List: openbsd-misc
Subject: Re: PF divert-packet reinjection
From: Stuart Henderson <stu () spacehopper ! org>
Date: 2020-11-24 11:54:22
Message-ID: slrnrrpt3e.2o9.stu () naiad ! spacehopper ! org
On 2020-11-23, Szél Gábor <gabor.szel@wantax.eu> wrote:
> Dear @misc
>
> We test OpenBSD with Suricata in IPS mode.
> IPS mode requires PF divert-packet.
>
> simple rule to divert:
> pass in log quick on $xxxx_if proto tcp from !<ADMINIPs> to any
> divert-packet port 700
>
> At first look everything is good!
> The packet goes to Suricata, Suricata checks the packet, and if the packet is "bad",
> it is thrown away.
> But it is not working well!
>
> If Suricata does not drop the packet, the packet is not reinjected into PF!
> After the divert-packet rule, none of the other rules work.
>
> a simple example:
> pass in log quick on $xxxx_if proto tcp from !<ADMINIPs> to any
> divert-packet port 700
> block log all
>
> I'm trying to connect to a host with SSH, the divert to Suricata is okay, and
> the SSH connection is successful.
> Why? The next rule is block all!
>
> I thought apples wouldn't reinject packets, so I made a simple test:
> https://man.openbsd.org/divert.4 - example C code
>
> If I replaced Suricata with the example C code, the situation is the same!
> I see the packet in the example's log, and the SSH connection is successful.
> I think PF divert-packet does not reinject packets into PF.
This is all exactly as described in the divert(4) manual;
Writing to a divert socket can be achieved using sendto(2) and it will skip
pf(4) filters to avoid loops. Note that this means that a reinjected
inbound packet will also not run through the pf out rules after being
forwarded. A diverted packet that is not reinjected into the kernel stack
is lost.
> Is there a solution for this?
Block packets first, then pass any remaining packets with divert-to?
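As an illustration of the ordering suggested above, here is a constructed pf.conf fragment (added here; it is not from the thread, the divert(4) manual, or Suricata). The interface name, the table contents and port 700 are placeholders; it assumes the same divert-packet rule shape the original question used.

```pf
# Constructed pf.conf fragment: filter first, divert last.
# ext_if and the <ADMINIPs> table contents are placeholders.
ext_if = "em0"
table <ADMINIPs> { 192.0.2.10, 192.0.2.11 }
table <blocklist> persist

# A packet that the IPS reinjects with sendto(2) bypasses pf(4) entirely,
# including "out" rules on the forwarded path, so every pf decision that
# must apply to diverted traffic has to be made BEFORE the divert rule.

# 1. Default deny (last-match semantics, so later "quick" rules win).
block log all

# 2. Explicit drops that must never reach the IPS: decided here, "quick",
#    so they are blocked before any divert can happen.
block in log quick on $ext_if from <blocklist> to any

# 3. Admin hosts are excluded from inspection by the divert rule below;
#    give them an explicit pass so they are not caught by the default deny.
pass in quick on $ext_if proto tcp from <ADMINIPs> to ($ext_if) port 22

# 4. Everything else inbound over TCP goes to the IPS on divert port 700.
#    "quick" ends evaluation here: whatever the IPS reinjects is accepted
#    as-is, and whatever it drops is simply lost to the stack.
pass in log quick on $ext_if proto tcp from !<ADMINIPs> to any \
    divert-packet port 700
```

With this ordering, anything the divert rule does not match falls back to `block log all`, anything in `<blocklist>` is dropped before the IPS ever sees it, and the reinjected packets are the only traffic for which pf no longer has a say, which is exactly the behaviour divert(4) documents.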