DaemonForums > OpenBSD > OpenBSD Security
#1, 9th July 2019, calanon (Port Guard; joined Jul 2019; 38 posts)
Using authpf to access a network

Hi, I'm having a little trouble getting my solution to work.

I have a VM with two interfaces, on network vlan 10 and network vlan 20. I want users to SSH to the IP on network vlan 10 so they are authenticated to access network vlan 20. I have authpf working, but I don't know how to incorporate this into the pf rules to open up access for that user to the network. Can someone please help.

Thanks
#2, 9th July 2019, jggimi (More noise than signal; joined May 2008; USA; 7,977 posts)

Hello and welcome!

I'm not sure what guidance you would need. There's an authpf(8) man page, and there's a chapter on authpf in the PF User's Guide. Both should help. In particular, the PF User's Guide chapter has examples.
#3, 10th July 2019, calanon

Quote:
Originally Posted by jggimi
Hello and welcome!

I'm not sure what guidance you would need. There's an authpf(8) man page, and there's a chapter on authpf in the PF User's Guide. Both should help. In particular, the PF User's Guide chapter has examples.
Hello, and thank you for your reply. I am quite new to pf and, even after reading the user guide, I am not sure whether I am using the correct syntax.

I used rdr-to, but the only examples I can find pertain to redirecting to an IP and not to a whole network in the DMZ.

Am I approaching this incorrectly?

So, as I explained, from my client I ssh to, let's say, 192.168.100.1; this authenticates me with authpf to enter the DMZ network 192.168.14.0/24. I can't seem to get this working.

This is what I have done so far:

authpf is running, and I have a blank authpf.rules file globally.
I have allowed incoming ssh and ping for the interface that holds the IP 192.168.100.1.

From there I am lost. I read that you have to use anchors etc., but I cannot seem to figure this out.

Do you have, or are there, any real-world examples that will help me?

Many thanks in anticipation!
#4, 10th July 2019, jggimi

I would not use rdr-to, as that is designed for port forwarding. Instead, I would simply block the traffic by default, and use pass rules in the authpf anchor to pass the desired traffic. The example in the PF User's Guide uses pass rules for the anchor set.


For more specific help, please post your PF ruleset, and your authpf anchor rules. (You should redact any "real" Internet network addresses to maintain privacy.)
#5, 10th July 2019, calanon

Quote:
Originally Posted by jggimi
I would not use rdr-to, as that is designed for port forwarding. Instead, I would simply block the traffic by default, and use pass rules in the authpf anchor to pass the desired traffic. The example in the PF User's Guide uses pass rules for the anchor set.


For more specific help, please post your PF ruleset, and your authpf anchor rules. (You should redact any "real" Internet network addresses to maintain privacy.)
OK, here you go; my guess is it's a mess:

pf.conf
Code:
#  Interfaces 
extif="em0"
intif="em1"
# Variables
allowed_tcp_ports="{ ssh, https, rdp }"
set block-policy drop
set loginterface $extif
set skip on lo

# Block all Incoming Traffic 
block all

# Allow  temporary ICMP on ext interface
pass in on $extif inet proto icmp to ($extif) icmp-type 8 code 0 keep state
pass in on $extif proto tcp to ($extif) port $allowed_tcp_ports
authpf.rules
Code:
extif = "em0"
allowed_tcp_ports="{ ssh, https, rdp }"
pass out on $extif inet proto tcp from any to any port $allowed_tcp_ports
#6, 10th July 2019, calanon

Oh, and my test is to try and ssh to a machine in the DMZ, for example:

ssh user@192.168.14.10

But I cannot reach this machine at all.
#7, 10th July 2019, jggimi

It's not a mess. It is readable, and your intent is understandable.
  • Your main ruleset is missing an anchor point, so the anchor rules are never applied. See Linking authpf into the Main Ruleset in the PF User's Guide chapter, and the example configuration in the same page, for anchor point use examples.
  • Your authpf rules do not use $user_ip or $user_id. A single authpf session will pass all outbound traffic for $allowed_tcp_ports.
#8, 10th July 2019, jggimi

Quote:
Originally Posted by calanon
Oh, and my test is to try and ssh to a machine in the DMZ, for example:

ssh user@192.168.14.10

But I cannot reach this machine at all.
I can't tell from what you've posted what your DMZ is. Your rules only have an internal and external interface. You permit ssh, https, and rdp inbound on the external interface in your main ruleset, and it must be destined for the OpenBSD machine. That is the only TCP traffic permitted.
#9, 10th July 2019, calanon

Quote:
Originally Posted by jggimi
It's not a mess. It is readable, and your intent is understandable.
  • Your main ruleset is missing an anchor point, so the anchor rules are never applied. See Linking authpf into the Main Ruleset in the PF User's Guide chapter, and the example configuration in the same page, for anchor point use examples.
  • Your authpf rules do not use $user_ip or $user_id. A single authpf session will pass all outbound traffic for $allowed_tcp_ports.
So the anchor is linked. On the other point, would this be correct:

/etc/authpf/users/myuser/authpf.rules

Code:
pass out on $intif inet proto tcp from $user_ip to any port $allowed_tcp_ports
10th July 2019, calanon

Quote:
Originally Posted by jggimi
I can't tell from what you've posted what your DMZ is. Your rules only have an internal and external interface. You permit ssh, https, and rdp inbound on the external interface in your main ruleset, and it must be destined for the OpenBSD machine. That is the only TCP traffic permitted.
It could be my words are wrong:

So I use this BSD machine as the gateway from my exposed LAN to the DMZ.

I want to be able to ssh (authpf) to the BSD box. Then, once authenticated, I can ssh into any box in the DMZ. I feel my rules do not reflect this.
10th July 2019, jggimi

Quote:
Originally Posted by calanon
So the anchor is linked. With the other point would this be correct:
You do not need to use separate /users/ authpf rule files, unless you need rules that are unique to each authenticating user. You can use $user_ip or $user_id in a single rules file, as each user who authenticates will have its set of rules defined under its own anchor point, located at the authpf/* anchor point you defined.
Quote:
Originally Posted by calanon
It could be my words are wrong:

So I use this BSD machine as the gateway from my exposed LAN to the DMZ.

I want to be able to ssh (authpf) to the BSD box. Then, once authenticated, I can ssh into any box in the DMZ. I feel my rules do not reflect this.
Is the address 192.168.14.10 the address of the external interface? Your pass rule
Code:
pass in on $extif proto tcp to ($extif) port $allowed_tcp_ports
is the only TCP pass rule in effect, until you authenticate. This rule will pass TCP traffic inbound on the external interface from any IP address, with any source port number, as long as the destination address is an address assigned to that external interface, with a destination port number matching the port numbers for ssh, https, and rdp defined in /etc/services.
10th July 2019, calanon

Quote:
Originally Posted by jggimi
You do not need to use separate /users/ authpf rule files, unless you need rules that are unique to each authenticating user. You can use $user_ip or $user_id in a single rules file, as each user who authenticates will have its set of rules defined under its own anchor point, located at the authpf/* anchor point you defined.
Is the address 192.168.14.10 the address of the external interface? Your pass rule
Code:
pass in on $extif proto tcp to ($extif) port $allowed_tcp_ports
is the only TCP pass rule in effect, until you authenticate. This rule will pass TCP traffic inbound on the external interface from any IP address, with any source port number, as long as the destination address is an address assigned to that external interface, with a destination port number matching the port numbers for ssh, https, and rdp defined in /etc/services.
Yes, that is the external interface. So what rule would I need, once authenticated, to allow SSH to be passed through the internal interface, allowing me to SSH to other boxes in that DMZ?
10th July 2019, jggimi

Your authpf.rules file should include a pass that allows ssh traffic through your internal interface. Such as:
Code:
allowed_tcp_ports="{ ssh, https, rdp }"

pass proto tcp from $user_ip to any port $allowed_tcp_ports
Several notes:
  • Position of the anchor in the main ruleset is important. The last matching rule wins.
  • Be careful with in, out, and on directives. These restrictions often cause more confusion, and therefore more problems, than they solve. You'll note my example rule doesn't use them.
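Putting the advice in this post and in post #7 together: a complete main ruleset with the authpf anchor linked after the default block, and a matching authpf.rules whose pass rule is scoped to the authenticated user with $user_ip. This is an added example, not configuration posted in the thread or taken from the authpf man page. It assumes em0 is the vlan 10 side where users log in (gateway address 192.168.100.1, as in post #3), em1 is the DMZ side (192.168.14.0/24), and net.inet.ip.forwarding=1 is set in /etc/sysctl.conf so the box routes between the two at all.

```pf
# ---------------------------------------------------------------
# /etc/pf.conf  (added example; interface roles are assumptions)
#   em0 = vlan 10, user side, holds 192.168.100.1
#   em1 = vlan 20, DMZ, 192.168.14.0/24
# ---------------------------------------------------------------
extif = "em0"
intif = "em1"
dmz_net = "192.168.14.0/24"

set block-policy drop
set loginterface $extif
set skip on lo

# Default deny in both directions on every interface.
block all

# Users may ping the gateway and reach its sshd, which runs the
# authpf login shell. Nothing else is allowed before authentication.
pass in on $extif inet proto icmp to ($extif) icmp-type echoreq
pass in on $extif inet proto tcp to ($extif) port ssh

# The authpf anchor point. It comes AFTER "block all": the last
# matching rule wins, so pass rules loaded into the anchor override
# the default block. authpf creates one sub-anchor per logged-in
# user under this point and loads authpf.rules into it.
anchor "authpf/*"

# ---------------------------------------------------------------
# /etc/authpf/authpf.rules  (added example)
# Macros defined in /etc/pf.conf are not visible here, so anything
# the rules need is redefined. $user_ip and $user_id are supplied
# by authpf: the address the user connected from and the login name.
# ---------------------------------------------------------------
dmz_net = "192.168.14.0/24"
allowed_tcp_ports = "{ ssh, https, rdp }"

# No "in"/"out"/"on": the rule matches the user's packets both as
# they enter on em0 and as they are forwarded out on em1. pf keeps
# state by default, so return traffic needs no rule of its own.
pass inet proto tcp from $user_ip to $dmz_net port $allowed_tcp_ports
```

Check the main ruleset with `pfctl -nf /etc/pf.conf` before loading it. After a user logs in over ssh, `pfctl -a authpf -sA` lists the per-user anchors that authpf created below the anchor point, and `pfctl -a '<that anchor name>' -sr` shows the rules loaded for that session with $user_ip already substituted; if the listing is empty, the anchor line is missing from pf.conf or the anchor sits above a later rule that overrides it.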
22nd July 2019, calanon

Quote:
Originally Posted by jggimi
Your authpf.rules file should include a pass that allows ssh traffic through your internal interface. Such as:
Code:
allowed_tcp_ports="{ ssh, https, rdp }"

pass proto tcp from $user_ip to any port $allowed_tcp_ports
Several notes:
  • Position of the anchor in the main ruleset is important. The last matching rule wins.
  • Be careful with in, out, and on directives. These restrictions often cause more confusion, and therefore more problems, than they solve. You'll note my example rule doesn't use them.
I assume that you mean place the anchor at the end?
22nd July 2019, jggimi

Generally, yes.
22nd July 2019, calanon

Quote:
Originally Posted by jggimi
Generally, yes.
I will tell you what issue I am facing.

I have enabled forwarding in the sysctl.conf file. I have created a test route from my desktop machine to go to the test VM via the gateway I created.

The ports are open, but I am unable to ping the endpoint client. This is the ICMP rule I have in authpf:

Code:
pass out on egress inet proto icmp icmp-type echoreq no state
22nd July 2019, jggimi

Your icmp rule applies to traffic already permitted through or originating on the gateway, not from the workstation that has authenticated with an authpf(8) shell.
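To make that concrete, here is the ICMP rule from the thread next to a version that does match the authenticated user's ping. This is an added example, not a rule posted in the thread; it assumes the same layout as before (em0 faces the user and carries the default route, so it is the member of the egress interface group; em1 faces the DMZ 192.168.14.0/24).

```pf
# /etc/authpf/authpf.rules excerpt  (added example)

# Rule from the thread, kept here only for comparison:
#
#   pass out on egress inet proto icmp icmp-type echoreq no state
#
# Why it never matches the user's ping:
#  - "out on egress" matches echo requests LEAVING through the egress
#    group, i.e. the interface holding the default route (em0 in this
#    layout). A ping forwarded for the user enters on em0 and leaves on
#    em1, so the only echo requests this rule sees are ones the gateway
#    itself sends, or traffic another rule already passed.
#  - "no state" means that even where it did match, the echo reply on
#    the way back would need a separate pass rule of its own.

dmz_net = "192.168.14.0/24"

# Corrected: select the packet by who sent it ($user_ip, substituted by
# authpf) and where it is going (the DMZ), with no interface or
# direction restriction so it matches on em0 and em1 alike. pf keeps
# state by default, so the echo reply is passed by the same state entry.
pass inet proto icmp from $user_ip to $dmz_net icmp-type echoreq
```

`icmp-type echoreq` is the same as the `icmp-type 8 code 0` spelling used in the main ruleset earlier in the thread; either form works.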
25th July 2019, calanon

Quote:
Originally Posted by jggimi
Your icmp rule applies to traffic already permitted through or originating on the gateway, not from the workstation that has authenticated with an authpf(8) shell.
Sorry to keep bothering you. This is what I did to test the concept:

From my local machine I added a route to another VM, 192.168.0.254, via the gateway 192.168.15.5 (the BSD machine with authpf).

Once authenticated, I am able to ssh to the IP 192.168.0.254.

When I remove that route and add the following route:

ip route add 192.168.0.0/16 via 192.168.15.5

I cannot log into any other server in that subnet, not even 192.168.0.254.

Any ideas?
25th July 2019, jggimi

Quote:
Originally Posted by calanon
....I add the following route.

ip route add 192.168.0.0/16 via 192.168.15.5
That's not a route(8) syntax. Where are you adding this?
25th July 2019, calanon

Quote:
Originally Posted by jggimi
That's not a route(8) syntax. Where are you adding this?
I am adding this to my Linux box to explicitly state that if I want to access the 192.168.0.0/16 network I should use the gateway 192.168.15.5.