BSD DevCenter
oreilly.comSafari Books Online.Conferences.

advertisement


Securing Small Networks with OpenBSD, Part 4
Pages: 1, 2

Which Packets Do You Want to Capture?

Why do some packets get written to /var/log/pflog and some do not? It all boils down to the way pf works.



Packets are written to /var/log/pflog, when the last pf rule they match includes the log keyword. Packets that are not caught by rules with the log keyword won't be logged. Therefore, if you want to capture all traffic, you need to add the log keyword to all in and out rules in your /etc/pf.conf, save for the lo0 loopback device. On the flip side, if you want to limit logging to a smaller group of packets, add the log keyword only to those rules that catch the packets you want to log. For example, to log all inbound packets sent to your networks from the outside, add the log keyword to all pass in and block in rules for the external interface. Therefore, the rules for the tun0 (ExtIF) interface, described in the second installment of this series, would now look like this:

#################################################################
# Internet (tun0)

# block and log spoofing non-routable addresses

block in log quick on $ExtIF from $NoGoIPs to any
block out quick on $ExtIF from any to $NoGoIPs

# block and log all incoming packets

block in log on $ExtIF all

pass in log on $ExtIF inet proto tcp from any to $rdrIPs port $rdrPorts keep state
pass in log on $ExtIF inet proto udp from any to $rdrIPs port $rdrPorts keep state

# block all outgoing packets

block out on $ExtIF all

# allow TCP IPv4 connections to the outside world, keep state

pass out on $ExtIF inet proto tcp all flags S/SA modulate state
pass out on $ExtIF inet proto { udp, icmp } all keep state

Two special cases we have not discussed yet are the keep state and modulate state rules. We have a choice of using either of the log or log-all keywords here, depending on which packets we want to log. The log keyword will only log those packets that make state, while log-all will log all packets. Therefore, to capture all packets matching state rules, you'd need to change:

pass in log on $ExtIF inet proto tcp from any to $rdrIPs port $rdrPorts keep state
pass in log on $ExtIF inet proto udp from any to $rdrIPs port $rdrPorts keep state

to

pass in log-all on $ExtIF inet proto tcp from any to $rdrIPs port $rdrPorts keep state
pass in log-all on $ExtIF inet proto udp from any to $rdrIPs port $rdrPorts keep state

To log all traffic on ExtIF, we'd need to add the log keyword to the out rules.

#################################################################
# Internet (tun0)

# block and log spoofing non-routable addresses

block in log quick on $ExtIF from $NoGoIPs to any
block out log quick on $ExtIF from any to $NoGoIPs

# block and log all incoming packets

block in log on $ExtIF all

pass in log-all on $ExtIF inet proto tcp from any to $rdrIPs port $rdrPorts keep state
pass in log-all on $ExtIF inet proto udp from any to $rdrIPs port $rdrPorts keep state

# block and log all outgoing packets

block out log on $ExtIF all

# allow TCP IPv4 connections to the outside world, keep state

pass out log-all on $ExtIF inet proto tcp all flags S/SA modulate state
pass out log-all on $ExtIF inet proto { udp, icmp } all keep state

Previously in this series:

Securing Small Networks with OpenBSD, Part 1 -- Small networks are often more vulnerable than large ones because they lack the money to implement good security. Artymiak Jacek explains how to secure a small network on a tight budget.

Securing Small Networks With OpenBSD, Part 2 -- OpenBSD switched from using IPFilter as its default firewall to PF, or Packet Filter, as the new default. Jacek Artymiak explains how to make a smooth transition from ipf to pf.

Securing Small Networks With OpenBSD, Part 3 -- In the third installment of our series on OpenBSD networking, Jacek Artymiak examines pf rules and potential sendmail problems.

But if we are really concerned about security, shouldn't we be logging all packets arriving and leaving on all interfaces on the firewall? Ideally, yes, because that is the only way to ensure that you know what goes on over the boundary between your network and the rest of the world. But in such cases, you need to construct an efficient system for automated log analysis and management. Log files grow fast and take up a lot of storage space; it is essential that you gather only as much data as you can analyze.

OK, suppose that you decide to log all traffic on all interfaces. The first thing you need to do is turn global logging on by adding the log or log-all keywords (where appropriate) to every rule for every external interface on the firewall (ne0, ne1, tun0, or whatever the names of the interfaces that you are telling pf to monitor are). Load those new rules into pf, as described earlier in this article, and check that the packets are being logged into /var/log/pflog with:

# /usr/sbin/tcpdump -r /var/log/pflog

Rather than being a real time display, this command updates in short intervals. If all goes well, you are now monitoring all traffic passing, and attempting to pass, through the firewall. There is a lot of data to munch through, and if you are to manage it, you need to learn how to use tcpdump. The man page for tcpdump (man tcpdump) provides plenty of information, so instead of repeating it all, I'll only point you in the right direction.

You can decide which packets are displayed by tcpdump using one of many options and expressions:

  • Display information in a more compact way

    # /usr/sbin/tcpdump -q -r /var/log/pflog

    or

    # /usr/sbin/tcpdump -q
  • Display only packets related to a specific port

    # /usr/sbin/tcpdump -r /var/log/pflog port 80

    or

    # /usr/sbin/tcpdump port 80
  • Display only packets related to a specific host

    # /usr/sbin/tcpdump -r /var/log/pflog host chumbawamba

    or

    # /usr/sbin/tcpdump host chumbawamba
  • Display only packets related to a specific network (or network segment)

    # /usr/sbin/tcpdump -r /var/log/pflog net xxx.xxx.xxx.xxx

    or

    # /usr/sbin/tcpdump host chumbawamba net xxx.xxx.xxx.xxx

    Additional expressions allow us to filter packets by their destination and protocol (see man tcpdump for details). Even more elaborate filtering can be achieved by combining tcpdump expressions, e.g.:

    # /usr/sbin/tcpdump -r /var/log/pflog "host chumbawamba and port 80"

    or

    # /usr/sbin/tcpdump "host chumbawamba and port 80"

Remember that you can safely experiment with filtering expressions, because they do not affect the contents of /var/log/pflog. Try different tcpdump options and expressions and try to make sense of them with the help of the already mentioned "Tools of the Trade " article by Carl Constantine. I also recommend that you read Dru Lavigne's "TCP Protocol Layers Explained," "Capturing TCP Packets," "IP Packets Revealed," and "Examining ICMP Packets," all on the O'Reilly Network.

You've go a lot of reading to do this time, so I'll leave you now to learn a few things, and will return soon to tackle the problem of managing pf logs and intrusion detection.

Until next time.

Jacek Artymiak started his adventure with computers in 1986 with Sinclair ZX Spectrum. He's been using various commercial and Open Source Unix systems since 1991. Today, Jacek runs devGuide.net, writes and teaches about Open Source software and security, and tries to make things happen.


Return to the BSD DevCenter.






Sponsored by: