DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 8th November 2013
esilvaz1101 esilvaz1101 is offline
New User
 
Join Date: Nov 2013
Location: san antonio, TX
Posts: 7
Default Help with PF for openbsd 5.1

I want to build a PF for 1 network card to all SSH, PHP, Apache, SQL also log files for attempted attacks. can anyone help?

I'm not good with PF yet.
Reply With Quote
  #2   (View Single Post)  
Old 8th November 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Hello, and welcome!

5.1 is no longer supported. The OpenBSD Project only supports a release for a single year, as there are two releases annually and they only support the most recent two releases, which today are 5.4 and 5.3. Please consider upgrading.

PF operates within the kernel and does not not filter at the application layer, only by IP protocol.
  • It does not "know" about the SSH application, it knows only about the TCP protocol and destination port 22.
  • It does not know about PHP or your Apache webserver. It knows only about the TCP protocol and destination port 80.
However, if PF is running on the same system as an application, the applications may be identified by user or group. Here's the definition for user:
Code:
     user <user>
             This rule only applies to packets of sockets owned by the
             specified user.  For outgoing connections initiated from the
             firewall, this is the user that opened the connection.  For
             incoming connections to the firewall itself, this is the user
             that listens on the destination port....
Note that in most cases, PHP applications communicate through the webserver, so you will not be able to separate PHP communication out through this method. If you are using PHP via a separate application, such as php-fpm (a FastCGI option), you may be able to separate out its functionality this way. That said, I use php-fpm with the nginx(8) webserver, and they both run as user www on my systems.

Edited to add:
--------------

Thinking about the separate PHP process -- even though I use php-fpm for PHP, I would not be able to filter this traffic with PF. All of the protocol headers that PF could inspect are identical for all traffic.

Last edited by jggimi; 8th November 2013 at 02:47 PM.
Reply With Quote
  #3   (View Single Post)  
Old 8th November 2013
esilvaz1101 esilvaz1101 is offline
New User
 
Join Date: Nov 2013
Location: san antonio, TX
Posts: 7
Default

Quote:
Originally Posted by esilvaz1101 View Post
I want to build a PF for 1 network card to all SSH, PHP, Apache, SQL also log files for attempted attacks. can anyone help?

I'm not good with PF yet.
Sorry I just installed OpendBSD 5.3
here is what I created can you look and tell me if its ok

Code:
## our interface ##
ext_if="vr0"
## Private network IP goes in the EXT_IP
EXT_IP 172.22.106.146
 

# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all


## do not block mysqld on ##
mysqld_ip="{ !172.22.106.146 }"
 
## Block everything for tcp port number 3306 except $mysqld_ip  ###
block in on $ext_if proto tcp from any to  $mysqld_ip port 3306

## apache rules need the ip address###
pass in on $ext_if proto tcp from any to 172.22.106.146 port 80 flags S/SA synproxy state

##also ssh port22/tcp, auth 22/tcp, ICMP pings####

# Default TCP policy
block return-rst in log on $ext_if proto TCP all
   pass in log quick on $ext_if proto TCP from any to $EXT_IP port 22 flags $SYN_ONLY keep state
   pass in log quick on $ext_if proto TCP from any to $EXT_IP port 113 flags $SYN_ONLY keep state

# Default UDP policy
block in log on $ext_if proto udp all
   # It's rare to be hosting a service that requires UDP (unless you are hosting 
   # a dns server for example), so there typically won't be any entries here.

# Default ICMP policy
block in log on $ext_if proto icmp all
   pass in log quick on $ext_if proto icmp from any to $EXT_IP echoreq keep state

block out log on $ext_if all
   pass out log quick on $ext_if from $EXT_IP to any keep state

# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all

Last edited by esilvaz1101; 8th November 2013 at 04:21 PM. Reason: error
Reply With Quote
  #4   (View Single Post)  
Old 8th November 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

OK. The following recommendations are without testing your configuration, just from walking through them.

  • I see two rules that I am sure will NOT work as you intended
  • I see a rule which negates all of the previous rules, rendering this configuration unworkable
  • I see a mix of policy, macro, and option settings within your filtering rules. I recommend moving all of those to the top of your configuration, ahead of your filter rules, for clarity.
  • Unless you have a specific requirement, I recommend avoid using flags to filter; you might either negate stateful processing which can affect performance, or you might cause a rule to be improperly skipped or applied, which would be an operational problem.
Of special note:
  • In PF, unless the quick option is used, the last matching rule will be applied. When you do not use quick, your general rules need to be at the top of the filter list, your specific rules underneath them.
Now for your ruleset:
  1. Your $mysqld_ip macro is a list which cotains a single IP address fronted by exclamation point. As defined, this is "all IP addresses except this one address." And this one address appears to be the address assigned to this single server. Your filter rule that uses this list will never match any traffic, as it states, "block all incoming tcp traffic from anywhere headed to anywhere for destination port 3306, except for traffic destined to the IP address for this computer." Except, this is a terminal server so there will only be traffic destined for this server, and you have no pass rules for this port in your ruleset. I believe your intent was:

    block all
    pass in from any to $EXT_IP port 3306
  2. Your rule to pass HTTP traffic to destination port 80 uses the IP address instead of the $EXT_IP macro. If your address changes, you will need to change it in multiple rules, instead of just at the top of your configuration. It also uses flags with synproxy state, and I recommend you avoid flags -- in this case, you are asking PF to manage the TCP handshake to avoid SYN flooding but you may be limiting its capabilities with flag settings.
  3. You have two rules that have flag settings which refer to an undefined $SYN_ONLY macro.
  4. You have a general block on all outbound traffic well beneath more specific rules, and if it were ever matched could block outbound traffic that must flow in order to establish state for earlier pass rules. As you already have a block all as your starting rule, this rule is unnecessary, and immediately followed by a general pass rule which renders it useless, at the moment. I'm warning you about it because if your ruleset changes, this could suddenly match and cause unintended blocks.
  5. Your pass rules for loopback could be replaced with a set skip option rule. I recommned using it, and recommend putting this in an options section above your filter rules, with your other options, macros, and general settings.

Last edited by jggimi; 8th November 2013 at 05:24 PM. Reason: improved clarity
Reply With Quote
  #5   (View Single Post)  
Old 8th November 2013
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Welcome!

I would recommend three sources to increase your understanding of pf(8):Although pf(8) has stabilized over the last few releases of OpenBSD, pf(8) has undergone radical changes over the years. If you have cobbled together the above rule set from information found on the Internet, you may be basing work on outdated material. When it comes to OpenBSD, staying with officially sanctioned information is always the best strategy.

Last edited by ocicat; 8th November 2013 at 06:39 PM. Reason: spelling
Reply With Quote
  #6   (View Single Post)  
Old 8th November 2013
esilvaz1101 esilvaz1101 is offline
New User
 
Join Date: Nov 2013
Location: san antonio, TX
Posts: 7
Default

Ok does this look better? this is for a class project and want to do this at home, my professor just told me to try to build a PF
Code:
## our interface ##
ext_if="vr0"
## Private network IP goes in the EXT_IP
EXT_IP 172.22.106.146
 

# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all


## do not block mysqld on ##
mysqld_ip="{ !172.22.106.146 }"
 
## Block everything for tcp port number 3306 except $mysqld_ip  ###
block all 
 pass in from any to $EXT_IP port 3306

## apache rules need the ip address###
pass in on $ext_if proto tcp from any to 172.22.106.146 port 80 flags S/SA synproxy state

##also ssh port22/tcp, auth 22/tcp, ICMP pings####

# Default TCP policy
block return-rst in log on $ext_if proto TCP all
   pass in log quick on $ext_if proto TCP  port 22 
   pass in log quick on $ext_if proto TCP  port 113

# Default UDP policy
block in log on $ext_if proto udp all


# Allow the local interface to talk unrestricted
pass in quick on lo0 all
pass out quick on lo0 all

Last edited by esilvaz1101; 8th November 2013 at 05:50 PM. Reason: errors
Reply With Quote
  #7   (View Single Post)  
Old 8th November 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

I would not use your updated configuration, as it still does has things I dislike as an administrator. It still has syntax errors, such as a missing "=" in a macro definition, and missing proto tcp when port numbers are referenced.

But more important than transcription errors, you are still intermixing policy settings and macros with your pass/block filter rules. While allowed by the configuration grammar, this is something I would never do. Humans must manage and maintain these configurations. Please don't do this. Your professor can contact me if he or she takes issue with a configuration that is structured with policy settings, macro assignments, and general settings at the top, then is followed by general filtration rules, then specific rules.

Here is how I might define a terminal server PF configuration, where I block all but inbound traffic to TCP ports 22, 80, 113, and 3306. This is based on your application set you have defined in this thread, and based on the policy settings you have attempted in your sample configurations. Note that I do not reference your interface, nor your IP address. You have only one NIC, so the rules "from any to any" will appy to everything that crosses the NIC. I have also used symbolic names for the destination port numbers, these are pre-defined in /etc/services.
Code:
### General information
#
# This configuration is for a terminal server with a single NIC.  It blocks by
# by default, and passes inbound stateful traffic for SSH, web, auth, and SQL inbound

### policy section ###
#

# return TCP RST or ICMP UNREACHABLE for blocked traffic:
set block-policy return

# do not filter loopback traffic:
set skip lo0

### filter rules ###
#

# block by default:
block all

# pass stateful traffic for four applications on this terminal server:
pass in proto tcp from any to any port {ssh, www, auth, mysql}

Last edited by jggimi; 8th November 2013 at 06:55 PM. Reason: typo
Reply With Quote
  #8   (View Single Post)  
Old 8th November 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

To be clear, by "terminal server" I mean a server that is the end point for client/server comunication, I do not intend to mean a controller that manages a suite of tty devices.
Reply With Quote
  #9   (View Single Post)  
Old 8th November 2013
esilvaz1101 esilvaz1101 is offline
New User
 
Join Date: Nov 2013
Location: san antonio, TX
Posts: 7
Default

That is way simple then what I was trying, my professor didn't give us any help said to look it up online and create a PF for MySQL, PHP, Apache I been working on this for a week straight and can't seem to get it working, basically I was blocking everything and had no idea why until you explained this to me. I just bought the book for PF for OpenBSD, to read up more on the subject.
Reply With Quote
Old 8th November 2013
esilvaz1101 esilvaz1101 is offline
New User
 
Join Date: Nov 2013
Location: san antonio, TX
Posts: 7
Default

just found about this
NOTE: The filter rules that the antispoof rule expands to will also block packets sent over the loopback interface to local addresses. It's best practice to skip filtering on loopback interfaces anyways, but this becomes a necessity when using antispoof rules:

set skip on lo0

antispoof for fxp0 inet

Usage of antispoof should be restricted to interfaces that have been assigned an IP address. Using antispoof on an interface without an IP address will result in filter rules such as:

block drop in on ! fxp0 inet all
block drop in inet all

With these rules there is a risk of blocking all inbound traffic on all interfaces.
Reply With Quote
Old 8th November 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

You have two (or three) reasons not to worry about antispoof rules.
  1. They only apply when you are operating as a router, with multiple NICs.
  2. Your only other "NIC" where you proposed rules is your loopback psuedo device lo0, and that has an address assigned to it by default: 127.0.0.1
  3. You could use my 4 rule set, which does not use antispoof.
Reply With Quote
Old 10th November 2013
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by esilvaz1101 View Post
I just bought the book for PF for OpenBSD, to read up more on the subject.
While studying Hansteen's book is a good choice, note that it was published in 2010. Work on pf(4) has continued. Studying this book and studying the PF User's Guide (which is always current...) is strategically a better choice.

Also note that Hansteen's PF manuscript continues to be updated. The latest set of changes is dated June 2013.

Studying all three documents will help fill in any blanks found in any one particular source.
Reply With Quote
Old 10th November 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Excellent advice, ocicat, but I'd like to make one clarification, to avoid any confusion. I'd put my tongue into my cheek and say thatl the FAQ always "-release", as opposed to "-current."

There have been recent changes in -current that affect PF traffic shaping rules. The altq subsystem is being replaced with a new queueing subsystem, so -current users must use the oldqueue keyword if they wish to use altq during this transition period.

These changes will be in the PF User's Guide for 5.5, and until 5.5 -current users will find guidance in the Following -current FAQ.

Last edited by jggimi; 10th November 2013 at 01:52 AM. Reason: clarity
Reply With Quote
Old 10th November 2013
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by jggimi View Post
Excellent advice, ocicat, but I'd like to make one clarification, to avoid any confusion. I'd put my tongue into my cheek and say thatl the FAQ always "-release", as opposed to "-current."


While I get the joke, esilvaz1101, being new to OpenBSD, may be confused by its flavors. Explanation of OpenBSD's flavors (-release, -stable, & -current) are discussed in Section 5.1 of the project's official FAQ.

In fact, this is a good point to plug the value of the overall FAQ document. The official FAQ is the single best source of information on the most recent release (-release) of OpenBSD. Studying its content is the best thing newcomers can do to familiarize themselves with general usage. Many newbie questions will be answered by reading this document.
Reply With Quote
Old 11th November 2013
esilvaz1101 esilvaz1101 is offline
New User
 
Join Date: Nov 2013
Location: san antonio, TX
Posts: 7
Default

Quote:
Originally Posted by ocicat View Post


While I get the joke, esilvaz1101, being new to OpenBSD, may be confused by its flavors. Explanation of OpenBSD's flavors (-release, -stable, & -current) are discussed in Section 5.1 of the project's official FAQ.

In fact, this is a good point to plug the value of the overall FAQ document. The official FAQ is the single best source of information on the most recent release (-release) of OpenBSD. Studying its content is the best thing newcomers can do to familiarize themselves with general usage. Many newbie questions will be answered by reading this document.
Thanks' everyone for all the help, have lot's learn but thanks to all of you for pointing me to the right direction
Reply With Quote
Old 5th December 2013
esilvaz1101 esilvaz1101 is offline
New User
 
Join Date: Nov 2013
Location: san antonio, TX
Posts: 7
Default

For some reason when I built the server and went to write the PF.CONF file the system by default had this on their should I delete it or just add my section? and also ifconfig show my nic=lo0 but this script put "lo" as you can see bellow. Is this just an example and it does nothing at all or I need it?
Code:
       #$OpenBSD: pf.conf,v 1.52 2013/02/13 23:11:14 halex Exp $

# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# increase default state limit from 10'000 states on busy systems
#set limit states 100000

set skip on lo

# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

block           # block stateless traffic
pass            # establish keep-state

# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp


#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

#COnfiguration is for terminal server with single NIC. It blocks
#by default, and passes inbound statefull traffic for ssh, web, auth, andSQL inb
ound

####policy section######

# return TCP RST or ICMP UNREACHABLE for Blocked Traffic:
#set block-policy return

# do not filter looback traffic:
set skip lo0

####Filter Rules #####
# block by default:
block all

# pass stateful traffic for four applications on this terminal server:
pass in proto tcp from any to any port {ssh, www, auth, mysql}
Reply With Quote
Old 5th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

PF is enabled by default, and the OS ships with a default configuration file, which you have modified, by adding the example text I'd provided to you in this thread.

The default configuration for OpenBSD 5.3 or 5.4 a) does not filter on loopback interfaces, b) blocks stateless traffic, c) blocks incoming remote X11 traffic, and d) passes stateful traffic. Here are those lines, with the comments removed:
Code:
set skip on lo
block
pass 
block in on ! lo0 proto tcp to port 6000:6010
The example I'd provided was intended to replace this default configuration.
Quote:
...also ifconfig show my nic=lo0
This is a pseudo-NIC, for loopback traffic. It is not your actual network interface connection. See lo(4).
Reply With Quote
Old 6th February 2014
pitrh pitrh is offline
New User
 
Join Date: Feb 2014
Posts: 1
Post Book of PF and other documents

Quote:
Originally Posted by ocicat View Post
Studying all three documents will help fill in any blanks found in any one particular source.
While it hasn't been formally announced yet, I'm working now on a third edition of the book. The plan is to have it ready at OpenBSD 5.5 release, but there's still a bit of work to be done.

The tutorial (full text) manuscript is in 'minimal maintenance' mode. I haven't yet decided how much more work I will put into it. If I revise that one to include newqueue, it will anyway be after the book is done.

The slides for any events where I give a talk or tutorial will be available after the corresponding session has ended.

The acceptance deadlines for the ones I have sent proposals to haven't passed yet, so it's too early to say which events I'll be speaking at this year.

- Peter
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 11:32 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick