#1
23rd March 2012
sparky
Help needed with understanding PF rules

Hi,

I've created a router/NAT combo in OpenBSD 5.0 RELEASE and am trying to access outside of the NAT.

However, I seem to be running into issues regarding the blocking of packets??


This is what I'm basing my PF rules on:

http://www.openbsd.org/faq/pf/nat.html

http://www.openbsd.org/faq/pf/example1.html

and here is my pf.conf file:

Code:
#macros

int_if="em1"

tcp_services="{ 22 }"
icmp_types="echoreq"

imap_box="10.0.0.9"
http_box="10.0.0.8"

#options

set block-policy return
set loginterface em0
set skip on "{ lo, em1 }"

# HTTP Proxy rules

#anchor "http-proxy/*"

#pass in quick on $int_if inet proto tcp to any port http \
#    divert-to 172.16.8.40 port 3128 



#match rules

#match out on egress inet from !(egress) to any nat-to (egress:0)

match out on em1 from 10.0.0.0/24 to any nat-to 172.16.8.13

#filter rules

block in log
pass out quick
pass out quick on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13 
#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13

antispoof quick for { lo }

pass in quick on egress inet proto tcp from any to (egress) port $tcp_services

#pass in quick on egress inet proto tcp to (egress) port 143 rdr-to $imap_box synproxy state 
pass in quick on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
pass in quick on em1 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass in out on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass  on em0 from any to $imap_box binat-to em0 
pass  on em1 from $imap_box to any binat-to em0


pass in quick on egress inet proto tcp to (egress) port 80 rdr-to $http_box synproxy state

block in on egress inet proto icmp all icmp-type $icmp_types

pass in quick on $int_if

#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13
which is quite a mess, as I'm struggling to understand the mentality of how PF works! I think it's because I'm used to Cisco's IOS that the order of things seems to be reversed with PF, or functions a little differently??


I have managed to gain access to the IMAP server running behind the router/NAT from outside (inside the production network); however, the systems behind the router/NAT don't seem to be able to access anything outside... as I'm trying to update the ports tree on FreeBSD but it cops out using FTP.


I am testing with:

Code:
pfctl -sr
pfctl -ss
tcpdump -eni pflog0

I don't seem to be able to see anything wrong, however. Can anyone help me out?


Regards!

#2
23rd March 2012
denta

For a quick NAT-test, you could try changing the nat-to interface to the external interface and try the following:
Code:
block log all
match out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13
pass in on em1 from 10.0.0.0/24 keep state
pass out on em0 keep state
edit: Maybe binat is the way to go, however.

#3
24th March 2012
jggimi

Quote:
...but it cops out using FTP...
See if http://www.openbsd.org/faq/pf/ftp.html helps.
#4
26th March 2012
sparky

Thanks for the responses!

Quote:
For a quick NAT-test, you could try changing the nat-to interface to the external interface and try the following:
Will take a look at that today, but what's a good way to debug PF other than what I specified above?

Code:
tcpdump -eni pflog0 src 10.0.0.5
doesn't show anything blocking or allowing??

Quote:
Maybe binat is the way to go, however.
What is the main difference at this stage between NAT and BiNAT?

Is binat a way of using more than one WAN IP address on one interface?

There is an external FTP proxy service now configured outside of the firewall within the local physical network. I'm not sure if proxying twice would work though?
#5
26th March 2012
jggimi

Quote:
I'm not sure if proxying twice would work though?
Your PF configuration includes NAT. AFAICR you will not be able to transit the FTP protocol through the OpenBSD router without ftp-proxy(8).
#6
26th March 2012
sparky

Right, so I've enabled the ftp-proxy service, which I've checked using netstat -ap tcp, and it's up!

Code:
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  localhost.8021         *.*                    LISTEN
However, how can I check that things are working properly? The Foreign Address field keeps saying listen and that's it??

This is my pf.conf file now:

Code:
#macros

int_if="em1"

tcp_services="{ 22 }"
icmp_types="echoreq"

imap_box="10.0.0.9"
http_box="10.0.0.8"

#options

set block-policy return
set loginterface em0
set skip on "{ lo, em1 }"

# Proxy rules

#anchor "http-proxy/*"

#pass in quick on $int_if inet proto tcp to any port http \
#    divert-to 172.16.8.40 port 3128 

pass in quick on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021 

#match rules

#match out on egress inet from !(egress) to any nat-to (egress:0)

match out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13

#filter rules

block in log
pass out quick
pass out quick on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13 
#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13

antispoof quick for { lo, em1 }

pass in quick on egress inet proto tcp from any to (egress) port $tcp_services

#pass in quick on egress inet proto tcp to (egress) port 143 rdr-to $imap_box synproxy state 
pass in quick on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass in quick on em1 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass in out on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass  on em0 from any to $imap_box binat-to em0 
pass  on em1 from $imap_box to any binat-to em0


pass in quick on egress inet proto tcp to (egress) port 80 rdr-to $http_box synproxy state

block in on egress inet proto icmp all icmp-type $icmp_types

pass in quick  on $int_if 

#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13
On the FreeBSD host that I'm trying to use ports to install software with I am doing this:

Code:
setenv http_proxy http://172.16.8.40:3128
setenv ftp_proxy ftp://172.16.8.40:3128
setenv https_proxy https://172.16.8.40:3128
That proxy address/port combo is what I'm using outside of my OpenBSD router as internet access is restricted!

pfctl -ss shows:

Code:
# pfctl -ss 
all tcp 10.0.0.1:22 <- 10.0.0.10:53250       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.9:143 (172.16.8.13:143) <- 172.16.8.12:55195       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.12:55195 -> 10.0.0.9:143       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.9:143 (172.16.8.13:143) <- 172.16.8.12:55210       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.12:55210 -> 10.0.0.9:143       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.9:143 (172.16.8.13:143) <- 172.16.8.12:55211       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.12:55211 -> 10.0.0.9:143       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.1:22 <- 10.0.0.10:53307       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.40:3128 <- 10.0.0.5:58513       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.13:52735 (10.0.0.5:58513) -> 172.16.8.40:3128       ESTABLISHED:ESTABLISHED
but I'm still unable to download anything from ftp://ftp.freebsd.org
#7
26th March 2012
sparky

Turns out that FTP has been allowed through the firewall for me, so the internal FTP proxy is enough to let me through....

The additional config of:

Code:
setenv ftp_proxy ftp://172.16.8.40:3128
didn't need to be used.

But it was in turn adversely blocking me...... when input (duh!)
#8
26th March 2012
denta

Quote:
Originally Posted by sparky
what's a good way to debug PF other than what I specified above?
You could also check the rules themselves, and see how many packets are being "matched" by each rule. Example snipped output of /sbin/pfctl -sr -vv:

Code:
@5 block drop in quick on vr0 from <china:2601> to any
  [ Evaluations: 30160     Packets: 283       Bytes: 20721       States: 0     ]
  [ Inserted: uid 0 pid 30316 State Creations: 0     ]
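As an added example (not posted by anyone in this thread), a small POSIX sh/awk helper that turns `pfctl -sr -vv` output like the snippet above into a per-rule table and lists the rules that were evaluated but never matched a packet; the rule text and counter values in SAMPLE are constructed to mirror that output format.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the per-rule counters that
# `pfctl -sr -vv` prints so rules that never match stand out.
# SAMPLE is constructed to mirror the format denta pasted; on a real box use:
#   pfctl -sr -vv | pf_rule_counters

SAMPLE='@0 block return in log all
  [ Evaluations: 30160     Packets: 283       Bytes: 20721       States: 0     ]
  [ Inserted: uid 0 pid 30316 State Creations: 0     ]
@1 pass out quick all flags S/SA
  [ Evaluations: 29877     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 30316 State Creations: 0     ]
@2 pass in quick on em1 inet proto tcp from any to any port = 21 flags S/SA divert-to 127.0.0.1 port 8021
  [ Evaluations: 12        Packets: 96        Bytes: 8810        States: 2     ]
  [ Inserted: uid 0 pid 30316 State Creations: 2     ]'

# pf_rule_counters: read pfctl -sr -vv on stdin, print one line per rule:
#   <rule_no> <packets> <evaluations> <rule text>
pf_rule_counters() {
    awk '
        /^@[0-9]+ / {                  # "@N rule ..." starts a new rule
            cur = substr($1, 2)
            rule[cur] = substr($0, length($1) + 2)
            order[++count] = cur
            next
        }
        /Evaluations:/ {               # counter line that follows the rule
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") ev[cur] = $(i + 1)
                if ($i == "Packets:")     pk[cur] = $(i + 1)
            }
        }
        END {
            for (i = 1; i <= count; i++) {
                n = order[i]
                printf "%s %s %s %s\n", n, pk[n], ev[n], rule[n]
            }
        }'
}

# pf_unused_rules: rules evaluated many times but never matched a packet.
# A pass rule showing up here is one the traffic never reaches, which is
# the usual reason a flow ends up in the catch-all block.
pf_unused_rules() {
    pf_rule_counters | awk '$2 == 0 && $3 > 0 { print $1 }'
}

printf '%s\n' "$SAMPLE" | pf_rule_counters
printf '%s\n' "$SAMPLE" | pf_unused_rules    # prints: 1
```

Read the table top to bottom alongside `tcpdump -eni pflog0`: the rule number in a pflog line is the same "@N" index, so a blocked packet can be tied straight back to the rule and counters that caught it.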