DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 24th June 2008
Dain_L Dain_L is offline
New User
 
Join Date: Jun 2008
Posts: 1
Thanked 0 Times in 0 Posts
Unhappy PF wont open port despite rules...

Hello,

I just dont get it. I have a PF firewall on my DSL connection with 3 internal network interfaces. On one of the internal networks (LNETTR) theres a web server and a smtp server.

However; despite redirections and filtering rules it doesn't work. The ports redirected does not open. If I scan myself all ports are still STEALTH.
Web surf and any outgoing traffic I allow works perfectly.

Any help would be appreciated.
Thnx in advance.

/U


Quote:
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $


# 1. Macros
lo_if = "lo0"

ext_if = "rl0"

UNET_if = "vr0"
UNET_network = "10.20.0.32/27"

LNETTR_if = "rl1"
LNETTR_network = "10.20.0.64/27"

# PUBNET_if = "rl2"
# PUBNET_network "10.20.0.96/27"

internal_networks = "{ 10.20.0.32/27, 10.20.0.64/27 }"
reserved_networks = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

tcpservices = "{ 22, 21, 25, 80, 443, 1863, 5190 }"
udpservices = "{ 53 }"


# 2. Tables
# Tomt.

# 3. Options
set limit { states 50000, frags 50000 }
set block-policy drop
set optimization aggressive
# set loginterface $ext_if
set skip on $lo_if

# 4. Packet normalization
scrub in all

# 5. Queueing

# 6. Translation
nat on $ext_if from $internal_networks -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $UNET_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr pass on $LNETTR_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# rdr pass on $PUBNET_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> <server ip> port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> <server ip> port 25
rdr on $ext_if proto tcp from any to ($ext_if) port 53 -> <server ip> port 53



# 7. Filtering


block in all
block out all

block in quick on $ext_if from $reserved_networks to any
block out quick on $ext_if from any to $reserved_networks
block return in log quick on $UNET_if proto tcp from ! x.x.x.x to $UNET_if port 22

pass in on {$UNET_if, $LNETTR_if} proto tcp from $internal_networks to any port $tcpservices
pass in on {$UNET_if, $LNETTR_if} proto udp from $internal_networks to any port $udpservices

pass in on $ext_if proto tcp from any to ($ext_if) port 80 synproxy state
pass in on $ext_if proto tcp from any to ($ext_if) port 25

pass out on $LNETTR_if all
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state


anchor "ftp-proxy/*"
antispoof for { $ext_if, $UNET_if, $LNETTR_if }

#EOF

Last edited by Dain_L; 24th June 2008 at 12:10 PM.
Reply With Quote
  #2   (View Single Post)  
Old 24th June 2008
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,674
Thanked 214 Times in 189 Posts
Default

Step 0: Make sure all pass and block rules log their actions.

Step 1. Make sure net.inet.ip.forwarding=1.

Step 2. Use "# tcpdump -neti pflog0" to see what rule # is blocking

Step 3. Use "# pfctl -vvsr" to see match the number to the rule"

Lather. Rinse. Repeat.
Reply With Quote
  #3   (View Single Post)  
Old 24th June 2008
halber_mensch's Avatar
halber_mensch halber_mensch is offline
Real Name: halber mensch
Port Guard
 
Join Date: Jun 2008
Location: Sapulpa, OK
Posts: 14
Thanked 1 Time in 1 Post
Default

Are you testing from inside or outside your network? Be sure to read the relevant section of the pf documentation regarding redirection and reflection (http://www.openbsd.org/faq/pf/rdr.html)

Quote:
...
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $server \
port 80

But when the redirection rule is tested from a client on the LAN, it doesn't work. The reason is that redirection rules apply only to packets that pass through the specified interface ($ext_if, the external interface, in the example). Connecting to the external address of the firewall from a host on the LAN, however, does not mean the packets will actually pass through its external interface. The TCP/IP stack on the firewall compares the destination address of incoming packets with its own addresses and aliases and detects connections to itself as soon as they have passed the internal interface. Such packets do not physically pass through the external interface, and the stack does not simulate such a passage in any way. Thus, PF never sees these packets on the external interface, and the redirection rule, specifying the external interface, does not apply.
__________________
perl -e "eval pack(q{H*}, join q{},qw{7072696e74207061636b28717b482a7d2c717b34393 23036333631366532303666366536633739323036313733373 33735366436353230373936663735323036353738373036353 63337343635363432303734363836393733323037343666323 03632363532303631323036633639373437343663363532303 66436663732363532303635366537343635373237343631363 93665363936653637326530617d293b})"
Reply With Quote
  #4   (View Single Post)  
Old 12th September 2008
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Thanked 9 Times in 8 Posts
Default

Code:
#
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> <server ip> port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> <server ip> port 25
#
pass in on $ext_if proto tcp from any to ($ext_if) port 80 synproxy state  # <- this rule, as written, will NEVER be true because the rdr re-write has occurred.
pass in on $ext_if proto tcp from any to ($ext_if) port 25
#
rdr action occurs first and changes the packet's dest to <server_ip> from ($ext_if); therefore, the working rdr-pass pair is as follows

Code:
#
rdr on $ext_if inet proto tcp \
 from any to ($ext_if) port 80 -> <server ip> port 80
#
pass in on $ext_if inet proto tcp \
 from any to <server_ip> port 80 synproxy state
#
And, imo, I prefer using tag/tagged and let pf keep track of the ip-addr-in-motion...

Code:
#
rdr on $ext_if inet proto tcp \
 from any to ($ext_if) port 80 tag OKHTTP -> <server ip> port 80
#
pass in on $ext_if inet proto tcp \
 tagged OKHTTP synproxy state
#
pass out on $LNETTR_if inet proto tcp \
 tagged OKHTTP keep state
#
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Last edited by s2scott; 12th September 2008 at 03:21 AM.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
namp show me a 1720 open port ?? killa74 OpenBSD Security 11 11th February 2009 02:55 PM
Firefox 3 port wont compile : libsoftokn3.so problems padmanabh FreeBSD Ports and Packages 3 8th October 2008 07:13 AM
How to open port 80 on FreeBSD kapom FreeBSD General 14 19th June 2008 04:48 AM
KDE wont start up dctr FreeBSD General 9 11th June 2008 05:59 AM
Why wont this compile? Johnny2Bad FreeBSD General 10 19th May 2008 11:30 PM


All times are GMT. The time now is 07:52 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick