DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 11th December 2013
capt_cosmo capt_cosmo is offline
New User
 
Join Date: Dec 2013
Posts: 9
Default PF: Two internal interfaces and routing

Hi,

I have a problem regarding my pf ruleset.

My network setup looks as following:

Code:
                            Internet
                                ^
                                |
                          if_wan [pppoe0]
                                |
                                v
(client1..n) <-- if_wlan --> bsd-router <-- if_lan --> (clientn+1..m)
As you can see, I've got two internal interfaces: wlan and lan.

I'd like to achieve the following state:
1a. if_lan can connect to the wlan-clients through if_wlan
1b. if_lan can connect to the sshd on the bsd-router
1c. if_lan can connect to the internet through if_wan
2a. if_wlan can connect to the dhcpd on the bsd-router
2b. if_wlan can connect to the internet

Short:
if_lan -> if_wan, if_wlan, bsd-router:ssh
if_wlan -> if_wan, bsd-router:dhcp

Coming from the iptables world, my current approach seems a little odd to me – although
it seems to work out just fine. Anyways, the relevant lines are:

Code:
# lan:network -> lan:ssh
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh

# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network

# lan -> router:dhcp
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68

# wlan -> pppoe
block in log quick on $if_wlan to $if_lan:network
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network
pass out quick on $if_wlan from $if_lan:network
I assumed to state rules just like:
Code:
pass in quick on $if_lan from $if_lan:network to ($if_wan)  # allow if_lan -> internet
pass in quick on $if_lan from $if_lan:network to $if_wlan:network # allow if_lan ->
if_wlan
pass in quick on $if_lan from $if_lan:network to $if_lan port ssh
Those lines I expected to work prevent me from connecting to the internet... Note: I also tried using "(egress)" instead of "($if_wan)".

(I wanted to post a link to the entire ruleset but unfortunately I can't because I need to have at least five posts. Instead I'll just post it here, sorry)
The whole ruleset:
Code:
# interfaces
if_lan="vr0"
if_wan="pppoe0"
if_wlan="vr2"
 
if_wan_bandwith="1400Kb"
 
# tables
table <private_nets> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
 
# qos definitions
que_low_ports = "{ http, https, 8080, smtp, smtps, 6881:6889 }"
#                           |-- SIP --|  |ICQ|  | Jabber |       |-- Playstation Net --|
que_int_ports_tcp = "{ ssh, 5060, 5061,  5190,  5222, 5223, irc, 3478, 3479, 3480, 5223 }"
#                      |-- SIP --|  |-- PSN --|
que_int_ports_udp = "{ 5060, 5061,  3478, 3479 }"
 
# options
##############
# allow lo communication
set skip on lo
set block-policy drop
 
# hygiene
##############
# scrubbing
match     in all                 scrub (no-df random-id)
match out on $if_wan all scrub (random-id)
match     on $if_wan     scrub (max-mss 1440)
 
# qos
###############
altq on $if_wan priq bandwidth $if_wan_bandwith queue { que_low, que_def, que_int, que_dns, que_ack }
 
queue que_low priq(default) qlimit 80
queue que_def priority 2
queue que_int priority 4 priq(red)
queue que_dns priority 5 qlimit 25
queue que_ack priority 6
 
# nat
###############
match out on $if_wan inet from { $if_lan:network, $if_wlan:network } to any nat-to ($if_wan) static-port
 
# filtering
###############
# block all packets
block all
 
# enable spoofing protection
antispoof quick for { lo $if_wan $if_lan $if_wlan }
 
# reject ipv6
block quick on $if_wan inet6 all
 
# block private addresses on external interfaces
block drop in  quick on $if_wan from <private_nets>
block drop out quick on $if_wan to   <private_nets>
 
# allow output for wan, fill queues
pass out quick on $if_wan proto tcp to port $que_low_ports queue (que_low, que_ack)
pass out quick on $if_wan proto tcp to port $que_int_ports_tcp queue (que_int, que_ack)
pass out quick on $if_wan proto udp to port $que_int_ports_udp queue (que_int, que_ack)
pass out quick on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
pass out quick on $if_wan queue (que_def, que_ack)
 
# enable input
# lan:network -> lan:ssh
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh
 
# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network
 
# lan -> router:dhcp
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68
 
# wlan -> pppoe
block in log quick on $if_wlan to $if_lan:network  
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network
pass out quick on $if_wlan from $if_lan:network
Thanks for any suggestions.

Sören
Reply With Quote
  #2   (View Single Post)  
Old 11th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Hello, and welcome!

There are only a few of us here who regularly try to answer posts containing PF related questions. I wanted you to know that you aren't being ignored -- from my first brief reading it seems to me that your post will require some time to review and then to answer. I will have some free time starting in about seven hours and will then make the attempt to review this in detail, which might include problem recreation, and to try to provide a considered answer. That might take several hours.
Reply With Quote
  #3   (View Single Post)  
Old 11th December 2013
capt_cosmo capt_cosmo is offline
New User
 
Join Date: Dec 2013
Posts: 9
Default

Hey jggimi, thanks for your reply.

I can understand other members not observing threads about pf as they seem to make up roughly 80% of the posts in this subforum.

Just for clarification: The script as posted *appears* to work "just fine". I just have a strange feeling about the rules (especially in the excerpt), as they appear (to me) to follow the "enumerate badness" principle (instead of enumerate goodness). Thus I tried to tighten the rules but the results prevented me from connecting to the internet.

Thank you for spending your time on this issue!
Reply With Quote
  #4   (View Single Post)  
Old 12th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

I do not clearly understand how the three rules you added for inter-LAN communication affected your egress traffic. They shouldn't. Perhaps I've misunderstood.

This may be review, but please keep in mind that whether or not you use standard or quick rules, position within the ruleset matters. In your case, whenever your quick rules are tested -- to establish a new stateful session, or for stateless traffic -- on the first match, rule inspection stops and the block or pass is applied. So perhaps the position of your three added rules affected function.

It will probably take me until the weekend before I have time to recreate your environment, and test your rules with three networks. Meanwhile, you might consider adding the log option to all of your pass and block rules, so that you can inspect the behavior of your ruleset with your traffic, using tcpdump(8) and the pflog(4) interface. For example:

# tcpdump -neti pflog0 action block

will show you which block rule is blocking current traffic, by rule number. Numbers to rules can be mapped with

# pfctl -vvsr

Perhaps someone else will provide additional input for you, prior to the weekend.

Last edited by jggimi; 12th December 2013 at 03:20 AM. Reason: clarity
Reply With Quote
  #5   (View Single Post)  
Old 12th December 2013
capt_cosmo capt_cosmo is offline
New User
 
Join Date: Dec 2013
Posts: 9
Default

Thank you, I'll try that out when I get home from work and then provide the output.

Cheers
Reply With Quote
  #6   (View Single Post)  
Old 14th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

I have set up a lab with 4 machines across three networks, and am testing with your PF configuration.
  • Machines on both your LANs can make TCP connections outbound to arbitrary ports anywhere on the Internet.
  • Arbitrary LAN to WLAN connections can be established
  • I could not establish arbitrary WLAN to LAN connections, see below.
  • I could not recreate your "add pass rules and can't get to the Internet" error -- your three added rules, when added to the end of the configuration file, did not prevent arbitrary Internet connection from either LAN. By the way, your last rule of the three does not have correct syntax -- as it references a port number, it must also use proto tcp.
You cannot connect from your WiFi LAN to your wired LAN due to this rule:
Code:
# wlan -> pppoe
block in log quick on $if_wlan to $if_lan:network
You need to pass this traffic rather than block it.



I am not clear why you are using explicit block quick rules throughout your ruleset, since you begin with a block all any traffic that does not match an explicit pass rule will be blocked. It makes your ruleset hard to read and understand.
Reply With Quote
  #7   (View Single Post)  
Old 16th December 2013
capt_cosmo capt_cosmo is offline
New User
 
Join Date: Dec 2013
Posts: 9
Default

Thanks for (trying) to reproduce my setup and sorry for the late answer – I had to replace my notebook that broke last week.

I was aware that those three lines that I posted separately are bogus. Your note about not being able to connect from Wifi to Lan is in my case not a bug rather intended behaviour. However, I am wondering why it was possible for you to connect to the internet from the lan and wlan interfaces while for me it was denied. Before I replied to your post, I spent a little time on simplifying the rules:

Code:
....
pass out quick on $if_wan queue (que_def, que_ack)

# lan:network  -> lan:ssh
pass in log quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh

# wlan:network -> wlan:dhcp
pass in quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68

#**********************************************************

# block any -> lan
block in quick to $if_lan:network

# block wlan -> wlan
block in quick from $if_wlan:network to $if_wlan:network

# pass lan -> any
pass in quick on $if_lan from $if_lan:network

# pass dmz -> any
pass in quick on $if_wlan from $if_wlan:network
EOF
These rules seem to work (and I could live with them), but to clarify my initial motivation on this topic: Is there a way to rewrite the excerpted rules without the two 'block' statements and rather using a working line á la
Code:
pass in quick on $if_lan from $if_lan:network to ($if_wan)
As I stated in the beginning, I didn't manage to write such a rule that allows me to use internet from if_lan / if_wlan.

Thank you for patience and guidance.
Reply With Quote
  #8   (View Single Post)  
Old 17th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote:
Originally Posted by capt_cosmo View Post
However, I am wondering why it was possible for you to connect to the internet from the lan and wlan interfaces while for me it was denied.
I only used the rules you shared above. Since you asked, I've gone back to the lab and using tcpdump(8) and pflog(8) I can see exactly what rules matched.

LAN traffic -- inbound, the highlighted rule below:
Code:
# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network
Outbound, this highlighted rule:
Code:
# allow output for wan, fill queues
pass out quick on $if_wan proto tcp to port $que_low_ports queue (que_low, que_ack)
pass out quick on $if_wan proto tcp to port $que_int_ports_tcp queue (que_int, que_ack)
pass out quick on $if_wan proto udp to port $que_int_ports_udp queue (que_int, que_ack)
pass out quick on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
pass out quick on $if_wan queue (que_def, que_ack)
For your WLAN, it was these highlighted rules:
Code:
# wlan -> pppoe
block in log quick on $if_wlan to $if_lan:network  
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network
pass out quick on $if_wlan from $if_lan:network
and...
Code:
# allow output for wan, fill queues
pass out quick on $if_wan proto tcp to port $que_low_ports queue (que_low, que_ack)
pass out quick on $if_wan proto tcp to port $que_int_ports_tcp queue (que_int, que_ack)
pass out quick on $if_wan proto udp to port $que_int_ports_udp queue (que_int, que_ack)
pass out quick on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
pass out quick on $if_wan queue (que_def, que_ack)
Quote:
Is there a way to rewrite the excerpted rules without the two 'block' statements
You are in the minority of PF users, as you use quick for every rule. The majority of us use quick as an exception. The default is a "last matching rule wins" process, and that allows us to write our general rules at the top of the rule list, then get more specific as we descend it.

Your "cleanup" is a file fragment and I have not yet reviewed what you have done. As I've stated, you should not require "block quick" rules in among your various "pass quick rules, as you started with a standard block all rule.

Please note that you have several rules that PF did not apply to your ruleset. They could never match so PF ignored them: I've highlighted them below, the rules above them negate their ever being matched:
Code:
# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network
 
# lan -> router:dhcp
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68
Reply With Quote
  #9   (View Single Post)  
Old 17th December 2013
capt_cosmo capt_cosmo is offline
New User
 
Join Date: Dec 2013
Posts: 9
Default

Again, thanks for your reply!

The point with the 'quick' rules is simply that this behaviour is more common for me due to iptables.

I wonder why you've been able to connect to the internet from any lan/wlan interface in my setup. Of course I used your commands for getting the output.

Whenever I try to connect to the outside, the following rule prevents me from doing so:

Code:
pflog0 rule 5/(match) block in on vr0: 192.168.0.2 > 8.8.8.8: icmp: echo request (DF)
Code:
@5 block drop log all
  [ Evaluations: 159       Packets: 77        Bytes: 6468        States: 0     ]
  [ Inserted: uid 0 pid 14650 State Creations: 0     ]
When I insert the following rule (that I posted last times) it's working:
Code:
# pass lan -> any
pass in log quick on $if_lan from $if_lan:network
I wonder how you managed to connect to the internet with the rules I posted..

Thank you and greetings
Reply With Quote
Old 17th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

That's easy. Your connectivity tests and mine were different.

You were getting blocked ICMP Echo Requests, which is of course the case because you did not have a pass rule that included ICMP. (ICMP Echo requests are how ping(8) communicates. ICMP is also helpful for informing users immediately when connections cannot be established, and it usually makes for a better browsing experience for people if they receive an immediate error rather than waiting 30 seconds for a TCP timeout. It's a key Internet protocol.)

I was not testing with ping. I was testing with the TCP protocol, as I wanted to test state establishment and stateful functions.

As this was just a lab experiment, I was using nc(1) as my testing tool. On the "Internet server" I used the options -l and -k, for example:

$ nc -kl 1234

To connect to this "server" (at lab IP address 99.99.99.100) from platforms on the WLAN and LAN networks, I used:

$ nc 99.99.99.100 1234
Reply With Quote
Old 17th December 2013
capt_cosmo capt_cosmo is offline
New User
 
Join Date: Dec 2013
Posts: 9
Default

It feels like I'm slowly slipping into insanity, although I see some progress by now.
I think the problem rather lies within stateful rules / nat than in icmp...

I tried to open a tcp connection to a google webserver by using
Code:
$ nc -v -w 1 74.125.132.106 80
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connection timed out.
The result on the BSD box
Code:
rule 5/(match) block in on vr0: 192.168.0.3.50118 > 74.125.132.106.80: S 1884520729:1884520729(0) win 29200 <mss 1460,sackOK,timestamp 6781807 0,nop,wscale 7> (DF)
rule 5/(match) block in on vr0: 192.168.0.3.50118 > 74.125.132.106.80: S 1884520729:1884520729(0) win 29200 <mss 1460,sackOK,timestamp 6782808 0,nop,wscale 7> (DF)
Again, when I uncomment the line
Code:
pass in log quick on $if_lan from $if_lan:network
it worked just fine...

Does my ruleset maybe miss anything regarding NAT / stateful rules (which is my humble assumption)
Reply With Quote
Old 18th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

You posted your changes in excerpt form, rather than as a complete ruleset, so it is difficult for me to see what has changed. If you post a complete ruleset, at least we will be comparing results of the same exact rules. I have only tested the rules you posted at the top of this thread.

Some additional thoughts.
  • You have separated your inward and outward traffic flows into separate rules. You may have noted that I reported that each state I established required two pass rules instead of one -- A pass in rule and a separate pass out rule. This makes it dificult to understand and then debug your ruleset. For clarity and simplicity, you should try to specify the end-to-end state you wish to establish in a single rule. (Granted, this isn't always possible. Rules with port number definitions must specify proto tcp and/or udp, so they must be defined separately from rules for other protocols.)
  • If your initially stated goals (1a through 2b) in the top post have not changed, I could draft a minimal example ruleset to meet them. I wouldn't use your current ruleset, and am unlikely to use any quick rules. Let me know if this is of any interest.
Reply With Quote
Old 18th December 2013
capt_cosmo capt_cosmo is offline
New User
 
Join Date: Dec 2013
Posts: 9
Default

You are absolutely right about the difficulty to comprehend the compelte ruleset when I just post the new rules as excerpts. I will post the the complete ruleset when I'm home from work.
  • I know my initial ruleset had some flaws, especially regarding in- and outward traffic. Because of that I added the rule
    Code:
    pass out quick
    just after
    Code:
    pass out quick on $if_wan queue (que_def, que_ack)
    (Sorry for posting an excerpt again but I currently have no access to my entire ruleset, as I said, I'll post it later)
  • I'd be delighted if you'd do so. In my opinion it would be sufficient if you'd post a minimal ruleset that begins after the block where the pppoe traffic passes (just before "# enable input")

Thank you,

Sören
Reply With Quote
Old 18th December 2013
capt_cosmo capt_cosmo is offline
New User
 
Join Date: Dec 2013
Posts: 9
Default

jggimi, this is the head revision of my script:

Code:
# interfaces
if_lan="vr0"
if_wlan="vr2"

if_wan="pppoe0"
if_wan_bandwith="1400Kb"

# tables
table <private_nets> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# qos definitions
que_low_ports = "{ http, https, 8080, smtp, smtps, 6881:6889 }"
que_int_ports_tcp = "{ ssh, 5060, 5061,  5190,  5222, 5223, irc, 3478, 3479, 3480, 5223 }"
que_int_ports_udp = "{ 5060, 5061,  3478, 3479 }"

# allow lo communication
set skip on lo
set block-policy drop

# scrubbing
match in all scrub (no-df random-id)
match out on $if_wan all scrub (random-id)
match on $if_wan scrub (max-mss 1440)

# qos
altq on $if_wan priq bandwidth $if_wan_bandwith queue { que_low, que_def, que_int, que_dns, que_ack }

queue que_low priq(default) qlimit 80
queue que_def priority 2 
queue que_int priority 4 priq(red)
queue que_dns priority 5 qlimit 25
queue que_ack priority 6 

# nat (use "static-port" for crappy Playstation Network)
match out on $if_wan inet from { $if_lan:network, $if_wlan:network } to any nat-to ($if_wan) static-port

# filtering
# block all packets
block log all

# enable spoofing protection
antispoof quick for { lo $if_wan $if_lan $if_wlan }

# reject ipv6
block quick on $if_wan inet6 all

# block private addresses on external interfaces
block drop in  quick on $if_wan from <private_nets>
block drop out quick on $if_wan to   <private_nets>

# qos: fill queues 
pass out quick on $if_wan proto tcp to port $que_low_ports queue (que_low, que_ack)
pass out quick on $if_wan proto tcp to port $que_int_ports_tcp queue (que_int, que_ack)
pass out quick on $if_wan proto udp to port $que_int_ports_udp queue (que_int, que_ack)
pass out quick on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
pass out quick on $if_wan queue (que_def, que_ack)

# allow output
# I guess this is point where I'm starting to mess up
pass out quick 

# allow services
# allow ssh from if_lan
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh

# allow dhcp from if_wlan
pass in quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67 
pass in quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68

# block any -> lan
# explicitely blocking something seems absurd to me...
block in quick to $if_lan:network

# block wlan -> wlan
block in quick from $if_wlan:network to $if_wlan:network

# pass lan -> any
# if I disable comment this rule, there's no connection to the internet from if_lan
pass in quick on $if_lan from $if_lan:network

# pass wlan -> any 
# if I disable comment this rule, there's no connection to the internet from if_wlan
pass in quick on $if_wlan from $if_wlan:network
Thank you for your suggestions and your efforts!
Reply With Quote
Old 18th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

The configuration files below is, as I described, very minimal. Your general goals were used to create the rules. For clarity, I have added two macros, and for an improved experience I set a block policy to return TCP RST (for TCP traffic) or ICMP UNREACHABLE (for everything else).

1. I avoided quick. It wasn't needed.
2. I used tags for clarity when reading the rules, but also, for ease of defining outbound policy.
3. I left your queues alone, except I converted them to match rules so that queing could be separated from pass policy.
Code:
# interfaces
if_lan="vr0"
if_wlan="vr2"
if_wan="pppoe0"

# other macros for convenience
# these two added by jggimi:
lan="em0:network"
wlan="em1:network"

if_wan_bandwith="1400Kb"
que_low_ports = "{ http, https, 8080, smtp, smtps, 6881:6889 }"
que_int_ports_tcp = "{ ssh, 5060, 5061,  5190,  5222, 5223, irc, 3478, 3479, 3480, 5223 }"
que_int_ports_udp = "{ 5060, 5061,  3478, 3479 }"

# loopback ignored
set skip on lo

# scrubbing
match in all scrub (no-df random-id)
match out on $if_wan all scrub (random-id)
match on $if_wan scrub (max-mss 1440)

# qos
altq on $if_wan priq bandwidth $if_wan_bandwith queue { que_low, que_def, que_int, que_dns, que_ack }

queue que_low priq(default) qlimit 80
queue que_def priority 2
queue que_int priority 4 priq(red)
queue que_dns priority 5 qlimit 25
queue que_ack priority 6

# nat (use "static-port" for crappy Playstation Network)
# simplified by jggimi:
match out on $if_wan from !($if_wan) nat-to ($if_wan) static-port

# filtering

# this is where jggimi substituted a new set of rules to meet these goals:
#
# 1. pass traffic from $lan devices to $wlan, egress, and ssh daemon here.
# 2. pass traffic from $wlan devices to egress and dhcp daemon here.
#
# jggimi's rules use the following guidelines:
#
# Blocked traffic will be polite and return ICMP UNREACHABLE or TCP RST.
# Queues will be assigned by match rules. Queue assignments were unchanged.
# Policy based rules set by tag, primarily for readability and clarity.

# default block policy
set block-policy return
block log 

# queue assignments
match out on $if_wan proto tcp to port $que_low_ports queue (que_low, que_ack)
match out on $if_wan proto tcp to port $que_int_ports_tcp queue (que_int, que_ack)
match out on $if_wan proto udp to port $que_int_ports_udp queue (que_int, que_ack)
match out on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
match out on $if_wan queue (que_def, que_ack)

########
# 1. pass traffic from $lan devices to $wlan, egress, and ssh daemon here.
########
pass log from $lan tag external
pass log from $lan to $wlan tag internal
pass log proto tcp from $lan to self port 22 tag local

########
# 2. pass traffic from $wlan devices to egress and dhcp daemon here.
########
pass log from $wlan tag external
pass log proto {tcp udp} from $wlan to self port bootps tag local
pass log proto {tcp udp} from self to $wlan port bootpc tag local

# pass the tagged traffic

pass out log on {$if_lan $if_wlan} tagged internal
pass out log on $if_wan tagged external
I tested local traffic (dhcp with WLAN, ssh with LAN) internal traffic (LAN client to WLAN server), and established external connections from LAN and WLAN with the "internet server".

Please read the rules and modify them to meet your actual needs, if you elect to use them. I may have misunderstood your goal of LAN client connecting to WLAN services -- it might be you intended the opposite.

Last edited by jggimi; 18th December 2013 at 10:43 PM. Reason: clarity, typo
Reply With Quote
Old 18th December 2013
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default

Many people who have to configure multiple NIC firewalls with pf have difficulties with understanding what according to pf is in and out.

Code:
               /|\          | 
           out  |           |  in
                |           | 
                |          \|/
                |           |
          +-----|-----------|-----+
          |     +-----------+     |
          |     |   PPPoE   |     |
          |     +-----------+     |
          |                       |
          |   +---+      +---+    |
   out    |   |   |      |   |    |  out     
 <------------| W |      |   |----------->
          |   | L |      | L |    |     
          |   | A |      | A |    |  
 ----->-------| N |      | N |------<-----
    in    |   |   |      |   |    |  in  
          |   +---+      +---+    |
          |                       |
          |        OpenBSD        |
          |          pf           |
          |                       |
          +-----------------------+
It is also easier if you use the tag facilities that pf provides. With tags you can simplify your ruleset. Because today is my wedding anniversary the following is in pf pseudocode and only meant to get you started
  • Internal traffic
    • wireless lan ---> LAN
      Code:
      pass in quick on WLAN from WLAN:network to LAN:network tag LAN_OUT
      
      pass out quick on LAN tagged LAN_OUT
    • LAN --> Wireless LAN
      Code:
      pass in quick on LAN from LAN:network to WLAN:network tag WLAN_OUT
      
      pass out quick on WLAN tagged WLAN_OUT
  • Internal traffic ---> INTERNET
    • WLAN --> internet
      Code:
      pass in quick on WLAN from WLAN:network to ! LAN:network, tag OUT_PPPOE
      
      pass out quick on PPPOE tagged OUT_PPPOE
    • LAN --> internet
      Code:
      pass in quick on LAN from LAN:network to ! WLAN:network tag OUT_PPPOE

Of course you will need some additional rules and refinements to allow the DCHP and SSH traffic from/to the OpenBSD pf box itself.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 19th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

J65nko used tags as I did, but he also used quick, which you may prefer.

I'd like to highlight what I see as a value when using standard rules; which is that we are able to use a broad rule first then narrow focus for rules which follow to more specific traffic. An example of this is in the following fragment. These are the first 3 pass rules I provided above:
Code:
########
# 1. pass traffic from $lan devices to $wlan, egress, and ssh daemon here.
########
pass log from $lan tag external
pass log from $lan to $wlan tag internal
pass log proto tcp from $lan to self port 22 tag local
The first rule passes all incoming LAN traffic, and tags it as "external". The second and third rules alter the tag to either "internal" or "local" for specific traffic incoming from the LAN network, so that different outbound rules can be applied.

Last edited by jggimi; 19th December 2013 at 11:53 AM. Reason: clarity
Reply With Quote
Old 19th December 2013
capt_cosmo capt_cosmo is offline
New User
 
Join Date: Dec 2013
Posts: 9
Default

Thank you both for your replies!

jggimi, I applied your rules to my ruleset, but I had to modify them:

I had to change the following statement
Code:
########
# 1. pass traffic from $lan devices to $wlan, egress, and ssh daemon here.
########
pass log from $lan tag external
to
Code:
########
# 1. pass traffic from $if_lan:network devices to $if_wlan:network, egress, and ssh daemon here.
########
pass log from $lan to !($lan) tag external
in order to achieve that solely port 22 is accessable on the bsd box.

Further, I had to replace the following statement:
Code:
########
# 2. pass traffic from $wlan devices to egress and dhcp daemon here.
########
pass log from $wlan tag external
to
Code:
########
# 2. pass traffic from $if_wlan:network devices to egress and dhcp daemon here.
########
table <WLAN_PROHIBITED> { $lan, $wlan }
pass log from $wlan to !<WLAN_PROHIBITED> tag external
in order to prevent wlan clients from connecting to arbitrary ports on the bsd box and from establishing connections on $if_lan:network

Now it seems to work just fine, thank you!
Reply With Quote
Old 19th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Excellent! I'm glad you got it working!
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
two lan interfaces and one network peric0 OpenBSD General 1 29th March 2012 02:16 AM
Routing internal requests to external IPs jdude FreeBSD General 1 9th July 2009 07:25 AM
PPTP Server, no internet connectivity (routing between interfaces?) godfrank FreeBSD Ports and Packages 5 15th April 2009 04:44 PM
Redirect Internal Network to Internal Website plexter OpenBSD Security 12 12th February 2009 08:00 PM
PHP database interfaces TerryP Programming 6 11th September 2008 01:03 PM


All times are GMT. The time now is 08:51 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick