PF: OpenBSD

1.

o PF:
o
o
o
o NAT
o
o

PF:

:
pf , /etc/rc.conf :
pf=YES
, .
pf pfctl(8):
# pfctl-e # pfctl-d
. , ,
, pf.
:
pf /etc/pf.conf , rc.scripts. ,
/etc/pf.conf - , ,
pfctl(8) pf(4).
. UNIX, pf
.
pf.conf :
1.
2.
3.
4.
5.
6.

: , IP, , ..
: IP
: , pf
Scrub:
: .
: NAT

7.

,
.
, # .
:
pf pfctl(8). :

#
#
#
#
#
#
#
#
#

pfctl
pfctl
pfctl
pfctl
pfctl
pfctl
pfctl
pfctl
pfctl

-f /etc/pf.conf
pf.conf
-nf /etc/pf.conf ,
-Nf /etc/pf.conf NAT
-Rf /etc/pf.conf
-sn
NAT
-sr

-ss

-si

-sa

man pfctl(8).

:
, - IP ,
.. , IP ,
, IP .
{}.
pfctl(8) , ,
. :

block out on fxp0 from { 192.168.0.1, 10.5.32.6 } to any

:

block out on fxp0 from 192.168.0.1 to any

block out on fxp0 from 10.5.32.6 to any
:

rdr on fxp0 proto tcp from any to any port { 22 80 } -> \

192.168.0.6
block out on fxp0 proto { tcp udp } from { 192.168.0.1, \
10.5.32.6 } to any port { ssh telnet }
, .
:
- , IP , , ,
.. .
, , .
, pass, out, queue.

ext_if = "fxp0"

block in on $ext_if from any to an

ext_if. , $.
.

friends = "{ 192.168.1.1, 10.0.2.5, 192.168.43.53 }"

. :

host1 = "192.168.1.1"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"
$all_hosts 192.168.1.1, 192.168.1.2.

pfctl

:
IPv6 / IPv4.
, . , ,
, 50 000 - 50 .
:

/ filter, scrub, NAT, redirection rules

NAT

route-to, reply-to, dup-to

pf.conf pfctl(8).
:
pf.conf table. :

const - . , pfctl(8)
, ,
securelevel(7), .

persist - , .
, , , .

table <goodguys> { 192.0.2.0/24 }

table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, \

10.0.0.0/8 }
table <spammers> persist

block in on fxp0 from { <rfc1918>, <spammers> } to any

pass in on fxp0 from <goodguys> to any
, ( ""):

table <goodguys> { 192.0.2.0/24, !192.0.2.5 }

goodguys 192.0.2.0/24, 192.0.2.5.
, <>.
, IP :

table persist file "/etc/spammers"

block in on fxp0 from to any

/etc/spammers IP CIDR. #,
.
pfctl:
, pfctl(8). , <spammers> :

# pfctl -t spammers -Tadd 218.70.0.0/16

, . :

# pfctl -t spammers -Tshow

-v -Tshow .
:

# pfctl -t spammers -Tdelete 218.70.0.0/16

, pfctl(8).
:
IP , . IP ,
. IP
"self", IP , .
:
. :

table { 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }

block in on dc0 all

pass in on dc0 from to any

, dc0 :

172.16.50.5 - - 172.16.0.0/16;
172.16.1.25 - - !172.16.1.0/24; ,
( "!" );
172.16.1.100 - 172.16.1.100;
10.1.4.55 -

Default Deny

quick
Keeping State
Keeping State UDP
TCP
TCP SYN Proxy

IP

:
- , . pf(4)
3 OSI (IPv4 IPv6) 4 OSI (TCP, UDP, ICMP, ICMPv6).
- , , .
, . .
, quick, ,
, , . ,
. " " , , ,
.
:
:

action direction [log] [quick] on interface [af] [proto protocol] \

from src_addr [port src_port] to dst_addr [port dst_port] \
[tcp_flags] [state]
action
, - pass block. pass
, block block-policy. ,
block drop block return.
direction
- in out.
log
, pflogd(8). keep state, modulate state,
synproxy state, , . ,
log-all.
quick

 quick, ,
.
interface
, .
af
, inet IPv4 inet6 IPv6. PF ,
/ .
protocol
:

tcp
udp
icmp
icmp6
/etc/protocols
0 255

src_addr, dst_addr
/ IP. :

IPv4 IPv6.

. , , .

CIDR
, DNS .
IP .
, / ( /24).
, CIDR

(). PF , IP ()
. , DHCP
, .

, :network :broadcast.
CIDR ( 192.168.0.0/24) ( 192.168.0.255)

.
, () ! ("") .
,
any
all, from any to any.

src_port, dst_port
/. :

1 65535
/etc/services
,
:
o ! = ( )
o < ( )
o > ( )
o <= ( )
o >= ( )
o > <()
o <> ( )
- ( ) .

tcp_flags
, TCP proto tcp.
flags check/mask. : flags S/SA - PF S A (SYN ACK) ,
SYN.
state

, , .

keep state - TCP, UDP, ICMP

synproxy state - TCP , TCP SYN .

keep state modulate state.

modulate state - TCP. PF Initial Sequence Numbers (ISNs) ,

.

Default Deny:
"default deny".
"default deny":

block in all
block out all
, , IP .
:
, . - ,
/, / , . ,
, () , .
, .
:

# Pass traffic in on dc0 from the local network, 192.168.0.0/24,

# to the OpenBSD machine's IP address 192.168.0.1. Also, pass the
# return traffic out on dc0.
pass in on dc0 from 192.168.0.0/24 to 192.168.0.1
pass out on dc0 from 192.168.0.1 to 192.168.0.0/24

# Pass TCP traffic in on fxp0 to the web server running on the

# OpenBSD machine. The interface name, fxp0, is used as the
# destination address so that packets will only match this rule if
# they're destined for the OpenBSD machine.
pass in on fxp0 proto tcp from any to fxp0 port www
quick:
, . , ,
, .
"". : quick,
.
:
:

block in on fxp0 proto tcp from any to any port ssh

pass in all
, ,
.
:

block in quick on fxp0 proto tcp from any to any port ssh

pass in all
, quick,
, ssh. .
Keeping State:
PF "keeping state" "stateful inspection".
PF . , PF
, ,
. , .
Keeping state ,
. PF , , , stateful
ruleset , , PF .
keep state, , "state"
. ,
.
:

pass out on fxp0 proto tcp from any to any keep state
TCP
"state" . - ,
, " state"
.
modulate state keep state, , TCP.
modulate state Initial Sequence Number (ISN) .
, , , ISN
.
Keep state TCP, UDP, ICMP ISN:

pass out on fxp0 proto tcp from any to any modulate state
pass out on fxp0 proto { udp, icmp } from any to any keep state
keeping state - ICMP . , keep state
TCP , ICMP , ICMP
.
, stateful , .
, pf, "default deny".
,
.
nat, binat, rdr "state" , .
Keeping State UDP:
, UDP "state" , ! , UDP
( ),
PF UDP . "" "" , PF
, . , "state"
. pf.conf
TCP:

F: .
S: , .
R: .
P: push.
.
A: , , .
U: , , urg=1.
E: ECE - (.. - ...)
W: CWR - (.. - ...)

PF flags :

flags check/mask
mask check , () ""
.

pass in on fxp0 proto tcp from any to any port ssh flags S/SA
TCP SYN, SYN ACK.
: OpenBSD, :

. . . flags S
. /mask .
keep state .

pass out on fxp0 proto tcp all flags S/SA keep state
TCP SYN,
SYN ACK.
., .
, " SYN ".
:

. . . flags S/FSRPAUEW bad idea!!

- , ECN , ECN, ,
. :

. . . flags S/SAFR
, FIN RST scrubbed.
PF TCP ( SYN
FIN SYN RST). :

scrub in on fxp0
.
.
.
pass in on fxp0 proto tcp from any to any port ssh flags S/SA \
keep state
TCP SYN Proxy:
, , pf
. PF . PF
, .
, , .
spoofed TCP SYN ,
.

pass in on $ext_if proto tcp from any to $web_server port www \

flags S/SA synproxy state
.

 synproxy state , SYN keep

state modulate state.
SYN - , PF bridge(4).
:
"spoofing" IP
. , IP
.
PF antispoof

antispoof [log] [quick] for interface [af]

log
, pflogd (8).
quick
quick, ,
.
interface
, . .
af
- inet IPv4 inet6 IPv6.
:

antispoof for fxp0 inet

, antispoof .
, fxp0 IP 10.0.0.1 255.255.255.0 ( ,/24),
:

block in on ! fxp0 inet from 10.0.0.0/24 to any

block in inet from 10.0.0.1 to any
:

, 10.0.0.0/24, fxp0. 10.0.0.0/24

fxp0,
.

IP 10.0.0.1 fxp0.
, ,
.

: antispoof ,
. . :

pass in quick on lo0 all

antispoof for fxp0 inet
antispoof , IP . antispoof
IP :

block drop in on ! fxp0 inet all

block drop in inet all

 .
IP:
pf IP. ,
nmap. , , multicast IGMP,
allow-opts:

pass in quick on fxp0 all allow-opts

:
- . pf ,
Internet. ; queueing, nat, rdr ..
.

ext_if = "fxp0"
int_if = "dc0"
lan_net = "192.168.0.0/24"
# scrub incoming packets
scrub in all
# setup a default deny policy
block in all
block out all
# pass traffic on the loopback interface in either direction
pass quick on lo0 all
# activate spoofing protection for the internal interface.
antispoof quick for $int_if inet
# only allow ssh connections from the local network if it's from the
# trusted computer, 192.168.0.15. use "block return" so that a TCP RST is
# sent to close blocked connections right away. use "quick" so that this
# rule is not overridden by the "pass" rules below.
block return in quick on $int_if proto tcp from ! 192.168.0.15 \
to $int_if port ssh flags S/SA
# pass all traffic to and from the local network
pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net
# pass tcp, udp, and icmp out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# allow ssh connections in on the external interface as long as they're
# NOT destined for the firewall (i.e., they're destined for a machine on
# the local network). log the initial packet so that we can later tell
# who is trying to connect. use the tcp syn proxy to proxy the connection.
pass in log on $ext_if proto tcp from any to { !$ext_if, !$int_if } \
port ssh flags S/SA synproxy state

NAT

NAT
NAT
IP
NAT
Bidirectional Mapping (1:1 mapping)

NAT

:
(NAT) - ( ) IP . NAT ,
IP , ,
Internet. NAT RFC 1631.
NAT , RFC 1918. ,
:

10.0.0.0/8 (10.0.0.0 - 10.255.255.255)

172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
192.168.0.0/16 (192.168.0.0 - 192.168.255.255)

NAT OpenBSD , Internet,

. NAT , , OpenBSD
.
NAT:
Internet, IP , .
, . NAT
:

IP (, 192.168.1.35)
TCP UDP (, 2132)

NAT, , , , NAT
. NAT , ,
a),
b) , .
, :

IP: (, 24.5.0.5)
: , (, 53136)

, Internet . NAT
- Internet. , Internet NAT ;
.
IP NAT (24.5.0.5) (53136). NAT
, , .
IP/, PF, ,
192.168.1.35. PF
.
ICMP , .
NAT :
:
.
pass NAT. NATed .
,
IP .
IP :
NAT ,

 OpenBSD . sysctl(3) :
# sysctl -w net.inet.ip.forwarding=1 # sysctl -w net.inet6.ip6.forwarding=1 (if using IPv6)
, , /etc/sysctl.conf:
net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1
, ( #) . #,
. IP .
NAT:
NAT :
nat [pass] on interface [af] from src_addr [port src_port] to \
dst_addr [port dst_port] -> ext_addr [pool_type] [static-port]
nat
, NAT
pass
,
interface
,
af
, inet IPv4 inet6 IPv6. PF ,
/ .
src_addr
, . :

o
o
o
o
o
o
o
o
o
o

IPv4 IPv6.
CIDR
, DNS .
IP .
. , , .
, / ( /24).
, CIDR
, :network.
CIDR ( 192.168.0.0/24).
.
, () ! ("") .
,
any

src_port
. :

o
o
o
o

1 65535
/etc/services
,
:
! = ( )
< ( )
> ( )
<= ( )
>= ( )
> <()
<> ( )
- ( ) .
port NAT,
().

dst_addr
, . ,
.
dst_port
. src_port.
ext_addr

o
o
o
o
o

NAT , .
:
IPv4 IPv6.
CIDR
, DNS .
IP .
. , , .
(). PF , IP ()
. , DHCP
, .

o
o

, :network.
CIDR ( 192.168.0.0/24).
,

pool_type
, .
static-port
PF TCP UDP .
:

nat on tl0 from 192.168.1.0/24 to any -> 24.5.0.5

, tl0 NAT , 192.168.1.0/24
IP 24.5.0.5.
, .
,
. (tl0, , dc0 ):

nat on tl0 from dc0/24 to any -> tl0

: IP , .
, IP pf.conf
, . DHCP, ,
. , , ,
. , PF
, .

nat on tl0 from dc0/24 to any -> (tl0)

: ,
.
Bidirectional Mapping (1:1 mapping):
bidirectional mapping - , binat. binat
. , , ,
. Internet
, ( DNS) .
:

web_serv_int = "192.168.1.100"
web_serv_ext = "24.5.0.6"
binat on tl0 from $web_serv_int to any -> $web_serv_ext
:
no. :

no nat on tl0 from 192.168.1.10 to any

nat on tl0 from 192.168.1.0/24 to any -> 24.2.74.79
192.168.1.0/24 192.168.1.10 IP 24.2.74.79.
, , "no", . "no"
with binat rdr.
NAT:
NAT pfctl(8), -s state.

# pfctl -s state
TCP 192.168.1.35:2132 -> 24.5.0.5:53136 -> 65.42.33.245:22 TIME_WAIT:TIME_WAIT
UDP 192.168.1.35:2491 -> 24.5.0.5:60527 -> 24.2.68.33:53 MULTIPLE:SINGLE
( ):
TCP
, .
192.168.1.35:2132
(192.168.1.35) (2132) . ,
IP .
24.5.0.5:53136
IP (24.5.0.5) (53136) , .
65.42.33.245:22
IP (65.42.33.245) (22), .
TIME_WAIT:TIME_WAIT
- .

o DNS
o DMZ
o TCP
o RDR NAT

:
NAT, Internet. , NAT,
. , .
, NAT.
:

rdr on tl0 proto tcp from any to any port 80 -> 192.168.1.20
, TCP 80 , ,
192.168.1.20. from any to any rdr . IP
, :

rdr on tl0 proto tcp from 27.146.49.0/24 to any port 80 -> \

192.168.1.20

27.146.49.0/24.
. ,
, .
:

rdr on tl0 proto tcp from 27.146.49.14 to any port 80 -> \

192.168.1.20
rdr on tl0 proto tcp from 16.114.4.89 to any port 80 -> \
192.168.1.22
rdr on tl0 proto tcp from 24.2.74.178 to any port 80 -> \
192.168.1.23
:

 :
.
pass rdr.
.
, , .
:

192.0.2.1 -
24.65.1.13 - OpenBSD
192.168.1.5 -

rdr on tl0 proto tcp from 192.0.2.1 to 24.65.1.13 port 80 \

-> 192.168.1.5 8000
rdr :

: 192.0.2.1
: 4028 ( )
: 24.65.1.13
: 80

rdr:

: 192.0.2.1
: 4028
: 192.168.1.5
: 8000

.
:
. ,
. web CGI
, , .
, , , .
" "(DMZ) " "(PSN).
, , DMZ.
:
, , Internet
, :

server = 192.168.1.40
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $server \
port 80
. ,
, ($ext_if, , ).
, , ,
. TCP/IP
,
. . , PF
, .
.
, TCP
. ,

 . ,
, .
.
, pf,
.
. .
DNS:
DNS, ,
Internet. , ,
.
.
DMZ:
.
, , ,
Internet. , .
( Internet), ,
,
.
TCP :
- TCP, ,
, .
, - , ,
.
inetd(8) nc(1). etc/inetd.conf ,
(127.0.0.1) 5000. 80 192.168.1.10.

127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w \

20 192.168.1.10 80
80 -:

rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> \

127.0.0.1 port 5000
RDR NAT:
NAT .

rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> \

$server
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $server port 80 -> \
$int_if
, ,
.
, NAT RDR .
, .
, . , rdr
TCP/IP , .
, ICMP , , :

# sysctl -w net.inet.ip.redirect=0
# sysctl -w net.inet6.ip6.redirect=0 (if using IPv6)
, ...

PF
o
o Return
o

:
PF . - .
, .
, , .
:
, , ,
, .., . IP ? ,
.
PF , . , ,
, . -
, :

# define macros for each network interface

IntIF = "dc0"
ExtIF = "fxp0"
DmzIF = "fxp1"
:

# define our networks

IntNet = "192.168.0.0/24"
ExtAdd = "24.65.13.4"
DmzNet = "10.0.0.0/24"
, :

IntNet = " {192.168.0.0/24, 192.168.1.0/24} "

.
:
, , RFC 1918 -
.

block in quick on tl0 inet from 127.0.0.0/8 to any

block in quick on tl0 inet from 192.168.0.0/16 to any
block in quick on tl0 inet from 172.16.0.0/12 to any
block in quick on tl0 inet from 10.0.0.0/8 to any
block out quick on tl0 inet from any to 127.0.0.0/8
block out quick on tl0 inet from any to 192.168.0.0/16
block out quick on tl0 inet from any to 172.16.0.0/12
block out quick on tl0 inet from any to 10.0.0.0/8
:

block in quick on tl0 inet from { 127.0.0.0/8, 192.168.0.0/16, \

172.16.0.0/12, 10.0.0.0/8 } to any

block out quick on tl0 inet from any to { 127.0.0.0/8, \
192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
, . :

NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \

10.0.0.0/8 }"
ExtIF = "tl0"
block in quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs
, pf.conf, pfctl(8)
. :

block in quick on tl0 inet from 127.0.0.0/8 to any

block in quick on tl0 inet from 192.168.0.0/16 to any
block in quick on tl0 inet from 172.16.0.0/12 to any
block in quick on tl0 inet from 10.0.0.0/8 to any
block out quick on tl0 inet from any to 10.0.0.0/8
block out quick on tl0 inet from any to 172.16.0.0/12
block out quick on tl0 inet from any to 192.168.0.0/16
block out quick on tl0 inet from any to 127.0.0.0/8
- pf.conf, pf(4).
:

pre = "pass in quick on ep0 inet proto tcp from "

post = "to any port { 80, 6667 } keep state"
# David's classroom
$pre 21.14.24.80 $post
# Nick's home
$pre 24.2.74.79 $post
$pre 24.2.74.178 $post
:

pass in quick on ep0 inet proto tcp from 21.14.24.80 to any \

port = 80 keep state
pass in quick on ep0 inet proto tcp from 21.14.24.80 to any \
port = 6667 keep state
pass in quick on ep0 inet proto tcp from 24.2.74.79 to any \
port = 80 keep state
pass in quick on ep0 inet proto tcp from 24.2.74.79 to any \
port = 6667 keep state
pass in quick on ep0 inet proto tcp from 24.2.74.178 to any \
port = 80 keep state
pass in quick on ep0 inet proto tcp from 24.2.74.178 to any \
port = 6667 keep state
PF:
PF , . PF ,

, .
:
"default deny", :
block in all block out all
:
block all
, pf , ,
.
"from any to any" "all" . :
block in on rl0 all pass in quick log on rl0 proto tcp from any to any port 22 keep state
:
block in on rl0 pass in quick log on rl0 proto tcp to port 22 keep state
Return:
ICMP Unreachable TCP RST :
block in all block return-rst in proto tcp all block return-icmp in proto udp all block out all block return-rst out proto tcp all
block return-icmp out proto udp all
:
block return
PF return, , ,
.
:
. , :
pass in log quick on rl0 proto tcp to port 22 \ flags S/SA keep state queue ssh label ssh
:
pass in quick log on rl0 proto tcp to port 22 \ queue ssh keep state label ssh flags S/SA
.