DaemonForums > OpenBSD > OpenBSD Security
#1, 27th August 2010, gpatrick
PF cannot access Internet from internal network

This is my first try at PF, and I must have something wrong because I'm unable to go out from the internal network. Would someone review my configuration and let me know where I've gone wrong? Also, any tips or hints would be helpful.

Code:
##### Macros #####
# ext_if -- the interface to the outside world
ext_if="axe0"

# prv_if -- the interface to the private hosts
prv_if="axe1"
localnet = $prv_if:network

# dmz_if -- the interface to the DMZ
dmz_if="axe2"

# prv_hosts -- the list of addresses of hosts on the screened LAN
prv_hosts = "{ 192.168.1.129/25, 192.168.1.130/25 }"

# dmz_hosts -- the list of addresses of hosts in the DMZ
dmz_hosts = "{ 192.168.2.1/25, 192.168.2.2/25, 192.168.2.3/25 }"

# dmz_www -- the address of the WWW server in the DMZ
dmz_www = "192.168.2.1/25"

# dmz_smtp -- the address of the SMTP server in the DMZ
dmz_smtp = "192.168.2.2/25"
# dmz_dns -- the address of the DNS server in the DMZ
dmz_dns = "192.168.2.3/25"

# known ports
www_ports = "{ http, https }"
mail_ports = "{ smtp, pop3, imap, imaps, pop3s }"

##### Tables #####
# Non-routable addresses
table <rfc1918> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }

##### Options #####
set skip on lo
set reassemble yes
set require-order yes
set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
set optimization aggressive
set timeout { frag 30, tcp.established 120 }
set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }

##### Traffic Normalization #####
match in all scrub (no-df random-id min-ttl 5 set-tos lowdelay max-mss 1440 reassemble tcp)
match out on $ext_if scrub (no-df random-id)

##### Queueing #####

##### Translation (NAT) #####
# Network Address Translation
# nat for the private hosts
match out on egress from $prv_hosts to any nat-to egress
# nat for the DMZ hosts
match out on egress from $dmz_hosts to any nat-to egress
# redirect connections to port 80 (HTTP) to DMZ
match in on egress inet proto tcp from any to any port $www_ports rdr-to $dmz_www
# redirect connections to port 25 (SMTP) to DMZ
match in on egress inet proto tcp from any to any port 25 rdr-to $dmz_smtp
# redirect connections to port 53 (DNS) to DMZ
match in on egress inet proto { tcp, udp } from any to any port 53 rdr-to $dmz_dns 

##### Filtering #####
# Block all incoming connections sent from the outside
# Log all blocked packets
block log on $ext_if
block return log on $prv_if
block return log on $dmz_if

# Block to/from illegal sources/destinations
block drop in quick on $ext_if from <rfc1918> to any
block drop out quick on $ext_if from any to <rfc1918> 
block in quick on $ext_if inet from any to 255.255.255.255
block in log quick on $ext_if inet from urpf-failed to any
block in log quick on $ext_if inet from no-route to any

# Block spoofed packets: enable "set state-policy if-bound" above
antispoof log quick for { lo0 $dmz_if $prv_if ($ext_if) }

# pass all connections originating from the firewall
pass out quick on $ext_if inet \
        from ($ext_if) to any flags S/SA modulate state
# pass all connections originating from the screened LAN
pass in quick on $prv_if from $prv_hosts to any flags S/SA

# pass all connections originating from the DMZ
pass in quick on $dmz_if from $dmz_hosts to any flags S/SA

# pass all connections to the WWW host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_www \
        port $www_ports flags S/SA synproxy state

# pass all connections to the SMTP host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_smtp \
        port $mail_ports flags S/SA synproxy state

# pass all connections to the DNS host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_dns \
        port 53 flags S/SA keep state

# Allow anything on the internal interface
pass in on $prv_if from $localnet to any keep state
pass out on $prv_if from any to $localnet keep state

# Allow anything from the internal network out onto the Internet
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { tcp, icmp } all keep state
#2, 27th August 2010, asemisldkfj
Did you change the net.inet.ip.forwarding sysctl?

http://www.openbsd.org/faq/pf/nat.html#ipfwd
#3, 28th August 2010, gpatrick

Yes,
Code:
net.inet.ip.forwarding=1
is uncommented in /etc/sysctl.conf
#4, 29th August 2010, gpatrick

I made a change and can now successfully reach the Internet from my internal network.

Can someone review my configuration and let me know any problems you see?

Code:
##### Macros #####
# ext_if -- the interface to the outside world
ext_if="axe0"

# prv_if -- the interface to the private hosts
prv_if="axe1"
localnet = $prv_if:network

# dmz_if -- the interface to the DMZ
dmz_if="axe2"

# prv_hosts -- the list of addresses of hosts on the screened LAN
prv_hosts = "{ 192.168.1.129/25, 192.168.1.130/25 }"

# dmz_hosts -- the list of addresses of hosts in the DMZ
dmz_hosts = "{ 192.168.1.1/25, 192.168.1.2/25, 192.168.1.3/25 }"

# dmz_www -- the address of the WWW server in the DMZ
dmz_www = "192.168.1.1/25"

# dmz_smtp -- the address of the SMTP server in the DMZ
dmz_smtp = "192.168.1.2/25"

# dmz_dns -- the address of the DNS server in the DMZ
dmz_dns = "192.168.1.3/25"

# known ports
www_ports = "{ http, https }"
mail_ports = "{ smtp, pop3, imap, imaps, pop3s }"

##### Tables #####
# Non-routable addresses
table <rfc1918> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }

##### Options #####
set skip on lo
set reassemble yes
set require-order yes
set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
set optimization aggressive
set timeout { frag 30, tcp.established 120 }
set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }

##### Traffic Normalization #####
match in all scrub (no-df random-id min-ttl 5 set-tos lowdelay max-mss 1440 reassemble tcp)
match out on $ext_if scrub (no-df random-id)

##### Queueing #####

##### Translation (NAT) #####
# Network Address Translation
# nat for the private hosts
match out on egress from $prv_hosts to any nat-to egress
# nat for the DMZ hosts
match out on egress from $dmz_hosts to any nat-to egress
# redirect connections to port 80 (HTTP) to DMZ
match in on egress inet proto tcp from any to any port $www_ports rdr-to $dmz_www
# redirect connections to port 25 (SMTP) to DMZ
match in on egress inet proto tcp from any to any port 25 rdr-to $dmz_smtp
# redirect connections to port 53 (DNS) to DMZ
match in on egress inet proto { tcp, udp } from any to any port 53 rdr-to $dmz_dns 

##### Filtering #####
# Block all incoming connections sent from the outside
# Log all blocked packets
block log on $ext_if
block return log on $prv_if
block return log on $dmz_if

# Block to/from illegal sources/destinations
block drop in quick on $ext_if from <rfc1918> to any
block drop out quick on $ext_if from any to <rfc1918> 
block in quick on $ext_if inet from any to 255.255.255.255
block in log quick on $ext_if inet from urpf-failed to any
block in log quick on $ext_if inet from no-route to any

# Block spoofed packets: enable "set state-policy if-bound" above
antispoof log quick for { lo0 $dmz_if $prv_if ($ext_if) }

# pass all connections originating from the firewall
pass out quick on $ext_if inet \
        from ($ext_if) to any flags S/SA modulate state
# pass all connections originating from the screened LAN
pass in quick on $prv_if from $prv_hosts to any flags S/SA

# pass all connections originating from the DMZ
pass in quick on $dmz_if from $dmz_hosts to any flags S/SA

# pass all connections to the WWW host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_www \
        port $www_ports flags S/SA synproxy state

# pass all connections to the SMTP host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_smtp \
        port $mail_ports flags S/SA synproxy state

# pass all connections to the DNS host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_dns \
        port 53 flags S/SA keep state

# Allow anything from the internal network out onto the Internet
pass out on $ext_if proto tcp from $localnet to any modulate state flags S/SA
pass out on $ext_if proto { tcp, icmp } from $localnet to any keep state
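
A small check script for the two things this thread turns on, added here as an example (it is not code from the thread or from OpenBSD, and the pf.conf and sysctl.conf excerpts inside it are constructed from the posts above). It reports address macros whose prefix masks off host bits (to pf, 192.168.1.129/25 selects the netblock 192.168.1.128/25), TCP-only options such as flags and synproxy in rules that also list udp, and rdr-to targets that no pass in rule admits, and it checks whether net.inet.ip.forwarding=1 is actually uncommented, the question raised in posts #2 and #3.

```python
import ipaddress
import re

# Constructed excerpt of the ruleset posted in this thread (macros plus three rules), not the full file.
PF_CONF = """\
ext_if="axe0"
prv_hosts = "{ 192.168.1.129/25, 192.168.1.130/25 }"
dmz_www = "192.168.1.1/25"
dmz_dns = "192.168.1.3/25"
match in on egress inet proto tcp from any to any port { http, https } rdr-to $dmz_www
match in on egress inet proto { tcp, udp } from any to any port 53 rdr-to $dmz_dns
pass in on $ext_if proto { tcp, udp } from any to $dmz_www port { http, https } flags S/SA synproxy state
"""
SYSCTL_CONF = "#net.inet.ip.forwarding=1\n"  # constructed: the sysctl from post #2 still commented out

def parse_macros(conf):
    # 'name = "value"' lines; pf.conf allows the quotes to be omitted
    macros = {}
    for line in conf.splitlines():
        m = re.match(r'^\s*(\w+)\s*=\s*"?(.*?)"?\s*$', line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros

def lint(conf):
    # Heuristic checks only (pfctl -nf is the real parser): host bits under a prefix, TCP-only options on non-TCP protocols, rdr-to targets nothing passes to
    findings = []
    for name, val in parse_macros(conf).items():
        for tok in re.findall(r'\d+\.\d+\.\d+\.\d+/\d+', val):
            net = ipaddress.ip_network(tok, strict=False)  # mask host bits as pf does when matching
            if net.prefixlen < 32 and tok.split('/')[0] != str(net.network_address):
                findings.append(f"{name}: {tok} selects the netblock {net}, not a single host")
    rdr_targets, pass_in_targets = set(), set()
    for line in conf.splitlines():
        words = line.split('#')[0].split()
        if not words or words[0] not in ('pass', 'match', 'block'):
            continue
        m = re.search(r'proto\s+(\{[^}]*\}|\S+)', line)
        protos = set(re.findall(r'\w+', m.group(1))) if m else set()
        if protos - {'tcp'} and ('flags' in words or 'synproxy' in words):
            findings.append(f"TCP-only option used with {sorted(protos)}: {line.strip()}")
        rdr_targets.update(re.findall(r'rdr-to\s+(\S+)', line))
        if words[:2] == ['pass', 'in']:  # the 'to' of from/to, not the one inside rdr-to
            pass_in_targets.update(re.findall(r'(?<![-\w])to\s+(\S+)', line))
    for target in sorted(rdr_targets - pass_in_targets):
        findings.append(f"rdr-to {target} has no 'pass in ... to {target}' rule")
    return findings

def forwarding_enabled(sysctl_conf):
    return any(l.split('#')[0].replace(' ', '') == 'net.inet.ip.forwarding=1' for l in sysctl_conf.splitlines())  # uncommented lines only
```

Run lint(PF_CONF) and forwarding_enabled(SYSCTL_CONF) against your own files by reading them in; pfctl -nf /etc/pf.conf remains the authoritative syntax check.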