DaemonForums > OpenBSD > OpenBSD Security
#1, 5th December 2013, bsd_matt: Perfectly Frustrating/Part 2

The company I work for has a /26 subnet, and we have several servers (httpd, mail, ftp, ssh, etc.) that I need to poke holes in the firewall for to allow access.

Basic setup:
OBSD v5.4
em0 = Internet connection (all /26 public IP's are aliased in /etc/hostname.em0)
em1 = future DMZ
em2 = LAN (192.168.0.xxx)

Right now everything is on the LAN, my workstation and the servers.
I have a rule on the firewall that allows SSH access to my workstation as follows:
This works 100%

This is the result from tcpdump:
Code:
rule 2/(match) match in on em0: 72.38.43.86.2776 > 50.x.x.x.22: 
rule 13/(match) pass in on em0: 72.38.43.86.2776 > 192.168.0.191.22:
rule 11/(match) pass out on em2: 72.38.43.86.2776 > 192.168.0.191.22:
These are the rules in pf.conf that match:
Code:
RULE #2:   match in log all scrub (no-df)
RULE #13: pass in log on egress inet proto { tcp, udp } to $testing_pub_ip port { ssh } rdr-to $bsd_matt
RULE #11: pass in log on { $int_if }
As I said, this works perfectly. What doesn't work is if I add a rule to allow a hole for another computer (i.e. ssh access to a different computer).
New Line:
Code:
pass in log on egress inet proto { tcp, udp } to $sync_pub_ip port { ssh } rdr-to $netfs
tcpdump looks like it's working:

rule 2/(match) match in on em0: 72.38.43.86.3553 > 50.x.x.x.22
rule 15/(match) pass in on em0: 72.38.43.86.3553 > 192.168.0.152.22
rule 11/(match) pass out on em2: 72.38.43.86.3553 > 192.168.0.152.22

But the server at 192.168.0.152 never sees the ssh attempt. By watching:

tail -f /var/log/auth.log


So in summary:
I have a line in my pf.conf that works perfectly, but it only connects to one computer. When I edit it to connect to other computers it doesn't work..

Last edited by ocicat; 5th December 2013 at 04:42 PM. Reason: fixed incorrect [/code] tag
#2, 5th December 2013, bsd_matt

Sanitized pf.conf

Code:
ext_if="em0"
int_if="em2"

testing_pub_ip          =       "50.x.x.a"
sync_pub_ip             =       "50.x.x.b"

netfs               =       "192.168.0.152"
workstation     =       "192.168.0.191"

icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

set block-policy drop
set loginterface egress
set limit { states 1000000, src-nodes 100000, tables 1000000, table-entries 1000000 }
set skip on lo0

match in log all scrub (no-df)

# NAT
match out log on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for egress
block in log quick on egress from urpf-failed
block in log quick from no-route to any

# No IPv6 please
block in quick inet6 all
block out quick inet6 all

block in log all

# Let your traffic go through to the internet
pass out log quick inet keep state

# Allow all LAN traffic
pass in log on { $int_if }

pass in log on egress inet proto { tcp, udp } to $testing_pub_ip port { ssh } rdr-to $workstation
pass in log on egress inet proto { tcp, udp } to $sync_pub_ip port { ssh } rdr-to $netfs

Last edited by ocicat; 5th December 2013 at 05:47 PM. Reason: fixed yet another incorrect [/code] tag
#3, 5th December 2013, jggimi

Hello, again.

All I can see that jumps out at me is your second pass/rdr-to rule uses a different matching address. As with your last thread, I have limited information, so I wonder if $sync_pub_ip is a valid listening address.

I would also run tcpdump with em2, because if packets are flowing to $netfs on em2, the problem is external to your router.
#4, 5th December 2013, bsd_matt

I figured it out!!!!

My problem was that all the other devices on my network were using a different gateway than this new firewall I was setting up.

My workstation worked because I 'converted' it first!!!
Note to future readers: Make sure your default Gateway is the same device on all devices you are testing against.

Last edited by bsd_matt; 5th December 2013 at 08:01 PM. Reason: spelling
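On the router, the wrong-gateway failure shows up as rdr-to states that never leave SYN_SENT:CLOSED: pf forwarded the SYN to the internal host, but the SYN-ACK went out through the other gateway and never came back through the firewall (sshd only logs to auth.log once the TCP connection completes, which is why the tail showed nothing). The following is an added example, not from this thread, that flags such states in `pfctl -ss` output; the state table it parses is constructed and the `find_stuck_rdr_states` name is my own.

```shell
#!/bin/sh
# Added example: flag pf states created by an rdr-to rule that never completed
# the TCP handshake. A state stuck in SYN_SENT:CLOSED means the firewall sent
# the SYN to the internal host but never saw the reply pass back through it,
# the symptom of an internal host using a different default gateway.
#
# Input: output of `pfctl -ss` on stdin. Translated states print the original
# (public) destination in parentheses, e.g.:
#   all tcp 192.168.0.152:22 (50.x.x.b:22) <- 72.38.43.86:3553   SYN_SENT:CLOSED

find_stuck_rdr_states() {
    awk '
        # fields: all tcp <internal> (<public>) <- <client> <state>
        $4 ~ /^\(/ && $5 == "<-" && $NF == "SYN_SENT:CLOSED" {
            printf "%s <- %s\n", $3, $6
        }
    '
}

# Constructed sample state table so the script runs stand-alone:
# the workstation redirect completed, the $netfs redirect is stuck, and
# an ordinary outbound state is present for contrast.
SAMPLE_STATES='all tcp 192.168.0.191:22 (50.x.x.a:22) <- 72.38.43.86:2776       ESTABLISHED:ESTABLISHED
all tcp 192.168.0.152:22 (50.x.x.b:22) <- 72.38.43.86:3553       SYN_SENT:CLOSED
all tcp 192.168.0.191:55000 -> 192.0.2.10:443       ESTABLISHED:ESTABLISHED'

# On a live OpenBSD router the equivalent is: pfctl -ss | find_stuck_rdr_states
printf '%s\n' "$SAMPLE_STATES" | find_stuck_rdr_states
```

A hit for an internal host whose default route is not the firewall's LAN address is the asymmetric-routing case this thread ran into.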
#5, 5th December 2013, jggimi

I'm glad you were able to resolve the problem!