DaemonForums > OpenBSD > OpenBSD Security
#1, 9th September 2009, revzalot

my pf won't allow my server to resolve

My pf works fine except my server cannot resolve. Yes I already checked my networking items and resolving works when pf is disabled. I know I'm missing a filtering rule.
Thanks in advance.

Code:
# ext_if is not defined in the ruleset as posted (DutchDaemon notes he had
# to add it); the revised ruleset later in the thread sets it to re0, so it
# is filled in here so that the file loads.
ext_if = "re0"

# Note: "sftp" in /etc/services is 115/tcp (Simple File Transfer Protocol),
# not SSH file transfer, which already rides on port 22 (ssh). "www" and
# "http" both resolve to 80/tcp.
tcp_services = "{ ssh, sftp, imap, imaps, smtp, 587, pop3, \
                  domain, ntp, www, http, https }"
udp_services = "{ domain, ntp }"

set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble

# Default deny in both directions. Only the "in" rule is logged, so nothing
# blocked on the way out ever shows up in pflog. "block out all" also covers
# ICMP and every port outside the two service lists, and OpenBSD reports a
# packet dropped by pf on output to the sending socket as EHOSTUNREACH,
# which userland prints as "No route to host" (the error seen later in
# this thread).
block return in log all
block out all

antispoof quick for $ext_if

pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services

pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port smtp flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port https flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port pop3 flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
#2, 9th September 2009, DutchDaemon

I loaded this exact ruleset (with ext_if defined as an extra ..) and it worked fine for DNS, and nothing strange showed up in 'pfctl -sr' either.

Last edited by DutchDaemon; 9th September 2009 at 01:26 PM.
#3, 9th September 2009, DutchDaemon

Try 'block out log all' and watch pflog.
#4, 9th September 2009, revzalot

DD, sorry to give you wrong info. I can do DNS lookups just fine, but I'm getting a 'no route to host' error, so my routing is messed up when pf is enabled. Here's the error:

Code:
Begin dump of root

  DUMP: Date of this level 0 dump: Wed Sep  9 00:05:02 2009
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/rwd0a (/) to standard output
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 46424 tape blocks.
  DUMP: Volume 1 started at: Wed Sep  9 00:05:02 2009
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
  DUMP: 46805 tape blocks
  DUMP: Date of this level 0 dump: Wed Sep  9 00:05:02 2009
  DUMP: Volume 1 completed at: Wed Sep  9 00:05:31 2009
  DUMP: Volume 1 took 0:00:29
  DUMP: Volume 1 transfer rate: 1613 KB/s
  DUMP: Date this dump completed:  Wed Sep  9 00:05:31 2009
  DUMP: Average transfer rate: 1613 KB/s
  DUMP: level 0 dump on Wed Sep  9 00:05:02 2009
  DUMP: DUMP IS DONE

curl: (7) Failed to connect to 192.168.0.200: No route to host
I'll try the pflog after work. Thanks for the suggestion.
#5, 9th September 2009, jggimi

You are blocking ICMP traffic, as part of your default block rule. You may want it, as it would allow ping, traceroute, and similar information to flow unimpeded.

It is not clear, from your last post, what platform you were running your failed curl command from, and the path it would take to connect to 192.168.0.200. Were you running this from the firewall, or from another platform on the network that connects to 0.200 *through* the firewall?

If it is going through your router, did you enable the IP forwarding sysctl?
Does the curl connection function correctly when pf is disabled?
#6, 9th September 2009, revzalot

Quote:
Originally Posted by jggimi View Post
You are blocking ICMP traffic, as part of your default block rule. You may want it, as it would allow ping, traceroute, and similar information to flow unimpeded.

It is not clear, from your last post, what platform you were running your failed curl command from, and the path it would take to connect to 192.168.0.200. Were you running this from the firewall, or from another platform on the network that connects to 0.200 *through* the firewall?

If it is going through your router, did you enable the IP forwarding sysctl?
Does the curl connection function correctly when pf is disabled?
Everything is behind the firewall/router. I'm doing nightly dumps on my OpenBSD server and then I use curl to ftp the dumps to another server. Thanks, I'll allow ICMP traffic to come on in. Setting up pf for a client server is different from a firewall, which is the reason for the clumsy mistakes.
#7, 9th September 2009, DutchDaemon

Straight ftp or sftp? Only the latter is allowed in your ruleset.
#8, 9th September 2009, jggimi

Do I understand the curl failure's topology to be:
Code:
 [Router]
     |
[network with both the sending and receiving servers]
If so, then your problem is not PF, nor is it the router, its that your two boxes are addressed incorrectly.

In order to communicate via IP on the same network, they must have addresses in the same IP subnet.

e.g.: If the receiving box at 192.168.0.200 is using the netmask 255.255.255.0, also known as a /24 block, then the sending box needs to have an address in the same block, somewhere between 192.168.0.1 and 192.168.0.254. If a different netmask is used, the range of addresses in the subnet will expand or contract accordingly.

If I've misunderstood, please clarify your topology and addressing, which are guesses, since you haven't articulated it clearly.
#9, 9th September 2009, jggimi

Confusion, because of limited information. DutchDaemon thinks the interconnection is through the router; I do not. One of us is incorrect, but we don't know for sure which one, yet.
9th September 2009, DutchDaemon

Quote:
my routing is messed up when pf is enable(d)
This would point to pf as the culprit, so I wonder if 'No route to host' is reported when pf is set to 'block drop' (as it implicitly is for outgoing traffic). May be a coincidence, so we're keenly awaiting a network diagram nested in [code] tags
9th September 2009, revzalot

pf enabled:

$ ping 192.168.0.200
PING 192.168.0.200 (192.168.0.200): 56 data bytes
ping: sendto: No route to host
ping: wrote 192.168.0.200 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 192.168.0.200 64 chars, ret=-1
--- 192.168.0.200 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss


pf disabled:
$ ping 192.168.0.200
PING 192.168.0.200 (192.168.0.200): 56 data bytes
64 bytes from 192.168.0.200: icmp_seq=0 ttl=64 time=0.405 ms
64 bytes from 192.168.0.200: icmp_seq=1 ttl=64 time=0.210 ms
--- 192.168.0.200 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.210/0.307/0.405/0.099 ms


My network is simple: both servers are behind my router/firewall. I just want to add an additional layer of protection on my obsd mail server.

Thanks, I'll add ftp to my ruleset if it's not there.

Last edited by revzalot; 9th September 2009 at 04:28 PM.
9th September 2009, revzalot

Revised but haven't tested yet.

Code:
ext_if="re0"

tcp_services = "{ssh, ftp, sftp, imap, imaps, smtp, 587, pop3, \
                    domain, ntp, www, http, https}"
udp_services= "{domain, ntp}"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"

set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble

block return in log all
# pf.conf grammar puts the direction before "log" (as in DutchDaemon's
# 'block out log all'); "block log out all" does not parse.
block out log all

antispoof quick for $ext_if

# "ftp" in $tcp_services only passes the control channel (port 21); the
# data channel uses other ports and is still caught by "block out log all".
pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services

# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port smtp flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port https flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port pop3 flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
# No direction given, so this matches both ways: echo requests can now leave
# and the replies (and unreachables) can come back.
pass inet proto icmp all icmp-type $icmp_types keep state
9th September 2009, jggimi

Sigh.

Here are my guesses:
Guess #1: Both servers are on the same physical infrastructure.
Guess #2: That doesn't matter, because the servers are on different IP subnets, and cannot communicate directly.
Guess #3: Because they are on different subnets, packets between them must be routed. This adds a "hop" and unnecessary replication of traffic on the physical infrastructure, and adds resource consumption on the router, as well.
Guess #4: Pings fail because ICMP was blocked.
Guess #5: ftp fails because only port 21 control traffic is passed; the backchannel traffic is blocked. A review of the "Issues with FTP" chapter of the PF User's Guide is recommended.
If these guesses are wrong, it's because your information continues to be misleading / unclear / incomplete. If you want better guesses, or responses that are actual answers, you will have to provide better info.
9th September 2009, jggimi

I just noticed that these various pf.conf rule sets only have one NIC, $ext_if (re0). Assuming, for the moment, that there is a second NIC, there are no pass in rules for its traffic. All traffic initiated on a local LAN (assuming there is one) will be blocked, except for the limited set of ICMP traffic added to your second pf.conf example.
9th September 2009, revzalot

The pf rules above are not for my firewall/router. They're for my openbsd mail/web server.

router/firewall - openbsd ( pf works fine)
|
|
switch <----> 192.168.0.200 file server
|
|
|
mail/server - openbsd ( pf stated above ) *

* this is on the same subnet as my file server.
9th September 2009, jggimi

OK.

Let's start over, and have you spoon feed us information, since every time you reply, we get different, and yet still incomplete information.

So I'll ask a few initial, basic questions, and you provide answers. OK?

1. What is the IP address and netmask of your mail server?
2. What is the netmask of your file server at 0.200?
3. a) Is your failure to ftp occurring when you try to connect from your mail server? Yes or no? If no, b) was it when you were trying to connect from your router/firewall to your file server? Yes or no? If no, c) what is the IP address and netmask of the device you failed to connect with?

Start with those three questions. Good luck.
9th September 2009, revzalot

1. 192.168.0.4 netmask 255.255.255.0
2. 255.255.255.0
3. a) no
b) no, with pf disabled, I can ftp from .4 to .200
c) 192.168.0.200 netmask 255.255.255.0


Quote:
Originally Posted by jggimi View Post
OK.

Let's start over, and have you spoon feed us information, since every time you reply, we get different, and yet still incomplete information.

So I'll ask a few initial, basic questions, and you provide answers. OK?

1. What is the IP address and netmask of your mail server?
2. What is the netmask of your file server at 0.200?
3. a) Is your failure to ftp occurring when you try to connect from your mail server? Yes or no? If no, b) was it when you were trying to connect from your router/firewall to your file server? Yes or no? If no, c) what is the IP address and netmask of the device you failed to connect with?

Start with those three questions. Good luck.
9th September 2009, jggimi

I still have no clarity about what system you were trying to connect to 0.200 with and getting failures. Your answers to #3 were unhelpful:
For 3a you stated that you did not have trouble connecting to the file server (0.200) from the mail server (0.4).

For 3b you stated that you did not have trouble connecting to the file server (0.200) from your router/firewall (address unknown). You also stated that when PF was disabled, you didn't have trouble from the mail server. But you'd already denied having communication trouble in 3a.

For 3c you stated that the device you had trouble connecting to the file server (0.200) with was the file server (0.200).
So, giving up, forever, and making the assumption that your mail server and its individual PF configuration is the source of your problem, log onto it and use:

# tcpdump -neti pflog0 action block

That will show you, in real time, what type of IP traffic is being blocked, if you manage to retain the "log" options in your two block rules. What's critical for repairing the problem is for you to understand what traffic is being blocked and why that traffic is necessary, then to write appropriate pass rules.

I won't try to help you any further.
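The command above is the check the thread keeps coming back to. As an added example (not code from the thread or from any of its posters), here is a small sh/awk filter that turns the output of `tcpdump -neti pflog0 action block` into one line per blocked flow pattern with a count, so the "what is being blocked, and why is it needed" question can be answered from a saved capture rather than by watching the screen. It assumes exactly those tcpdump flags (-t no timestamp, -e pflog header, -n numeric addresses), IPv4 traffic, and that both block rules carry "log"; the pflog lines it runs on are constructed to match the thread's hosts (192.168.0.4 talking to 192.168.0.200), not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread: summarise what pf is blocking on a host
# from the output of
#     tcpdump -neti pflog0 action block
# Ports >= 1024 are bucketed as "high" so one ephemeral port per connection
# does not hide the pattern; the protocol guess from tcpdump's decode is a
# heuristic (TCP lines start with their flags, anything else is called udp).

summarize_blocked() {
    LC_ALL=C awk '
    # A line looks like (constructed sample):
    #   rule 1/(match) block out on re0: 192.168.0.4.49152 > 192.168.0.200.21: S 1:1(0) ...
    # $4 = direction, $6 = "iface:", $7 = src[.port], $9 = "dst[.port]:", $10 = decode hint
    function host_of(addr,    n, p) {
        sub(/:$/, "", addr)
        n = split(addr, p, "\\.")
        if (n < 5) return addr                  # no port suffix (ICMP)
        return p[1] "." p[2] "." p[3] "." p[4]
    }
    function port_of(addr,    n, p) {
        sub(/:$/, "", addr)
        n = split(addr, p, "\\.")
        if (n < 5) return "-"
        return (p[5] + 0 >= 1024) ? "high" : p[5]
    }
    $1 == "rule" && $3 == "block" {
        dir = $4; ifc = $6; sub(/:$/, "", ifc)
        if ($10 == "icmp:") {
            proto = "icmp"; ports = "-"
        } else {
            proto = ($10 ~ /^[SFRPWE.]+$/) ? "tcp" : "udp"
            ports = port_of($7) ">" port_of($9)
        }
        count[dir " " ifc " " proto " " host_of($9) " " ports]++
    }
    END {
        for (k in count) print k, count[k] | "sort"
        close("sort")
    }'
}

# Constructed pflog lines standing in for a capture on the mail server from
# the thread (192.168.0.4 behind "block out log all", talking to 192.168.0.200).
sample_pflog() {
    cat <<'EOF'
rule 1/(match) block out on re0: 192.168.0.4 > 192.168.0.200: icmp: echo request
rule 1/(match) block out on re0: 192.168.0.4 > 192.168.0.200: icmp: echo request
rule 1/(match) block out on re0: 192.168.0.4.49152 > 192.168.0.200.21: S 1:1(0) win 16384 <mss 1460> (DF)
rule 0/(match) block in on re0: 192.168.0.200.20 > 192.168.0.4.49153: S 2:2(0) win 16384 <mss 1460> (DF)
rule 1/(match) block out on re0: 192.168.0.4.6543 > 192.168.0.200.514: udp 37
EOF
}

# Run stand-alone, this prints one line per blocked pattern with its count:
#   in re0 tcp 192.168.0.4 20>high 1        <- file server calling back from ftp-data
#   out re0 icmp 192.168.0.200 - 2          <- the pings from the thread
#   out re0 tcp 192.168.0.200 high>21 1     <- FTP control channel
#   out re0 udp 192.168.0.200 high>514 1    <- e.g. syslog forwarding
sample_pflog | summarize_blocked
```

Each line maps to a decision: outbound ICMP to the LAN needs the icmp pass rule from the revised ruleset, the ftp control channel needs "ftp" in the service list, and the inbound connection from port 20 is the FTP data channel jggimi's guess #5 refers to, which no rule in either ruleset passes. Run against a live pflog0 instead of the sample with: tcpdump -neti pflog0 action block | summarize_blocked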
10th September 2009, BSDfan666

In the future please volunteer as much information as possible revzalot, otherwise you're forcing us to guess how you've configured your systems after installation.

Nobody here has to take the time and effort to search your previous posts to get an outlook of your network topology; it's simply unreasonable to assume we will.

In the future, think of this forum as a proverbial dump(8) site.. nobody will complain if you give them too much information, although be sure not to leak any sensitive information if you're employed by someone.

Here is a partial list of information that should be included when reporting routing/networking issues:
  • Try to describe your problem in as much detail as possible, using your own words.. remembering we do not have psychic powers.
  • Perhaps attempt to create a diagram if that will help communicate the problem; this means a labelled network topology.
  • Full output of ifconfig(8) and route(8), this is simply a must.. very minimal effort.
  • OpenBSD uses plain-text configuration files, we know nothing of their contents on your system.. post the output of at least your interface files, perhaps mygate if relevant, and anything else that you deem significant.
  • Describe any changes you may have made to your systems recently that may be affecting things, either hardware or software.
  • Do you have any non-OpenBSD systems that you've failed to mention? Are they configured properly? Have you eliminated that as a candidate?

You scared off jggimi, a long-time member of this forum.. perhaps this will open your eyes to your communication deficiencies..

It is simply unfair to paint half of a picture and leave the rest of it up to our imaginations.

Good luck.
10th September 2009, revzalot

Sorry guys for the incomplete and confusing info, and thanks for spending time on this. I'm still learning a lot about pf and I'll take your advice on using pflog to troubleshoot. No worries.