DaemonForums  

#1
27th March 2010
Septic
pf temporary dropouts

Hi all, I'm hoping the wealth of experience here will be able to solve my problem!

I've recently set up an OpenBSD 4.6 box to use as a dedicated firewall, got it configured, and all seems well - except that the packet filter is causing connection dropouts every few minutes or so.

E.g. if I try to download a large file, it will download for anywhere between 1 - 9 minutes, then simply hang, until I manually cancel. My connection to IRC is also dropped constantly.

I also bought 2 dedicated NICs (Dlink DGE-528T, supported Chipset) to use instead of the onboard gigabit NICs to see if they could be at fault, but the same thing occurs.
This is definitely a pf issue, as if I do a pfctl -d everything works fine from that point on.

If anyone has any idea as to what could be at fault in my configuration I'd be most grateful - after what little troubleshooting I can do at the moment, being somewhat of a BSD noob, all I can think of is forcing the adapters to 100/Mb & 1000/Mb.

Below are my ifconfig & pf.conf, and I also attached an image with systat output, with pf enabled on the left, and with it disabled on the right (my IRC connection got reset twice in the 6 minute period it was enabled). If any extra info. is needed I'd be happy to supply.

Thanks

Simple Network Layout
Code:
        INTERNET
           |
           |
       [ Router ]
           |
           |
         (re0)
      [ Firewall ]
         (re1)
           |
           |
       [ Switch ]
           |
           |
          LAN

Relevant ifconfig output
Code:
re0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:26:5a:e3:53:cc
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:53cc%re0 prefixlen 64 scopeid 0x2
        inet 192.168.134.2 netmask 0xffffff00 broadcast 192.168.134.255
re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:26:5a:e3:52:8d
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:528d%re1 prefixlen 64 scopeid 0x3
bridge0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        groups: bridge

pf.conf
Code:
# Ignore the loopback interface
set skip on lo0

# Defines - NIC for external/internal network routes and other addresses
nic_ext = "re0"
nic_int = "re1"
myaddr = "192.168.134.2"
mysub = "192.168.134.0/24"
myweb = "192.168.134.250"


# Allow everything through the secondary (Firewall->Switch) interface
set skip on $nic_int

# Implicit deny through the primary (Firewall->Router) interface
block in on $nic_ext all
block out on $nic_ext all

# Anti-spoof
antispoof quick for $nic_ext


# Now setup the standard rules


# SSH from internal network, else block & log
pass in quick proto tcp from $mysub to $myaddr port 22
block in log quick on $nic_ext proto tcp from any port 22

# Allow DNS requests, as we have a DNS server behind us (and in front)
pass out quick proto udp from $mysub port 53

# Hard-Coded blocks - todo: move these into a dedicated file & table
# Do not block: 208.100.20.98 - proxyscan.rizon.net
# 66.102.9.0/24 - google.com subnet, mostly for ad-blocking
# 63.88.212.91 - webtrends
blacklist = "{ 208.201.239.101, 222.208.183.218, 125.230.150.249, 66.102.9.0/24, 63.88.212.91 }"
block in quick on $nic_ext from $blacklist

# Allow inbound port 8080 traffic to the webserver only
pass in quick on $nic_ext proto tcp from any to $myweb port 8080

# Allow outbound traffic from internal network
pass out quick on $nic_ext proto tcp all from $mysub flags S/SA
pass out quick on $nic_ext proto udp all from $mysub

# NAT rule
nat on $nic_ext from !($nic_ext) to any -> ($nic_ext)

#2
28th March 2010
J65nko

The ruleset allows outgoing requests to your blacklisted IP addresses, but blocks the incoming replies.
Try this (untested) version which does not allow outgoing requests to your blacklist.

Code:
# Defines - NIC for external/internal network routes and other addresses
nic_ext = "fxp0"
nic_int = "lo1"

myaddr = "192.168.134.2"
mysub = "192.168.134.0/24"
myweb = "192.168.134.250"

# Hard-Coded blocks 
# Do not block: 208.100.20.98 - proxyscan.rizon.net
# 66.102.9.0/24 - google.com subnet, mostly for ad-blocking
# 63.88.212.91 - webtrends

table <blacklist>  { 
    208.201.239.101
    222.208.183.218
    125.230.150.249
    66.102.9.0/24
    63.88.212.91
}

# Allow everything through the secondary (Firewall->Switch) interface
# and the loopback interface
set skip on { $nic_int lo0 }

# --- NAT rule
#nat on $nic_ext from !($nic_ext) to any -> ($nic_ext)

# --- Default policy
block log all

# -- External interface

antispoof quick for $nic_ext

# Allow outbound traffic from internal network      
pass out quick on $nic_ext inet proto tcp from $mysub to !<blacklist> port != ssh  
pass out quick on $nic_ext inet proto udp from $mysub to !<blacklist>

# Allow inbound port 8080 traffic to the webserver only
pass in quick on $nic_ext inet proto tcp from any to $myweb port 8080

You can see I eliminated your DNS rule. If you pass out all UDP traffic you already allow DNS on port 53.

If this doesn't work as expected, you can visualize which packets are being blocked by running tcpdump on the pflog0 interface.
Code:
# tcpdump -eni pflog0

BTW why doesn't your internal interface re1 have any IPv4 address? And what is that bridge0 interface supposed to do?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#3
28th March 2010
Septic
My apologies - my desired setup was to have a transparent Firewall, so all that would be needed was a straight bridged connection between the two adapters. I think I mis-read part of the documentation, but as it was working (~ish) I hadn't noticed!

Something along the lines of:
Code:
INTERNET -> [ Router ] -> (re0 - 1st NIC) [ Firewall ]
                                        | (Bridge)
                          [ Firewall ] (re1 - 2nd NIC) -> [ Switch ] -----> LAN Client  <--- Internet Access
                                                                        |-> LAN Client

I tried changing some of the settings as you had stated, but it didn't affect the dropouts - 20.8mb of a file & 9 minutes for IRC - viewing the # tcpdump -eni pflog0, nothing came up at all, even when I tried to trigger it.
Ctrl+C'ing out of it provided the stats (and yes, pf was enabled):
Code:
0 packets received by filter
0 packets dropped by kernel

As this particular bridge shouldn't have an IP address, I decided to rebuild the configuration from scratch (didn't reinstall).

Here is what I did:
Code:
# nano /etc/hostname.re0
up

# nano /etc/hostname.re1
up

# nano /etc/sysctl.conf
net.inet.ip.forwarding=1

# nano /etc/resolv.conf
nameserver 192.168.134.1
lookup file bind

# nano /etc/mygate
192.168.134.1

# nano /etc/bridgename.bridge0
add re0
add re1
up

# nano /etc/rc.conf
pf=YES

# pfctl -nf /etc/pf.conf

# reboot

# ifconfig
re0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> MTU 1500
        lladdr 00:26:5a:e3:53:cc
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:53cc%re0 prefixlen 64 scopeid 0x2
re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:26:5a:e3:52:8d
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:528d%re1 prefixlen 64 scopeid 0x3
bridge0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        groups: bridge

After the routing tables updated, I've been able to connect up fine, and in the current 20 minutes it's been set up, I haven't had a dropout yet. No idea what I'd set the first time round that caused it to go awry.

I've updated the pf.conf to handle some of the new changes now too (such as the onboard NIC just for SSH), and so far all is running smoothly.


I had originally set up the blacklist purely for hosts that flagged in my webserver's Apache log, hence only the inbound block - thanks for pointing out it needed updating!

Many thanks for all your help, I would've spent many more hours banging my head against the table in frustration otherwise.

I have only one remaining question - when I try to browse to a site that has a blacklisted entry, the page will continue to be in a loading state until the TCP connection times out - will set block-policy return solve this by simply resetting it immediately?

Thanks again

#4
28th March 2010
J65nko

The ifconfig output from your first post shows 192.168.134.2 as the IP address of re0, and no IP for re1.
In your revised configuration, both re0 and re1 don't have an IP address. That could be a difference.

Re: set block-policy return

Just try it, it won't make your firewall less secure.

From the pf.conf man page, the block policy section
Code:
return           This causes a TCP RST to be returned for TCP packets
                 and an ICMP UNREACHABLE for other types of packets.
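
A ruleset sketch that pulls together the blacklist table from post #2 and the block-policy question answered in post #4, added here as an example that is not part of any post in the thread. It assumes the bridged re0/re1 layout with filtering on re0 only; the addresses are the ones already listed in the thread, and the rule arrangement is an assumption, not a configuration tested by the posters.

```pf
# Added example, not from the thread: blacklist handling for the
# bridged re0/re1 firewall, in pf.conf(5) syntax.

nic_ext = "re0"                  # bridge member facing the router
nic_int = "re1"                  # bridge member facing the switch
mysub   = "192.168.134.0/24"
myweb   = "192.168.134.250"

# Addresses copied from the blacklist in the thread.
table <blacklist> persist { 208.201.239.101, 222.208.183.218, \
    125.230.150.249, 66.102.9.0/24, 63.88.212.91 }

# Filter on one bridge member only, so each packet is evaluated once.
set skip on { lo0 $nic_int }

# A plain "block" now answers with a TCP RST (or ICMP UNREACHABLE)
# instead of silently dropping the packet.
set block-policy return

# Default deny, logged so that blocked packets appear on pflog0.
block log all

# Form used in the first post: only packets arriving FROM the blacklist
# are stopped; LAN clients can still open connections TO those hosts.
#   block in quick on $nic_ext from $blacklist

# Both directions instead. Outbound attempts from the LAN are refused
# at once rather than left to time out; inbound packets from listed
# hosts are dropped without an answer ("drop" overrides block-policy).
block return out log quick on $nic_ext from any to <blacklist>
block drop   in  log quick on $nic_ext from <blacklist> to any

# LAN clients out, web server in (subnet and port as in the thread).
pass out quick on $nic_ext inet proto { tcp, udp } from $mysub to any
pass in  quick on $nic_ext inet proto tcp from any to $myweb port 8080
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `tcpdump -eni pflog0` while visiting a blacklisted address to confirm the outbound block rule is the one that matches.
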

#5
29th March 2010
Septic
Yeah, that works exactly as the man page describes.

Have found some interesting side effects from blacklisting the 3 main Google subnets I have seen so far (good luck trying to use YouTube, for example), but browsing the web on the whole is quicker now.