DaemonForums > OpenBSD > OpenBSD Security

#1
Old 2nd February 2014
roggy roggy is offline
Port Guard
 
Join Date: Nov 2013
Posts: 41
Open 5.4 change rule to rdr

I'm struggling to apply an exception to a redirection in PF with OpenBSD 5.4.
As the syntax has changed, I'm still picking it up.

I have the following rule in previous versions:
no rdr on $int_local proto tcp from <adm> to any port { 80 443 }

With the version of PF in OpenBSD 5.4 I tried:
no pass in on $int_local proto tcp from <adm> to any port { 80 443 }

but it did not work.
Does anyone know what the syntax is now?

Thanks!
#2
Old 2nd February 2014
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

Hello, once again. As I answered when you asked this same question in December, there is no longer a direct equivalent to no rdr. As you have discovered, no pass is not part of the language of PF.

I will try once again to explain how to manage exceptions to rdr-to rules, and to be more clear, if I can:
  1. Write your pass rule with rdr-to to be the common, general case.
  2. Write a second, narrow pass rule without rdr-to for traffic you wished excluded from redirection.
If this is still not clear to you, please, post your pf.conf file and tell us exactly what services you want redirected, and which you want excluded from redirection, so that we can provide specific guidance for your environment.



All we have from you is your single no rdr rule from your pre-4.7 system, and that is insufficient information to help you further, if these instructions are still unclear to you.
#3
Old 3rd February 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

Although it deals with no nat, you could have a look at http://daemonforums.org/showthread.php?t=5851
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#4
Old 27th June 2014
roggy roggy is offline
Port Guard
 
Join Date: Nov 2013
Posts: 41

I already tried rdr-to anyway with version 5.4 of PF, but it is not working.
I read the documentation and tried several ways, but could not get it to work.
I wish someone would analyze my pf.conf below to find out where I am going wrong.
Code:
srv01_int = 192.168.42.11
srv02_int = 192.168.42.12
srv02_ext = 200.200.200.10
srv03_ext = 200.200.200.13
srv04_int = 192.168.42.13
host_fw = 200.200.200.2

# BINAT
match on $ext_if from $srv02_int to any binat-to $srv02_ext
pass on $ext_if from $srv02_int to any binat-to $srv02_ext

# NAT
match out on $ext_if from $srv01 to any nat-to $host_fw
pass out on $ext_if from $srv01 to any nat-to $host_fw

# RDR
pass in on $ext_if proto udp from any to $srv03_ext port 59925 rdr-to $srv04_int port 59925 
pass in on $ext_if proto tcp from any to $srv03_ext port 80 rdr-to $srv04_int port 80

# Deny Policy
block in log all
block out log all

# Traffic Loopback
pass in quick on lo0 all
pass out quick on lo0 all

# Anchor FTP
anchor "ftp-proxy/*"

# Rules srv01
pass log quick from $srv01_int to any keep state

# Rules srv04
pass log quick proto tcp from any to $srv04_int port { 80 59925 } keep state
Thanks!

Last edited by ocicat; 27th June 2014 at 11:16 PM. Reason: Please use [code] & [/code] tags when posting configuration file contents.
#5
Old 27th June 2014
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

  1. The last rule that matches will be in effect. Your two block all rules:
    Code:
    # Deny Policy
    block in log all
    block out log all
    are after 4 of your pass rules: your binat pass, your nat pass, and your 2 rdr pass rules. These rules will never be used.
  2. These rules work, but they can be replaced with set skip on lo0:
    Code:
    # Traffic Loopback
    pass in quick on lo0 all
    pass out quick on lo0 all
I cannot determine from your configuration file what traffic you do not want redirected. For lack of information, let us pretend, for a moment, that your original request at the top of this thread was in reference to this particular rule:
Code:
pass in on $ext_if proto tcp from any to $srv03_ext port 80 rdr-to $srv04_int port 80
Now that rule will never be applied, per your error above. But, if you move your default deny above it, it can then redirect traffic from any IP address. Let us also pretend that you have a table called <adm> that you do not want to redirect to $srv04_int port 80. Add a second rule, after this first rule:
Code:
pass in on $ext_if proto tcp from <adm> to $srv03_ext port 80
Is this clear? The first rule is the general case. The second rule is the narrower case, and the last matching rule applies. For addresses in the <adm> table, rdr-to will not apply.
#6
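The reordering jggimi describes, written out as an added example (not code from either poster): roggy's fragment with the default deny moved to the top, set skip on lo0 in place of the two loopback rules, and a narrower rule without rdr-to for a hypothetical <adm> table. The ext_if value, the <adm> members and the srv01_int macro name are assumptions.

```pf
# Assumed macros: the posted pf.conf never defined ext_if or srv01
ext_if    = "em0"
srv01_int = 192.168.42.11
srv02_int = 192.168.42.12
srv02_ext = 200.200.200.10
srv03_ext = 200.200.200.13
srv04_int = 192.168.42.13
host_fw   = 200.200.200.2

# Hypothetical admin hosts that must reach srv03_ext:80 without redirection
table <adm> { 192.168.42.50, 192.168.42.51 }

# Replaces "pass in/out quick on lo0 all"
set skip on lo0

# Default deny comes FIRST. PF applies the last matching rule (unless a rule
# says quick), so a pass rule listed later overrides these for the traffic
# it matches; listed the other way round, these would override the pass rules.
block in log all
block out log all

anchor "ftp-proxy/*"

# Outbound NAT for srv01
pass out on $ext_if inet from $srv01_int to any nat-to $host_fw

# Bidirectional 1:1 mapping for srv02
pass on $ext_if inet from $srv02_int to any binat-to $srv02_ext

# General case: redirect the public srv03_ext service ports to srv04_int
pass in on $ext_if inet proto udp from any to $srv03_ext port 59925 rdr-to $srv04_int port 59925
pass in on $ext_if inet proto tcp from any to $srv03_ext port 80 rdr-to $srv04_int port 80

# Exception: narrower rule, listed later, with no rdr-to. For sources in
# <adm> it is the last match, so their connections reach srv03_ext itself.
pass in on $ext_if inet proto tcp from <adm> to $srv03_ext port 80

# Internal policy, unchanged from the posted file
pass log quick from $srv01_int to any keep state
pass log quick proto tcp from any to $srv04_int port { 80 59925 } keep state
```

Check it with pfctl -nf /etc/pf.conf (parse only, nothing loaded), then confirm with pfctl -sr that the block rules print before the pass rules and the <adm> rule prints after the rdr-to rule.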
Old 30th June 2014
roggy roggy is offline
Port Guard
 
Join Date: Nov 2013
Posts: 41

Hi jggimi,
Thanks for the reply.
From what I saw, my rules are not working due to the error in positioning the default policy, which is block.
I'll change the file and test again.
I'll post the result here.