DaemonForums, OpenBSD Security forum
#1 (petter, 22nd March 2013)

redirect outgoing http

Hello, I have installed HAVP with ClamAV and AVG on an Ubuntu server on my LAN. How could I redirect outgoing HTTP traffic from the LAN to port 8080 on 192.168.1.11 (the Ubuntu server)?
I have an OpenBSD 5.2 DHCP server as my router.
Thanks.

#2 (jggimi, 22nd March 2013)

See the Traffic Redirection chapter of the PF User's Guide.

Your redirection rule might be something like:
Code:
pass in on $internal proto tcp from any to any port 80 \
   rdr-to 192.168.1.11 port 8080
Note that this will only redirect traffic based on TCP port number, not on underlying protocol; there is no inspection of TCP packet data payloads where the HTTP protocol is carried.
#3 (petter, 22nd March 2013)

Code:
pass in quick on $int_if proto tcp from any to any port 80 \
    rdr-to 192.168.1.11 port 8080

It did not work, I lost my web connection. But I also have a web server on my LAN. Does this cause troubles?

Code:
##web server##
pass in quick on $ext_if proto { tcp } from any to any port { http, https } flags S/SA rdr-to $wwwserver

pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } \
    rdr-to $wwwserver
pass out on $int_if proto tcp to $wwwserver port { http, https } \
    received-on $int_if nat-to $int_if
#4 (jggimi, 24th March 2013)

Quote (Originally Posted by petter):
pass in quick on $int_if proto tcp from any to any port 80 \
rdr-to 192.168.1.11 port 8080

it did not work, i lost my web connection...
You asked for traffic redirection. I have never used HAVP; however after your post about failure I Googled for a minute or two. HAVP is an HTTP Proxy, and could certainly be configured for use as an HTTP proxy in your client browsers, in the event you are unable to resolve this particular problem.
Quote:
..but i have also a webserver on my lan. does this cause troubles?
You have a conflict. The new redirection rule you added for the server at 192.168.1.11 conflicts directly with the redirection rule you already have for internal traffic headed outbound which you redirect to $wwwserver.

The new redirection rule is for any IP address with destination port 80. The existing redirection is for any $int_if traffic headed to $ext_if for destination ports 80 or 443. These two rules will both match the same traffic, and the last matching rule will be used.

I can't tell which rule is first or last, as you have only posted your pf.conf in fragments.

I'm not sure why you were already redirecting all outbound external HTTP/S traffic to your $wwwserver. However, if you wish to do this and also direct the exact same packets to your HAVP server, there is dup-to, which will duplicate the packets. Is that what you had in mind?

It may help if you start by explaining what it is you are actually trying to accomplish, then I (and others) may be able to make suggestions for possible solutions for you to consider.
#5 (petter, 24th March 2013)

I have configured OpenBSD 5.2 as a DHCP server/router. I have one internal network with servers and clients. One of my servers is running HAVP (HTTP Anti Virus Proxy) with ClamAV and AVG as scanners. I want to direct all HTTP traffic from my local network to port 8080 on my server running HAVP. I also have a web server with the HTTP/HTTPS ports directed from my local network.
Any suggestions for how to solve this, or could I use dup-to? Thanks.

P.S. I also have an extra network card I could use to create my own DMZ for the server network if that would be easier.
pf.conf:

Code:
# Set network interfaces
ext_if="em0" #internet
int_if="em1" #LAN
int_net="192.168.1.0/24"
wwwserver = "192.168.1.12"
openvpn ="192.168.1.148"
windows ="192.168.1.15"
# Non-routable IP numbers
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8,
    0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3,
    255.255.255.255/32 }"

# Skip all loopback traffic
set skip on lo

match in all scrub (no-df)

##external
# DEFAULT IS BLOCK IN FROM INTERNET, PASS ALL ELSE
block log all
pass out on $ext_if all

#nonroutable
block in quick on $ext_if from $nonroutable to any
block out quick on $ext_if from any to $nonroutable

##ssh-block##
table <ssh_block> persist file "/etc/ssh_block"
block drop in from <ssh_block> to any

##internal
# Allow inbound traffic on internal interface
pass  on $int_if all

# Protect against spoofing
antispoof quick for { $int_if, lo0 }


## Nat ##
pass out on $ext_if from $int_if:network to any nat-to ($ext_if)

#AV scan http traffic
 #pass in quick on $int_if proto tcp from any to any port 80 \
 # rdr-to 192.168.1.11 port 8080

##iptv
 #nrk1
  #pass in quick on $ext_if inet proto udp from any to any port 1234 rdr-to 192.168.1.14
  #pass quick on { $ext_if, $int_if } proto igmp allow-opts

##web server##
 pass in quick on $ext_if proto { tcp } from any to any port { http, https } flags S/SA rdr-to $wwwserver

 pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } \
     rdr-to $wwwserver
 pass out on $int_if proto tcp to $wwwserver port { http, https } \
     received-on $int_if nat-to $int_if
##openvpn-ubuntu##
 #openvpn#
  pass in quick on $ext_if proto { tcp, udp } from any to any port { 1194 } flags S/SA rdr-to $openvpn
  
  pass in on $int_if proto { tcp, udp } from $int_net to $ext_if port { 1194 } \
               rdr-to $openvpn
  
  pass out on $int_if proto { tcp, udp } to $openvpn port { 1194 } \
                received-on $int_if nat-to $int_if
 #ssh#
  pass in quick on $ext_if proto { tcp } from any to any port { 2301 } flags S/SA rdr-to $openvpn

##windows Server2012##
 #plex#
  pass in quick on $ext_if proto { tcp, udp } from any to any port { 32400 } flags S/SA rdr-to $windows

 ##Microsoft VPN
  #PPTP#
    pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 1723 \
        rdr-to $windows port 1723
  #L2TP#
    pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 1701 \
        rdr-to $windows port 1701

    pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 4500 \
        rdr-to $windows port 4500

    pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 500 \
        rdr-to $windows port 500
#6 (J65nko, 24th March 2013)

What you want is to use pf to implement a "transparent proxy". You intercept the http traffic and force it, or redirect it to the Ubuntu HAVP box.

https://en.wikipedia.org/wiki/Transp...nsparent_proxy explains some problems of using a transparent proxy. It would be better to tell your local LAN users to configure their browsers to use the Ubuntu HAVP proxy.

Then you can simply block all http traffic not originating from the proxy. This has a positive side effect. Now any blocked web traffic is a signal to you as system administrator that something is wrong with one of your LAN clients.

BTW I learned this from Nonesuch, a forum member at the now defunct bsdforums.org
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#7 (jggimi, 24th March 2013)

Quote (Originally Posted by petter):
...i have also a web server with http/https port directed from my local network...
This confuses me. At the moment, you have commented out the HAVP redirection. For this discussion, I have removed the comments:
Code:
.
.
.
pass in quick on $int_if proto tcp from any to any port 80 \
rdr-to 192.168.1.11 port 8080
.
.
.
pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } \
                 rdr-to $wwwserver
.
.
.
These two rules will affect the same traffic. The "http" port mentioned in the second rule is port 80, the same as in the first rule.
The names for standard port numbers are defined in /etc/services. The file structure is defined in the services(5) man page.
Both of your rules intercept all traffic sourced from your internal LAN destined for web servers reachable on your external network. Instead of letting the traffic pass to the destination requested, they redirect that traffic to local servers. The first rule redirects all traffic to your HAVP server, the second rule redirects the same traffic to your web server.

However, PF has a simple way of handling conflicts. The last matching rule wins. The first rule will be ignored, the second rule will apply, and all outbound traffic will be redirected to $wwwserver.
I do not understand why you are redirecting all outbound web traffic to your local web server. For example, with this rule set, if a workstation on your local network attempted to reach www.daemonforums.org, those requests would be redirected to your local web server instead. With this rule set, no outbound HTTP/S traffic is currently possible from your internal network.
While dup-to can replicate packets, keep in mind that HTTP and HTTPS are sent via TCP. TCP traffic is unicast and includes flow control, error detection and correction. Replicated traffic is likely to cause more problems than it solves, unless $wwwserver is not a web server at all but a passive monitor.
#8 (petter, 24th March 2013)

Code:
pass in quick on $int_if proto tcp from any to any port 80 \
    rdr-to 192.168.1.11 port 8080
This is commented out because it was not working, even if I comment out the rules for the wwwserver.

Code:
pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } \
    rdr-to $wwwserver
pass out on $int_if proto tcp to $wwwserver port { http, https } \
    received-on $int_if nat-to $int_if
Without these rules I can't visit my web server from my local LAN.

So you say that all my web traffic from the local network goes to the web server and from the web server to the internet? Then I could just use a system proxy on the web server to 192.168.1.11:8080 if it works?
#9 (jggimi, 25th March 2013)

My apologies. I made an error in my analysis. These rules are not the same. "On <interface>" is not the same as "from/to <interface>". Your rule for $wwwserver uses "to $ext_if", which maps to the address(es) assigned to the external interface itself. That rule does not redirect all traffic.

HAVP is an HTTP proxy. It would need to be configured as a transparent proxy in order to accept redirected traffic.
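A ruleset that puts the thread's conclusions together, as an added example that is not from any of the posts: HAVP is assumed to be running in transparent mode on 192.168.1.11 (post #9), the macros havp and havp_port are mine, and the interface and network names are the ones in petter's pf.conf. It also adds the reply-path nat-to that a redirect to a host on the clients' own segment needs (the same received-on/nat-to pattern petter's $wwwserver rules already use), and J65nko's egress rule that turns any non-proxy HTTP into a logged signal.

```conf
# Added example, not from the thread. Interface/network macros follow
# petter's pf.conf; havp and havp_port are assumed names.
ext_if="em0"
int_if="em1"
int_net="192.168.1.0/24"
havp="192.168.1.11"        # Ubuntu box running HAVP as a transparent proxy
havp_port="8080"

# 1. The proxy's own fetches leave the LAN untouched. Matching them first
#    (quick) keeps them out of the redirect below, which would otherwise
#    send HAVP's upstream requests straight back into HAVP.
pass in quick on $int_if proto tcp from $havp to ! $int_net port 80

# 2. Every other LAN client talking HTTP to a non-LAN address is sent to
#    HAVP. Requests for LAN hosts (the local $wwwserver, the router) do not
#    match, so they keep working with no proxy in the path.
pass in quick on $int_if proto tcp from $int_net to ! $int_net port 80 \
    rdr-to $havp port $havp_port

# 3. The redirected connection goes back out on $int_if to a host on the
#    same subnet as the client. Rewriting the source to the router makes
#    HAVP answer via pf instead of directly to the client, which would
#    otherwise drop a reply coming from an address it never asked for.
pass out quick on $int_if proto tcp to $havp port $havp_port \
    received-on $int_if nat-to ($int_if)

# 4. On the Internet side only the proxy may open port 80. Anything else
#    is logged and dropped: a hit in pflog means a client bypassed step 2.
pass out quick on $ext_if proto tcp from $havp to any port 80 nat-to ($ext_if)
block out log quick on $ext_if proto tcp to any port 80
```

HTTPS is deliberately left alone here: HAVP scans HTTP only, and a transparent proxy cannot inspect TLS without the clients trusting it, so port 443 continues through the ordinary nat-to rule.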