Wednesday, December 04, 2019

Re: No WAF detected

On Wed, Dec 4, 2019 at 11:58 PM Kihaguru Gathura <pqscript@gmail.com> wrote:

>
> > > Which is a better way to implement a WAF on OpenBSD using the base
> > > utilities?
> >
> > relayd configured in certain ways might be considered as a WAF.
>
> All methods and all other security headers and path filters are coded in
> the web application which had always been detected as a custom WAF until
> two weeks ago.
>
> I have now included relayd and a re-test passes all other requirements but
> does not detect a WAF (please find sample configurations and test report
> below).
>
> Any hint highly appreciated
>
> Thank you,
>
> Kihaguru.
>
>
>
>
> ----------------------------------------------------------------------------------------------------------
>
> # $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
> #
> # Relay and protocol
> #
> http protocol httpp {
> match response header remove "Server"
>
> pass
> block path "/cgi-bin/index.cgi" value "*command=*"
> }
>
> relay httpr {
> # Listen on localhost, accept diverted connections from pf(4)
> listen on 127.0.0.1 port 8080
> protocol httpp
>
> # Forward to the original target host
> forward to destination
> }
>
> http protocol httpsp {
> match response header remove "Server"
>
> pass
> block path "/cgi-bin/index.cgi" value "*command=*"
>
> tls keypair example.com
> tls keypair example.net
> tls keypair example.org
> }
>
> relay httpsr {
> # Listen on localhost, accept diverted connections from pf(4)
> listen on 127.0.0.1 port 8443 tls
> protocol httpsp
>
> # Forward to the original target host
> forward with tls to destination
> }
>
> ---------------------------------------------------------------------------------------------------------
>
> and pf.conf now reconfigured to divert to relayd
>
>
> ---------------------------------------------------------------------------------------------------------
> # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
>
> # don't filter on the loopback interface
> set skip on lo
>
> # scrub incoming packets
> match in all scrub (no-df)
>
> # set up a default deny policy
> block all
>
> # activate spoofing protection for all interfaces
> block in quick from urpf-failed
>
> pass in on bge0 from 192.168.0.0/24 to 192.168.0.254
> pass out on bge0 from 192.168.0.254 to 192.168.0.0/24
>
>
> pass in on egress proto tcp from any to egress port 4 modulate state
> pass in on bge0 inet proto tcp to port 80 \
> divert-to 127.0.0.1 port 8080
> pass in on bge0 inet proto tcp to port 443 \
> divert-to 127.0.0.1 port 8443
> pass out on egress proto tcp from any to any port smtp modulate state
>
> -----------------------------------------------------------------------------------------------------------------
>
> PCI-DSS requirement 6.6 "WAF" remains a challenge.
>
>
>

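Editor's added example, not part of the thread and not the poster's configuration: a relayd.conf(5) protocol that goes beyond the single "*command=*" rule above and applies the kind of request filtering and response hardening usually expected of a WAF, using only relayd(8) from base. It keeps the poster's pf(4) divert-to layout (listen on loopback, forward to destination). The hostname example.com, the blocked patterns and the label texts are placeholders; patterns are shell-style globs matched case-insensitively as described in relayd.conf(5). Check syntax with `relayd -n -f /etc/relayd.conf` before loading it, and tune the crude SQLi/XSS globs against real traffic, since substring matches of this kind will produce false positives.

```conf
# Added example (not from the thread): WAF-style relayd protocol.
# Hostnames, paths and patterns are placeholders.

http protocol waf {
        # Return an HTML error page from relayd for blocked requests
        # instead of silently dropping the connection
        return error

        # Pass the real client address to the backend for logging
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header set "X-Forwarded-By" \
                value "$SERVER_ADDR:$SERVER_PORT"

        # Log request fields so blocks are traceable in relayd's logs
        match request header log "Host"
        match request header log "User-Agent"

        # Only the methods the application uses
        label "Method not allowed"
        block request quick method "TRACE"

        # Command-injection probes against any CGI, not just one script
        label "Request blocked"
        block request quick path "/cgi-bin/*" value "*command=*"
        block request quick path "/cgi-bin/*" value "*;*"
        block request quick path "/cgi-bin/*" value "*|*"

        # Path traversal and direct hits on backups / repository metadata
        block request quick path "*..*"
        block request quick path "*.bak"
        block request quick path "*.old"
        block request quick path "/.git/*"

        # Crude XSS and SQLi indicators in any query parameter
        block request quick query "*" value "*<script*"
        block request quick query "*" value "*UNION*SELECT*"
        block request quick query "*" value "*' OR *"

        # Hide the origin server and add the response headers scanners
        # check for (poster already removes "Server")
        match response header remove "Server"
        match response header set "X-Frame-Options" value "DENY"
        match response header set "X-Content-Type-Options" value "nosniff"
        match response header set "Strict-Transport-Security" \
                value "max-age=31536000; includeSubDomains"

        # Everything that was not blocked above is passed to the backend
        pass

        tls keypair example.com
}

relay httpsr {
        # Same pf(4) divert-to arrangement as in the thread
        listen on 127.0.0.1 port 8443 tls
        protocol waf
        forward with tls to destination
}
```

Rules are evaluated in order and `quick` stops at the first match, so the block rules sit before the final `pass`; the `label` preceding a group of block rules is the text shown on the error page `return error` generates for them.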