packet filtering problem
I'm having problems setting up openbsd as a firewall. I believe my pf.conf is the problem. I've read everything I could on pf. From my lan computers I can ping using an ip address but can't ping using a host address. I can't surf the internet. Below is my network setup:
Code:
                      internet
                         |
                         |
                    cable modem
                         |
                         |
            ---- dynamic wan ip (em0) ----
            |                            |
            |          openbsd           |
            |                            |
            ----- 10.255.255.1 (em1) -----
                         |
                         |
          wireless access point 10.255.255.2
                         |
                         |
              --------------------
              |                  |
              |                  |
       10.255.255.100      10.255.255.101
          desktop             netbook

Code:
# cat /etc/pf.conf
# macros
wan = "em0"
lan = "em1"

set block-policy return
set skip on lo0

match out on $wan from $lan:network nat-to ($wan)

pass in inet proto icmp all icmp-type { echoreq, unreach }
pass in on { $wan }
pass in on { $lan }
===============================================================================
# cat /etc/dhcpd.conf
# $OpenBSD: dhcpd.conf,v 1.2 2008/10/03 11:41:21 sthen Exp $
option domain-name "openbsd.ph.comcast.net";
option domain-name-servers 10.255.255.1;

subnet 10.255.255.0 netmask 255.255.255.0 {
    option routers 10.255.255.1;
    range 10.255.255.100 10.255.255.120;
}
===============================================================================
# cat /etc/dhclient.conf
# $OpenBSD: dhclient.conf,v 1.2 2011/04/04 11:14:52 krw Exp $
#
# DHCP Client Configuration
initial-interval 1;
send host-name "openbsd";
request subnet-mask, broadcast-address, routers, domain-name, domain-name-servers, host-name;
===============================================================================
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
# cat /etc/hostname.em0
dhcp
# cat /etc/hostname.em1
inet 10.255.255.1 255.255.255.0
===============================================================================
# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 4c:72:b9:20:a5:aa
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet6 fe80::4e72:b9ff:fe20:a5aa%em0 prefixlen 64 scopeid 0x1
        inet 128.223.65.98 netmask 0xffffff00 broadcast 128.223.65.255
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 4c:72:b9:20:a5:cc
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet6 fe80::4e72:b9ff:fe20:a5aa%em0 prefixlen 64 scopeid 0x1
        inet 72.223.65.98 netmask 0xffffff00 broadcast 72.223.65.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 4c:72:b9:20:a5:dd
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 10.255.255.1 netmask 0xffffff00 broadcast 10.255.255.255
        inet6 fe80::4e72:b9ff:fe20:a5ab%em1 prefixlen 64 scopeid 0x2
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
        priority: 0
        groups: pflog
===============================================================================
# netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            72.223.65.1        UGS        0       61     -     8 em0
10.255.255/24      link#2             UC         3        0     -     4 em1
10.255.255.100     bc:5f:f4:65:c5:69  UHLc       0      207     -     4 em1
10.255.255.111     18:af:61:01:63:2d  UHLc       0       25     -     4 em1
10.255.255.112     28:6a:ba:6d:16:3b  UHLc       0       71     -     4 em1
72.223.65/24       link#1             UC         1        0     -     4 em0
72.223.65.1        00:1e:be:ff:0a:d0  UHLc       1        0     -     4 em0
72.223.65.98       127.0.0.1          UGS        0        0 33192     8 lo0
127/8              127.0.0.1          UGRS       0        0 33192     8 lo0
127.0.0.1          127.0.0.1          UH         2       77 33192     4 lo0
224/4              127.0.0.1          URS        0        0 33192     8 lo0
===============================================================================
# pfctl -vvsr
@0 match out on em0 inet from 10.255.255.0/24 to any nat-to (em0:1) round-robin
  [ Evaluations: 211       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2191 State Creations: 0     ]
@1 pass in inet proto icmp all icmp-type echoreq
  [ Evaluations: 211       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2191 State Creations: 0     ]
@2 pass in inet proto icmp all icmp-type unreach
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2191 State Creations: 0     ]
@3 pass in on em0 all flags S/SA
  [ Evaluations: 150       Packets: 47        Bytes: 5104        States: 1     ]
  [ Inserted: uid 0 pid 2191 State Creations: 43    ]
@4 pass in on em1 all flags S/SA
  [ Evaluations: 150       Packets: 879       Bytes: 60717       States: 30    ]
  [ Inserted: uid 0 pid 2191 State Creations: 105   ]
===============================================================================
# pfctl -s info
Status: Enabled for 0 days 00:02:43           Debug: err

State Table                          Total             Rate
  current entries                       34
  searches                            1130            6.9/s
  inserts                              161            1.0/s
  removals                             127            0.8/s
Counters
  match                                224            1.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              2            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
=================================================================================
dmesg output:
Code:
# dmesg
OpenBSD 5.4 (GENERIC.MP) #44: Tue Jul 30 12:13:32 MDT 2013
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM) i3-3220T CPU @ 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,AVX,F16C,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
real mem  = 3592253440 (3425MB)
avail mem = 3522113536 (3358MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/06/13, SMBIOS rev. 2.7 @ 0xec470 (75 entries)
bios0: vendor Intel Corp. version "KBQ7710H.86A.0053.2013.1206.1031" date 12/06/2013
bios0: Intel Corporation DQ77KB
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT TCPA MCFG HPET SSDT SSDT SSDT ASF!
acpi0: wakeup devices PS2K(S3) PS2M(S3) UAR1(S3) MBTN(S1) P0P1(S4) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) USB6(S3) USB7(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 99MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i3-3220T CPU @ 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,AVX,F16C,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i3-3220T CPU @ 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,AVX,F16C,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i3-3220T CPU @ 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,AVX,F16C,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf8000000, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 3 (P0P1)
acpiprt2 at acpi0: bus 1 (RP01)
acpiprt3 at acpi0: bus -1 (RP02)
acpiprt4 at acpi0: bus -1 (RP03)
acpiprt5 at acpi0: bus -1 (RP04)
acpiprt6 at acpi0: bus -1 (RP05)
acpiprt7 at acpi0: bus -1 (RP06)
acpiprt8 at acpi0: bus 2 (RP07)
acpiprt9 at acpi0: bus -1 (RP08)
acpiprt10 at acpi0: bus -1 (PEG0)
acpiprt11 at acpi0: bus -1 (PEG1)
acpiprt12 at acpi0: bus -1 (PEG2)
acpiprt13 at acpi0: bus -1 (PEG3)
acpiec0 at acpi0: Failed to read resource settings
acpicpu0 at acpi0: C2, C1, PSS
acpicpu1 at acpi0: C2, C1, PSS
acpicpu2 at acpi0: C2, C1, PSS
acpicpu3 at acpi0: C2, C1, PSS
acpipwrres0 at acpi0: FN00
acpipwrres1 at acpi0: FN01
acpipwrres2 at acpi0: FN02
acpipwrres3 at acpi0: FN03
acpipwrres4 at acpi0: FN04
acpitz0 at acpi0: critical temperature is 92 degC
acpitz1 at acpi0: critical temperature is 92 degC
acpibat0 at acpi0: BAT0 not present
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID0
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD02
bios0: ROM list: 0xc0000/0xe600 0xce800/0x1000 0xcf800/0x1000
cpu0: Enhanced SpeedStep 2794 MHz: speeds: 2800, 2700, 2600, 2500, 2400, 2300, 2200, 2100, 2000, 1900, 1800, 1700, 1600 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel Xeon E3-1200v2 Host" rev 0x09
vga1 at pci0 dev 2 function 0 "Intel HD Graphics 2500" rev 0x09
intagp0 at vga1
agp0 at intagp0: aperture at 0xe0000000, size 0x10000000
inteldrm0 at vga1
drm0 at inteldrm0
No connectors reported connected with modes
Cannot find any crtc or sizes - going 1024x768
inteldrm0: 1024x768
wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel 7 Series xHCI" rev 0x04 at pci0 dev 20 function 0 not configured
"Intel 7 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
em0 at pci0 dev 25 function 0 "Intel 82579LM" rev 0x04: msi, address 4c:72:b9:20:a5:cc
ehci0 at pci0 dev 26 function 0 "Intel 7 Series USB" rev 0x04: apic 2 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 28 function 0 "Intel 7 Series PCIE" rev 0xc4: apic 2 int 16
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 6 "Intel 7 Series PCIE" rev 0xc4: apic 2 int 18
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 4c:72:b9:20:a5:dd
ehci1 at pci0 dev 29 function 0 "Intel 7 Series USB" rev 0x04: apic 2 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xa4
pci3 at ppb2 bus 3
pcib0 at pci0 dev 31 function 0 vendor "Intel", unknown product 0x1e47 rev 0x04
ahci0 at pci0 dev 31 function 2 "Intel 7 Series AHCI" rev 0x04: msi, AHCI 1.3
scsibus0 at ahci0: 32 targets
cd0 at scsibus0 targ 1 lun 0: <ASUS, DRW-24B1ST c, 1.05> ATAPI 5/cdrom removable
sd0 at scsibus0 targ 5 lun 0: <ATA, SanDisk iSSD P4, SSD> SCSI3 0/direct fixed naa.5001b4458a993254
sd0: 3825MB, 512 bytes/sector, 7835184 sectors, thin
ichiic0 at pci0 dev 31 function 3 "Intel 7 Series SMBus" rev 0x04: apic 2 int 18
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-12800 SO-DIMM
spdmem1 at iic0 addr 0x52: 4GB DDR3 SDRAM PC3-12800 SO-DIMM
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5
kbc: cmd word write error
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: NCT6776F rev 0x33
lm1 at wbsio0 port 0xa00/8: NCT6776F
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
uhub2 at uhub0 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
uhub3 at uhub1 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on sd0a (50be3b8be0aacd38.a) swap on sd0b dump on sd0b
Hello, and welcome!
Quote:
If you prefer, you could change your dhcpd.conf to provide your ISP's nameservers, or other publicly available nameservers, and not run a local DNS service yourself.

Last edited by jggimi; 27th April 2014 at 11:35 PM. Reason: added option to reconfigure dhcpd.conf for externally provided DNS
Prior to posting my problem I thought that possibly I was having a DNS issue as well. I attempted to change the name server from 10.255.255.1 to the 3 ISP-provided name servers. Upon closer inspection of the proper way to separate the ISP DNS name servers in my dhcpd.conf file, I can see I made an error the first time I made the change. I forgot to include a comma to separate the DNS name servers, which probably caused my connection to fail. I will attempt the change again, to see if that was my problem. I did not set up a DNS server in OpenBSD, so I'm betting this is my problem. I'll report back on my findings. Thank you.
jggimi looks like the DNS issue was one of my problems. I changed the DNS to use my ISP's domain name servers and initially I was still having the same problem. Turns out I had 2 problems, and not just the DNS issue. I had to modify my pf.conf file, and changed the following nat rule:
Code:
from: match out on $wan from $lan:network nat-to ($wan)
to:   pass out on $wan from $lan:network nat-to ($wan)

http://daemonforums.org/showthread.php?t=5393

Unfortunately, the forum rules won't allow me to enclose the above address in url tags until I have at least five posts.

Last edited by ocicat; 28th April 2014 at 11:41 AM. Reason: activated link
I have been thinking more about this. You do not use a Default Deny approach, as recommended in the PF Users Guide -- there is no leading block all rule. There are no block rules in your configuration at all.
Pursuant to pf.conf(5) the default is to pass traffic when there is no matching rule, without creating state. Any match rule should apply to all matching traffic, also without creating or altering state. The documentation does not state an explicit pass or block is required, as I assumed above. Since best practice is to operate with a Default Deny approach, perhaps your particular use case has not been previously tested by or reported to the Project.
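The evaluation behaviour discussed in the two posts above (top-down walk, last matching pass/block rule wins unless it says quick, match rules only attach options such as nat-to and log and never decide, implicit pass without state when nothing matches, pass rules keeping state) is small enough to model. The Python below is an added example, not pf's code and not something posted in the thread; it encodes the thread's first pf.conf, the poster's fix, and a default-deny variant as rule lists and runs two constructed packets through them (the 203.0.113.x and 198.51.100.x addresses are constructed). One modelling assumption is spelled out in the code: a nat-to translation is bound to the state a pass rule creates, so a match nat-to rule with only the implicit default pass behind it translates nothing, which is the behaviour the poster's fix worked around.

```python
"""Toy model of pf rule evaluation (added example, not pf's own code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    direction: str   # "in" or "out"
    iface: str       # interface the packet crosses
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str


@dataclass
class Rule:
    action: str                      # "pass", "block" or "match"
    direction: Optional[str] = None  # None matches both directions
    iface: Optional[str] = None      # None matches every interface
    proto: Optional[str] = None      # None matches every protocol
    src_net: Optional[str] = None    # CIDR the source must fall in
    quick: bool = False              # stop evaluation when this rule matches
    nat_to: Optional[str] = None     # interface whose address replaces src
    log: bool = False


@dataclass
class Verdict:
    action: str            # final pass/block decision
    rule: Optional[int]    # index of the deciding rule, None = implicit default
    state: bool            # whether a state entry is created
    nat_to: Optional[str]  # translation bound to that state, if any
    logged: bool


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src_net and ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Verdict:
    """Walk the ruleset top to bottom: the last matching pass/block rule wins
    unless a matching rule is quick; match rules only collect options."""
    decision, decided_by, pending_nat = None, None, None
    match_log, rule_log = False, False
    for idx, rule in enumerate(rules):
        if not _matches(rule, pkt):
            continue
        if rule.action == "match":
            match_log = match_log or rule.log   # match-rule logging sticks
            if rule.nat_to:
                pending_nat = rule.nat_to
            continue
        decision, decided_by, rule_log = rule.action, idx, rule.log
        if rule.action == "pass" and rule.nat_to:
            pending_nat = rule.nat_to
        if rule.quick:
            break
    logged = match_log or rule_log
    if decision is None:
        # Nothing decided: pf's implicit default is pass, but without state.
        # Assumption of this model: translation lives in the state entry, so a
        # nat-to collected from a match rule has nothing to attach to here.
        return Verdict("pass", None, state=False, nat_to=None, logged=logged)
    if decision == "block":
        return Verdict("block", decided_by, state=False, nat_to=None, logged=logged)
    # pass rules keep state by default; the pending translation is bound to it
    return Verdict("pass", decided_by, state=True, nat_to=pending_nat, logged=logged)


WAN, LAN, LAN_NET = "em0", "em1", "10.255.255.0/24"


def original_ruleset() -> List[Rule]:
    """The thread's first pf.conf: NAT on a match rule, no pass out rule."""
    return [
        Rule("match", "out", WAN, src_net=LAN_NET, nat_to=WAN),
        Rule("pass", "in", proto="icmp"),
        Rule("pass", "in", WAN),
        Rule("pass", "in", LAN),
    ]


def fixed_ruleset() -> List[Rule]:
    """Same ruleset with the NAT rule changed to pass out, as the poster did."""
    return [
        Rule("pass", "out", WAN, src_net=LAN_NET, nat_to=WAN),
        Rule("pass", "in", proto="icmp"),
        Rule("pass", "in", WAN),
        Rule("pass", "in", LAN),
    ]


def default_deny_ruleset() -> List[Rule]:
    """Default-deny shape: block and log everything first, then pass only what
    is wanted; the states created by the pass rules carry the replies."""
    return [
        Rule("block", log=True),
        Rule("pass", "out", WAN, src_net=LAN_NET, nat_to=WAN),
        Rule("pass", "in", LAN, src_net=LAN_NET),
    ]


# Constructed packets: a LAN host's web request leaving on the WAN side, and an
# unsolicited connection attempt arriving on the WAN side.
LAN_TO_WEB = Packet("out", WAN, "tcp", "10.255.255.100", "203.0.113.80")
UNSOLICITED = Packet("in", WAN, "tcp", "198.51.100.7", "203.0.113.98")

if __name__ == "__main__":
    for name, rs in [("original", original_ruleset()),
                     ("fixed", fixed_ruleset()),
                     ("default deny", default_deny_ruleset())]:
        print(name, evaluate(rs, LAN_TO_WEB), evaluate(rs, UNSOLICITED))
```

With the original ruleset the outbound LAN packet is passed only by the implicit default, with no state and no translation; with the poster's fix the same packet is decided by rule 0, gets a state, and carries the nat-to. The default-deny list blocks and logs the unsolicited inbound packet while still passing the LAN's outbound traffic through rule 1.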
jggimi, the rule set I supplied was just a minimal set only intended to test my connection. I needed something very simple to see if I could establish a connection to the internet from my lan. After fixing my two problems, I'm moving on to create a more appropriate rule set. Looking at the pf users guide, I saw the following statement:
Quote:
Any suggestions on improving my ruleset? I just need to surf the internet, check email, and need access to shares on the LAN from computers within the LAN. I was trying to figure out how to allow host name lookups and NTP, but with the rule below that I disabled, I was no longer able to surf the internet.
Code:
#########
## Macros
#########
wan = "em0"
lan = "em1"

#########
## Tables
#########
table <private_ips> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.1/8, 169.254.0.0/16,
                            172.16.0.0/12, 192.0.2.0/24, 192.88.99.0/24, 192.168.0.0/16,
                            198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4,
                            240.0.0.0/4, 255.255.255.255/32 }

##########
## Options
##########
set skip on lo0

########################
## Traffic normalization
########################
match in log on $wan scrub (no-df)

##############################
## Network address translation
##############################
pass out on $wan from $lan:network nat-to ($wan)

###################
## Packet filtering
###################
# block and log inbound traffic
block in log

# block IPv6 traffic
block quick inet6 all

# block spoofed or forged IP's
antispoof quick for $wan

# block non-routable addresses
block in quick from no-route to any

# check unicast reverse path forwarding
block in quick from urpf-failed to any

# block private address blocks outside network
block in quick on $wan from <private_ips> to any
block out quick on $wan from any to <private_ips>

# drop broadcasts
block in quick on $wan from any to 255.255.255.255

# UDP (allow DNS lookups and time keeping)
#pass out on $wan proto udp from any to ($wan) port { domain, ntp } keep state

pass in on $lan
To be clear, is this the rule that caused problems?
Code:
#pass out on $wan proto udp from any to ($wan) port { domain, ntp } keep state

Your explicit rule to block any internet traffic to 255.255.255.255 is unnecessary, as you have that address in the table you block with the immediately preceding rule.

I recommend, until you have your ruleset somewhat fixed, that you add the log option to every rule, both block and pass. That way, you will be able to use tcpdump(8) with your pflog(4) device to see exactly what is being passed or blocked. You will be able to see every rule that matches ... and eventually be able to discern which rules are moot, and which are causing problems.
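The pflog-based approach recommended above generates one header line per logged packet, in the shape tcpdump -n -e -ttt -i pflog0 prints ("rule N/(match) action dir on iface: src > dst: ..."), where N is the rule number pfctl -sr shows. The Python below is an added example, not something from the thread or from the tcpdump or pf projects: it parses such lines, counts packets per rule, lists rule numbers that never appear once every rule logs (the "moot" candidates), and flags an inbound block whose addresses mirror an earlier outbound pass, which is the trace a reply leaves when no state was created for it. The sample lines and the 203.0.113.x, 192.0.2.x and 198.51.100.x addresses are constructed; the timestamp format is only approximated, and the parser ignores it.

```python
"""Summarise pflog headers captured with tcpdump (added example, not from the thread)."""
import re
from collections import Counter
from typing import List, Optional, Tuple

# Per-packet header tcpdump -n -e prints for the pflog interface (timestamp ignored):
#   "... rule 2/(match) block in on em0: 198.51.100.7.44123 > 203.0.113.98.22: ..."
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) (?P<action>pass|block|match) "
    r"(?P<direction>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

# Constructed sample capture: a probe to the WAN side blocked twice, a DNS query
# passed out, its answer blocked on the way back in, and a LAN host's web request.
SAMPLE_LINES = [
    "Apr 28 11:40:01.104881 rule 2/(match) block in on em0: 198.51.100.7.44123 > 203.0.113.98.22: S 1:1(0) win 65535",
    "Apr 28 11:40:02.220034 rule 6/(match) pass out on em0: 203.0.113.98.51022 > 192.0.2.53.53: udp 41",
    "Apr 28 11:40:02.221560 rule 0/(match) block in on em0: 192.0.2.53.53 > 203.0.113.98.51022: udp 120",
    "Apr 28 11:40:03.003110 rule 8/(match) pass in on em1: 10.255.255.100.50001 > 192.0.2.80.80: S 99:99(0) win 8192",
    "Apr 28 11:40:04.500000 rule 2/(match) block in on em0: 198.51.100.7.44124 > 203.0.113.98.23: S 2:2(0) win 65535",
]


def _split_host_port(endpoint: str) -> Tuple[str, Optional[int]]:
    """'203.0.113.98.22' -> ('203.0.113.98', 22); an ICMP endpoint has no port."""
    host, _, port = endpoint.rpartition(".")
    if host.count(".") == 3 and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_pflog_line(line: str) -> Optional[dict]:
    """Return the fields of one pflog header, or None for any other line."""
    m = PFLOG_RE.search(line)
    if not m:
        return None   # e.g. a hex-dump continuation line
    src, sport = _split_host_port(m["src"])
    dst, dport = _split_host_port(m["dst"])
    rest = m["rest"]
    proto = "udp" if rest.startswith("udp") else "icmp" if rest.startswith("icmp") else "tcp"
    return {"rule": int(m["rule"]), "action": m["action"], "direction": m["direction"],
            "iface": m["iface"], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto}


def summarize(lines: List[str]) -> Counter:
    """Packets per (rule number, action, direction, interface)."""
    counts: Counter = Counter()
    for rec in map(parse_pflog_line, lines):
        if rec:
            counts[(rec["rule"], rec["action"], rec["direction"], rec["iface"])] += 1
    return counts


def rules_never_logged(rule_count: int, lines: List[str]) -> List[int]:
    """Rule numbers (0..rule_count-1, as in pfctl -sr) that never appear in the
    capture; once every rule carries 'log' these are the candidates for being moot."""
    seen = {rec["rule"] for rec in map(parse_pflog_line, lines) if rec}
    return [n for n in range(rule_count) if n not in seen]


def blocked_replies(lines: List[str]) -> List[Tuple[str, Optional[int], str, Optional[int]]]:
    """Inbound blocks whose (src, dst) mirrors an earlier logged outbound pass:
    the reply had no state to ride on, the symptom of a pass/NAT rule that
    did not keep state."""
    outbound = set()
    hits = []
    for rec in map(parse_pflog_line, lines):
        if not rec:
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["action"] == "pass" and rec["direction"] == "out":
            outbound.add(key)
        elif rec["action"] == "block" and rec["direction"] == "in":
            mirrored = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
            if mirrored in outbound:
                hits.append(key)
    return hits


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print(key, n)
    print("never logged:", rules_never_logged(10, SAMPLE_LINES))
    print("blocked replies:", blocked_replies(SAMPLE_LINES))
```

On a real box the input would be the stdout of tcpdump run against pflog0 (or a file written with -w and read back with -r); the rule numbers in the output line up with the @N numbers pfctl -vvsr prints, so each count can be read back against the rule text. Here the blocked-reply check points at the DNS answer from 192.0.2.53 that rule 0 dropped because the outbound query was passed without state.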
A thread began on the misc@ mailing list today which may contain additional assistance. While the OP did not use an implicit pass as you did, the response from Peter Hansteen is noteworthy: you can log matches. He points to a slide from his PF tutorial with an example.
|