OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 3rd January 2011
afcelie afcelie is offline
New User
 
Join Date: Dec 2010
Posts: 8
Thanked 0 Times in 0 Posts
Pf.conf issues

I am trying to get NAT working but I think I don't see it.
Below is an example of my config file.
I do have Apache running locally for now.

# cat pf.conf
web_serv_int = "192.168.7.232"
web_serv_ext = "192.168.1.1"
# gateways

set skip on lo
#
block in all
#block in quick on em0 from 192.168.0.0/16 to any
block in quick on em0 from 172.16.0.0/12 to any
block in quick on em0 from 10.0.0.0/8 to any
block in quick on em0 from 127.0.0.0/8 to any
block in quick on em0 from 0.0.0.0/8 to any
block in quick on em0 from 169.254.0.0/16 to any
block in quick on em0 from 192.0.2.0/24 to any
block in quick on em0 from 204.152.64.0/23 to any
block in quick on em0 from 224.0.0.0/3 to any
#pass in quick on em0 from 192.168.1.0/24 to any
#pass out all

tcp_services = "{ ssh, smtp, www, domain, pop3, auth, pop3s }"
udp_services = "{ domain }"

#Network address translations
pass on em0 from $web_serv_int to any binat-to $web_serv_ext

#Rules
pass in proto tcp to port $tcp_services
pass proto udp to port $udp_services
pass out on em1 from 192.168.7.232 to any nat-to 192.168.1.1
#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
#2
3rd January 2011
jggimi

I can't make sense of this configuration file, by itself. Nor, honestly, could I make any from your previous thread where you posted a confusing pf.conf and an intermediate shell script from your builder program.

What I can tell looking at this alone, due to a lack of any additional information:

  • You have two NICs configured, em0 and em1.
  • You are attempting to use both bi-directional NAT (binat-to) and standard NAT (nat-to) at the same time.
  • You have a default block design.
  • You have a series of block in rules which are defined as "quick" -- preventing any later pass rules from being evaluated. I cannot tell if that is intentional, but all traffic originating from any of those subnets will always be blocked, no matter how many subsequent pass rules are defined.
Some other things to note:
  • You are still using "lo" rather than "lo0". Please see my comments about "lo" in your previous thread.
  • You are blocking inbound X traffic -- but by default on OpenBSD, X listens on loopback only. See /usr/X11/xdm/{Xservers,Xaccess}. X is not normally used on a dedicated firewall anyway.
All I know of your environment is from your other thread:

  • You are currently testing in a virtual machine.
  • You intend to have a dual firewall configuration.
Everything else I could add is conjecture. Questions come to mind:

  • I'm confused about a commented rule mentioning 192.168/16 -- if that is a valid subnet, then I do not understand how a 192.168.7 address could be internal, and a 192.168.1 address could be external. Both addresses are on the same subnet.
  • Your only standard NAT traffic must originate on the "inner" web server at 192.168.7.232. Any other traffic from your "inner" network will not be translated. Was this intentional?
  • BINAT and NAT rules for 192.168.7.232 are both included, as mentioned above, but only the NAT rule will apply.
  • You set a variable for 192.168.7.232 but then refer to the address anyway.
I recommend you post the following information, since when you submit questions you leave a great deal out:

  1. Your intended functionality -- what are you actually trying to do here?
  2. Your network topology -- what are the addresses of em0 and em1? The netmasks? (This is critical, especially if 192.168 addresses use a netmask of 255.255.0.0 -- that would show a broken topology.)
#3
3rd January 2011
afcelie

Thanks for the quick reply.

My network topology is normally an outside address range with 64 IP addresses.
My firewall needs to be able to do NAT to several web servers (5), all with different functions; 2 can, for instance, be load balanced in the future.
I also need to access a mail server, an SFTP server, and special ports.
Say, for instance, my external address range is 84.12.34.1 till 84.12.34.63.
My internal network behind the firewall is 192.168.1.0/24.
My NICs are named em0, em2, em3, and I have the lo0 interface.
#4
3rd January 2011
jggimi

Afcelie, you have set up a test system with addresses not mentioned in your description. It was not quite what I was looking for. I'm interested in the test environment, and what you intend there.

First, please edit your post, above, and remove your actual Internet addresses from your post. There is no reason to publish information that, combined with a configuration file (with possible errors) might provide a vector to an attacker.

Second, post the following information, since perhaps I wasn't clear.

1) For your test environment: Either post the entire output of "ifconfig" from the OpenBSD system, or, post the IP addresses and netmasks for em0 and em1. That's really what I was looking for.

2) For your network topology, barely described in your prior thread and here, what does the layout look like? (Now, or intended) For example -- and in these examples, any of the individual firewalls can be multiple systems with CARP for redundancy:

A) Did you intend to have your internet-exposed servers in a tiered DMZ, such as:
Code:
{internet} [fw1] exposed servers [fw2] inner servers and user workstations
B) Or did you mean a single bastion firewall configuration, with no DMZ, such as:

Code:
{internet} [fw] all servers and workstations
C) Or did you mean a single bastion firewall configuration, with separate DMZ, such as:

Code:
{internet} [fw] inner servers and workstations
            |
       exposed servers
If you have the flexibility and budget, option A would be preferable, as the inner servers (database, application servers) would be protected from any direct attack from the Internet. The vector would have to come from the DMZ. And the connections from the DMZ inward should be extremely restrictive.

I hope you can see from this simple set of three alternative designs that what you've posted so far has not been of sufficient clarity, nor your questions specific.
#5
3rd January 2011
afcelie

I want to use a setup like this:

Internet --> FW (2 clustered) --> DMZ --> FW (2 clustered) --> Trusted Zone.
This is what it needs to be finally.
We now have a setup with Ubuntu servers, but I think OpenBSD is more secure than Ubuntu and a bit lighter.
So it is option A which is suitable.
Here is my ifconfig also:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
priority: 0
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:d8:0a:35
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 192.168.1.231 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::20c:29ff:fed8:a35%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:d8:0a:3f
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 192.168.7.231 netmask 0xffffff00 broadcast 192.168.7.255
inet6 fe80::20c:29ff:fed8:a3f%em1 prefixlen 64 scopeid 0x2
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:d8:0a:49
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 192.168.9.231 netmask 0xffffff00 broadcast 192.168.9.255
inet6 fe80::20c:29ff:fed8:a49%em2 prefixlen 64 scopeid 0x3
enc0: flags=0<>
priority: 0
groups: enc
status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
priority: 0
groups: pflog
#6
3rd January 2011
jggimi

Thank you. Again, please edit your post above, and remove reference to your 84.x.x.x addresses, for reasons of limiting exposure to future attack.

---

Your test system has three /24 subnets, and uses the same address for the final octet: 192.168.{1,7,9}.231/24 -- and based on the test PF configuration you provided at the top of this thread, you are using subnet 1 as an external network, and subnet 7 as an internal network. Subnet 9 is not involved yet.
  • Confirm you have already turned on IP forwarding as described in FAQ 6.2.7.
Bi-directional NAT has undergone changes over the years. As of 4.7, internally it no longer exists. Instead, it creates a standard NAT rule outbound, and a port forwarding or complete redirection inbound. However, the pf.conf rules are such that you can code address pools and translate entire subnets with a single line. To use your simple example from above, the single rule in pf.conf:
Code:
pass from 192.168.7.232 to any binat-to 192.168.1.1
converts to the following set of rules internally:
Code:
pass out inet from 192.168.7.232 to any flags S/SA keep state nat-to 192.168.1.1 static-port
pass in inet from any to 192.168.1.1 flags S/SA keep state rdr-to 192.168.7.232
Your follow-on nat-to rule would have replaced the first nat-to, as it would be the last matching rule. I assume the rdr-to would still have been in place.

Please let me know if you are still confused. If there is something that is not working correctly, please, be very clear when you ask again, and include details of what is not working.

Last edited by jggimi; 3rd January 2011 at 09:19 PM.
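The two behaviours discussed in this thread, the binat-to expansion into a nat-to/rdr-to pair (post #6) and the fact that a later matching nat-to rule replaces an earlier one while a matching "quick" block rule ends evaluation (posts #2 and #6), as a small added checker. This is example code written for this thread, not code from either poster or from OpenBSD's pf itself. It assumes a constructed pf.conf modelled on the one at the top of the thread, with single-host or CIDR sources only (no address lists or tables), reproduces only the expansion jggimi quotes, and deliberately changes the nat-to target to 192.168.1.2 so the override is visible.

```python
import ipaddress
import re

# Constructed pf.conf fragment modelled on the one posted in this thread.
# The trailing nat-to target is 192.168.1.2 (not .1) so the override shows up.
SAMPLE_PF_CONF = """\
web_serv_int = "192.168.7.232"
web_serv_ext = "192.168.1.1"
block in all
block in quick on em0 from 10.0.0.0/8 to any
pass from $web_serv_int to any binat-to $web_serv_ext
pass out on em1 from 192.168.7.232 to any nat-to 192.168.1.2
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
BINAT_RE = re.compile(r"^pass from (\S+) to any binat-to (\S+)$")


def load_rules(text):
    """Return rule lines with comments stripped and $macros substituted."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name, value in macros.items():
            line = line.replace("$" + name, value)
        rules.append(line)
    return rules


def expand_binat(rules):
    """Rewrite each simple binat-to rule into the nat-to/rdr-to pair quoted in post #6."""
    out = []
    for rule in rules:
        m = BINAT_RE.match(rule)
        if m:
            inner, ext = m.groups()
            out.append(f"pass out inet from {inner} to any flags S/SA keep state "
                       f"nat-to {ext} static-port")
            out.append(f"pass in inet from any to {ext} flags S/SA keep state "
                       f"rdr-to {inner}")
        else:
            out.append(rule)
    return out


def parse(rule):
    """Pull out the fields this checker cares about from one block/pass line."""
    tok = rule.split()
    r = {"action": tok[0], "quick": "quick" in tok, "dir": None,
         "iface": None, "src": "any", "xlate": None, "text": rule}
    if len(tok) > 1 and tok[1] in ("in", "out"):
        r["dir"] = tok[1]
    for i, t in enumerate(tok):
        if t == "on":
            r["iface"] = tok[i + 1]
        elif t == "from":
            r["src"] = tok[i + 1]
        elif t in ("nat-to", "rdr-to", "binat-to"):
            r["xlate"] = (t, tok[i + 1])
    return r


def src_matches(src, ip):
    """Single host or CIDR only; 'any' always matches (constructed simplification)."""
    if src == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(src, strict=False)


def winning_nat(rules, ip, iface):
    """Outbound translation for a packet from ip leaving iface.

    pf semantics as the thread states them: the last matching rule wins,
    except that a matching 'quick' rule ends evaluation immediately.
    Returns the nat-to target of the winning pass rule, or None if the
    packet is blocked or the winning rule carries no translation.
    """
    last = None
    for r in map(parse, expand_binat(rules)):
        if r["dir"] not in (None, "out") or r["iface"] not in (None, iface):
            continue
        if not src_matches(r["src"], ip):
            continue
        last = r
        if r["quick"]:
            break
    if last is None or last["action"] != "pass":
        return None
    if last["xlate"] and last["xlate"][0] == "nat-to":
        return last["xlate"][1]
    return None


def quick_blocks(rules):
    """The 'block ... quick' rules jggimi warns about: nothing after them is evaluated."""
    return [r for r in rules if r.startswith("block") and " quick " in r]


if __name__ == "__main__":
    rules = load_rules(SAMPLE_PF_CONF)
    for line in expand_binat(rules):
        print(line)
    print("quick blocks:", quick_blocks(rules))
    print("out em1:", winning_nat(rules, "192.168.7.232", "em1"))
    print("out em0:", winning_nat(rules, "192.168.7.232", "em0"))
```

Run as a script it prints the expanded rule set and shows that traffic from 192.168.7.232 leaving em1 is translated to 192.168.1.2 (the later nat-to rule wins), while the same host leaving em0 still gets 192.168.1.1 from the expanded binat-to rule, which is the point jggimi makes about the follow-on nat-to rule. The matcher also shows the other pf pitfall implied by last-match semantics: a later matching pass rule without nat-to would leave the packet untranslated.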