Hi Kyle,
so why not exchange information? By the way, I still owe you a report ;) More about that later on, through the "official" ways of communication.
"I can bypass inter-lan block rules by routing my traffic through the squid-cache."
^^ It's not going through the squid cache. To avoid routing private address traffic through squid they've added the "Bypass proxy for Private Address Space (RFC 1918) destination" option.
Here: "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n";
The mistake comes from the rule-set which allows access to port 80 from that particular LAN:
    $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
    $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
It allows traffic to any other interface on port 80 (except the interface the user is on).
By changing the interface to the localhost IP, it does not override the user rules:
    $rules .= "pass in quick on $iface proto tcp from any to 127.0.0.1 port 80 flags S/SA keep state\n";
    $rules .= "pass in quick on $iface proto tcp from any to 127.0.0.1 port $port flags S/SA keep state\n";
There are small differences in the former releases. This bugfix is for 1.2.3-RC3; e.g. in the former releases the PPPoE tunnels were not considered at all. I also had to patch this manually.
You can find the changes where I excluded a line with //.
/usr/local/pkg/squid.inc file:
switch($type) {
    case 'nat':
        $rules .= "\n# Setup Squid proxy redirect\n";
        if ($squid_conf['private_subnet_proxy_off'] == 'on') {
            foreach ($ifaces as $iface) {
                $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n";
            }
            if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
                for ($x=1; $x <= $config['pppoe']['n_pppoe_units']; $x++) {
                    $rules .= "no rdr on ng$x proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n";
                }
            }
        }
        if (!empty($squid_conf['defined_ip_proxy_off'])) {
            $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']);
            $exempt_ip = "";
            foreach ($defined_ip_proxy_off as $ip_proxy_off) {
                if(!empty($ip_proxy_off)) {
                    $ip_proxy_off = trim($ip_proxy_off);
                    $exempt_ip .= ", $ip_proxy_off";
                }
            }
            $exempt_ip = substr($exempt_ip,2);
            foreach ($ifaces as $iface) {
                $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port 80\n";
            }
        }
        foreach ($ifaces as $iface) {
            $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";
        }
        /* Handle PPPOE case */
        if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
            //$rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port 80\n";
            for ($x=1; $x <= $config['pppoe']['n_pppoe_units']; $x++) {
                $rules .= "rdr on ng$x proto tcp from any to !(ng$x) port 80 -> 127.0.0.1 port 80\n";
            }
        }
        /* Handle PPTP case */
        if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
            $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port 80\n";
        }
        $rules .= "\n";
        break;
    case 'filter':
    case 'rule':
        foreach ($ifaces as $iface) {
            $rules .= "# Setup squid pass rules for proxy\n";
            //$rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
            //$rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
            $rules .= "pass in quick on $iface proto tcp from any to 127.0.0.1 port 80 flags S/SA keep state\n";
            $rules .= "pass in quick on $iface proto tcp from any to 127.0.0.1 port $port flags S/SA keep state\n";
            $rules .= "\n";
        }
        if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
            //$rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n";
            for ($x=1; $x <= $config['pppoe']['n_pppoe_units']; $x++) {
                $rules .= "pass in quick on ng$x proto tcp from any to 127.0.0.1 port 80 flags S/SA keep state\n";
            }
        }
        if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
            $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n";
        }
        break;
You mentioned the traffic shaper. We've built traffic shaping appliances based on pfSense (drop-in mode, without NATting -> re-translating the LAN's IP addresses). Unfortunately, the squid proxy traffic cannot be captured by the traffic shaping rules. That is because squid runs on the localhost IP, automatically using the system's standard gateway route, i.e. it bypasses the shaping rules and the load balancer rules.
Furthermore, the current traffic shaper does not work with multiple LANs and WANs. We will have to wait for the new release (in alpha) where they use a fancy piping mode. I haven't tested the alpha yet to see whether it already works as advertised.
What works fine are the built-in traffic management features of the Squid package.
Best regards,
Rocco
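The rule-ordering problem Rocco describes above (and in his earlier "Code of squid.inc" message further down), as an added example that is not code from this thread or from pfSense: a small Python model of pf's evaluation order. It runs the package's rdr (translation) step first, then walks a filter rule-set in which the squid package's "pass in quick" rules sit ahead of the user's own rules, a matching "quick" rule ending evaluation. It compares the original "to !($iface)" pass rule against the patched "to 127.0.0.1" one for a LAN1 client talking to a web server on LAN2 with the RFC 1918 bypass option on. The interface names em1/em2, the addresses and the squid port 3128 are assumptions of the example; pf itself is not invoked.

```python
"""Model of pf's rule evaluation order for the squid transparent-proxy case.

Semantics modelled: rdr (translation) runs before the filter; a matching
'quick' filter rule ends evaluation, otherwise the last match wins; package
rules are loaded ahead of the user's rules, as the thread describes.
Topology, interface names and the squid port are assumptions of this example.
"""
from ipaddress import ip_address, ip_network

IFACE_ADDR = {"em1": ip_address("192.168.1.1"),   # LAN1 interface (assumed)
              "em2": ip_address("192.168.2.1")}   # LAN2 interface (assumed)
RFC1918 = [ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
LOCALHOST = ip_address("127.0.0.1")
PROXY_PORT = 3128                                  # squid's $port (assumed value)


def apply_rdr(iface, dst, dport, private_bypass):
    """Package rdr rules: 'no rdr ... to {RFC 1918} port 80' when the bypass
    option is on, then 'rdr on $iface ... to !($iface) port 80 -> 127.0.0.1 port 80'."""
    if dport != 80 or dst == IFACE_ADDR[iface]:
        return dst, dport
    if private_bypass and any(dst in net for net in RFC1918):
        return dst, dport            # no rdr: routed as-is, the filter sees the real destination
    return LOCALHOST, 80             # redirected to squid


def squid_pass_rules(fixed):
    """Package filter rules per LAN interface, as (action, quick, iface, dst, port).
    fixed=False: original  'pass in quick on $iface ... to !($iface) port 80|$port'
    fixed=True:  patched   'pass in quick on $iface ... to 127.0.0.1 port 80|$port'"""
    rules = []
    for iface in IFACE_ADDR:
        dst = ("host", LOCALHOST) if fixed else ("not_self", iface)
        for port in (80, PROXY_PORT):
            rules.append(("pass", True, iface, dst, port))
    return rules


def user_rules():
    """The admin's own rule-set: block LAN1 -> LAN2, allow LAN1 anywhere else."""
    return [
        ("block", True, "em1", ("net", ip_network("192.168.2.0/24")), None),
        ("pass", True, "em1", ("any", None), None),
    ]


def _dst_matches(spec, dst):
    kind, val = spec
    if kind == "any":
        return True
    if kind == "host":
        return dst == val
    if kind == "net":
        return dst in val
    if kind == "not_self":           # pf's !($iface): anything but the interface's own address
        return dst != IFACE_ADDR[val]
    raise ValueError(kind)


def evaluate(ruleset, iface, dst, dport):
    """Walk the rule-set in order; pfSense's implicit default is block."""
    verdict = "block"
    for action, quick, r_iface, r_dst, r_port in ruleset:
        if r_iface != iface or not _dst_matches(r_dst, dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        verdict = action
        if quick:
            break
    return verdict


def verdict_for(src_iface, dst_ip, dport, fixed, private_bypass=True):
    """Translation first, then the filter with package rules ahead of user rules."""
    dst, dport = apply_rdr(src_iface, ip_address(dst_ip), dport, private_bypass)
    return evaluate(squid_pass_rules(fixed) + user_rules(), src_iface, dst, dport)


if __name__ == "__main__":
    # LAN1 client -> web server on LAN2, RFC 1918 bypass on (the case in the thread)
    print("original rules:", verdict_for("em1", "192.168.2.10", 80, fixed=False))   # pass: block bypassed
    print("patched rules: ", verdict_for("em1", "192.168.2.10", 80, fixed=True))    # block: user rule reached
    # Internet-bound HTTP is still redirected to squid and allowed under the patch
    print("patched, internet:", verdict_for("em1", "203.0.113.5", 80, fixed=True))  # pass
```

With the bypass option off, the same LAN1-to-LAN2 request is redirected to 127.0.0.1:80 and passes under both rule variants; the filter then only sees a connection to squid, so whether squid may fetch from the other LAN on the client's behalf is a matter for squid's own access controls, not the pf rule-set. The model also shows that the original rule's "$port" line lets a LAN1 client reach LAN2 hosts directly on the proxy port, which the patched rule no longer does.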
Kyle Spencer wrote:
Rocco,
Thanks for the heads up.
Disclaimer: I have directly contributed to a few bug-fixes in various
pfSense packages.
I just tested what you're saying and it's true. I can bypass
inter-lan block rules by routing my traffic through the squid-cache.
Example: telnet pfsenseboxip 80 > HTTP GET otherlanip
pfSense is a nice, simple, all-in-one system for people who don't want
to be bothered with manual firewall/traffic shaping implementations.
As far as I can tell, it works very well out of the box -- even for an
"enterprise" user.
Start adding downloadable packages, however, and everything goes to hell.
I absolutely despise pfSense's lack of quality control for their downloadable packages. For example, NRPEv2 wouldn't even load on startup because its /usr/local/etc/rc.d/ script didn't have a .sh extension and the /etc/rc.start_packages only runs *.sh files. Essentially, whoever released the package NEVER EVEN TESTED IT.
Snort wouldn't run properly on boot without modifications.
Squid-cache opens up this huge, rather obvious vulnerability that
Rocco pointed out.
The list goes on and on and on.
IT-Doc24 Ltd. - Rocco Radisch wrote:
Hi Reinier,
I will put it on my long, long list ;-) and if I had more time I would consider contributing. It's a great product but development is quite slow due to lack of people.
regards,
Rocco
Reinier Battenberg wrote:
Well, only one way to find out: post the bug (again ;-) )!
(I wouldn't downplay the use of pfSense; it's for whoever finds it a handy tool. I know Kyle, at IMG, is using it. I think that could easily be considered an enterprise..)
rgds,
Reinier Battenberg
Director
Mountbatten Ltd.
+256 782 801 749
www.mountbatten.net
Do you have a businessplan? Make your idea work:
www.startyourbusiness.ug
On Tuesday 01 December 2009 09:25:40 IT-Doc24 Ltd. - Rocco Radisch wrote:
Hi Reinier,
I know, and I think I tried to submit a bug fix report. We discovered that issue 2 years ago already. I guess my English was too weak at the time ;-)
Furthermore, the only way to fix it without altering the basic usage of pfSense is to shift the rules which allow the transparent proxy traffic (port 80) to be loaded after the user rule-set. As far as I understood the programming framework, all the package scripts are loaded before the custom user rule-sets. If you set a rule to generally block private IP traffic from one LAN to the other LAN, you won't be able to intentionally allow traffic via the user rules. So it seems that it is not an easy fix and pfSense is not meant for enterprise usage, hence most people won't mind (I guess).
Best regards,
Rocco
Reinier Battenberg wrote:
Hi Rocco,
Well, if you found a bug in a FOSS project, the best thing to do is to make sure it gets in the next release. That way, you won't have to patch all the servers you are maintaining in the future. And so will all other pfSense users worldwide.
I guess pfSense has a bugtracker where you can post your fix.
rgds,
Reinier Battenberg
On Tuesday 01 December 2009 08:25:42 IT-Doc24 Ltd. - Rocco Radisch wrote:
Hi Reinier,
Multi-LAN is when you maintain several local area networks all connected to the same firewall.
"Can you substantiate that statement with some URL's?"
No, I can look if someone else discovered the same issue in the Forums.
"It turns out"
We discovered this in-house.
Code of squid.inc:
    foreach ($ifaces as $iface) {
        $rules .= "# Setup squid pass rules for proxy\n";
        $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
        $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
        $rules .= "\n";
    }
The rules are loaded before the custom configured rule-set, meaning it will allow access to http servers from one LAN to the other LAN.
Best regards,
Rocco
Reinier Battenberg wrote:
"it turns out"
Can you substantiate that statement with some URL's?
Else, I don't consider it a true statement.
And for non-networkies: what is Multi-LAN?
rgds,
Reinier Battenberg
On Monday 30 November 2009 17:12:46 IT-Doc24 Ltd. - Rocco Radisch wrote:
Hi Joseph,
pfSense has modules to work either way, as a normal web proxy or as a reverse proxy. If you need help, we have done a couple of custom pfSense installations as well as custom re-programming of front and back-end. Furthermore, it turns out that the standard pf rules used in conjunction with a transparent web-proxy installation will open security flaws if used in a multi-wan & multi-lan set-up.
Best regards,
Rocco
Reinier Battenberg wrote:
Hi Joseph,
This seems more targeted at the other end of proxying.
You can put this proxy in front of your website, which will take the load off your apache server.
rgds,
Reinier Battenberg
On Monday 30 November 2009 14:50:04 joseph mpora wrote:
Pfsense has been pretty good for us, haven't seen need to change :)
Joseph
On 11/30/09, Emmanuel Mulo <[email protected]> wrote:
Hi all,
I am not sure whether this information has been previously posted on this mailing list, however I saw something about Yahoo traffic server being released as open source. Since I have seen previously a number of requests concerning proxy servers for load balancing, content filtering etc... it would be interesting to hear from any sysadmins experimenting with this. It is used by Yahoo so it has to be good for something, no? :)
http://cwiki.apache.org/confluence/display/TS/Traffic+Server
http://ostatic.com/blog/guest-post-yahoos-cloud-team-open-sources-traffic-server
Anybody who does something with it please update us.. at least I would be interested to hear.. Joseph? Reinier?
cheers
Mulo
_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them
(including attachments if any). The List's Host is not
responsible
for them in any way. ---------------------------------------