DaemonForums  

OpenBSD Security Functionally paranoid!

Old 10th July 2009
BSDfan666

PF supports interface group names, jggimi; "lo" is valid and is used in FAQ examples.

But you are right, the skip rule makes it redundant.
Old 10th July 2009
jggimi

Thanks BSDfan. I feel sheepish.


Birdmansdomain: I have just recreated your environment, with your pf.conf as posted above. It works fine.

TCP traffic from the outside destined for port 80 gets properly routed to the server, and responses get properly routed back.

My test configuration:

Workstation --- Router ---- Server

All three were running 4.5-release. (-current has changes to PF affecting scrub and require-order).

Your pf.conf was used verbatim, except for changing the NICs.

---------------------------

Server:
/etc/hostname.ne3 contained "inet 192.168.0.10/24"
/etc/mygate contained "192.168.0.1"
# nc -l 80

Router:
/etc/hostname.ne3 contained "inet 10.0.0.1/24"
/etc/hostname.ne4 contained "inet 192.168.0.1/24"
/etc/sysctl.conf contained "net.inet.ip.forwarding=1"
an empty /etc/ssh-violate was created with touch(1)
your pf.conf was enabled, with the following changes: ext_if="ne3", int_if="ne4", wifi_if="ne5"

Workstation:
/etc/hostname.ne3 contained "inet 10.0.0.2/24"
# nc 10.0.0.1 80

Two-way TCP communication was established and confirmed between nc applets on the workstation and server, through the router.

Last edited by jggimi; 10th July 2009 at 08:59 PM.
Old 10th July 2009
BSDfan666

jggimi has gone the extra mile by testing your ruleset, he has found no obvious problems.

It would seem the issue is elsewhere, one probable cause is that your ISP is filtering packets themselves... perhaps they're blocking incoming traffic on port 80.

Please try using a different port to confirm if this is the case.
Old 11th July 2009
birdmansdomain

Hmm strange.

Quote:
Server:
/etc/hostname.ne3 contained "inet 192.168.0.10/24"
/etc/mygate contained "192.168.0.1"
Maybe I need to clarify more: the web server is running Ubuntu; there is no hostname.*. There is a hostname "phreaks-desktop". Also there is no mygate.

Quote:
Router:
/etc/hostname.ne3 contained "inet 10.0.0.1/24"
/etc/hostname.ne4 contained "inet 192.168.0.1/24"
/etc/sysctl.conf contained "net.inet.ip.forwarding=1"
an empty /etc/ssh-violate was created with touch(1)
your pf.conf was enabled, with the following changes: ext_if="ne3", int_if="ne4", wifi_if="ne5"
mygate is 192.168.1.1
hostname.re0 contains inet 192.168.0.1
hostname.ral0 contains inet 192.168.1.1
Router is OpenBSD

Workstation is Ubuntu as well; there is no hostname.*

Quote:
It would seem the issue is elsewhere, one probable cause is that your ISP is filtering packets themselves... perhaps they're blocking incoming traffic on port 80.
When I run tcpdump -neti pflog0 action pass I see the connection.
Old 11th July 2009
birdmansdomain

BTW thanks for being so helpful.
Old 11th July 2009
jggimi

#1:
-------
Please post the output of
$ route -n show -inet
You may redact any private information, such as your Internet IP address.

I ask for your routing information, because you just stated that you have a mygate(1) file, containing incorrect information ("192.168.1.1"). Your default route should be assigned by your ISP. If your ISP connection uses DHCP, the default route will be added when you connect. If your ISP connection is static, your ISP should have provided this information.

/etc/mygate is used for static ip address configurations, and describes the default route. Perhaps, if you are using DHCP, a default route is already correctly added, then the use of an incorrect /etc/mygate just causes an error when /etc/netstart issues the route add for it. (That error should appear in /var/log/messages with each boot; you may want to look for it.)
-------
#2
-------
Run tcpdump against your internal wired network, to see if the incoming SYN packet from the Internet makes it onto the local LAN. Perhaps the source of your problem is the server at 192.168.0.10. If you see packets get sent to the server, but no valid responses, you have a server problem. If you see valid two-way traffic back and forth, then run tcpdump against your external network. On the external network, if you only see the incoming packet, but no outbound responses, you have a routing problem.

e.g.:

# tcpdump -neti re0 host 192.168.0.10
# tcpdump -neti em0 host <your remote workstation>

Last edited by jggimi; 11th July 2009 at 01:25 PM.
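The triage order in the post above (does the SYN arrive on the outside, is it forwarded inside, does the server answer, does the answer leave again) can be applied mechanically to two captures. The script below is an added example by the editor, not something posted in the thread; it reads `tcpdump -n` text taken on the external and internal interfaces (without `-e`, so the Ethernet header does not shift the fields) and names the first hop at which the redirected handshake disappears. The server address 192.168.0.10 is from the thread; the router's external address 198.51.100.2 and the client 203.0.113.5 are assumed documentation-range addresses, and the captures are constructed, not recorded traffic.

```shell
#!/bin/sh
# Added example (not from the thread): triage an rdr'd port-80 connection from
# two tcpdump captures, one per router interface, in the order jggimi gives:
# SYN in on the outside -> SYN forwarded inside -> SYN/ACK back from the
# server -> SYN/ACK out on the outside.
#
# Assumptions (not in the thread): router external address 198.51.100.2 and
# remote client 203.0.113.5 (documentation ranges). 192.168.0.10 is the
# server from the thread.

server="192.168.0.10"
ext_addr="198.51.100.2"

# count_syn CAPTURE HOST.PORT: pure SYNs (no ack) addressed to HOST.PORT.
# Expects `tcpdump -n` text; field 4 is the destination with a trailing colon.
count_syn() {
	awk -v dst="$2:" '$3 == ">" && $4 == dst && $5 == "S" && $7 != "ack" { n++ }
	                  END { print n + 0 }' "$1"
}

# count_synack CAPTURE HOST.PORT: SYN/ACKs sent by HOST.PORT.
count_synack() {
	awk -v src="$2" '$2 == src && $3 == ">" && $5 == "S" && $7 == "ack" { n++ }
	                 END { print n + 0 }' "$1"
}

# diagnose_rdr EXT_CAPTURE INT_CAPTURE: one line naming the first hop at
# which the redirected handshake is lost.
diagnose_rdr() {
	ext=$1 int=$2
	if [ "$(count_syn "$ext" "$ext_addr.80")" -eq 0 ]; then
		echo "no SYN for $ext_addr.80 on the external interface: filtered upstream (ISP?) or wrong external address"
	elif [ "$(count_syn "$int" "$server.80")" -eq 0 ]; then
		echo "SYN arrives outside but is not forwarded to $server.80: rdr/pass/forwarding problem on the router"
	elif [ "$(count_synack "$int" "$server.80")" -eq 0 ]; then
		echo "SYN forwarded but $server.80 never answers: server problem (not listening, host firewall, wrong gateway)"
	elif [ "$(count_synack "$ext" "$ext_addr.80")" -eq 0 ]; then
		echo "server answers but the reply never leaves the external interface: routing or state problem on the router"
	else
		echo "two-way handshake visible on both interfaces: the redirect is working"
	fi
}

# Constructed sample captures in OpenBSD tcpdump -n format (not real traffic).
tmp=$(mktemp -d)
cat > "$tmp/ext_syn_only" <<'EOF'
10:00:00.000001 203.0.113.5.40000 > 198.51.100.2.80: S 100:100(0) win 65535 <mss 1460>
10:00:03.000001 203.0.113.5.40000 > 198.51.100.2.80: S 100:100(0) win 65535 <mss 1460>
EOF
cat > "$tmp/int_fwd_only" <<'EOF'
10:00:00.000002 203.0.113.5.40000 > 192.168.0.10.80: S 100:100(0) win 65535 <mss 1460>
10:00:03.000002 203.0.113.5.40000 > 192.168.0.10.80: S 100:100(0) win 65535 <mss 1460>
EOF
cat > "$tmp/int_ok" <<'EOF'
10:00:00.000002 203.0.113.5.40000 > 192.168.0.10.80: S 100:100(0) win 65535 <mss 1460>
10:00:00.000003 192.168.0.10.80 > 203.0.113.5.40000: S 500:500(0) ack 101 win 16384 <mss 1460>
EOF
cat > "$tmp/ext_ok" <<'EOF'
10:00:00.000001 203.0.113.5.40000 > 198.51.100.2.80: S 100:100(0) win 65535 <mss 1460>
10:00:00.000004 198.51.100.2.80 > 203.0.113.5.40000: S 500:500(0) ack 101 win 16384 <mss 1460>
EOF
: > "$tmp/empty"

diagnose_rdr "$tmp/ext_syn_only" "$tmp/int_fwd_only"   # server never answers
diagnose_rdr "$tmp/ext_ok" "$tmp/int_ok"               # working redirect
```

On the real router the two captures would come from `tcpdump -ni re0 host 192.168.0.10 > int.txt` and `tcpdump -ni em0 port 80 > ext.txt` run while the remote client connects; note that a SYN seen in the pflog0 "pass" output only proves the first check, not that the redirect, the server, or the return route work.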
Old 11th July 2009
jggimi

To be clear, regarding IP routing:
  • Communication between two addresses on the same subnet does not need routing; the underlying subnet protocol (usually Ethernet) provides the addressing (usually MAC), via Address Resolution Protocol (ARP). This is used between your server and your router on the 192.168.0/24 subnet, between your wireless workstations and your router on the 192.168.1/24 subnet, and between your router and your ISP's router, on whatever subnet your router connects to within your ISP.
  • All communication that goes beyond a single subnet must be routed.
  • A subnet with a single router only needs a default route: the IP address of the router on that subnet. e.g.: Your wireless workstations on 192.168.1/24 need only a default gateway of 192.168.1.1, the address of your OpenBSD router on that subnet. Your wired servers on 192.168.0/24 need only a default gateway of 192.168.0.1, the address of your OpenBSD router on that subnet.
  • Your OpenBSD router is connected to three different subnets. Its default route should be to your ISP's router somewhere on the em0 subnet.
Old 12th July 2009
s2scott

Change your /etc/pf.conf per the BLUE and RED config fragments. Be careful about OBSERVING the very subtle changes (e.g. no "pass" in the rdr) and differences in keyword spellings (e.g. tag and tagged)

restart pf...

Code:
pfctl -F all -vvf pf.conf
Re-test and advise -- with ACTUAL paste of whole pf.conf. Including
Code:
tcpdump -eni pflog0
would help us help you.

Code:
ext_if="em0"
int_if="re0"
wifi_if="ral0"
local_net="{192.168.0.1/24, 192.168.1.1/24}"
server="{ 192.168.0.10/32 }"
icmp_types="echoreq"
tcp_flags="flags S/SA keep state"
table <abusers> persist

set require-order no
set skip on lo
scrub in all

nat on $ext_if from !($ext_if) -> ($ext_if:0)
# ---- start group -----
rdr on $ext_if inet proto { tcp udp } \
 from any to ($ext_if:0) port 80 tag MyWWW -> $server port 80
#
pass in log quick on $ext_if inet proto {tcp udp} \
 tagged MyWWW flags S/SA modulate state
#
pass out log quick on $int_if inet proto {tcp udp} \
 tagged MyWWW keep state
# ----- end group -----

block drop log all
block in log quick from <abusers>

pass out log on $ext_if proto tcp from any to any flags S/SA
pass out log on $ext_if proto { udp,icmp } from any to any

pass in log quick inet proto icmp all icmp-type $icmp_types
pass in log quick on $wifi_if proto tcp to ($wifi_if) port ssh $tcp_flags (max-src-conn 8, max-src-conn-rate 15/5, overload <abusers> flush global)

pass quick on { lo, $int_if, $wifi_if } # I don't write rules this way.

# antispoof quick for { lo, $int_if, $ext_if, $wifi_if } # comment out for test purposes

Last edited by s2scott; 12th July 2009 at 09:55 AM.
Old 23rd July 2009
birdmansdomain

Yeah, your sample didn't work. I put www on the firewall and didn't have to worry about the rdr rule. Working great now.
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick