Re: pf.conf settings

2007-05-30 Thread Lontronics Mailinglist account
Sorry to bother again.

Still no luck with pf in combination with ftp-proxy.
A connection is made, but then it is blocked (getting no route to host):

Here is the output of gftp:

Looking up ftp.lontronics.nl
Trying ftp.lontronics.nl:21
Connected to ftp.lontronics.nl:21
220 Gene6 FTP Server v3.9.0 (Build 2) ready...
USER lontronics
331 Password required for lontronics.
PASS 
230 User lontronics logged in.
SYST
215 UNIX Type: L8
TYPE I
200 Type set to I.
CWD /lontronics
550 CWD failed. /lontronics : no such file or directory.
PWD
257 / is current directory.
Loading directory listing / from server (LC_TIME=C)
PASV
227 Entering Passive Mode (195,8,208,48,81,216)
Cannot create a data connection: No route to host
Disconnecting from site ftp.lontronics.nl


I am running pf as firewall now with the following settings:

pf.conf:

# $OpenBSD: PF firewall rules $

# macros
# 6667 is used for irc
int_if= { bce0, wpi0 } 
tcp_services  = { ssh, smtp, domain, www, pop3, auth, ftp, sftp, pop3s, imap, imaps, https, 6667 }
udp_services  = { domain, ntp }

# options
set block-policy drop
set skip on lo0

#Translation
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

antispoof for $int_if inet

# block all ipv6 and setup a default deny policy for ipv4
block inet6 all
block all

anchor ftp-proxy/* 
pass out on $int_if proto tcp  to any port $tcp_services
pass out on $int_if proto udp  to any port $udp_services
pass out on $int_if inet proto icmp all icmp-type echoreq


inetd.conf:

ftp stream  tcp  nowait  root  /usr/libexec/ftpd   ftpd -US
ftp stream  tcp6 nowait  root  /usr/libexec/ftpd   ftpd -US

rc.conf.local:

pf=YES  # enable pf firewall
pf_rules=/etc/pf.conf   # use /etc/pf.conf for pf settings
pflogd_flags=NO # disable logging on pf firewall

ftpproxy_flags=   # enable the internal ftp proxy


Any suggestions of what settings are wrong?

Any help would really be appreciated, because I did not find the info on the 
internet, news groups and forums.

Jan.
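The gftp transcript above shows where the static ruleset and passive FTP part ways: the 227 reply advertises a fresh, high data port that no entry in $tcp_services can match, so only a rule that ftp-proxy inserts into its anchor can pass it. The Python below is an added illustration, not code from the thread: it parses the 227 reply, refuses an advertised address that differs from the control-connection peer, and reports whether the data port is covered by the static allow-list. The transcript is a constructed excerpt modelled on the one quoted, the port numbers are my resolution of the service names via /etc/services, and the peer address passed in is a placeholder.

```python
"""Work out what a static pf allow-list does with an FTP passive-mode
data connection, given the control-channel transcript."""
import re

# Constructed excerpt modelled on the gftp output quoted in the thread.
TRANSCRIPT = """\
PASV
227 Entering Passive Mode (195,8,208,48,81,216)
Cannot create a data connection: No route to host
"""

# The pf.conf macro $tcp_services from the thread, resolved to numbers
# with /etc/services (my resolution; the page lists the names only).
TCP_SERVICES = {22, 25, 53, 80, 110, 113, 21, 115, 995, 143, 993, 443, 6667}

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(transcript):
    """Return (host, port) advertised by the 227 reply, or None.
    The port is p1 * 256 + p2, as FTP encodes it."""
    for line in transcript.splitlines():
        m = PASV_RE.match(line)
        if m:
            a, b, c, d, p1, p2 = (int(x) for x in m.groups())
            return f"{a}.{b}.{c}.{d}", p1 * 256 + p2
    return None


def data_connection_verdict(transcript, control_peer, allowed_ports):
    """Explain the fate of the data connection under a static ruleset.
    control_peer is the address the control connection went to; a 227
    reply pointing anywhere else is refused rather than followed."""
    target = parse_pasv(transcript)
    if target is None:
        return "no PASV reply found"
    host, port = target
    if host != control_peer:
        return f"refuse: 227 advertises {host}, control peer is {control_peer}"
    if port in allowed_ports:
        return f"pass: {host}:{port} matches the static allow-list"
    return (f"blocked: {host}:{port} is not in the static allow-list; "
            "only a rule ftp-proxy inserts into its anchor can pass it")
```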



Re: pf.conf settings

2007-05-29 Thread Joachim Schipper
On Mon, May 28, 2007 at 11:27:46PM +0200, Lontronics Mailinglist account wrote:
 Okay, this should be it, any commends are appreciated.
 The 1023 is used for ftp;

That is not the proper solution; use ftp-proxy, as documented in the
FAQ.

 ###
 
 # $OpenBSD: PF firewall rules $
 
 tcp_pass = { 21 22 25 53 80 110 123 1023}
 udp_pass = { 53 110 }

I'd recommend symbolic names for legibility:

tcp_pass = { ftp ssh smtp domain http pop3 }
udp_pass = { domain ntp }

I'm pretty certain you mean the above, by the way; NTP over TCP is about
as useful as POP3 over UDP...

 # scrub
 scrub in all

'scrub' is useful when using an OpenBSD machine as a firewall, as it
makes it far harder for attackers to get weird packets to machines with
badly-written TCP/IP stacks. However, the OpenBSD network stuff is
usually very good, and enabling scrub enables an attacker to attack far
more code (notably, the PF code as well). Plus it consumes some cycles.
Just skip it.

 # setup a default deny policy
 block in  all
 block out all

'block all'

 antispoof for { bce0, wpi0 } inet
 
 pass out on { bce0, wpi0 } proto tcp to any port $tcp_pass
 pass out on { bce0, wpi0 } proto udp to any port $udp_pass

As noted, you should add icmp.

Also, if you are sure that you will never use IPv6, 'block inet6'.

You didn't post it, but you will want to add 'set skip lo0' at least.
Strange things happen when pf blocks everything on the loopback
interface...

Joachim

-- 
TFMotD: fingerd (8) - remote user information server



Re: pf.conf settings

2007-05-29 Thread Lontronics Mailinglist account
Thanks Joachim and Woodchuck for your replies.

To be RFC compliant I will add icmp.
I will also add logging to check the output, can indeed be very helpful.

I am not using ssh and dhcp, so I have blocked those ports

About 'block inet6'; I thought that 'block all' did that job?

I will also add 'set skip lo0'; good point!

Scrub is removed now because of the notes from Joachim.

I will add the ftp proxy too.

Thanks again, will post the result later for a last check.



Re: pf.conf settings

2007-05-29 Thread Rogier Krieger

On 5/28/07, Woodchuck [EMAIL PROTECTED] wrote:

I wonder if this setup will allow you to do dhcp.  Probably during
boot, (before it takes effect, when the rules in /etc/rc are active),
but afterwards, not.


Typically, dhclient(8) uses the bpf(4) devices and is not troubled by
PF's ruleset. If I'm not mistaken, this behaviour is hinted at in the
man page.



This might be an issue.  I dunno how dhcp communicates, don't use it myself.


If you're interested, you may want to see RFC 2131 and RFC 2132. In
short: DHCP uses UDP datagrams to/from ports 67 and 68.

Typically, conversations start with a discovery (broadcast by the
client). An active DHCP server may then provide a lease offer.
Normally, the client requests the address listed in the offer. If all
goes well, the server acknowledges the request.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.



pf.conf settings

2007-05-28 Thread Lontronics Mailinglist account
I want to use pf as firewall for my laptop.
It is connected wired and wireless, depending on the situation, but also to my 
own router/modem.

I have enabled pf and made a pf.conf which is looking like this:
#
# $OpenBSD: PF firewall rules $

# scrub
scrub in all

# setup a default deny policy
block in  all
block out all

antispoof for { bce0, wpi0 } inet

pass out on { bce0, wpi0 } proto tcp  from any to any
pass out on { bce0, wpi0 } proto udp  from any to any
pass out on { bce0, wpi0 } proto icmp from any to any
#

I was wondering if there are defaults which are better than these.
For example the pass out lines with from any to any, could they be tightened 
more?
I have tried some settings but till now I did not manage to get it working with 
other settings than these.

Any help to make my pf settings more secure would be appreciated.

To be sure; I am running pf on my laptop, and there is no other computer 
connected to my laptop.

Jan



Re: pf.conf settings

2007-05-28 Thread Lontronics Mailinglist account
Okay, found some stuff on the internet; this is it at the moment:

# $OpenBSD: PF firewall rules $

# ports: see /etc/services
#   21 = ftp
#   22 = ssh
#   25 = smtp
#   53 = domain
#   80 = www
#  110 = pop3
#  123 = ntp
#  631 = ipp (CUPS)
# 6667 = irc

tcp_pass = { 21 22 25 53 80 110 123 6667}
udp_pass = { 53 110 }

# scrub
scrub in all

# setup a default deny policy
block in  all
block out all

antispoof for { bce0, wpi0 } inet

pass out on { bce0, wpi0 } proto tcp to any port  $tcp_pass
pass out on { bce0, wpi0 } proto udp to any port  $udp_pass


 
 Any help to make my pf settings more secure would be appreciated.
 
 To be sure; I am running pf on my laptop, and there is no other computer 
 connected to my laptop.
 
 Jan



Re: pf.conf settings

2007-05-28 Thread Lontronics Mailinglist account
Okay, this should be it, any comments are appreciated.
The 1023 is used for ftp;

###

# $OpenBSD: PF firewall rules $

tcp_pass = { 21 22 25 53 80 110 123 1023}
udp_pass = { 53 110 }

# scrub
scrub in all

# setup a default deny policy
block in  all
block out all

antispoof for { bce0, wpi0 } inet

pass out on { bce0, wpi0 } proto tcp to any port $tcp_pass
pass out on { bce0, wpi0 } proto udp to any port $udp_pass

###

On Mon, 28 May 2007 22:01:53 +0200
Lontronics Mailinglist account [EMAIL PROTECTED] wrote:

 Okay, found some stuff on the internet; this is it at the moment:
 
  
  Any help to make my pf settings more secure would be appreciated.
  
  To be sure; I am running pf on my laptop, and there is no other computer 
  connected to my laptop.
  
  Jan



Re: pf.conf settings

2007-05-28 Thread Woodchuck
On Mon, 28 May 2007, Lontronics Mailinglist account wrote:

 Okay, found some stuff on the internet; this is it at the moment:
 
 # $OpenBSD: PF firewall rules $
 
 # ports: see /etc/services
 #   21 = ftp
 #   22 = ssh
 #   25 = smtp
 #   53 = domain
 #   80 = www
 #  110 = pop3
 #  123 = ntp
 #  631 = ipp (CUPS)
 # 6667 = irc
 
 tcp_pass = { 21 22 25 53 80 110 123 6667}
 udp_pass = { 53 110 }
 
 # scrub
 scrub in all
 
 # setup a default deny policy
 block in  all
 block out all
 
 antispoof for { bce0, wpi0 } inet
 
 pass out on { bce0, wpi0 } proto tcp to any port  $tcp_pass
 pass out on { bce0, wpi0 } proto udp to any port  $udp_pass

You may wish to add pass in and out rules for icmp, to be RFC compliant.

If you are passing to 80 outbound, you may want to also pass 443
(SSL, https).

You may wish to add log options to the block statements, particularly
the out -- if you are trying to pass packets that you have forbidden,
you probably want to know that, either to allow those packets, or to
wonder where they are coming from, going to, and why. 

If you are going to be using pop and irc, you may wish to evaluate
allowing inbound tcp on 113, the identd/auth service. (Also enabling
it in /etc/inetd.conf).  Or not.

I wonder if this setup will allow you to do dhcp.  Probably during
boot, (before it takes effect, when the rules in /etc/rc are active),
but afterwards, not.  This might be an issue.  I dunno how dhcp
communicates, don't use it myself.

But do try logging, maybe all packets at first, to familiarize
yourself with your normal network traffic.  A tcpdump process
in a little xterm can be fascinating and make debugging a more
complicated pf setup easy or possible.  I use

# /usr/sbin/tcpdump -n -e -ttt -i pflog0

to watch in realtime.

Dave
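Watching pflog0 in an xterm, as Dave suggests, is the quickest way to see which rule is dropping what. As an added example (not from the thread), here is a small Python summariser for that tcpdump output: it parses the "rule N/(match) block out on bce0: src.port > dst.port:" part of each line and counts blocked flows by direction, interface and destination, which is what you need to decide whether to allow a flow or investigate it. The log lines are constructed in the shape of `tcpdump -n -e -ttt -i pflog0` output on OpenBSD, using documentation addresses.

```python
"""Summarise blocked flows from pflog0 tcpdump output."""
import re
from collections import Counter

# Constructed sample lines modelled on `tcpdump -n -e -ttt -i pflog0`;
# addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 01 14:02:11.104512 rule 3/(match) block out on bce0: 192.0.2.10.51234 > 198.51.100.7.20952: S 1:1(0) win 16384 <mss 1460>
Jun 01 14:02:11.230987 rule 3/(match) block out on bce0: 192.0.2.10.51235 > 198.51.100.7.20952: S 2:2(0) win 16384 <mss 1460>
Jun 01 14:02:12.000001 rule 3/(match) block in on wpi0: 203.0.113.44.4321 > 192.0.2.10.22: S 3:3(0) win 5840
Jun 01 14:02:13.555555 rule 5/(match) pass out on bce0: 192.0.2.10.51236 > 198.51.100.7.21: S 4:4(0) win 16384
Jun 01 14:02:14.123456 rule 3/(match) block in on wpi0: 203.0.113.44.4322 > 192.0.2.10.22: S 5:5(0) win 5840
"""

# Matches the pflog header tcpdump prints before the packet itself.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<iface>\w+): (?P<src>\S+) > (?P<dst>\S+):")


def split_endpoint(endpoint):
    """'192.0.2.10.51234' -> ('192.0.2.10', 51234); tcpdump joins them with a dot."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_pflog(text):
    """Yield one dict per parseable TCP/UDP line; other lines are skipped."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["src"], rec["sport"] = split_endpoint(rec["src"])
        rec["dst"], rec["dport"] = split_endpoint(rec["dst"])
        yield rec


def blocked_summary(text):
    """Count blocked flows keyed by (direction, interface, dst host, dst port)."""
    counts = Counter()
    for rec in parse_pflog(text):
        if rec["action"] == "block":
            counts[(rec["dir"], rec["iface"], rec["dst"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in blocked_summary(SAMPLE_LOG).most_common():
        print(n, *key)
```

Pipe a real capture in with `tcpdump -n -e -ttt -i pflog0 | python3 thisfile.py` after swapping SAMPLE_LOG for sys.stdin.read(); repeated outbound blocks to one host and port, like the data port in Jan's transcript, stand out immediately.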