Created: Tue 14:35

Transcription

1 PF - PACKETFILTER FIREWALL - INTRODUCTION CARSTEN STROTMANN, SUN 00:00 Created: Tue 14:35 1 AGENDA Day 1 History of the PF rewall Types of rewalls PF Firewall basics Logging and rewall testing Tables and Anchors Simple IPv4- lter rules 2. 1

2 PF-FIREWALL pf (or paket lter) is the default rewall in OpenBSD pf is also available for NetBSD, FreeBSD, MacOS X and Solaris 11 NetBSD and FreeBSD offer alternative rewalls (npf, ipfw, ip lter, ) distributions of pf with commercial support exist (pfsense Firewall, OPNsense) in this training, we cover pf from FreeBSD 12 (OpenBSD 4.5) 3. 1 PF-HISTORY pf was created after a license change in the ipfilter (ipf) rewall in May 2001 rst shipped with OpenBSD 3.0 the original version was matching the function and con guration of ipfilter newer versions surpassed ip lter in function, and are not compatible to the ipfilter rule-set con guration anymore 4. 1

3 TYPES OF FIREWALLS (1) simple packet lter only look at the IP header (source / destination address) and UDP / TCP ports no state (every packet is evaluated) usually fast can be build with Access Control Lists (ACL) in router 5. 1 TYPES OF FIREWALLS (2) stateful inspection packet lter inspect the TCP connection setup, match packets against a state table can keep state for UDP and ICMP traf c usually very fast 6. 1

4 TYPES OF FIREWALLS (3) application level gateway (ALG) check the traf c on the application layer (by proxying the traf c) need support for all application layers (http, smtp, ftp ) and features need update if the application layer changes (example: EDNS0 in DNS) usually slow (latency) and can be brittle 7. 1 TYPES OF FIREWALLS (4) deep packet inspection rewall (DPI-FW) check the application layer data without proxying the connection can lter on traf c content resource hungry 8. 1

5 HOW DOES PF FIT IN? pf is a stateful inspection packet lter it keeps state for TCP, UDP and ICMP packets pf can be augmented with proxy components to build an ALG rewall (ftp, smtp, http ) 9. 1 TCP THREE WAY HANDSHAKE pf is tracking the state of TCP sessions (buildup and tear-down) incoming packets will be checked against the state table rst only if there is no match in the state table, the rule-set will be evaluated 10. 1

6 ENABLING THE FIREWALL the pf rewall must be included in the kernel (or loaded as a kernel module) pf is included in the stock OpenBSD kernel and enabled by default ENABLING THE PF FIREWALL 12. 1

7 TO DISABLE THE PF FIREWALL THE RULE-SET the rule-set is stored in a le named /etc/pf.conf the le location can be changed in the system con guration 14. 1

8 LOAD THE CURRENT RULE-SET A SIMPLE RULE-SET lets rst have a look at a simple rule-set: 16. 1

9 A SIMPLE RULE-SET (1) pf has a "pass all" default policy. We turn that into a "block all" policy only explicit permitted connection are allowed all blocked connection attempts will be logged A SIMPLE RULE-SET (2) Action: is either "pass" (allow) or "block" (disallow) 18. 1

10 A SIMPLE RULE-SET (3) Direction: is either "in" (entering the rewall) or "out" (leaving the rewall) "direction" is always relative to the rewall machine, not to any network! A SIMPLE RULE-SET (4) Interface: is either the name of a network interface (em1, fxp2, lo0) or the name of an interface group (a symbolic name for one of more network interfaces) 20. 1

11 A SIMPLE RULE-SET (5) Address family: is either inet (IPv4) or inet6 (IPv6) A SIMPLE RULE-SET (6) IP Protocol: the upper layer protocol on top of IP. Common values are TCP, UDP, ICMP or ICMP6 the whole list of supported protocol names and numbers can be found in the le /etc/protocols 22. 1

12 A SIMPLE RULE-SET (7) Source address: the source of the IP packet. Possible values: a single IP address ( , 2001:db8::1) a network block in CIDR notation ( /24, 2001:db8:1::/64) a range of addresses in the format "start-end" the keyword any (any address) the keyword self (all addresses on the rewall) DNS name, interface name or the name of an interface group more advanced selectors (later in this training) A SIMPLE RULE-SET (8) Destination address: the destination of the IP packet. The same values as for the source address are possible 24. 1

13 A SIMPLE RULE-SET (9) Port: the number or service name of the upper layer protocol. a list of service names can be found in the le /etc/services A SIMPLE RULE-SET (10) only the action part of a rule is mandatory, all other parts have defaults: Direction - both directions Interface - all interfaces Address family - IPv4 and IPv6 Protocol - all protocols Source Destination - any source or destination Service port - all services and ports 26. 1

14 STRUCTURING A RULE-SET FILE the pf rule-set le can be structured into multiple smaller les les can be included into the main "pf.conf" rule-set COMMENTS AND MULTIPLE LINES the hashmark starts a comment until the end of the line the "\" masks the line end (extends the current rule to the next line) 28. 1

15 QUIZ is the following con guration le valid? Answer: Yes, it is. The hash-mark comments out the whole line, and the line is continued TESTING A RULE-SET -n: test run (just parse the rule-set and print errors, but do not recon gure the rewall) -v: verbose, print the rules generated -f le: the rule-set le to load 30. 1

16 LOADING A RULE-SET there is no need to ush the rule-set before loading a new one! current connections (states) will not change, existing connections will continue to work unless the new rule-set blocks them LIST THE RUNNING RULE-SET the rules generated by pfctl from the rule-set might be slightly different from the content of /etc/pf.conf due to optimizations 32. 1

17 THE LAB NETWORK LOGIN TO THE FIREWALL 1 IPv4-Address: see Whiteboard Username: root Password: FreeBSD start "tmux" after login! 34. 1

18 DOES MY FIREWALL WORK? the "log" keyword con gures pf to write a log entry when a new connection is established using this rule all log information is written to the log interface device pflog THE LOG DEVICE the pflog0 device is a virtual network card sniffer tools can be used to read the data from the device tcpdump, wireshark etc 36. 1

19 PFLOGD - THE PF LOGGING DAEMON the pflogd process reads the log data from the p og device and writes it into a log le /var/log/pflog the log le is in pcap format (binary format) and can be read by common network snif ng tools (tcpdump, wireshark) LAB - FIREWALL LOGGING AND TROUBLESHOOTING open a new tmux console (CTRL-b+c) on rewall 1 use the tcpdump commands below to monitor your rewall rule-set (optional) install wireshark on your Laptop, copy the pflog le to your laptop and inspect it with wireshark 38. 1

20 PFLOGD SNAPLEN in the default con guration, pflogd stores 160 bytes (snaplen) from the packet in the log le 160 bytes is enough for the header, but often does not include the upper layer protocol information the snaplen can be changed in /etc/rc.conf a larger snaplen requires more disk space for the log le! PFTOP pftop displays the pf state-table in realtime (similar to the Unix top command) pftop is an optional package on FreeBSD 40. 1

21 MACROS to keep a pf rule-set concise and manageable, the pf rule-set le supports macros the macros work like shell scripting variables they need to be de ned before use macro names must begin with a letter, but can contain letters, numbers and underscores macro names can not have names of reserved words (log, pass, from ) MACRO EXAMPLES 42. 1

22 LISTS similar rules that only differ in the interface, protocol, source and destination or service port can be combined into one line in the rule-set using lists a list contains a comma separated list of entries in curly braces {} pfctl will expand a rule-line with lists into multiple rules EXAMPLE LIST this will expand to 44. 1

23 MORE LIST EXAMPLES how many rules will be created from this line? Answer: 60 rules NEGATION the exclamation mark can be used to indicate negation 46. 1

24 CAUTION: LISTS AND NEGATIONS be careful with lists and negations what is the effect of this rule? Answer: it prevents and to reach the webserver, but allows access from any. That is probably not the intend of the rewall admin LAB - MAKING CONTACT TO SERVER 1 Reaching server 1 adjust the rule-set on the rewall and on the server 1 to allow icmp, ssh (port 22), ftp (port 21) and http (port 80) connections set a route from your laptop to the server network segment ( /24) towards the external IP of your primary rewall test if you can login from your laptop to server 1 using secure shell (ssh) test if you can reach server 1 with a web-browser from your laptop 48. 1

25 RULE-SET EVALUATION pf evaluates the rule-set for every IP packet that has no prior state in the state table evaluation is from top to bottom of the rule-set the last rule that matches the packet will apply (last rule wins) pf will always evaluate all rules (except for quick rules) QUICK RULES the rewall operator can shortcut the rule-set evalutation on a rule with the quick keyword whenever a rule with a quick keyword is matching the current packet, this rule will be used and the remainder of the rule-set will not be evaluated connection heavy protocols (such as DNS) should use the quick keyword and be placed at the beginning of the rule-set 50. 1

26 DROP OR RETURN (1) by the default, the pf rewall drops blocked packets the sender will never know what happen, it must wait for a timeout this can lead to issues (esp. for internal machines) it is more polite to block with a return message, saying that the connection is administratively prohibited (esp. towards internal client machines) DROP OR RETURN (2) if the block policy is set to "return", pf will send a "RESET" (RST) for TCP connections send a ICMP unreachable for other connection types the block policy can be de ned on each block rule: 52. 1

27 DROP OR RETURN (3) the block policy can also be de ned globally: FILTERING ICMP due to errors in early TCP/IP stacks in desktop operating systems (in the 1990), rewall admins started to block ICMPv4 many of these security issues are long solved ICMP is used to communicating error messages between hosts the IETF has an (expired) Internet-Draft on how ICMP should be ltered ( draft-ietf-opsec-icmp- ltering) see RFC "ICMP Attacks against TCP" for current problems with ICMP 54. 1

28 FILTERING ICMPV4 the following ICMPv4 codes should be permitted to pass the rewall (RFC names used) ICMPv4-unreach-net ICMPv4-unreach-host ICMPv4-unreach-frag-needed ICMPv4-unreach-admin (rate-limit) ICMPv4-timed-ttl ICMPv4-timed-reass ICMPv4-req-echo-message (optional) ICMPv4-req-echo-reply (optional) FILTERING ICMPV4 RULE-SET ICMPv4 message code names for pf can be found in the icmp(4) man page 56. 1

29 TABLES sometimes a rewall rule-set requires a huge number of almost identical rules example: rules where only the from/to IP addresses change pf offers the table datastructure to optimize large rule-sets with almost idenical rules (> 10 almost identical rules) tables content is accessed using hashes which is much faster (and uses less memory) than evaluating separate rules CREATING TABLES tables are identi ed by angle brackets < > around their names tables can be dynamic or static (constant) can be de ned inline in pf.conf or through an external le can be dynamically changed using pfctl or by external tools (through an API) 58. 1

30 TABLE DEFINITION IN PF.CONF the above rule-set creates the table <client-machines> with two IP addresses and all IP addresses that can be resolved from DNS for host.domain.test when the rule-set is loaded(!) the table is dynamic and can be extended during runtime the table is used in a rule that permits all machines from the table to communicate with the outside world NON-DYNAMIC (STATIC) TABLES tables can be "locked" so that they cannot be extended during runtime they can only be changed by changing pf.conf and reloading the con guration 60. 1

31 PERSISTENT TABLES pf drops tables that become empty (to save memory) if we want to keep a table around (even if empty), it must be marked with the persist keyword ADDING ADDRESSES TO A TABLE pfctl can be used to add one or more address to a table the table name is given without the angle brackets external tools can add entries to a table through an API (the pf interface) 62. 1

32 LOADING THE TABLE CONTENT FROM A FILE (1/2) for large tables, the table content can be loaded from a le the le must contain the IP addresses, network de nitions or hostnames for the table, one line per address hostnames are resolved to all their addresses (IPv4 and IPv6) at the time the le is loaded because of DNS spoo ng, it is recommended not to use DNS name resolution in a rewall rule-set without DNSSEC validation LOADING THE TABLE CONTENT FROM A FILE (2/2) Example source le for a table de nition 64. 1

33 LOADING ADDRESSES FROM A FILE new table content can be added from a le REMOVING ENTRIES FROM A TABLE the pfctl subcommand "delete" is used to remove single entries from a table the command " ush" can be used to remove all entries from a table 66. 1

34 REMOVING A TABLE a table can be removed from the rewall with the "kill" command LAB - TABLES on Firewall 1 change the rule-set to create a table including all machines from the server and client network segment create a rule that permits ICMPv4 traf c from the client and server network segments to the rewall test using the ping tool from a server and a client VM towards the rewall if the rule-set works 68. 1

35 ANCHORS Anchors are containers of rewall rules similar to directories in a le system think of the main rule-set as the root-directory, and anchors are subdirectories anchors can contain anchors, rules and tables rules inside anchors can be changed during runtime (without the need to change and reload pf.conf) anchors are mostly used by software tools that dynamically change the rewall rule-set EXAMPLE RULE-SET WITH ANCHOR (1) Aim for this rule-set is to allow all internal clients to communicate out but we want to be able to "blacklist" (stop) abusers 70. 1

36 EXAMPLE RULE-SET WITH ANCHOR (2) the default policy is to block everything EXAMPLE RULE-SET WITH ANCHOR (3) an empty anchor named "blacklist" is de ned at this point in the rule-set, all rules that are in the anchor "blacklist" will be evaluated 72. 1

37 EXAMPLE RULE-SET WITH ANCHOR (4) this allows traf c from our client segment to leave the network (and the return traf c to pass back in) DEFINING THE ANCHOR CONTENT INLINE the content of an anchor can be de ned inline in pf.conf the anchor content is enclosed an curly braces "{ }" 74. 1

38 ANCHOR WITH FILTER anchor can use the same lter parameters as normal ltering rules if anchor lter are being used, the content of the anchor is only evaluated for matching packets this anchor blocks DNS traf c coming in on interface em LOADING ANCHOR CONTENT FROM A FILE the rules inside an anchor can be loaded from a le: the le /etc/pf-blacklist.conf can contain rewall rules, tables and other anchors 76. 1

39 CHANGING THE ANCHOR CONTENT FROM THE COMMANDLINE the above command pipes a new lter rule into pfctl for anchor "blacklist" "-f -" tells pfctl to read the new rule from stdin the echo command prints the new rule, which is piped into pfctl changing the rule-set this way will always remove all previous rules from the anchor before applying the new rule(s) LOADING ANCHOR CONTENT FROM A FILE DYNAMICALLY read and replace all rules in the named anchor (blacklist) with the rules in the le /etc/pf-blacklist.conf 78. 1

40 LIST THE ACTIVE RULES BELOW AN ANCHOR pfctl can be used to list all rules and sub-anchors below an anchor list sub-anchors below anchor with the name "blacklist" FLUSHING ALL RULES FROM AN ANCHOR to erase all rules from an anchor, use all ush (-F) commands can be applied to anchors 80. 1

41 LAB - ANCHORS de ne an anchor called protocol-blacklist the aim of this blacklist is to stop traf c from the client segment that is generated by unwanted protocols or should otherwise never leave the local network the blacklist should block: smtp (port 25), netbios ( ), mysql (3306), postgresql (5432), ms-sql (1433) test and make sure that these ports are blocked FTP AND FIREWALLS FTP (File Transfer Protocol, RFC 959, October 1985) is a rather ancient protocol that predates TCP/IP the original FTP (active mode) is using a control channel to port 21, and a data-backchannel from port 20 on the server to a random high port on the client the high port is negotiated inside the control-channel, invisible to the rewall a pure packet- lter rewall is not able to open the port for the data-channel some FTP clients and server support "passive" FTP, where the client opens both connections, but "passive" FTP is sometimes not available 82. 1

42 FTP AND THE PF FIREWALL the PF rewall has special support for FTP: ftp-proxy ftp-proxy is a special ALG (application layer gateway) component will observe the FTP communication between client and server can dynamically open the port for the data-channel FTP-PROXY DEBUG MODE to trace the operation of ftp-proxy, stop the running ftpproxy process and start the proxy in debug mode only do this for debugging purposes! 84. 1

43 PF RULE-SET FOR FTP-PROXY OPERATIONS (1) the anchor ftp-proxy/* will contain all dynamically created rules for the FTP data-channel PF RULE-SET FOR FTP-PROXY OPERATIONS (2) incoming FTP traf c (from client to outside server) will be diverted to port 8021 on the loopback address (where ftpproxy is listening) 86. 1

44 PF RULE-SET FOR FTP-PROXY OPERATIONS (3) rule to allow ftp traf c generated from the rewall itself (client FTP traf c going through ftp-proxy) to leave the rewall with this rule, all FTP traf c is going through the ftpproxy ALG TESTING THE FIREWALL WITH NMAP after writing a new rewall rule-set, test the rule-set testing should be automated if possible (like untit-tests) nmap is a popular port scanner that can be used to test the rewall and all networks controlled the rewall the rewall should be tested in all directions (outside-in and inside-out) 88. 1

45 LAB - TEST YOUR FIREWALL WITH NMAP install nmap on your laptop machines run nmap -v -A -PN [target] against the rewalls IP address, as well as against the server and client networks are the results expected? SEPARATING LOG INFORMATION Sometimes logging for speci c uses should be separated from the general output for debugging purposes to monitor traf c patterns pf can send log information to extra logging devices 90. 1

46 CREATING EXTRA LOG DEVICES extra p og devices can be created using ifconfig: or create the le /etc/hostname.pflog1 containing just the word "up" SENDING LOG INFORMATION example of sending the log information from two rules to device pflog

47 SPECIAL LOGGING the pf rewall supports keywords to ne-tune the log output log (all) will log all packets, not only the rst that creates the state. Use carefully, this can create HUGE amounts of log information log (matches) will log every subsequent rule that matches this packet, even if the rule itself does not have a log statement log (user) logs the user-id (UID) and process-id (PID) of the local process that sends or receives the packet. This only works for packets that terminate on the local machine TAGGING OF PACKETS pf supports the tagging of incoming packets each packet can have only one tag at a time lter rules can act on the tags on a packet tagging incoming packets can make the rule-set simpler (and a simple(r) rule-set is always good) 94. 1

48 SKIP FILTERING ON INTERFACES Sometimes it is desired not to lter traf c on a speci c interface common examples are the loopback interface (lo0) or pfsync interfaces the skip on keyword can be used to disable ltering on an interface it is recommended to list the skip on directive at the top of the rule-set LABEL TRAFFIC The keyword label can be used to create extra statistics counter inside the pf rewall. The statistic counters can be listed with pfctl 96. 1

49 ACCOUNTING TRAFFIC BY LABEL label can be used for traf c accounting: pfctl -vsl prints: times the rule have been evaluated number of packets passed number of bytes packets / bytes passed in packets / bytes passed out LAB - ADVANCED LOGGING create a new log device con gure a rule on the rewall to log all packets onto the new log device for all www communication between the client and server 1 use the text mode browser links to access the website on server 1 use tcpdump to inspect the traf c on the new p og device 98. 1

50 INTERFACE GROUP LABEL on operating systems that support the "group" function on network interfaces (OpenBSD, NetBSD, FreeBSD), pf rules can be speci ed by the interface group this can make the de nition of rules simpler group labels on interfaces are stable and do not change automatically (for example if the hardware NIC is replaced) EXAMPLE OF INTERFACE GROUP LABELS (1/2) interface group label can be set using ifconfig

51 EXAMPLE OF INTERFACE GROUP LABELS (2/2) Example rule with interface group label interface group label without a modi er resolve in all IP addresses (IPv4 and IPv6) on that interface INTERFACE GROUP MODIFIER (1) <interface-group>:0 - only resolve to the primary IP address of that interface (IPv4 or IPv6), ignore any alias addresses <interface-group>:network - resolve to the full network of the interface

52 INTERFACE GROUP MODIFIER (2) <interface-group:broadcast> - resolve to the IPv4 broadcast address of that interface group <interface-group:peer> - resolve to the peer address of the remote end of the connection END DAY