Re: NAT (interface) = round-robin between IPv4/IPv6 addresses?
On Friday 04 January 2008 12:17, Henning Brauer wrote:
> > I noticed that with the following NAT rule:
> >
> >     nat on sis1 from 10.2.2.0/28 to any -> (sis1) static-port
> >
> > I get the following output:
> >
> >     # pfctl -sn
> >     nat on sis1 inet from 10.2.2.0/28 to any -> (sis1) round-robin static-port
> >
> > My question is simple: is that round-robin actually used? If it really
> > means that PF sees 2 or more IPs, what are these IPs?
>
> it just says that pf will do round robin _if_ there is more than one ip.

The problem is that I actually see two IPs: one IPv4 and one IPv6. Would pf
do round robin using one IPv4 and one IPv6?

At the moment I solved it this way:

    nat on sis1 from 10.2.2.0/28 to any -> (sis1:0) static-port

I get the following output:

    # pfctl -sn
    nat on sis1 inet from 10.2.2.0/28 to any -> (sis1:0) static-port
NAT (interface) = round-robin between IPv4/IPv6 addresses?
Happy new year everybody, I have a quick question. I am using OpenBSD 4.2-stable.

I noticed that with the following NAT rule:

    nat on sis1 from 10.2.2.0/28 to any -> (sis1) static-port

I get the following output:

    # pfctl -sn
    nat on sis1 inet from 10.2.2.0/28 to any -> (sis1) round-robin static-port

This is the interface:

    sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr xx:xx:xx:xx:xx:xx
            groups: egress
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet6 ::xxx:::xxx%sis1 prefixlen 64 scopeid 0x2
            inet zz.zz.zz.zz netmask 0xff00 broadcast zz.zz.zz.zzz

My question is simple: is that round-robin actually used? If it really means
that PF sees 2 or more IPs, what are these IPs?

Thanks.
idea // shaping *download* bandwidth
Hello, in January I had an idea to shape download bandwidth, and I exchanged
some emails with various developers (Mike Frantzen, for example).

People ask how to limit *download* bandwidth without dropping packets that
have already passed through the pipe to the firewall itself. The point is
limiting the data sent by the sender.

I think we could take advantage of the existing feature that Daniel added to
prioritize ACKs, and work on those ACKs based on sequence numbers. These
numbers are strictly related to the data received by the receiver, so by
acting on them we should be able to limit (reduce) the number of pps sent by
the sender. So, in the end, dropping ACKs from the receiver instead of
dropping data from the sender. This would happen locally without saturating
the (expensive) pipe to the internet.

How does it sound?
Re: idea // shaping *download* bandwidth
On Tuesday 02 May 2006 14:24, Terje Elde wrote:
> If you drop the ACKs, there'll be a retransmit anyway. So the only thing
> you'd really change is that the TCP packet would arrive a little bit sooner,
> which could make a minor (probably not noticeable) difference for
> interactive stuff, such as SSH. Then again, ssh isn't really what you're
> likely to throttle anyway.

You play with the window size too...
Re: PF, Bridge, and IP on bridged interface [more]
On Tuesday 15 March 2005 12:19, Henning Brauer wrote:
> > So, I guess that leaves the question, can one change the ethernet address
> > of a NIC with ifconfig on OpenBSD?
>
> no. Yet.

http://marc.theaimsgroup.com/?l=openbsd-tech&m=111073781926839&w=2
Re: pf port knocking
On Friday 17 December 2004 15:45, Roy Morris wrote:
> change your ssh port to like 30222 or something ..

That's dumb. Choose a port < 1024.
Re: pf port knocking
On Friday 17 December 2004 06:11, A wrote:
> Further, jasper is the only machine that is externally accessible via SSH
> (the only other open ports are domain, web and mail on other servers). I
> need to leave SSH open as a number of people work remotely and tunnel
> through it to some of the services on the internal network.

Try to reduce the access with options like OS fingerprinting, src IP and
src port.
FIN_WAIT_2:FIN_WAIT_2
Hi, playing with pftop and src-track I discovered that every connection from
my home network to my OpenBSD 3.5-stable server on the internet doesn't get
closed. PF always shows the FIN_WAIT_2:FIN_WAIT_2 status. This means that if
I use telnet to any open port and then I close the connection PF will keep
the connection in FIN_WAIT_2 status until the time limit expires. This is a
behaviour that you don't notice without the src-track option because the
server will keep accepting new connections...

I tried multiple programs (telnet, mail clients and various browsers) from
both FreeBSD and OpenBSD workstations. My home firewall is running OpenBSD
3.6 with a 2-line ruleset:

    pass out on quick all keep state
    block in quick all

The strange thing is that other connections to the server from other hosts
on the internet don't get closed either! PF will always put them in one of
these two states: TIME_WAIT:TIME_WAIT or FIN_WAIT_2:FIN_WAIT_2.

I have a little suspicion that FIN_WAIT_2:FIN_WAIT_2 happens if both of the
peers (my server and the host) are protected by PF, while TIME_WAIT:TIME_WAIT
happens when the host isn't protected by PF.

This is my PF ruleset on the server:

    table <Spoof> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8 }
    pass out quick on lo0 all keep state
    pass in quick on lo0 all keep state
    block in quick on fxp0 inet proto tcp from <Spoof>
    block out quick on fxp0 inet from any to <Spoof>
    block in quick on fxp0 inet6 all
    pass out quick on fxp0 inet from (fxp0) to any keep state
    pass in quick on fxp0 inet proto tcp from any to (fxp0) port 25 flags S/SAFR keep state (source-track rule, max-src-nodes 20, max-src-states 2)
    pass in quick on fxp0 inet proto tcp from any to (fxp0) port 80 flags S/SAFR keep state (source-track rule, max-src-nodes 50, max-src-states 10)
    max-src-states 2)
    block in quick all
    ..

Any clue?

Ed
Re: FIN_WAIT_2:FIN_WAIT_2
On Saturday 25 September 2004 15:30, Mike Frantzen wrote:
> > This means that if I use telnet to any open port and then I close the
> > connection PF will keep the connection in FIN_WAIT_2 status until the
> > time limit expires.
>
> TCP goes into a 2msl time wait state after the connection closes in case a
> segment got delayed in the network. That is how TCP works.

This explains the TIME_WAIT:TIME_WAIT status, but what about FIN_WAIT_2?

Ed
PF tables states
This is a message from an interesting thread on [EMAIL PROTECTED]:

http://marc.theaimsgroup.com/?l=openbsd-misc&m=109422765506037&w=2

In short the question is: why doesn't PF kill all the states associated with
the table entries when you flush a table?

Ed
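Until pf does that itself, the practical workaround is to kill the states by hand before flushing: list the table, run pfctl -k for every entry as source and again as destination, then flush. This is an added example, not code from the thread; the table name and addresses are placeholders, and the ::/0 wildcard for IPv6 destinations is an assumption about what pfctl -k accepts.

```shell
#!/bin/sh
# Flush a pf table, but first kill the states its entries created, which
# 'pfctl -t <table> -T flush' alone does not do. Matters most for tables
# used as allow-lists (authpf style): removing an address should also end
# the connections it already has.

# Read addresses on stdin (one per line, as printed by 'pfctl -T show') and
# emit the pfctl -k commands that kill states with that address as source
# and, via a second -k, as destination. Pure text generation, so it can be
# checked without pf present.
state_kill_cmds() {
    while read -r addr; do
        [ -n "$addr" ] || continue
        # 'pfctl -k X' kills states from X; 'pfctl -k ANY -k X' kills states
        # to X. The IPv6 wildcard is an assumption (see lead-in).
        case $addr in
            *:*) any='::/0' ;;
            *)   any='0.0.0.0/0' ;;
        esac
        echo "pfctl -k $addr"
        echo "pfctl -k $any -k $addr"
    done
}

# The real operation: kill the states, then flush the table.
flush_table_and_states() {
    table=$1
    pfctl -t "$table" -T show | state_kill_cmds | sh -e
    pfctl -t "$table" -T flush
}

# Usage: ./flush-table.sh <table>   (no argument: do nothing)
if [ $# -eq 1 ]; then
    flush_table_and_states "$1"
fi
```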
Re: PF --- spamd
On Thursday 02 September 2004 16:21, Ed White wrote:
> /var/db/spamd is always empty. Any clue?

Since I've not found a solution I've posted the problem on [EMAIL PROTECTED]

Ed
Re: Fwd: Re: Things pf can't do?
On Thursday 20 May 2004 22:05, Jeff Simmons wrote:
> Actually, it's a breath of fresh air compared to other filters I've worked
> with. *cough* iptables *cough*
>
> LOL One of Linus' stated goals for the 2.7 kernel is to improve iptables so
> that it's up to the level of OpenBSD's pf.

Jeff, could you tell me some url to find that mail from Linus?

Thanks.

Ed
Re: PF --- spamd
On Thursday 02 September 2004 07:56, Peter Hessler wrote:
> :I wanted to test spamd with greylisting, but it seems that the interaction
> :with PF is broken. In short spamd doesn't add anything to /var/db/spamd so
> :I'll never get my IP added to <spamd-white>
>
> What does `ps aux | grep spamd` say? Mine says:
>
> $ ps aux | grep spamd
> _spamd  5408  0.0  0.2  8788   632  ??  Is  Sun01PM  1:15.88  spamd: (pf <spamd-white> update) (spamd)
> _spamd   892  0.0  1.6  9044  4124  ??  S   Sun01PM  0:12.37  /usr/libexec/spamd -g
> _spamd 17732  0.0  0.2  8784   568  ??  I   Sun01PM  0:01.79  spamd: (/var/db/spamd update) (spamd)

    # ps auxw | grep spam
    _spamd   142  0.0  0.4  8528   576  ??  Is  1:59PM  0:00.03  spamd: (pf <spamd-white> update) (spamd)
    _spamd 18655  0.0  3.0  8660  3908  ??  I   1:59PM  0:00.10  /usr/libexec/spamd -g
    _spamd 32539  0.0  0.3  8404   352  ??  I   1:59PM  0:00.00  spamd: (/var/db/spamd update) (spamd)
    root   30894  0.0  0.3   100   360  ??  Is  1:59PM  0:00.01  /usr/libexec/spamlogd

    # top -n 50 | grep spam
    18655 _spamd   20  8660K  3908K  idle   select  0:00  0.00%  spamd
      142 _spamd  100  8488K   536K  sleep  nanosl  0:00  0.00%  spamd
    30894 root    -60   100K   360K  idle   piperd  0:00  0.00%  spamlogd
    32539 _spamd  -60  8404K   352K  idle   piperd  0:00  0.00%  spamd

    # pfctl -sn
    rdr pass inet proto tcp from <spamd> to any port = smtp -> 127.0.0.1 port 8025
    rdr pass inet proto tcp from ! <spamd-white> to any port = smtp -> 127.0.0.1 port 8025

    # netstat -an
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address   Foreign Address  (state)
    tcp        0      0  10.0.0.2.25     *.*              LISTEN
    tcp        0      0  127.0.0.1.8026  *.*              LISTEN
    tcp        0      0  *.8025          *.*              LISTEN
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address   Foreign Address  (state)
    udp        0      0  *.514           *.*

/var/db/spamd is always empty. Any clue?

Ed
PF --- spamd
Hi, I'm playing with OpenBSD 3.6-beta. I wanted to test spamd with
greylisting, but it seems that the interaction with PF is broken. In short
spamd doesn't add anything to /var/db/spamd so I'll never get my IP added to
<spamd-white>.

--- pf.conf ---

    table <spamd> persist
    table <spamd-white> persist
    rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
    rdr pass inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025

--- rc.conf ---

    spamd_flags=
    spamd_grey=YES

Is this a bug?

Ed
Re: preventing state runaway
On Wednesday 25 August 2004 14:02, Ed White wrote:
> > > limiting the # of states a single source node can create is also a
> > > good idea, but less so to protect the firewall, more to protect the
> > > internet from machines gone nuts, that got hit by a worm or whatever.
> >
> > I've looked through my copy of Jacek's fine book but could not find any
> > reference to this. Is it new in 3.5 or have I simply missed it?
>
> It's older.

Oops, I've misunderstood... source tracking appeared in 3.5 by McBride.

Ed
Re: preventing state runaway
On Monday 23 August 2004 19:04, Jeff Wilson wrote:
> Once again I am awed by and indebted to this list. Thanks for the prompt
> response!

That will not help you solve the problem. It will only cause some trouble to
valid connection states. You should use src-ip tracking, limiting the number
of connections for each IP. Then you could do some quick math to know the
maximum number of states that your ruleset could create and then install
enough RAM.

Ed
Absent Interfaces Handling
Hi, I've read that since 3.5 PF can load rules for absent interfaces. After
some tests I've found that sometimes it works and sometimes it doesn't. Can
anyone tell me which interfaces are compatible?

Ed

Example 1: desktop with only rl0

    ..
    pass in on rl0 all
    pass in on fxp0 all
    ..

NOT loaded

Example 2: laptop without interfaces

    ..
    pass in on rl0 all
    pass in on fxp0 all
    pass in on dc0 all
    pass in on an0 all
    pass in on wi0 all
    ..

loaded OK

Example 3: laptop without interfaces

    ..
    pass in on sis0 all
    ..

NOT loaded
limit ruleset reload
Hi, thanks to jknight@ I've understood that PF doesn't restore default values
when loading a ruleset that doesn't set a limit.

--- pf1.conf ---
    pass in quick inet keep state (source-track global, max-src-states 3)
---

    # pfctl -f pf1.conf ; pfctl -s all
    ..
    src-nodes hard limit 1
    ..

Now pf2 sets a lower limit:

--- pf2.conf ---
    set limit src-nodes 2000
    pass in quick inet keep state (source-track global, max-src-states 3)
---

    # pfctl -f pf1.conf ; pfctl -s all
    ..
    src-nodes hard limit 2000
    ..

Again pf1:

--- pf1.conf ---
    pass in quick inet keep state (source-track global, max-src-states 3)
---

    # pfctl -f pf1.conf ; pfctl -s all
    ..
    src-nodes hard limit 2000      <--- why not 1?
    ..

Is this a bug or a feature? ;-)

Ed
IP source tracking doc ?
Hi, reading the PF FAQ and pf.conf man page I haven't found any detailed help
about source-track options. Playing with a custom pf.conf I've understood
that source-track rule and source-track global permit managing all the src
IP states in a different way, however I'd like to receive some confirmation.

1)

    pass in quick inet proto tcp to port 25 keep state \
        (source-track rule, max-src-nodes 100, max-src-states 2)

This means that a max number of 100 IPs could connect and that each of them
could have a max number of 2 active connections to this port. Right?

2)

    set limit src-nodes 3000
    pass in quick inet proto tcp to port 80 keep state \
        (source-track global, max-src-states 5)
    pass in quick inet proto tcp to port 443 keep state \
        (source-track global, max-src-states 2)

This means that a max number of 3000 IPs could connect and that each one of
them could have a max number of 5 active connections to port 80 and a max
number of 2 active connections to port 443. Right?

Thanks.

Ed

P.S. The PF FAQ has completely omitted this topic and also has wrong default
values for the limit section... it seems...
tagging keep state
Hi, I've played with tagging and I've found something that's not clear to me.

    block in on dc0 tag LAN
    pass in inet proto tcp to port 80 keep state

If I send a SYN to port 80 passing across the dc0 interface the packet will
be tagged LAN and then it will create a state with the second and
last-matching rule. However I'd like to know if every packet that belongs to
that connection (matches the state) will be marked with the LAN tag.

Thanks.

Ed
Re: tagging keep state
On Monday 31 May 2004 15:40, Matthijs Bomhoff wrote:
> the rest of the packets in that connection will be passed because they
> match the state table entry, they will not be run through the firewall
> rules again as the first packet passed and created the state for the rest
> of the connection.

I know ;-)

> To answer your question: I don't think they are tagged as well, but even if
> they were, you could not really make use of the tag, as the packets are not
> passed through the ruleset.

It's important to know. Example: on rl0 we have created a state and so for
this interface the ruleset is not evaluated. However when the packet goes to
rl1 (suppose this is the external interface) the fact that packets come
tagged or not is important for ruleset evaluation. Think of a second
interface: would those packets come with a TAG?

Ed
:peer
Hi, can anyone show me some output numbers with the :peer modifier? Is there
a way to see the current IP address from a rule like this?

    block in quick on rl0 inet from (rl0) to any

(Using pfctl, not ifconfig)

Thanks.

Ed
spamd grey-listing innovation
Hi, I've noticed that most spam that I receive is directed to old/nonexistent
mail addresses. Sadly my mail server replies with an error message and so
keeps wasting precious bandwidth.

I think that adding a new file containing only valid addresses could be a
useful innovation. The trick is that spamd would add the greylisting triplet
to its database only if the destination address is present in the
above-mentioned file (/etc/spamd.addresses?). This would permit saving a lot
of bandwidth and moving some load from the mail server to the firewall.

Who likes it?

Ed
PF espionage attempt blanketed
OpenBSD secret agents have blanketed an attempt to infiltrate a covert ops
among project developers. Ryan McBride, that's the name of the infiltrator,
had the duty to insert copyrighted code in the PF main code, so that SCO, the
company run by his uncle Darl McBride, could claim rights on the whole PF
code.

Thanks to our preferred secret agent!

[ http://www.openbsd.it/images/tshirt-15.jpg ]

003 - Ed
runtime rdr
Hi, someone asked me how to add a rdr rule on the fly. They are coding a
well-known network manipulation utility and needed to apply the following
redirection from the software itself. They used the following command with
Linux:

    iptables -t nat -A PREROUTING -p tcp --destination-port 6969 -j REDIRECT --to-port 9090

I told them that PF doesn't support adding rules by command line, so they
should use kernel IOCTLs. Any other idea?

Ed
Re: runtime rdr
On Tuesday 23 March 2004 19:59, Henning Brauer wrote:
> > I told them that PF doesn't support adding rules by command line, so
> > they should use kernel IOCTLs.
>
> wrong.
>
>     echo rdr on $someif proto tcp to port 6969 -> 127.0.0.1 port 9090 \
>         | pfctl -a someanchor:someruleset -f -

You need to modify the ruleset. In fact you need an anchor... They want to
add a rdr when the tool is started and remove it before stopping the tool.
Something automagical that doesn't need user complicity.

Ed
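The start/stop behaviour asked for above falls out of the anchor Henning shows: load the rdr into its own anchor when the tool starts and flush that anchor when it stops, so the main ruleset is never reloaded. This is an added example, not code from the thread; it assumes the 3.x-era syntax quoted here (a line rdr-anchor "mytool" in pf.conf, where mytool, the interface and the ports are placeholders), and on OpenBSD 4.7 and later the rule becomes match/pass ... rdr-to with a plain anchor declaration.

```shell
#!/bin/sh
# Load a rdr rule into a dedicated pf anchor when a tool starts, and flush
# that anchor when it stops. The main ruleset is never reloaded.
# Assumes pf.conf carries the line   rdr-anchor "mytool"   in its
# translation section ("mytool" is a placeholder anchor name). On 3.4/3.5
# the anchor argument is "mytool:rules" as in Henning's command; from 3.6
# on the bare anchor name is used, as below.

ANCHOR=mytool

# Build the rule text: intercept TCP to port $2 arriving on interface $1
# and redirect it to 127.0.0.1 port $3. Pure text, so it can be checked
# without pf present.
rdr_rule() {
    printf 'rdr on %s proto tcp from any to any port %s -> 127.0.0.1 port %s\n' \
        "$1" "$2" "$3"
}

# Replace the anchor's contents with the single rule; pfctl -f on an anchor
# loads only that anchor and leaves everything outside it alone.
rdr_start() {
    rdr_rule "$1" "$2" "$3" | pfctl -a "$ANCHOR" -f -
}

# Flush the NAT rules held in the anchor: the "remove before stopping" step.
rdr_stop() {
    pfctl -a "$ANCHOR" -F nat
}

# Usage: ./tool-rdr.sh start|stop [interface]   (no arguments: do nothing)
case "${1:-}" in
    start) rdr_start "${2:-sis1}" 6969 9090 ;;
    stop)  rdr_stop ;;
esac
```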
Re: PF/spamd oddity
On Thursday 18 March 2004 16:02, Jason Dixon wrote:
> No, it adds a pass rule to the ruleset. Doesn't bypass anything.

Not according to pf.conf(5):

    If the pass modifier is given, packets matching the translation rule
    are passed without inspecting the filter rules

Is this taken out of context? Check this...

http://marc.theaimsgroup.com/?l=openbsd-pf&m=105716719422418&w=2

If I'm not wrong rdr pass was introduced in 3.4 to solve this.

Ed
Re: Brige, Traffic Shaping and FTP
On Monday 01 March 2004 22:22, Henning Brauer wrote:
> the only place to solve this is obviously writing a proxy. whether that is
> in kernel or not doesn't change a shit. well, except for the tiny detail
> that a security problem in your userland proxy doesn't give the attacker
> remote root... and it's easier to write too.

Henning, I don't understand if you're talking about the same thing I
proposed... I don't want any proxy or application level software in the
kernel. I said that PF could support an extension of keep state and I called
it permit state, because it permits traffic in the opposite direction (from
server to client) until the created state is in the table.

The only security problem is related to applications that bind on the
client. In fact the server could talk with the client... However this can be
easily solved with the help of tagging.

Should I post a step by step example?

Ed
[idea] permit state
Hi, I had an idea...

At the moment PF needs the help of a proxy to accept connections that start
from an external source. This means that we use ftp-proxy (for active ftp)
to analyze the control connection (from the client to the server) to accept
the data connection started by the server.

Q: How could we solve this with PF itself?
A: Introducing the new feature permit state 8-)

We accept a connection from the destination of the packet that matched the
permit state rule. This option is keep state on steroids.

Example:

    pass out inet proto tcp from $user to $server port 21 permit state

PF already checks every packet against the state table, so it should be easy
to add an option to be verified. If a packet matches a permit state rule it
will be passed. As soon as the permit state is removed from the table those
packets would not match any state and so the ruleset will be evaluated.

Until the state created by the above rule is in the table, PF will behave as
if the following rule had been added:

    pass in inet proto tcp from $server to $user

Some features:

- active ftp without proxy
- multiplayer games without a special ruleset for every server
- h.323 and other protocols without proxy
- compatible with NAT
- mergeable with other options like restriction on port numbers, number of
  concurrent connections and most of today's PF features

w00t!

Ed
PF profiling auditing
Hi, I would like to know what tools were used to test PF behaviour
correctness, to improve performance, to find bottlenecks and to check its
security. Any test suite is appreciated.

Thanks.

Ed
Re: PF stream size
On Wednesday 21 January 2004 16:56, Armin Wolfermann wrote:
> This is a first cut at this idea. It implements a per-state traffic limit
> like this:
>
>     pass in proto tcp from any to any port = 25 \
>         flags S/SA keep state (bytes 10)
>
> This could be easily extended to per-rule or per-source-ip limits. I just
> didn't want to invent too many keywords.
>
> Opinions? Ideas?

I've not tested it yet, but I'm going to do it soon. What is the opinion of
the PF developers here on the ml?

Ed
PF stream size
ehm... I would like to know if there is any plan to limit the number of bytes
a TCP connection can transfer. The idea is to drop/close the connection after
$SIZE bytes have been transferred.

Why?

1) Hosting/housing can limit file sizes (need to remove the support for
   resumed download on the server)
2) Good for SPAM. (Every IP from blacklists could be allowed to send only
   small mails, instead of +100Kb attachments)
3) qmail cannot be exploited 8-)

Please note also that it could be extended to disable a rule after $SIZE is
exceeded. This is good for housing/hosting providers who want to sell X Gb of
bandwidth for each IP. With a single rule like this:

    pass in quick on $gw_ext inet from any to $housing_1 keep state max-size 10Gb

When PF finds that the counter of this rule has exceeded the 10Gb limit, it
should disable/remove that rule. If the client pays for more bandwidth, the
administrator could reactivate that rule.

Ed
Re: What is the smallest sensible size for a table? and pfauth like system
On Thursday 15 January 2004 04:54, Russell Fulton wrote:
> At the moment I am regenerating the whole pf.conf file whenever there are
> changes in the database, I then use ssh to copy the file to the firewall
> and use pfctl -f to load it. As soon as I have some time I plan to just
> load the deltas using pfctl (or a custom C program using the ioctls) to
> update just the tables and rules that have changed. This would be easier
> although probably not by much if everything was table based.

Probably you already know that you can manipulate tables with pfctl -T.

> We are also looking at moving many of our 'standard' machines to dynamic
> table whereby they will have to log in to a 'service' which will open up
> their access through the firewall and inform our traffic meter which user
> is on the particular IP, this will pave the way for allowing increased
> usage of dynamic IP addresses. Rather like pfauth but we will write a
> custom daemon to run on the firewall.

This can be useful. Maybe.

http://www.piout.net/phpauthpf.html

A form simply asks the user for a login and a password. Then the php script
tries to authenticate the user with Active Directory using LDAP. If the user
is correctly identified, it searches for the groups he is in. If he is in
the allowed group it adds the IP to the auth table so pf will let the user go
to the internet, then it changes the page to google.com and opens a little
popup. This popup will refresh every 100 seconds. When it refreshes, it
writes the time to a file. The script checkips.sh is executed regularly, so
when the file is not updated it will delete the IP from the auth table and
kill the states.

Ed
Re: bridge, but when ?
On Wednesday 07 January 2004 00:27, Trevor Talbot wrote:
> On Tuesday, Jan 6, 2004, at 09:59 US/Pacific, Ed White wrote:
> > I was playing with a 3-if firewall with static IP 10.* when I got a
> > simple doubt: when is the bridge feature supposed to be used?
>
> When you want a switch (smart hub) instead of a router.

Yeah, you're right. So what are the advantages of a bridge for a classic
3-if firewall? I read somewhere that it speeds things up. Is that right? If
so, why isn't it advised in the FAQ to use it when there are 2+ interfaces?

Thanks.

Ed
bridge, but when ?
Hi, I was playing with a 3-if firewall with static IP 10.* when I got a
simple doubt: when is the bridge feature supposed to be used? Every time you
have 2 or more interfaces? Only for an IP-less/invisible firewall?

This doubt could sound strange, but the fact is that most (every, except
IP-less?) setups can be done without it.

Thanks.

Ed
dhcpd authpf
Hi, I would like to know if anyone has ever thought of modifying dhcpd to
talk with PF. The idea is similar to authpf behaviour: activating some rules
when a client gets the IP. This should permit knowing which internal IPs are
active and can pass across the gateway (maybe NAT to the internet) without
accepting by default every internal IP going out.

Thanks.

Ed
Re: ftp-proxy ALTQ
On Thursday 06 November 2003 12:05, Henning Brauer wrote:
> > I'm wondering if there's a way to let ftp-proxy set the priority queue
> > for every state it creates.
>
> this boils down to create an opportunity for userland apps to set mbuf
> tags, either generalized or specialized for altq and/or tagging. we thought
> about doing this through socket options, but it's not really nice.

Is there any news?

Ed
Re: 3.4 upgrade
On Wednesday 31 December 2003 21:08, Dom De Vitto wrote:
> I don't recall there EVER being a non-backward compatible change to PF -
> can anyone correct me on this?

Check out this previous thread:

http://marc.theaimsgroup.com/?t=1094632&r=1&w=2

Ed
Daily Changelog
Hi, reading http://cvs.openbsd.org/plus.html I found some interesting lines...

+ Preserve the debug flag when enabling pf(4).
+ Reorganise pf(4) state searches for a 30% memory saving.
+ Add locking and write-filtering to bpf(4), so programs running as non-root
  can hold bpf descriptors without being able to write whatever they like
  at the link layer or issue dangerous ioctl(2)s.
+ Don't try to send incomplete IPv4 fragments in the ENOBUFS case. Note
  that this is a behaviour change from 4.4BSD and applies to output from
  bridge(4) and pf(4) as well as vanilla IP output.
+ Fix several kernel networking off-by-ones w.r.t. PRC_NCMDS.
+ Reorder the pf(4) statistics counter code and fix some miscount bugs.

Can anyone let me know some details and whether anything affects -stable?

Thanks.

Ed
ftp-proxy ALTQ
Hi, I'm wondering if there's a way to let ftp-proxy set the priority queue
for every state it creates. I would like to be able to have ftp downloads at
full speed until I start using higher priority queues. The idea is that my
ftp downloads should drop speed if I browse the web or check my mailbox, but
soon get the whole bandwidth back when I've finished.

The problem is that _passive_ ftp download tcp connections have no fixed
points: no IP and no ports.

Thanks.

Ed
Re: pf with any l7 patches or ability?
On Thursday 06 November 2003 17:09, Daniel Hartmeier wrote:
> If someone shows me how to do it correctly, that might even convince me to
> try to implement it in pf. But what I've seen so far were horrible kludges
> in the sense that I can immediately predict a dozen ways it will raise
> false alarms or be easily circumvented by a moderately clever tool. What
> I'd want is a scheme that I myself could trust.

The real point is: what do we need?

- Something that binds together a protocol (HTTP) and a port (tcp 80)?
- Something that stops an exploit?
- Something that chooses what to do by reading application level data? (like
  forwarding streams based on the HTTP Hostname field)
- Something that transparently modifies application level data? (like
  removing mail attachments)

Each problem has a solution, but it's not true that the solution to every
problem is the same ;-)

Ed
Re: RFC#12 - PF version
On Monday 20 October 2003 18:55, Ed White wrote:
> Request to introduce a public revision number to PF and pfctl.

This is the answer Theo sent me some minutes ago:

> Incorrect. pf became incompatible way more than that.
> No, most software does not have a version number.

Wunderbar!

Ed
rdr pass
Hi, I'm wondering if it's possible to define a user/group for rdr pass rules
on 3.4. Suppose this one-rule ruleset:

    rdr pass on $if proto tcp from any to $if port 21 -> $if port 8021

Note: same interface, simply change the port. If I'm not wrong rdr pass
should create a state entry, so the client will be able to talk to/receive
from server port 21.

Is the only way to get it working this 2-line ruleset?

    rdr on $if proto tcp from any to $if port 21 -> $if port 8021
    pass in quick on $if proto tcp from any to $if port 8021 keep state user $ftp-u group $ftp-g

Thanks.

Ed
High availability and load balancing!
Hi, I've just read this and I would like to share the news with PF fans.

Quoting from http://www.deadly.org/article.php3?sid=20031018101733

    Common Address Redundancy Protocol
    Allows multiple hosts to share an IP address, providing high
    availability and load balancing.

Original and complete post by Ryan McBride (mcbride@) available at
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106642790513590&w=2

Enjoy!

Ed
Re: deep packet inspection
On Tuesday 30 September 2003 06:23, [EMAIL PROTECTED] wrote:
> What are possible ways of implementing payload inspection in kernel? How is
> it possible to pass data from kernel-space to user-space (with kernel being
> initiator of that transfer)?

This is pretty funny, I'm writing something like that... However I'm using
an atypical way as usual ;-P

Ed
PF debugging
Hi, I'm looking for tips & tricks to write patches for PF. The biggest
problem is debugging a live kernel. How do you do it? VMware?

Ed
Re: Divert socket
On Thursday 25 September 2003 19:42, Daniel Carneiro wrote:
> Is there something like the IPFW divert socket for the PF? Or some other
> way that PF can send packets to a userland program?

Double Burp!

http://marc.theaimsgroup.com/?l=openbsd-pf&m=106327905718110&w=2

Ed
syn-proxy application-level-proxy
Hi, I'm planning to write a small application proxy and I think it could be
good to protect it with syn-proxy, however this will create a lot of
overhead on the firewall.

    client <-tcp-> syn-proxy <-tcp-> proxy <-tcp-> server

Has anyone ever thought of introducing a hook inside syn-proxy? A way for
syn-proxy to pass the data to a filter (application level), but still manage
the tcp connection. Something like this:

    1) client [SYN] -> syn-proxy
    2) syn-proxy [SYN/ACK] -> client
    3) client [ACK] -> syn-proxy
    4) client [GET / ... ] -> syn-proxy
    5) syn-proxy [GET / ... ] -> application proxy
    6) application proxy [ok] -> syn-proxy
    7) syn-proxy [SYN] -> server
    8) server [SYN/ACK] -> syn-proxy
    9) syn-proxy [ACK] -> server
    10) syn-proxy [GET / ... ] -> server

In the end we will have syn-proxy manage the tcp connection, while the
application proxy talks only with syn-proxy and can change the data, block
the connection or redirect (for example by hostname like apache vhosts).

    client <-tcp-> syn-proxy (- application filter) <-tcp-> server

Any chance to add this to the 3.4-current ideas queue? ;-)

Ed
Re: syn-proxy application-level-proxy
On Thursday 11 September 2003 15:00, Daniel Hartmeier wrote:
> Let pf do syn proxy in front of the userland http proxy. That means pf will
> swallow syn floods and only pass fully established connections on to the
> http proxy. Or, if that's not what you meant, what did you mean? :)

The fact is that I don't want the double tcp connection:

    client <-tcp-> syn-proxy <-tcp-> localhost:proxy <-tcp-> server

What I'm asking for is an option of syn-proxy to pass all the data to a
software, module or call it as you want, that can speak with syn-proxy and
tell something about the data.

Just to explain it more easily:

1) syn-proxy gets a new valid connection
2) syn-proxy writes some received data somewhere in a buffer
3) application-proxy is called to read that buffer
4) application proxy tells syn-proxy what to do
5) syn-proxy does it

So we gain:

1) only 2 tcp connections handled by syn-proxy:
       client <-tcp-> syn-proxy <-tcp-> server
2) possibility to write filters for application protocols without handling
   the connection (no sockets or other parts to rewrite).

All clear? ;-)

Ed
future plans
Hi, I'm wondering if anyone is already planning features for 3.4-current.
I'm not talking about code, just ideas. Anything planned at Hackathon?

Thanks.

Ed

P.S. Does anyone have a CardBus D-Link DFE-690TXD? Federico G. Schwindt
(fgsch@) created a patch that could be included in 3.4 if someone had the
card to test it. Here is the original post with the patch:
http://marc.theaimsgroup.com/?l=openbsd-tech&m=106286452818262&w=2
Re: PF - tags - bridge
On Friday 05 September 2003 13:03, Henning Brauer wrote:
> We also modified the matching so that _every_ matching rule sets the tag,
> not just the last one.

This means multiple tags for one packet, right?

Ed
Re: PF - tags - bridge
On Friday 05 September 2003 16:46, Henning Brauer wrote:
> @1 pass in from 1.1.1.1 tag test
> @2 pass in from 1.1.1.1
>
> assuming a packet from 1.1.1.1 comes in: the last matching rule is @2. it does not have a tag statement. but: @1 matched before, and even given it is not last (final) match, the packet gets tagged with the test tag.

uhm... why?

Ed
Transparent Network Security Policy Enforcement
Hi, I found this paper about bridges written by Angelos D. Keromytis (angelos@) and Jason L. Wright (jason@): http://www.thought.net/jason/bridgepaper/

I think it could be interesting to have some updates from current developers. Is there any plan to filter on a bridge considering it as one interface (bridge0)? Any plan for PF to access bridge interfaces to permit MAC based filtering? This could double the performance...

Thanks.

Ed
Re: blocking specific sized echo requests.
On Thursday 28 August 2003 10:28, Trevor Talbot wrote:
> pf doesn't have any packet/payload length matching abilities.

There's an old patch here: http://experimental.bug.it/patches/pf-size.patch

Ed
Re: Implementing a 'scrub tos' option?
On Monday 11 August 2003 16:01, Hendrik Scholz wrote:
> Living on a DSL link is hard when it comes to ALTQ configuration on the upstream side. In my (and prob. this is the most common setup) I cannot (legally) take control of the upstream router and its queueing policies.

Sorry, the problem is not clear to me. Couldn't you insert a bridge?

BTW filtering on the TOS value introduces a good way to filter some ports even if you get a dynamic IP. Example: you want to filter port tcp:22 to avoid the whole internet getting the OpenSSH prompt. Adding a rule like this would make it possible...

pass in quick inet proto tcp from $My_ISP_class_B to $eth_ext port 22 tos $key keep state

Ed
Re: Implementing a 'scrub tos' option?
On Monday 11 August 2003 18:33, Hendrik Scholz wrote:
> Where should I install a bridge?
>
> LAN--BRIDGE--router
>
> I cannot insert anything behind my router but like to modify the telco routers queueing mechanism.

I don't know your situation, but putting a bridge there could be invisible for LAN hosts and for the router. Using an IPless setup will let you use the same network topology/configuration.

NOTE: Invisible unless you start playing with hping or other tools.

Ed
Re: Implementing a 'scrub tos' option?
On Tuesday 12 August 2003 00:08, Damien Miller wrote:
> > You want to filter port tcp:22 to avoid the whole internet getting the OpenSSH prompt. Adding a rule like this would make it possible...
> >
> > pass in quick inet proto tcp from $My_ISP_class_B to $eth_ext port 22 tos $key keep state
>
> This is the worst kind of security through obscurity.

That's not security at all. That's a custom setup, like using sshd on port 31337. Where has the power of choice gone?

Ed
Download Bandwidth Shaping :: Idea
I got an idea to control the bandwidth used to download. Sometimes people used this ml to ask how to shape the download bandwidth and every time someone said that you can't because you have already received the packets, so why drop them?

Well, this is a trick that can work quite well on every type of box:

= we assign a few KBytes/s of _upload_ bandwidth to each box =

Examples:

- Client [no service provided]

# to permit heavy mail delivering
if from client:any to mailserver:25 queue fast
# default connections get shaped
if from client:port 1024 queue slow

- Server [SMTP and web]

# to permit heavy smtp
if from server:25 to any queue fast
# to permit heavy http
if from server:80 to any queue fast
# default connections get shaped
if from client:port 1024 queue slow

I would like people that find a good setup to share them on this ml.

Ed
Re: Download Bandwidth Shaping :: Idea
On Tuesday 29 July 2003 17:22, Alexey E. Suslikov wrote:
> slowing down the outgoing tcp acks etc slows down usual downloads tho.

Exactly. The trick explained works perfectly and does exactly what it is described to do. The target was to shape _download_bandwidth_ and it can be done pretty well working on upload filtering rules.

> the goal of my example is to show, how priorizing of incoming traffic not work :)

Wrong. I suggested to work on the _upload_ queue for each box.

[download queue] internet --- box
[upload queue] internet --- box

Ed
funny news
Smile for some mins: http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306203

"To work around this behavior, obtain firewall software that can filter and block IPv6 traffic."

Ed
set timeout and TTL
About the pf.conf man page...

set timeout
    interval  Interval between purging expired states and fragments.
    frag      Seconds before an unassembled fragment is expired.

    When a packet matches a stateful connection, the seconds to live for the connection will be updated to that of the proto.modifier which corresponds to the connection state. Each packet which matches this state will reset the TTL (*). Tuning these values may improve the performance of the firewall at the risk of dropping valid idle connections.

What does * mean?

Ed
Re: fastroute
On Tuesday 03 June 2003 20:09, Sigfred Håversen wrote:
> reassemble tcp will raise the TTL of all packets back up to the highest value seen on the connection.
>
> Newbie question: In what way is this dangerous?

It could confuse a NIDS. However, luckily, this is an option so if the firewall man turns it on, he'll probably talk with the NIDS man.

Ed
Re: really basic pf help needed
On Thursday 29 May 2003 23:11, Chris Low wrote:
> Of course, I'm missing something here... The Win98 box can traceroute/ping/etc. to the BSD box just fine. However, the Win98 box can't see beyond the BSD box, although it does correctly list the BSD box (172.16.0.1) as the first hop.

Remember that some things cannot pass through PF until you add rules. I'm talking about IP options used by tracert sometimes.

Also, check that other boxes know that to talk to the win98 box [172.16.0.2] they have to send packets to rl0 [DHCP, 192.168.0.x]. You have to add a route. If this was the problem you could consider a fully transparent bridge. Sometimes I saw LANs where reply packets were going through the internet because they were using the default gateway...

Ed
Re: source limit
On Friday 14 March 2003 11:48, Niki Denev wrote:
> Something like counting not only the states created by given rule number, but the rules created by given ip address and rule number.

Obviously this is 3.4. I have some ideas about it and also other interesting RFCs ;-) However I think now it's a bad time to ask for features. Let's write them down and forward them in May.

Bye.

Ed
BSDCon Italy 2003
Hi all, I'm proud to announce that BSDCon Italy 2003 will be held during the Webbit'03 event (www.webb.it). Nothing really official, we'll try to promote *BSD systems with various workshops in the Italian language. Details and news are released on http://bsdcon.it

I don't know how many people here can speak Italian, however this is the list of PF related speeches:

- WiFi Gateway with OpenBSD
- IPv6 with OpenBSD
- OpenBSD VPN
- Packets Filtering

Maybe we'll see you there ;-)

Bye.

Ed
Daniel Hartmeier Show
w00t!

Design and Performance of the OpenBSD Stateful Packet Filter (pf) by Daniel Hartmeier [ http://linuxforum.mmmanager.net/1045982346433661373/view ]

Showtime: http://linuxforum.mmmanager.net/1045982346433661373/SMIL.smil

Ed
Re: blocking with return-rst and ECN enabled packets
On Thursday 27 February 2003 06:58, Marco Grigull wrote:
> Wouldn't this create a 'fingerprint'?

There are many ways to find out an OpenBSD gateway 8-)

Ed
RFC#1 - chmod pf.conf
Request to change /etc/pf.conf default permissions from 755 to 600.

This will prevent a local user or a webscript attacker from reading the PF ruleset. Note that at the moment this is the only way a normal user could gather information on the PF ruleset, in fact using pfctl needs root permissions to open /dev/pf.

Ed
# RFC @ hacking.openbsd.it
RFC#3 - magic-jumps
Request to modify PF skip-steps code to upgrade to magic-jumps.

Currently PF uses skip-steps to move towards rules that couldn't match. It looks for the next rule with a different value for the option that didn't match. Example:

1) pass in quick on rl0 inet proto tcp from $ip1 port 80 to any
2) pass in quick on rl0 inet proto udp from $ip1 port 53 to any
3) pass in quick on rl0 inet proto udp from $ip2 port 514 to any
4) pass in quick on rl0 inet proto tcp from $ip2 port 25 to any
5) block in quick on rl0 all

Imagine a TCP packet going inside rl0 coming from $ip3. PF evaluates the first rule, all parameters match up to the source address, which doesn't match. So the first rule is found not to match. The second rule is skipped, since it specifies the same mismatching source address, and evaluation continues on rule #3. Note that it's impossible for rule #3 to match because on rule #1 PF said that proto tcp was ok, how could udp be ok now? This means that PF simply looks at the not-matching parameter.

Here magic-jumps come into play: the trick is jumping to the next rule provided by the skip-steps engine only if all parameters on the left are matchable with the original rule that didn't match. In fact using this added check, PF will jump over rule #3 because proto has changed (#1=tcp, #3=udp) and will jump to rule #4.

Obviously this is a small example, however magic-jumps could add some speed up even if rulesets aren't exactly skip-step-ordered.

Ed
# RFC @ hacking.openbsd.it
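An added example, not from this thread or from pf's source: a small Python model of skip-steps and of the proposed extra check, run over the five rules in the mail, reporting which rules get evaluated for the $ip3 packet. The parameter set and order (proto, src, sport), the "any" wildcard handling and the way the left-hand parameters are compared are my simplifications and my reading of the proposal.

```python
PARAMS = ("proto", "src", "sport")   # evaluation order modelled (if/dir/af are fixed)

# The five rules from the mail, 0-indexed; every rule carries "quick".
RULES = [
    {"proto": "tcp", "src": "$ip1", "sport": "80",  "action": "pass"},
    {"proto": "udp", "src": "$ip1", "sport": "53",  "action": "pass"},
    {"proto": "udp", "src": "$ip2", "sport": "514", "action": "pass"},
    {"proto": "tcp", "src": "$ip2", "sport": "25",  "action": "pass"},
    {"proto": "any", "src": "any",  "sport": "any", "action": "block"},
]

def matches(value, actual):
    return value == "any" or value == actual

def skip_steps(rules):
    """skip[i][p] = index of the next rule after i whose value of p differs."""
    steps = []
    for i, rule in enumerate(rules):
        row = {}
        for p in PARAMS:
            j = i + 1
            while j < len(rules) and rules[j][p] == rule[p]:
                j += 1
            row[p] = j
        steps.append(row)
    return steps

def evaluate(rules, packet, magic=False):
    """Return (index of the matching quick rule or None, rule indices visited)."""
    steps = skip_steps(rules)
    i, visited = 0, []
    while i < len(rules):
        visited.append(i)
        rule = rules[i]
        failed = next((p for p in PARAMS if not matches(rule[p], packet[p])), None)
        if failed is None:
            return i, visited             # quick: first match wins
        j = steps[i][failed]
        if magic:
            # Proposed extra check (my reading): a candidate whose parameter left of
            # the failing one is a fixed value different from the one that matched in
            # `rule` cannot match either, so keep jumping via its own skip step.
            left = PARAMS[:PARAMS.index(failed)]
            while j < len(rules):
                bad = next((q for q in left if "any" not in (rule[q], rules[j][q])
                            and rules[j][q] != rule[q]), None)
                if bad is None:
                    break
                j = steps[j][bad]
        i = j
    return None, visited

PACKET = {"proto": "tcp", "src": "$ip3", "sport": "1234"}  # constructed, as in the mail
```

Plain skip-steps visit rules #1, #3, #4, #5 for this packet; with the extra check rule #3 is jumped over, exactly the sequence the mail describes.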
Re: RFC#3 - magic-jumps
On Thursday 06 February 2003 11:29, Daniel Hartmeier wrote:
> The question is whether it's worth the additional cost of trying to jump further down. I did benchmarks with other versions, like evaluating all parameters of the rule (not aborting on the first mismatch), then finding the largest skip step among the mismatching ones. But that turned out to be slower on average, due to the cost of finding the highest skip step.

Obviously adding checks will slow down the whole thing, but IMHO a longer optimizing time, spent before using a ruleset, is better if it brings better performance every time a packet is evaluated. This will be felt by those who don't use quick on each line.

Ed
Re: RFC#1 - chmod pf.conf
On Thursday 06 February 2003 11:14, jolan wrote:
> if you have users and a running http daemon with scripts capable of reading system wide files on your firewall, i think you have bigger problems to worry about.

I'm not talking about a firewall setup only. Think of a classic webserver with Apache (no chroot) + PHP + MySQL.

> besides, if your ruleset is well written, what harm can seeing it do?

What about if a local user that paid for an account can read your /etc/pf.conf that contains IP based filtering? If you know which IP the root comes from you can do nasty things.

> i have a good idea, how about an obfuscated pf.conf contest?

However the fact is that I would like OpenBSD to be careful at details like this. If most root/admins manually change this permission, why not make it the default?

Ed
Re: rdr and TOS
On Monday 03 February 2003 10:53, Kremlyn Vostok wrote:
> The 'route-to' function may be what you're after. Let us know how it goes :-)

I got a kernel panic with this ruleset:

HOST=x.x.x.x

# Redirect HOST
pass out quick on dc0 route-to lo0 inet proto tcp from any to $HOST port 25 keep state
pass out quick on dc0 route-to lo0 inet proto tcp from any to $HOST port 80 keep state

# Black Hole Host
pass out quick all keep state
pass out quick on lo0 all
pass in quick on lo0 all
block in quick inet proto tcp all
block in quick inet proto udp all
block in quick inet proto icmp all
block in quick all

After pfctl -f pf.route I tried telnet x.x.x.x 25 and got a kernel panic. Note that savecore told me I didn't have enough space to save the core, but it's strange because I have 128 Mb RAM, 200 Mb swap and gigs on /var... What am I missing?

Ed
RE: Firewall spotting and networks analisys with a broken CRC
> Phrack 60 describes a new technique of detecting firewalls using broken CRC. Interesting reading material. http://www.phrack.org/phrack/60/p60-0x0c.txt

I wrote that phile 8-) and sent a notice to Daniel, Henning and Theo. I had no reply, however, I would like to know which solution will be chosen:

- add a new scrub-like rule to check the checksum
- check the checksum before returning (rst or icmp)
- ...

Ed
RE: TCP Reflection
> My network consists of a dual-homed OBSD firewall, with a web server and clients both on the same internal RFC1918 segment. Since I'm not running any internal DNS, all requests sourced from this network, destined for the internal webserver must traverse outbound, resolve to an external IP, and then attempt to return via NAT. Unfortunately, as I'm sure some have found, this does not work well with [I]PF.

ehm... I read a lot of smart answers and useful solutions, but I want to give my simple tip:

Add the www.your-web-server.com LAN IP to /etc/hosts of your clients. (You could do this with Win* using C:\WINDOWS\HOSTS.SAM and C:\WINDOWS\LMHOSTS.SAM)

Obviously this is boring if you have thousands of clients and/or thousands of domain names.

This reduces the overhead and the need for an external connection: if your uplink dies you can continue to access your local web server because you _don't_ need a dns lookup.

Is it too simple?

Ed
RE: pftop (FWD)
> > I'm not the author. ;-) Please look at the From.
>
> Please look at the Cc in the previous mail by Daniel ;-)

Ah! So Cc is used for that! ;-P Sorry, I didn't see.

Bye.

Ed
RE: Support for external files in pf.conf?
> The idea being that one can maintain a list of bad hosts in a file like badips.txt or a list of allowed/denied ports etc. that can be created then shared/updated to many computers or programmatically manipulated by an IDS system or some other reporting system (dshield, black hole lists, etc).

Using an IDS to create that list could be a cause of DoS.

Ed
RE: NAT problems
> /etc/nat.conf:18: syntax error
> pfctl: syntax error in rule file: pf rules not loaded

To load PF rules you have to use
# pfctl -R /etc/pf.conf

To load NAT rules you have to use
# pfctl -N /etc/nat.conf

> --PF.CONF-
> # Define useful variables
> ext_if={ dc0 } # External Interface
> int_if={ dc1 } # Our internal network range 192.168.1.0/24

I think, I'm not sure, that using interface names to get all IPs is a feature of -current. So are you using -stable or -current?

Bye.

Ed