DaemonForums > OpenBSD > OpenBSD Security (Functionally paranoid!)

Thread: Need help with pf rules

#1  26th January 2021
notooth (Shell Scout; Join Date: Jul 2015; Posts: 125)
Hello,

I have a VM with an IP 10.0.0.5 on an OpenBSD host. I want to send all of the VM's traffic through Tor on the host, so I added this rule to the host's default pf.conf:
Code:
pass in proto { udp tcp } from 10.0.0.0/24 to any port domain rdr-to 127.0.0.1 port 9050
The result is that the VM cannot access the internet. Can anyone help me fix this?
#2  27th January 2021
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)
The rule will redirect ONLY matching traffic:
  • UDP or TCP
  • From the 10.0.0.0/24 network
  • To any IPv4 address with a destination port "domain" -- that's port number 53, as defined in /etc/services. Port 53 is the standard destination port number for the Domain Name System.
All of the traffic from 10.0.0.0/24 destined for domain name servers will match and use this redirection. Any other network traffic -- such as traffic destined to HTTP/HTTPS servers -- will not match and will not use this redirection rule.

Last edited by jggimi; 27th January 2021 at 02:50 AM. Reason: clarity
#3  27th January 2021
notooth
I got a new rule, but it didn't work either:
Code:
pass in proto { udp tcp } from 10.0.0/24 to { any !192.168.1/24 } rdr-to 127.0.0.1 port 9050
#4  27th January 2021
jggimi
Your new rule does not apply the "!192.168.1/24" filter, because of the combination with any within the braces. Test this with # pfctl -sr
#5  27th January 2021
notooth
It is fine if the rule does not apply the "!192.168.1/24", but it should redirect the internet packets through Tor. In fact, the VM cannot access the internet at all.
#6  27th January 2021
jggimi
Add the log option to your rules, so that you can then inspect which rules actually pass or block your traffic with something like # tcpdump -ni pflog0. Assigned rule numbers can be seen with # pfctl -vvsr. It is a lot faster to see your own traffic pass and block, than it is to post a rule or two on a forum and wait with hope that someone can figure out what may be happening.
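An added example of the transparent-Tor setup the thread is trying to reach; it is not from any post above and not the project's or the posters' configuration. Two things about the posted rules are worth pinning down. First, as post #2 says, "port domain" only catches DNS, so nothing but name lookups was ever redirected. Second, port 9050 is Tor's SocksPort: it expects a SOCKS handshake from the client, so redirecting raw TCP or UDP to it cannot carry the VM's traffic. Transparent proxying needs Tor's TransPort (TCP) and DNSPort (UDP 53) instead, and a final rule that drops whatever the two redirects do not match, so nothing leaks around Tor. The interface name tap0, the ports 9040 and 5353, and the torrc lines are assumptions; the VM network 10.0.0.0/24 is the one from post #1.

```conf
# /etc/pf.conf fragment for the OpenBSD host (added example, not from the thread)
#
# Assumed names (not given in the thread):
#   tap0         the host-side interface the VM's packets arrive on
#   10.0.0.0/24  the VM network (10.0.0.5 is the VM from post #1)
#   tor(1) on the host configured in /etc/tor/torrc with:
#       TransPort 127.0.0.1:9040
#       DNSPort   127.0.0.1:5353
#       TransProxyType pf-divert
#   Port 9050 is Tor's SOCKS listener; it expects a SOCKS handshake and is
#   not a transparent-proxy target.

vm_if   = "tap0"
vm_net  = "10.0.0.0/24"
tor_dns = "5353"
tor_tcp = "9040"

# 1. DNS from the VM is answered by Tor's DNSPort, so names are resolved
#    through Tor and never leave the host in the clear. The rdr-to target
#    is the DNSPort, not 9050.
pass in log quick on $vm_if inet proto udp from $vm_net to any port domain \
    rdr-to 127.0.0.1 port $tor_dns

# 2. Every other TCP connection from the VM is handed to Tor's TransPort.
#    divert-to delivers the packets to the local socket while keeping the
#    original destination for Tor to read (TransProxyType pf-divert).
#    rdr-to also works with Tor's default TransProxyType, but then Tor has
#    to look the original destination up through /dev/pf.
pass in log quick on $vm_if inet proto tcp from $vm_net to any \
    divert-to 127.0.0.1 port $tor_tcp

# 3. Anything else arriving from the VM (other UDP, ICMP, IPv6) is refused,
#    so nothing can reach the internet around Tor. With "quick" on all three
#    rules the first match wins, so the order you read is the order applied.
block return in log quick on $vm_if

# Checks (as root), in the spirit of post #6:
#   pfctl -nf /etc/pf.conf         syntax check without loading
#   pfctl -f /etc/pf.conf          load the ruleset
#   pfctl -vvsr                    rules with their numbers and match counters
#   tcpdump -n -e -ttt -i pflog0   which rule passed or blocked each VM packet
```

The "log" on every rule is what makes the tcpdump check useful: each pflog line names the rule number that matched, so a packet from 10.0.0.5 that shows up against the block rule instead of one of the redirects tells you immediately which direction, protocol or port the redirect missed.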
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick