pf redirect through socks tunnel?


pf redirect through socks tunnel?

Pieter Verberne
Hi there,

When I use a client, which is behind a pf firewall, I use this redirect
rule:
pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to
10.1.2.3

Now I have a client that is connected via a socks5 SSH tunnel to the pf
firewall. Can I still have a pf redirect to this client?

Gr,
  Pieter Verberne


Re: pf redirect through socks tunnel?

Giancarlo Razzolini-3
On 30-01-2014 15:02, Pieter Verberne wrote:

> Hi there,
>
> When I use a client, which is behind a pf firewall, I use this redirect
> rule:
> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to
> 10.1.2.3
>
> Now I have a client that is connected via a socks5 SSH tunnel to the pf
> firewall. Can I still have a pf redirect to this client?
>
> Gr,
>  Pieter Verberne
>
Hi,

    I read your e-mail a couple of times and it's still confusing to me.
If I understood you correctly, you can redirect, but I suggest that you
use a divert instead of rdr. Take a look at the pf.conf man page. Also
it would help if you elaborated a little bit more.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC


Re: pf redirect through socks tunnel?

Pieter Verberne
In reply to this post by Pieter Verberne
On 2014-01-30 18:02, Pieter Verberne wrote:
> When I use a client, which is behind a pf firewall, I use this redirect
> rule:
> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to
> 10.1.2.3
>
> Now I have a client that is connected via a socks5 SSH tunnel to the pf
> firewall. Can I still have a pf redirect to this client?

I'm sorry my mail is not clear.

I have two machines. One is an OpenBSD machine with pf configured. I
call this machine lilium. The other machine is a Windows client, let's
call this machine bob.

On bob I'm using a gnutella client which is listening to tcp and udp
port 13648. When bob is connected to the same LAN as lilium, I'm using
the following pf.conf line on lilium to make gnutella work:

pass in on $ext_if proto {tcp, udp} from any to any port 13648 rdr-to
10.0.0.18

On the LAN bob has ip address 10.0.0.18 .

Now sometimes, I'm at a remote location and I'm using putty to create a
SSH/SOCKS5 tunnel to lilium. I still want to be able to use my gnutella
client through this SOCKS5 proxy, however, the redirect rule does not
work (of course). How should I solve this?

Can I actually do this with SOCKS, or should I start thinking about some
VPN solution? It would be cool if I can do it with SOCKS.

Okay, it's only gnutella (file sharing), but apart from that, I just
want to know. :-)

Thanks,

Gr,
  Pieter Verberne


Re: pf redirect through socks tunnel?

Giancarlo Razzolini-3
On 30-01-2014 16:16, Pieter Verberne wrote:

> On 2014-01-30 18:02, Pieter Verberne wrote:
>> When I use a client, which is behind a pf firewall, I use this redirect
>> rule:
>> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to
>> 10.1.2.3
>>
>> Now I have a client that is connected via a socks5 SSH tunnel to the pf
>> firewall. Can I still have a pf redirect to this client?
>
> I'm sorry my mail is not clear.
>
> I have two machines. One is an OpenBSD machine with pf configured. I
> call this machine lilium. The other machine is a Windows client, let's
> call this machine bob.
>
> On bob I'm using a gnutella client which is listening to tcp and udp
> port 13648. When bob is connected to the same LAN as lilium, I'm using
> the following pf.conf line on lilium to make gnutella work:
>
> pass in on $ext_if proto {tcp, udp} from any to any port 13648 rdr-to
> 10.0.0.18
>
> On the LAN bob has ip address 10.0.0.18 .
>
> Now sometimes, I'm at a remote location and I'm using putty to create a
> SSH/SOCKS5 tunnel to lilium. I still want to be able to use my gnutella
> client through this SOCKS5 proxy, however, the redirect rule does not
> work (of course). How should I solve this?
>
> Can I actually do this with SOCKS, or should I start thinking about some
> VPN solution? It would be cool if I can do it with SOCKS.
>
> Okay, it's only gnutella (file sharing), but apart from that, I just
> want to know. :-)
>
> Thanks,
>
> Gr,
>  Pieter Verberne
>
You can use the VPN functionality of OpenSSH and do this. But as far as
I could understand your situation, your redirect will work only for tcp
based connections if you make a reverse ssh tunnel. But not for udp. My
suggestion is to go for the VPN solution. There are plenty of options in
OpenBSD, both in base and in packages. I myself use OpenVPN. But don't
be biased by me and see what's best for your case.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC


Re: pf redirect through socks tunnel?

Darren Tucker
In reply to this post by Pieter Verberne
On Fri, Jan 31, 2014 at 4:02 AM, Pieter Verberne
<[hidden email]> wrote:
> Hi there,
>
> When I use a client, which is behind a pf firewall, I use this redirect
> rule:
> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to
> 10.1.2.3
>
> Now I have a client that is connected via a socks5 SSH tunnel to the pf
> firewall. Can I still have a pf redirect to this client?

I wrote code to do this for PF some time back based on work by Luca
Barbieri for the same functionality on Linux:
https://bugzilla.mindrot.org/show_bug.cgi?id=1295

I suspect the patch will have bitrotted since then.

The other gotcha is that it needed to be run as root to open the PF
device to look up the NAT states.  That could potentially be mitigated
by a setuid helper program, but from memory it needed write access for
the DIOCNATLOOK ioctl, so it'd still be potentially dangerous.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


Re: pf redirect through socks tunnel?

Stuart Henderson
On 2014-01-31, Darren Tucker <[hidden email]> wrote:

> On Fri, Jan 31, 2014 at 4:02 AM, Pieter Verberne
><[hidden email]> wrote:
>> Hi there,
>>
>> When I use a client, which is behind a pf firewall, I use this redirect
>> rule:
>> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to
>> 10.1.2.3
>>
>> Now I have a client that is connected via a socks5 SSH tunnel to the pf
>> firewall. Can I still have a pf redirect to this client?
>
> I wrote code to do this for PF some time back based on work by Luca
> Barbieri for the same functionality on Linux:
> https://bugzilla.mindrot.org/show_bug.cgi?id=1295
>
> I suspect the patch will have bitrotted since then.
>
> The other gotcha is that it needed to be run as root to open the PF
> device to look up the NAT states.  That could potentially be mitigated
> by a setuid helper program, but from memory it needed write access for
> the DIOCNATLOOK ioctl, so it'd still be potentially dangerous.

Rather than writing a helper running as root, you can change from using
nat redirects (rdr-to) to using divert sockets (divert-to), then the proxy
will receive unmodified packets and can just use getsockname(2) to retrieve
the original address which does not require privileges.

Same method will also work with FreeBSD ipfw.
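A minimal form of the approach Stuart describes, written as an added example (not code from the thread or from any OpenBSD tool): a listener bound to the divert-to address that recovers each connection's original destination with getsockname(2), with no root and no DIOCNATLOOK. The pf.conf rule in the comment, the port 13648 taken from Pieter's setup, and the function names divert_listener/orig_dest are assumptions.

```c
/* Added example, not from the thread. Assumed pf.conf rule on lilium
 * (hypothetical, replacing the rdr-to line from the original post):
 *   pass in on $ext_if proto tcp from any to any port 13648 \
 *       divert-to 127.0.0.1 port 13648
 */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Bind and listen on the divert-to address; returns the fd or -1. */
int divert_listener(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    int one = 1, s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
        return -1;
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
        bind(s, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
        listen(s, 16) == -1) {
        close(s);
        return -1;
    }
    return s;
}

/* Original destination of an accepted (diverted) socket as "a.b.c.d"
 * plus host-order port. pf delivers the packet unmodified, so the
 * socket's local address is the one the remote peer actually dialled;
 * an unprivileged process can read it. Returns 0 on success, -1 on error. */
int orig_dest(int fd, char *addr, size_t addrlen, unsigned short *port)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    if (getsockname(fd, (struct sockaddr *)&sin, &len) == -1 ||
        sin.sin_family != AF_INET ||
        inet_ntop(AF_INET, &sin.sin_addr, addr, addrlen) == NULL)
        return -1;
    *port = ntohs(sin.sin_port);
    return 0;
}
```

The proxy then loops on accept(2), calls orig_dest on each accepted socket and relays towards bob over the SSH channel; this only covers TCP, since UDP has no per-connection socket to call getsockname(2) on (pf.conf(5) documents the divert-to handling for that case).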


Re: pf redirect through socks tunnel?

Darren Tucker
On Sun, Feb 2, 2014 at 9:33 AM, Stuart Henderson <[hidden email]> wrote:
[...]
> Rather than writing a helper running as root, you can change from using
> nat redirects (rdr-to) to using divert sockets (divert-to), then the proxy
> will receive unmodified packets and can just use getsockname(2) to retrieve
> the original address which does not require privileges.

That does look like a better way of doing it and would likely also
simplify things.  If I'm reading commit logs correctly, divert-to was
added about 6 months after I originally wrote that code.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.