Run multiple services on one port and use PF’s overload to switch between them
At work we have a http/https proxy which requires authentication, I would like to access both ssh and a subversion https repository at my server.
The easy solution would be to use two IP addresses. I do not have an additional IP address available.
Using any port other than 443 also has problems, since there’re blocked.
As a sidenote, you may be wondering why I’m not just using http for my subversion access. The reason is that the HTTP proxy we have doesn’t support certain WebDAV extensions that are required.
The solution
Use pf’s overload feature to switch between services on a given port.
Using it is simple:
I can use svn whenever I need, if I would like to use ssh I open my browser, go to http://94.142.244.51 three times in 42 seconds and I can use ssh.
After closing ssh and waiting for a minute will remove my work’s IP from the rdr_ssh table and I can use svn again.
This solution will work for FreeBSD and OpenBSD. The concept can probably be implemented in most other stateful firewalls too.
/etc/pf.conf
Simplified ruleset for demonstration purposes
dummy_server.py
From pf.conf(5):
It took me some time to realize that if no service is running on port 80 the connection attempt will just time out and the 3-way handshake is not completed.
You can use Python to start a simple “donothing webserverâ€:
Or you can use your webserver with a document root of /var/empty/ if you prefer.
/etc/crontab
You can also add a crontab entry to flush the table periodically to switch back to svn when you’re done with ssh. To your /etc/crontab add:
From pfctl(8):
In other words: As long as a connection is open, the address won’t be removed, but if no connection has been open for 60 seconds the address is removed.
Or, if you prefer, you can manually clear the table with:
Further reading
pfctl(8)
pf.conf(5)
PF user’s guide from the OpenBSD site
FreeBSD handbook: 30.4 The OpenBSD Packet Filter (PF) and ALTQ
At work we have a http/https proxy which requires authentication, I would like to access both ssh and a subversion https repository at my server.
The easy solution would be to use two IP addresses. I do not have an additional IP address available.
Using any port other than 443 also has problems, since there’re blocked.
As a sidenote, you may be wondering why I’m not just using http for my subversion access. The reason is that the HTTP proxy we have doesn’t support certain WebDAV extensions that are required.
The solution
Use pf’s overload feature to switch between services on a given port.
Using it is simple:
I can use svn whenever I need, if I would like to use ssh I open my browser, go to http://94.142.244.51 three times in 42 seconds and I can use ssh.
After closing ssh and waiting for a minute will remove my work’s IP from the rdr_ssh table and I can use svn again.
This solution will work for FreeBSD and OpenBSD. The concept can probably be implemented in most other stateful firewalls too.
/etc/pf.conf
Simplified ruleset for demonstration purposes
Code:
# Interface to filter
if="re0"
# My server's IP
ip="94.142.244.51"
# IP from my work
work={"80.246.203.133"}
# Table to keep track of who should be redirected from port 443 to port 22
table persist
# Redirect everyone in the rdr_ssh table from port 443 to port 22
rdr on $if inet proto tcp from to $ip port https -> $ip port ssh
# Default rules
block in log
pass out quick
# Allow traffic on port 443
pass in on $if proto tcp from any to $ip port https
# Allow traffic on port 80 for svn/ssh "switching", allow it only from my work.
# Most browsers will try to load /favicon.ico so opening a page once are two
# connections.
pass in log quick proto tcp from $work to $ip port http keep state
(max-src-conn-rate 6/42, overload )dummy_server.py
From pf.conf(5):
Code:
For stateful TCP connections, limits on established connections (connec-
tions which have completed the TCP 3-way handshake) can also be enforced
per source IP.
max-src-conn
Limits the maximum number of simultaneous TCP connections which
have completed the 3-way handshake that a single host can make.
max-src-conn-rate /
Limit the rate of new connections over a time interval. The con-
nection rate is an approximation calculated as a moving average.It took me some time to realize that if no service is running on port 80 the connection attempt will just time out and the 3-way handshake is not completed.
You can use Python to start a simple “donothing webserverâ€:
Code:
#!/usr/bin/env python
from BaseHTTPServer import *
host = '94.142.244.51'
port = 80
HTTPServer((host, port), BaseHTTPRequestHandler).serve_forever()Or you can use your webserver with a document root of /var/empty/ if you prefer.
/etc/crontab
You can also add a crontab entry to flush the table periodically to switch back to svn when you’re done with ssh. To your /etc/crontab add:
Code:
* * * * * root /sbin/pfctl -t rdr_ssh -T expire 60 > /dev/null 2>&1From pfctl(8):
Code:
-T expire number
Delete addresses which had their statistics cleared
more than number seconds ago. For entries which
have never had their statistics cleared, number
refers to the time they were added to the table.Or, if you prefer, you can manually clear the table with:
Code:
pfctl -t rdr_ssh -T delFurther reading
pfctl(8)
pf.conf(5)
PF user’s guide from the OpenBSD site
FreeBSD handbook: 30.4 The OpenBSD Packet Filter (PF) and ALTQ