DaemonForums  


#1
Old 28th December 2024
mefisto
Shell Scout
 
Join Date: Sep 2017
Posts: 110
OpenBSD firewall/router with (so far) two minor issues

Greetings all,

I am trying to replace my pre-stoneage router with one based on OpenBSD. I have the basics working, i.e., pf, unbound, dhcp, but have two problems.

1. Regardless of the correct line in the file /etc/sysconf.conf

Code:
#	$OpenBSD: syslog.conf,v 1.21 2021/10/13 20:34:03 sthen Exp $
#

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none	/var/log/messages
kern.debug;syslog,user.info				/var/log/messages
auth.info						/var/log/authlog
authpriv.debug						/var/log/secure
cron.info						/var/cron/log
daemon.info						/var/log/daemon
ftp.info						/var/log/xferlog
lpr.debug						/var/log/lpd-errs
mail.info						/var/log/maillog

# Uncomment this line to send "important" messages to the system
# console: be aware that this could create lots of output.
#*.err;auth.notice;authpriv.none;kern.debug;mail.crit	/dev/console

# Uncomment this to have all messages of notice level and higher
# as well as all authentication messages sent to root.
#*.notice;auth.debug					root

# Everyone gets emergency messages.
#*.emerg							*

# Uncomment to log to a central host named "loghost" using syslog-tls.
# You need to run syslogd with the -S option on the remote host if you
# are using this.
#*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none	@tls://loghost
#auth,daemon,syslog,user.info;authpriv,kern.debug		@tls://loghost

# Uncomment to log messages from doas(1) to its own log file.  Matches are done
# based on the program name.
# Program-specific logs:
#!doas
#*.*							/var/log/doas

# Enable forwarding between machine ports
net.inet.ip.forwarding=1
the system is complaining:
Code:
starting early daemons: syslogd
Dec "date" firewall syslogd[8305]: unknown priority name "inet.ip.forwarding=1"
2. I disabled ssh in the /etc/pf.conf on the Internet facing interface, but I do not know how to enable it on all the LAN interfaces so that I can log-in through one of them.

Any help would be greatly appreciated.

Kindest regards,

M
#2
Old 28th December 2024
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,099

It appears that you have confused two different provisioning files:
  • /etc/sysctl.conf
  • /etc/syslog.conf
The sysctl.conf(5) file provisions system control variables set during boot, while the syslog.conf(5) file provisions system log facilities used with syslogd(8).

---

With PF configurations, the last matching rule applies. I find it easiest to start with the more broad rules, then get more specific. You could, for example, start by passing all incoming ssh traffic, then blocking ssh traffic that is incoming on the internet-facing interface.
Code:
# Broad rule first: pass ssh to any of this host's own addresses (self) on every interface.
pass proto tcp from any to (self) port ssh
# Narrower rule last: it matches later, so it wins, but only on the internet-facing
# interface. $ext_if is assumed to be a macro defined earlier for that interface.
block on $ext_if proto tcp from any to (self) port ssh
#3
Old 28th December 2024
mefisto
Shell Scout
 
Join Date: Sep 2017
Posts: 110

jggimi for the win.

Thank you very much for spotting my idiocy regarding the /etc/sys*.conf.

Regarding the /etc/pf.conf, although my testing suggests that the rules are doing what I intended, I still struggle with some of the concepts. For example, this is an excerpt from my "General traffic rules", which are applied before the rules for the VLANs.

Code:
#---------------------------------#
# Default traffic rules
#---------------------------------#

# Spoofing protection for all NICs.
block in quick from no-route
block in quick from urpf-failed

# Block non-routable private addresses.
block in quick on $ext_if from <martians> to any
block return out quick on $ext_if from any to <martians>

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

# Default blocking all traffic in on all LAN NICs from any computer or device
block return in on { $vlan_1 }

# Default blocking and logging all traffic in on the external NIC from the Internet/ISP,
block drop in log on $ext_if

# Block DNS over HTTPS
block in quick on { $vlan_1 } to <block_doh>

# Allow ICMP.
match in on $ext_if inet proto icmp icmp-type $icmp_types tag ICMP_IN
block drop in on $ext_if proto icmp
pass in proto icmp tagged ICMP_IN max-pkt-rate 100/10

# Allow traceroute
pass out on $ext_if inet proto udp to port 33433 >< 33626

# Allow SSH
# pass in on $ext_if inet proto tcp to ($ext_if) port 22

# Allow traffic from LAN via the external NIC to the Internet.
pass out inet from $ext_if
However, I also saw a configuration that, instead of all the specific blocking rules, has just:

Code:
block in all
and then just has the following rules allowing the desired traffic, in the spirit of "last rule wins".

The only dubious(?) explanation I was able to find was that it is better to be paranoid and explicitly block all the potentially harmful traffic. Although it appeals to my paranoid mind, it seems that
Code:
block in all
would be better because nothing is overlooked.

But even Mr. Hansen lists those more detailed rules, so I must still be overlooking something.

Kindest regards,

M
#4
Old 29th December 2024
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,099

You can provision PF many different ways. For my servers, I usually start with a "default block" rule and then explicitly state what traffic I allow to pass. For my workstations, I usually use a "default pass" rule set, and there may not be any block rules at all.

My personal PF guidelines:
  • If there's a rule I don't completely understand, then it shouldn't be in my rule set.
  • Because "quick" isn't a default, I use it only when necessary.
  • Start with broad, global rules, then get narrower, because the last matching rule will apply.
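The rule-ordering points made in replies #2 (pass ssh everywhere, then block it on the internet-facing interface) and #3/#4 (a default block followed by explicit pass rules, and the effect of "quick") can be checked against a toy evaluator. The code below is an added example, not from the thread and not OpenBSD's pf parser; it models only how pf picks the winning rule (last match wins, a matching "quick" rule stops evaluation, no match means pass) for a handful of keywords. The interface names em0 and vlan1, the macro values and the sample packets are assumptions made for illustration.

```python
"""Toy model of how pf(4) chooses the winning rule for a packet.

Rules are evaluated top to bottom; the LAST matching rule decides, unless a
matching rule carries "quick", which ends evaluation immediately.  A packet that
matches no rule at all is passed.  Understood subset: pass/block, in/out, quick,
"on IFACE", "proto P", "port N|name"; the tokens all, from, any, to, (self),
inet, log, return and drop are accepted and ignored.  States, tables, addresses,
match rules and tags are out of scope for this illustration."""
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ssh": 22, "domain": 53, "http": 80, "https": 443}
# Assumed macro values standing in for the thread's $ext_if and $vlan_1.
MACROS = {"ext_if": "em0", "vlan_1": "vlan1"}
IGNORED = {"all", "from", "any", "to", "(self)", "inet", "log", "return", "drop"}


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str                    # "in" or "out"
    proto: str                        # "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    text: str
    action: str                       # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None   # None matches both directions
    iface: Optional[str] = None       # None matches every interface
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def parse_rule(line: str) -> Rule:
    """Parse one rule line in the supported subset."""
    toks = line.split()
    action = toks.pop(0)
    if action not in ("pass", "block"):
        raise ValueError(f"unsupported action in: {line}")
    fields = {"text": line, "action": action}
    while toks:
        t = toks.pop(0)
        if t == "quick":
            fields["quick"] = True
        elif t in ("in", "out"):
            fields["direction"] = t
        elif t == "on":
            fields["iface"] = toks.pop(0)
        elif t == "proto":
            fields["proto"] = toks.pop(0)
        elif t == "port":
            v = toks.pop(0)
            fields["dport"] = PORT_NAMES[v] if v in PORT_NAMES else int(v)
        elif t in IGNORED:
            continue
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return Rule(**fields)


def load_ruleset(text: str, macros=MACROS) -> list:
    """Strip comments and blank lines, expand $macros, parse the rest."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            line = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], line)
            rules.append(parse_rule(line))
    return rules


def evaluate(rules, pkt: Packet):
    """Return (verdict, winning_rule); winning_rule is None if nothing matched."""
    winner = None
    for r in rules:
        if r.matches(pkt):
            winner = r
            if r.quick:           # quick: stop here, later rules cannot override
                break
    return ("pass" if winner is None else winner.action, winner)


def decide(ruleset_text: str, pkt: Packet) -> str:
    return evaluate(load_ruleset(ruleset_text), pkt)[0]


# Reply #2: broad pass first, then the narrower block on the internet side.
PASS_THEN_BLOCK = """
pass proto tcp from any to (self) port ssh
block on $ext_if proto tcp from any to (self) port ssh
"""
# Replies #3/#4: default block, then explicitly pass what is wanted.
DEFAULT_BLOCK = """
block in all
pass in on $vlan_1 proto tcp to port ssh
"""
# "quick" reverses the usual precedence: the earlier matching rule wins.
QUICK_BLOCK = """
block in quick on $ext_if proto tcp to port ssh
pass in proto tcp to port ssh
"""

# Constructed sample packets: ssh and http arriving on the WAN and LAN sides.
SSH_FROM_WAN = Packet("em0", "in", "tcp", 22)
SSH_FROM_LAN = Packet("vlan1", "in", "tcp", 22)
HTTP_FROM_LAN = Packet("vlan1", "in", "tcp", 80)

if __name__ == "__main__":
    for name, rs in (("pass-then-block", PASS_THEN_BLOCK),
                     ("default-block", DEFAULT_BLOCK), ("quick-block", QUICK_BLOCK)):
        for pkt in (SSH_FROM_WAN, SSH_FROM_LAN, HTTP_FROM_LAN):
            verdict, rule = evaluate(load_ruleset(rs), pkt)
            print(f"{name:16} {pkt.iface:6} port {pkt.dport:3}: {verdict:5}"
                  f" ({rule.text if rule else 'no match, implicit pass'})")
```

Running it shows the difference the two styles make for traffic nobody wrote a rule for: with the pass-then-block pair, http arriving on vlan1 matches nothing and is passed by pf's implicit default, whereas with "block in all" in front it is blocked until a pass rule is added. It also shows why #4 uses "quick" sparingly: the quick block on em0 wins even though a broader pass comes after it. On the real router the equivalent check is pfctl -nvf /etc/pf.conf to parse and print the ruleset without loading it.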