DaemonForums  

#1
28th October 2018
bsdsource
Port Guard
 
Join Date: Apr 2014
Posts: 34

Interesting pf.conf observation

LAN = "em1"

In my pf.conf file I had $LAN:NETWORK in one of my rule sets, and when I reloaded the rules using pfctl -f /etc/pf.conf the rules reloaded without an error. However, after I rebooted my router, pf.conf failed to load the rules and indicated there was an error with NETWORK in pf.conf on startup.

The obvious issue here is that $LAN:NETWORK should be $LAN:network. I find it strange that pfctl will reload the rules but after a reboot I get an error. Shouldn't pfctl produce an error when I reload the rules? Is this something that needs to be addressed with the developers? Just curious.

Last edited by bsdsource; 28th October 2018 at 10:07 PM.
#2
29th October 2018
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

Per pf.conf(5):
Code:
:network    Translates to the network(s) attached to the
            interface.
.
.
.
Host name resolution and interface to address translation are
done at ruleset load-time....
.
.
.

...Surrounding the interface name (and optional modifiers) in
parentheses changes this behaviour.  When the interface name is
surrounded by parentheses, the rule is automatically updated
whenever the interface changes its address.  The ruleset does not
need to be reloaded....
#3
29th October 2018
bsdsource
Port Guard
 
Join Date: Apr 2014
Posts: 34

Yes, I know. I just figured it would show a syntax error instead of making it seem like the rules reloaded without an issue. I wasn't aware there was an issue with my pf.conf until I rebooted OpenBSD, when it showed an error at ruleset load-time.
#4
29th October 2018
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

The ruleset load at boot time is performed by rc(8) with pfctl. There are two phases:
  1. An initial, temporary ruleset is loaded through an sh(1) here document, then PF is enabled.
  2. An attempt is made to execute "pfctl -f /etc/pf.conf".
In the event the admin's ruleset fails to load, the temporary ruleset remains in place.

Because there is no difference in function from rc(8)'s load of the ruleset and your manual execution of pfctl, I will guess that there was a failure to load by rc(8), and the temporary ruleset was left in place. Of course, it's only a guess.
#5
29th October 2018
bsdsource
Port Guard
 
Join Date: Apr 2014
Posts: 34

Where is the temporary ruleset located in the event that the admin's ruleset is not loaded?

Edit: I looked at the source code for rc and found the following code. I'm guessing this is what you are referring to.

Code:
# Set initial temporary pf rule set.
if [[ $pf != NO ]]; then
	RULES="
	block all
	pass on lo0
	pass in proto tcp from any to any port ssh keep state
	pass out proto { tcp, udp } from any to any port domain keep state
	pass out inet proto icmp all icmp-type echoreq keep state
	pass out inet proto udp from any port bootpc to any port bootps
	pass in inet proto udp from any port bootps to any port bootpc"

	if ifconfig lo0 inet6 >/dev/null 2>&1; then
		RULES="$RULES
		pass out inet6 proto icmp6 all icmp6-type neighbrsol
		pass in inet6 proto icmp6 all icmp6-type neighbradv
		pass out inet6 proto icmp6 all icmp6-type routersol
		pass in inet6 proto icmp6 all icmp6-type routeradv
		pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server
		pass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
	fi

	RULES="$RULES
	pass in proto carp keep state (no-sync)
	pass out proto carp !received-on any keep state (no-sync)"

	if (($(sysctl -n vfs.mounts.nfs 2>/dev/null) > 0)); then
		# Don't kill NFS.
		RULES="set reassemble yes no-df
		$RULES
		pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any
		pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any"
	fi

	print -- "$RULES" | pfctl -f -
	pfctl -e
fi

Last edited by bsdsource; 29th October 2018 at 05:07 PM.
#6
29th October 2018
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

Yes, that's it.

If my guess was wrong, and you are able to recreate the problem, it may be worth reporting. https://www.openbsd.org/report.html
#7
30th October 2018
bsdsource
Port Guard
 
Join Date: Apr 2014
Posts: 34

Thanks for the feedback, jggimi. Just FYI, I tested it again with the same results. When I manually reload the rules using pfctl -f /etc/pf.conf I get no syntax error. I still find this to be strange.

When I reboot OpenBSD I get the error below on startup.

Code:
no IP address found for em1:NETWORK
/etc/pf.conf:46: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded

I don't necessarily think this is a bug, but I do think pfctl should be able to distinguish between upper case and lower case with this specific scenario.
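As an added check (not from the thread and not OpenBSD code), a small Python lint that does what the thread wished for: it expands pf.conf macros and flags interface modifiers such as :NETWORK that pf.conf(5) does not define before the ruleset is committed, so a ruleset that would fail at boot and leave rc's temporary block-all rules in place is caught first. The sample pf.conf below is constructed, modelled on the $LAN = "em1" setup in the thread.

```python
import re

# Interface modifiers that pf.conf(5) defines; pfctl matches them case-sensitively.
VALID_MODIFIERS = {"network", "broadcast", "peer", "0"}

MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"\s]+)"?\s*$')  # LAN = "em1"
LEFT_RE = re.compile(r'^\$?[A-Za-z_]\w*$')        # $MACRO or an interface name
MOD_RE = re.compile(r'^[A-Za-z0-9]+$')

def lint_pf_conf(text):
    """Scan pf.conf text; return (line_no, token, message) for every
    interface:modifier use whose modifier is not one pf.conf(5) defines."""
    macros, findings = {}, []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]               # drop trailing comments
        m = MACRO_RE.match(line)
        if m:                                     # remember macro definitions
            macros[m.group(1)] = m.group(2)
            continue
        prev = ""
        for tok in re.findall(r'[^\s{},()!]+', line):
            # exactly one colon: IPv6 literals have more, "port 80:90" ranges are skipped
            if tok.count(":") == 1 and prev != "port":
                left, mod = tok.split(":")
                if LEFT_RE.match(left) and MOD_RE.match(mod) and mod not in VALID_MODIFIERS:
                    expanded = macros.get(left[1:], left) if left.startswith("$") else left
                    msg = f"unknown interface modifier ':{mod}' (expands to {expanded}:{mod})"
                    if mod.lower() in VALID_MODIFIERS:
                        msg += f"; did you mean {left}:{mod.lower()}?"
                    findings.append((line_no, tok, msg))
            prev = tok
    return findings

# Constructed sample ruleset (not a real configuration); line 6 carries the thread's mistake.
SAMPLE_PF_CONF = """\
# constructed sample, modelled on the thread's setup
LAN = "em1"
WAN = "em0"
set skip on lo0
block all
pass in on $LAN from $LAN:NETWORK to any      # wrong case, fails at boot
pass in on $LAN from ($LAN:network) to any    # correct, tracks address changes
pass out on $WAN from 2001:db8:1::1 to any port ssh:http
pass in on $WAN proto tcp to $WAN:broadcast port 80:90
"""

if __name__ == "__main__":
    for line_no, tok, msg in lint_pf_conf(SAMPLE_PF_CONF):
        print(f"pf.conf:{line_no}: {tok}: {msg}")
```

Run it alongside pfctl -nf /etc/pf.conf, which parses the ruleset without loading it, before every reboot of a remote router.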