PF server ntpd error

VladiBG (Aspiring Daemon):
You are making too many changes at the same time, which leads to too many errors. Start with the simplest configuration and when you get it working, expand it until you reach the desired result.

I think pf is a good firewall to use
There's no bad firewall. The good firewall is the one you know how to use and set up.
 

mickey (Aspiring Daemon):

You should also allow "unreach" for path MTU discovery:
Actually, you shouldn't. As I said before, pf handles ICMP error responses in a smart way so you don't have to take care of that manually. From pf.conf(5):
Code:
     Furthermore, correct handling of ICMP error messages is critical to many
     protocols, particularly TCP.  pf(4) matches ICMP error messages to the
     correct connection, checks them against connection parameters, and passes
     them if appropriate.  For example if an ICMP source quench message
     referring to a stateful TCP connection arrives, it will be matched to the
     state and get passed.
The only ICMP message you should allow by explicit filter rules is ICMP echo request, provided you actually want your machine to be able to ping/be pinged.

Add keep state here and your server will be allowed to initiate connections.
There is nothing to gain from that, as keep state is the default behaviour for pass rules:
Code:
     pass  The packet is passed; state is created unless the no state option
           is specified.
this is what gets printed to the screen:
May 6 14:51:46 server webmin[#####]: Non-existent login as webmin from 212.166.56.110
this repeats 4 times, then
May 6 14:51:53 server webmin[#####]: Security alert: Host 212.166.54.110 blocked after 5 failed logins for user webmin

So, I will not work on my server from outside my home anymore, and I just closed the ports at the router. I do keep 443 open because we must provide a patient portal. That needs to be accessible to patients.
I believe you really want to restrict access to webmin to your internal network (192.168.1.0/24) and not forward the webmin port at all on your router.

Regarding NAT, I misspoke, I meant redirect. I read somewhere that traffic needed to be redirected when jails were used. I did not mean that I need NAT.
My idea is to have MySQL in one jail, Nginx in one jail, and the www directory with the server applications in another jail, and finally the data directories yet in another jail. I would like to have backups in a NAS.
Is this too ambitious a project?
If you try to do it all at once, probably. One step at a time.
Regarding your pf.conf(5), also keep in mind that pf requires a strict ordering of statements: Macros, Tables, Options, Normalization, Queueing, Translation and Filtering. It helps to clearly mark those sections with comments and double-check that every statement is in the section where it belongs.
 
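The webmin lines quoted above ("Non-existent login as webmin from ...") are exactly the kind of input a blocklist should be fed from, and a pf table is the place to put the result rather than a hard-coded network in a block rule. The following is an added example, not code from the thread or from Webmin or pf: two shell functions that count failed Webmin logins per source address from syslog and print the pfctl(8) commands that would add repeat offenders to a table. The log sample is constructed (documentation IP ranges, fake PID), the table name bruteforce is an assumption, and only the message format quoted in the thread is matched.

```shell
#!/bin/sh
# Added example (not from the thread, not Webmin's or pf's own tooling):
# count failed Webmin logins per source address from syslog lines and
# emit pfctl(8) commands that add repeat offenders to a pf table.
# Assumptions: lines look like the "Non-existent login as USER from IP"
# line quoted in the thread; the table name defaults to "bruteforce" (an
# assumption); the sample log below is constructed, not real data.

# webmin_sample_log : constructed syslog excerpt used for the demo below
webmin_sample_log() {
    cat <<'EOF'
May 6 14:51:46 server webmin[12345]: Non-existent login as webmin from 203.0.113.5
May 6 14:51:47 server webmin[12345]: Non-existent login as webmin from 203.0.113.5
May 6 14:51:48 server webmin[12345]: Non-existent login as admin from 203.0.113.5
May 6 14:51:49 server webmin[12345]: Non-existent login as root from 203.0.113.5
May 6 14:51:50 server webmin[12345]: Non-existent login as webmin from 203.0.113.5
May 6 14:51:53 server webmin[12345]: Security alert: Host 203.0.113.5 blocked after 5 failed logins for user webmin
May 6 14:52:10 server webmin[12345]: Non-existent login as test from 198.51.100.7
May 6 14:52:30 server sshd[999]: Invalid user oracle from 198.51.100.7 port 4444 ssh2
EOF
}

# webmin_offenders [THRESHOLD] : read syslog on stdin, print "IP COUNT" for
# every source with at least THRESHOLD (default 5) failed Webmin logins.
# Only webmin[...] lines containing "login as ... from" are counted, so the
# sshd line and Webmin's own "Security alert" line are ignored.
webmin_offenders() {
    awk -v min="${1:-5}" '
        /webmin\[[0-9]+\]: .*login as .* from / {
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' | sort
}

# webmin_block_cmds [THRESHOLD] [TABLE] : print the pfctl commands that would
# add each offender to TABLE. The table must be declared in pf.conf, e.g.
#   table <bruteforce> persist                  (Tables section)
#   block in quick on $ext_if from <bruteforce> (Filtering section)
webmin_block_cmds() {
    webmin_offenders "${1:-5}" |
        awk -v t="${2:-bruteforce}" '{ print "pfctl -t " t " -T add " $1 }'
}

# Usage:   webmin_sample_log | webmin_block_cmds 5 bruteforce
# Real log: webmin_block_cmds 5 bruteforce < /var/log/messages
```

Feeding the output to sh (or running the pfctl calls from a cron job) keeps the blocklist in the table instead of in pf.conf, so additions and expiry (pfctl -t bruteforce -T expire) need no ruleset reload.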
gutiersa (OP, Member):

I have used OS/2 Weasel for a mail server (for a week), Plan 9 upas for mail (for a week), Sendmail (egad!) and OpenSMTPD. I would recommend OpenSMTPD. Everyone has their own opinion of what is best and what they prefer, but the syntax for OpenSMTPD is easy to read. And you don't need a 1400 page "Bat book" for it (reference to the O'Reilly Sendmail book).

This is my current smtpd.conf for OpenSMTPD on OpenBSD. I think there is still a FreeBSD port.
Code:
queue compression
queue encryption key 44d1ee9dd2f0a54e4a6c21bd24b2c2d1
# pki setup
pki mail.myname.email certificate "/etc/ssl/mail.myname.email.crt"
pki mail.myname.email key "/etc/ssl/private/mail.myname.email.key"
pki mail.business.com certificate "/etc/ssl/mail.business.com.crt"
pki mail.business.com key "/etc/ssl/private/mail.business.com.key"
# tables setup
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table users file:/etc/mail/users
table secrets file:/etc/mail/secrets
table blacklist-recipients file:/etc/mail/blacklist-recipients
# listen ports setup
listen on lo0
#listen on egress port 25
#listen on egress port 587 tls-require pki mail.myname.email auth <secrets>
listen on egress port 25 tls auth-optional <secrets> hostname mail.myname.email
listen on egress port 587 tls-require auth <secrets> hostname mail.myname.email
# allow local messages
#accept from local for local alias <aliases> deliver to maildir "/var/mail/%{user.username}/Inbox"
accept recipient ! <blacklist-recipients> from local for local alias <aliases> deliver to mbox
# allow virtual domains
accept from any recipient ! <blacklist-recipients> for domain <domains> \
    virtual <users> deliver to maildir "/var/mail/%{user.username}/Inbox"
# allow outgoing mails
accept from local for any relay
BTW, I should consider openSMTPD as opposed to postfix?
 
gutiersa (OP, Member):

I believe you really want to restrict access to webmin to your internal network (192.168.1.0/24) and not forward the webmin port at all on your router.
Yes, I changed this at the router level.
 

Jose (Active Member):

Actually, you shouldn't. As I said before, pf handles ICMP error responses in a smart way so you don't have to take care of that manually. From pf.conf(5):
Code:
     Furthermore, correct handling of ICMP error messages is critical to many
     protocols, particularly TCP.  pf(4) matches ICMP error messages to the
     correct connection, checks them against connection parameters, and passes
     them if appropriate.  For example if an ICMP source quench message
     referring to a stateful TCP connection arrives, it will be matched to the
     state and get passed.
The only ICMP message you should allow by explicit filter rules is ICMP echo request, provided you actually want your machine to be able to ping/be pinged.
I'm not sure that would work for UDP traffic, and in the case of intermediate routers, like say a machine doing NAT for multiple jails. In any case, no offense, but I'm going to take Peter N. M. Hansteen's word over yours:

There is nothing to gain from that, as keep state is the default behaviour for pass rules:
Code:
     pass  The packet is passed; state is created unless the no state option
           is specified.
Good to know. That behavior was added in OpenBSD 4.1. I'm showing my age.
 
gutiersa (OP, Member):

Ok, it turns out the syntax error is because I needed a blank line at the end.
But, I am still locking myself out, even with these simple rules. Hmm!
It is not because there is a switch between the windows computer and the router, whereas the server is connected directly to the router, is it?
 
gutiersa (OP, Member):

My apologies, it worked beautifully, I had left out the line for the ports. Sorry, got distracted there for a minute.
The problem then was just that I needed one blank line at the end.
And I have read what every single one of you have said.
I will post a final solution along with my topography here for anyone else who will have a similar situation in the future.
Thank you all, Sys Admins are THE BEST!
 
gutiersa (OP, Member):

Alrighty then, these are the rules that are allowing me to get into my FreeBSD box from my Windows machines within my LAN. (Please note there needs to be a blank line at the very bottom of pf.conf, otherwise you get a syntax error message.):
Code:
# macros
ext_if="e0"

tcp_services="{ 80, 443 }"                  # public web: http, https
adm_services="{ 22, 3306, 10000, 11000 }"   # 22 ssh, 3306 mysql, 10000 webmin, 11000
icmp_types="echoreq"

# options
set block-policy return                     # blocked TCP gets a RST, UDP an ICMP unreachable
set loginterface $ext_if

set skip on lo                              # loopback is not filtered at all

# scrub
scrub in

# nat/rdr
#nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

# filter rules
block in                                    # default deny for inbound traffic
# silently drop (overriding block-policy) the network seen brute-forcing webmin
block drop in quick on $ext_if inet proto tcp from 212.166.54.0/24 to any

pass out                                    # all outbound; state is kept by default

antispoof quick for { lo }                  # drop packets with loopback addresses arriving elsewhere

# inbound, stateful by default: web ports and admin ports both open to any source on $ext_if
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
pass in on $ext_if inet proto tcp from any to ($ext_if) port $adm_services
pass in inet proto icmp all icmp-type $icmp_types
This is my topology:
[image: Network topology.jpg]
Kindly comment.
 

SirDice (Administrator, Staff member, Moderator):

But, I am still locking myself out, even with these simple rules. Hmm!
Tips from the trenches:

Write your new rules to /etc/pf.conf.new for example. Then on the command line use something like this: pfctl -f /etc/pf.conf.new && sleep 60 && pfctl -f /etc/pf.conf
This will load the ruleset from /etc/pf.conf.new, sleep for 60 seconds, then load /etc/pf.conf again. In those 60 seconds you can test your new rules; if you happen to lock yourself out, wait the 60 seconds and your original ruleset is loaded again, allowing access again. Set the timer to 120 or 180 if you need more time to test.

Prevent syntax errors by loading the rules with pfctl -nf /etc/pf.conf. This will only check the rules for validity, it doesn't apply them.
 
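The timer trick above has one weak spot: a foreground "pfctl -f new && sleep 60 && pfctl -f old" chain dies with the shell that started it, and a ruleset that locks you out is precisely what makes that session drop. The following is an added example, not from the thread or from pf itself: the same idea as shell functions, with the syntax check done before anything is loaded and the rollback armed as a detached background job that ignores SIGHUP. The function names, the PFCTL variable (so the functions can be pointed at a stub for a dry run) and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): "load new rules, revert after a timer"
# as shell functions, with a syntax check first and a rollback that survives
# the SSH session dying. PFCTL defaults to /sbin/pfctl; override it to dry-run.

PFCTL="${PFCTL:-/sbin/pfctl}"

# pf_check FILE : parse FILE without loading it (pfctl -n). Returns pfctl's status.
pf_check() {
    "$PFCTL" -nf "$1"
}

# pf_trial NEWFILE OLDFILE [SECONDS] : syntax-check NEWFILE, load it, and arm a
# background rollback that reloads OLDFILE after SECONDS (default 60).
# The rollback subshell ignores SIGHUP and has its stdio detached, so a lost
# session cannot take it down. Prints the rollback job's PID on stdout.
pf_trial() {
    new=$1; old=$2; secs=${3:-60}
    pf_check "$new" || { echo "syntax error in $new, nothing loaded" >&2; return 1; }
    "$PFCTL" -f "$new" || return 1
    ( trap '' HUP; sleep "$secs"; "$PFCTL" -f "$old" ) >/dev/null 2>&1 &
    echo $!
}

# pf_commit ROLLBACK_PID NEWFILE OLDFILE : you still have access, so cancel the
# rollback and make NEWFILE the permanent ruleset. Killing the subshell while
# it is inside sleep means the trailing pfctl never runs.
pf_commit() {
    kill "$1" 2>/dev/null || true
    cp "$2" "$3"
}

# Usage (from an SSH session):
#   pid=$(pf_trial /etc/pf.conf.new /etc/pf.conf 120)   # test for 2 minutes
#   ... open a second session, ping, try the services ...
#   pf_commit "$pid" /etc/pf.conf.new /etc/pf.conf      # keep the new rules
# If you were locked out, just wait: /etc/pf.conf is reloaded automatically.
```

Run it as root, keep the new file under /etc so the rollback still finds it if a mount goes away, and do not commit from the same session you are testing in until a second session has confirmed access.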
OP
gutiersa

gutiersa

Member

Reaction score: 6
Messages: 61

I find myself stuck once more.
Because I have not been able to achieve full functionality of my openemr application in nginx, I have set up a second instance of it with apache 2.4 as the httpd server in a 12.1-RELEASE jail. My question is now two-fold:
1. Does the apache jail need to have an IP address in a different subnet from the host machine, and if so, can I choose for example 192.168.0.9/24 (again, my host being 192.168.1.10, default router: 192.168.1.1)?
2. How do I now tell my host PF firewall to direct traffic to and from the jail? When I try to access the jail's server (in the address bar from a Windows computer within the LAN), it gets sent to the main host's Nginx server instead (hence, I know my networking is messed up).

TIA
 

VladiBG (Aspiring Daemon):

It's better to open a new thread for this problem and describe how your jail network is setup inside the host.
 

pyret (Active Member):

VladiBG is right that a new thread with how your network is laid out, and your pf.conf, as well as your nginx.conf might be better. But no, Apache/nginx doesn't need to be on a separate network. It depends how you want it.

Personally, I'd use VNET/VIMAGE jails over traditional jails because you get a separate and real network stack, and it simplifies things. Or use bhyve. But that's just preference.
 