DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 16th April 2012
whispersGhost's Avatar
whispersGhost whispersGhost is offline
Real Name: heather
Package Pilot
 
Join Date: May 2008
Location: ny
Posts: 168
Thanked 1 Time in 1 Post
Default Help please open port 8005 pf rule set

Hi
i miss you all

i haven't been using BSD in some years now since
my old server was Down.and Sickness in my family.

i have The old Server up and running with
OpenBSD 5.0 which i really am lost on the pf rules.

part of my pf.conf here

--------------------------------------------------------------------------
block in all
pass out all keep state
pass in on egress proto tcp from <nospand> to any port 8005
--------------------------------------------------------------------------
also
see here
----------------------------------------------------------------------------------------------------------
Config File :: /etc/apache2/httpd2 (THIS is where i made the listen change port from 80 to 8005)

start/stop :: /usr/local/sbin/apachectl2 (start|stop|restart|graceful|graceful-
----------------------------------------------------------------------------------------------------------
(((i did not realize OpenBSD already had the hardened version in here starting over from scratch)))

Config File :: /var/www/conf/httpd.conf
start/stop :: /usr/sbin/apachectl (start|startssl|stop|restart|graceful|

i removed apache 2.2 just now and am making another attempt to get this working properly
in the meantime can someone help me with the pf rule set i have below thank you.


Even if i disable my pf for some reason i cant get Apache to work properly on that port
i had set the proper listen to the port to 8005 in Apache for that to work.

it seems to work locally the Apache page comes up fine from that port

Even through my router i even set the computers 192.1xx.0.1 to port 8005 i had tried both or just tcp and still i can not connect.for some reason it only works when i type in the address locally
192.1xx.0.1:8005 apache page works fine

But when i try it with my actual ip address and port number it does not work

Even with pf disabled it wont work
----------------------------------------------------------------------------------------

i must have been sleeping for ages i cant remember if the last version i used was 4.0 or 4.7
but i do know the book on pf applied to both versions. but not the 5.0

Yes i did read the faq pages and still i am a little slow on understanding what to do unless its in my face as an Example.

My first mistake was i had two modems on my machine one i did not disable in my bios so that through me off quite a bit and i wound up entering the correct ip address and netmasks but for the wrong network adapter.

So then i plugged it into the correct card it to get a connection but by that time i believe the rules were already set to the using the other cards info.

Each time i tested the pf file and reloaded it nothing seemed to have changed at all.even block in and out.

So i decided to wipe it clean and installed a fresh version of 5.0 at shell with no desktop.

This New version i am not use to using yet.

yes i did all the web searching reading all the faq pages.i have all my old notes but they do not apply to the new version.

Please i only would like help with 3 things

i know OpenBSD is by default Secure but i do not thing pf has anything loaded into the rule set yet.

Can Someone show me a sample Rule set that i can apply that will do the following.

1)Block all
2)Block Ping
3)allow port 8005 for my web server.

in other words i do not want anything going in or out but i wish for the the web server to be active on port 8005

i do not wish to use mail Nor web surfing

Thank you all in advance
__________________
The journey is better then the destination

Last edited by whispersGhost; 16th April 2012 at 01:15 PM.
Reply With Quote
  #2   (View Single Post)  
Old 16th April 2012
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,894
Thanked 214 Times in 189 Posts
Default

Heather, welcome back!

First, I note you've edited this posting. Those who had already read it will not know you've edited it. In your additional information, which you top-posted, you wrote:
Quote:
part of my pf.conf here
You'll want to post the entire file, if you want us to review it. Partial information isn't very helpful.

I can't quite tell which apache server you have decided to run, either the built in Apache 1.3 or the Apache2 port. I do not think that is germane to your problem.

I also am clueless about your network configuration. Is your OpenBSD platform acting as a NAT router? If so, then even without seeing your PF configuration, I will assume your tests will always fail, proper configuration or not, if you are testing from behind the router.

The PF User's Guide chapter on Traffic Redirection (Port Forwarding) has this to say, highlights mine:
Quote:
Redirection and Reflection

Often, redirection rules are used to forward incoming connections from the Internet to a local server with a private address in the internal network or LAN, as in:
server = 192.168.1.40

pass in on $ext_if proto tcp from any to $ext_if port 80 \
rdr-to $server port 80
But when the redirection rule is tested from a client on the LAN, it doesn't work. The reason is that redirection rules apply only to packets that pass through the specified interface ($ext_if, the external interface, in the example). Connecting to the external address of the firewall from a host on the LAN, however, does not mean the packets will actually pass through its external interface. The TCP/IP stack on the firewall compares the destination address of incoming packets with its own addresses and aliases and detects connections to itself as soon as they have passed the internal interface. Such packets do not physically pass through the external interface, and the stack does not simulate such a passage in any way. Thus, PF never sees these packets on the external interface, and the redirection rule, specifying the external interface, does not apply.
That chapter continues with several alternative solutions for addressing a forwarded server from inside and outside a translated LAN network.
Reply With Quote
  #3   (View Single Post)  
Old 16th April 2012
whispersGhost's Avatar
whispersGhost whispersGhost is offline
Real Name: heather
Package Pilot
 
Join Date: May 2008
Location: ny
Posts: 168
Thanked 1 Time in 1 Post
Default Thank you

Thank you for the warm welcome

Sorry for all the edits i know i am a mess when it comes to typing.

Well first of all its gonna be difficult to send the log since i cant putty as root into my machine and i dont have permissions to read the file.

As for the pf.conf im using the default one that came with OpenBSD 5.0.

i really did not change anything in there nor did i uncomment any of it.

i only added a few lines that you saw but since it did not work i removed what i put in there.

The only rule i see in there is the default rule

block in on ! lo0 proto tcp to port 6000:6010

Everything else in that file is commented out by default.

OpenBSD 5.0 and apache 1.3

i seem to have configured it correctly to work locally with port 8005

But for some reason i cant login to it with my ip address and port xxx.xxx.xx.xxx:8005

but locally no problem on port 8005

Now you mentioned $ext

Dont i have to have somewhere in my pf file
$ext_if =lo0 or rd1? for that to work

Please forgive me if i cant get to the file its on another machine and as i mentioned, i made no major changes at all to the pf.conf

Forgive me once again its been so long since i touched BSD
__________________
The journey is better then the destination
Reply With Quote
  #4   (View Single Post)  
Old 16th April 2012
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,894
Thanked 214 Times in 189 Posts
Default

Quote:
Originally Posted by heatherval View Post
As for the pf.conf im using the default one that came with OpenBSD 5.0.
That' file contains 3 rules (if you eliminate the comments):
Code:
set skip on lo
pass
block in on ! lo0 proto tcp to port 6000:6010
Quote:
i seem to have configured it correctly to work locally with port 8005
There must be more lines, because in the three lines you posted there is a reference to a table which has not been defined.
Quote:
But for some reason i cant login to it with my ip address and port xxx.xxx.xx.xxx:8005

but locally no problem on port 8005

Now you mentioned $ext
No, the PF User's Guide mentions it. $ext is a commonly used macro definition that is assign to an external network interface.

Once you have access to root on the platform, please post a copy of pf.conf.

Meanwhile, if you could "draw" a picture of the network involved, that would aid my understanding, and limit the misinformation you receive from me.

Here is an example of such a picture, made with [code] and [/code] wrappers:
Code:
{internet} --- [OpenBSD] --- {192.168.0/24} -- [Servers]
                         --- {192.168.1/24} ---[Workstations]

Last edited by jggimi; 16th April 2012 at 05:31 PM. Reason: typo
Reply With Quote
  #5   (View Single Post)  
Old 16th April 2012
whispersGhost's Avatar
whispersGhost whispersGhost is offline
Real Name: heather
Package Pilot
 
Join Date: May 2008
Location: ny
Posts: 168
Thanked 1 Time in 1 Post
Default PF

UPDATE

(It seems to be ok now that i replaced ext_if= "r10" with ext_if ="lo0")

It does not hang on the pf reload this time

When i do pf-s rules my output is
Exaxtly what i typed plus the block drop in on ! lo0 proto tcp to any port 6000:6010 with no errors
__________________
The journey is better then the destination

Last edited by whispersGhost; 16th April 2012 at 05:59 PM.
Reply With Quote
  #6   (View Single Post)  
Old 16th April 2012
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,894
Thanked 214 Times in 189 Posts
Default

Your edit has deleted your post that contained a more complete pf.conf and your description of hung commands which indicate a problem well beyond misconfiguration.

As I received an Email of that, I'm aware of it but anyone else reading it after your edit will not have seen it.

Please don't edit posts to update status, just post a reply, to ensure you don't cause information loss.
Reply With Quote
  #7   (View Single Post)  
Old 16th April 2012
whispersGhost's Avatar
whispersGhost whispersGhost is offline
Real Name: heather
Package Pilot
 
Join Date: May 2008
Location: ny
Posts: 168
Thanked 1 Time in 1 Post
Default SOLVED PF

@jggimi

Thanks for your help everything worked out well.

The server seemed to only work locally

I know why i was unable to connect to my web server from outside.

i had gotten a vonage adapter a few months back which is hooked up behind my Modem then to my router.

That is was why it was blocking what i was trying to do.from the outside.

So rather then playing with all the vonage settings internal router i reversed the set up.

Cable modem to Router, Router to vonage adapter.

Rebooted and everything was successfully moving along smoothly and i was able to access the server.

The port numbers i referenced to were not the actual port numbers but only a guide.

At first i thought it was a bug with the apache server, so i installed 2.2 and renamed the old one to apache-bak.

Now that all is working i can delete 2.2 and use the 1.3 version which they say is the hardened version.

Thank you so much

Hm the reason i edit was at some time back i was told i should check my spelling if i intend to get a proper reply for help
__________________
The journey is better then the destination
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
PF rule to disable icmp? cyanide_christ OpenBSD Security 6 15th October 2009 05:35 AM
namp show me a 1720 open port ?? killa74 OpenBSD Security 11 11th February 2009 02:55 PM
pf: why is that rule not working? ivanatora FreeBSD General 14 11th December 2008 09:32 AM
PF wont open port despite rules... Dain_L OpenBSD Security 3 12th September 2008 01:14 AM
How to open port 80 on FreeBSD kapom FreeBSD General 14 19th June 2008 04:48 AM


All times are GMT. The time now is 10:48 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick