pfstat queries

2004-04-14 Thread Russell Fulton
Hi,
are there any docs that describe which number is which in the output
from pfstat -q?

I observe that most are zero and when I try and plot the byte counts
etc. they come out as zeros.  

What do I have to do to get these stats?

-- 
Russell Fulton                /~\  The ASCII
Network Security Officer      \ /  Ribbon Campaign
The University of Auckland     X   Against HTML
New Zealand                   / \  Email!



Re: pfstat queries

2004-04-14 Thread Daniel Hartmeier
On Wed, Apr 14, 2004 at 02:56:25PM +1200, Russell Fulton wrote:

> are there any docs that describe which number is which in the output
> from pfstat -q?

The numbers are the same ones that pfctl -si prints; it should become
obvious when you compare the two, but see below.

> I observe that most are zero and when I try and plot the byte counts
> etc. they come out as zeros.
>
> What do I have to do to get these stats?

You probably didn't use 'set loginterface' to specify what interface to
gather the counters for. In that case, the counters remain zero, and
pfctl -si omits the interface specific part of the output. Add the 'set
loginterface' option to pf.conf and try again. Let it run for a couple
of minutes, then re-run pfctl -si and pfstat -q, and compare outputs.
Should make clear what each number of pfstat -q output refers to, if
not, ask again :)

Daniel


carp / ip aliases

2004-04-14 Thread Tobias Wigand
hi,

i am thinking of replacing my single firewall setup with a failover
pair using carp/pfsync. right now it's one box with 3 nics
(internal/external/dmz). i am natting the dmz hosts on the external
interface 1:1, thus have a lot of ip aliases on the external interface.
so, is it possible to give the carp interface aliases? if it is, what's
the syntax?

cheers
tobias


Re: carp / ip aliases

2004-04-14 Thread Ryan McBride
On Wed, Apr 14, 2004 at 09:34:06AM +0200, Tobias Wigand wrote:
> i am thinking of replacing my single firewall setup with a failover
> pair using carp/pfsync. right now it's one box with 3 nics
> (internal/external/dmz). i am natting the dmz hosts on the external
> interface 1:1, thus have a lot of ip aliases on the external interface.
> so, is it possible to give the carp interface aliases? if it is, what's
> the syntax?

Yes, just add them as if the carp interface was your physical interface.

/etc/hostname.carp0:
inet 192.168.6.1 255.255.255.0
inet alias 192.168.6.2 255.255.255.0
inet alias 192.168.6.3 255.255.255.0
inet alias 192.168.6.4 255.255.255.0


synflood defenses

2004-04-14 Thread Russell Fulton
Hi All,
We have recently had a few outbound synfloods (from machines infected
by one of the numerous 'bots').  An unfortunate side effect of this is
that the state tables in pf eventually fill up and no legit new
connections are accepted.

I currently have 'set optimization conservative' and I am guessing that
this is not helping.

I have also looked at the synproxy state setting, but as I understand it
this protects end hosts from synfloods and will have no effect on the
state table usage.

I have lots of memory on the firewalls and one thing that has occurred
to me is that I could set the state table size much higher and have a
monitor that pages someone when it goes above some reasonable limit.

Another possibility is to tweak set timeout tcp.opening, what would be a
reasonable value? -- the default seems to be 15 minutes.

Hmm... would be nice to have this setting depend on the number of
current states -- i.e. we time out non established sessions more
aggressively when the state table is nearly full. There does not seem to
be any way of modifying the timeouts on the fly, i.e. with pfctl so I
can't do this from a script.

Any other suggestions?  (Please tell me I've missed the obvious again ;)

I really need that book!  (yes it is on order and amazon say they have
shipped it). 
-- 
Russell Fulton                /~\  The ASCII
Network Security Officer      \ /  Ribbon Campaign
The University of Auckland     X   Against HTML
New Zealand                   / \  Email!
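The state-table monitor Russell proposes above (page someone when the count crosses a limit), as an added example that is not from the thread: it parses the "current entries" line of pfctl -si. The function names, the threshold and the pfctl -si sample text are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Monitors the pf state table
# by parsing `pfctl -si` and flags when the count nears a chosen limit.
# state_count, check_states, the 10000 threshold and the sample output
# below are assumptions/constructed values for this illustration.

# Constructed sample of the relevant part of `pfctl -si` output.
SAMPLE_PFCTL_SI='Status: Enabled for 0 days 01:12:09           Debug: Urgent

State Table                          Total             Rate
  current entries                     8423
  searches                         1524812           351.2/s
  inserts                            73021            16.8/s
  removals                           64598            14.9/s'

# Read pfctl -si text on stdin and print the number of current states.
state_count() {
    awk '/^ *current entries/ { print $3; exit }'
}

# Compare a state count with a limit. Prints a one-line status and
# returns 1 on alert, so cron or a pager hook can act on the exit code.
check_states() {
    count=$1
    limit=$2
    if [ "$count" -ge "$limit" ]; then
        echo "alert: $count states (limit $limit)"
        return 1
    fi
    echo "ok: $count states (limit $limit)"
    return 0
}

# Live use would be:  pfctl -si | state_count
# Here the constructed sample stands in for the live output.
n=$(printf '%s\n' "$SAMPLE_PFCTL_SI" | state_count)
check_states "$n" 10000
```

The limit should sit well below whatever `set limit states` is configured to, so the alert arrives while legitimate connections are still being accepted.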



more questions on timeouts

2004-04-14 Thread Russell Fulton
quoting pf.conf(5):
   tcp.first
 The state after the first packet.
   tcp.opening
 The state before the destination host ever sends a packet.

I must be thick because I don't get the distinction between these two states.

Does it work this way?

src sends SYN = tcp.first
dst sends SYN+ACK = tcp.opening
src sends ACK+data = tcp.established

which seems logical to me.

If so then it is not clear from the manpage.

I.e which timeout should I tweak to protect against synfloods?

An hour seems way too long to keep state for a SYN.

-- 
Russell Fulton                /~\  The ASCII
Network Security Officer      \ /  Ribbon Campaign
The University of Auckland     X   Against HTML
New Zealand                   / \  Email!



problems with altq.

2004-04-14 Thread Maxime Labelle
Hi,

altq is just not working with these rules:

altq on $OUT bandwidth 100% cbq queue { qo_def, qo_limit }
 queue qo_def cbq(default)
 queue qo_limit bandwidth 150Kb
altq on $IN bandwidth 100% cbq queue { qi_def, qi_limit }
 queue qi_def cbq(default)
 queue qi_limit bandwidth 150Kb
pass out quick on $IN inet proto {tcp,udp} from any to any port 1024 
keep state queue qi_limit
pass out quick on $OUT inet proto {tcp,udp} from any to any port 1024 
keep state queue qo_limit

It must be a syntax problem but I just can't figure out where!
AND
Stats shows that the packets are being queued but I can download/upload 
at speeds way higher than 150Kbits/s. ugh?

:)

--
Maxime Labelle - [EMAIL PROTECTED]


viewing an anchor's table

2004-04-14 Thread matthew zeier

Can't seem to figure out how to view an anchor's tables.

I have:

anchor zeier
load anchor zeier:default from /opt/pf/zeier.pf


And zeier.pf has:

table <zeier-hosts> {   \
207.38.45.0/29  \
}


caf4# pfctl -a zeier -sT
zeier-hosts

caf4# pfctl -a zeier -t zeier-hosts -Ts
pfctl: Table does not exist.


What's the right syntax?


--
matthew zeier, Sr. Network Engineer  | Nothing in life is to be feared.  
InteleNet Communications, Inc.   |  It is only to be understood.
(949) 784-7904   |   - Marie Curie