh> flush global)"

table <abuse_ssh> counters persist
table <t_adm>  const { 192.168.***.1 192.168.***.47 192.168.***.147 }
table <t_adm6> const { fd**:c107:b5d:1::47 fd**:c107:b5d:1::147 }
table <auth_lan> const { 192.168.**.0/24 192.168.***.0/24 }
table <pfbadhost> persist file "/etc/pf-badhost.txt"

set block-policy return
set fingerprints "/etc/pf.os"
set loginterface egress
set optimization normal
set reassemble yes
set ruleset-optimization profile
set skip on lo
set state-policy if-bound
set timeout { tcp.established 600, tcp.closing 60 }

match log all scrub (max-mss 1440 min-ttl 64 no-df random-id reassemble tcp)

antispoof for egress

anchor "relayd/*"

block drop quick log on egress inet6 proto icmp6 icmp6-type $icmp6_block

block drop quick on egress inet proto icmp icmp-type 3 code 6
block drop in quick on egress inet proto icmp icmp-type 3 code 7
block drop quick on egress inet proto icmp icmp-type 3 code 8
block drop quick on egress inet proto icmp icmp-type $icmp_block

block drop in quick log on egress proto tcp from <abuse_ssh> to egress port 22    label "ssh brute"

block drop in quick on egress inet6 from { urpf-failed no-route } to any
block drop quick on egress inet6 from any to { no-route }

block drop in quick on egress inet from { urpf-failed no-route } to any
block drop quick on egress inet from any to { no-route }

block return in on ! lo0 proto tcp to port 6000:6010

block return out log proto {tcp udp} user _pbuild

block in log on egress inet proto { tcp udp } from any to ! egress port 53

block in log on egress proto tcp to egress port 11211

block log 
pass out

# in/out icmpv6
pass quick on egress inet6 proto icmp6 icmp6-type $icmp6_auth $aoks
pass in quick on egress inet6 proto icmp6 icmp6-type $icmp6_in $aoks
# in icmp 
pass in quick on egress inet proto icmp from any to egress icmp-type 3 code 3   $aoks $icmp_sto
pass in quick on egress inet proto icmp from any to egress icmp-type $icmp_auth $aoks $icmp_sto
# out icmp
pass out quick on egress inet proto icmp from egress to any icmp-type 3 code 3  $aoks $icmp_sto
pass out quick on egress inet proto icmp from egress to any icmp-type $icmp_auth $aoks $icmp_sto

# in admin hosts
pass in quick on egress inet  proto tcp from <t_adm>  to $host  $fms
pass in quick on egress inet6 proto tcp from <t_adm6> to $host6 $fms 
pass in quick log on egress inet  proto tcp from <t_adm>  to $host  port $ssh_port $fms
pass in quick log on egress inet6 proto tcp from <t_adm6> to $host6 port $ssh_port $fms 

# in 80
pass in quick log on egress inet  proto tcp to $host  port 80 $fms
pass in quick log on egress inet6 proto tcp to $host6 port 80 $fms

# in 50
pass in quick on egress proto tcp from any to { $host $host6 } port $dns_port $fms
pass in quick on egress proto udp from any to { $host $host6 } port $dns_port $aoks

# out 50
pass out on egress proto tcp from { $host $host6 } to any port $dns_port $fms
pass out on egress proto udp from { $host $host6 } to any port $dns_port $aoks

# out auth others port
pass out on egress proto tcp from egress to any port $auth_tcp_ports  $fms
pass out on egress proto tcp from egress to any port $auth_tcps_ports $fms 
pass out on egress proto udp from egress to any port $auth_udp_ports $aoks

block in quick on egress from <pfbadhost>
block out quick on egress to <pfbadhost>
__________________
GPG:Fingerprint ed25519 : 072A 4DA2 8AFD 868D 74CF 9EA2 B85E 9ADA C377 5E8E
GPG:Fingerprint rsa4096 : 4E0D 4AF7 77F5 0FAE A35D 5B62 D0FF 7361 59BF 1733
Reply With Quote
Reply

Tags
badhost, dig, pf

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 05:59 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick