Re: pf redirect through socks tunnel?
On Sun, Feb 2, 2014 at 9:33 AM, Stuart Henderson s...@spacehopper.org wrote:
[...]
> Rather than writing a helper running as root, you can change from using
> nat redirects (rdr-to) to using divert sockets (divert-to), then the
> proxy will receive unmodified packets and can just use getsockname(2) to
> retrieve the original address which does not require privileges.

That does look like a better way of doing it and would likely also
simplify things. If I'm reading commit logs correctly, divert-to was
added about 6 months after I originally wrote that code.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: pf redirect through socks tunnel?
On 2014-01-31, Darren Tucker dtuc...@zip.com.au wrote:
> On Fri, Jan 31, 2014 at 4:02 AM, Pieter Verberne pieterverbe...@xs4all.nl wrote:
>> Hi there,
>>
>> When I use a client, which is behind a pf firewall, I use this redirect rule:
>>
>> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to 10.1.2.3
>>
>> Now I have a client that is connected via a socks5 SSH tunnel to the pf
>> firewall. Can I still have a pf redirect to this client?
>
> I wrote code to do this for PF some time back based on work by Luca
> Barbieri for the same functionality on Linux:
> https://bugzilla.mindrot.org/show_bug.cgi?id=1295
>
> I suspect the patch will have bitrotted since then. The other gotcha is
> that it needed to be run as root to open the PF device to look up the
> NAT states. That could potentially be mitigated by a setuid helper
> program, but from memory it needed write access for the DIOCNATLOOK
> ioctl, so it'd still be potentially dangerous.

Rather than writing a helper running as root, you can change from using
nat redirects (rdr-to) to using divert sockets (divert-to), then the
proxy will receive unmodified packets and can just use getsockname(2) to
retrieve the original address which does not require privileges.

Same method will also work with FreeBSD ipfw.
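As an added illustration of the divert-to suggestion above (example code, not from the thread or from OpenSSH): with divert-to the proxy's accepted socket still carries the client's original destination, so getsockname(2) alone recovers it, without opening /dev/pf or running as root. The pf.conf rule in the comment and the bind_loopback() helper are assumptions for demonstration; on a plain listening socket without pf the same call simply returns the bound address.

```c
/* Added example, not code from the thread: a proxy fed by pf divert-to
 * recovers the original destination with getsockname(2) alone, so it
 * needs neither /dev/pf nor root. Assumed (hypothetical) pf.conf rule:
 *   pass in on $ext_if proto tcp from any to any port 13648 divert-to 127.0.0.1 port 13648 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <string.h>
#include <unistd.h>

/* Write the local address of fd (the original destination for a
 * divert-to socket) into host/port. Returns 0 on success, -1 on error. */
int original_dst(int fd, char *host, size_t hostlen, unsigned short *port)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    const void *addr;

    if (getsockname(fd, (struct sockaddr *)&ss, &len) == -1)
        return -1;
    if (ss.ss_family == AF_INET) {
        struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
        addr = &sin->sin_addr;
        *port = ntohs(sin->sin_port);
    } else if (ss.ss_family == AF_INET6) {
        struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
        addr = &sin6->sin6_addr;
        *port = ntohs(sin6->sin6_port);
    } else {
        return -1;
    }
    return inet_ntop(ss.ss_family, addr, host, hostlen) ? 0 : -1;
}

/* Test helper without pf: bind a TCP socket on 127.0.0.1:port
 * (0 = kernel-chosen) and return its descriptor, or -1 on failure. */
int bind_loopback(unsigned short port)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port),
                               .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1)
        return -1;
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}
```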
pf redirect through socks tunnel?
Hi there,

When I use a client, which is behind a pf firewall, I use this redirect rule:

pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to 10.1.2.3

Now I have a client that is connected via a socks5 SSH tunnel to the pf
firewall. Can I still have a pf redirect to this client?

Gr,
Pieter Verberne
Re: pf redirect through socks tunnel?
On 30-01-2014 15:02, Pieter Verberne wrote:
> Hi there,
>
> When I use a client, which is behind a pf firewall, I use this redirect rule:
>
> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to 10.1.2.3
>
> Now I have a client that is connected via a socks5 SSH tunnel to the pf
> firewall. Can I still have a pf redirect to this client?
>
> Gr,
> Pieter Verberne

Hi,

I read your e-mail a couple of times and it's still confusing to me. If I
understood you correctly, you can redirect, but I suggest that you use a
divert instead of rdr. Take a look on the pf.conf man page. Also it would
help if you elaborate a little bit more.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: pf redirect through socks tunnel?
On 2014-01-30 18:02, Pieter Verberne wrote:
> When I use a client, which is behind a pf firewall, I use this redirect rule:
>
> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to 10.1.2.3
>
> Now I have a client that is connected via a socks5 SSH tunnel to the pf
> firewall. Can I still have a pf redirect to this client?

I'm sorry my mail is not clear.

I have two machines. One is an OpenBSD machine with pf configured. I call
this machine lilium. The other machine is a Windows client, let's call
this machine bob.

On bob I'm using a gnutella client which is listening to tcp and udp port
13648. When bob is connected to the same LAN as lilium, I'm using the
following pf.conf line on lilium to make gnutella work:

pass in on $ext_if proto {tcp, udp} from any to any port 13648 rdr-to 10.0.0.18

On the LAN bob has IP address 10.0.0.18.

Now sometimes, I'm at a remote location and I'm using putty to create a
SSH/SOCKS5 tunnel to lilium. I still want to be able to use my gnutella
client through this SOCKS5 proxy, however, the redirect rule does not
work (of course). How should I solve this? Can I actually do this with
SOCKS, or should I start thinking about some VPN solution? It would be
cool if I can do it with SOCKS.

Okay, it's only gnutella (file sharing), but apart from that, I just want
to know. :-)

Thanks,

Gr,
Pieter Verberne
Re: pf redirect through socks tunnel?
On 30-01-2014 16:16, Pieter Verberne wrote:
> On 2014-01-30 18:02, Pieter Verberne wrote:
>> When I use a client, which is behind a pf firewall, I use this redirect rule:
>>
>> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to 10.1.2.3
>>
>> Now I have a client that is connected via a socks5 SSH tunnel to the pf
>> firewall. Can I still have a pf redirect to this client?
>
> I'm sorry my mail is not clear.
>
> I have two machines. One is an OpenBSD machine with pf configured. I call
> this machine lilium. The other machine is a Windows client, let's call
> this machine bob.
>
> On bob I'm using a gnutella client which is listening to tcp and udp port
> 13648. When bob is connected to the same LAN as lilium, I'm using the
> following pf.conf line on lilium to make gnutella work:
>
> pass in on $ext_if proto {tcp, udp} from any to any port 13648 rdr-to 10.0.0.18
>
> On the LAN bob has IP address 10.0.0.18.
>
> Now sometimes, I'm at a remote location and I'm using putty to create a
> SSH/SOCKS5 tunnel to lilium. I still want to be able to use my gnutella
> client through this SOCKS5 proxy, however, the redirect rule does not
> work (of course). How should I solve this? Can I actually do this with
> SOCKS, or should I start thinking about some VPN solution? It would be
> cool if I can do it with SOCKS.
>
> Okay, it's only gnutella (file sharing), but apart from that, I just want
> to know. :-)
>
> Thanks,
>
> Gr,
> Pieter Verberne

You can use the VPN functionality of OpenSSH and do this. But as far as I
could understand your situation, your redirect will work only for tcp
based connections if you make a reverse ssh tunnel. But not for udp. My
suggestion is to go for the VPN solution. There are plenty of options in
OpenBSD, both on base and in packages. I myself use OpenVPN. But don't be
biased by me and see what's best for your case.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: pf redirect through socks tunnel?
On Fri, Jan 31, 2014 at 4:02 AM, Pieter Verberne pieterverbe...@xs4all.nl wrote:
> Hi there,
>
> When I use a client, which is behind a pf firewall, I use this redirect rule:
>
> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to 10.1.2.3
>
> Now I have a client that is connected via a socks5 SSH tunnel to the pf
> firewall. Can I still have a pf redirect to this client?

I wrote code to do this for PF some time back based on work by Luca
Barbieri for the same functionality on Linux:
https://bugzilla.mindrot.org/show_bug.cgi?id=1295

I suspect the patch will have bitrotted since then. The other gotcha is
that it needed to be run as root to open the PF device to look up the
NAT states. That could potentially be mitigated by a setuid helper
program, but from memory it needed write access for the DIOCNATLOOK
ioctl, so it'd still be potentially dangerous.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.