DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
Old 22nd June 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote:
Originally Posted by CyberJet View Post
...I have been hearing of all these hacks in the past week...
Quote:
Originally Posted by jggimi View Post
...You're just "hearing" about these because they are publicized...
Great minds think alike: See Hack Attacks Escalating? Here's a Reality Check, published by PC World today. They quote an analyst, who said, in part:
Quote:
...despite the uptick in reported computer attacks, network break-ins, and data breaches the volume of hack attacks is not rising. What has changed is that hacker groups such as Anonymous and LulzSec have gotten media savvy creating an illusion of an escalating cyberwar that in reality does not exist.
Reply With Quote
Old 25th June 2011
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Default

The following may be "overkill" for many a SOHO pf implementation, but this motherboard comes with FOUR (4) embedded intel (em) NICs. It retails for approx. CAD$235. You may use either of, E3-1200 series XEON, or I3-2100 series CPU. (For price reference, a quad-port intel NIC is typically CAD$400+ by itself.)

The i3-2100 CPU is at a nice price point and provides more than enough punch for SOHO/SMB deployments.

TYAN S5512 (S5512GM4NR) (http://www.tyan.com/support_download_cpu2.aspx?socketid=26)

Why four is good -- one outside (red) interface, one inside (safe), one for WIFI AP, and one DMZ.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Reply With Quote
Old 26th June 2011
Randux Randux is offline
Disgruntled desktop user
 
Join Date: May 2008
Location: Siberia
Posts: 100
Default

You can get some nice Sparc boxes now on ebay for the price of that mobo. I have some Sun V210's and they come with 4 NICs. The only thing is they're like having a jet in your room. Loud, loud, loud!
__________________
BSDForums.org refugee #27
Multibooting with LILO
Reply With Quote
Old 27th June 2011
Dr-D's Avatar
Dr-D Dr-D is offline
Port Guard
 
Join Date: Jun 2011
Posts: 43
Default

I'm having problems getting internal connections to servers by using URL's rather than IP addresses.

I've read the instructions here http://www.openbsd.org/faq/pf/rdr.html but still can't get it to work. I added the following line to /etc/inetd.conf
Code:
127.0.0.1:5000 stream tcp nowait proxy /usr/bin/nc nc -w 20 192.168.0.55 80
and started the inetd service then added these lines to my pf.conf
Code:
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to 127.0.0.1 port 5000 
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to $websrv
pass out on $int_if proto tcp to $websrv port 80 received-on $int_if nat-to $int_if
and restarted pf and it's not working.

Here is my complete pf.conf file:
Code:
# macros
int_if="xl0"
ext_if="xl1"
int_net="{ 192.168.0.0/24 }"
whs="192.168.0.50"
pc1="192.168.0.20"
pc2="192.168.0.21"
websrv="192.168.0.55"

# options
set block-policy drop
set loginterface $ext_if
set skip on lo

# match rules
match in all scrub (no-df)
match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
# start internal connection
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to 127.0.0.1 port 5000
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to $websrv
pass out on $int_if proto tcp to $websrv port 80 received-on $int_if nat-to $int_if
# end internal connection
pass in on egress inet proto tcp to (egress) port 80 rdr-to $websrv synproxy state
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $pc1 synproxy state
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $pc2 synproxy state
pass in log on $int_if
What is wrong that is preventing this from working?

Am I making my firewall less secure by running inetd to accomplish this?

I'm also not quite understanding what egress and (egress) mean. Does
egress=$int_if
(egress)=$ext_if

Thanks.
Reply With Quote
Old 27th June 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default

RE: egress
http://en.wikipedia.org/wiki/Egress_filtering

"(egress)" tells pf pf that the IP address of the egress NIC has a dynamic IP, so it could change.
Plain "egress" is used when the IP address is fixed,.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 27th June 2011
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

More generally, egress is an English word for "leaving".

The external interface on your firewall is added to the egress group, you can use the interface name directly instead though.. which is what I'd recommend.
Reply With Quote
Old 27th June 2011
Dr-D's Avatar
Dr-D Dr-D is offline
Port Guard
 
Join Date: Jun 2011
Posts: 43
Default

Quote:
Originally Posted by BSDfan666 View Post
More generally, egress is an English word for "leaving".

The external interface on your firewall is added to the egress group, you can use the interface name directly instead though.. which is what I'd recommend.
I really want to understand how all this works so I'm going to write what I think the following line means and hopefully you'll tell where I'm wrong or if I've got it right.

Code:
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
I interpret the above line as:
Pass the incoming inet4 TCP HTTPS traffic on the external interface and send it out on the internal interface to my Windows Home Server completing the port forwarding.

So in my head that means:
egress = external interface which is $ext_if in my pf.conf
(egress) = internal interface which is $int_if in my pf.conf

If that is the case then would rewriting the above line as follows be correct?
Code:
pass in on $ext_if inet proto tcp to $int_if port 443 rdr-to $whs synproxy state
What does (egress:0) mean/do which is in match rules section?
Reply With Quote
Old 27th June 2011
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

No, that's not what it means.. and it's documented in pf.conf(5).
  • egress represents your external interface.. it's an automatically assigned group, see ifconfig(8).
  • (egress) translates to the egress interfaces IP address, which is dynamic.
  • (egress:0) is similar, but excludes any aliases on the interface.
Reply With Quote
Old 27th June 2011
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

Essentially what that rules means is match incoming IPv4 packets matching "any" source address (..you could put from any in that rule) to your external IP address (egress) on TCP port 443 (https) and redirect/rewrite/pass the packet to an internal private address on the same port.

Not sure why you're using synproxy, is it because someone mentioned it once? did you read the documentation to see if it was appropriate?

Last edited by BSDfan666; 27th June 2011 at 04:57 PM.
Reply With Quote
Old 27th June 2011
Dr-D's Avatar
Dr-D Dr-D is offline
Port Guard
 
Join Date: Jun 2011
Posts: 43
Default

I'm using synproxy because rocket357 suggested it might be a good idea since my 3Com router was constantly getting knocked offline due to syn-flood DoS attacks. Trying to do anything online these past six months has been an exercise in frustration because of the constant disconnections. Since I permanently switched over to my OpenBSD router six days ago I haven't experienced a single second of down time. Well, that's not entirely true, I had a few lockups on the BSD box on the first day but that was an over heating issue which was quickly solved. My BSD router is functioning beautifully with the firewall rule set I am using. Now I am trying to understand exactly what all the contents of of my pf.conf file mean and do. Unfortunately I'm one of those people who can read something a hundred times and it still might not sink in, but show me how to do something once and I'll remember it forever. The problem is trying to find the time to learn all this new stuff.

The problem I'm trying to solve now is how to connect to my internal web servers via URL rather than using the IP address of the box. I don't need to be able to do this, I just want to do this so that I can understand how it works.

As I mentioned, I've read the instructions here http://www.openbsd.org/faq/pf/rdr.html and made the appropriate changes to my inetd.conf and pf.conf files but it still doesn't work. All my Google searches end up taking me to the same FAQ.

Step by step this is what I did:
1. Add this line to inetd.conf
Code:
127.0.0.1:5000 stream tcp nowait proxy /usr/bin/nc nc -w 20 192.168.0.55 80
2. Start inetd
3. Add these lines to pf.conf
Code:
int_net="{ 192.168.0.0/24 }"
websrv="192.168.0.55"
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to 127.0.0.1 port 5000 
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to $websrv
pass out on $int_if proto tcp to $websrv port 80 received-on $int_if nat-to $int_if
4. Restart pf
5. Test URL connection
6. Connection fails and I curse vehemently at my lack of knowledge of something that is probably so easy even a caveman could do it.

I'm obviously over looking something in those instructions but I don't know what.
Reply With Quote
Old 27th June 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Your quest to refer by name has nothing to do with PF. It has to do with name resolution. See resolv.conf(5), and /etc/hosts. Optionally, you may eventually want a local domain name server.
Reply With Quote
Old 28th June 2011
Dr-D's Avatar
Dr-D Dr-D is offline
Port Guard
 
Join Date: Jun 2011
Posts: 43
Default

Quote:
Originally Posted by jggimi View Post
Your quest to refer by name has nothing to do with PF. It has to do with name resolution. See resolv.conf(5), and /etc/hosts. Optionally, you may eventually want a local domain name server.
Oops. Sometimes I get so focused on the difficult solution to a problem that I completely overlook the simple and often better solution.

Adding the appropriate line to the hosts file of my internal PC's has solved my problem. Thanks for that bump in the right direction.
Reply With Quote
Old 28th June 2011
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

If I understand you correctly, you want hosts on the internal network accessing your local server using the domain name?

As jggimi stated, a method of configuring this could be to have your DNS serve the internal address to clients on the Internet network.. however the following should be adequate to rewrite requests from your LAN to your external IP and replace them with the address of your internal service.

Code:
match in on $int_if inet proto tcp from $int_if:network to (egress:0) \
port https rdr-to $websrv
Reply With Quote
Old 28th June 2011
Dr-D's Avatar
Dr-D Dr-D is offline
Port Guard
 
Join Date: Jun 2011
Posts: 43
Default

Quote:
Originally Posted by BSDfan666 View Post
If I understand you correctly, you want hosts on the internal network accessing your local server using the domain name?

As jggimi stated, a method of configuring this could be to have your DNS serve the internal address to clients on the Internet network.. however the following should be adequate to rewrite requests from your LAN to your external IP and replace them with the address of your internal service.

Code:
match in on $int_if inet proto tcp from $int_if:network to (egress:0) \
port https rdr-to $websrv
That's exactly what I want but the line your provided above isn't working for me. I had to change the port to http since that is what the host is expecting. Here is the entire pf.conf with the new addition you gave.

Code:
# macros
int_if="xl0"
ext_if="xl1"
int_net="{ 192.168.0.0/24 }"
whs="192.168.0.50"
pc1="192.168.0.20"
pc2="192.168.0.21"
websrv="192.168.0.55"

# options
set block-policy drop
set loginterface $ext_if
set skip on lo

# match rules
match in all scrub (no-df)
## START NEW LINE ##
match in on $int_if inet proto tcp from $int_if:network to (egress:0) port http rdr-to $websrv
## END NEW LINE ##
match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp to (egress) port 80 rdr-to $websrv synproxy state
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $pc1 synproxy state
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $pc2 synproxy state
pass in log on $int_if
Does the code line you gave me also depend on inetd to be running with the proxy line added to it?
Reply With Quote
Old 28th June 2011
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

Nope, also in the future don't copy rules as-is.
Reply With Quote
Old 28th June 2011
Dr-D's Avatar
Dr-D Dr-D is offline
Port Guard
 
Join Date: Jun 2011
Posts: 43
Default

I've played around with that line changing in to out, different ports and destinations and it still won't let me connect to internal servers via domain names. My basic understanding of that rule tells me that it should work but it's not. It's little things like this that keep me up all night trying to figure it out rather than calling it quits and trying again tomorrow.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
3com 3c985B fiber card on openBSD joshwade7 OpenBSD General 3 5th February 2010 09:29 PM
OpenBSD amd64 or i386 for firewall/router J65nko OpenBSD General 7 24th December 2009 09:06 PM
DSL Router Zvrk NetBSD General 1 18th June 2009 01:21 PM
Using OpenBSD as a second router paran0iaX OpenBSD Security 32 20th March 2009 04:51 AM
Searching and replacing weird patterns on a file. bigb89 Programming 8 6th December 2008 06:59 PM


All times are GMT. The time now is 08:06 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick