OpenBSD Security: Functionally paranoid!
|
|||
OpenBSD NAT router + pf + suricata
I will update this post as I progress toward a working setup, so I myself can use it next time I reinstall, or somebody else googling might.
I am no expert. Hope somebody will find a thing or two to improve, and comment on it.

I have an OpenBSD firewall with PF. It gets fiber broadband in on em3. I have a network for internal usage on em2 (don't want Tor / P2P). I have a network for guests on re0 (don't want Tor / P2P).

Thanks to: https://www.solrac.nl/openbsd-firewall-pf/

Part 1: Enable NAT

/etc/sysctl.conf
Code:
net.inet.ip.forwarding=1

(I used hours trying different pf.conf, when this was the problem.)
Code:
sysctl | grep forward
Code:
net.inet.ip.forwarding=1

Part 2: PF

/etc/pf.conf
Code:
# Create blocks that are variable
ext_if="em3"
int_if="em2"
int_if2="re0"
icmp_types="echoreq"

# Bruters
table <bruters> persist file "/etc/bruters"
block quick from <bruters>

# Badhosts -DE
table <badhosts> persist file "/etc/badhosts"
block in quick on egress from <badhosts>

# Badstuff
table <badstuff> persist file "/etc/badstuff"
block drop out log (all) quick on $ext_if from any to <badstuff>

# Max new ssh connections 4 pr 7200s, pr ip
pass quick proto tcp from any to any port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 4/7200, \
    overload <bruters> flush global)

# Skip all loopback traffic
set skip on lo

# Perform NAT on external interface
match out on $ext_if from $int_if:network to any nat-to $ext_if
match out on $ext_if from $int_if2:network to any nat-to $ext_if

# Define default behavior
block in
pass out keep state

# Allow inbound traffic on internal interface
pass quick on $int_if
pass quick on $int_if2

# Protect against spoofing
antispoof quick for { lo $int_if $int_if2 }

# Allow other traffic
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state

# Let suricata listen
pass out quick on egress inet proto tcp to port 80 divert-packet port 700

Script to download IP of bad actors from blocklist.de and send these to badhosts.
Code:
#!/bin/ksh
# Fetch the blocklist.de aggregate list, install it as the <badhosts>
# table file and reload pf.conf so the table is re-read
set -e
ftp -o /tmp/all.txt https://lists.blocklist.de/lists/all.txt
cat /tmp/all.txt > /etc/badhosts
pfctl -f /etc/pf.conf
exit

Part 4: Suricata
Code:
pkg_add suricata
Code:
suricata-update
Code:
rcctl set suricata flags -i em3

Last edited by psypro; 5th November 2020 at 07:15 PM.
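A hardened variant of the blocklist script above, added here as an example and not part of the original post. The posted script copies whatever the download returns straight into /etc/badhosts and reloads the whole ruleset; this version keeps only lines that parse as IPv4 addresses or prefixes (so an HTML error page or a truncated download cannot end up in the table), refuses to install an empty result, and swaps the live table with `pfctl -t badhosts -T replace` instead of re-parsing pf.conf. It assumes the table name <badhosts> and the file /etc/badhosts from the pf.conf above; IPv6 entries are dropped, and the sample list at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: validate a downloaded blocklist before
# handing it to pf, and replace the <badhosts> table in place.
# Assumptions: table <badhosts> and file /etc/badhosts as in the thread's
# pf.conf; IPv4 only. SAMPLE_LIST below is constructed test data.

# filter_addrs: read candidate lines on stdin, print only well-formed IPv4
# addresses or IPv4 CIDR prefixes; comments, blank lines and junk are dropped.
filter_addrs() {
    awk '
    function octet_ok(o) { return (o ~ /^[0-9]+$/ && o + 0 <= 255) }
    {
        sub(/\r$/, "")                 # tolerate CRLF line endings
        sub(/[ \t]*#.*$/, "")          # strip trailing comments
        gsub(/^[ \t]+|[ \t]+$/, "")    # trim surrounding whitespace
        if ($0 == "") next
        n = split($0, parts, "/")
        if (n > 2) next
        if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) next
        if (split(parts[1], o, ".") != 4) next
        if (!(octet_ok(o[1]) && octet_ok(o[2]) && octet_ok(o[3]) && octet_ok(o[4]))) next
        print
    }'
}

# count_addrs FILE: number of valid entries FILE yields after filtering
count_addrs() {
    filter_addrs < "$1" | wc -l | tr -d ' '
}

# load_badhosts: fetch, filter, install atomically, then replace the live
# table. Returns non-zero and keeps the old table if nothing valid came back.
load_badhosts() {
    url="https://lists.blocklist.de/lists/all.txt"
    tmp=$(mktemp /tmp/badhosts.XXXXXX) || return 1
    ftp -o - "$url" | filter_addrs > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "badhosts: no valid addresses fetched, keeping old table" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" /etc/badhosts
    pfctl -t badhosts -T replace -f /etc/badhosts
}

# Constructed sample of what a download might contain, including junk that
# must never reach pf. Only the three valid IPv4 lines survive filtering.
SAMPLE_LIST='# constructed sample, not real blocklist data
192.0.2.1
198.51.100.0/24
203.0.113.7   # trailing comment
2001:db8::1
not-an-address
256.1.1.1
<html>download failed</html>'

# On the router, run as root: load_badhosts
# Offline demonstration of the filter on the constructed sample:
printf '%s\n' "$SAMPLE_LIST" | filter_addrs
```

Run `load_badhosts` from cron instead of the original script; because the table is replaced through pfctl's table interface, a syntax problem elsewhere in pf.conf can no longer turn a routine list refresh into a failed ruleset load.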
|
|||
With this command suricata will start in the command line.
Code:
suricata -c suricata.yaml -s signatures.rules -i re0
Code:
3/11/2020 -- 19:28:15 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - could not open: "/etc/suricata/classification.config": No such file or directory
3/11/2020 -- 19:28:15 - <Error> - [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "classification-file" option in your suricata.yaml file
3/11/2020 -- 19:28:15 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata/reference.config": No such file or directory
3/11/2020 -- 19:28:15 - <Error> - [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "reference-config-file" option in your suricata.yaml file
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/app-layer-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/decoder-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/dns-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/files.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/http-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/smtp-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/stream-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/tls-events.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern signatures.rules
3/11/2020 -- 19:28:15 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 9 rule files specified, but no rule was loaded at all!
3/11/2020 -- 19:28:15 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
Code:
rcctl start suricata
suricata(failed)
Code:
rcctl -d start suricata
doing _rc_parse_conf
doing _rc_quirks
suricata_flags >-i em3rcctl set suricata flags -i em3<
doing rc_check
suricata
doing rc_start
doing _rc_wait start
doing rc_check
3/11/2020 -- 19:40:16 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
3/11/2020 -- 19:40:16 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'em3rcctl': Device not configured (6)
3/11/2020 -- 19:40:16 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'em3rcctl': Device not configured (6)
3/11/2020 -- 19:40:16 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!
doing _rc_rm_runfile
(failed)

Last edited by psypro; 3rd November 2020 at 06:41 PM.
|
|||
rm the suricata pid file. Then it starts with rcctl.
suricata is starting to fill in information in /var/log/suricata/fastlog
|
|||
Can you detail the types of NIC on that machine that are involved in this router setup?
__________________
FreeBSD 13-STABLE
|
|||
Code:
ifconfig
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 7 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:18
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:19
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:20
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em3: flags=808843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
        lladdr XXXXXXXXXXX
        index 4 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr c0:3f:d5:ee:9d:0b
        index 5 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
enc0: flags=0<>
        index 6 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
        index 8 priority 0 llprio 3
        groups: pflog
|
|||
I added:
Code:
stream:
  checksum-validation: auto

Auto will turn off checksum-validation if it keeps giving errors, from what I understand. Why is it recommended to turn it ON, and then drop the packets? If one is to use checksum-validation it can't be offloaded to hardware, and in OpenBSD this is standard for hardware with the Intel em driver and re driver to do.
Code:
Outbound packets don't have a correct checksum yet due to checksum
offloading, therefore suricata will log "SURICATA TCPv4 invalid checksum"
and ignore these packets. To workaround this set the following in
suricata.yaml:

  stream:
    checksum-validation: yes

Also adjust the configuration to drop packets:

  - drop:
      enabled: yes
|
|||
Part of suricata.yaml
Add your own IP ranges.
Code:
## Step 1: inform Suricata about your network
##
vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.1.0/24,192.168.0.0/24]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
|
|||
Hi psypro,
Did you write the suricata settings into /etc/rc.d/suricata? If you did not then the rcctl daemon won't start, and it does not know where your config files are. Hope this helps.
BR SimpL

Last edited by SimpL; 9th November 2020 at 09:03 AM.
|
|||
Code:
# cat /etc/rc.conf.local
dhcpd_flags=
pkg_scripts=suricata
suricata_flags=-d 700
unbound_flags=
# rcctl check suricata
suricata(ok)
|
|||
Wrong file there Psypro
I meant this: /etc/rc.d/suricata
Code:
#!/bin/ksh
#
# $OpenBSD: suricata.rc,v 1.2 2018/02/15 16:19:41 ajacoutot Exp $

# XXXXXXX is the network card you want suricata to run on
daemon="/usr/local/bin/suricata -D -c /etc/suricata/suricata.yaml -s /var/suricata/rules/suricata.rules -i XXXXXXX"

. /etc/rc.d/rc.subr

rc_cmd $1

This file is responsible for the suricata daemon. If you don't set this then the daemon won't work properly.
|
|||
With your rc.d guide I get suricata running, from the command line.
But the recommendation from pkg_readme does not work. Running 6.9 beta.

/etc/rc.d/suricata
Code:
#!/bin/ksh
#
# $OpenBSD: suricata.rc,v 1.2 2018/02/15 16:19:41 ajacoutot Exp $

daemon="/usr/local/bin/suricata -D -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i re0"

. /etc/rc.d/rc.subr

rc_cmd $1
Code:
rcctl enable suricata
rcctl: service suricata does not exist
|
|||
Did you make the rc file executable?
Actually, why are you modifying the rc.d/suricata file at all? Write all of your flags into suricata_flags in rc.conf.local.

Last edited by TronDD; 3rd April 2021 at 03:12 PM.
|
|||
Thank you TronDD. I was trying to follow the advice: "Wrong file there Psypro
I meant this: /etc/rc.d/suricata". Was about to ask a question about that. Reading a webpage about it: https://www.oreilly.com/library/view...d_scripts.html

I will revert back to the original rc.d/suricata, and put the changes into rc.conf.local.

/etc/rc.conf.local
Code:
dhcpd_flags=
unbound_flags=
pkg_scripts="suricata"
suricata_flags="-c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i re0"

/etc/rc.d/suricata
Code:
#!/bin/ksh
#
# $OpenBSD: suricata.rc,v 1.3 2021/01/31 18:03:49 sthen Exp $

daemon="/usr/local/bin/suricata -D"

. /etc/rc.d/rc.subr

rc_pre() {
	/usr/bin/install -d -o _suricata -g _suricata -m 0750 /var/run/suricata
}

rc_cmd $1

Last edited by psypro; 3rd April 2021 at 03:43 PM.
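Since the flags now live in rc.conf.local, a small preflight check run before `rcctl start suricata` would have caught the three failures that appear earlier in this thread: the mangled interface value (`-i em3rcctl set suricata flags -i em3`, which suricata reported as "Device not configured"), a config file that cannot be read, and a rules file that is missing or empty (the "no rule was loaded at all" warning). The script below is an added example, not code from the thread or from the suricata port. The interface list and file paths are passed in as arguments so it can be exercised offline; the call at the bottom is constructed from the thread's rcctl -d and ifconfig output.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a suricata_flags value
# before handing it to rcctl. Interface list and paths come from the caller,
# so the functions can be tested without an OpenBSD router at hand.

# flag_value FLAGS OPT: print the argument that follows OPT in FLAGS.
# Returns 1 when OPT is absent or has no argument.
flag_value() {
    _opt=$2
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "$_opt" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# preflight_suricata FLAGS IFACES: print one line per problem found.
# IFACES is a space-separated list of interface names (as from ifconfig).
# Returns 0 only when no problem was found.
preflight_suricata() {
    _flags=$1
    _ifaces=$2
    _bad=0
    _if=$(flag_value "$_flags" -i) || { echo "no -i <interface> in flags"; _bad=1; }
    if [ -n "$_if" ]; then
        case " $_ifaces " in
            *" $_if "*) ;;
            *) echo "interface '$_if' not found (typo or mangled flags?)"; _bad=1 ;;
        esac
    fi
    # suricata falls back to /etc/suricata/suricata.yaml when -c is not given
    _cfg=$(flag_value "$_flags" -c) || _cfg=/etc/suricata/suricata.yaml
    [ -r "$_cfg" ] || { echo "config '$_cfg' is not readable"; _bad=1; }
    _rules=$(flag_value "$_flags" -s) || _rules=""
    if [ -n "$_rules" ] && [ ! -s "$_rules" ]; then
        echo "rules file '$_rules' is missing or empty (run suricata-update)"
        _bad=1
    fi
    return $_bad
}

# On the router you would run, as root:
#   preflight_suricata "$(rcctl get suricata flags)" \
#       "$(ifconfig | sed -n 's/^\([a-z0-9]*\): .*/\1/p')" && rcctl start suricata
# Offline demonstration with the mangled flags from the thread and the
# interface names from the ifconfig post (constructed call):
preflight_suricata "-i em3rcctl set suricata flags -i em3" \
    "lo0 em0 em1 em2 em3 re0 enc0 pflog0" || echo "preflight failed; fix rc.conf.local first"
```

The interface check is the one that matters most here: suricata only warns about an ioctl failure on a bogus interface and then keeps going, so the real cause of the failed start (a pasted command ending up inside the flags value) is easy to miss in the rcctl -d output.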
|
|||
I can now start suricata with rcctl. But it "dies". I guess it happens when it goes from the "root" user process to the "suricata" user process. I see it in the "top" command.
Code:
Firestorm# rcctl start suricata
suricata(ok)
Firestorm# top
Firestorm# nano /etc/rc.conf.local
Firestorm# top
Firestorm# rcctl check suricata
suricata(failed)
Code:
_suricata:*:800:800:Suricata Account:/nonexistent:/sbin/nologin
|
|||
I did not make any progress. Vacation ended. Might give it a try next vacation.
Last edited by psypro; 21st April 2021 at 02:28 PM.
|
|||
Hi again
Sorry, was not on the forum for a while. So:
Code:
rcctl enable suricata   # run daemon on startup
rcctl start suricata

You get it working. What I'm curious about is what happens when you do this:
Code:
rcctl stop suricata
suricata-update
rcctl restart suricata

If it's not running then you can skip the stop. The update should run the update and see if you get the things you need to work. If there is a problem maybe the directory access is not ok, and suricata can't write or read the dir. If there is an error beside that then it is what you must check. Try checking /var/log/messages. If there are any errors then post them and maybe we can see the problem there.

btw: passwd:
Code:
_suricata:*:800:800:Suricata Account:/nonexistent:/sbin/nologin
Code:
_suricat xxx etcetcetc:) /usr/local/bin/suricata -D -c /etc/suricata/suricata.yaml -s /var/suricata/rules/suricata.rules -i em0 -F /etc/suricata
Code:
#!/bin/ksh
#
# $OpenBSD: suricata.rc,v 1.2 2018/02/15 16:19:41 ajacoutot Exp $

daemon="/usr/local/bin/suricata -D -c /etc/suricata/suricata.yaml -s /var/suricata/rules/suricata.rules -i em0 -F /etc/suricata/whitelist.bpf"

. /etc/rc.d/rc.subr

rc_cmd $1

rc.conf.local:
Code:
pkg_scripts=suricata

Last edited by SimpL; 28th April 2021 at 02:39 PM.
|
|