OpenBSD Security Functionally paranoid!
Re: your OpenVPN setup
How did you configure OpenVPN on your OpenBSD box? Most people have a lot of problems getting it connected to a VPN service.

Re: filter rules
From http://www.swissvpn.net/index.php?co...ng=en#selected Quote:
I played a little bit with a pf.conf ruleset and enabled logging, so the working can be verified by running tcpdump on the pflog0 device. Code:
set block-policy return
set skip on lo
set loginterface egress

# --- OUTGOING services: TCP
pass out log quick on egress inet proto tcp from egress to any port https
pass out log quick on tun0 inet proto {tcp, udp, icmp}
pass out quick on egress inet proto udp to 192.168.222.10 port 53

# --- INCOMING services: TCP
pass in quick on egress inet proto tcp from egress:network to port ssh

# -- DEFAULT policy
block quick inet proto udp from any port 1900 to any port 1900
block quick inet proto udp from any to any port { 138 137 139 }
block return log all

# -------------------------------------------------------------------------
# use 'tcpdump -eni pflog0' to watch blocked packets in real time
# use 'tcpdump -en -r /var/log/pflog' to read the blocked packets log file
# -------------------------------------------------------------------------
So you could give it a try.
PS: I needed
pass out quick on egress inet proto udp to 192.168.222.10 port 53
else I could not set up the VPN connection. And that is the reason that after stopping OpenVPN I still could do DNS lookups. But I could neither ping nor visit a website after stopping,
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
|
|||
The output of
# pfctl -vvs rules: Code:
@0 pass out log quick on egress inet proto tcp from 192.168.222.243 to any port = 443 flags S/SA
  [ Evaluations: 45        Packets: 228       Bytes: 41607       States: 1     ]
  [ Inserted: uid 0 pid 5362 State Creations: 1     ]
@1 pass out log quick on tun0 inet proto tcp all flags S/SA
  [ Evaluations: 28        Packets: 68        Bytes: 32060       States: 0     ]
  [ Inserted: uid 0 pid 5362 State Creations: 4     ]
@2 pass out log quick on tun0 inet proto udp all
  [ Evaluations: 20        Packets: 34        Bytes: 4267        States: 0     ]
  [ Inserted: uid 0 pid 5362 State Creations: 17    ]
@3 pass out log quick on tun0 inet proto icmp all
  [ Evaluations: 2         Packets: 8         Bytes: 672         States: 0     ]
  [ Inserted: uid 0 pid 5362 State Creations: 2     ]
@4 pass out quick on egress inet proto udp from any to 192.168.222.10 port = 53
  [ Evaluations: 1         Packets: 2         Bytes: 196         States: 0     ]
  [ Inserted: uid 0 pid 5362 State Creations: 1     ]
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
|
|||
Quote:
Do I have to add your rule
pass out quick on egress inet proto udp to 192.168.222.10 port 53
to my pf rules (see below)? Code:
wan="em0"
vpn="tun0"
set block-policy drop
block log all
set skip on lo
pass out quick on egress inet proto udp to 192.168.xxx.xxx port 53
pass out on $wan proto udp from any to a.b.c.d port 443 keep state
pass out on $vpn proto tcp from any to any port {80 443} keep state
pass out on $vpn proto {tcp udp} from any to any port 53 keep state
|
|||
Sorry, specifically what rules are you referring to?
|
|
|||
192.168.222.10 is my caching nameserver on my LAN. It is only used for resolving the name of the VPN service provider to the IP address at the start of the OpenVPN connection. When the VPN connection is running all DNS traffic will go through the VPN tunnel.
I use a script to start up OpenVPN that also installs a new /etc/resolv.conf containing the nameservers of the VPN service. Two reasons:

Re: (egress) and (tun0)
Whenever an IP address is not static but dynamic and thus can change, and you want your rule set to adapt to the new IP address, you will have to embed the address or interface identifier in a "(" and ")" pair.

RE: pass out on $vpn proto tcp from any to any port {80 443} keep state
Why do you have port 80 there? You only need port 443.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
|
|||
Like you, my machine is on a LAN. Though the LAN is not under my control.
192.168.xxx.xxx is dynamic in my case. Sometimes it can be 192.168.1.xxx, other times 192.168.200.xxx and yet other times 192.168.170.xxx. How shall I modify the pf rule in this case?
Thanks for correcting me. Is there any harm by including port 80?
|
|||
Re: pass out quick on egress inet proto udp to 192.168.222.10 port 53
Actually the aim of this DNS rule was to make the rules as tight as possible. Probably you could leave out specifying the IP address. Programs that need to do DNS requests consult the file /etc/resolv.conf to find out which nameserver to use. In my case: Code:
# Generated by vio0 dhclient
search utp.xnet
nameserver 192.168.222.10
lookup file bind
Code:
[snip]
;; QUESTION SECTION:
;daemonforums.org.              IN      A

;; ANSWER SECTION:
daemonforums.org.       3600    IN      A       95.170.82.241
[snip]
;; Query time: 61 msec
;; SERVER: 80.254.79.157#53(80.254.79.157)
;; WHEN: Tue Nov 25 22:06:30 2014
;; MSG SIZE  rcvd: 163
Code:
# Tue Nov 25 22:06:07 CET 2014 : resolv.conf generated for OpenVPN connection
lookup file bind
nameserver 80.254.79.157
nameserver 80.254.77.39
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
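An added example, not the startup script the poster refers to: a POSIX sh fragment that does the resolv.conf swap described in this post and in the earlier one about the startup script. It sets the dhclient-generated file aside, writes one in the same shape as the generated file shown above (the nameserver addresses are the ones from this post), and puts the original back once OpenVPN has stopped; the file path is a parameter so it can be tried on a scratch file before touching /etc/resolv.conf.

```shell
#!/bin/sh
# Added example (not the poster's script): swap resolv.conf to the VPN
# provider's nameservers while OpenVPN runs, restore the dhclient one after.

# vpn_resolv_conf NS... : print a resolv.conf body in the same shape as the
# generated file shown in the thread (timestamp header, lookup order, servers).
vpn_resolv_conf() {
    printf '# %s : resolv.conf generated for OpenVPN connection\n' "$(date)"
    printf 'lookup file bind\n'
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns"
    done
}

# install_resolv_conf FILE NS... : keep the current FILE as FILE.dhclient
# (only if no backup exists yet, so a second run cannot overwrite the real
# dhclient copy with an already-swapped one), then write the VPN version.
install_resolv_conf() {
    [ $# -ge 2 ] || return 1
    file=$1; shift
    [ -f "$file.dhclient" ] || cp "$file" "$file.dhclient" || return 1
    vpn_resolv_conf "$@" > "$file.tmp" && mv "$file.tmp" "$file"
}

# restore_resolv_conf FILE : put the dhclient-generated file back; fails
# when there is nothing to restore.
restore_resolv_conf() {
    file=$1
    [ -f "$file.dhclient" ] || return 1
    mv "$file.dhclient" "$file"
}

# count_nameservers FILE : number of nameserver lines, to check the result.
count_nameservers() {
    grep -c '^nameserver ' "$1"
}

# Typical use as root, around the OpenVPN run (the nameservers are the ones
# from this thread; the OpenVPN config path is a placeholder):
#   install_resolv_conf /etc/resolv.conf 80.254.79.157 80.254.77.39
#   openvpn --config /etc/openvpn/EXAMPLE.conf
#   restore_resolv_conf /etc/resolv.conf
```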