PF niemozliwosc przekierowania Oident do Jaila FreeBSD

[bryn1u 17]

Witam,

 

Posiadam FreeBSD 10, 1 jaila i PF Firewall. Probuje na wszystkie rozne sposoby przekierowac oidentd do jaila, ale to w ogole nie chce dzialac. Z hosta chodzi bez problemu lecz z jaila to jakas masakra. Czy ktos mial podobny problem. Moj pf.conf ponizej:

 

 

IP_PUB="178.xxx.xxx.xxx"

IP_JAIL="192.168.0.1"

NET_JAIL="192.168.0.0/24"

PORT_JAIL="{80,31337,6667,113,12345}"

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

# connected to internet

ext_if = "em0"

### Stateful Tracking Options (STO) ###

stossh ="(max 5, source-track rule, max-src-states 5, max-src-nodes 5, max-src-conn-rate 4/30, overload <bruteforce> flush global)"

stowww ="(max 500, source-track rule, max-src-states 50, max-src-nodes 75, max-src-conn-rate 120/100, overload <bruteforce> flush global)"

### Queues, States and Types ###

#IcmpPing ="icmp-type 8 code 0"

#SshQueue ="(ssh_bulk, ssh_login)"

#SynState ="flags S/SA synproxy state"

tcpstate ="flags S/SA modulate state"

udpstate ="keep state"

### Tables ###

#table <blockperm> counters file "/etc/blockperm"

#table <brutforce> counters persist file "/etc/bruteforce"

table <bruteforce> persist

################ Options #####################################################

### Misc Options

set skip on lo

set skip on lo1

set debug urgent

set block-policy drop

set loginterface $ext_if

set state-policy if-bound

set fingerprints "/etc/pf.os"

set ruleset-optimization none

### Timeout Options ###

set optimization normal

set timeout { tcp.closing 60, tcp.established 7200}

################ Normalization ###############################################

# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput

# scrub out log on $ext_if all random-id min-ttl 15 set-tos 0x1c fragment reassemble

# scrub in log on $ext_if all min-ttl 15 fragment reassemble

################ Translation #################################################

### NAT and Redirection rules are first match ###

nat pass on em0 from $NET_JAIL to any -> $IP_PUB

rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL

rdr pass on em0 proto tcp from any to $IP_PUB port 113 -> 192.168.0.1 port 113

################ Filtering ###################################################

# Rules are best (closest) match. Notice we optimized the rules so external

# interface parsing is first followed by the internal interface.

### $ExtIf block abusive hosts in temp and perm tables

################ Filtering ###################################################

### Drop incoming everything ###

block quick from <bruteforce>

block in all

block return

# keep stats of outgoing connections

pass out keep state

# unlimited traffic for loopback and lan / vpn

# activate spoofing protection for all interfaces

block in quick from urpf-failed

#antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses

antispoof log for $ext_if

#block RCF

block drop in log (all) quick on $ext_if from $martians to any

block drop out log (all) quick on $ext_if from any to $martians

# Block all ips

# pfctl -t blockedip -T show

block drop in log (all) quick on $ext_if from <bruteforce> to any

block drop out log (all) quick on $ext_if from any to <bruteforce>

# Allow incoming ssh, http, bind traffic

# pass in

pass in on $ext_if proto tcp from any to any port 22 $tcpstate $stossh

pass in on $ext_if proto tcp from any to any port 6667 $tcpstate $stossh

# pass for jail ports

pass in on $ext_if proto tcp from any to $IP_JAIL port 31337 $tcpstate $stossh

pass in on $ext_if proto tcp from any to $IP_JAIL port 80 $tcpstate $stowww

pass in on $ext_if proto tcp from any to $IP_JAIL port 113 $tcpstate

pass in on $ext_if proto tcp from any to $IP_JAIL port 12345 $tcpstate $stowww

pass in on $ext_if proto tcp from any to $IP_JAIL port 6667 $tcpstate

 

 

Edytowano Czerwiec 10, 2014 przez bryn1u (zobacz historię edycji)

[m0t 0]

poprostu dodaj sobie wszedzie log i odpal tcpdumpa na pflogu bo chyba nikomu nie bedzie sie chcialo tego studiowac przy +30 za oknem

[bryn1u 17]

Zminimalizowalem pf.conf do paru linijek:

 nat pass on em0 from $NET_JAIL to any -> $IP_PUB
 
 rdr pass on em0 proto tcp from any to 178.32.219.66 port 21 -> 192.168.0.1 port 21
 rdr pass on em0 proto tcp from any to 178.32.219.66 port 80 -> 192.168.0.1 port 80
 rdr pass on em0 proto tcp from any to 178.32.219.66 port 113 -> 192.168.0.1 port 113
 rdr pass on em0 proto tcp from any to 178.32.219.66 port 6667 -> 192.168.0.1 port 6667
 rdr pass on em0 proto tcp from any to 178.32.219.66 port 31337 -> 192.168.0.1 port 31337

Problem dalej ten sam. Najdziwniejsze jest to, ze z hosta dziala, laczac sie z odpalonym oidentem wszystko chodzi jak w zegarku. Podczas przekierowania

rdr pass on em0 proto tcp from any to 178.32.219.66 port 113 -> 192.168.0.1 port 113

zaczyna sie problem. Czy ktos moze wie dlaczego tak sie dzieje ? Chodzi mi nawet o prymitywna tylde "~" pod ircem. Z hosta przy odpalonym oidentd dziala bez problemu, dostaje user@host a z jaila z przekierowaniem dostaje ~user@host. Probowalem pod iptables z tego samego servera i przekierowanie z LXC tez dziala bez problemu.

Edytowano Czerwiec 24, 2014 przez bryn1u (zobacz historię edycji)

[Gość]

Edytowano Marzec 26, 2018 przez Gość (zobacz historię edycji)

[bryn1u 17]

sprobuj skompilowac oidentd bez wsparcia dla nat/masq i ipv6.

 

@samu

niestety dupa .... to samo

 

Sprobowalem:

 

Z wlaczonym PF, przekierowalem porty 113, 6667 (host):

 

pass in on $ext_if proto tcp from any to any port { 22, 113, 6667 }

 

i dziala, ale niestety wszystko tylko z hosta a ja potrzebuje z jaila. Do jaila przkierowywuje ruch oraz porty i nie dziala.

16:47 -!- bryn1u [bryn1u@oksymoron.edu.pl]
16:47 -!-  ircname  : User Bryn1u
16:47 -!-  server   : ircnet.optilian.net [France]
16:47 -!-  idle     : 0 days 0 hours 0 mins 4 secs [signon: Wed Jul  2 16:47:32 2014]
16:47 -!- End of WHOIS

Dla jaila nie ma wielkiej filozofi:

rdr on em0 proto tcp from any to $ip_pub port 113 -> $ip_jail port 113

rdr on em0 proto tcp from any to $ip_pub port 6667 -> $ip_jail port 6667

pass in on $ext_if proto tcp from any to $ip_jail port 113 $tcpstate $stossh

pass in on $ext_if proto tcp from any to $ip_jail port 6667 $tcpstate $stossh

Czy ktos mi jest w stanie wytlumaczyc o co to chodzi ? Bede bardzo wdzieczny

Pzdr,

Edytowano Lipiec 2, 2014 przez bryn1u (zobacz historię edycji)

[bryn1u 17]

Problem rozwiazany:

 

Your TCP connections to IRC are coming from another port than you
think, static-port fixes that.

 

Na koncu regulki nat wystarczy dodac static-port. Mam nadzieje, ze sie komus przyda. Sprawdzalem dziala swietnie !