DaemonForums  


FreeBSD Security Securing FreeBSD.

#1
Old 10th November 2008
neurosis
Fdisk Soldier

Join Date: Jul 2008
Posts: 69

Pf NAT getting started ??

I created a very, very simple set of PF rules to try and get my idea for a simplified home network setup. I have somewhat of a question on this posted in another thread, but it became a bit off topic and this is a little more specific. I've created a very simple set of rules in PF for NAT and some redirecting and, before I put this together, would like some opinions/suggestions. This is not meant to be a secure setup as of yet, although I would love some suggestions to help secure it without breaking it with my limited knowledge.

Code:
# Macros: define common values, so they can be referenced and changed easily.
ext_if="re0"                                            # The external interface to internet
int_if="rl0"                                            # The internal interface to Linksys wrt54gl


#external_addr="192.168.42.5"                           # My external address is DHCP so this doesn't do me any good?
webserver="10.1.10.10"                                  # jailed in host
ftpserver="10.1.10.11"                                  # jailed in host
webports="{80, 8080, 443, 22}"
ftpports="{21, 22}"                                     # braces are required: "port 21, 22" is a syntax error in pf.conf
                                                        # NOTE: 22 is also in $webports; rdr is first-match, so port 22 is
                                                        # always redirected to $webserver and never reaches $ftpserver
internal_ports="{55, 88}" # just entered some arbitrary numbers that will be forwarded to linksys, to be changed later.

#Options
set block-policy return
set loginterface $ext_if
set skip on lo

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with any source address other than
# the address of $ext_if itself will get translated as coming from the address
# of $ext_if, a state is created for such packets, and incoming packets will be
# redirected to the internal address.

nat on $ext_if from !($ext_if) to any -> ($ext_if)


# rdr: packets coming in on $ext_if with destination ($ext_if) and one of the
# listed ports will be redirected to the jail address on the same port. A state
# is created for such packets, and outgoing packets will be translated as
# coming from the external address.

rdr on $ext_if proto tcp from any to ($ext_if) port $webports -> $webserver
rdr on $ext_if proto tcp from any to ($ext_if) port $ftpports -> $ftpserver

# Make sure we don't block any traffic to test setup.
# Rules
pass in all
pass out all

My goal is to allow anything coming from my int_if out to the internet and have few ports allowed to connect to it. I also eventually want to start blocking what is allowed from int_if to my firewall, but I don't have that figured out yet. I also eventually want to limit what is allowed in and out of the jails. Does this look like something that would work, or are my rules very bad?

Last edited by neurosis; 10th November 2008 at 09:03 PM.

#2
Old 10th November 2008
J65nko
Administrator

Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

You can define a simple default policy to block all traffic. Then you tag the allowed traffic. Only let this pass in (on the internal interface) and out on the external one.
Code:
# cat test.pf

ext_if = bge0
int_if = re0


TCP_services="{ www whois}"
UDP_services="{ domain ntp }"

nat on $ext_if tagged OUT_OK  -> $ext_if

block log (all)

pass out quick on $ext_if tagged OUT_OK

pass in quick on $int_if inet proto tcp to any  port $TCP_services tag OUT_OK
pass in quick on $int_if inet proto udp to any  port $UDP_services tag OUT_OK
A test load shows how these rules expand
Code:
ext_if = "bge0"
int_if = "re0"
TCP_services = "{ www whois}"
UDP_services = "{ domain ntp }"
@0 nat on bge0 inet all tagged OUT_OK -> 192.168.222.20
@0 block drop log (all) all
@1 pass out quick on bge0 all flags S/SA keep state tagged OUT_OK
@2 pass in quick on re0 inet proto tcp from any to any port = www flags S/SA keep state tag OUT_OK
@3 pass in quick on re0 inet proto tcp from any to any port = whois flags S/SA keep state tag OUT_OK
@4 pass in quick on re0 inet proto udp from any to any port = domain keep state tag OUT_OK
@5 pass in quick on re0 inet proto udp from any to any port = ntp keep state tag OUT_OK
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#3
Old 11th November 2008
neurosis
Fdisk Soldier

Join Date: Jul 2008
Posts: 69

This will soon be my plan. I will start blocking once I get the connection figured out. Right now I have the BSD box connected to the internet through my ISP and it works fine. I configured the internal NIC to use 10.1.10.1 and hooked my Linksys router up to that.

My plan is to allow "all" out from the Linksys but only selected ports in. I know this sounds strange maybe, but I'm in a learning process here.

My problem is: I plug the router in to int_if. I set the router IP static to 10.1.10.2, netmask 255.255.255.0, gateway 10.1.10.1, DNS to what my ISP assigned. I can ping 10.1.10.1 from the router. I can ping 10.1.10.2 from the router <grin>, but I can't ping 10.1.10.2 from the FreeBSD box. I can however ping 10.1.10.1 from the FreeBSD box.

I can't figure out yet why I am having a hard time with this connection. It seems like it should be so simple. Using PF should take care of all of my routing needs, shouldn't it? No need for natd?

#4
Old 11th November 2008
J65nko
Administrator

Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

pf does network address/port translation as well as redirects. So there is no need to use natd at all.

I have a hard time understanding your problem. Can you post a simple network diagram of what you are trying to do?

BTW, adding some whitespace, e.g. hitting return once in a while, will make your posts easier to understand.

#5
Old 12th November 2008
neurosis
Fdisk Soldier

Join Date: Jul 2008
Posts: 69

Quote:
Originally Posted by J65nko View Post
pf does network address/port translation as well as redirects. So there is no need to use natd at all.

I have a hard time understanding your problem. Can you post a simple network diagram of what you are trying to do?

BTW, adding some whitespace, e.g. hitting return once in a while, will make your posts easier to understand.

Haha! Sorry for that. It was late and I was trying to relay what I could without losing my train of thought. I was a bit frustrated too at my problem. I'll try to explain, and sorry if this is a bit long-winded.

The problem with my connection was DNS. I could ping but not resolve anything coming from inside of the private network. The FreeBSD box is hooked directly up to my ISP and works fine.

Today, to fix my problem, I brought a laptop home from work. It allows me to troubleshoot a lot easier than trying to send commands from my router.

Today I hooked my router up to my ISP like normal.

I put the FreeBSD box behind the router and set up ext_if to DHCP.

I set int_if to 10.1.10.1.

I rebooted the FreeBSD machine and loaded the firewall and rules for NAT (lack of rules is more like it <GRIN>).

I set my laptop up using 10.1.10.2 255.255.255.0 Gateway 10.1.10.1.

Instead of using the gateway ip for DNS, I used what my isp sent to my router. That solved my DNS problem.

I can now traverse the internet from my laptop connected to the FreeBSD Gateway. Now I am going to add rules and will be able to test them before I set my FreeBSD firewall up in front of the router.

My goal is to have a setup like this.

Internet <-> FreeBSD Gateway <-> Linksys Router <-> Private Network

My FreeBSD Gateway will be running three jails. Mail, WWW, FTPD
My internal network should be completely protected if I do this right and not allowing any connections in through the router. I want to limit connections in and out of each jail and also in and out of the FreeBSD Gateway itself.

I do have one question however. Is it possible to write a rule that allows all traffic to pass out through the Gateway from 10.1.10.2 but not in?

pass out quick on $ext_if from 10.1.10.2 to any flags S/SA modulate state <-- would that rule work?

That is my next step. I also need to make sure to open SSH to the Gateway before blocking anything so if I screw up I can ssh in and fix it.

Enough for now. Thanks for your help.

Last edited by neurosis; 12th November 2008 at 05:25 AM.

#6
Old 12th November 2008
J65nko
Administrator

Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

Quote:
Originally Posted by neurosis View Post
Internet <-> FreeBSD Gateway <-> Linksys Router <-> Private Network
I wonder why you would still need the Linksys router if your FreeBSD box plays firewall/gateway.


Quote:
Originally Posted by neurosis View Post
I do have one question however. Is it possible to write a rule that allows all traffic to pass out through the Gateway from 10.1.10.2 but not in?
Code:
pass out quick on $ext_if from 10.1.10.2 to any flags S/SA modulate state
<-- would that rule work?
Yes, that would work for TCP traffic. You would need a similar rule for UDP like this:
Code:
pass out quick on $ext_if inet proto udp from 10.1.10.2 to any keep state
The ICMP one is similar, although I would restrict that to echo requests only (used by ping).

#7
Old 12th November 2008
neurosis
Fdisk Soldier

Join Date: Jul 2008
Posts: 69

Quote:
Originally Posted by J65nko View Post
I wonder why you would still need the Linksys router if your FreeBSD box plays firewall/gateway.
Because I don't trust my ability to make a secure firewall yet, of course. It's my "onion" of security, so to speak.

Quote:
Yes that would work for TCP traffic. You would need a similar rule for UDP like this
Code:
pass out quick on $ext_if inet proto udp from 10.1.10.2 to any keep state
The ICMP one is similar, although I would restrict that to echo requests only (used by ping).
One other question about this rule, to simplify it: can it look like this?

Code:
pass out quick on $ext_if inet proto { tcp, udp, icmp } from $int_if:10.1.10.2 \ 
to any modulate state
I want to make sure that what is so liberally allowed out is coming from that IP only on my int_if. Is $int_if:10.1.10.2 even a viable option? I added the rule in my pf.conf to use int_if:network; I'm just wondering how flexible that is.
I've only seen $int_if:network in examples, but I would like to limit it down a bit more.

I also would like to limit the ICMP more as you said above, only to echo requests, but is that necessary for outgoing ICMP from inside of my personal network? Just looking for opinions.

Also, would there be any reason not to add the quick option to this rule, since I don't want any rules affecting this later on, although I'm not sure what they would be.

Here is the example I saw on the pf faq.

Code:
Keep state on outgoing TCP, UDP, and ICMP packets and modulate TCP ISNs:

    pass out on fxp0 proto { tcp, udp, icmp } from any \
        to any modulate state
Thanks a bunch for your help. I really appreciate it.

Last edited by neurosis; 12th November 2008 at 11:26 PM.

#8
Old 14th November 2008
neurosis
Fdisk Soldier

Join Date: Jul 2008
Posts: 69

I just wanted to follow up here. First off the

Code:
pass out quick on $ext_if inet proto { tcp, udp, icmp } from $int_if:10.1.10.2 \ 
to any modulate state
rule did not work out for me. I've tried it several ways.

Code:
pass out quick on $ext_if inet proto { tcp, udp, icmp } from ($int_if) \ 
to any modulate state
to

Code:
pass out quick on $ext_if from  ($int_if) to any modulate state
to

Code:
pass out quick on $ext_if from 10.1.10.2 to any

So far with my limited knowledge, the only way I have been able to pass through the Gateway is with this combination of rules.

Code:
ext_if="fxp0"
int_if="fxp1"
lan_hosts="{10.1.10.2 10.1.10.3}"

nat on $ext_if from { 192.168.0.1/16 } to any -> ($ext_if)

# allow traffic initiated from Router to outside
pass out quick on $ext_if from ($ext_if) to any modulate state

# allow all traffic only for connections initiated from LAN to Internet
pass in quick on $int_if from $lan_hosts to any modulate state
This allows traffic from the LAN to the internet but does not allow unsolicited traffic in to my LAN. This is a good starting point, but to do what I am trying to accomplish I can modify this rule:

Code:
pass in quick on $int_if from $lan_hosts to any modulate state
to regulate what the lan is doing. Then the problem is, I want to regulate what traffic is allowed out of the Gateway

This rule:
Code:
pass out quick on $ext_if from ($ext_if) to any modulate state
It just allows all traffic initiated by itself out. Man I feel dense. This seems like it would be somewhat insecure??

I will change the above rule into several rules to regulate what is allowed out of the gateway. My thinking is that the rules minimally have to match the LAN rules to not break the LAN connection to the internet, but what if I want to restrict the gateway separately? Is this even intelligent thinking or am I just being thick?

Last edited by neurosis; 14th November 2008 at 07:16 PM.

#9
Old 14th November 2008
J65nko
Administrator

Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

I don't understand why you don't use the rules I proposed in one of the first posts and add the one for the firewall initiated traffic
Code:
block log (all)

pass out quick on $ext_if tagged OUT_OK

pass out  on $ext_if from ($ext_if) to any modulate state tag OUT_OK

pass in quick on $int_if inet proto tcp to any  port $TCP_services tag OUT_OK
pass in quick on $int_if inet proto udp to any  port $UDP_services tag OUT_OK
The advantage of having a block log (all) rule is debugging. All packets that are being blocked by pf will show up on the pflog0 device. You can watch these packets by running tcpdump on this device:
Code:
# tcpdump -eni pflog0
Re: examples of OpenBSD pf user guide

If you are not running OpenBSD you have to be careful with using the examples from the pf user guide. That guide is up-to-date for OpenBSD only.

It usually takes some time before the newest pf features available for OpenBSD have been migrated/ported to FreeBSD.
That is why I am a little bit conservative in recommending you the latest and greatest pf features.

Last edited by J65nko; 15th November 2008 at 06:36 PM. Reason: Changed 'tcpdump -eni bge0' into the correct 'tcpdump -eni pflog0'
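A fuller version of the tagged default-deny ruleset in the post above, written to answer the question in post #8 about restricting the gateway's own traffic separately from the LAN's, and the jails' traffic separately from both. This is an added example, not code posted by J65nko or neurosis. It uses the nat/rdr syntax of FreeBSD's pf at the time of the thread (not the later OpenBSD match/nat-to syntax). The interface names, the LAN hosts 10.1.10.2 and 10.1.10.3 and the jail address 10.1.10.10 come from the thread; the service lists, the DHCP and IGMP handling on $ext_if and the JAIL_OUT tag are assumptions.

```pf
# Added example, not from the thread. Macros other than the interface names,
# LAN hosts and jail address are assumptions.
ext_if = "fxp0"                 # external interface, address by DHCP
int_if = "fxp1"                 # internal interface, 10.1.10.1
lan_hosts = "{ 10.1.10.2, 10.1.10.3 }"
webserver = "10.1.10.10"        # www jail; the address lives on the host

lan_tcp  = "{ domain, www, https }"   # what the LAN may open on the Internet
lan_udp  = "{ domain, ntp }"
gw_tcp   = "{ domain, www, https }"   # what the gateway itself may open
gw_udp   = "{ domain, ntp }"
jail_tcp = "{ domain, www, https }"   # what the jail may open (updates etc.)

set block-policy drop
set loginterface $ext_if
set skip on lo

# nat is applied before the "out" filter rules on $ext_if, so an out rule
# there never sees 10.1.10.x as the source; that is why "pass out ... from
# 10.1.10.2" in post #8 matched nothing. Decide "in on $int_if", where the
# private address is still visible, carry the decision as a tag, and only
# translate tagged packets. Untagged LAN packets stay untranslated and are
# dropped by the block rule: the design fails closed.
nat on $ext_if tagged LAN_OUT -> ($ext_if)

# Jail traffic is generated on the host and never crosses $int_if, so the
# nat rule itself tags it (translation rules accept "tag").
nat on $ext_if from $webserver to any tag JAIL_OUT -> ($ext_if)

# Default policy: drop and log everything not allowed below.
block log (all)

# ISP noise that should not flood pflog0: drop IGMP without logging, and let
# the DHCP client on $ext_if talk to its server.
block in quick on $ext_if proto igmp
pass in  quick on $ext_if inet proto udp from any port 67 to any port 68
pass out quick on $ext_if inet proto udp from any port 68 to any port 67

# LAN -> gateway: ssh only. This is also the anti-lockout rule.
pass in quick on $int_if inet proto tcp from $lan_hosts to ($int_if) port ssh \
    flags S/SA keep state

# LAN -> Internet: listed hosts and services only, tagged for nat and for the
# out rule on $ext_if. ICMP is limited to echo requests (ping).
pass in quick on $int_if inet proto tcp from $lan_hosts to any port $lan_tcp \
    flags S/SA modulate state tag LAN_OUT
pass in quick on $int_if inet proto udp from $lan_hosts to any port $lan_udp \
    keep state tag LAN_OUT
pass in quick on $int_if inet proto icmp from $lan_hosts to any \
    icmp-type echoreq keep state tag LAN_OUT

# Out on $ext_if, in order: LAN traffic decided above; the jail's allowed
# services and nothing else from the jail; then the gateway's own traffic.
# Without the "block ... tagged JAIL_OUT" line the translated jail packets
# would also match the "from ($ext_if)" rules meant for the gateway.
pass out quick on $ext_if tagged LAN_OUT
pass out quick on $ext_if inet proto tcp to any port $jail_tcp \
    flags S/SA modulate state tagged JAIL_OUT
pass out quick on $ext_if inet proto udp to any port domain \
    keep state tagged JAIL_OUT
block out log quick on $ext_if tagged JAIL_OUT
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port $gw_tcp \
    flags S/SA modulate state
pass out quick on $ext_if inet proto udp from ($ext_if) to any port $gw_udp \
    keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and with `pfctl -vnf /etc/pf.conf` to see the expanded rules the way the "test load" in an earlier post does. While testing, watch what the block rule catches with `tcpdump -eni pflog0`; with the IGMP rule in place that output is limited to traffic you actually want to know about.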
Old 15th November 2008
neurosis
Fdisk Soldier

Join Date: Jul 2008
Posts: 69

I am just now starting to understand how the tags work. The tags look like a very good idea! I will probably add them very soon to my rules.

When I look at the pflog0 device it is cluttered very badly with DHCP/BOOTP and IGMP queries from my ISP.

When I run

Code:
 tcpdump -eni re0
it has a very big flow of information.

You've helped out so much; can I pick your brain with one more question? I think this will help me get a better understanding overall of how pf works.


I have an ftpd set up inside of a jail. It is set up to use passive and ports 30000 to 50000. I have all of my NAT with rdr set up correctly, and with the firewall set to pass in all and pass out all it works flawlessly. Once I set up the firewall to block all, it breaks the ftpd.

I have my int_if set to 10.1.10.1 and am using 10.1.10.10 for the ftpd jail. I have port 21 and 30000:50000 -> 10.1.10.1

I've been struggling trying to get this to work. I am also having a hard time finding an example searching Google. Most just use an FTP proxy. I know that I could set one up but would rather learn this first.

Last edited by neurosis; 15th November 2008 at 07:39 PM.

Old 15th November 2008
J65nko
Administrator

Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

Oops, I made a mistake in my post showing you how to use tcpdump for watching packets blocked by a block log (all) rule.

The correct command is to specify the pflog0 device
Code:
tcpdump -eni pflog0
Old 16th November 2008
neurosis
Fdisk Soldier

Join Date: Jul 2008
Posts: 69

Well, I figured it out! I figured out how to allow the connection to pass through my firewall to the jail running the ftpd and use the passive ports. It was very simple and I can't believe that I didn't understand it sooner.
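The inbound side of the setup from the first post, with the passive-FTP redirect that the post above reports as working but does not show. This is an added example, not code from the thread: the interface names, the jail addresses 10.1.10.10 and 10.1.10.11 and the passive range 30000-50000 are taken from the thread; the port lists, the LAN hosts and the ssh policy are assumptions. It shows the two things that break when "pass in all" is replaced by a block rule: filter rules see the redirected (jail) address, not ($ext_if), and the passive data connections are ordinary inbound TCP that needs its own pass rule.

```pf
# Added example, not from the thread. Port lists, LAN hosts and the ssh
# policy are assumptions.
ext_if = "re0"
int_if = "rl0"
lan_hosts = "{ 10.1.10.2, 10.1.10.3 }"   # assumption: the hosts behind $int_if
webserver = "10.1.10.10"                 # www jail on the host
ftpserver = "10.1.10.11"                 # ftpd jail on the host
webports  = "{ www, https }"
ftpports  = "{ ftp, 30000:50000 }"       # control port plus the daemon's passive range

set block-policy drop
set loginterface $ext_if
set skip on lo

nat on $ext_if from $int_if:network to any -> ($ext_if)

# rdr is first-match: a port listed in two rdr rules only ever reaches the
# first one (the first post had 22 in both lists, so the ftp jail would never
# have received ssh). ssh is deliberately left out of both lists.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $webports -> $webserver
rdr on $ext_if inet proto tcp from any to ($ext_if) port $ftpports -> $ftpserver

block log (all)

# Filter rules run after rdr, so by now the destination is the jail address;
# "pass in ... to ($ext_if) port www" would match nothing. The passive data
# connections arrive as new inbound TCP connections to 30000-50000, so the
# same pass rule covers them; no ftp-proxy is needed on the server side.
pass in quick on $ext_if inet proto tcp from any to $webserver port $webports \
    flags S/SA synproxy state
pass in quick on $ext_if inet proto tcp from any to $ftpserver port $ftpports \
    flags S/SA keep state

# ssh to the gateway from the LAN only, never redirected to a jail and never
# from the Internet. Have this rule in place before the block rule goes live,
# or the session you are editing from is the first thing that dies.
pass in quick on $int_if inet proto tcp from $lan_hosts to ($int_if) port ssh \
    flags S/SA keep state

# LAN -> Internet, left open here (the tagged ruleset earlier in the thread
# shows how to narrow it). Out on $ext_if the LAN traffic has already been
# translated, so it matches "from ($ext_if)" together with the gateway's own.
pass in  quick on $int_if from $lan_hosts to any keep state
pass out quick on $ext_if from ($ext_if) to any keep state

# Replies from the jails to the redirected connections ride on the states
# created by the pass in rules above; they need no separate out rule.
```

One caveat to test rather than assume: the ftpd inside the jail answers PASV with the address it is bound to, 10.1.10.11, unless it is configured to advertise the public address. Some clients ignore a private address in the PASV reply and reuse the control connection's address, others do not. Connect from outside with a client in passive mode and watch `tcpdump -eni pflog0` for dropped connections to the 30000-50000 range to confirm the data channel is actually being set up.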
Tags
ftpd, jail, nat, pf, routing

Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick