Pf on lo0


Pf on lo0

Luke Small
I'm trying to have pf limit sending TCP packets over lo0 from a specific
user. I made some rules, but they seem to be ignored when I check on pfctl
-vvvs rules it goes to the default lo0 pass rule: "pass out quick on lo0
proto { tcp, udp } from self port 6379 to any port 6379 user luke" and
"block out quick on lo0 proto {tcp,udp} from self to any port 6379"
obviously I'm using redis. Redis has authentication, but I think it'd be
cool to have that extra layer of protection.


Re: Pf on lo0

Sebastien Marie-3
On Mon, Jan 16, 2017 at 11:04:48PM +0000, Luke Small wrote:
> I'm trying to have pf limit sending TCP packets over lo0 from a specific
> user. I made some rules, but they seem to be ignored when I check on pfctl
> -vvvs rules it goes to the default lo0 pass rule: "pass out quick on lo0
> proto { tcp, udp } from self port 6379 to any port 6379 user luke" and
> "block out quick on lo0 proto {tcp,udp} from self to any port 6379"
> obviously I'm using redis. Redis has authentication, but I think it'd be
> cool to have that extra layer of protection.
>

check your /etc/pf.conf if it contains a line like:

        set skip on lo

(it is in default pf.conf file), and remove it.

pf(4) will not skip lo group, so lo0 will be filtered.
--
Sebastien Marie


Re: Pf on lo0

Peter Nicolai Mathias Hansteen
In reply to this post by Luke Small
On Mon, Jan 16, 2017 at 11:04:48PM +0000, Luke Small wrote:
> I'm trying to have pf limit sending TCP packets over lo0 from a specific
> user. I made some rules, but they seem to be ignored when I check on pfctl
> -vvvs rules it goes to the default lo0 pass rule: "pass out quick on lo0
> proto { tcp, udp } from self port 6379 to any port 6379 user luke" and
> "block out quick on lo0 proto {tcp,udp} from self to any port 6379"
> obviously I'm using redis. Redis has authentication, but I think it'd be
> cool to have that extra layer of protection.

hm. "Beware of quick rules, for they fsck with the regular ruleset
evaluation logic".

Without more context it's hard to tell whether that is your actual problem, but
keep in mind that once a quick rule matches, evaluation stops right there and
further rules are simply not evaluated for the packet.

Also as Sebastien mentioned do check for any "set skip on lo" or similar
in your ruleset.  If you have that, filtering simply does not happen on
interfaces or interface groups in the "set skip" rule.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: Pf on lo0

Luke Small
In reply to this post by Sebastien Marie-3
It doesn't. The "pass in quick on lo0 proto {tcp,udp} from any port 6379 to
self port 6379 user luke" works.

On Mon, Jan 16, 2017, 23:48 Sebastien Marie <[hidden email]> wrote:

> On Mon, Jan 16, 2017 at 11:04:48PM +0000, Luke Small wrote:
> > I'm trying to have pf limit sending TCP packets over lo0 from a specific
> > user. I made some rules, but they seem to be ignored when I check on
> pfctl
> > -vvvs rules it goes to the default lo0 pass rule: "pass out quick on lo0
> > proto { tcp, udp } from self port 6379 to any port 6379 user luke" and
> > "block out quick on lo0 proto {tcp,udp} from self to any port 6379"
> > obviously I'm using redis. Redis has authentication, but I think it'd be
> > cool to have that extra layer of protection.
> >
>
> check your /etc/pf.conf if it contains a line like:
>
>         set skip on lo
>
> (it is in default pf.conf file), and remove it.
>
> pf(4) will not skip lo group, so lo0 will be filtered.
> --
> Sebastien Marie


Re: Pf on lo0

Luke Small
After running a program that interfaces with the two redis instances, from
"luke" to "redis6379" and "redis6380", with the following pf.conf, the pfctl
-vvvs rules output shows that the pass rules I set up are not being used (I
suppose I could do inet6 too!):


pf.conf

#
# Rule  0
# anti spoofing rule
antispoof log quick for { lo0, vio0 } label "RULE 0 antispoof "
#
#
anchor "snort2pf"
#
#
# Rule  1a (lo0)
# Allow redis6379 loopback networking to receive on port 6379
pass in quick on lo0 inet proto tcp from any to self port 6379 \
user redis6379 label "Rule 1a"
#
# Rule  1b (lo0)
# Block user loopback networking to receive on port 6379
block in quick on lo0 inet proto { tcp, udp } from any to self port 6379 \
label "Rule 1b"
#
#
# Rule  1c(lo0)
# Allow luke loopback networking to send on port 6379
pass out quick on lo0 inet proto tcp from self port 6379 to any user luke \
label "Rule 1c"
#
# Rule  1d(lo0)
# Block user loopback networking to send on port 6379
block out quick on lo0 inet proto { tcp, udp } from self port 6379 to any \
label "Rule 1d"
#
#
# Rule  1e (lo0)
# Allow redis6380 loopback networking to receive on port 6380
pass in quick on lo0 inet proto tcp from any to self port 6380 user \
redis6380 label "Rule 1e"
#
# Rule  1f (lo0)
# Block loopback networking to receive on port 6380
block in quick on lo0 inet proto { tcp, udp } from any to self \
port 6380 label "Rule 1f"
#
#
# Rule  1g(lo0)
# Allow luke loopback networking to send on port 6380
pass out quick on lo0 inet proto tcp from self port 6380 to any \
user luke label "Rule 1g"
#
# Rule  1h(lo0)
# Block user loopback networking to send on port 6380
block out quick on lo0 inet proto { tcp, udp } from self port 6380 to any \
label "Rule 1h"
#
#
# Rule  1 (lo0)
# Allow all loopback networking
pass quick on lo0 inet  from any  to any  label "RULE 1 -- ACCEPT "

...

@0 block drop in log quick on ! lo0 inet6 from ::1 to any label "RULE 0 antispoof "
  [ Evaluations: 47        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@1 block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any label "RULE 0 antispoof "
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@2 block drop in log quick on ! vio0 inet from 10.0.2.0/24 to any label "RULE 0 antispoof "
  [ Evaluations: 34        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@3 block drop in log quick inet from 10.0.2.15 to any label "RULE 0 antispoof "
  [ Evaluations: 17        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@4 anchor "snort2pf" all
  [ Evaluations: 47        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@5 pass in quick on lo0 inet proto tcp from any to 127.0.0.1 port = 6379 user = 1001 flags S/SA label "Rule 1a"
  [ Evaluations: 47        Packets: 28        Bytes: 1671        States: 8     ]
  [ Inserted: uid 0 pid 89214 State Creations: 8     ]
@6 pass in quick on lo0 inet proto tcp from any to 10.0.2.15 port = 6379 user = 1001 flags S/SA label "Rule 1a"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@7 block drop in quick on lo0 inet proto tcp from any to 127.0.0.1 port = 6379 label "Rule 1b"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@8 block drop in quick on lo0 inet proto tcp from any to 10.0.2.15 port = 6379 label "Rule 1b"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@9 block drop in quick on lo0 inet proto udp from any to 127.0.0.1 port = 6379 label "Rule 1b"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@10 block drop in quick on lo0 inet proto udp from any to 10.0.2.15 port = 6379 label "Rule 1b"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@11 pass out quick on lo0 inet proto tcp from 127.0.0.1 port = 6379 to any user = 1000 flags S/SA label "Rule 1c"
  [ Evaluations: 26        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@12 pass out quick on lo0 inet proto tcp from 10.0.2.15 port = 6379 to any user = 1000 flags S/SA label "Rule 1c"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@13 block drop out quick on lo0 inet proto tcp from 127.0.0.1 port = 6379 to any label "Rule 1d"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@14 block drop out quick on lo0 inet proto tcp from 10.0.2.15 port = 6379 to any label "Rule 1d"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@15 block drop out quick on lo0 inet proto udp from 127.0.0.1 port = 6379 to any label "Rule 1d"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@16 block drop out quick on lo0 inet proto udp from 10.0.2.15 port = 6379 to any label "Rule 1d"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@17 pass in quick on lo0 inet proto tcp from any to 127.0.0.1 port = 6380 user = 1002 flags S/SA label "Rule 1e"
  [ Evaluations: 26        Packets: 519       Bytes: 31009       States: 9     ]
  [ Inserted: uid 0 pid 89214 State Creations: 9     ]
@18 pass in quick on lo0 inet proto tcp from any to 10.0.2.15 port = 6380 user = 1002 flags S/SA label "Rule 1e"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@19 block drop in quick on lo0 inet proto tcp from any to 127.0.0.1 port = 6380 label "Rule 1f"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@20 block drop in quick on lo0 inet proto tcp from any to 10.0.2.15 port = 6380 label "Rule 1f"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@21 block drop in quick on lo0 inet proto udp from any to 127.0.0.1 port = 6380 label "Rule 1f"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@22 block drop in quick on lo0 inet proto udp from any to 10.0.2.15 port = 6380 label "Rule 1f"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@23 pass out quick on lo0 inet proto tcp from 127.0.0.1 port = 6380 to any user = 1000 flags S/SA label "Rule 1g"
  [ Evaluations: 17        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@24 pass out quick on lo0 inet proto tcp from 10.0.2.15 port = 6380 to any user = 1000 flags S/SA label "Rule 1g"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@25 block drop out quick on lo0 inet proto tcp from 127.0.0.1 port = 6380 to any label "Rule 1h"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@26 block drop out quick on lo0 inet proto tcp from 10.0.2.15 port = 6380 to any label "Rule 1h"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@27 block drop out quick on lo0 inet proto udp from 127.0.0.1 port = 6380 to any label "Rule 1h"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@28 block drop out quick on lo0 inet proto udp from 10.0.2.15 port = 6380 to any label "Rule 1h"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89214 State Creations: 0     ]
@29 pass quick on lo0 inet all flags S/SA label "RULE 1 -- ACCEPT "
  [ Evaluations: 17        Packets: 547       Bytes: 32680       States: 17    ]
  [ Inserted: uid 0 pid 89214 State Creations: 17    ]
...

On Tue, Jan 17, 2017 at 2:00 AM Luke Small <[hidden email]> wrote:

> It doesn't. The "pass in quick on lo0 proto {tcp,udp} from any port 6379 to
> self port 6379 user luke" works.
>
> On Mon, Jan 16, 2017, 23:48 Sebastien Marie <[hidden email]> wrote:
>
> On Mon, Jan 16, 2017 at 11:04:48PM +0000, Luke Small wrote:
> > I'm trying to have pf limit sending TCP packets over lo0 from a specific
> > user. I made some rules, but they seem to be ignored when I check on
> pfctl
> > -vvvs rules it goes to the default lo0 pass rule: "pass out quick on lo0
> > proto { tcp, udp } from self port 6379 to any port 6379 user luke" and
> > "block out quick on lo0 proto {tcp,udp} from self to any port 6379"
> > obviously I'm using redis. Redis has authentication, but I think it'd be
> > cool to have that extra layer of protection.
> >
>
> check your /etc/pf.conf if it contains a line like:
>
>         set skip on lo
>
> (it is in default pf.conf file), and remove it.
>
> pf(4) will not skip lo group, so lo0 will be filtered.
> --
> Sebastien Marie
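
A corrected lo0 section, added here as an example and not part of any message
in the thread, that keeps the intent of Luke's ruleset while fixing the reason
the out rules never matched. The pfctl counters above tell the story: every
"pass out ... from self port 6379 ... user luke" rule (@11, @12, @23, @24) was
evaluated but passed 0 packets, and all 547 outbound loopback packets fell
through to the catch-all @29. A client connecting to redis sends from an
ephemeral source port to destination port 6379; only redis's replies carry 6379
as the source port, so "from self port 6379" can never describe luke's outgoing
connection. The same output also shows what pfctl does at load time: "self" is
expanded to every local address (127.0.0.1 and 10.0.2.15), "{ tcp, udp }" to
one rule per protocol, and user names to uids (luke = 1000, redis6379 = 1001,
redis6380 = 1002), which is how eight pf.conf lines became rules @5 to @28. Per
pf.conf(5), "user" on an outgoing packet is the user who opened the connection
and on an incoming packet the user listening on the destination port, and the
counters confirm that lo0 traffic is seen in both directions (the in rules 1a
and 1e created their own states), so both sides need a rule. This also covers
Sebastien's and Peter's points: the file must contain no "set skip on lo", and
because every rule is quick, the per-user pass has to sit above the block that
covers everyone else. The user names, ports and the vio0/snort2pf lines come
from the thread; the redis_ports macro name is my own.

```pf
# Added example, not the original poster's pf.conf.  Only the lo0 section
# is shown; the "set skip on lo" line from the default pf.conf must be gone
# or nothing below is evaluated on loopback.

redis_ports = "{ 6379, 6380 }"      # macro name is an assumption

antispoof log quick for { lo0, vio0 } label "RULE 0 antispoof "
anchor "snort2pf"

# Client side: the packet leaves luke's socket, direction "out" on lo0.
# Match on the DESTINATION port; the source port is ephemeral.  "user" here
# is the user that opened the connection (pf.conf(5)).
pass out quick on lo0 inet proto tcp from self to any port $redis_ports \
    user luke label "Rule 1c"
block out quick on lo0 inet proto { tcp, udp } from self to any \
    port $redis_ports label "Rule 1d"

# Server side: the same packet arrives, direction "in" on lo0, and "user"
# is now the owner of the listening socket.  Only the matching redis
# instance may accept on its own port; anyone else listening there is
# blocked.  Replies from redis ride the states these rules create.
pass in quick on lo0 inet proto tcp from any to self port 6379 \
    user redis6379 label "Rule 1a"
pass in quick on lo0 inet proto tcp from any to self port 6380 \
    user redis6380 label "Rule 1e"
block in quick on lo0 inet proto { tcp, udp } from any to self \
    port $redis_ports label "Rule 1b/1f"

# Everything else on loopback stays open.  Being last, this quick rule is
# reached only by packets none of the rules above claimed.
pass quick on lo0 inet from any to any label "RULE 1 -- ACCEPT "
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f
/etc/pf.conf. pfctl -vsI lists the interfaces pf knows about and marks any the
ruleset skips with "(skip)", which is the quickest way to confirm the default
"set skip on lo" is really gone. After a test connection, pfctl -vvsr should
now show packets and states on Rule 1c and on Rule 1a/1e, and RULE 1 should stop
absorbing redis traffic; if the block rules show packets instead, a pass rule
is ordered below its block.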