Created: Tue 14:30

Transcription

1 PF - PACKETFILTER FIREWALL - ADVANCED CARSTEN STROTMANN, TUE 00:00 Created: Tue 14:30 1 ORDER OF PF-RULES (FOR FREEBSD OR OPENBSD <4.6) must be in order: Options Traf c Normalization (scrubbing) Queueing NAT/Redirect Rules Filer Rules can appear anywhere, but mus be de ned before use Macros Tables 2. 1

2 NETWORK ADDRESS TRANSLATION (NAT) Network Address Translation (NAT) has been designed in the mid-1990s to ght IPv4 address exhaustion (see RFC 2663) NAT can hide many private IPv4 addresses behind one single public address this scheme is called many-to-one NAT, IP masquerading, NAPT (Network Address and Port Translation) or Cone- NAT it is the most popular version of NAT NAT can also be used to map one single internal address onto one external address this NAT is often used for server type machines to allow access from the outside Internet to an internal server 3. 1 NAPT (NETWORK ADDRESS AND PORT TRANSLATION) NAPT is the most popular avor of NAT used to hide multiple internal IPv4 addresses behind one internal address often used to map RFC 1918 private addresses to public routeable addresses each outgoing connection is mapped on a dedicated port on the public address approx ports are available, an internal device can have up to 300 concurrent connections one public IPv4 address can be used to hide ~213 internal devices 4. 1

3 NAPT (MANY-TO-ONE NAT) WITH PF this rule maps traf c leaving the rewall through the em0 interface onto an IPv4 address(es) and ports of the em0 interface 5. 1 NAPT IN THE STATE TABLE the NAT mapping (including the ports) can be listed via the pfctl "show state table" command 6. 1

4 ONE-TO-ONE NAT pf calls one-to-one NAT "bi-directional NAT" 7. 1 LAB - NAT change the rewall con g on VM Firewall 1 so that the DNS server on server 1 can communicate with the outside world (Internet/VM Host Machine ) the client VM can query DNS names through the DNS server on server 1 the client VM cannot query DNS names directly in the Internet the client VM can access web sites in the Internet (test with links) using NAPT (one-to-many NAT) 8. 1

5 ADVANCED FILTER (1) the source and destination elds in a lter (or anchor) rule can contain: value example description IP address a single IPv4 or IPv6 address hostname test.domain.example. hostname resolved during load time address/pre x /24 a network block in CIDR notation start-end a range of IP addresses interface fxp0 any interface name if-group egress interface group name 9. 1 ADVANCED FILTER (2) the source and destination elds in a lter (or anchor) rule can contain: value example description any any a single IPv4 or IPv6 address route <label> route intern any address matching a route(8) label no-route no-route any address that is not routeable from the rewall self self any address assigned to the rewall <table> <blackhole> any address in the table urpffailed urpf-failed any source address that fails a unicast reverse path forwarding check 10. 1

6 ADVANCED FILTER (3) TCP and UDP ports and port-ranges can be speci ed with operator description example = equal port = www!= not equal port!= 22 < less than port < 1025 > greater than port > 1024 <= less than or equal port <= 1024 >= greather than or equal port >= 1025 : range including port 1000:1050 >< range excluding port 1000><1025 <> except range port 137<> REDIRECTION pf can redirect traf c bound to a speci c port on an external or internal IP address towards a different address and port combination this can be used to map ports on the rewall to internal servers redirect rules must specify the protocol (tcp and/or udp) and the port to be redirected redirect rules must also have matching lter rules to allow the original and the redirected traf c 12. 1

7 PORT-REDIRECTION in addition to redirect to a new destination IP address, pf can also redirect to different ports SOURCE BASED REDIRECTION redirection can be combined with source based lters to redirect only traf c coming from speci c address blocks 14. 1

8 SIMPLE LOAD SHARING REDIRECTION (1) redirection can be used to redirect traf c to a pool of machines this can be use to implement a simple load sharing MODIFIERS FOR LOAD SHARING REDIRECTION (1) Modi er random roundrobin sourcehash Description selects a random address from the pool loops equally through the addresses in the pool creates a hash table lookup on the pool addresses from the source address 16. 1

9 MODIFIERS FOR LOAD SHARING REDIRECTION (2) random and round-robin can be con gured to remember the redirection choice based on the source address (same client will always be redirected to the same server) use the sticky-address modi er OTHER MODIFIERS FOR REDIRECTION Modi er bitmask staticport Description applies the netmask of the redirection address to the address being modi ed prevents the rewall to change the source port on UDP and TCP connections 18. 1

10 LAB - SSH REDIRECTION con gure Firewall 1 to redirect port to port 22 on the loopback ( ) address of the rewall allow traf c on port login with ssh on port block all traf c coming to port 22 (ssh) LAB - LOAD SHARING copy the rewall setup from server 1 to server 2 change the default route on server 2 to point to Firewall 1 create a load-sharing rule-set on rewall 1 for port 80 towards server 1 and server 2 create the le index.html in /var/www/htdocs on each server to read welcome to server 1 on server 1 welcome to server 2 on server 2 test the load sharing with a web-browser from the laptop with and without sticky-address 20. 1

11 FIREWALL-UNIT-TESTS Firewall should have automated testing procedures for each change, a test should prove that the intended traf c can pass the rewall not wanted traf c will be blocked by the rewall multiple tests per rule in the rule-set SETUP Traf c Probes: active components on each side of the network that can generate IP traf c traf c probes should be remote controllable Traf c Detectors: passive components on each side of the rewall that can detect IP traf c, store information on the detected traf c in database, have an API to query the database 21. 2

12 ORCHESTRATING TESTS Tests runs will be orchestrated using con guration management tools Ansible FUNC SaltStack TRAFFIC PROBES Operating System tools: ping, wget / curl, nc / netcat / socat, traceroute Security Tools: THC nmap, openssl, gnutls Paket Generation Tools: scapy

13 TRAFFIC DETECTORS Application Logs Firewall Logs (logs of an block all Firewall setup to detect traf c) Network Intrusion Detection Systems ( Snort, Suricata) UNIT-TEST RUNNER Emacs with Org-Mode and Babel: Unit-Tests with automatic documentation Org-Mode: Babel: Python Unit test tools: Lua Unit test tools: Ruby Unit Test tools:

14 TODO LAB: SIMPLE UNIT-TEST AND DOCUMENTATION WITH EMACS FIGHTING ABUSE WITH OVERLOAD TABLES (0) pf can place the source addresses of devices that exceed a de ned number of connections or connection-rate into an overload table hosts in this table can then be ltered (blocked, redirected, bandwidth-managed) 22. 1

15 FIGHTING ABUSE WITH OVERLOAD TABLES (1) table to hold the source addresses of abusers of a web-service FIGHTING ABUSE WITH OVERLOAD TABLES (2) pass rule for the web traf c to an internal web-server (for example running a resource-intensive java server application) 24. 1

16 FIGHTING ABUSE WITH OVERLOAD TABLES (3) each source address can make 100 concurrent connections, and create at max 30 new connections in 5 seconds FIGHTING ABUSE WITH OVERLOAD TABLES (4) if the connection constrains are exceeded, the source address is placed into the table abusers and all ongoing connections will be terminated (all state-tables for this host will be ushed) 26. 1

17 FIGHTING ABUSE WITH OVERLOAD TABLES (5) all connections coming from a host in the abusers table are redirected to a webserver with a static "sorry, we are currently overloaded" webpage FIREWALL FAILOVER having just one rewall is a single point of failure if the rewall is down, all communication managed by the rewall is stopped network operators prefer rewalls to by high-available to decrease network downtime because of hardware failures because of maintenance 28. 1

18 PF AND CARP OpenBSD offers a full redundant rewall with the help of two functions CARP - the Common Address Redunancy Protocol makes sure that the rewalls production IP address and hardware MAC-Address can be shared among multiple rewall cluster nodes PFSYNC - a service that synchronizes the rewall state table between rewall cluster nodes CARP the Common Address Redunancy Protocol (CARP) has been developed by the OpenBSD project to replace VRRP (Virtual Router Redunancy Protocol) to mitigate patent issues with VRRP for a network administrator, CARP works very similar as VRRP CARP de nes virtual interfaces that share the same hardware MAC address and the same IP address across multiple cluster nodes only one CARP interface of a group is active at a time (MASTER), other interfaces are in BACKUP state until the master is unavilable 30. 1

19 CARP VIRTUAL HOST IDS each CARP interface group is identi ed by the virtual host ID (VHID) the VHID is a 8 bit value (0-255) that must be unique in one network segment (broadcast domain) every CARP interface is associated to a network interface adapter (usually the interface that shares the same IP pre x with the CARP adapter) the CARP protocol is based on IP multicast and communicates over the associated network interface PFSYNC The pfsync protocol operates over an dedicated "pfsync" network interface updates of the state tables are synchronized between rewall nodes pfsync also uses IP multicast it is highly recommended to use a dedicated network link for pfsync communication for security reasons (pfsync does not support authentication) if no dedicated network link is possible, the pfsync traf c should be secured with IPSec 32. 1

20 CARP IN OUR LAB NETWORK (1) CARP IN OUR LAB NETWORK (2) 34. 1

21 CARP IN OUR LAB NETWORK (3) pf rewall rules to allow pfsync and CARP traf c SETUP FREEBSD KERNEL 36. 1

22 DEFINE THE CARP INTERFACES (1) on the primary cluster node in /etc/rc.conf DEFINE THE CARP INTERFACES (2) on the backup cluster node advskew de nes the delay for CARP announcements this de nes the the priority of a backup server (higher value = less preferred) 38. 1

23 CARP WITH AUTHENTICATION CARP communication can be authenticated by a password. The password must be de ned on all CARP interfaces that belong to the same VHID group: Master Backup DEFINE THE PFSYNC INTERFACE (1) the same on master and backup node (in File /etc/rc.conf) by default, the pfsync protocol is using IP multicast 40. 1

24 IFCONFIG AND CARP the ifconfig command displays the current state of the PFSYNC and CARP interfaces CARP LOADBALANCING we have seen CARP used in a failover (Master/Backup) mode CARP can also be used in a load-balancing mode 42. 1

25 LAB - HIGH-AVAILABLE FIREWALL WITH CARP create a high available rewall make sure the pf ruleset on both rewalls are the same and working con gure CARP and pfsync for the client and the server segments adjust the default route on the client and both servers test communication across the virtual CARP interfaces (ssh, www, icmp) keep ping (and a SSH session) from the client to the server(s) running, reboot the rewall that has the master role (command reboot) does the "ping" (and the SSH session) continue to operate? VISUALIZING FIREWALL OPERATIONS pfstat is a tool to create graphs from the rewall operations can work on the rewall host, or query the state remotely using pfstatd pfstat is available in the xbsd ports system 44. 1

26 PFSTAT CONFIGURATION the pfstat con guration le is /etc/pfstat.conf NORMALIZING IP TRAFFIC pf can normalize IP packets normalization has to be enabled in the pf ruleset le drop incomplete and mangled packets re-assemble fragmented traf c 46. 1

27 PACKET "SCRUBBING" pf can be con gured to "clean" IP packets that are non-optimal or possible attacks use the scrub keyword with parameters ANTISPOOF the pf Firewall has build-in antispoo ng support an internal macro that expands to rules that block spoofed traf c from direct connected networks the antispoof function cannot detect spoofed traf c from routed networks 48. 1

28 EXAMPLE ANTISPOOF SETTING The rule: will expand to: RULES BASED ON OPERATING SYSTEM FINGERPRINTING OpenBSD pf can lter on the operating system TCP signature it checks for a OS speci c signature on the SYN packets all signatures can be found in /etc/pf.os the current loaded signatures can be seen with pfctl -s os 50. 1

29 EXAMPLE OS-FINGERPRINTING RULE block connections from insecure Windows machines to the SSH service: OS FINGERPRINTING OS Fingerprinting should not be used for a security policy OS ngerprints can easily spoofed by attackers OS ngerprints can augment existing policy rules 52. 1

30 FILTERING IPV6 ICMPv6 is essential for IPv6 operations if ICMPv6 is completely blocked, IPv6 will not work on the next slides we will see the essential and some optional IPv6 lter rules IPV6 DUPLICATE ADDRESS DETECTION 54. 1

31 IPV6 NEIGHBORHOOD DISCOVERY ESSENTIAL ICMPV6 MESSAGING 56. 1

32 IPV6 "PING" IPV6 ROUTER ADVERTISEMENTS 58. 1

33 NTP MULTICAST MULTICAST DNS (MDNS, AVAHI, BONJOUR/RENDEZVOUS) this is interesting for FreeBSD, Solaris, MacOS X and Linux machines 60. 1

34 ROUTER ADVERTISEMENTS AND OPENBSD IPv6 contains Stateless Autmomatic Address Con guration (SLAAC) as a way to assign IPv6 addresses to hosts the default OpenBSD kernel does not listen on router advertisements and SLAAC for security reasons SLAAC traf c can be spoofed in the local network! IPV6 TO IPV4 NAT relayd can be used to implement an IPv6 to IPv4 reverse proxy it forwards IPv6 traf c to one or more backend webserver with IPv4 only solves problems if the webserver cannot be con gured to be "dual-stack" can also be used in the ooposite direction to publish IPv6 only server on the legacy IPv4 Internet 62. 1

35 RELAYD CONFIGURATION PF.CONF IPV6 TO IPV4 MAPPING The rule below redirects IPv6 traf c to the IPv6 loopback interface on the rewall (where relayd is listening) 64. 1

36 BRIDGE FIREWALL (1) A bridge rewall is operating in bridgeing mode, no routing is taking place a bridge rewall can work without IP addresses on its interfaces, it is nearly invisible to users in the network still, it can lter and redirect traf c (for example it can be a stealth transparent proxy) BRIDGE FIREWALL (2) 66. 1

37 SETTING UP A BRIDGE FIREWALL (1) create a new bridge0 network interface SETTING UP A BRIDGE FIREWALL (2) add the physical interfaces em0 and em1 to the bridge these interfaces should be up, but should not have any IP address assigned 68. 1

38 SETTING UP A BRIDGE FIREWALL (3) block all non-ip protocols on the bridge. Only IP based protocols will be relayed between the bridge interfaces THE RULESET there is nothing special about the ruleset for a bridge rewall de ne lter, nat or redirect rules as usual using relayd is not possible on a bridge rewall without IP addresses for the rewall to work on the packets, the default route must be set in a way so that the packets must go though the bridge rewall 70. 1

39 THANK YOU! Carsten Strotmann