DaemonForums > OpenBSD > OpenBSD Security
#1, 19th April 2012
whispersGhost (Real Name: heather), Package Pilot
Join Date: May 2008, Location: ny, Posts: 168

please check my pf for any errors Thank You

Code:
# Macros

server = 192.158.0.69
ext_if = "lo0"
int_if = "r10"

#Options
set skip on lo0
set block-policy drop

# Norm Traffic
match in all scrub (no-df max-mss 1440)

# Rerouting
pass in on $ext_if proto tcp from any to $ext_if port 7008 \
rdr-to $server port 7008

# Block Policy
block log all

# Security
antispoof for $ext_if
antispoof for $int_if

# Block Pings
block in on $ext_if inet proto icmp all

#pass 		# to establish keep-state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
__________________
The journey is better than the destination

Last edited by ocicat; 19th April 2012 at 12:53 PM. Reason: PLEASE use [code] & [/code] tags when posting file content.
#2, 19th April 2012
jggimi, More noise than signal
Join Date: May 2008, Location: USA, Posts: 7,977

Things I can see:
  1. Your "server" macro is set to an address on a 192.158 network. This is close to, but is not part of, an RFC 1918 "private network" block: 192.168. I believe this address is either a typo, or you have an improperly configured local network.
  2. Your $ext_if macro is set to lo0. This is a loopback interface. It is not external, so using a macro called "$ext_if" is bound to confuse readers of this configuration file.... including you. Loopback interfaces are entirely virtual, and only used for internal communication between processes on the local system. No external communication is ever made in or out of this interface, unless packets are forwarded through it. Your first pass rule does packet forwarding. Well, it would, if ever used. See below.
  3. You have set skip on lo0. There will be no inspection of packets on lo0, so pass/block/match rules for lo0 traffic will not be evaluated. Read along with me from the pf.conf(5) man page:
    Code:
         set skip on <ifspec>
                 List interfaces for which packets should not be filtered.
                 Packets passing in or out on such interfaces are passed as if pf
                 was disabled, i.e. pf does not process them in any way.  This can
                 be useful on loopback and other virtual interfaces, when packet
                 filtering is not desired and can have unexpected effects.  ifspec
                 is only evaluated when the ruleset is loaded; interfaces created
                 later will not be skipped.
  4. Your pass rule does port forwarding ... but the only traffic that could possibly match this rule is locally generated on this system, since the traffic must be on the loopback interface. No external traffic, coming in from any physical NIC, will ever match this rule. And because of the set skip rule, any packets which might match this rule will never be evaluated. This rule, therefore, will never be matched and no packets will ever be forwarded.
  5. You add a block all rule after the pass. Even if the prior pass rule was altered to evaluate to true for some traffic, it would not matter, because this block follows it. Unless quick is used, the last matching rule wins.
  6. The antispoof rules expansion for $ext_if will not be evaluated, due to the set skip.
  7. The second block is blocking pings and other ICMP traffic on your loopback interface. None of these would be evaluated, due to the set skip, and would only evaluate true -- if you didn't have the set skip -- for packets you generate yourself on this system, to the loopback address, such as: $ ping 127.0.0.1. Even if you had a block rule here that made some sort of sense, it wouldn't matter, because of the prior block all already in effect.
  8. The last block rule is from the default pf.conf, and again, matters not at all due to the preceding block all.
#3, 19th April 2012
jggimi

Heather .... I'm going to make a guess that what you have is an OpenBSD end-point server -- it does no routing of packets elsewhere, and all you want PF to do is block all traffic for anything except TCP traffic to port 7008. If so, then perhaps this silly little 3 line pf.conf will suffice:
Code:
interface = "rl0"
block all
pass in on $interface proto tcp from any to any port 7008
You could do away with the $interface macro and use rl0 in the pass rule, and have only two lines. The purpose of macros is for easy change when moving to different computers, adding interfaces, changing fixed addresses, etc.

The first rule is a block all. All packets evaluate for true, in all directions, and all traffic is blocked.

The second rule is a pass for all traffic from anywhere to anywhere that is destined for port 7008. Now, obviously, the only inbound traffic will be destined for this server, since it is not a router and does not forward anything. So all inbound traffic for destination port 7008 will match and be passed. TCP traffic is "stateful", and the default on TCP traffic is to "keep state", so PF will pass all outbound traffic back to the originator without needing any new rules, as long as the TCP session remains active. Once the state terminates, no outbound traffic will be permitted.

Hope this helps. I recommend a careful review of the PF Users Guide, which is part of the OpenBSD FAQ. I also recommend Peter Hansteen's The Book of PF.
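A fuller version of the three-line ruleset above, as an added example that is not part of jggimi's post or of the thread: it keeps his order (default deny first, then the single pass, because the last matching rule wins), adds the logging and the loopback skip a practitioner wants when a service turns out to be unreachable, and shows the `quick` form in which rule order stops mattering. The interface name rl0 and port 7008 come from the thread; the macro names, the `scrub` line and every other setting are assumptions.

```pf
# Added example, not from the thread. Endpoint server with one NIC (rl0,
# from the thread); macro names and the remaining settings are assumed.
interface    = "rl0"
service_port = "7008"

set skip on lo0          # loopback is never filtered: a test run on the
                         # server itself never crosses rl0 at all
set block-policy drop    # discard silently instead of sending RST/ICMP

match in on $interface scrub (no-df)   # optional normalisation

# Default deny. Without "quick" the last matching rule wins, so the
# catch-all must come before the pass rule, never after it.
# "log" copies every dropped packet to pflog0 for tcpdump.
block log all

# TCP pass rules keep state by default (OpenBSD 4.1 and later), so the
# replies of an accepted connection leave without an explicit "pass out".
# "($interface)" means whatever address rl0 has at the time.
pass in on $interface proto tcp from any to ($interface) port $service_port

# Equivalent written with "quick": evaluation stops at the first match,
# so this pass may sit before the block. Pick one style and stay with it.
# pass in quick on $interface proto tcp from any to ($interface) port $service_port
# block log all
```

Check the syntax without loading it (`pfctl -nf /etc/pf.conf`), load it (`pfctl -f /etc/pf.conf`), confirm what is active (`pfctl -sr`), and when a connection fails watch the dropped packets on the log interface (`tcpdump -n -e -ttt -i pflog0`). pf accepts the name of an interface that does not exist yet, so a misspelt interface name loads without complaint; `ifconfig rl0` confirms the name is real. And, as the thread says, a test from the server itself goes over lo0, which this ruleset skips entirely, so test from another machine.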
#4, 20th April 2012
whispersGhost

Hi

@Jiggimi

You are right about me using the wrong IP.

The reason is I had forgotten that my Vonage adapter used to
be behind my modem, then to my Linksys router.

The Vonage adapter is also a router, which uses 192.158.
But I had forgotten that I had recently reversed the routers to
Cable Modem---:Linksys---:Vonage adapter----:PC

My other problem is when I change my $ext_if and $int_if as you suggested
my terminal will hang when I apply the commands

Code:
sudo pfctl -f pf.conf it just sits with the blinking cursor
same thing at boot up starting the network it will hang till I break it

thanks for the other help as well
as for it hanging what should I do

Thanks
__________________
The journey is better than the destination
#5, 20th April 2012
whispersGhost

Book of pf

Quote:
I recommend a careful review of the PF Users Guide, which is part of the OpenBSD FAQ. I also recommend Peter Hansteen's The Book of PF.

JImmi I love to read, I still have my older books for FreeBSD and the OpenBSD 4.0 book.

Unfortunately a lot of it does not apply to today's versions for some things.
I do read the FAQs a lot; I get lost at times reading it as,

I must admit for pf material, I may need pf for dummies since I'm a little slow on that aspect.

Would fwbuilder help me also learn at all?

I used to use it long ago with FreeBSD.

Now if I get the book you referred to or read the FAQs, am I supposed to look for the current version I am using, 5.0?

Another question I have is this:
if I decide to install a package at any time, since I have my PKG_PATH and PKG_CACHE set,
how can I access the files if my pf rules are set the way you have them, the way I preferred?

By forwarding the port to ftp I imagine, temporarily.

Jimmi thank you so much for all the effort and patience for a slowbie like me
hee, if I ever learn to create my own distro I should name it SlowbieBSD lol
__________________
The journey is better than the destination
#6, 20th April 2012
jggimi

Quote:
Originally Posted by heatherval
My other problem is when I change my $ext_if and $int_if as you suggested...
My recommendation was to not ever confuse loopback virtual interfaces with any sort of physical network connection. You had set $ext_if to "lo0" and this confused me, and apparently, confused you too.

I never mentioned $int_if, and you have neither explained nor shown what this means.

As I tried to tell you, macros are only variables, that are used for keyword substitution. And perhaps you're confused between the terms "internal" and "external". Allow me to try to enlighten you. If this is review, please forgive me. Based on what you've posted, my perception is of a person who continues to be confused.
A computer with more than one physical network interface can be used as a router -- to route packets between one network and another. If your computer has multiple network interfaces, and they are connected to separate networks, you can enable packet forwarding and route packets from one interface to the other. When a computer does this, we term it a "router." Your Linksys router does this, routing between your ISPs network and your private network. OpenBSD systems can do this, too, if they have more than one Network Interface Card (NIC).

PF doesn't know which of your interfaces might be used for a local network, and it doesn't know which of your interfaces might lead to the Internet. All it knows is that you have interfaces. You tell it which packets are permitted to flow inward from particular interfaces, and which packets are permitted to flow outward along particular interfaces. That's it.

PF configuration files permit the use of "macros" -- it's not the best name, because these are nothing more than variable substitutions for strings. e.g. your pf.conf file could have:
permit = "pass"
prevent = "block"
... and then use $permit and $prevent later in the file to mean pass and block. It's nothing more than that.

Why use PF macros? For convenience, and clarity.

Convenience: If your pf.conf had 50 rules for your rl0 interface, and then you changed computers and used another interface, would you rather make a single edit, or 50 edits?

Clarity: If you named your interfaces for the network(s) they attach to, you are less likely to make a mistake. For example, one of my OpenBSD machines is a router with two different interfaces: vr0 connects to computers on a local, internal network, and dc0 connects externally to the Internet. I use "$internal_nic" and "$external_nic" as my variable names -- macros -- for these so that when I am reading the pf.conf file I never have to remember which physical interface connects to what, and the rules make sense to me, or would make sense to other readers.
I believe you only have a single interface ... at least, I presume that from what you have posted. In this case, there is no concept of "internal" or "external" networks, since you only have the one.
Quote:
...it will hang till I break it
There is a serious error; whether it is configuration problem or a software problem I can't say, because you have not provided enough information. Post this changed pf.conf, and please, post your dmesg(8). And please use code tags, as Ocicat recommended when he edited your first post.
Quote:
Would fwbuilder help me also learn at all?
I doubt it. It appears you first need to spend time learning the basics of computer networking; PF scripting requires an understanding of how your applications use a network.
Quote:
Now if I get the book you refered or read the faqs am I supose to look for the current verion I am using 5.0?
The FAQ, including the PF Users Guide, will always apply to the most recent release.
Quote:
Another question I have... is this:
if I decide to install a package at any time, since I have my PKG_PATH and PKG_CACHE set,
how can I access the files if my pf rules are set the way you have them, the way I preferred?
You cannot. The two line (or three line if you use $interface) pf.conf file will only permit outbound traffic in response to inbound traffic on port 7008. You would have to add additional rules to cover this use case.
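The reply above says the two-line ruleset cannot fetch packages and that more rules are needed for that. Here, as an added example and not jggimi's code or anything posted in the thread, is what those additional rules look like when the box must reach a package mirror with pkg_add. rl0 and port 7008 come from the thread; the choice of an http:// mirror, the port list and the ICMP rule are assumptions.

```pf
# Added example, not from the thread: the endpoint ruleset extended so
# pkg_add can fetch packages. rl0 and 7008 are from the thread; the
# mirror protocol (http://) and the outbound port list are assumed.
interface = "rl0"

set skip on lo0
set block-policy drop

block log all

# Inbound: only the served port. State is kept, so replies go out.
pass in on $interface proto tcp from any to ($interface) port 7008

# Outbound, stateful, limited to what a package fetch needs:
# name resolution first, then HTTP/HTTPS to the mirror named in PKG_PATH.
# The mirror's replies match the state entry; no "pass in" is needed.
pass out on $interface proto { tcp udp } from ($interface) to any port 53
pass out on $interface proto tcp from ($interface) to any port { 80 443 }

# Let the box ping out; the echo replies match the ICMP state.
pass out on $interface inet proto icmp icmp-type echoreq
```

The caveat is FTP, which the thread mentions as the obvious route: a passive-mode data connection goes to a server-chosen high port, so an ftp:// PKG_PATH would need `pass out proto tcp to any` (or ftp-proxy(8)) rather than a short port list, which is why the example assumes an http:// mirror. If the mirror has a fixed address, replace `to any` with that address, or with a table, to tighten it further; `pfctl -ss` shows the state entries the outbound rules create while a fetch is running.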
#7, 20th April 2012
jggimi

Quote:
Now if I get the book you refered...
Please take a look at the Books that Help page provided by the OpenBSD Project. Mr. Hansteen's book is the very first entry in the listing. The link to the publisher's site will take you to a page that includes a list of chapters and a sample chapter for download, as well as a link to his speaking schedule and up to date tutorial.
Quote:
By forwarding the port to ftp I imagine, temporarily...
It's statements like these that give me the impression you need a grounding in the basics of computer communication and TCP/IP. If the impression is true, then you should also look for a book geared for an audience with no prior network administration knowledge or experience. A little Googling found this. I'm sure there are others.
#8, 20th April 2012
whispersGhost

Hi

@jggimi

First I'm sorry if I misspelt your name in earlier posts; I had jiggimi instead of Jggimi.

Thank you for the web site for the 3rd edition of TCP/IP. It looks like a good book.

Also it is good that the FAQs are updated, as I would have gotten lost for sure and would have gone back to using 4.0 OpenBSD.

I was using the rules you gave me for now
and my site is unreachable.

Code:
interface = "rl0"

block all
pass in on $interface proto tcp from any to any port 7008

When I decide that I want to install packages I'll just add a ruleset for ftp.

Maybe you can find out why I can't access the site.

Thanks, this has been a great help.
__________________
The journey is better than the destination
#9, 20th April 2012
jggimi

Quote:
Originally Posted by heatherval
Maybe you can find out why I can't access the site.
Not without more information, which I can only get from you.


If you are testing from the OpenBSD system itself, you aren't using the rl0 interface. Remember the loopback discussion? In this thread?

If it's an external test, packets can be traced.
20th April 2012
whispersGhost

Typo

Jggimi

Wow, all this mess I got myself into for typos.

Like I got everything running the way it should be with your help.

And like now what was wrong besides my other typo was I had

Code:
r10 rather than rl0

They do tend to look almost like twins lol

So my site works well now and everything you showed me seems fine as well.

Blocks all in and out but inside requests to 7008

Thanks a bunch Jggimi
__________________
The journey is better than the destination