OpenBSD Security - Functionally paranoid!
Without having seen the complete ruleset it is difficult to diagnose the problem.
Please remember that with pf the last matching rule wins. So it could be that another rule accidentally allows incoming ssh traffic. So I would recommend to use quick to force immediate execution of the blocking rule(s). So either
Code:
block in quick

or
Code:
block in quick on tun0 proto tcp from any to any port = 22
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
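As an added illustration of the last-matching-rule-wins behaviour the reply above describes (a constructed toy evaluator, not code from the thread and not pf itself), this shows how a later, broader pass rule silently overrides an earlier block unless that block carries quick; the rules and packet are hypothetical but shaped like the ones in this thread:

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    action: str                    # "pass" or "block"
    quick: bool = False            # stop evaluating as soon as this rule matches
    direction: str = "in"
    iface: Optional[str] = None    # None matches any interface
    proto: Optional[str] = None    # None matches any protocol
    port: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (self.direction == pkt["dir"]
                and self.iface in (None, pkt["iface"])
                and self.proto in (None, pkt["proto"])
                and self.port in (None, pkt["port"]))

def evaluate(rules, pkt: dict) -> Tuple[str, Optional[int]]:
    """Walk the ruleset like pf does: each matching rule overrides the previous
    decision (last match wins) unless it is `quick`, which stops evaluation.
    With no match at all the packet passes (pf's default)."""
    decision: Tuple[str, Optional[int]] = ("pass", None)
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            decision = (rule.action, i)
            if rule.quick:
                break
    return decision

# Constructed packet: an SSH connection attempt arriving on the DSL interface.
SSH_FROM_WAN = {"dir": "in", "iface": "tun0", "proto": "tcp", "port": 22}
# Ruleset shaped like the thread's: default block, block ssh on tun0, then a
# broader (hypothetical) pass for TCP on tun0 added later for another service.
WITHOUT_QUICK = [
    Rule("block"),
    Rule("block", iface="tun0", proto="tcp", port=22),
    Rule("pass", iface="tun0", proto="tcp"),
]
# The same ruleset with `quick` on the ssh block, as the reply recommends.
WITH_QUICK = [
    Rule("block"),
    Rule("block", quick=True, iface="tun0", proto="tcp", port=22),
    Rule("pass", iface="tun0", proto="tcp"),
]

if __name__ == "__main__":
    print("without quick:", evaluate(WITHOUT_QUICK, SSH_FROM_WAN))  # ('pass', 2)
    print("with quick:   ", evaluate(WITH_QUICK, SSH_FROM_WAN))     # ('block', 1)
```

The deciding rule index is returned alongside the verdict so you can see which rule actually won, which is the same question pfctl's per-rule counters answer on a real box.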
Hi, the rule set is this:
Code:
#macros
int_if="hme1"
ext_if="tun0"
tcp_services="{ 22,23 }"
icmp_types="echoreq"
#Port Macros
<port definitions - no SSH port here>
#Server Macros
<server IP's>
#Network Macros
<Network Ranges>
#Queueing
# The downstream is 8000kb, Voice services get 600Kb regardless,
# and can get more when nobody else wants theirs.
<inbound queues for tun0>
# The upstream is 900kb, Voice services get 600Kb regardless,
# and can get more when nobody else wants theirs.
<outbound queues for tun0>
#options
set block-policy return
set loginterface tun0
set skip on "{ lo }"
# scrub incoming packets
match in all scrub (no-df)
# Proxy rules
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021
#match rules
match out on tun0 from $int_net to any nat-to ($ext_if)
#filter rules
block in log
block out log
# activate spoofing protection for all interfaces
block in quick from urpf-failed
block in quick on $ext_if proto tcp to port $tcp_services
block out quick on $int_if proto tcp to port $tcp_services
pass out quick log
pass out quick on $ext_if from $int_net to any nat-to ($ext_if)
antispoof quick for { lo, hme1 }
pass in quick on $int_if inet proto tcp from $int_net to port $tcp_services queue ssh_in
pass in quick on $ext_if inet proto tcp to port $dns_ports rdr-to $<dns-server> synproxy state queue dns_in
pass in quick on $ext_if inet proto udp to port $dns_ports rdr-to $<dns-server> synproxy state queue dns_in
....
<more inbound port definitions for other services>
block in on egress inet proto icmp all icmp-type $icmp_types
pass in quick on $int_if

Minus the few posting adjustments I made, that's the ruleset. I have checked the rules over with the pfctl -s(x) command to see which ones are being used and what's happening, but still I'm not quite sure.
Also the QoS services haven't been activated 100% either, as I really needed them for the VoIP system; however, on an 8Mb DSL line it's really not going to make much difference as my bandwidth is always fully in use. After the event and posting here I decided to add the rule:
Code:
block out quick on $int_if proto tcp to port $tcp_services

I'm just worried that this could have been something like a trojan horse or some other form of packet-manipulation style attack? I am even considering using Snort as an IDS/IPS solution, however I'm not sure if 400MHz + 360MB RAM would be able to cope with MySQL/Apache/Snort et al.... things like Jnettop and Nload already slow the internet speeds down to a halt, I found out.
Hmm.... this is interesting!
I think I figured out the issue. Logwatch sent me a message telling me that this user above had tried to get in. It turns out that Logwatch lied to me, as that was last year, but because it was the same month and no year is printed in the logfile (not sure why newsyslog didn't roll the file over for all this time), Logwatch got confused and served that up in its recent log report, nearly giving me a heart attack. Well, looks like my rules are working fine then :-S