Re: pf examples needed [solved]
Glad it's working; however, depending on your security level needs there are some variants on the configuration you may wish to consider. rdr pass is an unrestricted pass or opening. An improvement to it follows.

#---EG1---
rdr on $external proto tcp from any to $external port 80 \
    -> 192.168.200.122 port 80
...
pass in quick log on $external inet proto tcp \
    from any to 192.168.200.122 port 80 tag _PASSED_ \
    flags S/FSRA synproxy state
...
pass out quick log on $dmz inet proto tcp \
    tagged _PASSED_ \
    keep state
#---EG1---

The flags allow only clean, well-formed TCP handshakes through. The synproxy further helps shield your webserver from probing and assaults. The PASS OUT $DMZ is better than your rdr pass. This also means the WEB server can only reply to a _PASSED_ request (usually a good thing); it cannot initiate a session to the internet.

A further security enhancement follows.

#---EG2---
table <Hackers> persist
...
rdr on $external proto tcp from !<Hackers> to $external port 80 \
    -> 192.168.200.122 port 80
...
block in on $external from <Hackers> to $external port 80
pass in quick log on $external inet proto tcp \
    from any to 192.168.200.122 port 80 tag _PASSED_ \
    flags S/FSRA synproxy state \
    (max-src-conn-rate 10/30, overload <Hackers> flush)
...
# tagged: only traffic tagged _PASSED_ by the pass in rule above
pass out quick log on $dmz inet proto tcp \
    tagged _PASSED_ \
    keep state
#---EG2---

Where 10/30 is specific to your site's environment. IN THIS EXAMPLE, it means any source IP bashing away at your port 80 exceeding 10 tries in 30 seconds is auto-magically added to the Hackers table. The Hackers table is then used to BLOCK the 11th and subsequent tries. The 10/30 values are YOURS to pick.

Also the block/pass pair can be re-written into one pass statement as follows.

#---EG3---
pass in quick log on $external inet proto tcp \
    from !<Hackers> to 192.168.200.122 port 80 tag _PASSED_ \
    flags S/FSRA synproxy state \
    (max-src-conn-rate 10/30, overload <Hackers> flush)
#---EG3---

I used the block/pass pair for better clarity AND if you're trying to get this working the first time, the pair is easier to debug and understand the effect when looking at tcpdumps and others.

Let the debates begin.

Good luck,
/Scott

Charles Farinella wrote:
> =
> # Network interfaces
> external = dc0
> internal = dc1
> dmz = dc2
>
> # Address ranges
> int_add = 192.168.100.0/24
> dmz_add = 192.168.200.0/24
> ext_add = X.X.X.25
>
> rdr pass log (all) on $external proto tcp from any to $external port 80 \
>     -> 192.168.200.122 port 80
> rdr pass log (all) on $internal proto tcp from any to $external port 80 \
>     -> 192.168.200.122 port 80
> ==
>
> I actually had it working and didn't realize it as I was accessing the server via dc1 and only had the dc0 rule set. Martin Toft tipped me off when he pointed that out to me, and indeed checking from a machine outside of our network confirmed that. Creating the internal redirect has solved my problem.
>
> Thanks again.
>
> --charlie
>
> --
> Charles Farinella
> Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
> [EMAIL PROTECTED]
> voice: 603.924.6079 fax: 603.924.8668

--
View this message in context: http://www.nabble.com/pf-examples-needed-tf3021355.html#a8440660
Sent from the openbsd user - misc mailing list archive at Nabble.com.
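The following is an added example, not rules posted by Scott or Charles: a complete pf.conf that puts Charles's two rdr rules (external and internal redirect) together with Scott's tag/synproxy/overload pattern for the three-interface box in this thread. It uses the pre-4.7 nat/rdr syntax of the OpenBSD 3.9 machine discussed here (on OpenBSD 4.7 and later the translation moves into "pass ... rdr-to" rules). Assumed values: the web server is 192.168.200.122 as in Scott's examples, and the 10/30 limit is illustrative, as he says.

```pf
# Added example: pf.conf for dc0 (public), dc1 (internal), dc2 (DMZ).
# Pre-4.7 nat/rdr syntax, as on the OpenBSD 3.9 box in the thread.
# Assumed: web server 192.168.200.122; the 10/30 limit is illustrative.

external  = "dc0"
internal  = "dc1"
dmz       = "dc2"
int_add   = "192.168.100.0/24"
dmz_add   = "192.168.200.0/24"
webserver = "192.168.200.122"

# Sources that exceeded the connection rate. "persist" keeps the table
# (and its contents) across rule reloads even if no rule references it.
table <Hackers> persist

set skip on lo0
scrub in all

# Outbound NAT for both private networks behind the public address.
nat on $external from { $int_add, $dmz_add } to any -> ($external)

# Translation only, no "pass": the filter rules below decide what gets in.
# Internet clients and internal clients both connect to the public address.
rdr on $external proto tcp from !<Hackers> to ($external) port 80 \
    -> $webserver port 80
rdr on $internal proto tcp from $int_add to ($external) port 80 \
    -> $webserver port 80

# Default deny, logged, so pflog shows every refused packet.
block log all

# Listed offenders are dropped before any pass rule is considered.
block in quick log on $external from <Hackers> to any

# Internet -> web server: clean SYN only, handshake completed by the
# firewall (synproxy); more than 10 new connections from one source in
# 30 seconds puts that source in <Hackers> and flushes its states.
pass in quick log on $external inet proto tcp \
    from any to $webserver port 80 tag _PASSED_ \
    flags S/FSRA synproxy state \
    (max-src-conn-rate 10/30, overload <Hackers> flush)

# Internal clients -> web server via the public address (after rdr the
# destination is already $webserver). Ordinary internal egress excludes
# the DMZ network, so the only internal path into the DMZ is the rdr above.
pass in quick on $internal inet proto tcp \
    from $int_add to $webserver port 80 tag _PASSED_ \
    flags S/SA keep state
pass in on $internal from $int_add to !$dmz_add keep state
pass out on $external keep state

# Only tagged, already-filtered traffic may enter the DMZ segment. There is
# no "pass in on $dmz", so the web server can answer but never initiate.
pass out quick log on $dmz inet proto tcp tagged _PASSED_ keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. `pfctl -t Hackers -T show` lists the sources that tripped the limit, and `pfctl -t Hackers -T delete <addr>` releases one; `tcpdump -n -e -ttt -i pflog0` shows what the logged rules refused, which is where the debugging Scott mentions happens.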
Re: pf examples needed [solved]
> On Tue, Jan 16, 2007 at 09:32:02AM -0500, Charles Farinella wrote:
>> I have an OpenBSD 3.9 machine with a public IP providing NAT and firewalling for our internal network. It has 3 interfaces:
>>
>> dc0: public ip from internet X.X.X.25
>> dc1: 192.168.100.x to internal network. This works well.
>> dc2: 192.168.200.x -- to Windows server.
>>
>> I need to allow public access to the Windows server connected to dc2 (one port only). Currently I have a private network address assigned to dc2 and a public one (X.X.X.26) assigned to the machine connected to it.

I have this working, thanks for the help. :-)

=
# Network interfaces
external = dc0
internal = dc1
dmz = dc2

# Address ranges
int_add = 192.168.100.0/24
dmz_add = 192.168.200.0/24
ext_add = X.X.X.25

rdr pass log (all) on $external proto tcp from any to $external port 80 \
    -> 192.168.200.122 port 80
rdr pass log (all) on $internal proto tcp from any to $external port 80 \
    -> 192.168.200.122 port 80
==

I actually had it working and didn't realize it as I was accessing the server via dc1 and only had the dc0 rule set. Martin Toft tipped me off when he pointed that out to me, and indeed checking from a machine outside of our network confirmed that. Creating the internal redirect has solved my problem.

Thanks again.

--charlie

--
Charles Farinella
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079 fax: 603.924.8668
pf examples needed
I have an OpenBSD 3.9 machine with a public IP providing NAT and firewalling for our internal network. It has 3 interfaces:

dc0: public ip from internet X.X.X.25
dc1: 192.168.100.x to internal network. This works well.
dc2: 192.168.200.x -- to Windows server.

I need to allow public access to the Windows server connected to dc2 (one port only). Currently I have a private network address assigned to dc2 and a public one (X.X.X.26) assigned to the machine connected to it.

I need to know how to access the X.X.X.26 machine from the internet. My attempts at redirecting with pf rules haven't been successful so far, and I'm not sure that's how I should be approaching it.

I've been playing with this for a few days, and am kind of lost, so any advice, pointers to docs, examples, etc. would be very much appreciated.

thanks,
--charlie

--
Charles Farinella
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079 fax: 603.924.8668
Re: pf examples needed
Charles Farinella wrote:
> I have an OpenBSD 3.9 machine with a public IP providing NAT and firewalling for our internal network. It has 3 interfaces:
>
> dc0: public ip from internet X.X.X.25
> dc1: 192.168.100.x to internal network. This works well.
> dc2: 192.168.200.x -- to Windows server.
>
> I need to allow public access to the Windows server connected to dc2 (one port only). Currently I have a private network address assigned to dc2 and a public one (X.X.X.26) assigned to the machine connected to it.
>
> I need to know how to access the X.X.X.26 machine from the internet. My attempts at redirecting with pf rules haven't been successful so far, and I'm not sure that's how I should be approaching it.

If dc2 and your Windows server are on an ethernet LAN they need to be addressed in such a fashion that at least one IP address on the dc2 interface is in the same subnet as at least one IP address on the Windows box interface. If the only address on dc2 is 192.168.200.x and the only address on the Windows box is X.X.X.26, they just won't talk. At least not IP.

I can think of two solutions, neither perfect (nothing is perfect in the presence of NAT :-):

1. Address the Windows box in 192.168.200.x and put a bidirectional mapping rule into pf (read up on binat) between X.X.X.26 and the internal address.

2. Address dc2 in X.X.X. and actually use your public addresses for the subnet attached to dc2. You won't want to be using X.X.X.25 for dc0 anymore, but you could still use that address as a PAT address for traffic coming from dc1.

If you have only the one server in your DMZ and want the easiest solution, I'd go for option 1.

--Jon Radel

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]
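As an added example of Jon's option 1 (these rules are not from his post): the Windows box keeps a private DMZ address and pf maps it one-to-one to X.X.X.26 in both directions with binat, while the filter rules still open only port 80. Pre-4.7 syntax, matching the OpenBSD 3.9 box in the thread. Assumptions: the server is 192.168.200.122, and X.X.X.26 reaches the firewall either as an alias on dc0 or because the upstream routes it to X.X.X.25; the mapping rule by itself does not make the firewall answer ARP for that address.

```pf
# Added example: Jon's option 1 (binat), not rules from his post.
# Assumed: server 192.168.200.122; X.X.X.26 is an alias on dc0
# (ifconfig dc0 alias X.X.X.26 netmask 255.255.255.255) or is routed
# to X.X.X.25 by the upstream. X.X.X.26 is the thread's placeholder.

external  = "dc0"
dmz       = "dc2"
webserver = "192.168.200.122"
web_pub   = "X.X.X.26"

# Bidirectional 1:1 mapping. Inbound packets to $web_pub are rewritten to
# $webserver before filtering; outbound packets from $webserver leave as
# $web_pub. Unlike rdr, the mapping itself is symmetric.
binat on $external from $webserver to any -> $web_pub

# Translation is not permission. Filter on the private address, because
# that is what the packet carries once binat has run.
block log all
pass in on $external inet proto tcp from any to $webserver port 80 \
    tag WEB flags S/SA synproxy state
pass out on $dmz inet proto tcp tagged WEB keep state
pass out on $external keep state

# Whether the server may initiate outbound as X.X.X.26 is decided here,
# not by binat. Leave this rule out to keep the server reply-only.
pass in on $dmz inet proto tcp from $webserver to any port { 80, 443 } \
    flags S/SA keep state
```

The practical difference from the rdr approach later in the thread: with binat every port of X.X.X.26 is translated, so the filter rules are the only thing standing between the internet and the server's other services, and `pfctl -nf` plus a `tcpdump -n -i pflog0` of the `block log all` hits is the quickest way to confirm that only port 80 gets through.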
Re: pf examples needed
On Tuesday, January 16, 2007, Charles Farinella wrote:
> I have an OpenBSD 3.9 machine with a public IP providing NAT and firewalling for our internal network. It has 3 interfaces:
>
> dc0: public ip from internet X.X.X.25
> dc1: 192.168.100.x to internal network. This works well.
> dc2: 192.168.200.x -- to Windows server.
>
> I need to allow public access to the Windows server connected to dc2 (one port only). Currently I have a private network address assigned to dc2 and a public one (X.X.X.26) assigned to the machine connected to it.

Your network will be difficult at best to manage in your current configuration; it can be done, but not without some serious wasted effort in my opinion. I'm still trying to figure out how you're going to route a known public IP address (x.x.x.26) over an interface (192.168.200.x) assigned with a private network address. Are you planning on adding manual route statements on the x.x.x.26 web server to the 192.168.200.x 'net? What would be your default gateway on the x.x.x.26 server? I can only imagine the route, nat, rdr, and other pf statements you'd need to accomplish this.

Switch this logic: assign the public IP address x.x.x.26 to dc2 and the private address 192.168.200.x to the Windows server. Physically connect dc2 to your WAN, make sure you add appropriate block in log rules in pf.conf. Add your rdr and pass in statements and you're done.

PF is great, OpenBSD is a powerful OS; however, physical, data, and network-layer stuff is necessary too.

Good Luck

---
Todd M. Boyer, CISSP
AutumnTECH, LLC
http://www.AutumnTECH.com
---
Re: pf examples needed
On Tue, Jan 16, 2007 at 09:32:02AM -0500, Charles Farinella wrote:
> I have an OpenBSD 3.9 machine with a public IP providing NAT and firewalling for our internal network. It has 3 interfaces:
>
> dc0: public ip from internet X.X.X.25
> dc1: 192.168.100.x to internal network. This works well.
> dc2: 192.168.200.x -- to Windows server.
>
> I need to allow public access to the Windows server connected to dc2 (one port only). Currently I have a private network address assigned to dc2 and a public one (X.X.X.26) assigned to the machine connected to it.

You should put a private 192.168.200.x IP address on the Windows box, not a global X.X.X.26 address. Afterwards, do a simple port forwarding (redirection in pf language) at the OpenBSD box, e.g.

rdr on dc0 proto tcp from any to (dc0) port $wbpp -> $wbip
pass in on dc0 inet proto tcp from any to $wbip port $wbpp flags S/SA \
    keep state

where $wbip is the private IP address of the Windows box and $wbpp is the port you want to redirect to the Windows box (wbpp = 'Windows box public port'). I guess the rules could be combined into a single 'rdr pass' rule but I like it this way...

Remember to set up a default route on the Windows box (it should of course use the OpenBSD box as its default route).

Regards,
Martin

> I need to know how to access the X.X.X.26 machine from the internet. My attempts at redirecting with pf rules haven't been successful so far, and I'm not sure that's how I should be approaching it.
>
> I've been playing with this for a few days, and am kind of lost, so any advice, pointers to docs, examples, etc. would be very much appreciated.
>
> thanks,
> --charlie
Re: pf examples needed
On Tue, Jan 16, 2007 at 04:44:03PM +0100, Martin Toft wrote:
> On Tue, Jan 16, 2007 at 09:32:02AM -0500, Charles Farinella wrote:
>> I have an OpenBSD 3.9 machine with a public IP providing NAT and firewalling for our internal network. It has 3 interfaces:
>>
>> dc0: public ip from internet X.X.X.25
>> dc1: 192.168.100.x to internal network. This works well.
>> dc2: 192.168.200.x -- to Windows server.
>>
>> I need to allow public access to the Windows server connected to dc2 (one port only). Currently I have a private network address assigned to dc2 and a public one (X.X.X.26) assigned to the machine connected to it.
>
> You should put a private 192.168.200.x IP address on the Windows box, not a global X.X.X.26 address. Afterwards, do a simple port forwarding (redirection in pf language) at the OpenBSD box, e.g.
>
> rdr on dc0 proto tcp from any to (dc0) port $wbpp -> $wbip
> pass in on dc0 inet proto tcp from any to $wbip port $wbpp flags \
>     S/SA keep state
>
> where $wbip is the private IP address of the Windows box and $wbpp is the port you want to redirect to the Windows box (wbpp = 'Windows box public port'). I guess the rules could be combined into a single 'rdr pass' rule but I like it this way...
>
> Remember to set up a default route on the Windows box (it should of course use the OpenBSD box as its default route).
>
> Regards,
> Martin
>
>> I need to know how to access the X.X.X.26 machine from the internet. My attempts at redirecting with pf rules haven't been successful so far, and I'm not sure that's how I should be approaching it.

Hmm, sorry, I didn't take the above paragraph into account before. If you decide to try my earlier advice, you should add X.X.X.26 as an alias to the dc0 interface and replace (dc0) with X.X.X.26 in the rdr rule.

Regards,
Martin

>> I've been playing with this for a few days, and am kind of lost, so any advice, pointers to docs, examples, etc. would be very much appreciated.
>>
>> thanks,
>> --charlie
Re: pf examples needed
Thanks to all for the help.

Martin Toft wrote:
> On Tue, Jan 16, 2007 at 09:32:02AM -0500, Charles Farinella wrote:
>> I have an OpenBSD 3.9 machine with a public IP providing NAT and firewalling for our internal network. It has 3 interfaces:
>>
>> dc0: public ip from internet X.X.X.25
>> dc1: 192.168.100.x to internal network. This works well.
>> dc2: 192.168.200.x -- to Windows server.
>>
>> I need to allow public access to the Windows server connected to dc2 (one port only). Currently I have a private network address assigned to dc2 and a public one (X.X.X.26) assigned to the machine connected to it.
>
> You should put a private 192.168.200.x IP address on the Windows box, not a global X.X.X.26 address. Afterwards, do a simple port forwarding (redirection in pf language) at the OpenBSD box, e.g.

I currently have it set up like this:

dc0 = X.X.X.25
dc2 = 192.168.200.254
test_box = 192.168.25.123
services = { ssh, smtp, http, https }

I have the following in my pf.conf:

rdr pass on dc0 proto tcp from any to X.X.X.25 port 80 -> 192.168.25.122 port 80

If I ssh into the X.X.X.25 box I can access the test_box on port 80. I cannot access X.X.X.25 port 80 however. I've been using pfctl -f /etc/pf.conf to reload my rules. I see no reference in my pflog to any attempts to access port 80 on X.X.X.25.

> Remember to set up a default route on the Windows box (it should of course use the OpenBSD box as its default route).

Routing tables

Internet:
Destination         Gateway             Flags   Refs   Use    Mtu  Interface
default             192.168.25.254      UGS        0     7      -  ne3
loopback            localhost.localnet  UGRS       0     0  33224  lo0
localhost.localnet  localhost.localnet  UH         0     9  33224  lo0
192.168.25/24       link#1              UC         0     0      -  ne3
192.168.25.254      00:18:f8:08:b4:27   UHLc       0   592      -  ne3
BASE-ADDRESS.MCAST  localhost.localnet  URS        0     0  33224  lo0

Is this correct?

Thanks again.

--charlie

--
Charles Farinella
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079 fax: 603.924.8668
Re: pf examples needed
On Tue, Jan 16, 2007 at 12:23:45PM -0500, Charles Farinella wrote:
> Thanks to all for the help.
>
> Martin Toft wrote:
>> On Tue, Jan 16, 2007 at 09:32:02AM -0500, Charles Farinella wrote:
>>> I have an OpenBSD 3.9 machine with a public IP providing NAT and firewalling for our internal network. It has 3 interfaces:
>>>
>>> dc0: public ip from internet X.X.X.25
>>> dc1: 192.168.100.x to internal network. This works well.
>>> dc2: 192.168.200.x -- to Windows server.
>>>
>>> I need to allow public access to the Windows server connected to dc2 (one port only). Currently I have a private network address assigned to dc2 and a public one (X.X.X.26) assigned to the machine connected to it.
>>
>> You should put a private 192.168.200.x IP address on the Windows box, not a global X.X.X.26 address. Afterwards, do a simple port forwarding (redirection in pf language) at the OpenBSD box, e.g.
>
> I currently have it set up like this:
>
> dc0 = X.X.X.25
> dc2 = 192.168.200.254
> test_box = 192.168.25.123
> services = { ssh, smtp, http, https }
>
> I have the following in my pf.conf:
>
> rdr pass on dc0 proto tcp from any to X.X.X.25 port 80 -> 192.168.25.122 port 80
>
> If I ssh into the X.X.X.25 box I can access the test_box on port 80. I cannot access X.X.X.25 port 80 however.

You can't access X.X.X.25 port 80 from the OpenBSD box itself, as the redirection happens on the dc0 interface. That's OK and shouldn't be thought of as a problem.

> I've been using pfctl -f /etc/pf.conf to reload my rules. I see no reference in my pflog to any attempts to access port 80 on X.X.X.25.

That's probably because you don't log anything.

>> Remember to set up a default route on the Windows box (it should of course use the OpenBSD box as its default route).
>
> Routing tables
> [snip]
>
> Is this correct?

Sorry, but I can't answer that, as I can't figure out how your machines are connected etc... I'm very confused about all your machines, interfaces (dc0, dc1, dc2, ne3), and networks (192.168.100.x, 192.168.200.x, 192.168.25.x, X.X.X).

Regards,
Martin

> Thanks again.
>
> --charlie
Re: pf examples needed
Charles Farinella wrote:
> Thanks to all for the help.
>
> Martin Toft wrote:
>> On Tue, Jan 16, 2007 at 09:32:02AM -0500, Charles Farinella wrote:
>>> I have an OpenBSD 3.9 machine with a public IP providing NAT and firewalling for our internal network. It has 3 interfaces:
>>>
>>> dc0: public ip from internet X.X.X.25
>>> dc1: 192.168.100.x to internal network. This works well.
>>> dc2: 192.168.200.x -- to Windows server.
>>>
>>> I need to allow public access to the Windows server connected to dc2 (one port only). Currently I have a private network address assigned to dc2 and a public one (X.X.X.26) assigned to the machine connected to it.
>>
>> You should put a private 192.168.200.x IP address on the Windows box, not a global X.X.X.26 address. Afterwards, do a simple port forwarding (redirection in pf language) at the OpenBSD box, e.g.
>
> I currently have it set up like this:
>
> dc0 = X.X.X.25
> dc2 = 192.168.200.254
> test_box = 192.168.25.123

oops, my error, sorry. That should be 192.168.200.123

> services = { ssh, smtp, http, https }
>
> I have the following in my pf.conf:
>
> rdr pass on dc0 proto tcp from any to X.X.X.25 port 80 -> 192.168.25.122 port 80
>
> If I ssh into the X.X.X.25 box I can access the test_box on port 80. I cannot access X.X.X.25 port 80 however. I've been using pfctl -f /etc/pf.conf to reload my rules. I see no reference in my pflog to any attempts to access port 80 on X.X.X.25.
>
>> Remember to set up a default route on the Windows box (it should of course use the OpenBSD box as its default route).
>
> Routing tables
>
> Internet:
> Destination         Gateway             Flags   Refs   Use    Mtu  Interface
> default             192.168.25.254      UGS        0     7      -  ne3
> loopback            localhost.localnet  UGRS       0     0  33224  lo0
> localhost.localnet  localhost.localnet  UH         0     9  33224  lo0
> 192.168.25/24       link#1              UC         0     0      -  ne3
> 192.168.25.254      00:18:f8:08:b4:27   UHLc       0   592      -  ne3
> BASE-ADDRESS.MCAST  localhost.localnet  URS        0     0  33224  lo0
>
> Is this correct?
>
> Thanks again.
>
> --charlie
>
> --
> Charles Farinella
> Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
> [EMAIL PROTECTED]
> voice: 603.924.6079 fax: 603.924.8668
Re: pf examples needed
Hi Charles,

If you try to access X.X.X.25 from within 192.168.100.x it will not work, because of the NAT. The same applies for 192.168.200.x. It will be much easier to have two separate firewalls, one for browsing and one for servers.

Rosen

Charles Farinella wrote:
> Thanks to all for the help.
>
> Martin Toft wrote:
>> On Tue, Jan 16, 2007 at 09:32:02AM -0500, Charles Farinella wrote:
>>> I have an OpenBSD 3.9 machine with a public IP providing NAT and firewalling for our internal network. It has 3 interfaces:
>>>
>>> dc0: public ip from internet X.X.X.25
>>> dc1: 192.168.100.x to internal network. This works well.
>>> dc2: 192.168.200.x -- to Windows server.
>>>
>>> I need to allow public access to the Windows server connected to dc2 (one port only). Currently I have a private network address assigned to dc2 and a public one (X.X.X.26) assigned to the machine connected to it.
>>
>> You should put a private 192.168.200.x IP address on the Windows box, not a global X.X.X.26 address. Afterwards, do a simple port forwarding (redirection in pf language) at the OpenBSD box, e.g.
>
> I currently have it set up like this:
>
> dc0 = X.X.X.25
> dc2 = 192.168.200.254
> test_box = 192.168.25.123
> services = { ssh, smtp, http, https }
>
> I have the following in my pf.conf:
>
> rdr pass on dc0 proto tcp from any to X.X.X.25 port 80 -> 192.168.25.122 port 80
>
> If I ssh into the X.X.X.25 box I can access the test_box on port 80. I cannot access X.X.X.25 port 80 however. I've been using pfctl -f /etc/pf.conf to reload my rules. I see no reference in my pflog to any attempts to access port 80 on X.X.X.25.
>
>> Remember to set up a default route on the Windows box (it should of course use the OpenBSD box as its default route).
>
> Routing tables
>
> Internet:
> Destination         Gateway             Flags   Refs   Use    Mtu  Interface
> default             192.168.25.254      UGS        0     7      -  ne3
> loopback            localhost.localnet  UGRS       0     0  33224  lo0
> localhost.localnet  localhost.localnet  UH         0     9  33224  lo0
> 192.168.25/24       link#1              UC         0     0      -  ne3
> 192.168.25.254      00:18:f8:08:b4:27   UHLc       0   592      -  ne3
> BASE-ADDRESS.MCAST  localhost.localnet  URS        0     0  33224  lo0
>
> Is this correct?
>
> Thanks again.
>
> --charlie