relay dhcp across openbsd pf

Nick Guenther kousue at gmail.com
Sat Aug 26 18:41:30 PDT 2006


On 8/26/06, Jens Ropers <ropers at ropersonline.com> wrote:
> I have to reply to myself here. First, I have solved some of my
> problems and want to put the solution out there, for the benefit of
> the archives. Second, I'm still interested in soliciting some replies
> from you all insofar as I don't really know what I'm doing -- so if
> you can point out any errors in my setup, I'd love to hear from you.
> Please see my interspersed comments below:
>
> On 22/08/06, Jens Ropers <ropers at ropersonline.com> wrote:
> > Hi everyone,
>
> (...)
>
> > I've got a Windows Server 2003 server in dire need of firewall protection.
> > I've now put an OpenBSD 3.9 box in front of it. The current setup is
> > (pls use fixed width font):
> >
> > Network w/ Win clients <==> OpenBSD box <==> Win Srv 2003
> >
> > Because the Windows Server logically is on the same subnet as the
> > Windows clients, I used bridging, as described at:
> >   http://www.openbsd.org/faq/faq6.html#Bridge
> >
> > My network interfaces look like this:
> > # cat /etc/hostname.rl0
> > inet x.y.z.99 255.255.255.0 NONE
> > # cat /etc/hostname.rl1
> > up
> >
> > So the OpenBSD box's external interface has an IP but the internal one
> > hasn't one.
> >
> > My bridge looks like this:
> > # cat /etc/bridgename.bridge0
> > add rl0
> > add rl1
> > up
> >
> > My /etc/sysctl.conf substantially looks like this:
> > net.inet.ip.forwarding=1
> >
> > The OpenBSD firewall rules currently are extremely basic, they're
> > merely restricting access to the Windows server to the clients by IP.
> > (Yes, the rules need to be strengthened, but I need to understand
> > things better so I can do that.)
> >
> > My /etc/pf.conf substantially looks like this:
>
> I've changed my pf.conf now. What follows is my "new and improved" pf.conf:
>
> --- begin quote ---
> # MACROS
> ext_if = "rl0"
> int_if = "rl1"
> winserver = "x.y.z.79"
> myself = "x.y.z.99"
>
>
> # TABLES
> table <goodoutsiders> const { x.y.z.70/31, x.y.z.72/29, x.y.z.80/28,
> x.y.z.96/30, !$winserver, !$myself }
>
>
> # NORMALIZATION
> scrub in
>
>
> # FILTERING RULES
>
> #default deny:
> block all
>
> #only filter on $ext_if, don't filter on $int_if:
> pass quick on $int_if all
>
> #allow sysadmin SSH access from home:
> pass in on $ext_if proto tcp from any to $myself port ssh keep state
>
> #allow sysadmin to establish RDP/Remote Desktop connection to winserver:
> pass in on $ext_if proto tcp from a.b.c.d to $winserver port 3389 keep state
>
> #allow sysadmin to establish RDP/Remote Desktop connections from winserver:
> pass out on $ext_if proto tcp from $winserver to any port 3389 keep state
>
> #allow known good hosts full access to winserver:
> pass on $ext_if from <goodoutsiders> to $winserver
> pass on $ext_if from $winserver to <goodoutsiders>

Nooooo! It's easy to spoof IP addresses. If an attacker can figure out
who one of your goodoutsiders is then they can send lots of TCP SYN
packets, which would of course never actually end up creating a real
connection but would fill up the statetable on $winserver. Also,
connectionless traffic (UDP, ICMP and raw IP) would go right through.

It's probably not too much to worry about, because they'd still need
to be able to exploit a bug in the Windows server....

> #allow DHCP traffic to/from winserver:
> pass on $ext_if proto udp from { 0.0.0.0, <goodoutsiders> } port 68 to
> $winserver port 67
> pass on $ext_if proto udp from any port 68 to 255.255.255.255 port 67
> pass on $ext_if proto udp from $winserver port 67 to {
> 255.255.255.255, <goodoutsiders> } port 68
>
> #allow winserver to download SOPHOS update:
> pass out on $ext_if proto tcp from $winserver to
> softsrv.uni-rostock.de port 80 keep state
>
> #allow DNS requests from winserver:
> pass out on $ext_if proto { tcp, udp } from $winserver to { x.y.z.8,
> x.y.z.7 } port 53 synproxy state
>
> #allow DNS requests from myself:
> pass out on $ext_if proto { tcp, udp } from $myself to { $winserver,
> x.y.z.8, x.y.z.7 } port 53 synproxy state
>
> #allow NTP/OpenNTPD/Network Time Protocol synchronization to work:
> pass out on $ext_if proto udp from $myself to any port 123 synproxy state
>
> #allow websurfing from myself and winserver:
> pass out on $ext_if proto tcp from $myself to any port { 80, 443 } keep state
> pass out on $ext_if proto tcp from $winserver to any port { 80, 443 } keep state
>
> #allow TIVOLI backups from winserver:
> pass out on $ext_if proto tcp from $winserver to
> backupserver.domain.tld port 1500 keep state

Keep in mind that the DNS lookup here is done at rule load time and never again.

> --- end quote ---
>
>

I can't help you with the rest. As far as I know they are okay, but
don't trust me.

-Nick
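Nick's two objections above (the blanket stateless "pass on $ext_if" rules between <goodoutsiders> and $winserver, and the hostname resolved only when the ruleset loads) rewritten as a pf.conf fragment; this is an added example, not a config from the thread or from either poster. The x.y.z addresses are the thread's placeholders; the service ports, the 192.0.2.10 backup address and the per-source limits (pf source tracking, available from OpenBSD 3.7 on) are assumptions.

```pf
# Added example, not from the thread. Hardened replacements for the
# blanket "pass on $ext_if from <goodoutsiders> to $winserver" rules.
# Addresses are the thread's x.y.z placeholders; the service ports and
# the backup server address are assumptions.
ext_if    = "rl0"
int_if    = "rl1"
winserver = "x.y.z.79"
myself    = "x.y.z.99"
win_tcp   = "{ 139, 445, 3389 }"   # assumed: SMB and RDP only
win_udp   = "{ 137, 138 }"         # assumed: NetBIOS name/datagram

table <goodoutsiders> const { x.y.z.70/31, x.y.z.72/29, x.y.z.80/28,
    x.y.z.96/30, !$winserver, !$myself }
# Filled automatically by "overload" below; inspect with:
#   pfctl -t flooders -T show
table <flooders> persist

scrub in
block log all
pass quick on $int_if all

# Sources that hit the limits below are cut off until removed from
# the table (pfctl -t flooders -T delete <addr>).
block in log quick on $ext_if from <flooders> to $winserver

# Before (stateless, every protocol, every port, trivially spoofable):
#   pass on $ext_if from <goodoutsiders> to $winserver
# After: only a SYN may create state, only to listed ports, and each
# source is limited in the number of states and rate of new connections.
pass in on $ext_if proto tcp from <goodoutsiders> to $winserver \
    port $win_tcp flags S/SA keep state \
    (source-track rule, max-src-states 50, max-src-conn-rate 20/10, \
     overload <flooders> flush)
pass in on $ext_if proto udp from <goodoutsiders> to $winserver \
    port $win_udp keep state
# Connectionless traffic not matched above (ICMP, raw IP, other UDP)
# now falls through to "block".
pass out on $ext_if proto tcp from $winserver to <goodoutsiders> \
    flags S/SA keep state

# A hostname in a rule is resolved once, when the ruleset is loaded.
# Put the address in a table instead; it can be updated without a reload:
#   pfctl -t backupsrv -T replace 192.0.2.10
table <backupsrv> persist { 192.0.2.10 }    # assumed address of backupserver.domain.tld
pass out on $ext_if proto tcp from $winserver to <backupsrv> port 1500 \
    flags S/SA keep state
```

Spoofed SYNs from a <goodoutsiders> address still reach $winserver until the per-source limit trips, so the limits bound the damage rather than remove it; check the ruleset with `pfctl -nf /etc/pf.conf` before loading it.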
