DaemonForums > OpenBSD > OpenBSD Security

New Firewall Creation

#1 (Amithapr, 30th September 2016)

Hi,

I tried to create a new firewall by copying an existing pf.conf file to a brand new OpenBSD installation. But from my LAN the internet is not accessible.

I tried

pfctl -nf /etc/pf.conf

and it didn't give any errors. Then I tried

pfctl -f /etc/pf.conf

and it gave the following error:

pfctl: SIOCGIFMTU: Device not configured

My external interface card has a Realtek chipset. Why does this error occur? When I try to ping www.google.lk it pings, but from my LAN the internet is not accessible.

Thanks

#2 (jggimi, 30th September 2016)

Your PF configuration file contains at least one reference to a network interface that does not exist on the new system.

A network interface reference contains the name of a driver, followed by a number. Examples include em0, vr1, dc0, fxp3. They are dependent on the specific hardware in each system.

You can learn what they are on each of your systems by reading your dmesg(8) or by using ifconfig(8).

There are many different drivers for many different network interfaces. Just look at how many different Realtek drivers there are, and that is only one brand of network interface chipset vendor:
Code:
$ man -k realtek
re(4) - Realtek 8139C+/8169/816xS/811xS/8168/810xE 10/100/Gigabit Ethernet device
rgephy(4) - Realtek 8169S/8110S/8211B/8211C 10/100/Gigabit Ethernet PHY
rl(4) - Realtek 8129/8139 10/100 Ethernet device
rlphy(4) - Realtek 8139/8201L Ethernet PHY
rsu(4) - Realtek RTL8188SU/RTL8192SU USB IEEE 802.11b/g/n wireless network device
rtsx(4) - Realtek SD card reader
rtw(4) - Realtek RTL8180L IEEE 802.11b wireless network device
rtwn(4) - Realtek RTL8188CE PCIe IEEE 802.11b/g/n wireless network device
ure(4) - RealTek RTL8152 10/100 USB Ethernet device
url(4) - Realtek RTL8150L 10/100 USB Ethernet device
urlphy(4) - Realtek RTL8150L Ethernet PHY
urtw(4) - Realtek RTL8187L/RTL8187B USB IEEE 802.11b/g wireless network device
urtwn(4) - Realtek RTL8188CU/RTL8188EU/RTL8192CU USB IEEE 802.11b/g/n wireless network device
$

Last edited by jggimi; 30th September 2016 at 11:59 AM. Reason: typo

#3 (Amithapr, 30th September 2016)

Hi jggimi,

Thanks for the reply. My ifconfig output is as follows:

Code:
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr xx:xx:xx:xx:xx:xx
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.94.227 netmask 0xffffff00 broadcast 192.168.94.255
        inet6 x::x:x:x:x%em0 prefixlen 64 scopeid 0x1
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr xx:xx:xx:xx:xx:xx
        priority: 0
        groups: egress
        media: Ethernet autoselect (none)
        status: no carrier
        inet x.x.x.x netmask 0xfffffffc broadcast x.x.x.x
        inet6 x::x:x:x:x%rl0 prefixlen 64 scopeid 0x2
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        priority: 0
        groups: pflog

During the first installation only the file hostname.em0 was there. I created the hostname.rl0 and mygate files manually since those were not there on my system (OpenBSD 5.3).

#4 (jggimi, 30th September 2016)

I'll repeat the root cause of the error:
Quote, originally posted by jggimi:
    Your PF configuration file contains at least one reference to a network interface that does not exist on the new system.

The default configuration file is /etc/pf.conf. Within, you are likely to find a network interface name that needs to be revised.
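One way to find such a reference before loading the ruleset on the new box, as an added example rather than anything posted in this thread: a small POSIX shell script that lists every name a pf.conf uses after the "on" keyword (expanding one level of macros such as ext_if="rl0") and compares them against the interface and interface-group names in saved ifconfig(8) output. pfctl(8) reports the same problem at load time with the SIOCGIFMTU error from post #1, but it does not say which name is missing. The function names pf_ifaces, present_names, pf_missing_ifaces and demo are chosen here; the embedded pf.conf and ifconfig output are constructed samples modelled on the interfaces in post #3 plus one tunnel interface that is absent from that list.

```shell
#!/bin/sh
# Added example (not from the thread): find interface names that a pf.conf
# refers to but that do not exist on this host. All function names are
# hypothetical; the sample files in demo() are constructed.

# pf_ifaces FILE
# Print, sorted, every name used after "on" in a pf.conf, with one level of
# macro expansion. Handles "on em0", "on $macro", "on (em0)", "on ! em0"
# and "on { em0 rl0 }".
pf_ifaces() {
    awk '
        function add(tok) {
            gsub(/[(),]/, "", tok)                 # "(em0)" and list commas
            if (substr(tok, 1, 1) == "$")
                tok = macro[substr(tok, 2)]        # expand $macro
            if (tok != "") seen[tok] = 1
        }
        { sub(/#.*/, "") }                         # drop comments
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {         # macro definition
            name = $0; sub(/[ \t]*=.*/, "", name)
            val = $0;  sub(/^[^=]*=/, "", val)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)     # trim blanks and quotes
            macro[name] = val
            next
        }
        {
            for (i = 1; i < NF; i++) {
                if ($i != "on") continue
                j = i + 1
                if ($j == "!") j++                 # negated interface
                if ($j == "{") {                   # brace list
                    for (j++; j <= NF && $j != "}"; j++) add($j)
                } else {
                    add($j)
                }
            }
        }
        END { for (t in seen) print t }
    ' "$1" | sort
}

# present_names FILE
# Print, sorted, the interface names and interface-group names in ifconfig(8)
# output saved to FILE. Groups such as "egress" are valid in pf.conf, so they
# count as present.
present_names() {
    awk '
        /^[a-z][a-z0-9]*: flags=/ { sub(/:.*/, ""); print; next }
        /^[ \t]+groups:/ { for (i = 2; i <= NF; i++) print $i }
    ' "$1" | sort -u
}

# pf_missing_ifaces PF_CONF IFCONFIG_OUT
# Print each name the ruleset uses that is neither an interface nor a group.
pf_missing_ifaces() {
    have=$(present_names "$2")
    for n in $(pf_ifaces "$1"); do
        printf '%s\n' "$have" | grep -qxF "$n" || printf '%s\n' "$n"
    done
}

# demo: run the check on constructed samples modelled on this thread.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/pf.conf" <<'EOF'
# constructed pf.conf sample, not the file attached to the thread
ext_if = "rl0"
int_if = "em0"
vpn_if = "tun3"            # tunnel device present on the old gateway only
set skip on lo0
block in on $ext_if
pass in on $ext_if proto esp
pass in on $ext_if proto udp from any port 1194 to any port 1194
pass on enc0
pass on $vpn_if
pass in on ! $ext_if
pass out on { $ext_if egress }
EOF
    cat > "$dir/ifconfig.out" <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        groups: lo
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        groups: egress
enc0: flags=0<>
        groups: enc
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        groups: pflog
EOF
    pf_missing_ifaces "$dir/pf.conf" "$dir/ifconfig.out"
    rm -rf "$dir"
}

demo
```

On a real migration, save `ifconfig` output from the new system to a file and run `pf_missing_ifaces /path/to/old/pf.conf ifconfig.out`; every name it prints must be renamed, created (a tunnel pseudo-device, for instance) or have its rules removed before `pfctl -f` will succeed. The script only looks at names after "on"; addresses written as `($ext_if)` elsewhere in a rule resolve to the same macros, so fixing the macro fixes both.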

#5 (ocicat, 30th September 2016)

Quote, originally posted by Amithapr:
    I created the hostname.rl0 and mygate files manually since those was not there on my system ( OpenBSD 5.3 )

OpenBSD 5.3 was released May 1, 2013, and public support ended in May 2014. Although this site is not officially affiliated with the OpenBSD project, we do try to adhere to their policies. We highly recommend that you either update or reinstall your system. OpenBSD 6.0 was released a month ago.

#6 (jggimi, 30th September 2016)

I've recommended upgrading or reinstalling, and questioned the continued use of 5.3 more than once. Three weeks ago, we learned that at least one of Amithapr's systems was running a blend of components from 4.1 and 5.3, and perhaps from other releases, and that none of them were beyond 5.3.

It is unclear to me if Amithapr was referring to 5.3 in this thread as the "old" system, or the "new" system.

#7 (Amithapr, 3rd October 2016)

Hi Ocicat, Jggimi

I installed OpenBSD 6.0 finally on my backup gateway. Could you assist me in transferring my PF rules and IPSEC VPN from my old OpenBSD 5.3 system to the new one?

I cannot change the existing IPSEC VPN keys since my remote OpenVPN box is beyond my control. I really need your help to get this backup up and running with the remote OpenBSD 5.3 system.

Many thanks for your help.

Last edited by Amithapr; 3rd October 2016 at 09:37 AM.

#8 (Amithapr, 3rd October 2016)

My pf.conf of the 5.3 live firewall is attached herewith. What are the IPSEC VPN details I should get from the old firewall to the new one to make the IPSEC VPN up and running? (Do I have to create a separate topic for the VPN?)

Attached file: pf.conf (4.2 KB)

#9 (jggimi, 3rd October 2016)

Quote, originally posted by Amithapr:
    ...my remote OpenVPN box is beyond my control...

OpenVPN? I'll assume that's a typo, as all previous discussion has been about IPSec.

You must make contact with the person or persons who control your remote gateway. Your replacement of the local gateway would need to be coordinated with the remote facility. In addition, the remote gateway is also running an unsupported OS, and is likely running the same unsupportable Frankensystem as your local gateway.

Ideally, both gateways should have their OSes replaced, and it would be best to coordinate the activity so they are replaced at the same time. If this were my environment, I would replace both gateways at the same time, coordinating with a remote systems administrator, or arranging for a remote console.
There are risks to replacing only one gateway and leaving the other unchanged. There is no guarantee that a modern, supported release will work with a remote "something unknown but similar to 5.3" gateway, as there have been changes to IPSec over time.
---

To my understanding, this is a simple gateway-to-gateway network architecture, such as:

[lan a] - [gateway a] - [Internet] - [gateway b] - [lan b]

If that is actually true, I would abandon whatever complex isakmpd.policy(5) structure was deployed by your predecessor and replace it with a simple ipsec.conf(5) configuration. There is a reason that Symantec wrote Zero to IPSec in 4 minutes. It is easy, simple, and quick.

I don't know if your environment is that simple, because you have not posted any configuration information. But if the network topology is that simple, and you decide to proceed with replacing the IPSec configuration, keep in mind the article is ten years old. Use up-to-date man pages, do not copy/paste.

If the environment is sufficiently complex to be unable to use ipsec.conf(5) and ipsecctl(8), you will need to migrate all of the existing isakmpd(8) configuration files such as isakmpd.conf(5), isakmpd.policy(5), keynote(5) files, and you will need to migrate keys.

Last edited by jggimi; 3rd October 2016 at 05:54 PM. Reason: typos
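As an added illustration of the "simple ipsec.conf(5) configuration" jggimi recommends over an inherited isakmpd.policy(5) setup (this is not configuration from either of Amithapr's gateways): one ESP tunnel between two LANs, negotiated with a pre-shared key. Only the 192.168.94.0/24 LAN comes from post #3; the gateway addresses, the remote LAN and the key are placeholders that have to be replaced with the values the remote side already expects.

```conf
# Added example, not the thread's configuration. All addresses except the
# 192.168.94.0/24 LAN are placeholders; the psk is a placeholder too.
local_gw   = "203.0.113.10"     # placeholder: this gateway's public address (rl0)
remote_gw  = "203.0.113.1"      # placeholder: the remote gateway's public address
local_lan  = "192.168.94.0/24"  # the LAN on em0 in post #3
remote_lan = "10.10.0.0/24"     # placeholder: the LAN behind the remote gateway

# One IKEv1-negotiated ESP tunnel between the two LANs. The key must be the one
# the remote gateway is already configured with, since it cannot be changed there.
ike esp from $local_lan to $remote_lan local $local_gw peer $remote_gw psk "REPLACE-WITH-THE-EXISTING-PSK"
```

Check the file with `ipsecctl -nf /etc/ipsec.conf`, load it with `ipsecctl -f /etc/ipsec.conf`, and inspect the negotiated SAs with `ipsecctl -sa`. isakmpd(8) must run with `-K` (isakmpd_flags="-K" in /etc/rc.conf.local) so that it ignores keynote policy, and ipsec=YES loads the file at boot. If the old peer only accepts specific transforms, the `main` and `quick` keywords in ipsec.conf(5) select them explicitly; that is the point at which jggimi's warning about a modern release talking to a 5.3-era gateway becomes concrete.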

Amithapr, 4th October 2016

Thanks a lot Jggimi,

I'll try your information.

jggimi, 9th October 2016

I've taken a few minutes to look at the only network configuration information you have posted at this forum. In its entirety, this is:
  • The network interfaces in post #3 above
  • The PF configuration file attached to post #8 above
There are four things I am able to determine from this limited information.
  1. The network interfaces in post #3 match the hardware network interfaces posted in the PF configuration you attached to post #8. However, the error message you posted in post #1 above will only be produced when PF attempts to obtain the Maximum Transmission Unit (MTU) size of a non-existent interface.

    The PF configuration includes references to a network tunnel pseudo-device, tun3. This device exists on your "old" system, but not your "new" system.
  2. The PF configuration includes rules for BOTH IPSec and OpenVPN. Your reference in post #7 to OpenVPN was not a typo. It is the OpenVPN rules which refer to tun3.

    Both IPSec and OpenVPN are VPN technologies, but they are otherwise entirely unrelated.

    OpenVPN is not part of the OS kernel. It is a "userland" program, that communicates with the kernel's network stack via a network tunnel pseudo-device.

    The tun(4) driver was split in two for OpenBSD 5.9. The tun(4) driver became a point-to-point connector only, and a new driver, tap(4), took on the responsibility for tunneling Ethernet frames between the kernel and userland programs. OpenVPN connections may use tun(4) or tap(4) depending upon how they are provisioned.
  3. If you want your replacement gateways to pass OpenVPN traffic, you will need to install and configure the OpenVPN package. At 6.0 this is version 2.3.11 of OpenVPN. At 5.3, the version was 2.2.2.

    If you install this package, please read the pkg-readme file which installs with it. It explains the replacement of the tun(4) driver with the tap(4) driver for tunnelled Ethernet if required.

    If you do not want or need OpenVPN, remove the rules related to this traffic from your PF configuration.
  4. Your PF configuration broadly passes both IPSec and OpenVPN traffic indiscriminately (any to any), and does not filter it in any way.

    The IPSec traffic will use IPSec's Encapsulating Security Payload (ESP) protocol. This protocol is always passed.

    The IPSec traffic is presented to PF in plaintext via the enc(4) pseudo device for filtering. This traffic is always passed.

    The OpenVPN traffic is tunnelled via User Datagram Protocol (UDP) packets with source 1194 and destination port 1194. This traffic is always passed.

    The OpenVPN program-to-network traffic is sent and received via pseudo device tun3. This traffic is always passed.
You may recall my whining, more than once, that we can only help you based on the information you present to us. I'm whining again, because until I looked at this configuration file I was unaware you had two different VPN technologies deployed.

Last edited by jggimi; 9th October 2016 at 03:22 AM. Reason: clarity
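To make point 4 concrete, here is an added, constructed pf.conf fragment; it is not the file attached to post #8. The any-to-any shape the post describes is kept as comments beside rules that admit the same two VPNs only from the one known peer gateway and only between the two LANs, so that a stray packet on 1194/udp or a foreign ESP source is logged and dropped instead of passed. Interface names follow post #3; the peer address, the remote LAN and the decision to keep OpenVPN at all are assumptions.

```pf
# Added example, constructed here; not the pf.conf attached to post #8.
# Interface names follow post #3; peer and remote-LAN addresses are placeholders.
ext_if     = "rl0"
int_if     = "em0"
vpn_if     = "tun3"             # OpenVPN tunnel; drop these rules if OpenVPN is not needed
peer_gw    = "203.0.113.1"      # placeholder: the remote gateway's public address
local_lan  = "192.168.94.0/24"
remote_lan = "10.10.0.0/24"     # placeholder: the LAN behind the remote gateway

set skip on lo0
block log all

# The shape the post describes: every VPN path open any-to-any, never filtered.
#   pass on $ext_if proto esp
#   pass on $ext_if proto udp from any port 1194 to any port 1194
#   pass on enc0
#   pass on $vpn_if

# IPsec: IKE (500/udp, plus 4500/udp for NAT-T) and ESP, only with the known peer
pass in  on $ext_if proto udp from $peer_gw to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto udp from ($ext_if) to $peer_gw port { 500, 4500 }
pass in  on $ext_if proto esp from $peer_gw to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $peer_gw

# Decrypted IPsec traffic is filtered in the clear on enc0: only the two LANs may talk
pass in  on enc0 from $remote_lan to $local_lan
pass out on enc0 from $local_lan to $remote_lan

# OpenVPN: 1194/udp only with the known peer, and only the two LANs across the tunnel
pass in  on $ext_if proto udp from $peer_gw port 1194 to ($ext_if) port 1194
pass out on $ext_if proto udp from ($ext_if) port 1194 to $peer_gw port 1194
pass in  on $vpn_if from $remote_lan to $local_lan
pass out on $vpn_if from $local_lan to $remote_lan

# LAN clients out to the Internet through this gateway
match out on $ext_if from $local_lan nat-to ($ext_if)
pass in  on $int_if from $local_lan to any
pass out on $ext_if from ($ext_if) to any
```

Validate with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`, and confirm what is active with `pfctl -vsr`. If OpenVPN is not installed on the new gateway, the $vpn_if rules must go as well, since tun3 will not exist and the load fails with the SIOCGIFMTU error from post #1; and because `block log all` is now in front of everything, any VPN traffic that is dropped shows up on pflog0 (`tcpdump -n -e -ttt -i pflog0`) rather than silently passing as before.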

Amithapr, 27th October 2016

Hi Jggimi,

Thanks a lot for your information.