RPFCD(1) OpenBSD Reference Manual RPFCD(1) NAME rpfcd - remote packet filter control daemon SYNOPSIS rpfcd [-VD] [-p port] DESCRIPTION rpfcd allows remote control and monitoring of OpenBSD packet filter. It communicates with clients using RPFC protocol running on top of SSL (Se- cure Socket Layer). Protocol is designed to be relativly forgiving and easy to use. rpfcd goal is to provide a common framework for pf control and monitor- ing. Instead of running pfctl/tcpdump/pflogd, writing ad-hoc parsing scripts, sending the results by mail, rpfcd will provide the same and much more via a transparent server-client interface. Together with a de- cent CLI/GUI client, pf firewall monitoring becomes rather easy. This is especially interesting if you have several pf firewalls to control and monitor. The options are as follows: -D Become a daemon and run in background. -p port Listen for client requests on port instead of default port 2620/tcp. -V Show version, protocol and OpenSSL version. DESIGN rpfcd runs as a daemon listening for client requests on a specific port (default 2620/tcp). Communication is done using a protocol called RPFCP running on top of SSL. See below for an informal definition of RPFCP. Control of pf is done using /dev/pf and ioctl(2) interface combination. rpfcd uses fork(2) to spawn children that actually deal with client re- quests. Since /dev/pf is only readable by uid 0 (in default OpenBSD set- up) children open /dev/pf (O_RDONLY mode), chroot(2) to /var/empty and drop privileges immediately after. Design will have to be slightly revised if any of the 'insecure' options, like writing to /etc/pf.conf are implemented. PROTOCOL Communication with rpfcd is done in a single/multi line request/response way. Messages have the following format: Request: "PrefixMajorMinorCodeMsg\r\n" Response: "PrefixMajorMinorCodeLenMsg\r\n" PREFIX, fixed value "RPFCP" (5A) MAJOR, protocol major value (2N) MINOR, protocol minor value (2N) CODE, request/response code (2N) LEN, MSG length including terminating "\r\n" (3N) MSG, optional message (vAN) Current protocol version is 0100 (i.e. 1.0). Maximum request/response messages size is 1024 bytes per line. Protocol fields are formatted in the following way: xN, x number of digit(s) xA, x number of character(s) vN, variable number of digit(s) vA, variable number of character(s) mvAN, multi-line variable number or character(s) and number(s) REQUEST CODES rpfcd currently support 9 different request codes. Each code is defined and explained below. Authenticate (101) Send authentication credentials (i.e. username and password). Before clients can send requests to they have to authenticate by providing a valid set of credentials. Request message: 2Nusernamepassword Response message: NULL 2N is the length of the supplied username. Rest of the message is the password. Disconnect (102) Disconnect from the server. Clients should send this code to indicate the end of a session with a server. Request message: NULL Response message: NULL Show pf uptime (111) Return the time elapsed since pf(4) has been enabled. Request message: NULL Response time: days;hours;minutes;seconds; (single line) Show state tables statistics (112) Return state table statistics, i.e. number of current entries, searches, inserts and removals. Request message: NULL Response message: current entries;searches;inserts;removals; (single line) Show current pool memory hard limits (113) Return limits (if any) for maximal number of state and fragmentation en- tries. Request message: NULL Response message: states limit;fragmentation limit; (single line) If no limit is set (for either number of states or fragmentations), 0 (zero) is returned. Show counter statistics (114) Return counter statistics, i.e. number of different packet types going through pf(4). Request message: NULL Response message: match;bad-offset;fragment;short;normalize; Response type: single line Show global timeout values (115) Return current global timeout values defined for pf(4). Request message: NULL Response message: tcp.first;tcp.opening;tcp.established;\ tcp.closing;tcp.finwait;tcp.closed;udp.first;udp.single; \ udp.multiple;icmp.first;icmp.error;other.first; \ other.single;other.multiple;frag;interval; (single line) Show pf status (116) Return pf(4) status. Request message: NULL Response message: status; (single line) Where status is either 1 (enabled) or 0 (disabled). Show loaded filter rules (117) Return a list of currently loaded filter rules similar to the output of 'pfctl -sr'. Request message: NULL Response message: @{0-n} rule (multi-line) RESPONSE CODES rpfcd currently supports 10 distinct response codes. Each code is defined and explained below. No error (300) Indicates no error in a request/response. Multi-line data begin (301) Beginning of a multi-line response. Server will send this code at the be- gining of a multi-line response message. Client should keep on reading the response until they see a multi-line end code comming from the serv- er. Multi-line data end (302) End of multi-line response. Server will send this code at the end of mul- ti-line response to indicate to the client that it has finished sending the data. Protocol violation (400) Indicated a protocol violation from the client. This usually means that the client is sending malformed requests. Unknown request (401) Protocol is not violated, however the requested code is not known/imple- mented. Authentication failed (402) Supplied user credentials do not match any of the entries in the users file. Authentication required (403) Client did not authenticate to the server. PF query failed (500) Server falied to execute a given query on pf(4). This probably indicates an internal error of some kind. PF access denied (501) Access to pf(4) (i.e. /dev/pf) was denied. This means that the server does not have permission to access the device. PF disabled (502) Indicated that the packet filter is disabled. SECURITY rpfcd was from the begining designed with security in mind. Besides try- ing to follow the best coding practices (avoiding buffer overflows, race conditions etc.), rpfcd uses SSL (Secure Socket Layer) to protect the communication between the server and the clients. rpfcd runs as unprivileged user (per default) in a chroot jail. If rpfcd is compromised, the attacker will only be able to get an unpriviliged shell and be chroot'ed in /var/empty jail. User authentication is done using SHA-1 cryptographic one-way function. Password submitted by client is run through SHA-1 function. If the client supplied username and the password match the coresponding ones stored in the rpfcd users file, the authentication is successful, and the client can start sending the requests. USERS rpfcd uses it's own users database (located in /etc/rpfcd/rpfcd.users). Users database is a simple flat-file with the following format: user:hash\n Where user is the username and hash is a 160 bit SHA-1 hash of the corre- sponding password. To add a new user, do the following: sha1 -s "mypass" | awk {'print "myuser:"$4'} >>/etc/rpfcd/rpfcd.users This will add a user called 'myuser' with the password 'mypass' to /etc/rpfcd/rpfcd.users. To remove a given user, simply delete the entry from /etc/rpfcd/rpfcd.users. BUGS Probably several. AUTHOR Srebrenko Sehic SEE ALSO pf(4), pfctl(8) OpenBSD 3.2 August 1, 2002 4