DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 2nd January 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Question Firewall Blocking Good Traffic

Hello,

First a quick text diagram.

{internet} <--> [PIX Firewall] <--> [OpenBSD PF] <--> [rest of internal net]

I believe my problem is with my PF firewall rules however if you feel otherwise I will investigate further on the PIX.

What is happening is that while PF is enabled. (works after disabling it)

I see the following (as an example) in my logs on the PIX:

Code:
6|Jan 01 2009|19:24:05|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12234 to CENSORED-IP/110 flags FIN ACK  on interface inside
6|Jan 01 2009|19:21:58|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12235 to CENSORED-IP/80 flags ACK  on interface inside
6|Jan 01 2009|19:21:48|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12235 to CENSORED-IP/80 flags RST ACK  on interface inside
6|Jan 01 2009|19:21:39|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12234 to CENSORED-IP/110 flags RST ACK  on interface inside
6|Jan 01 2009|19:21:10|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12229 to CENSORED-IP/80 flags ACK  on interface inside
6|Jan 01 2009|19:20:55|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12229 to CENSORED-IP/80 flags RST ACK  on interface inside
The connections are for port 80 which is software trying to get updates for itself. Also port 110 which is a connection to an external mail server.

PF Configuration:

Code:
#Last Modified Dec 29 2008

#Interfaces
ext_if="fxp0"
int_if="fxp1"

#Devices

dlbox = "{ 10.10.200.4 }"
main = "{ 10.10.200.13 }"
ftpsrv = "{ 192.168.233.3 }"
websrv = "{ 192.168.233.4 }"
exc2k3 = "{ 10.10.200.3 }"
voipnet = "{ 192.168.255.0/24 }"
sshport = "{ 2201 }"

#Options
set require-order yes
set block-policy drop
set loginterface $ext_if
set loginterface $int_if
set state-policy floating
set fingerprints "/etc/pf.os"
set ruleset-optimization none

#Timeout Settings
set optimization aggressive
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }

#Connection Normalization 

scrub all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

#Queuing ALTQ
#Upload assumed aprox 80kb or 640Kb queued aprox 94%

altq on $ext_if cbq bandwidth 600Kb queue { tcpack, voip, dns, mainpc, webftp, dlbox, std }

queue std bandwidth 10% priority 1 cbq(borrow red default)
queue dlbox bandwidth 10% priority 2 cbq(borrow red)
queue webftp bandwidth 5% priority 3 cbq(borrow red)
queue mainpc bandwidth 10% priority 4 cbq(borrow red)
queue dns bandwidth 5% priority 5 cbq(borrow red)
queue tcpack bandwidth 20% priority 6 cbq(borrow red)
queue voip bandwidth 40% priority 7 cbq(borrow red) 

block in log on $ext_if

#TCP Traffic Out on $ext_if
pass out on $ext_if inet proto tcp from any to any modulate state queue(std, tcpack)
pass out quick on $ext_if inet proto tcp from $dlbox to any modulate state queue(dlbox, tcpack)
pass out quick on $ext_if inet proto tcp from $ftpsrv to any port ftp synproxy state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $websrv to any port 10001 synproxy state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $exc2k3 to any synproxy state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $main to any modulate state queue(mainpc, tcpack)
pass out quick on $ext_if inet proto tcp from any to any port domain modulate state queue(dns, tcpack)

pass out quick on $ext_if inet proto tcp from $main to any port 63600  modulate state queue(dlbox, tcpack) 

#UDP Traffic Out on $ext_if
#pass out on $ext_if inet proto udp from any to any keep state queue(std, tcpack)
pass out quick on $ext_if inet proto udp from $main to any keep state queue(mainpc, tcpack)
pass out quick on $ext_if inet proto udp from any to any port ntp keep state queue(dns, tcpack)
pass out quick on $ext_if inet proto udp from any to any port domain keep state queue(dns, tcpack)
pass out quick on $ext_if inet proto udp from any to any port 514 queue(std, tcpack)
pass out log quick on $ext_if inet proto udp from any to any port 5060 keep state queue(voip, tcpack)
pass out log quick on $ext_if inet proto udp from any to any port 5000 keep state queue(voip, tcpack)
pass out log quick on $ext_if inet from $voipnet to any keep state queue(voip, tcpack)
pass out quick on $ext_if inet proto udp from any to any port 63600 keep state queue(dlbox, tcpack)

#TCP/UDP Traffic Out on $ext_if

#TCP Traffic In on $ext_if

pass in on $ext_if inet proto tcp from any to any port 63600 modulate state queue(dlbox, tcpack)
pass in quick on $ext_if inet proto tcp from any to any port 10001 modulate state

#UDP Traffic In on $ext_if

pass in on $ext_if inet proto udp from any to any port domain keep state queue(dns, tcpack)
pass in on $ext_if inet proto udp from any to any port 514 queue(std, tcpack)
pass in on $ext_if inet proto udp from any to any port 63600 keep state queue(dlbox, tcpack)
pass in log on $ext_if inet proto udp from any to any port 5060 keep state queue(voip, tcpack)
pass in log on $ext_if inet proto udp from any to any port 5000 keep state queue(voip, tcpack)

Hope someone can help!
Thanks a bunch!
Reply With Quote
  #2   (View Single Post)  
Old 2nd January 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 337
Thanked 32 Times in 30 Posts
Default

Quick suggestions:

Use 'modulate state' on outbound TCP connections, use 'synproxy state' on inbound TCP connections destined for your LAN , and use 'keep state' on inbound TCP (to the firewall itself), in/outbound UDP and in/outbound ICMP.

Do not use things like queue(a, b) on non-TCP traffic. UDP and ICMP have no TCP acks, so this might confuse altq or have undesirable side-effects (like filling up the wrong queues).
Reply With Quote
  #3   (View Single Post)  
Old 3rd January 2009
s0xxx's Avatar
s0xxx s0xxx is offline
Package Pilot
 
Join Date: May 2008
Posts: 194
Thanked 47 Times in 22 Posts
Default

I'm not familiar with Cisco's PIX, but if you suspect pf is blocking some connections then make sure you have log keyword in either block or pass rules and run tcpdump(8) on pflog(4) interface or check its log file in /var/log/pflog. More about that in: http://www.openbsd.org/faq/pf/logging.html
__________________
The best way to learn UNIX is to play with it, and the harder you play, the more you learn.
If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD
Reply With Quote
  #4   (View Single Post)  
Old 4th January 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default

Hello there,

Thanks for your replies.

I have adjusted my pf.conf file with your state suggestions. This seems to have actually helped. Ports are no longer being blocked Thanks!

However I with queues (a, b) ; the first field (a) is it not just a general marker where the second (b) is for TOS which would account for more than TCP ack?

I have adjusted the queues as you suggested anyway. I have not experienced any difference so far so I suppose it is possible (b) was not doing anything at all. Clarification would be nice if possible.

In regards to logging. I already did have log setup on some rules. However since I made the above changes I no longer see any log results for INCOMING traffic. I'm not sure why or how this happened. Perhaps I made a typo of some kind?

Code:
#Last Modified Jan 03 2009

#Interfaces
ext_if="fxp0"
int_if="fxp1"

#Devices
dlbox = "{ 10.10.200.4 }"
main = "{ 10.10.200.13 }"
ftpsrv = "{ 192.168.233.3 }"
websrv = "{ 192.168.233.4 }"
exc2k3 = "{ 10.10.200.3 }"
voipnet = "{ 192.168.255.0/24 }"
voipone = "{ 192.168.255.2 }"
sshport = "{ 2201 }"
VOIPSERV = "{ CENSORED }"

#Options
set require-order yes
set block-policy drop
set loginterface $ext_if
set loginterface $int_if
set state-policy floating
set fingerprints "/etc/pf.os"
set ruleset-optimization none

#Timeout Settings
set optimization aggressive
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }

#Connection Normalization

scrub all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

#Queuing ALTQ
#Upload assumed aprox 80kb or 640Kb queued aprox 94%

altq on $ext_if cbq bandwidth 600Kb queue { tcpack, voip, dns, mainpc, webftp, dlbox, std }

queue std bandwidth 10% priority 1 cbq(borrow red default)
queue dlbox bandwidth 10% priority 2 cbq(borrow red)
queue webftp bandwidth 5% priority 3 cbq(borrow red)
queue mainpc bandwidth 10% priority 4 cbq(borrow red)
queue dns bandwidth 5% priority 5 cbq(borrow red)
queue tcpack bandwidth 20% priority 6 cbq(borrow red)
queue voip bandwidth 40% priority 7 cbq(borrow red)

block in log on $ext_if

#TCP Traffic Out on $ext_if
pass out on $ext_if inet proto tcp from any to any modulate state queue(std, tcpack)
pass out quick on $ext_if inet proto tcp from $dlbox to any modulate state queue(dlbox, tcpack)
pass out quick on $ext_if inet proto tcp from $ftpsrv to any port ftp modulate state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $websrv to any port 10001 modulate state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $exc2k3 to any modulate state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $main to any modulate state queue(mainpc, tcpack)
pass out quick on $ext_if inet proto tcp from any to any port domain modulate state queue(dns, tcpack)


#UDP Traffic Out on $ext_if
#pass out on $ext_if inet proto udp from any to any keep state queue(std, tcpack)
pass out quick on $ext_if inet proto udp from any to any port ntp queue(dns)
pass out quick on $ext_if inet proto udp from any to any port domain queue(dns)
pass out quick on $ext_if inet proto udp from any to any port 514 queue(std)
pass out quick log on $ext_if inet proto udp from $voipone to $VOIPSERV port 5060 keep state queue(voip) label VOIP_OUT
pass out quick log on $ext_if inet proto udp from $voipone to $VOIPSERV port 5000 keep state queue(voip) label VOIP_OUT
pass out quick log on $ext_if inet proto udp from $voipone to $VOIPSERV port > 10000 keep state queue(voip) label VOIP_OUT
pass out on $ext_if inet proto udp from $dlbox to any port 63600 keep state queue(dlbox)
#TCP/UDP Traffic Out on $ext_if

#TCP Traffic In on $ext_if

pass in quick on $ext_if inet proto tcp from any to any port 10001 synproxy state queue(webftp, tcpack)

#UDP Traffic In on $ext_if

pass in on $ext_if inet proto udp from any to any port domain queue(dns)
pass in on $ext_if inet proto udp from $voipone to any port ntp queue(dns)
pass in on $ext_if inet proto udp from any to any port 514 queue(std)
pass in on $ext_if inet proto udp from any to $dlbox port 63600 keep state queue(dlbox)
pass in quick log on $ext_if inet proto udp from any to $voipone port 5060 keep state queue(voip) label VOIP_IN
pass in quick log on $ext_if inet proto udp from any to $voipone port 5000 keep state queue(voip) label VOIP_IN
pass in quick log on $ext_if inet proto udp from any to $voipone port > 10000 queue(voip) label VOIP_IN
Any idea?

Thanks.
Reply With Quote
  #5   (View Single Post)  
Old 4th January 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 337
Thanked 32 Times in 30 Posts
Default

Based on the manual, you're right about the lowdelay stuff. I guess it depends on how you design your queues. I usually put stuff that performs badly under congestion (like voip) in its own high-priority queue. Anyway, you can see how (and if) your queues perform by installing pftop and pressing '8' after starting it (you can also use pfctl -sq -vv, but that's less granular and harder to read).
Reply With Quote
  #6   (View Single Post)  
Old 4th January 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,708
Thanked 214 Times in 189 Posts
Default

systat queues or states may be helpful, also.
Reply With Quote
  #7   (View Single Post)  
Old 8th January 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default

I believe I figured out why I do not see the log messages now. Since the traffic is going both ways with state it only logs the initial connection. I changed to log (all) and I see the traffic as expected now.

systat is a neat tool. I had not seen this before. Thanks for sharing!


Anyway I believe my initial problem has been resolved. Thanks all for your help/input. Very much appreciated.
Reply With Quote
Reply

Tags
openbsd pf block

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
See what process is generating DNS traffic? Bruco FreeBSD General 3 2nd July 2009 05:57 PM
PF Blocking VPN Traffic plexter OpenBSD Security 6 23rd January 2009 05:25 PM
Dynamic Traffic Shaping LordZ OpenBSD Security 6 19th January 2009 04:30 PM
PF Blocking schrodinger OpenBSD Security 6 6th October 2008 10:33 PM
Suggestions for Web Traffic Logging? Bruco FreeBSD Ports and Packages 16 18th September 2008 10:54 PM


All times are GMT. The time now is 06:23 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick