Re: Firewall setup
May I suggest relaying these more basic questions to the @rookies mailing list? I think it would be great if we could have this channel reactivated, dedicated to helping folks like Karel learn how to navigate more basic stuff, and keep misc@ for intermediate/advanced users' inquiries.

On Wed, 17 Apr 2024 at 1:30 AM Daniel Ouellet wrote:
>
> On 4/16/24 10:27 AM, Karel Lucas wrote:
> > First and most importantly, I would like to apologize to anyone who was
> > disturbed by my conversation. It is not my intention to offend people.
> > [...]
>
> Hi Karel,
>
> I think you may be missing the point that everyone is trying to explain to
> you. OpenBSD is a mailing list that has very thick skin compared to any
> other. You need to be very rude to offend people here, unless you are
> one who feels they have a right to other people's free time.
>
> [...]
Re: Firewall setup
On 4/16/24 10:27 AM, Karel Lucas wrote:
> First and most importantly, I would like to apologize to anyone who was
> disturbed by my conversation. It is not my intention to offend people. I
> may be curt, but that's not because it's in my character. In daily life
> I work with electronics and computers and am much less familiar with
> networks. I don't need this knowledge for what I do in daily life. It is
> therefore difficult for me to estimate what is important to link back to
> this mailing list. So if I am curt, please try to remember that it is
> not intentional, but a matter of lack of knowledge. Again, I don't want
> to hurt anyone.

Hi Karel,

I think you may be missing the point that everyone is trying to explain to you. OpenBSD is a mailing list that has very thick skin compared to any other. You need to be very rude to offend people here, unless you are one who feels they have a right to other people's free time.

You got some VERY knowledgeable people answering you. If I were you I would feel lucky for their time, believe me. I have been on this list since OpenBSD 2.7. A few decades ago...

Now you say you don't have the network know-how to do this; sure, everyone starts somewhere. You say you don't need this in your daily job either, and keep asking others to point you at the page in the PF book, etc.

Remember they are NOT the ones who need to know, you are, so make the effort please. Many will hold your hand gladly IF you show willingness to do your share.

Even the site has basic starting examples here:

https://www.openbsd.org/faq/pf/index.html

And even some of them could be simpler too, but they are provided as examples to show what's possible. Up to the reader to start there and go where they want to...

Now to the point: you were told to start simple and explain what you want to do.

Here you say you have no special needs, etc.

So why in God's name would you want to do a bridge setup?

The KISS principle applies!

And you were asked as well to explain your setup. NOT what you think it should be or how it is connected, what interface does what, etc.

What do you want to do, plain and simple.

Here you say that "The internal network consists mainly of regular clients, so no email, web or name servers", so no need for a bridge, or DMZ, etc.

Also it looks like you use private IPs, so yes, NAT is needed obviously.

Now if you want multiple networks, WHY?

Any reason for it? I see none if you don't have hosting services.

You say it could be possible; sure it can. I can have multiple VLANs and domain routing, configure a specific IPMI DMZ for my servers' configuration, add ssh keys for wireless access with time-based access and limits, and kids' restrictions, etc. But I wouldn't do that until I get my basic system going and know why.

Maybe I don't have kids, so why do that part of the setup? But maybe I have wireless and friends coming over, and they obviously all/maybe want fast internet access on my wireless, but I don't want them to have access to ANY of my devices from their phones that might compromise my network, so I would have guest wireless access to the outside world ONLY. But if I have no friends, then why would I want that? Etc...

Sure, maybe you have wireless that you want to isolate from other hard-wired computers, etc. You have a NAS; maybe you want to isolate it from wireless, or some specific computers, kids' access restricted maybe, etc.

But nowhere did you ever describe what it is that you want...

Maybe before you start building a house, you need to know what you want in it, etc.

Same thing here.

Start small and then go from there.

Why? Doing an incremental setup helps you understand your setup and why you do it.

Then down the line when you make changes or want to add something to it, when your pf configuration is clean, you will know where to add it and what it does.

It looks to me that if your setup has NO special needs, no hosting services that need to be reached from the Internet, then the only thing you need is a VERY simple NAT setup, on two interfaces, and that's it.

It's not because you have 4 interfaces that you need to use 4 interfaces...

Start by defining what it is that you want and FORGET ABOUT interface 1, and then 2 for admin, and 3 for NAS, etc.

What is it that you want to do, and go from there.

Define your needs and then address them ONE by ONE.

Fix one, test, and then go to the next one.

And FORGET ABOUT BRIDGE SETUP PLEASE!!!

You have absolutely NO need for this with what you have said so far in any of your communications.

Example of thinking. I see you try to use MANY macros; do you really need that? It's supposed to make things simpler to understand and cleaner to read, not more complex.

The key to a decent firewall is first to know what it is that you want to do, and it looks to me you still do not know that yet.

I would even say, and have said for many decades, a good firewall NOT only stops incoming traffic, but also
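The two-interface routed NAT setup recommended above, written out as an added example. This is not configuration from the thread, from Daniel, or from the OpenBSD FAQ; the interface roles and addresses are assumptions: igc0 faces the modem and gets its address by DHCP, igc1 is the only LAN interface with 192.168.2.1/24, and nothing on the LAN has to be reachable from the Internet. One caveat for the layout Karel describes: routing between two interfaces that both claim 192.168.2.0/24 does not work, so a second LAN interface needs its own subnet. The pfctl commands in the header comment are the check-then-load sequence Jens describes elsewhere in the thread.

```pf
# /etc/pf.conf
# Added example of a minimal routed NAT firewall on two interfaces.
# Assumed layout (not from the thread):
#   igc0  external, address from the ISP's modem via DHCP
#         (/etc/hostname.igc0 contains just "inet autoconf")
#   igc1  internal, the only LAN interface
#         (/etc/hostname.igc1 contains "inet 192.168.2.1 255.255.255.0")
# The box must also forward packets, or nothing crosses it whatever pf says:
#   sysctl net.inet.ip.forwarding=1        (make it permanent in /etc/sysctl.conf)
# Workflow after every edit:
#   pfctl -nf /etc/pf.conf    parse only; on a syntax error the old rules stay loaded
#   pfctl -f  /etc/pf.conf    load; existing states survive the reload
#   pfctl -sr                 print what the kernel is actually running
#   pfctl -ss                 current states (one per interface a connection crosses)

ext_if  = "igc0"
int_if  = "igc1"
lan_net = "192.168.2.0/24"

# Address blocks that should never be seen on the outside interface.
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 224.0.0.0/3 }

set block-policy drop
set skip on lo

match in all scrub (no-df random-id max-mss 1440)

# NAT: as LAN packets leave igc0, rewrite their source to whatever address
# igc0 holds right now. The parentheses make pf re-read the address when
# DHCP changes it; ":0" means "the first address only".
match out on $ext_if inet from $lan_net to any nat-to ($ext_if:0)

# Default deny, logged to pflog0 (watch it with: tcpdump -n -e -ttt -i pflog0).
block log all

# Drop packets arriving on igc1 that do not carry a LAN source address.
antispoof quick for $int_if
block in quick on $ext_if from <martians> to any
block return out quick on $ext_if from any to <martians>

# Anything leaving the box on any interface: LAN traffic being forwarded out
# igc0 (after the nat-to above), forwarded replies going out igc1, and the
# firewall's own DHCP, DNS, ntpd and syspatch traffic.
pass out quick inet

# LAN clients may start connections to anything, the firewall itself included
# (ssh from the LAN side). Replies, ping answers and traceroute's ICMP
# errors ride the state; no separate return rule is needed.
pass in on $int_if inet from $lan_net to any

# Nothing unsolicited from the Internet is passed in: "block log all" above.
```

Every connection from the LAN shows up twice in pfctl -ss once this is loaded: one state created on igc1 by the pass in rule and one on igc0 by the pass out rule, the second carrying the translated address.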
Re: Firewall setup
This is my dmesg, if anyone is interested:

OpenBSD 7.4 (GENERIC.MP) #3: Wed Feb 28 06:23:33 MST 2024
    r...@syspatch-74-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4047122432 (3859MB)
avail mem = 3904729088 (3723MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.3 @ 0x74c77000 (117 entries)
bios0: vendor American Megatrends International, LLC. version "JK4LV105" date 08/31/2022
bios0: Default string Default string
efi0 at bios0: UEFI 2.7
efi0: American Megatrends rev 0x50013
acpi0 at bios0: ACPI 6.2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP MCFG FIDT SSDT SSDT SSDT HPET APIC PRAM SSDT SSDT NHLT LPIT SSDT SSDT DBGP DBG2 DMAR SSDT TPM2 WSMT FPDT
acpi0: wakeup devices PEGP(S4) PEGP(S4) PEGP(S4) PEGP(S4) SIO1(S3) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xc000, bus 0-255
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2893.74 MHz, 06-9c-00, patch 2424
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 38MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.2.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2893.74 MHz, 06-9c-00, patch 2424
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2793.96 MHz, 06-9c-00, patch 2424
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu2: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2793.95 MHz, 06-9c-00, patch 2424
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu3: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpiprt0 at acpi0: bus 0 (PC00)
acpiprt1 at acpi0: bus -1 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 1 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiprt5 at acpi0: bus 2 (RP05)
acpiprt6 at acpi0: bus 3 (RP06)
acpiprt7 at acpi0: bus 4 (RP07)
acpiprt8 at acpi0: bus 5 (RP08)
acpiprt9 at acpi0: bus -1 (RP09)
acpiprt10 at acpi0: bus -1 (RP10)
acpiprt11 at acpi0: bus -1 (RP11)
acpiprt12 at
Re: Firewall setup
First and most importantly, I would like to apologize to anyone who was disturbed by my conversation. It is not my intention to offend people. I may be curt, but that's not because it's in my character. In daily life I work with electronics and computers and am much less familiar with networks. I don't need this knowledge for what I do in daily life. It is therefore difficult for me to estimate what is important to link back to this mailing list. So if I am curt, please try to remember that it is not intentional, but a matter of lack of knowledge. Again, I don't want to hurt anyone.

Second, the firewall. This is set up as a bridge with the following hardware: https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image=1. The Ethernet connections ETH1 ... ETH4 are translated by OpenBSD to igc0 ... igc3. Connection igc0 is the input that goes to the ISDN modem, and igc1 and igc2 are the two outputs that go to the internal network. These two connections are more flexible for the underlying network. This makes it possible to connect two different networks, if desired, albeit with one and the same IP range (192.168.2.0/24), or two different networks, if so configured. So two possibilities (which is best?). So there is no need to use two connections at the same time, although this should be possible. Finally, connection igc3. This is given the IP address 192.168.2.252, because it is intended for remote administration, including upgrades. This connection will therefore not be part of the firewall bridge, and will therefore not appear in pf.conf.

The internal network consists mainly of regular clients, so no email, web or name servers. These clients will work with Linux, macOS, or OpenBSD, but not Windows, but there will be a small file server or NAS. This file server or NAS is only intended for the clients in the network and has no connection to the internet.

For now it is important to get ping and traceroute working properly, after which work on normal internet traffic can be started. What I'm wondering is whether I need NAT for my firewall configuration. This is my plan for my firewall. It seems to me that there are much more difficult configurations than this one. I hope there are still people who are willing to help me.

On 16-04-2024 at 07:24, Peter N. M. Hansteen wrote:
> I give up.
>
> The obviously incomplete, hand-edited ifconfig output shows three
> interfaces that are (or appear to be, judging from the excerpts that we
> are given) not configured with IP addresses, two of which have a link,
> while the last does not. For reasons unknown these three are joined in a
> three-way bridge.
>
> [...]
Re: Firewall setup
On Tue, Apr 16, 2024 at 12:01:38AM +0200, Karel Lucas wrote:
>
> On 15-04-2024 at 22:20, Peter N. M. Hansteen wrote:
> > On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> > > This gives the following error messages when booting:
> > > no IP address found for igc1:network
> > > /etc/pf.conf:41: could not parse host specification
> > > no IP address found for igc2:network
> > > /etc/pf.conf:42: could not parse host specification
> > This sounds to me like those interfaces either do not exist or
> > have not been correctly configured.
> >
> > Are those interfaces configured, as in do they have IP addresses?
> >
> > the output of ifconfig igc1 and ifconfig igc2 will show you.
> >
> Output from ifconfig igc0:
> igc0: flags=8b43 mtu 1500
>         lladdr 7c:2b:e1:13:dd:f4
>         index 1 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex)
>         sratus: active
>
> Output from ifconfig igc1:
> igc1: flags=8b43 mtu 1500
>         lladdr 7c:2b:e1:13:dd:f5
>         index 2 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex)
>         sratus: active
>
> Output from ifconfig igc2:
> igc2: flags=8b43 mtu 1500
>         lladdr 7c:2b:e1:13:dd:f6
>         index 3 priority 0 llprio 3
>         media: Ethernet autoselect (none)
>         status: no carrier
>
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2
> up
>
> /etc/hostname.igc0:
> up
>
> /etc/hostname.igc1:
> up
>
> /etc/hostname.igc2:
> up
>

Either Stuart is right, and you are trying to put up some weird firewall, or Diana is right, and you are way out of your depth and need to learn some of the basics of IPv4 networking. Or they are both right. Either way, Peter is also right: you have been giving us information piecemeal, and not only does this not help you solve your problems, it can be frustrating for the rest of us, because you've (involuntarily) been wasting our time chasing the wrong problem. Your issues seem to be broader than just configuring PF.

Incidentally, this is also an example of why copying/pasting stuff into your machine is often a bad idea. You need to understand what you are putting in there, bit by bit. Otherwise either it will fail immediately (as in your case) or it will fail later, the first time you try to tweak it. And with a firewall being key to network security, you'll really want to get it right.

There is no harm in not knowing things; no one is born knowing what a routing table is, we've all had to start somewhere (I hope you don't find this patronizing, that's really not the point). And, as you've just seen, despite this mailing list having a reputation of being unfriendly, you've got plenty of people willing to help. There are just a few steps you need to take _on your own_ first.

Peter's book is great for PF, as is the PF user's guide [1]. For the networking bits you can also take a look at the respective chapters of Michael W. Lucas' "Absolute OpenBSD" [2]. Palmer and Nazario's "Secure Architectures with OpenBSD" also helped me a lot with system administration in general, back in the day. Others might have other suggestions; I'm sure there's a ton of stuff out there.

[1] https://www.openbsd.org/faq/pf/index.html
[2] https://www.michaelwlucas.com/os/ao2e

--
Re: Firewall setup
I give up.

The obviously incomplete, hand-edited ifconfig output shows three interfaces that are (or appear to be, judging from the excerpts that we are given) not configured with IP addresses, two of which have a link, while the last does not. For reasons unknown these three are joined in a three-way bridge.

From the tiny crumbs of information you have deigned to reveal to us, it is not at all clear what it is you are trying to achieve. That this configuration does not do anything useful is however no surprise at all.

Once you can describe what it is your Rube Goldberg contraption is supposed to do, competent people here might offer some advice on how to make things work properly. Until that happens, I for one will simply ignore anything from that source.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Firewall setup
On 2024-04-15, Karel Lucas wrote:
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip
> igc2 up

Bridging with PF is an advanced topic; please get familiar with PF on a standard routed firewall first.

--
Please keep replies on the mailing list.
Re: Firewall setup
On 15-04-2024 at 22:20, Peter N. M. Hansteen wrote:
> On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> > This gives the following error messages when booting:
> > no IP address found for igc1:network
> > /etc/pf.conf:41: could not parse host specification
> > no IP address found for igc2:network
> > /etc/pf.conf:42: could not parse host specification
>
> This sounds to me like those interfaces either do not exist or
> have not been correctly configured.
>
> Are those interfaces configured, as in do they have IP addresses?
>
> the output of ifconfig igc1 and ifconfig igc2 will show you.

Output from ifconfig igc0:
igc0: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f4
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        sratus: active

Output from ifconfig igc1:
igc1: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f5
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        sratus: active

Output from ifconfig igc2:
igc2: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f6
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier

/etc/hostname.bridge0:
add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2
up

/etc/hostname.igc0:
up

/etc/hostname.igc1:
up

/etc/hostname.igc2:
up
Re: Firewall setup
That's a possibility I hadn't thought of yet. But how do I do that, and on which page can I find that in your book?

On 15-04-2024 at 22:17, Peter N. M. Hansteen wrote:
> The other option - if your network layout is such that it makes sense to
> treat them to the same rule criteria - would be to make an interface
> group with both interfaces as members, then use the interface group name
> in your rules.
Re: Firewall setup
On 14-04-2024 at 21:57, Jens Kaiser wrote:
> Hello Karel,
>
> if you want to start simply, then I would recommend removing all macros
> from your pf.conf which are not referenced. You can add them later if
> needed. As already stated by others, there is a syntax error in macro
> martians. If there are syntax errors in pf.conf, the rules are not
> loaded at all.

These have now been resolved, see below.

> Also correct the syntax errors in the rules "Letting ping through". The
> key word "on" without an interface name, group or the keyword any looks
> incorrect. Give it a parameter or remove it.

As far as I can see there are no errors in the ping rules. The key words "on", "group" or "any" do not appear there. Moreover, I have copied these rules, except the key word "log", exactly from Peter Hansteen's book (The Book of PF), just like the rules for the martians.

> Please check your current running configuration with
>
>     pfctl -sr
>
> It prints out all currently active rules. If something behaves too
> weird, it can help to prove that the ruleset in /etc/pf.conf is the same
> as we assume to be active in the kernel. Because of the syntax errors I
> would guess that this is not true in your case.

After correcting some errors, I reloaded pf.conf and found no errors. Here I give the output of pfctl -sr:

match in all scrub (no-df max-mss 1440)
block return in all
block return in quick on igc0 inet from any to <__automatic_628bc734_1>
pass log inet proto icmp all icmp-type echoreq
pass log inet proto icmp all icmp-type echorep
pass log inet proto icmp all icmp-type unreach
pass log inet6 proto ipv6-icmp all icmp6-type echoreq
pass log inet6 proto ipv6-icmp all icmp6-type echorep
pass log inet6 proto ipv6-icmp all icmp6-type unreach
pass out all flags S/SA

/etc/pf.conf:

ext_if = igc0                   # The interface to the outside world
int_if = "{ igc1, igc2 }"       # The interfaces to the private hosts
# localnet = "192.168.2.0/24"   # Hosts on the screened LAN

# tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
# udp_services = "{ domain, ntp }"
# email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, echorep, unreach }"
icmp6_types = "{ echoreq, echorep, unreach }"
# nameservers = "{ 195.121.1.34, 195.121.1.66 }"
# client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"

# Options:
set block-policy return

set skip on lo

# Normalize packets:
match in all scrub ( no-df max-mss 1440 )

block in all                    # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log inet proto icmp icmp-type $icmp_types
pass log inet6 proto icmp6 icmp6-type $icmp6_types

pass out all
Re: Firewall setup
On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> This gives the following error messages when booting:
> no IP address found for igc1:network
> /etc/pf.conf:41: could not parse host specification
> no IP address found for igc2:network
> /etc/pf.conf:42: could not parse host specification

This sounds to me like those interfaces either do not exist or have not been correctly configured.

Are those interfaces configured, as in do they have IP addresses?

The output of ifconfig igc1 and ifconfig igc2 will show you.

--
Peter N. M. Hansteen
Re: Firewall setup
On Mon, Apr 15, 2024 at 10:01:59PM +0200, Karel Lucas wrote:
> They both give a syntax error by booting.
>
> Op 14-04-2024 om 17:45 schreef Zé Loff:
> > pass in on $int_if proto udp to port 53
> > pass in on $int_if proto udp to $nameservers port 53

You're not giving us a lot to work with here.

Off the top of my head, seeing that your int_if macro is a list of two interfaces, that may well be your problem (or one of them). The rule syntax is not really intended to deal with a list of interfaces following 'on'.

It is likely more useful to treat the two interfaces separately.

The other option - if your network layout is such that it makes sense to treat them to the same rule criteria - would be to make an interface group with both interfaces as members, then use the interface group name in your rules.

--
Peter N. M. Hansteen
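The interface-group alternative Peter mentions, written out as an added example; this is not Peter's or the thread's own configuration. It assumes igc1 and igc2 carry distinct subnets (192.168.2.1/24 and 192.168.3.1/24; two interfaces cannot share one subnet) and are both put into a group named "lan" from their hostname.if(5) files, after which one pf rule names the group instead of a list. It also explains the error seen earlier in the thread: the "igc1:network" form is expanded by pfctl from the interface's configured address when the ruleset is loaded, so on an interface with no address it fails with "no IP address found for igc1:network".

```pf
# Added example of the interface-group approach; assumed layout (not from
# the thread): igc1 = 192.168.2.1/24, igc2 = 192.168.3.1/24, both in group "lan".
#
# /etc/hostname.igc1                    /etc/hostname.igc2
#   inet 192.168.2.1 255.255.255.0        inet 192.168.3.1 255.255.255.0
#   group lan                             group lan
#
# Apply without a reboot:   sh /etc/netstart igc1 igc2
# Check membership:         ifconfig lan
# A member with no address would make "igc1:network" fail at pfctl load
# time with "no IP address found for igc1:network".

ext_if = "igc0"
lan_if = "lan"      # a group name, not a list; pf expands it to the current members

set skip on lo
# (martians table and the nat-to match rule as in a normal routed ruleset)
block log all
pass out quick inet

# Keep the two LANs apart: traffic arriving on one member for the other
# member's subnet is dropped before the pass rule below can apply.
block in quick on igc1 inet from any to 192.168.3.0/24
block in quick on igc2 inet from any to 192.168.2.0/24

# One rule for both interfaces. "lan:network" expands to the subnet of
# every member that has an address, here 192.168.2.0/24 and 192.168.3.0/24.
pass in on $lan_if inet from $lan_if:network to any
```

If the two interfaces should be treated identically this is simpler to maintain than repeating every rule for igc1 and igc2; if they should not (one of them becomes a guest or NAS segment), per-interface rules as Peter first suggests are the clearer choice.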
Re: Firewall setup
This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
/etc/pf.conf:42: could not parse host specification

On 14-04-2024 at 19:59, Peter N. M. Hansteen wrote:
> On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> > Hi all,
> >
> > Everything about PF is all very confusing to me at the moment, so any
> > help is appreciated. So let's start simple and then proceed step by step.
> > I want to continue with ping so that I can test the connection to the
> > internet. This works: ping -c 10 195.121.1.34. But this doesn't work:
> > ping -c 10 www.apple.com. As others have stated, I have a problem with
> > using DNS servers on the internet. The PF ruleset needs to be adjusted
> > for this, but it is still not clear to me how to do that. What else do
> > I need to get ping to work correctly? To get started simply, I created
> > a new pf.conf file, see below.
>
> I'd put this somewhere after your block rules:
>
> pass inet proto { tcp, udp } from igc1:network to port $client_out
> pass inet proto { tcp, udp } from igc2:network to port $client_out
>
> - that way you will actually use the macro. But the macro still
> references the invalid service nportntp (you probably want ntp instead),
> and I would think that the services "446, cvspserver, 2628, 5999, 8000,
> 8080" are unlikely to be useful unless you *know* you need to pass
> traffic for those.
Re: Firewall setup
They both give a syntax error on booting.

On 14-04-2024 at 17:45, Zé Loff wrote:
> pass in on $int_if proto udp to port 53
> pass in on $int_if proto udp to $nameservers port 53
Re: Firewall setup
I'm a long-time network engineer/firewall admin/make things work on our network when it is broken.

First, ICMP Echo Request ("ping") works; you proved that when you sent an Echo Request to a host using its IP address. The fact that DNS host resolution fails has nothing to do with ICMP Echo Request. You WILL want to get DNS name resolution working in order to use hostnames, unless you want to keep everything in a static hosts file.

In order to create a functioning firewall you need a good understanding of TCP/IP ports and protocols. To see what I'm talking about, do an Internet search for "5 tuple firewall". You will need this knowledge for any system using a stateful firewall, not just PF.

Others are trying to help you write a functioning PF conf; however, I think you need to learn how to fish before embarking on a deep sea fishing excursion.

73
diana

On April 14, 2024 9:09:01 AM MDT, Karel Lucas wrote:
>Hi all,
>
>Everything about PF is all very confusing to me at the moment, so any help is
>appreciated. So let's start simple and then proceed step by step. I want to
>continue with ping so that I can test the connection to the internet. This
>works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
>www.apple.com. As others have stated, I have a problem with using DNS servers
>on the internet. The PF ruleset needs to be adjusted for this, but it is still
>not clear to me how to do that. What else do I need to get ping to work
>correctly? To get started simply, I created a new pf.conf file, see below.
>
>
>/etc/pf.conf:
>
>ext_if = igc0 # The interface to the outside world
>int_if = "{ igc1, igc2 }" # The interfaces to the private hosts
>localnet = "192.168.2.0/24" # Hosts on the screened LAN
>
>tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
>udp_services = "{ domain, ntp }"
>email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
>icmp_types = "{ echoreq, unreach }"
>icmp6_types = "{ echoreq, unreach }"
>nameservers = "{ 195.121.1.34, 195.121.1.66 }"
>client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
> 446, cvspserver, 2628, 5999, 8000, 8080 }"
>martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
> 0.0.0.0/8, 240.0.0.0/4 }"
>
># Options:
>set block-policy return
>
>set skip on lo
>
>block log all # block stateless traffic
>
># Normalize packets:
>match in all scrub ( no-df max-mss 1440 )
>
>block in quick on $ext_if from $martians to any
>block out quick on $ext_if from any to $martians
>
># Letting ping through:
>pass log on inet proto icmp icmp-type $icmp_types
>pass log on inet6 proto icmp6 icmp6-type $icmp6_types
>
>pass out all
>
>
Re: Firewall setup
> On Apr 14, 2024, at 08:09, Karel Lucas wrote:
>
> Hi all,

Hi.

> So let's start simple and then proceed step by step. I want to continue with ping so that I can test the connection to the internet. This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others have stated, I have a problem with using DNS servers on the internet.

Does DNS resolution work without PF being enabled?

If you want to “start simple”, don’t enable PF (or disable it, or use the default ruleset that OpenBSD ships with) and make sure everything works.

Sean
Re: Firewall setup
Hello Karel,

if you want to start simply, then I would recommend to remove all macros from your pf.conf which are not referenced. You can add them later if needed.

As already stated by others, there is a syntax error in macro martians. If there are syntax errors in pf.conf, the rules are not loaded at all.

Also correct the syntax errors in the rules "Letting ping through". The key word "on" without interface name, -group or keyword any looks incorrect. Give it a parameter or remove it.

After changing pf.conf, first check it with

    pfctl -nf /etc/pf.conf

before loading it. If no errors occur, simply update the ruleset in the kernel with

    pfctl -f /etc/pf.conf

and test your changes. Keep in mind that reloading the ruleset does not affect the states of already established connections.

Please check your current running configuration with

    pfctl -sr

It prints out all currently active rules. If something behaves too weird, it can help to prove that the ruleset in /etc/pf.conf is the same as we assume to be active in the kernel. Because of the syntax errors I would guess that this is not true in your case.

Try to get IPv4 running first. If that goal is reached you have more experience and can go further adding IPv6, which is different in case of ICMP. If you don't have a static IPv6 address configuration, then the rules in your pf.conf are far too restrictive to get an autoconfigured IPv6 address, managed (DHCP6) or not (SLAAC).

Jens

On 14.04.2024 at 17:09, Karel Lucas wrote:
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help is appreciated. So let's start simple and then proceed step by step. I want to continue with ping so that I can test the connection to the internet. This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others have stated, I have a problem with using DNS servers on the internet. The PF ruleset needs to be adjusted for this, but it is still not clear to me how to do that. What else do I need to get ping to work correctly? To get started simply, I created a new pf.conf file, see below.
>
> /etc/pf.conf:
>
> ext_if = igc0                 # The interface to the outside world
> int_if = "{ igc1, igc2 }"     # The interfaces to the private hosts
> localnet = "192.168.2.0/24"   # Hosts on the screened LAN
>
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>               10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>               0.0.0.0/8, 240.0.0.0/4 }"
>
> # Options:
> set block-policy return
>
> set skip on lo
>
> block log all                 # block stateless traffic
>
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
>
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
>
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
>
> pass out all
Re: Firewall setup
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help is appreciated. So let's start simple and then proceed step by step. I want to continue with ping so that I can test the connection to the internet. This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others have stated, I have a problem with using DNS servers on the internet. The PF ruleset needs to be adjusted for this, but it is still not clear to me how to do that. What else do I need to get ping to work correctly? To get started simply, I created a new pf.conf file, see below.

I'd put this somewhere after your block rules:

pass inet proto { tcp, udp } from igc1:network to port $client_out
pass inet proto { tcp, udp } from igc2:network to port $client_out

- that way you will actually use the macro. But the macro still references the invalid service nportntp (you probably want ntp instead), and I would think that the services "446, cvspserver, 2628, 5999, 8000, 8080" are unlikely to be useful unless you *know* you need to pass traffic for those.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Firewall setup
There is a typo on the second line of the martians definition (spurious comma and space).

Michael

> On Apr 14, 2024, at 11:09, Karel Lucas wrote:
>
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help is appreciated. So let's start simple and then proceed step by step. I want to continue with ping so that I can test the connection to the internet. This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others have stated, I have a problem with using DNS servers on the internet. The PF ruleset needs to be adjusted for this, but it is still not clear to me how to do that. What else do I need to get ping to work correctly? To get started simply, I created a new pf.conf file, see below.
>
>
> /etc/pf.conf:
>
> ext_if = igc0                 # The interface to the outside world
> int_if = "{ igc1, igc2 }"     # The interfaces to the private hosts
> localnet = "192.168.2.0/24"   # Hosts on the screened LAN
>
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>               10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>               0.0.0.0/8, 240.0.0.0/4 }"
>
> # Options:
> set block-policy return
>
> set skip on lo
>
> block log all                 # block stateless traffic
>
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
>
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
>
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
>
> pass out all
Re: Firewall setup
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help is appreciated. So let's start simple and then proceed step by step. I want to continue with ping so that I can test the connection to the internet. This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others have stated, I have a problem with using DNS servers on the internet. The PF ruleset needs to be adjusted for this, but it is still not clear to me how to do that. What else do I need to get ping to work correctly?

You are blocking everything by default, with the "block log all" on top of your ruleset. This means that _everything_ needs to be explicitly allowed in and out of your firewall. If you want to resolve hostnames, you need to allow DNS requests (i.e. traffic _to_ UDP port 53) to enter and leave the firewall. So if a machine on your LAN needs to make a DNS request, you need something like

pass in on $int_if proto udp to port 53

You have a $nameservers macro, which suggests you want to allow traffic to only those two, so you could rewrite the above rule as

pass in on $int_if proto udp to $nameservers port 53

But then you need to make sure every machine on your LAN uses those IPs as resolvers, otherwise they'll try to query other DNS servers and fail.

As I said on a reply to your other thread, you will probably need to use NAT on your egress traffic.

I personally prefer to keep the most general rules at the top, and then to the specifics, so I would move "pass out all" next to "block log all", but it's a matter of taste.

> To get started simply, I created a new pf.conf file, see below.
>
>
> /etc/pf.conf:
>
> ext_if = igc0                 # The interface to the outside world
> int_if = "{ igc1, igc2 }"     # The interfaces to the private hosts
> localnet = "192.168.2.0/24"   # Hosts on the screened LAN
>
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>               10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>               0.0.0.0/8, 240.0.0.0/4 }"
>
> # Options:
> set block-policy return
>
> set skip on lo
>
> block log all                 # block stateless traffic
>
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
>
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
>
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
>
> pass out all
>
> --
Firewall setup
Hi all,

Everything about PF is all very confusing to me at the moment, so any help is appreciated. So let's start simple and then proceed step by step. I want to continue with ping so that I can test the connection to the internet. This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others have stated, I have a problem with using DNS servers on the internet. The PF ruleset needs to be adjusted for this, but it is still not clear to me how to do that. What else do I need to get ping to work correctly? To get started simply, I created a new pf.conf file, see below.

/etc/pf.conf:

ext_if = igc0                 # The interface to the outside world
int_if = "{ igc1, igc2 }"     # The interfaces to the private hosts
localnet = "192.168.2.0/24"   # Hosts on the screened LAN

tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
               446, cvspserver, 2628, 5999, 8000, 8080 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"

# Options:
set block-policy return

set skip on lo

block log all                 # block stateless traffic

# Normalize packets:
match in all scrub ( no-df max-mss 1440 )

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

pass out all
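As an added example (not code from the thread), a small Python lint that catches, before `pfctl -nf` is even run, the problems the replies point at in this ruleset: the garbled network list in the martians macro, the non-existent service nportntp in client_out, "on" with no interface in the ping rules, and igc1:network / igc2:network host specs that cannot resolve at boot while those interfaces have no address. The service table and the set of interfaces that already carry an address are constructed assumptions.

```python
"""Lint a pf.conf macro section before handing the file to pfctl -nf.

Added example, not code from the thread. It flags the problems the replies
point at: garbled networks in the martians macro, service names absent from
/etc/services (nportntp), "on" with no interface, and ifname:network specs
that only resolve once that interface has an address.
"""
import ipaddress
import re

# Constructed subset of /etc/services names; the real file is authoritative.
SERVICES = {"ssh", "domain", "pop3", "pop3s", "auth", "ntp", "http", "https",
            "www", "smtp", "imap", "imaps", "imap3", "cvspserver"}
MACRO_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*)$")
IFNET_RE = re.compile(r"\b([a-z]+\d+):network\b")
ON_RE = re.compile(r"\bon\s+(?:inet6?|proto)\b")

# Excerpt of the ruleset posted in the thread (raw string keeps the backslashes).
PF_CONF = r"""ext_if = igc0
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
               446, cvspserver, 2628, 5999, 8000, 8080 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"
block log all
block in quick on $ext_if from $martians to any
pass log on inet proto icmp icmp-type $icmp_types
pass inet proto { tcp, udp } from igc1:network to port $client_out
pass inet proto { tcp, udp } from igc2:network to port $client_out
"""

def parse_macros(text):
    """Return {name: [tokens]}, joining backslash continuations, dropping comments."""
    macros = {}
    for line in re.sub(r"\\\n", " ", text).splitlines():
        m = MACRO_RE.match(line.split("#", 1)[0])
        if m:
            value = m.group(2).strip().strip('"').strip("{} ")
            macros[m.group(1)] = [t.strip() for t in value.split(",") if t.strip()]
    return macros

def bad_networks(tokens):
    """Tokens that do not parse as an IPv4/IPv6 address or CIDR prefix."""
    bad = []
    for t in tokens:
        try:
            ipaddress.ip_network(t, strict=False)
        except ValueError:
            bad.append(t)
    return bad

def unknown_services(tokens, services=SERVICES):
    """Tokens that are neither numeric ports nor known service names."""
    return [t for t in tokens if not t.isdigit() and t not in services]

def unresolvable_ifnets(text, configured):
    """ifname:network specs whose interface has no address yet (fails at boot)."""
    return sorted({i for i in IFNET_RE.findall(text) if i not in configured})

def dangling_on(text):
    """Line numbers where 'on' is followed by an address family or proto, not an interface."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if ON_RE.search(line.split("#", 1)[0])]

def lint(text, configured=frozenset()):
    """Run every check; an empty dict means nothing to report."""
    macros, findings = parse_macros(text), {}
    for name in ("martians", "nameservers", "localnet"):
        if bad := bad_networks(macros.get(name, [])):
            findings[name] = bad
    for name in ("tcp_services", "udp_services", "email", "client_out"):
        if bad := unknown_services(macros.get(name, [])):
            findings[name] = bad
    if ifnets := unresolvable_ifnets(text, configured):
        findings["ifname:network"] = ifnets
    if lines := dangling_on(text):
        findings["on without interface"] = lines
    return findings

if __name__ == "__main__":
    # Assumption (constructed): only igc0 has an address when pf.conf is loaded.
    for key, value in lint(PF_CONF, configured={"igc0"}).items():
        print(f"{key}: {value}")
```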
active-active firewall setup
I've successfully set up a pair of 4.7-current obsd load balanced firewall/routers. I'd like some clarification on the manual page of carp(4).

from carp(4):

    If IP balancing is being used on a firewall, it is recommended to
    configure the carpnodes in a symmetrical manner. This is achieved by
    simply using the same carpnodes list on all sides of the firewall.

Does the manual mean

(A)
(fw1-carp0) 1:0,2:100 - 1:100,2:0 (fw2-carp0)
(fw1-carp1) 3:0,4:100 - 3:100,4:0 (fw2-carp1)

or

(B)
(fw1-carp0) 1:0,2:100 - 1:0,2:100 (fw2-carp0)
(fw1-carp1) 3:0,4:100 - 3:0,4:100 (fw2-carp1)

It seems to me that the manual is referring to the (B) pattern. However for me only the (A) pattern works. Just to be sure that I'm not doing something wrong here which works by accident.

I'm using ip-stealth. There is a window of time, when one of the firewalls boots, where the Virtual MAC address appears on the switch. When it times out (I've set 60 seconds on the switch) it does not appear again and everything works. Is there a way I can prevent this or does it have to do with the switch? It's an HP 2810-48G.

There might also be a chance of ip-unicast to work but my inner test client/router has problem with that. The outer interfaces work fine. This way I see 4 VMACs on the switch which stay there (2 of them are mystery cause they do not appear in any of the firewalls). Which setup (unicast vs stealth) do you use for Cisco's and HP switches?

And last, how do your firewalls themselves access the internet (cvs updates) or have internal DNS. It seems only one of the two (at the same time) can access the internet (direct) which seems logical. Do you create some sort of access VLAN for DNS? I could do the DNS (internal) that way, but if the obsd take my outer IP then how could both of them access internet?

regards,
Giannis
Re: Routing errors in dual pf/carp firewall setup (no route to host)
On 11/9/06, Chad M Stewart [EMAIL PROTECTED] wrote:
> Can you send the output of netstat -rn? Maybe that'll help myself and others a little more.
>
> -Chad

Of course - sorry I forgot to do this in the first place.

Looking at this output it's clear I need to add some routes - but I don't know what to add or where to add it. Also, the networks my CARP interfaces sit on don't seem to be visible (carp0 is on a different subnet than the fxp0 interfaces (the carpdevs) on the firewalls).

It seems clear that I need some sort of a default route so that information to the internet is passed out via carp0 on fxp0 on each server from the 1.2.3.102 CARP IP to the ISP's gateway at 1.2.3.101. I also need routes to carry information out on fxp1 on each server to the shared internal carp1 interface (5.6.7.249), and then to my router at 5.6.7.250, so that it can route the traffic out to 5.6.7.0/26 and 5.6.7.64/27. I know that the router is not required, but I need it for non-technical reasons (read: managers.)

What should I have in the /etc/mygate file? Should I have anything? What routes do I need to add, and what file do I add them to so that they persist when the router restarts?

I've included the original email I sent to misc@ after the output of 'netstat -rn', so that the addresses make sense.

Thanks for your help - it is greatly appreciated!

fw1: netstat -rn
Routing tables

Internet:
Destination                    Gateway            Flags  Refs  Use  Mtu    Interface
10.10.10/24                    link#1             UC     0     0    -      xl0
10.20.20/24                    link#2             UC     0     0    -      fxp0
127/8                          127.0.0.1          UGRS   0     0    33224  lo0
127.0.0.1                      127.0.0.1          UH     1     0    33224  lo0
5.6.7.248/29                   link#3             UC     0     0    -      fxp1
224/4                          127.0.0.1          URS    0     0    33224  lo0

Internet6:
Destination                    Gateway            Flags  Refs  Use  Mtu    Interface
::/104                         ::1                UGRS   0     0    -      lo0
::/96                          ::1                UGRS   0     0    -      lo0
::1                            ::1                UH     12    0    33224  lo0
::127.0.0.0/104                ::1                UGRS   0     0    -      lo0
::224.0.0.0/100                ::1                UGRS   0     0    -      lo0
::255.0.0.0/104                ::1                UGRS   0     0    -      lo0
:::0.0.0.0/96                  ::1                UGRS   0     0    -      lo0
2002::/24                      ::1                UGRS   0     0    -      lo0
2002:7f00::/24                 ::1                UGRS   0     0    -      lo0
2002:e000::/20                 ::1                UGRS   0     0    -      lo0
2002:ff00::/24                 ::1                UGRS   0     0    -      lo0
fe80::/10                      ::1                UGRS   0     0    -      lo0
fe80::%xl0/64                  link#1             UC     0     0    -      xl0
fe80::201:2ff:feed:c128%xl0    00:01:02:ed:c1:28  UHL    0     0    -      lo0
fe80::%fxp0/64                 link#2             UC     0     0    -      fxp0
fe80::202:55ff:fefa:a298%fxp0  00:02:55:fa:a2:98  UHL    0     0    -      lo0
fe80::%fxp1/64                 link#3             UC     0     0    -      fxp1
fe80::202:55ff:fefa:a299%fxp1  00:02:55:fa:a2:99  UHL    0     0    -      lo0
fe80::%lo0/64                  fe80::1%lo0        U      0     0    -      lo0
fe80::1%lo0                    link#7             UHL    0     0    -      lo0
fec0::/10                      ::1                UGRS   0     0    -      lo0
ff01::/32                      ::1                UC     0     0    -      lo0
ff02::%xl0/32                  link#1             UC     0     0    -      xl0
ff02::%fxp0/32                 link#2             UC     0     0    -      fxp0
ff02::%fxp1/32                 link#3             UC     0     0    -      fxp1
ff02::%lo0/32                  ::1                UC     0     0    -      lo0

fw2: netstat -rn
Routing tables

Internet:
Destination                    Gateway            Flags  Refs  Use  Mtu    Interface
10.10.10/24                    link#1             UC     0     0    -      xl0
10.20.20/24                    link#2             UC     0     0    -      fxp0
127/8                          127.0.0.1          UGRS   0
Re: Routing errors in dual pf/carp firewall setup (no route to host)
Can you send the output of netstat -rn? Maybe that'll help myself and others a little more. -Chad
Routing errors in dual pf/carp firewall setup (no route to host)
Good day all,

I have read all available documentation, but can not seem to find the solution to my problem. If anyone has any advice, or can point me towards a good resource, it would be appreciated. I am sorry if the answer is obvious and I have missed it.

Where I work we have a small network (class C) which has always been subnetted by our Cisco 2621 router. While I am not able to replace the Cisco router for non-technical reasons, I am able to install a pair of OpenBSD 4.0 boxes to act as redundant firewalls. The setup of carp, pfsync and pf was simple enough thanks to the excellent documentation, however I am encountering routing errors with my current setup, and would appreciate some help.

Here's a brief diagram of my network.

                      Internet
                         |
               ISP Router: 1.2.3.101
                         |
                 carp0: 1.2.3.102
                /                 \
    fw1                              fw2
    fxp0: 10.20.20.100               fxp0: 10.20.20.200
    fxp1: 5.6.7.251                  fxp1: 5.6.7.252
    xl0:  10.10.10.100 --pfsync0--   xl0:  10.10.10.200
                     (10.10.10.0/24)
                \                 /
                 carp1: 5.6.7.249
                         |
             Local Router (2621)
             External: 5.6.7.250
             Internal: 5.6.7.1/26
             Internal: 5.6.7.64/27

Our ISP provides us with our own class C network, 5.6.7.0/24 for the purpose of this explanation. Our ISP routes our class C to us down a /30 - we'll call it 1.2.3.100/30. Our Cisco 2621's external interface was previously set to 1.2.3.102, and it was able to route our class C, which was subnetted into two chunks - 5.6.7.0/26 and 5.6.7.64/27. I partitioned a new chunk of the class C for the internal IPs of the firewalls, 5.6.7.248/29.

I set all of this up, created a pair of 3 port vlans (one for each carp interface) and powered it up. Everything seems to work, except for I get routing errors - ie, no route to host. I can't even seem to ping across the 10.10.10.0/24 network (which is just a simple crossover cable between the firewalls).

Here is the output of all relevant configuration files. I am unsure about what the contents of mygate should be. I'm also pretty sure I need some route add statements, but I don't know what they should be or where to put them. Once again, if anyone can help it would be greatly appreciated. Thanks!

fw1: hostname.fxp0
inet 10.20.20.100 255.255.255.0 NONE

fw1: hostname.fxp1
inet 5.6.7.251 255.255.255.248 NONE

fw1: hostname.xl0
inet 10.10.10.100 255.255.255.0 NONE

fw1: hostname.pfsync0
up syncdev xl0

fw1: hostname.carp0
inet 1.2.3.102 255.255.255.252 vhid 1 carpdev fxp0 pass **

fw1: hostname.carp1
inet 5.6.7.249 255.255.255.248 vhid 2 carpdev fxp1 pass **

fw1: mygate
1.2.3.101

fw1: pf.conf
ExtIf = fxp0
IntIf = fxp1
SyncIf = xl0
pass on $SyncIf proto pfsync
pass out on $ExtIf proto carp keep state
pass out on $IntIf proto carp keep state
pass in all
pass out all

fw1: sysctl.conf
-- snip --
net.inet.ip.forwarding=1
-- snip --

fw1: rc.conf
-- snip --
pf=YES
pf_rules=/etc/pf.conf
-- snip --

fw2: hostname.fxp0
inet 10.20.20.200 255.255.255.0 NONE

fw2: hostname.fxp1
inet 5.6.7.252 255.255.255.248 NONE

fw2: hostname.xl0
inet 10.10.10.200 255.255.255.0 NONE

fw2: hostname.pfsync0
up syncdev xl0

fw2: hostname.carp0
inet 1.2.3.102 255.255.255.252 vhid 1 carpdev fxp0 pass **

fw2: hostname.carp1
inet 5.6.7.249 255.255.255.248 vhid 2 carpdev fxp1 pass **

fw2: mygate
1.2.3.101

fw2: pf.conf
ExtIf = fxp0
IntIf = fxp1
SyncIf = xl0
pass on $SyncIf proto pfsync
pass out on $ExtIf proto carp keep state
pass out on $IntIf proto carp keep state
pass in all
pass out all

fw2: sysctl.conf
-- snip --
net.inet.ip.forwarding=1
-- snip --

fw2: rc.conf
fault tolerant bridging firewall setup
I'm attempting to get a bridging firewall setup going... with two servers rigged as a fault tolerant pair. CARP of course won't work in this setup... as I'm not sharing an IP. So... I'm using spanning tree protocol.

so... graphically:

                  Firewall A
                 /          \
    Host -- switch          switch -- Internet
                 \          /
                  Firewall B

I'm using pfsync between A B on a dedicated interface... and when I have pf enabled on both, I do see the states synchronized. But for now I have pf disabled as I'm having a problem I haven't been able to put my finger on yet.

If I start a ping on Host, the pings are going through A, as spanning tree has the internet side port on B in blocking state. pings are happening fine. Now I pull the ethernet from A to the internet... pings stop of course... I can watch host B (via brconfig) go from blocking to listening, to learning, to forwarding. Block for 20 or so seconds, then listening for 15 or so seconds, then learning for 15 or so seconds... then forwarding.

Once forwarding is working, I can use a different virtual console on the host to ping a different host.. that's working fine. BUT the original ping still doesn't begin responding again (or a separate new ping to the same IP) for 7 minutes. Since the address learning (which when things recover I can see changes) had a 4 minute timeout I thought it would be that... but shortening it, or adding -learn to the two bridge interfaces on the two firewalls doesn't help.

The switchover time can be made faster... by power cycling the two switches on each side of the firewall pairs after the interface goes into forward. This drops the switchover time to about 1.5 minutes. Even tcpdump -i internal interface on the B firewall won't show the pings...

Part of this is the layer 2 learning that is going on in the two switches... currently for staging these are two non managed switches. In production the firewalls will bridge two VLANs on a large Cisco switch. And the current plan was to have spanning tree turned off on the Cisco switch... letting the firewalls manage spanning tree amongst themselves.

7 minutes is not an acceptable failover time for existing connections.

Anyone ever do anything like this before ? I'm guessing that some custom configuration is going to be required on the Cisco switch ports to decrease this switchover time to something more acceptable... More host tuning/etc may be required as well..

So.. here's the config info...

fxp0 has an IP
fxp1 has no IP
the bridge is fxp0 and fxp1, and here is the contents of the bridgename.bridge0 file:

on Firewall A:
blocknonip fxp0
blocknonip fxp1
add fxp0
add fxp1
ifpriority fxp0 2
ifpriority fxp1 4
ifcost fxp0 2
ifcost fxp1 2
stp fxp0
stp fxp1
timeout 30
up

on Firewall B:
blocknonip fxp0
blocknonip fxp1
add fxp0
add fxp1
ifpriority fxp0 2
ifproirity fxp1 4
ifcost fxp0 2
ifcost fxp1 2
stp fxp0
stp fxp1
timeout 30
up

Any suggestions ? Can this be made to work, or do I have to move to a routed firewall configuration and use CARP/PFSYNC ?? (wanted bridged firewalls for the 'transparency' and relative ease of insertion into an existing network.

Thanks,
--
Curt