Security question

A slightly different problem I stumbled into.
I wonder if anyone has had this problem. Say you have a FreeBSD host A, running virtual machine B. I turn on the PF firewall on A, and switch off B's firewall just to be clear; still I am unable to ssh from my home PC into B. Note that the home PC is a completely different machine. I can ssh from host A no problem, not from any other host. I tried setting static routes on A and B, still no luck. Somehow PF on the host seems to only allow the host to ssh into the virtual machine!
Is there any PF ruleset that needs to be set to eliminate this behavior. I've never had this issue earlier.
 
ROFLMAO... label your personal PC with C. B is a virtual machine on A.
C -> A: no go, A has a firewall rule, therefore cannot get into B, either, thanks to external firewall on A!

Of course A -> B is possible, B has no firewall.
 
No.
C -> A is perfectly fine. C has a static route to A. In addition C is allowed by A's firewall explicitly.
C -> B no go, whereas A -> B is fine as well.
The same properties hold with and without firewall in B.
 
We just had a 4 page thread on Hardening FreeBSD last month:


What good was it if you're going to search Google for the term?
 
Google uses a different search algorithm than what is implemented by XenForo (the software that powers FreeBSD forums). You'd have to know the difference in what's known as "Link Scoring". FreeBSD's main site (freebsd.org) uses duckduckgo.com as the backend for their search function, rather than Google. XenForo uses an internal implementation. This is why Lamia's suggestion was a good one. But, nothing wrong with digging up old forum threads that contain useful info. Just how useful that info is - that's ultimately up to OP to decide.
 
No.
Ok I managed to get in. So C->B and C->A are both ok.
Both A and B are using different ports for ssh. I had to explicitly allow both ports in the pf ruleset:
"pass in on ... from .. to ... port { pA pB} "

I still have a problem though. B cannot access internet when host A's firewall is on.
However, A can access the internet just fine.
I have tried various things:
like set skip on vm0 etc, where vm0 is the bridge interface for B.
Nothing seems to work.

Does anyone have a suggestion on how to set up pf so the bhyve machine, i.e. B, can run normally?
 
PF should have options for both inbound rules and outbound rules. It sounds like you need to RTFM and figure out the flag for outbound.
 
Humm. Let me clarify if I haven't already.
A is able to do everything normally (downloading/ssh/ping) with its own PF on. But B cannot. I have tried all variants of inbound and outbound. Outbound rules have been totally relaxed: all packets can go from any to any and through any port.
 
Seems like A is not letting vm B access the Internet... And if firewall is not the issue, then you probably have misconfigured NAT between A and B.
 
Possible. Not sure though. I set up B with vm-bhyve. I didn't manually configure the switch and to my knowledge it doesn't NAT. Also vm switch info does not show any NAT. It shows "standard", and a tap device.

The problem seems to be firewall only. B can access internet when I switch off A's firewall.
And I haven't found good, simple, working examples of pf with bhyve, including TFM ;-)
I did see some posts in the forum; they seem to have different constraints and problems however.
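Added example, not the poster's ruleset: a minimal pf.conf for the bridged (non-NAT) setup described above, where the VM's traffic enters the host "in" on its tap interface and must not be caught by a plain block-in rule. Assumed names: the outside NIC is em0, the vm-bhyve bridge is vm0 as in the thread, tap interfaces are in the "tap" interface group, and the two SSH ports pA/pB are written as 22 and 2222.

```pf
# Assumptions (not from the thread): em0 is the host's external NIC and
# 22/2222 stand in for the host's and the VM's SSH ports (pA/pB).
ext_if    = "em0"
ssh_ports = "{ 22 2222 }"

# A bridged VM's packets hit the host firewall first as "in" on the tap
# interface, then again on the bridge member (em0) on the way out. With
# "block in all", the VM's outbound traffic is dropped on the tap before
# it ever reaches em0, even though every "pass out" rule is wide open.
# That matches "A works, B has no Internet only while A's pf is on".
# Keep the bridge and every tap unfiltered so policy lives on em0 only.
set skip on { lo0 vm0 tap }

block in log all
pass out all keep state

# Explicit SSH to the host (pA) and to the VM (pB) through the outside NIC;
# return traffic for the VM rides the state and is bridged to its tap.
pass in on $ext_if proto tcp from any to any port $ssh_ports keep state
```

Whether member and bridge interfaces are filtered at all is governed by the net.link.bridge.pfil_member and net.link.bridge.pfil_bridge sysctls, so check sysctl net.link.bridge alongside this. Validate with pfctl -nf /etc/pf.conf before loading.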
 
NAT is done on network interfaces. I think you need to look at NAT on A's ethernet interface, not on B's virtual switch. This is usually done with natd_enable="YES" on host A.
 
Nope. I don't have any such thing on A.
 
That's probably where your issue is - on NAT on A. I would suggest reading up on NAT (Network Address Translation) a bit, and understand how it works. In a nutshell, it's like having 2 ethernet ports on a router, one port has 192.168.1.0/24 net on it, the other port has 172.16.0.0/16 net on it. Both networks should communicate, but they don't. This is where NAT comes in.
 
You'd have to know the difference in what's known as "Link Scoring" .
What makes you think I don't? I held 3 of the top 5 spots in a Google search for FreeBSD Desktop. Then took it offline for over a year and have to start over:

But still hold #1 Google rank over the https://freebsdfoundation.org tutorial. My freebsdnews.com article slipped to 6th.

But I'm back with a bullet in a different search for Building a FreeBSD Desktop From Scratch and hold #2, #3 and #4 spots behind #1 spot https://docs.freebsd.org and they might as well give it up now because not even they can compete. I'm putting the member screenshot pages back up and all my wallpapers:


Because they are poor business decision makers when it comes to who does and who does not work for them and gets paid as a representative.

My Mind is not for rent, to any God or Government, $$$ doesn't cloud my good judgement to the detriment of those who depend on it. The River!

This is why Lamia's suggestion was a good one. But, nothing wrong with digging up old forum threads that contain useful info. Just how useful that info is - that's ultimately up to OP to decide.
Have you actually searched google for that term? No, you have not.

Or you would know it sends you right back here, with the FreeBSD forums holding #1 Google ranking on a search for Hardening FreeBSD.
 
Google uses a different search algorithm than what is implemented by XenForo (the software that powers FreeBSD forums). You'd have to know the difference in what's known as "Link Scoring". FreeBSD's main site (freebsd.org) uses duckduckgo.com as the backend for their search function, rather than Google. XenForo uses an internal implementation. This is why Lamia's suggestion was a good one. But, nothing wrong with digging up old forum threads that contain useful info. Just how useful that info is - that's ultimately up to OP to decide.
Thanks a million. The forum search should be his first point of contact. Google would list relevant results from the forum and if he wants to use Google yet limit the results to the forum, he could add a filter "hardening freebsd box site:forums.freebsd.org".
 
It does list a thread from May, which is when the one I referenced was started, but not that one.

That one was started by the same person who initially suggested searching google in this thread:
Google "Freebsd hardening".
I meant nothing personal towards anyone by it, it was just my mind balking at the logic of it.

Logic. It's an antiqued concept these days. When the masses can't handle it, they change reality and facts become an annoyance.

I'm so glad I lived to see 1984.
 
It does list a thread from May, which i when the one I referenced was started, but not that one.
English slipping a bit, sentence not making sense, sorry!

Logic. It's an antiqued concept these days. When the masses can't handle it, they change reality and facts become an annoyance.
Just me being more anal than a compiler: it's "antiquated". Responding to the sentence itself: Forget the masses, it's like that at the top, too.

I'm so glad I lived to see 1984.
Me, too.
 
What makes you think I don't? I held 3 of the top 5 spots in a Google search for FreeBSD Desktop. Then took it offline for over a year and have to start over:

But still hold #1 Google rank over the https://freebsdfoundation.org tutorial. My freebsdnews.com article slipped to 6th.

But I'm back with a bullet in a different search for Building a FreeBSD Desktop From Scratch and hold #2, #3 and #4 spots behind #1 spot https://docs.freebsd.org and they might as well give it up now because not even they can compete. I'm putting the member screenshot pages back up and all my wallpapers:


Because they are poor business decision makers when it comes to who does and who does not work for them and gets paid as a representative.

My Mind is not for rent, to any God or Government, $$$ doesn't cloud my good judgement to the detriment of those who depend on it. The River!


Have you actually searched google for that term? No, you have not.

Or you would know it sends you right back here, with the FreeBSD forums holding #1 Google ranking on a search for Hardening FreeBSD.
Trihexagonal: What you're doing is called SEO - Search Engine Optimization. That is different from knowing the actual formula that Google's crawler uses to analyze links, give them a score, and place the page into a list. OTOH, XenForo's devs decided to go with their own formula for deciding what comes up first. Google's formula (a.k.a. secret sauce) has a truckload of engineering brainpower behind it. That alone makes it different from XenForo.
 