DaemonForums  


OpenBSD Security Functionally paranoid!

#1
2nd June 2008
maurobottone (Real Name: Mauro Bottone), Port Guard
DMZ for two network users...

I need to create a DMZ for 192.168.0.13 and 192.168.0.14.
Reading the pf howto, I see the redirection section; it lets me choose port forwarding for each masqueraded IP, but I need to pass in and pass out everything to and from the two IPs: I need only these users to skip the firewall rules...except the queueing rules.
How can I do this?
Thanks.
__________________
"Non ex regula ius sumatur, sed ex iure quod est regula fiat."

Last edited by maurobottone; 2nd June 2008 at 08:45 AM.
#2
2nd June 2008
maurobottone (Real Name: Mauro Bottone), Port Guard

I'll try to explain my wishes better:
I've a PS3 that should use UPnP to open the ports every time it needs them for online gaming...now I'm using "miniupnpd", but I would rather not use it: is there any way to open ALL TCP and UDP ports for the PS3 (192.168.0.13), for incoming and outgoing connections, in my pf.conf?
Thanks.
#3
2nd June 2008
BSDfan666 (Real Name: N/A, this is the interweb.), Helpful companion

Why forward all "TCP" ports? According to this, UDP 3658 is all you need... additional ports are listed in that article; it's definitely a better idea to set up a pf(4) ruleset... UPnP and DMZ are drastically insecure.

EDIT: Scroll down to "NAT Type 3" in that article, that's where the related information is.

Last edited by BSDfan666; 2nd June 2008 at 02:00 PM.
#4
2nd June 2008
maurobottone (Real Name: Mauro Bottone), Port Guard

Thanks for the answer, BSDfan666.
I've already tried everything written in that article, but it doesn't work for me o_0 I always get "NAT Type 3" and I'm not able to play online...so I would try to open ALL TCP and UDP ports for only one IP of my LAN and see if the "NAT type" switches from 3 to 2.
Can you let me know how?
#5
2nd June 2008
BSDfan666 (Real Name: N/A, this is the interweb.), Helpful companion

If it didn't work, you probably didn't configure it properly... if you paste your pf configuration file here, perhaps one of our network gurus can help you fix the problem "without" blatantly setting up a DMZ?
#6
2nd June 2008
maurobottone (Real Name: Mauro Bottone), Port Guard

Here is my conf:

----------
Code:
### macros
int_if = "re0"
ext_if = "pppoe0"

tcp_services = "{ 20, 21, 22, 25, 80, 110, 113 }"
udp_service = "{ 53, 5060 }"

icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"

bnd_upstream="480Kb"
bnd_downstream="20480Kb"

host_usr1="192.168.0.1"
host_usr4="192.168.0.4"
host_usr5="192.168.0.5"
host_usr6="192.168.0.6"
host_usr8="192.168.0.8"
host_usr9="192.168.0.9"
host_usr10="192.168.0.10"
host_usr11="192.168.0.11"
host_usr12="192.168.0.12"
#host_usr13 = ps3 host
host_usr13="192.168.0.13"
host_usr14="192.168.0.14"
host_usr15="192.168.0.15"
host_usr16="192.168.0.16"



### options
set optimization normal
set block-policy return
set loginterface $ext_if
set skip on lo0


### scrub
scrub in all
scrub out on $ext_if max-mss 1440



### altq
altq on $ext_if cbq bandwidth $bnd_upstream   queue { up_def }
altq on $int_if cbq bandwidth $bnd_downstream queue { dn_def }

queue up_def    bandwidth   100% cbq(default) { up_host1 up_host4 up_host5 up_host6 up_host8 up_host9 up_host10 up_host11 up_host12 up_host13 up_host14 up_host15 up_host16 }
        queue up_host1   bandwidth    7% cbq(borrow)
        queue up_host4   bandwidth   10% cbq(borrow)
        queue up_host5   bandwidth   10% cbq(borrow)
        queue up_host6   bandwidth   10% cbq(borrow)
        queue up_host8   bandwidth    7% cbq(borrow)
        queue up_host9   bandwidth    7% cbq(borrow)
        queue up_host10  bandwidth    7% cbq(borrow)
        queue up_host11  bandwidth    7% cbq(borrow)
        queue up_host12  bandwidth    7% cbq(borrow)
        queue up_host13  bandwidth    7% cbq(borrow)
        queue up_host14  bandwidth    7% cbq(borrow)
        queue up_host15  bandwidth    7% cbq(borrow)
        queue up_host16  bandwidth    7% cbq(borrow)

queue dn_def    bandwidth   100% cbq(default) { dn_host1 dn_host4 dn_host5 dn_host6 dn_host8 dn_host9 dn_host10 dn_host11 dn_host12 dn_host13 dn_host14 dn_host15 dn_host16 }
        queue dn_host1   bandwidth    7% cbq(borrow)
        queue dn_host4   bandwidth   10% cbq(borrow)
        queue dn_host5   bandwidth   10% cbq(borrow)
        queue dn_host6   bandwidth   10% cbq(borrow)
        queue dn_host8   bandwidth    7% cbq(borrow)
        queue dn_host9   bandwidth    7% cbq(borrow)
        queue dn_host10  bandwidth    7% cbq(borrow)
        queue dn_host11  bandwidth    7% cbq(borrow)
        queue dn_host12  bandwidth    7% cbq(borrow)
        queue dn_host13  bandwidth    7% cbq(borrow)
        queue dn_host14  bandwidth    7% cbq(borrow)
        queue dn_host15  bandwidth    7% cbq(borrow)
        queue dn_host16  bandwidth    7% cbq(borrow)



### nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
#line for external program: miniupnpd (for ps3) *
#rdr-anchor miniupnpd
#redirects for anima, xaser and enjoy
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 4001:4005 -> $host_usr1
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1000:1020 -> $host_usr8
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port { 1021:1041, 3724, 6112 } -> $host_usr9
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1042:1062 -> $host_usr10
rdr pass on $ext_if proto udp from any to ($ext_if) port 3658 -> $host_usr13



### filter rules
block all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $int_if proto { tcp udp } from $host_usr1  to any queue up_host1
pass in on $int_if proto { tcp udp } from $host_usr4  to any queue up_host4
pass in on $int_if proto { tcp udp } from $host_usr5  to any queue up_host5
pass in on $int_if proto { tcp udp } from $host_usr6  to any queue up_host6
pass in on $int_if proto { tcp udp } from $host_usr8  to any queue up_host8
pass in on $int_if proto { tcp udp } from $host_usr9  to any queue up_host9
pass in on $int_if proto { tcp udp } from $host_usr10 to any queue up_host10
pass in on $int_if proto { tcp udp } from $host_usr11 to any queue up_host11
pass in on $int_if proto { tcp udp } from $host_usr12 to any queue up_host12
pass in on $int_if proto { tcp udp } from $host_usr13 to any queue up_host13
pass in on $int_if proto { tcp udp } from $host_usr14 to any queue up_host14
pass in on $int_if proto { tcp udp } from $host_usr15 to any queue up_host15
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host16

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_service keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any

pass out on $int_if proto { tcp udp } from any to $host_usr1  queue dn_host1
pass out on $int_if proto { tcp udp } from any to $host_usr4  queue dn_host4
pass out on $int_if proto { tcp udp } from any to $host_usr5  queue dn_host5
pass out on $int_if proto { tcp udp } from any to $host_usr6  queue dn_host6
pass out on $int_if proto { tcp udp } from any to $host_usr8  queue dn_host8
pass out on $int_if proto { tcp udp } from any to $host_usr9  queue dn_host9
pass out on $int_if proto { tcp udp } from any to $host_usr10 queue dn_host10
pass out on $int_if proto { tcp udp } from any to $host_usr11 queue dn_host11
pass out on $int_if proto { tcp udp } from any to $host_usr12 queue dn_host12
pass out on $int_if proto { tcp udp } from any to $host_usr13 queue dn_host13
pass out on $int_if proto { tcp udp } from any to $host_usr14 queue dn_host14
pass out on $int_if proto { tcp udp } from any to $host_usr15 queue dn_host15
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host16

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if from any to $int_if:network

#*
#anchor miniupnpd



###Deny spoofing
antispoof for $ext_if
antispoof for $int_if
----------
Thanks for the help

Last edited by maurobottone; 2nd June 2008 at 03:01 PM. Reason: [code][/code] :D
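Added example, not from the thread or the posted pf.conf: the fragment below puts the catch-all redirect that post #1 asks for next to the single-port redirect that post #3 recommends, in the pre-4.7 `rdr` syntax the posted config uses, and ends with the pflog check a practitioner would use to learn which further ports a device really needs. It assumes the `$ext_if`, `$int_if` and `$host_usr13` macros from the posted config.

```pf
# Added example, not the poster's config.  Assumes the $ext_if, $int_if
# and $host_usr13 macros defined in the posted pf.conf (pre-4.7 rdr syntax).

### Variant A: the "DMZ" asked for in post #1 (shown commented out).
# A rdr with no port clause hands every inbound TCP/UDP connection that
# reaches the external address to the console.  rdr rules are first-match,
# so it would have to come after the router's own port-specific rdr rules,
# and it exposes every service the console runs (or will run after a
# compromise) to the whole Internet, which is the objection raised in post #3.
# rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) -> $host_usr13

### Variant B: forward only what the article cited in post #3 calls for.
# "rdr pass" creates state and skips the filter for the redirected
# connection.  With a plain "rdr", a pass rule must match the TRANSLATED
# destination, because filter rules see the packet after translation:
#   rdr on $ext_if inet proto udp from any to ($ext_if) port 3658 -> $host_usr13
#   pass in on $ext_if inet proto udp from any to $host_usr13 port 3658 keep state
rdr pass on $ext_if inet proto udp from any to ($ext_if) port 3658 -> $host_usr13

# Outbound connections from the console are already allowed by the posted
# "pass in on $int_if ... from $host_usr13 ... queue up_host13" rule, so
# nothing extra is needed "for outgoing connections"; only inbound needs rdr.

### Instead of opening all ports, find out what is actually being blocked.
# While testing, replace "block all" with "block log all" so dropped
# packets are recorded on pflog0, then:
#   pfctl -nf /etc/pf.conf          # syntax check without loading
#   pfctl -f  /etc/pf.conf          # load the ruleset
#   tcpdump -n -e -ttt -i pflog0    # watch blocked packets and their ports
# Any port the console's service really needs shows up there and can be
# added as one more narrow rdr rule; switch back to "block all" afterwards.
```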
#7
2nd June 2008
BSDfan666 (Real Name: N/A, this is the interweb.), Helpful companion

Use [code][/code] tags please! That way formatting will be preserved.