DaemonForums, OpenBSD Security forum

#1 - plexter (Shell Scout) - 14th January 2009
PF Blocking VPN Traffic

Hello all,

I am having difficulty allowing VPN traffic to pass through my firewall.

I have tried various combinations, with the below being my latest.

Code:
pass on $ext_if proto esp from any to any
pass on $ext_if proto udp from any to any port {isakmp, ipsec-nat-t}
pass on $int_if proto esp from any to any
pass on $int_if proto udp from any to any port {isakmp, ipsec-nat-t}

Basically all I am trying to do is allow any traffic that is connected to my VPN (not set up on the PF machine) to pass through my firewall (PF).

Hope someone can assist.

Thanks!
#2 - J65nko (Administrator) - 15th January 2009
You can assist yourself by using a "block log all" default policy and then use tcpdump on the pflog0 device to see which packets are being blocked.

Code:
# tcpdump -eni pflog0

tcpdump will show detailed info about the protocol and/or ports being blocked. You then use this info to adjust your pf.conf.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3 - DutchDaemon (Ben, Spam Refugee) - 15th January 2009
Doesn't a VPN need protocol gre as well?
#4 - J65nko (Administrator) - 16th January 2009
A VPN could be built with gre and PPTP, but this is not generally done when you use ESP, one of the IPSEC protocols.

Way back in 2004 on bsdforums.org I assisted Dachozenone with a pf.conf for a VPN using ESP.
http://74.125.77.132/bsd?q=cache:tsI...&hl=en&strip=1

The secret is to allow enc0 traffic and UDP port 500.
#5 - plexter (Shell Scout) - 19th January 2009
Hello J65nko,

I have realized my error (I think).

Since I am not actually hosting the VPN on the OpenBSD box the traffic coming to it is not actually "VPN" but standard traffic at that point. I added a rule to permit the IP address block for the VPN users and traffic flowed.

I am curious if this is the best way to do this. If someone were somehow able to "spoof" the source IP of the VPN traffic, would they be permitted in then?

My network looks something like this:

[firewall w/ VPN] <--> [OpenBSD FW] <-> rest of network

Thanks
#6 - J65nko (Administrator) - 19th January 2009
If your firewall VPN uses certificates or public key authentication and tightly filters the non-VPN traffic I don't think you have to worry about that.
#7 - plexter (Shell Scout) - 23rd January 2009
Hmm... alright, well, I presume it is filtering correctly via rules, and NAT is also enabled.

Thank you for your help.
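An added pf.conf sketch, not from the thread or any poster, that pulls together the advice in posts #2, #4, #5 and #6 for the OpenBSD box sitting between the VPN firewall and the LAN. Interface names, the VPN user address block and the LAN prefix are constructed placeholders, and the LAN's own outbound rules are left out.

```pf
# Added example for the layout in post #5: [firewall w/ VPN] <--> [this OpenBSD FW] <-> LAN
# All names and addresses below are placeholders, not values from the thread.
ext_if  = "em0"              # faces the VPN firewall
int_if  = "em1"              # faces the rest of the network
vpn_gw  = "192.0.2.1"        # inside address of the VPN firewall (placeholder)
vpn_net = "10.8.0.0/24"      # block handed out to VPN users (placeholder)
lan_net = "192.168.1.0/24"   # internal network (placeholder)

set skip on lo0

# Post #2: deny and log by default, so "tcpdump -eni pflog0" shows exactly
# which protocol/port is being dropped while the ruleset is tuned.
block log all

# Post #6's spoofing question: refuse packets whose source address belongs to a
# directly attached network but arrives on the wrong interface.
antispoof log quick for { $ext_if $int_if }

# Post #5: the decrypted VPN user traffic reaches this box as ordinary IP from
# the VPN firewall. Accept it only inbound on $ext_if and only from $vpn_net,
# with state, so a $vpn_net source showing up on $int_if still hits "block log all".
pass in  on $ext_if inet from $vpn_net to $lan_net keep state
pass out on $int_if inet from $vpn_net to $lan_net keep state

# Post #4: these are only needed if this box itself terminates IPsec, in which
# case ESP, IKE (UDP 500), NAT-T (UDP 4500) and the decrypted enc0 traffic must pass.
# Left commented out because the VPN ends on the other firewall in this thread.
# pass in on $ext_if proto esp from $vpn_gw to ($ext_if)
# pass in on $ext_if proto udp from $vpn_gw to ($ext_if) port { 500 4500 }
# pass on enc0
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch pflog0 as in post #2 to confirm only the intended traffic is still being blocked.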