Re: OpenBSD 4.1: pf is not blocking anything

2007-05-22 Thread Bohdan Tashchuk

Marcos Laufer wrote:


Hello,

I am testing pf in an OpenBSD 4.1. This same configuration works fine on
OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is passing
through, just as if there was no 'block all'. What worries me most is
that anyone on the outside can see my ssh service.
Is there anything wrong with the state of my rules? If I didn't
misunderstand, these rules should work just fine.

Any ideas?
Thanks in advance,

Marcos


# good guys
table <goodhosts> persist
pass in quick on egress from <goodhosts> to any keep state


I'm no pf expert, so here's a simple question. What, if anything, is in 
table goodhosts? Maybe you're allowing everything in because of that 
table, or maybe you're testing from an IP defined as OK in that table?




Re: OpenBSD 4.1: pf is not blocking anything

2007-05-22 Thread Stuart Henderson
 I am testing pf in an OpenBSD 4.1. This same configuration works fine on
 OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is passing
 through, just as if there was no 'block all'.

Is pf enabled? (pfctl -si)
Did your ruleset load ok? (pfctl -sr)

 What worries me most is that anyone on the outside can see my ssh service.

I do different things on different boxes, but my usual setup these days
is something like this:

PasswordAuthentication no

Match Address 192.168.*,10.*
PasswordAuthentication yes

This allows passwords to work on selected networks and forces keys
for the rest of the internet. Allows me to hop from machine to machine
on an internal network, access it from anywhere from trusted boxes
with keys, and discourages me from typing passwords in from untrusted
boxes (reduces risk from keyloggers).



Re: OpenBSD 4.1: pf is not blocking anything

2007-05-22 Thread Peter N. M. Hansteen
Marcos Laufer [EMAIL PROTECTED] writes:

 I am testing pf in an OpenBSD 4.1. This same configuration works
 fine on OpenBSD 3.9, but in 4.1 it is not filtering anything,
 everything is passing through, just as if there was no 'block
 all'.

Are you sure that your rule set actually does get loaded?  

pfctl -s rules will show you which rules are loaded (a possible first
step), but syntax errors should show up (with line number indicated)
when you try to load your rules.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: OpenBSD 4.1: pf is not blocking anything [solved]

2007-05-22 Thread Marcos Laufer
Hello ,

Just found out what was wrong. I knew that the ruleset was all right...
I just forgot to activate pf by placing pf=YES in rc.local.conf
I'm glad that OpenBSD works just fine, and it's me who needs to be repaired :)

I am very sorry for the noise, thanks to everybody for the tips and advice

Marcos


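Stuart's and Peter's checks (is pf enabled at all, did the ruleset load) and the thread's resolution (pf was never started) fit into a small pre-flight script. What follows is an added example, not code from this thread or from OpenBSD: the helper functions take command output as a string argument so they can be exercised on any machine, run_checks() is the part you would run as root on the firewall, and the SAMPLE_* strings and the path /etc/pf.conf are constructed for the example. The local-override file that OpenBSD's rc actually reads is /etc/rc.conf.local.

```shell
#!/bin/sh
# Added example: pre-flight checks before trusting a pf ruleset.
# The three helpers take command output as a string argument so they can be
# run anywhere; run_checks() is the version you would run as root on the
# firewall. The SAMPLE_* strings are constructed for this example, not output
# from the original poster's machine.

# pf_enabled OUTPUT: succeed if OUTPUT (from `pfctl -si`) reports pf enabled.
# The first line of `pfctl -si` is "Status: Enabled for ..." or
# "Status: Disabled for ...".
pf_enabled() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# pf_rule_count OUTPUT: number of non-blank lines in OUTPUT (from `pfctl -sr`).
# Prints 0 and still succeeds when no rules are loaded.
pf_rule_count() {
    printf '%s\n' "$1" | grep -c -v '^[[:space:]]*$' || true
}

# pf_rc_enabled FILE: succeed if FILE (normally /etc/rc.conf.local) contains
# an uncommented pf=YES. On 4.1 pf is only started at boot if this is set;
# later releases enable pf by default, so there it is informational only.
pf_rc_enabled() {
    grep -q '^pf=YES' "$1" 2>/dev/null
}

# run_checks [CONF]: the real thing. Stops at the first failing check.
run_checks() {
    conf=${1:-/etc/pf.conf}
    # Parse only (-n); syntax errors are reported with the offending line.
    pfctl -nf "$conf" || { echo "ruleset $conf does not parse"; return 1; }
    # A perfect ruleset filters nothing if pf itself is off.
    if ! pf_enabled "$(pfctl -si)"; then
        echo "pf is disabled: 'pfctl -e' enables it now, pf=YES in /etc/rc.conf.local at boot"
        return 1
    fi
    n=$(pf_rule_count "$(pfctl -sr)")
    if [ "$n" -eq 0 ]; then
        echo "pf is enabled but no rules are loaded: run 'pfctl -f $conf'"
        return 1
    fi
    pf_rc_enabled /etc/rc.conf.local ||
        echo "note: pf=YES not set in /etc/rc.conf.local (required on 4.1 for pf to start at boot)"
    echo "pf enabled, $n rules loaded"
}

# Constructed sample outputs, in the shape pfctl prints them.
SAMPLE_SI_ENABLED='Status: Enabled for 0 days 00:04:12           Debug: err

State Table                          Total             Rate
  current entries                        3'
SAMPLE_SI_DISABLED='Status: Disabled for 0 days 00:04:12          Debug: err'
SAMPLE_SR='block drop all
pass in quick on egress inet from <goodhosts> to any flags S/SA keep state
block drop in log quick on egress inet from <badhosts> to any
block drop in quick inet6 all'

# demo: exercise the helpers on the samples (no pf needed).
demo() {
    pf_enabled "$SAMPLE_SI_ENABLED" && echo "sample 1: enabled"
    pf_enabled "$SAMPLE_SI_DISABLED" || echo "sample 2: disabled"
    echo "sample ruleset: $(pf_rule_count "$SAMPLE_SR") rules"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the helpers work on the samples; on the firewall, source the file and call run_checks. The order matters: a ruleset that parses and loads cleanly still filters nothing while pf is disabled, which is exactly the symptom reported at the top of this thread.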


OpenBSD 4.1: pf is not blocking anything

2007-05-21 Thread Marcos Laufer
Hello,

I am testing pf in an OpenBSD 4.1. This same configuration works fine on
OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is passing
through, just as if there was no 'block all'. What worries me most is
that anyone on the outside can see my ssh service.
Is there anything wrong with the state of my rules? If I didn't
misunderstand, these rules should work just fine.

Any ideas?
Thanks in advance,

Marcos


---
#
set skip on lo
scrub in
icmp_nets={ 10.10.10.0/24 }

block all

# good guys
table <goodhosts> persist
pass in quick on egress from <goodhosts> to any keep state

# blackhole
table <badhosts> persist
block in quick log on egress from <badhosts> to any

# no ipv6
block in quick inet6 all


##
# outgoing

# dns
pass out on egress proto { tcp, udp } from (self)/32 to any port domain flags S/SA keep state

# smtp, http, https
pass out on egress proto tcp from (self)/32 to any port { smtp, www, https } flags S/SA keep state

# ntp
ntp_servers={ 10.10.10.4 }
pass out on egress proto udp from (self)/32 to $ntp_servers port ntp keep state

# ssh
ssh_friends={ 10.10.10.0/24 }
pass out on egress proto tcp from (self)/32 to $ssh_friends port ssh flags S/SA keep state


# mysql
pass out on egress proto tcp from (self)/32 to any port 3306 flags S/SA keep state

##
# incoming

# private
friends={ 10.10.10.0/24 }
friends_srvs={ ftp, ftp-data, ssh }
pass in on egress proto tcp from $friends to (self)/32 port $friends_srvs flags S/SA keep state

# MySQL and PgSQL
sql_www_apps_srv={ 10.10.10.0/24 }
pass in quick proto tcp from $sql_www_apps_srv to self/32 port { 3306, 5432 } flags S/SA keep state

# icmp
pass in quick proto icmp from $icmp_nets to self/32 keep state





Re: OpenBSD 4.1: pf is not blocking anything

2007-05-21 Thread Todd Alan Smith

On 5/21/07, Marcos Laufer [EMAIL PROTECTED] wrote:

Hello,

I am testing pf in an OpenBSD 4.1. This same configuration works fine on
OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is passing
through, just as if there was no 'block all'. What worries me most is
that anyone on the outside can see my ssh service.
Is there anything wrong with the state of my rules? If I didn't
misunderstand, these rules should work just fine.

Any ideas?
Thanks in advance,

Marcos


---
#
set skip on lo
scrub in
icmp_nets={ 10.10.10.0/24 }

block all

# good guys
table <goodhosts> persist
pass in quick on egress from <goodhosts> to any keep state

# blackhole
table <badhosts> persist
block in quick log on egress from <badhosts> to any

# no ipv6
block in quick inet6 all


##
# outgoing

# dns
pass out on egress proto { tcp, udp } from (self)/32 to any port domain flags S/SA keep state


Marcos, 'keep state' and 'flags S/SA' are now default settings. Did
you read about what's new in 4.1[0], as well as the updated FAQ[1],
before upgrading your firewall?

-Todd

[0] http://openbsd.org/41.html#new
[1] http://openbsd.org/faq/pf/index.html



Re: OpenBSD 4.1: pf is not blocking anything

2007-05-21 Thread Mariusz Makowski

check pfctl -sr -vv
use log and pflog
check pflog via tcpdump and you will find the answer
On 2007-05-21, at 20:36, Marcos Laufer wrote:
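Mariusz's suggestion, adding log to the rules and reading pflog0 with tcpdump, is the quickest way to see which rule a packet actually hit. The following is an added example, not code from this thread: two shell helpers that summarize tcpdump's pflog output by rule and action, and list the source addresses of blocked packets (the latter is what you would feed into a table such as <badhosts> with pfctl -t badhosts -T add). The sample records are constructed in the format tcpdump -n -e prints for pflog; the rule numbers, interface name and addresses are illustrative and are not taken from the poster's ruleset.

```shell
#!/bin/sh
# Added example: summarizing pf log records captured with
#   tcpdump -n -e -ttt -i pflog0        (live)
#   tcpdump -n -e -r /var/log/pflog     (the file pflogd writes)
# Each record starts with "rule N/(match) ACTION DIR on IFACE:" followed by
# the packet. The helpers take the text as an argument so they run offline.

# pflog_summary TEXT: one line per (action, direction, interface, rule),
# most frequent first, e.g. "3 block in em0 rule 0".
pflog_summary() {
    printf '%s\n' "$1" | awk '
        / rule [0-9]+\/\(match\) / {
            for (i = 1; i <= NF; i++) {
                if ($i == "rule") {
                    rule = $(i + 1); act = $(i + 2); dir = $(i + 3); ifc = $(i + 5)
                    break
                }
            }
            sub(/\/.*/, "", rule)          # "0/(match)" -> "0"
            sub(/:$/, "", ifc)             # "em0:" -> "em0"
            count[act " " dir " " ifc " rule " rule]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr
}

# pflog_blocked_sources TEXT: unique source addresses of blocked packets.
# The source field is "addr.port" for TCP/UDP and bare "addr" for ICMP, so
# the port is stripped only when there are five dot-separated parts.
pflog_blocked_sources() {
    printf '%s\n' "$1" | awk '
        / rule [0-9]+\/\(match\) block / {
            for (i = 1; i <= NF; i++) {
                if ($i == "rule") { src = $(i + 6); break }
            }
            n = split(src, a, ".")
            if (n == 5) src = a[1] "." a[2] "." a[3] "." a[4]
            print src
        }
    ' | sort -u
}

# Constructed sample in tcpdump pflog format (addresses from RFC 5737 ranges;
# rule numbers are illustrative only).
SAMPLE_PFLOG='Jan 15 13:11:55.052016 rule 0/(match) block in on em0: 203.0.113.7.51234 > 192.0.2.10.22: S 1234:1234(0) win 65535
Jan 15 13:11:56.104233 rule 0/(match) block in on em0: 203.0.113.7.51235 > 192.0.2.10.22: S 1235:1235(0) win 65535
Jan 15 13:11:58.000140 rule 0/(match) block in on em0: 198.51.100.9 > 192.0.2.10: icmp: echo request
Jan 15 13:12:01.771902 rule 3/(match) pass in on em0: 10.10.10.5.40000 > 192.0.2.10.22: S 9999:9999(0) win 16384'

if [ "${1:-}" = "--demo" ]; then
    pflog_summary "$SAMPLE_PFLOG"
    echo "blocked sources:"
    pflog_blocked_sources "$SAMPLE_PFLOG"
    # On the firewall, to blackhole everything that was blocked so far:
    #   pflog_blocked_sources "$(tcpdump -n -e -r /var/log/pflog 2>/dev/null)" |
    #       while read -r ip; do pfctl -t badhosts -T add "$ip"; done
fi
```

Note that only rules carrying the log keyword produce records; in the ruleset above only the <badhosts> rule logs, so a plain "block all" that is silently eating packets will not show up until it is changed to "block log all". If the summary shows nothing at all while traffic is flowing, that is itself the answer: no rule is being matched because pf is not running.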