#1, roggy, 6th August 2015

Problem with PF

Dear,

I have the following rules on the link below for a test environment.
http://pastebin.com/BGHQvfRu

All IPs, with the exception of 192.168.50.4 are redirected to the proxy on port 8080.
I wonder how do I get requests coming from IP 192.168.50.2 on port 80 and 443 bound for 200.200.200.200, are not redirected to port 8080.
Below the proxy rules, I tried the following rule and not worked.
Code:
match in on $INT_INTERNAL proto tcp from 192.168.50.2 to 200.200.200.200 port { 80 443 }
Thanks!!

Last edited by ocicat; 6th August 2015 at 02:05 PM. Reason: Please use [code] & [/code] tags when posting configurations.
#2, ocicat (Administrator), 6th August 2015

Please provide the output of the following command:

$ sysctl kern.version
#3, roggy, 6th August 2015

root@srv01~# sysctl kern.version
kern.version=OpenBSD 5.5 (GENERIC) #276: Wed Mar 5 09:57:06 MST 2014
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
#4, roggy, 12th August 2015

Could it be a bug?
#5, Oko (Rc.conf Instructor), 12th August 2015

Quote:
Originally Posted by christianoliberato
Could it be a bug?
Who cares? That system is unsupported. Only 5.6 and 5.7 are currently supported and 5.6 is very close to the end of its life.
#6, jggimi, 12th August 2015

Don't be rude, Oko. 5.5 is no longer receiving patches, but we can still try to help with problem analysis.

-----

Match rules are not the same as block and pass. They are evaluated for every packet. The "last matching rule" state does not apply.

Therefore, to set up an exception rule, consider applying the rdr-to option on the pass rules instead of on match rules.

1. General case pass with rdr-to.
2. Exception case pass without rdr-to.

This way, the last-matching rule (2) would apply to the exception, and it would not have rdr-to applied to the rule.
#7, roggy, 12th August 2015

jggimi,

then you are saying to use
Quote:
pass in on $INT_INTERNAL proto tcp from <NOPROXY> to any port 80 rdr-to $HOST_PROXY port 8080
pass in on $INT_INTERNAL proto tcp from <NOPROXY> to any port 443 rdr-to $HOST_PROXY port 8080
pass in on $INT_INTERNAL proto tcp from 192.168.50.2 to 200.200.200.200 port { 80 443 }
as opposed to
Quote:
match in on $INT_INTERNAL proto tcp from <NOPROXY> to any port 80 rdr-to $HOST_PROXY port 8080
match in on $INT_INTERNAL proto tcp from <NOPROXY> to any port 443 rdr-to $HOST_PROXY port 8080
match in on $INT_INTERNAL proto tcp from 192.168.50.2 to 200.200.200.200 port { 80 443 }
?
#8, jggimi, 12th August 2015

Basically, yes. But you will need to revise your later pass rules, as last-matching-rule will apply.

A match rule is used to set options for later block/pass rules. These are commonly used for broad application, such as for NAT, or logging.

The match rules are less helpful for this particular use-case.
#9, roggy, 13th August 2015

Quote:
Originally Posted by jggimi
Basically, yes. But you will need to revise your later pass rules, as last-matching-rule will apply.

A match rule is used to set options for later block/pass rules. These are commonly used for broad application, such as for NAT, or logging.

The match rules are less helpful for this particular use-case.
Using
Quote:
pass in on $INT_INTERNAL proto tcp from <NOPROXY> to any port 80 rdr-to $HOST_PROXY port 8080
pass in on $INT_INTERNAL proto tcp from <NOPROXY> to any port 443 rdr-to $HOST_PROXY port 8080
pass in on $INT_INTERNAL proto tcp from 192.168.50.2 to 200.200.200.200 port { 80 443 }
all IPs on the network pass off the proxy.
I honestly do not know what else to do.
#10, jggimi, 13th August 2015

The quick option can help you locate your error.

If you add a quick option to the third rule, and the platform at 192.168.50.2 no longer uses the proxy, there is a follow-on rule which matches this traffic, overriding the third rule. This is because the quick option is used to end further rule evaluation.

If the quick option does not change behavior, then there are two possibilities: 1) either the rule does not match the traffic, or, 2) you have a match rule in the ruleset that is setting the rdr-to option.

If you enable logging for your rules, you can use tcpdump(8) with pflog(4) to see exactly which rule is being applied to the traffic.
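The two behaviours jggimi describes above (match options stick for every packet; pass is last-match-wins unless quick ends evaluation) can be reproduced with a small Python model of PF's rule walk. This is an added example, not code from the thread or from PF itself; the NOPROXY membership, the proxy address and the trailing general pass rule are assumptions standing in for the poster's pastebin ruleset.

```python
from collections import namedtuple
# Toy model of PF's rule walk (added example, not pfctl). Constructed values:
# <NOPROXY> stands in for the poster's table (all hosts except 192.168.50.4)
# and the trailing bare "pass" for a broader rule later in the ruleset.
PROXY = "192.168.50.4:8080"
NOPROXY = {"192.168.50.2", "192.168.50.3"}
Rule = namedtuple("Rule", "action src dst ports rdr quick")

def rule(action, src="any", dst="any", ports=None, rdr=None, quick=False):
    return Rule(action, src, dst, ports, rdr, quick)

def matches(r, pkt):
    src, dst, port = pkt
    srcs = NOPROXY if r.src == "<NOPROXY>" else {r.src}
    return ((r.src == "any" or src in srcs) and (r.dst == "any" or dst == r.dst)
            and (r.ports is None or port in r.ports))

def evaluate(rules, pkt):
    """Return (verdict, rdr-to target or None) for one inbound packet.
    match: options apply every time the rule matches and stick (a match rule
    without rdr-to does not undo an earlier one).  pass/block: the last match
    wins unless 'quick' ends the walk; only that rule's own rdr-to applies."""
    rdr, last = None, None
    for r in rules:
        if not matches(r, pkt):
            continue
        if r.action == "match":
            rdr = r.rdr or rdr
            continue
        last = r
        if r.quick:
            break
    if last is None:
        return "pass", rdr              # nothing matched: PF's default pass
    return last.action, (last.rdr or rdr)

EXCEPTION = dict(src="192.168.50.2", dst="200.200.200.200", ports={80, 443})
RDR80 = dict(src="<NOPROXY>", ports={80}, rdr=PROXY)
RDR443 = dict(src="<NOPROXY>", ports={443}, rdr=PROXY)
# Post #1: exception as a match rule; the earlier match's rdr-to sticks.
MATCH_RULESET = [rule("match", **RDR80), rule("match", **RDR443),
                 rule("match", **EXCEPTION), rule("pass")]
# Post #9: pass rules, but the broader pass rule is last match for everyone.
PASS_RULESET = [rule("pass", **RDR80), rule("pass", **RDR443),
                rule("pass", **EXCEPTION), rule("pass")]
# Posts #10/#11: exception first and quick, rdr-to rules next and quick.
QUICK_RULESET = [rule("pass", quick=True, **EXCEPTION),
                 rule("pass", quick=True, **RDR80),
                 rule("pass", quick=True, **RDR443), rule("pass")]
```

Running evaluate over the three rulesets with the same packets shows why 192.168.50.2 was still proxied in post #1, why everyone bypassed the proxy in post #9, and why quick plus reordering fixed it.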
#11, roggy, 24th August 2015

Sorry for not answering before. I completely forgot ...
Your suggestion of quick worked. I shifted the position of some rules and the environment worked correctly.
Thank you!!