PF How to run SSLproxy deep SSL inspection in FreeBSD?

alfa

Member

Reaction score: 4
Messages: 25

Hi, I am trying to run sonertari's SSLproxy package on FreeBSD 13 for deep SSL inspection. It successfully works on UTMFW (OpenBSD 6.8),
but when I installed and configured it on FreeBSD like UTMFW's working conf below, no luck.

I commented out the user authentication section of sslproxy.conf because it doesn't work on FreeBSD,
according to the sslproxy man page.
I successfully generated ca.key and ca.crt and installed ca.crt in my Firefox browser.
Starting sslproxy: /usr/local/bin/sslproxy -f /etc/sslproxy/sslproxy.conf

No packets pass on this divert rule:
Code:
pass in log quick on $int_if proto tcp from $int_net to !$int_if port https divert-to lo port 8443

Thanks for any help...

sslproxy FreeBSD man page

Code:
#
# Use the -f command line option to start sslproxy with a config file.
# See sslproxy.conf(5) and sslproxy(1) for documentation.

# Use CA cert (and key) to sign forged certs.
# Equivalent to -c command line option.
CACert /etc/sslproxy/ca.crt

# Use CA key (and cert) to sign forged certs.
# Equivalent to -k command line option.
CAKey /etc/sslproxy/ca.key

# Use cert from pemfile when destination requests client certs.
# Equivalent to -a command line option.
#ClientCert /etc/sslproxy/client.crt

# Use key from pemfile when destination requests client certs.
# Equivalent to -b command line option.
#ClientKey /etc/sslproxy/client.key

# Use CA chain from pemfile (intermediate and root CA certs).
# Equivalent to -C command line option.
#CAChain /etc/sslproxy/chain.crt

# Use key from pemfile for leaf certs.
# Equivalent to -K command line option.
# (default: generate)
#LeafKey /etc/sslproxy/leaf.key

# Use URL as CRL distribution point for all forged certs.
# Equivalent to -q command line option.
#LeafCRLURL http://example.com/example.crl

# Use cert+chain+key PEM files from certdir to target all sites matching the
# common names (non-matching: generate if CA).
# Equivalent to -t command line option.
#LeafCertDir /etc/sslproxy/leaf.d

# Use cert+chain+key from PEM file instead of generating leaf keys on the fly.
# Equivalent to -A command line option.
#DefaultLeafCert /etc/sslproxy/leaf.pem

# Write leaf key and only generated certificates to gendir.
# Equivalent to -w command line option.
#WriteGenCertsDir /var/log/sslproxy

# Write leaf key and all certificates to gendir.
# Equivalent to -W command line option.
#WriteAllCertsDir /var/log/sslproxy

# Deny all OCSP requests on all proxyspecs.
# Equivalent to -O command line option.
#DenyOCSP yes

# Passthrough SSL connections if they cannot be split because of client cert
# auth or no matching cert and no CA.
# Equivalent to -P command line option.
# (default: drop)
#Passthrough yes

# Use DH group params from pemfile.
# Equivalent to -g command line option.
# (default: keyfiles or auto)
#DHGroupParams /etc/sslproxy/dh.pem

# Use ECDH named curve.
# Equivalent to -G command line option.
# (default: prime256v1)
#ECDHCurve prime256v1

# Enable/disable SSL/TLS compression on all connections.
# Equivalent to -Z command line option.
#SSLCompression no

# Force SSL/TLS protocol version only.
# Equivalent to -r command line option.
# (default: all)
#ForceSSLProto tls12

# Disable SSL/TLS protocol version.
# Equivalent to -R command line option.
# (default: none)
#DisableSSLProto tls10

# Min SSL/TLS protocol version.
# (default: tls10)
#MinSSLProto tls10

# Max SSL/TLS protocol version.
# (default: tls12 or tls13, depending on the version of SSL library)
#MaxSSLProto tls13

# Use the given OpenSSL ciphers spec.
# Equivalent to -s command line option.
# (default: ALL:-aNULL)
Ciphers ALL:!RC4

# Use the given OpenSSL ciphersuites spec.
# The ciphersuites spec is for TLS 1.3.
# Equivalent to -U command line option.
# (default: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256)
#CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# Leaf key RSA keysize in bits, use 1024|2048|3072|4096.
# (default: 2048)
LeafKeyRSABits 2048

# OpenSSL engine to activate, either ID or full path to shared library
# Equivalent to -x command line option
#OpenSSLEngine cloudhsm

# Specify default NAT engine to use.
# Equivalent to -e command line option.
#NATEngine pf

# Drop privileges to user.
# Equivalent to -u command line option.
# (default: nobody, if run as root)
User _sslproxy

# Drop privileges to group.
# Equivalent to -m command line option.
# (default: primary group of user)
Group _sslproxy

# chroot() to jaildir (impacts sni proxyspecs, see sslproxy(1)).
# Equivalent to -j command line option.
#Chroot /var/run/sslproxy

# Write pid to file.
# Equivalent to -p command line option.
# (default: no pid file)
PidFile /var/run/sslproxy.pid

# Connect log: log one line summary per connection to logfile.
# Equivalent to -l command line option.
#ConnectLog /var/log/sslproxy/connect.log

# Content log: full data to file or named pipe
# (excludes ContentLogDir/ContentLogPathSpec).
# Equivalent to -L command line option.
#ContentLog /var/log/sslproxy/content.log

# Content log: full data to separate files in dir
# (excludes ContentLog/ContentLogPathSpec).
# Equivalent to -S command line option.
#ContentLogDir /var/log/sslproxy/content

# Content log: full data to sep files with % subst
# (excludes ContentLog/ContentLogDir).
# Equivalent to -F command line option.
#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log

# Look up local process owning each connection for logging.
# Equivalent to -i command line option.
#LogProcInfo yes

# Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec).
# Equivalent to -X command line option.
#PcapLog /var/log/sslproxy/content.pcap

# Pcap log: packets to separate files in dir
# (excludes PcapLog/PcapLogPathSpec).
# Equivalent to -Y command line option.
#PcapLogDir /var/log/sslproxy/pcap

# Pcap log: packets to sep files with % subst (excludes PcapLog/PcapLogDir).
# Equivalent to -y command line option.
#PcapLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.pcap

# Mirror packets to interface.
# Equivalent to -I command line option.
#MirrorIf lo

# Mirror packets to target address (used with MirrorIf).
# Equivalent to -T command line option. Leave commented if the target is
# irrelevant (e.g. mirror to dummy device)
#MirrorTarget 192.0.2.1

# Log master keys to logfile in SSLKEYLOGFILE format.
# Equivalent to -M command line option.
#MasterKeyLog /var/log/sslproxy/masterkeys.log

# Daemon mode: run in background, log error messages to syslog.
# Equivalent to -d command line option.
Daemon yes

# Debug mode: run in foreground, log debug messages on stderr.
# Equivalent to -D command line option.
#Debug yes

# Verbose debug level
#DebugLevel 4

# Close connections after this many seconds of idle time
ConnIdleTimeout 120

# Check for expired connections every this many seconds
ExpiredConnCheckPeriod 10

# Log statistics to syslog
# Equivalent to -J command line option.
LogStats yes

# Log statistics every this many ExpiredConnCheckPeriod periods
StatsPeriod 1

# Remove HTTP header line for Accept-Encoding
RemoveHTTPAcceptEncoding no

# Remove HTTP header line for Referer
RemoveHTTPReferer yes

# Verify peer using default certificates
VerifyPeer yes

# When disabled, never add the SNI to forged certificates, even if the SNI
# provided by the client does not match the server certificate's CN/SAN.
# Helps pass the wrong.host test at https://badssl.com.
AllowWrongHost no

# Require authentication for users to use SSLproxy
#UserAuth yes

# Path to user db file
#UserDBPath /var/db/users.db

# Time users out after this many seconds of idle time
#UserTimeout 300

# Redirect URL for users to log in to the system
#UserAuthURL https://192.168.8.1/userdblogin.php

# Comma separated list of users diverted by all proxyspecs
# Connections from these users are diverted to listening programs.
# Users not listed in DivertUsers or PassUsers are blocked.
# Max of 50 users can be listed.
#DivertUsers utmfw

# Comma separated list of users passed through by all proxyspecs
# Connections from these users are simply passed through to their original destinations,
# not diverted to listening programs.
# Users not listed in DivertUsers or PassUsers are blocked.
# Max of 50 users can be listed.
#PassUsers admin

# Validate proxy spec protocols
ValidateProto yes

# Max HTTP header size in bytes for protocol validation
MaxHTTPHeaderSize 8192

# Set open files limit, use 50-10000
OpenFilesLimit 1024

# Proxy specifications
# type listenaddr+port up:utmport ua:utmaddr ra:returnaddr
#ProxySpec https 127.0.0.1 8443 up:8080 [ua:127.0.0.1 ra:127.0.0.1]
ProxySpec http 127.0.0.1 8081 up:8080
ProxySpec https 127.0.0.1 8443 up:8080
ProxySpec pop3 127.0.0.1 8994 up:8110
ProxySpec pop3s 127.0.0.1 8995 up:8110
ProxySpec smtp 127.0.0.1 8464 up:9199
ProxySpec smtps 127.0.0.1 8465 up:9199
ProxySpec autossl 127.0.0.1 8466 up:9199

# Passthrough sites
# site [(clientaddr|(user|*) [description keyword])]
#PassSite example.com
#PassSite example.com 192.168.0.1
#PassSite example.com soner
#PassSite *.google.com * android

Code:
# UTMFW pf rules
# See pf.conf(5) and /etc/examples/pf.conf
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

int_if = "igb1"
ext_if = "igb0"
int_net = "192.168.8.0/24"


set loginterface $int_if

# Do not skip lo, we have rules for lo conns
#set skip on lo

scrub in log all

nat on igb0 from { !igb0 } to any -> (igb0)

pass in log quick on $int_if proto tcp from $int_net to !$int_if port https divert-to lo port 8443

pass in quick on lo proto { tcp udp } from any to any port 53
pass in quick on igb1 proto { tcp udp } from any to any port 53

pass in log all
pass out log all
 

wolffnx

Aspiring Daemon

Reaction score: 230
Messages: 675

Hi alfa, I want to do almost the same, a DPI FreeBSD box, but without luck.
The PF version in FreeBSD is not the same as on OpenBSD, so you can't;
maybe with IPFW, but I use PF.
 
alfa (OP)

Member

Reaction score: 4
Messages: 25

Thanks, but I also tried HTTPS to 8443 diversion with IPFW, and the result is the same: no luck.
 

covacat

Well-Known Member

Reaction score: 195
Messages: 417

You probably need ipfw fwd for a transparent proxy (not divert), unless the proxy is compiled with specific options and knows how to read from the divert socket (natd-like).
 
alfa (OP)

Member

Reaction score: 4
Messages: 25

Hi, my IPFW & PF configurations and SSLproxy's error logs are below.
Any help would be appreciated.

Code:
### sslproxy ERROR logs ###

Connecting to [52.35.247.112]:443
Client-side BEV_EVENT_ERROR
Error from bufferevent: 61:Connection refused 0:0:-:0:-:0:-
HTTPS disconnected to [-]:-, fd=107
HTTPS disconnected from [192.168.57.111]:48036, fd=107
SSL_free() in state 00000001 = 0001 = SSLOK  (SSL negotiation finished successfully) [connect socket]
STATS: thr=2, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=12
STATS: thr=0, mld=1, mfd=109, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=4, si=12
STATS: thr=5, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=12
STATS: thr=4, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=12
STATS: thr=3, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=12
STATS: thr=1, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=12
STATS: thr=6, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=12
STATS: thr=7, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=12
STATS: thr=2, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=13
STATS: thr=1, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=13
STATS: thr=0, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=13
STATS: thr=4, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=13
STATS: thr=5, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=13
STATS: thr=7, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=13
STATS: thr=3, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=13
STATS: thr=6, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=13


######## IPFW RULES ##########

ipfw -q -f flush

ipfw -q add 1 allow all from any to any out via lo0
ipfw -q add 2 allow all from any to any in via lo0

ipfw -q add 3 fwd 127.0.0.1,8443 tcp from 192.168.57.0/24 to any 443

ipfw -q add 65534 allow ip from any to any

######## PF RULES ##########

int_if = "igb1"
ext_if = "igb0"
int_net = "192.168.57.0/24"

set loginterface igb1

# Do not skip lo, we have rules for lo conns
#set skip on lo

#openbsd's pf rule# scrub in (no-df)
scrub in log all

nat on igb0 from { !igb0 } to any -> (igb0)

pass out quick on lo0 from any to any
pass in quick on lo0 from any to any

pass in quick on igb1 proto { tcp udp } from any to any port 53
pass in quick on igb0 proto { tcp udp } from any to any port 53
 
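As an added example that is not from the thread or the SSLproxy project: a short Python check that compares the redirect targets in the posted pf divert-to, pf rdr and ipfw fwd rules against the ProxySpec listeners in sslproxy.conf, and flags the OpenBSD-style divert-to rule when the host is FreeBSD, where pf's divert-to delivers to a divert(4) socket rather than to a TCP listener (the distinction covacat's reply draws). The config excerpts are constructed from the thread, and the rdr rule is an assumed FreeBSD pf equivalent.

```python
import re

# Constructed excerpts of the rules and config posted in this thread.
SSLPROXY_CONF = """
#ProxySpec https 127.0.0.1 8443 up:8080 [ua:127.0.0.1 ra:127.0.0.1]
ProxySpec http 127.0.0.1 8081 up:8080
ProxySpec https 127.0.0.1 8443 up:8080
"""
PF_DIVERT = "pass in log quick on $int_if proto tcp from $int_net to !$int_if port https divert-to lo port 8443"
IPFW_FWD = "ipfw -q add 3 fwd 127.0.0.1,8443 tcp from 192.168.57.0/24 to any 443"
# Assumed FreeBSD pf equivalent that redirects the flow to a local TCP listener.
PF_RDR = "rdr pass on $int_if proto tcp from $int_net to !$int_if port https -> 127.0.0.1 port 8443"

def proxyspecs(conf):
    """Set of (listenaddr, listenport, upport) from active ProxySpec lines."""
    spec = re.compile(r'^\s*ProxySpec\s+\S+\s+(\S+)\s+(\d+)\s+up:(\d+)', re.M)
    return {(a, int(p), int(up)) for a, p, up in spec.findall(conf)}

def upstream_ports(conf):
    """Ports of the listening programs that the up: entries hand each flow to."""
    return sorted({up for _, _, up in proxyspecs(conf)})

def redirect_targets(rules):
    """Yield (kind, addr, port) for each pf divert-to, pf rdr or ipfw fwd target."""
    patterns = {'divert-to': r'divert-to\s+(\S+)\s+port\s+(\d+)',
                'rdr': r'\brdr\b.*->\s*(\S+)\s+port\s+(\d+)',
                'fwd': r'\bfwd\s+([\d.]+),(\d+)'}
    for line in rules.splitlines():
        for kind, pat in patterns.items():
            m = re.search(pat, line)
            if m:
                yield kind, m.group(1), int(m.group(2))

def check(rules, conf, os_name):
    """Return findings as strings; an empty list means every redirect hits a ProxySpec."""
    listen_ports = {p for _, p, _ in proxyspecs(conf)}
    findings = []
    for kind, addr, port in redirect_targets(rules):
        if port not in listen_ports:
            findings.append(f'{kind} -> {addr}:{port} has no ProxySpec listening on it')
        elif kind == 'divert-to' and os_name == 'freebsd':
            # FreeBSD pf divert-to delivers to a divert(4) socket, as ipfw divert
            # does, so a plain TCP listener on that port never sees the flow.
            findings.append(f'divert-to port {port} feeds a divert(4) socket on '
                            'FreeBSD, not the TCP listener; use rdr or ipfw fwd')
    return findings
```

The up: ports it reports (8080 in the excerpt) also need a listening program on them, as the ProxySpec comments in the posted config describe; that is a separate thing to verify on the FreeBSD box.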