DaemonForums > OpenBSD > OpenBSD Security

#1
Old 25th April 2021
dnslc
Port Guard
Join Date: Jun 2020
Location: Australia
Posts: 24

PF default deny NAT help

I am having trouble doing NAT between 2 interfaces with PF.
Here is my setup:

--------fxp0-----[computer]--(rum0)

fxp0 is the `main' internet connection coming in from an ethernet cable
rum0 is a USB Wireless Access Point.

I want to be able to connect to rum0 and access the internet through fxp0.

Here is a simple way of doing that:
Code:
$ cat /etc/pf.conf
pass out on fxp0 from rum0:network to any nat-to (fxp0)
(I have rum0 setup with DHCPd and /etc/hostname.rum0 etc.)

So with that pf.conf I can connect to rum0 and access the internet.

However, I would like to setup PF to do this through a default deny stance.

Here is what I have tried:
Code:
# default deny policy
block all

# allow all traffic coming in(to this computer(fxp0)) from rum0
pass in on rum0
pass out on fxp0

# DNS
pass quick proto {tcp, udp} from any to any port 53 keep state

# SSH on 192.168.0/24, in case I am locked out
pass proto tcp from fxp0:network to port ssh

# NAT
pass out on fxp0 from rum0:network to any nat-to (fxp0)
With this pf.conf however I am unable to even ping 172.16.0.1 (rum0) when I connect to it from another computer. I obviously also do not have access to the internet either.
Reverting back to the simple 1 line:
Code:
pass out on fxp0 from rum0:network to any nat-to (fxp0)
fixes everything though.

Thank you for any help.
#2
Old 25th April 2021
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

The options "in", "out" and "on" can be confusing. They limit what rules match. In this case, I will guess that any stateless response traffic (such as a ping response) is currently blocked from returning out on rum0, because it does not match your general pass rules.

While building your rules, it is always beneficial to add the "log" option to your pass and block rules and trace rule matching on the pflog(4) pseudo-NIC with tcpdump(8). That way, you can see what traffic is passed or blocked, and by which rule number.
#3
Old 26th April 2021
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

I may not understand your network topology correctly. I wonder how you can log in through your fxp0 interface while it is facing the internet?

Anyway, what about something like this?:
Code:
# -----
set skip on lo0

TCP_SERVICES = "{ domain, https, http }"
UDP_SERVICES = "{ domain, ntp }"

# ---- NAT
match out log on egress inet from ! egress to any nat-to (egress)

# --- rule set

# --- default deny policy
# To see what is being blocked: # tcpdump -eni pflog0
block log all

# --- TCP outgoing
pass out quick proto tcp from any to any port $TCP_SERVICES

# SSH on 192.168.0/24, in case I am locked out
pass quick proto tcp from fxp0:network to port ssh
#pass quick proto tcp from egress:network to port ssh
pass quick proto tcp from rum0:network to port ssh

# --- UDP outgoing
pass out quick proto udp from any to any port $UDP_SERVICES

# --- Wireless USB access point
pass quick on rum0
  • This ruleset just lets everything in on the USB access point rum0.
  • It applies filter rules on traffic that is heading out for the Big Bad Internet.
  • Traffic that is not allowed out is blocked and logged by the default deny policy.
  • Traffic that is OK to go out, is NATted with the match rule.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 26th April 2021 at 09:25 PM. Reason: Not quite understanding how fxp0 can be used to log in
#4
Old 30th April 2021
dnslc
Port Guard
Join Date: Jun 2020
Location: Australia
Posts: 24
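The matching semantics jggimi and J65nko are relying on (rules read top to bottom, last match wins, "quick" stops evaluation, "match" and macros never decide pass/block) are easy to check on paper with a small model. The following Python is an added illustration, not code from this thread or from pf(4): it parses a pf.conf-style ruleset into constraints, evaluates a packet that matches no existing state, compares addresses as plain labels such as "rum0:network", and ignores NAT and state tracking. The rulesets it carries are constructed copies of post #1's attempt and of the "pass quick on rum0" line from post #3.

```python
"""Toy model of PF filter-rule matching: rules are read top to bottom and the
LAST matching rule wins, unless a matching rule says 'quick', which ends the
evaluation at once. Illustration only, not pf(4); state and NAT are ignored."""
import re

KEYS = {"on": "on", "proto": "proto", "from": "src", "to": "dst", "port": "port"}

def parse_ruleset(text):
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()
        m = re.match(r'(\w+)\s*=\s*"(.*)"', line)
        if m:  # macro definition, e.g. TCP_SERVICES = "{ domain, https, http }"
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        toks = re.findall(r"\{[^}]*\}|\S+", line)
        if not toks or toks[0] not in ("block", "pass"):
            continue  # blank, 'set skip' or 'match ... nat-to': no pass/block verdict
        rule = {"text": line, "action": toks[0], "quick": "quick" in toks}
        i = 1
        while i < len(toks):
            if toks[i] in ("in", "out"):
                rule["dir"] = {toks[i]}
            elif toks[i] in KEYS and i + 1 < len(toks) and toks[i + 1] != "port":
                i += 1  # 'to port ssh' carries no address, so dst stays 'any'
                vals = set(re.findall(r"[\w:.]+", toks[i]))  # expands {tcp, udp}
                rule[KEYS[toks[i - 1]]] = None if vals == {"any"} else vals
            i += 1
        rules.append(rule)
    return rules

def evaluate(rules, pkt):
    """Return (verdict, rule text) for pkt = dict(dir, on, proto, src, dst, port)."""
    verdict = ("pass", "no rule matched (pf default)")
    for r in rules:
        if any(r.get(k) and pkt.get(k) not in r[k] for k in ("dir", "on", "proto", "src", "dst", "port")):
            continue  # a constraint of this rule does not fit the packet
        verdict = (r["action"], r["text"])
        if r["quick"]:
            break
    return verdict

# Constructed copy of the ruleset from post #1, and the line post #3 adds.
OP_RULESET = """block all
pass in on rum0
pass out on fxp0
pass quick proto {tcp, udp} from any to any port 53 keep state
pass proto tcp from fxp0:network to port ssh
pass out on fxp0 from rum0:network to any nat-to (fxp0)"""
FIXED_RULESET = OP_RULESET + "\npass quick on rum0"
```

Feeding it an ICMP reply leaving on rum0 with no state entry ends at "block all" under OP_RULESET and at "pass quick on rum0" under FIXED_RULESET, which is the behaviour jggimi guessed at; the same client's DNS query forwarded out on fxp0 is already passed by the quick port 53 rule in both.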

Quote:
Originally Posted by J65nko
I may not understand your network topology correctly. I wonder how you can log in through your fxp0 interface while it is facing the internet?

Anyway, what about something like this?:
[ruleset quoted in full in post #3 above]
This works great, thank you.

fxp0 is actually from a switch so that is how I can ssh from it.