Rich Kulawiec on 13 Feb 2017 18:53:52 -0800
Re: [PLUG] Can't access to Webserver Packet Filter OpenBSD. Need help please!
On Sun, Feb 12, 2017 at 10:43:32PM -0500, sebastien yapo wrote:
> I am experiencing an issue accessing a webserver from outside my
> network since I used Router/Firewall with OpenBSD. However, I am able to
> access the firewall from outside by SSH. Network diagram and pf.conf
> file are attached to this email.

1. Please label the interfaces on the firewall with name and IP address.
It'd make things just a bit easier to correlate.

2. Please be more specific about what you mean by "access". In both cases
you mention, there's some ambiguity that needs to be resolved. It'd
probably be best to show the command line.

3. Note that the group of rules preceded by the comment "NORMAL TRAFFIC"
is not flagged "quick", which means that rule evaluation will continue
through subsequent rules. One of those rules is "block all".

4. In the interest of security, you might wish to move "block all" up
front -- thus blocking all traffic by default -- and then enumerate the
traffic you want to permit. (And then you can use the "quick" flag, since
any matched rule should be the last applicable one anyway.) e.g.:

    block all
    pass quick log on dc0 from <lanhosts>
    block quick log on dc0 proto tcp from <abusers-http> to $myself port http

will block everything, then allow all traffic arriving at interface dc0
from the list of hosts enumerated in "lanhosts" -- and stop evaluating
subsequent rules -- and will then block all traffic arriving at dc0, if
it's TCP to port 80 and is coming from any of the hosts enumerated in
"abusers-http" -- and will also stop evaluating subsequent rules.

This is done not just for efficiency's sake (rule evaluation is fast
enough in most cases without it) but to prevent a spurious match by a
subsequent rule from doing something that's unexpected by a previous one.
Of course this does mean that the order of rules is critical.
---rsk

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
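The point made in items 3 and 4 above is about pf's evaluation model: without "quick", the last matching rule wins, so an earlier "pass" is silently overridden by a later "block all"; with "block all" first and "quick" on the specific rules, evaluation stops at the first decisive match. The following is an added illustration, not code from the list post or from OpenBSD; it is a small Python model of that last-match-wins / quick semantics run over the three rules quoted above and a few constructed packets. The table contents, the `$myself` address (203.0.113.1) and the interface name are assumptions for the demonstration.

```python
"""Model pf's rule-evaluation order to show why a non-quick 'pass' followed by
'block all' blocks traffic, and how 'block all' + 'quick' rules behave instead.
This is an illustrative simulation, not OpenBSD pf itself."""
from dataclasses import dataclass
from typing import Optional, Set, List, Tuple

# Constructed table contents and macro value (documentation address ranges).
LANHOSTS = {"192.168.1.10", "192.168.1.11"}      # <lanhosts>
ABUSERS_HTTP = {"198.51.100.7"}                  # <abusers-http>
MYSELF = "203.0.113.1"                           # $myself


@dataclass
class Rule:
    """One pf rule; a None field means 'any' (no constraint on that field)."""
    action: str                      # "pass" or "block"
    quick: bool = False
    iface: Optional[str] = None      # "on dc0"
    proto: Optional[str] = None      # "proto tcp"
    src: Optional[Set[str]] = None   # "from <table>"
    dst: Optional[str] = None        # "to $myself"
    dport: Optional[int] = None      # "port http"

    def matches(self, pkt: dict) -> bool:
        if self.iface is not None and pkt["iface"] != self.iface:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and pkt["src"] not in self.src:
            return False
        if self.dst is not None and pkt["dst"] != self.dst:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, List[int]]:
    """Return (final decision, indices of rules that matched, in order).

    pf semantics modelled here: every matching rule updates the decision,
    so the LAST match wins, unless a matching rule is flagged quick, which
    ends evaluation immediately. With no match at all, pf's default is pass.
    """
    decision = "pass"
    matched: List[int] = []
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            matched.append(i)
            decision = rule.action
            if rule.quick:
                break
    return decision, matched


# Shape of the problem described in item 3: a non-quick pass followed by block all.
ORIGINAL_ORDER = [
    Rule("pass", iface="dc0", src=LANHOSTS),   # no "quick": evaluation continues
    Rule("block"),                             # block all: last match, so it wins
]

# The three rules quoted in item 4.
RECOMMENDED_ORDER = [
    Rule("block"),                                                   # block all
    Rule("pass", quick=True, iface="dc0", src=LANHOSTS),             # pass quick log on dc0 from <lanhosts>
    Rule("block", quick=True, iface="dc0", proto="tcp",
         src=ABUSERS_HTTP, dst=MYSELF, dport=80),                    # block quick ... port http
]

# Constructed packets arriving on dc0.
LAN_SSH = {"iface": "dc0", "proto": "tcp", "src": "192.168.1.10", "dst": MYSELF, "dport": 22}
ABUSER_HTTP = {"iface": "dc0", "proto": "tcp", "src": "198.51.100.7", "dst": MYSELF, "dport": 80}
STRANGER_HTTP = {"iface": "dc0", "proto": "tcp", "src": "198.51.100.9", "dst": MYSELF, "dport": 80}


def demo() -> dict:
    """Evaluate each constructed packet against both rulesets."""
    return {
        "original:lan_ssh": evaluate(ORIGINAL_ORDER, LAN_SSH)[0],          # "block" (overridden)
        "recommended:lan_ssh": evaluate(RECOMMENDED_ORDER, LAN_SSH)[0],    # "pass"
        "recommended:abuser_http": evaluate(RECOMMENDED_ORDER, ABUSER_HTTP)[0],      # "block"
        "recommended:stranger_http": evaluate(RECOMMENDED_ORDER, STRANGER_HTTP)[0],  # "block"
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} -> {decision}")
```

The first ruleset reproduces the symptom in item 3: the LAN packet matches the `pass` rule, but because that rule is not `quick`, evaluation continues and `block all` becomes the last match, so the packet is dropped. In the recommended ordering the same packet is passed at the `quick` rule and the trailing `block` is never consulted.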