DaemonForums  

#1, 27th February 2013
petter (Port Guard; Join Date: Feb 2013; Posts: 12)
port redirection problem in pf

Hello, I'm new to OpenBSD. I'm having problems with port forwarding on my OpenBSD 5.2 DHCP server.
I have forwarded port 80 and port 443 to my web server. It's working from outside my local network, but it's not working to visit mydomain.com when I'm in my local network. What rule do I need to make this happen?
pf.conf:
Code:
# Set network interfaces
ext_if="em0" #internet
int_if="em1" #LAN

wwwserver = "192.168.1.12"
openvpn ="192.168.1.148"
windows ="192.168.1.15"

services = "{ http, https, domain }"

# Non-routable IP numbers
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8,
    0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3,
    255.255.255.255/32 }"

# Skip all loopback traffic
set skip on lo

# DEFAULT IS BLOCK IN FROM INTERNET, PASS ALL ELSE
block log all
pass on $int_if all
pass out on $ext_if all

block in log quick on $ext_if inet proto icmp from any to any icmp-type redir
block in quick on $ext_if from $nonroutable to any
block out quick on $ext_if from any to $nonroutable

# Allow inbound traffic on internal interface
pass quick on $int_if

# Protect against spoofing
antispoof quick for { lo $int_if }
#NAT
##web server##
pass in quick on $ext_if proto { tcp } from any to any port { http, https } flags S/SA rdr-to $wwwserver
##openvpn##
pass in quick on $ext_if proto { tcp, udp } from any to any port { 1194 } flags S/SA rdr-to $openvpn
pass in quick on $ext_if proto { tcp } from any to any port { 2301 } flags S/SA rdr-to $openvpn
##windows##
pass in quick on $ext_if proto { tcp, udp } from any to any port { 32400 } flags S/SA rdr-to $windows

block return-rst in log quick on $ext_if inet proto tcp from any to any
block return-icmp in log quick on $ext_if inet proto udp from any to any
block in quick on $ext_if all
#2, 27th February 2013
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 3,185)

This is normal. This issue is explained at http://www.openbsd.org/faq/pf/rdr.html#reflect
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3, 27th February 2013
petter (Port Guard; Join Date: Feb 2013; Posts: 12)
rdr-to nat did not work

I first tried this one:
Code:
pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } flags S/SA \
   rdr-to $wwwserver
pass out on $int_if proto tcp to $wwwserver port { http, https } flags S/SA \
   received-on $int_if nat-to $int_if
and then this one:
pf.conf:
Code:
pass in on $int_if proto tcp from $int_net to $ext_if port 80 \
   rdr-to 127.0.0.1 port 5000
inetd.conf:
Code:
127.0.0.1:5000 stream tcp nowait proxy /usr/bin/nc nc -w \
   20 192.168.1.12 80
None of them worked. I can't visit my web server from the local net. Any suggestions? Thanks.

Last edited by petter; 27th February 2013 at 11:54 PM.
#4, 27th February 2013
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 3,185)

Quote (Originally Posted by petter):
and then this one:
pf.conf:
Code:
pass in on $int_if proto tcp from $int_net to $ext_if port 80 \
   rdr-to 127.0.0.1 port 5000
inetd.conf:
Code:
127.0.0.1:5000 stream tcp nowait proxy /usr/bin/nc nc -w \
   20 192.168.1.10 80
None of them worked. I can't visit my web server from the local net. Any suggestions? Thanks.
The proxy is redirecting to 192.168.1.10, while in your case the web server is at 192.168.1.12.

Also make sure you restarted inetd. Does $ netstat -an -f inet confirm that the proxy is listening on port 5000?
#5, 27th February 2013
petter (Port Guard; Join Date: Feb 2013; Posts: 12)
*edit*

Copy-paste error.

The IP in my proxy was 192.168.1.12.
I did a reboot, but it did not help. Any suggestions?
tcp 0 0 127.0.0.1.5000 *.* LISTEN

pfctl -s rules:
pass in on em1 inet proto tcp from 192.168.1.0/24 to "my external ip" port = 80 flags S/SA rdr-to 127.0.0.1 port 5000

Last edited by petter; 27th February 2013 at 11:51 PM.
#6, 28th February 2013
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 3,185)

If I were you, I would first reorganize the pf.conf. Order the rules nicely by interface and direction. Add quick if you want to defeat pf's "the last matching rule wins" strategy.

For the internal interface this would look like this:
Code:
# ----- INTERNAL INTERFACE in
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to "my external ip" port = 80 flags S/SA rdr-to 127.0.0.1 port 5000

# ---- INTERNAL INTERFACE out
pass out quick on $int_if all
Also run tcpdump on the pflog0 device to check whether any rule blocks the HTTP traffic.
From another xterm run tcpdump on the internal interface to see the proxied packets (port 80).
#7, 28th February 2013
petter (Port Guard; Join Date: Feb 2013; Posts: 12)

I did change the pf.conf and used the quick statement, and all I could see in tcpdump from my IP address on the internal network card on the server is:
02:45:32.318181 192.168.1.1.ssh > 192.168.1.14.58767: P 30464:30864(400) ack 49 win 2172 <nop,nop,timestamp 3017630544 969479246> [tos 0x10]
That's all between me and the server; nothing interesting on the external network card.

This is from my Mac OS X:
01:50:55.378112 IP 192.168.1.14.65245 > "externalIP": Flags [S], seq 701491116, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 969744836 ecr 0,sackOK,eol], length
#8, 4th March 2013
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 3,185)

Did you manage to get this working?

I spent some time on this last night, but somehow became busier fighting proxy-arp on my wireless connection than debugging the proxy on 127.0.0.1:500
#9, 5th March 2013
petter (Port Guard; Join Date: Feb 2013; Posts: 12)

No, but I don't think the problem is the proxy. I'm a student living in a student apartment, and the school offers the internet connection. We have our own external IP with a domain apartment-nr-schoolname.no, and the web domain I bought is mydomain.com. When I'm trying to get to mydomain.com from my local network, the route was:

Code:
15:16:37.137129 192.168.1.14.51290 > apartment-nr-schoolname.no.www: S 546874096:546874096(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 753873359 0,sackOK,eol> (DF)

15:16:37.137148 apartment-nr-schoolname.no.www > 192.168.1.14.51290: R 0:0(0) ack 546874097 win 0
So I don't think the OpenBSD firewall likes this. And when I'm trying to go to apartment-nr-schoolname.no from another network, it doesn't work either.

And just some extra: mydomain.com works when I'm connected with VPN (PPTP or OpenVPN) to a server in my local network from the internet, with all the traffic sent over the VPN.

I don't have any idea how to fix this. I looked at split-horizon DNS, but it seems difficult for a beginner.

Last edited by petter; 6th March 2013 at 06:55 PM.
10th March 2013
petter (Port Guard; Join Date: Feb 2013; Posts: 12)

WTF??! It suddenly worked. I did nothing at all and the redirection started to work. Good for me ^^

Code:
pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } \
    rdr-to $wwwserver
pass out on $int_if proto tcp to $wwwserver port { http, https } \
    received-on $int_if nat-to $int_if
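A ruleset that puts J65nko's ordering advice (post #6) and the reflection rules that eventually worked (post #10) together, as an added example that is not from the thread or the OpenBSD FAQ. The int_net macro is assumed to be 192.168.1.0/24, since petter never posted its definition; the other macros are his from the first post.

```pf
# Added example, not from the thread: petter's macros plus the OpenBSD FAQ
# reflection rules, ordered by interface and direction with "quick" as
# J65nko suggested. int_net is an assumption (petter never posted it).
ext_if    = "em0"
int_if    = "em1"
int_net   = "192.168.1.0/24"
wwwserver = "192.168.1.12"

set skip on lo
block log all                     # default: block and log everything

# ----- INTERNAL INTERFACE in
# Reflection step 1: a LAN client connecting to the external address on
# 80/443 is redirected to the web server. This must come BEFORE the
# catch-all pass below: with "quick" the first match ends evaluation, so
# a catch-all placed first would win and the rdr-to would never apply.
pass in quick on $int_if inet proto tcp from $int_net to $ext_if \
    port { http, https } rdr-to $wwwserver
pass in quick on $int_if          # everything else from the LAN

# ----- INTERNAL INTERFACE out
# Reflection step 2: on the way out to the web server the client's
# address is replaced by the firewall's LAN address, so the reply goes
# back through the firewall instead of straight to the client (which
# would reset a connection it thinks it opened to the external IP).
pass out quick on $int_if inet proto tcp to $wwwserver \
    port { http, https } received-on $int_if nat-to $int_if
pass out quick on $int_if

# ----- EXTERNAL INTERFACE in
# Ordinary inbound forwarding for clients on the Internet.
pass in quick on $ext_if inet proto tcp to $ext_if \
    port { http, https } rdr-to $wwwserver
block return in log quick on $ext_if

# ----- EXTERNAL INTERFACE out
pass out quick on $ext_if
```

Load it with pfctl -nf /etc/pf.conf first to check the syntax, then watch pflog0 with tcpdump while connecting from a LAN client to confirm nothing is hitting the block rules.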
10th March 2013
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 3,185)

RE: split-horizon DNS

If you do not host the name server for your web server on your local LAN, you do not have to do a split-horizon DNS at all.

You can use the simple configuration described in BIND 9 : Caching and forward-only named.conf as a starting point. You only have to add something like:

Code:
zone "de.filo" in {
         type master ;
         file "master/de.filo" ;
 };
This will tell the caching and forwarding nameserver to forward all queries, except those for the "de.filo" domain.
These "de.filo" queries should be answered as an authoritative nameserver, using the "de.filo" zone file in the /var/named/master/ directory.

The "de.filo" example zone file can be found at Authoritative only BIND nameserver for local domain

I just tested this and the configuration file looks like this:
Code:
// Caching and forward only configuration

// Access Control List

acl  clients    {
    127.0.0.1 ; 192.168.222.0/24  ;
};

options {
    forward only ;
    forwarders { 192.168.222.10 ; } ; 
    allow-query { clients ; } ;
    // max-cache-size is in bytes : echo '2 * 1024^2' | bc
    max-cache-size 2097152 ; 
    empty-zones-enable yes;
} ;

zone "de.filo" in {
         type master ;
         file "master/de.filo" ;
 };

# After editing this file please use 'named-checkconf' to validate!
IMHO using DNS is the best solution to solve this issue.

In case you would like to give it a shot, first get this exact configuration working on your OBSD firewall and then adjust the name and contents of this zone file to match your internal web server data.