Fwd: Openbsd-newbies Digest, Vol 24, Issue 22

Jens Ropers ropers at ropersonline.com
Sun Aug 27 13:44:35 PDT 2006


> Date: Sat, 26 Aug 2006 21:41:30 -0400
> From: "Nick Guenther" <kousue at gmail.com>
> Subject: Re: relay dhcp across openbsd pf
> To: Openbsd-newbies at sfobug.org
>
> >
> > #allow known good hosts full access to winserver:
> > pass on $ext_if from <goodoutsiders> to $winserver
> > pass on $ext_if from $winserver to <goodoutsiders>
>
> Nooooo! It's easy to spoof IP addresses. If an attacker can figure out
> who one of your goodoutsiders is then they can send lots of TCP SYN
> packets, which would of course never actually end up creating a real
> connection but would fill up the statetable on $winserver. Also,
> connectionless traffic (UDP, ICMP and raw IP) would go right through.
>
> It's probably not too much to worry about, because they'd still need
> to be able to exploit a bug in the windows server....

What I tried first was
pass in on $ext_if from <goodoutsiders> to $winserver synproxy state

...which didn't seem to work (again, the Windows box is a domain controller).
From reading the faq/manual, it seemed to me that synproxy state was
just a better version of keep state, but things just don't seem to fly
with synproxy state. I don't understand when I should use keep state
and when I should use synproxy state.

But even using
pass in on $ext_if from <goodoutsiders> to $winserver keep state

didn't seem to work. Only by using

pass on $ext_if from <goodoutsiders> to $winserver keep state
pass on $ext_if from $winserver to <goodoutsiders> keep state

could I actually get stuff to work.
But since keep state is really for allowing return traffic, I figured
that there's no need for keeping state if I'm allowing all reverse
direction traffic anyway.
Am I wrong in this? Is there a benefit to keeping state in both directions?

Apart from that, I'm aware that I'd be much better off restricting
stuff to only known required ports, but what with Windows domain
controller network traffic requiring, among other things, all of TCP
1024-65535 to be open anyway for RPC, there's maybe not a huge point,
or is there? Also, if I restrict to known ports, wouldn't I defeat my
purpose of setting up a rock solid, set-up-once-and-forget-about-it
box, as I'm guaranteed that my users will need some app somewhere down
the line that needs a port I didn't allow?

> > #allow TIVOLI backups from winserver:
> > pass out on $ext_if proto tcp from $winserver to
> > backupserver.domain.tld port 1500 keep state
>
> Keep in mind that the DNS lookup here is done at rule-loadtime and never again.

Hmm, does anyone have any ideas for making it do the DNS lookup at TCP
connection initiation time? Ok, I could probably set up

pfctl -Fr -f /etc/pf.conf

as a once-a-day cron job, but do people have better ideas?

TIA, Jens


-- 
www.ropersonline.com
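As an added example that is not part of this thread, the pf.conf fragment below shows the stateful pattern the discussion is about: state is created by the inbound rule alone, so no mirrored "pass on" rule for the reverse direction is needed, synproxy is shown as a TCP-only variant, and the backup host is given as an address because names are resolved only at ruleset load time. The interface name, addresses and table file are constructed placeholders; it assumes pf's default floating state policy and that the internal interface is not blocked.

```pf
ext_if = "fxp0"                 # placeholder interface name
winserver = "192.0.2.10"        # placeholder address of the Windows server
backupserver = "192.0.2.20"     # an address, not a hostname: pf looks names
                                # up once at load time and never again
table <goodoutsiders> persist file "/etc/pf.goodoutsiders"

# Inbound rule creates the state entry; reply packets from $winserver back
# to the client match that entry, so no second rule in the other direction
# is required.  flags S/SA makes sure only an initial SYN creates state,
# so a bare ACK or RST from a spoofed source never opens an entry.
pass in on $ext_if proto tcp from <goodoutsiders> to $winserver \
    flags S/SA keep state
pass in on $ext_if proto { udp, icmp } from <goodoutsiders> to $winserver \
    keep state

# Alternative for the TCP rule above (synproxy is TCP-only): pf completes
# the three-way handshake with the client itself and only then opens the
# connection to $winserver, so spoofed SYNs never consume a state on the
# server.  Enable instead of, not in addition to, the keep state rule.
# pass in on $ext_if proto tcp from <goodoutsiders> to $winserver \
#     flags S/SA synproxy state

# Connections the server initiates toward the trusted hosts get their own
# state entry from the outbound rule.
pass out on $ext_if proto tcp from $winserver to <goodoutsiders> \
    flags S/SA keep state

# Backup job to port 1500; $backupserver is a macro holding an address so
# the rule does not silently keep a stale lookup after a DNS change.
pass out on $ext_if proto tcp from $winserver to $backupserver port 1500 \
    flags S/SA keep state
```

Check the loaded ruleset with `pfctl -sr` and watch the entries it creates with `pfctl -ss` to confirm a single inbound rule carries the reply traffic.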

