#1 (11th July 2022)
TCH, Shell Scout (Join Date: Mar 2017, Posts: 85)
Separate filter rules for two ethernet devices

If I have two ethernet devices, say rl0 and msk0, and I would like to block all incoming traffic on all ports except port 80 and 443, but only on msk0, then is that possible?
#2 (11th July 2022)
jggimi, More noise than signal (Join Date: May 2008, Location: USA, Posts: 7,977)

With PF, because it is "last matching rule wins," I find it easiest to start with the most general rule first, then work my way to more specific rules.

If I've understood your use case correctly, something like this:
Code:
block in all
pass in proto tcp to (msk0) port {80 443}
  • With TCP and UDP, every packet has two port numbers: a destination port number where a service is listening, and that's what we always think of when we think of ports -- but there is also a source port number used by the initiating system.
  • In PF, you can filter on either port number.
  • Destination port numbers follow the destination IP address, which follows after "to".
  • There is an implied "from any port any" in front of the "to" in this second rule. And "port any" isn't correct syntax, but if you don't specify a source port then any source port will match.

Last edited by jggimi; 11th July 2022 at 12:45 PM. Reason: syntax clarity
#3 (11th July 2022)
TCH, Shell Scout (Join Date: Mar 2017, Posts: 85)

Thanks, so this has to go into pf.conf?

Also, won't this block everything on rl0 too? I would only like to block everything on msk0 and apply no filter on rl0.
#4 (11th July 2022)
jggimi, More noise than signal (Join Date: May 2008, Location: USA, Posts: 7,977)

Quote (Originally Posted by TCH):
Thanks, so this has to go into pf.conf?
Yes, the default PF configuration file is /etc/pf.conf.
Quote (Originally Posted by TCH):
Also, will not this block all on rl0 too? I only would like to block everything on msk0 and apply no filter on rl0.
It is very easy for us to misunderstand one another, which is why I started with the caveat about understanding your use case. I'd interpreted your first post above as blocking all inbound traffic except the two destination ports on msk0. To block all incoming traffic only on msk0, revise the first line accordingly:
Code:
block in on msk0
pass in proto tcp to (msk0) port {80 443}
For more information on configuring PF, you should start with the PF User's Guide.
#5 (11th July 2022)
TCH, Shell Scout (Join Date: Mar 2017, Posts: 85)

First I was going to say that, because I had explicitly said "but only on msk0", but you're actually right: my statement can be interpreted either as "block everything, but enable 80 and 440 on msk0", or as "block everything on msk0, but 80 and 440".

Anyway, thank you very much, that will perfectly do it.
#6 (11th July 2022)
TCH, Shell Scout (Join Date: Mar 2017, Posts: 85)

BTW, this will work, even if msk0 is PPPoE, right?
#7 (11th July 2022)
jggimi, More noise than signal (Join Date: May 2008, Location: USA, Posts: 7,977)

An empty PF configuration file will pass all traffic on all interfaces, as if you'd provisioned a single rule containing the two words pass all. So absent any other rules, the most recent example will pass all traffic on all interfaces except msk0.

The most general rule is the first, blocking all incoming traffic on the msk0 interface. All outgoing traffic already passes.

The second rule is more fine-grained, and passes traffic to destination ports 80/443, if the destination address is any of the addresses assigned to the msk0 interface. Internally, there are individual rules for each address, which can be seen with # pfctl -sr.

The parentheses around the interface will cause PF to adjust the internal rule list any time the address list changes, such as may happen with dynamic auto-configuration with SLAAC / IPv6 or DHCP / IPv4.

Last edited by jggimi; 11th July 2022 at 03:58 PM. Reason: clarity
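The evaluation jggimi describes (last matching rule wins, an empty ruleset passes everything, and "(msk0)" meaning whatever addresses msk0 currently holds) can be worked through on sample packets with a small model. The following Python is an added illustration written for this page, not OpenBSD or PF code: it implements only the handful of keywords the two rules above use, and the interface addresses and packets are constructed values from documentation ranges.

```python
"""Toy model of the PF evaluation discussed in this thread.

Added illustration, not OpenBSD code: it models only the keywords used in
the rules above (block/pass, in, on <if>, proto tcp, to (<if>), port {...})
and PF's "last matching rule wins" semantics. Interface addresses are
looked up at evaluation time to mimic the parenthesised (msk0) syntax.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet enters or leaves on
    direction: str   # "in" or "out"
    proto: str       # "tcp", "udp", "icmp", ...
    src: str
    sport: int       # source port, chosen by the initiating system
    dst: str
    dport: int       # destination port, where a service listens


@dataclass(frozen=True)
class Rule:
    action: str                          # "block" or "pass"
    direction: Optional[str] = None      # None: both directions
    on: Optional[str] = None             # interface, None: all interfaces
    proto: Optional[str] = None          # None: any protocol
    to_iface: Optional[str] = None       # "(msk0)": any address of msk0
    ports: FrozenSet[int] = frozenset()  # empty: any destination port


def matches(rule: Rule, pkt: Packet, addrs: Dict[str, Set[str]]) -> bool:
    """Every criterion the rule specifies must hold; omitted ones match anything."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.on is not None and rule.on != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    # "to (msk0)": the address list is resolved now, not when the rule was loaded.
    if rule.to_iface is not None and pkt.dst not in addrs.get(rule.to_iface, set()):
        return False
    if rule.ports and pkt.dport not in rule.ports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, addrs: Dict[str, Set[str]]) -> str:
    """Last matching rule wins; with no rules at all PF passes everything."""
    decision = "pass"
    for rule in rules:
        if matches(rule, pkt, addrs):
            decision = rule.action
    return decision


# The ruleset from the thread:
#   block in on msk0
#   pass in proto tcp to (msk0) port {80 443}
RULESET = [
    Rule("block", direction="in", on="msk0"),
    Rule("pass", direction="in", proto="tcp", to_iface="msk0",
         ports=frozenset({80, 443})),
]

# Constructed sample addresses (documentation ranges), not real hosts.
ADDRS: Dict[str, Set[str]] = {"msk0": {"203.0.113.10"}, "rl0": {"192.0.2.1"}}


def decide(pkt: Packet, addrs: Dict[str, Set[str]] = ADDRS) -> str:
    """Decision for one packet under the thread's ruleset."""
    return evaluate(RULESET, pkt, addrs)


if __name__ == "__main__":
    samples = [
        Packet("msk0", "in", "tcp", "198.51.100.7", 51234, "203.0.113.10", 443),
        Packet("msk0", "in", "tcp", "198.51.100.7", 51235, "203.0.113.10", 22),
        Packet("msk0", "in", "udp", "198.51.100.7", 51236, "203.0.113.10", 80),
        Packet("rl0", "in", "tcp", "192.0.2.50", 40000, "192.0.2.1", 22),
        Packet("msk0", "out", "tcp", "203.0.113.10", 40001, "198.51.100.7", 443),
    ]
    for p in samples:
        print(f"{p.direction:>3} on {p.iface} {p.proto} -> {p.dst}:{p.dport}: {decide(p)}")
    # After DHCP/SLAAC renumbering, (msk0) resolves to the new address list.
    renumbered = {"msk0": {"203.0.113.99"}, "rl0": {"192.0.2.1"}}
    p = Packet("msk0", "in", "tcp", "198.51.100.7", 51237, "203.0.113.99", 80)
    print(f"after renumbering -> {p.dst}:{p.dport}: {decide(p, renumbered)}")
```

Running it shows inbound TCP to port 443 on an msk0 address passing, inbound TCP to port 22 and inbound UDP to port 80 on msk0 being blocked, inbound traffic on rl0 and all outbound traffic passing untouched, and a packet to msk0's new address still passing after the address table changes. Note that this model only covers the rules on this page; real PF evaluates many more criteria.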
#8 (11th July 2022)
TCH, Shell Scout (Join Date: Mar 2017, Posts: 85)

Thank you for the detailed explanation. However, this is not entirely clear to me:
Quote (Originally Posted by jggimi):
The second rule is more fine-grained, and passes traffic to destination ports 80/443, if the destination address is any of the addresses assigned to the msk0 interface.
This applies to PPPoE devices too, right?
#9 (11th July 2022)
jggimi, More noise than signal (Join Date: May 2008, Location: USA, Posts: 7,977)

I have no direct experience with PPPoE. My understanding is that you would write your filtering rules for the pppoe(4) pseudo-NIC, and not for the encapsulating Ethernet NIC. The latter doesn't even need an IP address.
#10 (11th July 2022)
TCH, Shell Scout (Join Date: Mar 2017, Posts: 85)

I see, thanks.
#11 (11th July 2022)
jggimi, More noise than signal (Join Date: May 2008, Location: USA, Posts: 7,977)

If using PPPoE, be sure to read about MTU/MSS size limitations in the pppoe(4) man page.
#12 (13th July 2022)
TCH, Shell Scout (Join Date: Mar 2017, Posts: 85)

I will.

BTW, I think I got something wrong about PPPoE; can /etc/netstart "launch" a device which is configured as PPPoE in /etc/hostname.msk0?
#13 (13th July 2022)
J65nko, Administrator (Join Date: May 2008, Location: Budel - the Netherlands, Posts: 4,128)

I never had to use PPPoE either. But pppoe(4) says that your /etc/hostname.msk0 should only contain the word 'up'.
The /etc/hostname.pppoe0 should contain pppoedev msk0

So # /etc/netstart pppoe0 should do it.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#14 (13th July 2022)
TCH, Shell Scout (Join Date: Mar 2017, Posts: 85)
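The two hostname.if(5) files J65nko describes, written out as an added example that is not from this thread: it follows the layout of the example in the pppoe(4) man page, with msk0 substituted for the man page's interface, and the account name and key are placeholders to be replaced with the ISP's values.

```conf
# /etc/hostname.msk0  (the Ethernet carrier only needs to be brought up;
# it needs no IP address of its own)
up

# /etc/hostname.pppoe0  (the PPPoE session; credentials are placeholders)
inet 0.0.0.0 255.255.255.255 NONE \
    pppoedev msk0 authproto pap \
    authname 'ISP_USERNAME' authkey 'ISP_PASSWORD' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
```

With those files in place, "sh /etc/netstart pppoe0" brings the session up, and, as jggimi noted earlier, the PF rules then name the pseudo-interface ("block in on pppoe0" and "to (pppoe0)") rather than msk0.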

I see, thanks. So that was what I was doing wrong: putting the PPPoE credentials in the wrong file.