Re: Scrub reassemble tcp
the entire scrubbing idea is pretty much abandoned these days. it was a hot topic in the early 2000s (for everybody, not just us). no, don't use tcp reassemble. * Evaldas Auryla evaldas.aur...@edqm.eu [2014-11-21 18:20]: On 2014-11-14 14:54, Henning Brauer wrote: Is anyone using reassemble tcp with scrub ? Been using this for years without problems, you just didn't notice the problems or didn't hit them. Reassemble tcp isn't 100%, unfortunately, and never was. No changes in ages either. Well, nobody raised a hand, so let's say I didn't notice. hitting it more often now isn't too surprising given the increasing use of windows scaling etc. I see, so would you recommend to not use it ? As a workaround I tried declaring second scrub line targeting this specific system with to IP.. syntax, and pf accepted it, but then it seems to be ignored. Thanks!
Re: Scrub reassemble tcp
* Evaldas Auryla evaldas.aur...@edqm.eu [2014-11-13 19:30]: Is anyone using reassemble tcp with scrub ? Been using this for years without problems, you just didn't notice the problems or didn't hit them. Reassemble tcp isn't 100%, unfortunately, and never was. No changes in ages either. hitting it more often now isn't too surprising given the increasing use of windows scaling etc. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, AG Hamburg HRB 128289, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, VMs/PVS, Application Hosting
Re: rule def/(short) in tcpdump -e
* Axel Rau axel@chaos1.de [2014-10-20 12:30]: what does rule def/(short) [uid 0, pid 0] pass in mean in the tcpdumped pflog? def: matched the implicit default rule short: the reason why the packet was dropped - it was shorter than it should have been, aka pbly truncated (or malicious). grep for PFRES_SHORT in sys/net/pf*.c for the exact cases. when you see packets being dropped referring to the default rule taht means as much as pf dropped it for non-rule based reasons, i. e. too short packets and the like, that usually happens before ruleset eval. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, AG Hamburg HRB 128289, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, VMs/PVS, Application Hosting
Re: Problem with carp and inet alias
* Sebastian John ba...@fukz.de [2013-11-19 19:00]: try to use the correct network mask in alias configuration: inet alias 200.200.200.163 255.255.255.240 try to not give wrong advice. all-ones netmask is EXACTLY the right thing here. probably even for the first (main) address, unless carpdev is unnumbered. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, AG Hamburg HRB 128289, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting pgp07t8jYq4FG.pgp Description: PGP signature
Re: Configuration for discarding specific fragments
* mark.lati...@gmail.com mark.lati...@gmail.com [2013-09-01 08:01]: Is it possible to reassemble so fragments and not others nope; all or nothing. or is the best app= roach to deploy a screening router/another PF to filter but not reassemble = in addition to the PF reassembling and scrubbing? i think you're mostly fighting ghosts here, esp with the extremely tiny share of fragments we see in real world traffic these days. the reassembly isn't completely dumb, it should be able to protect itself from the cache being filled with junk. if there is still a way we might have to amend these smarts. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, AG Hamburg HRB 128289, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: I want to filter some/all inbound traffic twice
* Cameron Simpson c...@zip.com.au [2013-04-05 11:01]: On 05Apr2013 08:45, Daniel Hartmeier dan...@benzedrine.cx wrote: | If you need NAT, you have to do that on the external interface, and it | requires (implies, even) creating states. I was imagining NATing on an internal virtual interface to a private address on some kind of internal virtual interface; this might keep the necessary state without being the outmost layer. NAT can be applied in any direction and on any interface on recent openbsd, so that won't stop you. the manoage has the caveats for the respective unnatural direction. you might get away with 2 routing domains. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: Enforcing asymmetric TCP MSS?
* Eric Lee ele...@gmail.com [2011-05-10 10:30]: I'm trying to use scrub max-mss rules to create asymmetric MSS's. Is this supported? So far, I haven't got it to work (hence my post here). The machine is running OpenBSD 4.9 with 2 network cards. I have been trying things like: match out on $ext proto tcp scrub(max-mss 1000) flags S/SA match in on $ext proto tcp scrub(max-mss 500) flags SA/SA that doesn't work because only one of those two rules ever matches a given connection, from then on the state decides. using two match rules on different interfaces should work i think. the only other option is stateless, but that is stupid for many many reasons. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: Suggestion for a new feature, port code
we will never let that shit even remotely close to our tree. period. * Johan Söderberg johan.s.u...@gmail.com [2011-03-04 15:00]: In my mind this is not security by obscurity, no more than one-time passwords. The ports can be compared to the keys of a keyboard when typing a password. As with passwords, the implementation is not a secret. The port that is protected is not hidden, it is locked. It adds security and do not add attack vectors as it is implemented as a simple ruleset for pf, protecting sshd. It can also be combined with authpf. Why waste energy on spammed logs with scans and attacks, banning and luring with honeypots on the outside? Why give sshd unnecessary exposure as it may have weaknesses? http://en.wikipedia.org/wiki/Security_through_obscurity http://stackoverflow.com/questions/4486171/isnt-a-password-a-form-of-security- through-obscurity http://security.stackexchange.com/questions/1194/port-knocking-is-it-a-good-idea -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: Pfctl -s info and more
* Patrick Lamaiziere patf...@davenulle.org [2011-01-17 17:30]: Hello, (PF on openbsd 4.8) I've got two small questions about the stats returned by pfctl -s info There are several state-mismatch. What does it mean? state-mismatch 79715 3.3/s you received that mnay packets that failed to match a state entry even tho they should. That is the case with tcp and sequence number out of window. Same for the normalize counter, I don't have any scrub rule and I don't know why some packets are normalized? normalize 7103 0.3/s IPvShit jumbograms are dropped with the normalize counter increased wether scrubbing is there or not. fragments go to the reassembler (which might drop some, increasing the normalize counter) unless you set reassemble to no (defaults to yes). -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: PF messing with my PPPoE test or am I just confused...?
* Jonathan Rogers thatseattle...@gmail.com [2011-01-04 02:30]: If I had the option of installing a more recent OS I would have done that, and I would not have posted the question. v3.8 help was explicitly asked for. A reply of form well, on a higher version of the OS there are other ways to do it is (a) obvious and (b) completely unhelpful in this context. you are on your own, then. the supported releases right now are 4.7 and 4.8, period. as if anyone remembers details from a release 5 years ago. and... why bother. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: pf, synproxy, max-src-conn, FIN_WAIT_2
* Nerius Landys lan...@nerius.com [2010-10-26 01:30]: I'm using synproxy to limit the number simultaneous TCP connection to a certain application no, you are not. synproxy has NOTHING to do with limiting the # of connections. that is a generic function of the state keeping code. During the time when a large download is happening using wget, the pf state table will have ESTABLISHED:ESTABLISHED. If wget was in the process of performing a large download and I hit Ctrl+C (or kill it), the state table will have TIME_WAIT:TIME_WAIT. If wget successfully finishes downloading something, I will see FIN_WAIT_2:FIN_WAIT_2 in the state table. welcome to tcp If there is a way to not count the FIN_WAIT_2:FIN_WAIT_2 towards my max-src-conn, please do tell! no, and that would be counterproductive. I'm sure you'll see for yourself why if you think about it for a second. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: synproxy and RST (non-listener)
* Ryan McBride mcbr...@openbsd.org [2010-10-23 11:56]: On Sat, Oct 23, 2010 at 02:51:11AM +0300, Nerius Landys wrote: Thanks for the reply. But I don't _completely_ understand. I don't know too much about operating system calls, but let's say that I have a program that is bound to TCP port 8080 on my local machine (same machine that is running the pf in question). Let's say I launch another program that tries to listen on this port as well. Of course it will fail with cannot bind to port or something like that. So there _is_ something the operating system tells us regarding a port being bound on the local system, and this [presumably] does not require any packets to be sent. Could we do a similar check before completing a handshake with a client via synproxy? Yes, in the case where the synproxy rule is protecting connections to a local machine, in theory PF could be modified to check whether there is a service listening on that port. It would be a lot of code for not much benefit, though. last not least because something listening does not necessarily imply will accept a connection. To be 100% clear, the simplest solution to the synproxy problem you've described is this: Don't use synproxy if you aren't sure that there will be a service listening on the port. I'd go further - synproxy isn't there for everyday use, but as a temporarily measure when you're under attack and the synproxy shortcoming are the smaller problem. and for your subscription issues - I strongly believe the right mailing list is m...@openbsd.org anyway.
Re: synproxy and RST (non-listener)
* Nerius Landys lan...@nerius.com [2010-10-20 22:30]: Is there a way to get synproxy to send the RST (I _think_ that's what it is called) when no service is running on that port? Or is this a feature? Or is there a reason it behaves this way? Intentional, bug, oversight, or missing modifier to my rule? Hrm I think, after doing a little bit more research, I understand why this isn't possible. Maybe you can tell me if I'm right. Seems that synproxy completes a TCP connect handshake completely with the client before even sending anything to the actual service it's proxying. This is the whole purpose of synproxy. So, it has a completed handshake, the client thinks he's connected, and pf tries to connect to the underlying service, but receives an RST or whatnot, which means the service isn't running. It's probably too late to send an RST to the client at this point, so pf just lets the connection from the client hang. that's about right I suppose there's not way to get around this problem... right. Maybe ask the operating system if the port is bound before completing the handshake with the client, otherwise send RST to the client? askin before isn't possible. you do not know that the backend will accept a connection based on a previous connection being accepted. and doing a check before replying with a syn defeats the prupose anyway. sending an RST back if the backend doesn't accept the connection, well, we could do that, but it still doesn't solve anything - clients treat established connection terminated very differently then connection not accepted. there is no way to solve this. synproxy is not for everyday use. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: pf protection against spoofed [source addr] packets
* Nerius Landys lan...@nerius.com [2010-10-20 08:46]: 1. Why can't I spoof a source address of 127.0.0.1? we have some special protection for 127.0.0.1 in the stack 2. What specific rules would you recommend for preventing spoofed packets people spend too much time on this. make sure nobody spoofs your own IPs (or, more precise, any IP you do access control with) and be done with it. really, spoofing has to be fought at the source, you can't layer. so you want to make sure only packets with your own IPs as src leave your network. By the way I'm using FreeBSD 8.0 and 7.1. as in, ancient and crippled pf. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: pfsync and policy routing states patch(OpenBSDv46 stable) - version2
* Romey Valadez romey.vala...@gmail.com [2010-01-21 01:38]: I sent this patch to t...@openbsd.org mail list This patch apply to OpenBSD v4.6 -stable as I told you before, patches to 4.6 are useless. especially given this stuff changed a lot in -current. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: Restricting source with dDNS (dynamic DNS)
* Alvaro Mantilla Gimenez alv...@dydnetworks.com [2009-12-19 12:00]: It would be awesome if pf could implement some port knocking features over my dead body -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: [4.5] Unable to connect using IPSEC over IPv6
* Helmut Schneider jumpe...@gmx.de [2009-12-18 08:30]: Henning Brauer wrote: * Stuart Henderson s...@spacehopper.org [2009-12-16 16:00]: On 2009/12/16 13:27, Helmut Schneider wrote: [...] Dec 15 13:34:23.640235 rule 11/(match) block in on bge0: $SERVER $CLIENT: frag (0|1448) 500 500: isakmp v1.0 exchange ID_PROT encrypted cookie: 583b9e29ae2a701f-f2257c7575eb8336 msgid: len: 1596 Dec 15 13:34:23.640245 rule 11/(match) block in on bge0: $SERVER $CLIENT: frag (1448|156) Same with 4.6. With pass quick log inet6 the connection is successful. Is the packet incorrectly parsed?! The fact that the unfragmented packet is passed would confirm that. PF doesn't support IPv6 fragments yet. yet. hah. hah in the sense of It's cooking or in the sense of Are you kidding? http://www.mail-archive.com/m...@openbsd.org/msg84332.html pp. raised hopes. nobody is actively working on anything in that direction afaik. chances are the hole v6 mess is declared obsolete before we get into this mess (heh, mess on top of mess, get dirty). all hail ipv4/64! -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: [4.5] Unable to connect using IPSEC over IPv6
* Stuart Henderson s...@spacehopper.org [2009-12-16 16:00]: On 2009/12/16 13:27, Helmut Schneider wrote: [...] Dec 15 13:34:23.640235 rule 11/(match) block in on bge0: $SERVER $CLIENT: frag (0|1448) 500 500: isakmp v1.0 exchange ID_PROT encrypted cookie: 583b9e29ae2a701f-f2257c7575eb8336 msgid: len: 1596 Dec 15 13:34:23.640245 rule 11/(match) block in on bge0: $SERVER $CLIENT: frag (1448|156) Same with 4.6. With pass quick log inet6 the connection is successful. Is the packet incorrectly parsed?! The fact that the unfragmented packet is passed would confirm that. PF doesn't support IPv6 fragments yet. yet. hah. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: Brutes rules with UDP?
* Jordi Espasa Clofent jordi.esp...@opengea.org [2009-11-24 17:32]: # SSH brutes protection pass quick on $bridge inet proto tcp from any to $vlan10 port 22 keep state \ (max-src-conn 20, max-src-conn-rate 3/12, \ overload ssh_brutes flush global) with success. No problem, all works fine. I wonder if I can apply this type of rule to UDP connections (I try to protect some busy DNS servers) no, there's no way to avoid spoofed requests with UDP. if someone sends a bunch of UDP packets spoofed from $BIG_ISP_RESOLVER's IP address, their legitimate requests will be blocked. I don't understand your response, Stuart. I wonder if the mentioned rule (using max-src-conn and max-src-rate) is also applicable to UDP-oriented connections as DNS is. no, ^^ quite clear isn't it? the tcp one works based on completed 3way handshakes. now think about it. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: pf configuration subleties
* Daniel Malament dani...@bluetiger.net [2009-09-12 23:04]: 1) The big one is what I would call the 'double state problem'. It seems to me that the big disadvantage of a default-deny ruleset is that because explicit pass rules are required on all interfaces, traffic passing through the firewall machine needs state on all interfaces. This isn't a problem for most applications, but it seems like it would be a memory issue for large routers. there's no memory problem really. you will have memory bandwidth / bus bandwidth / interface bandwidth maxed out long before memory for the states becomes an issue. i am not aware of a _single_ case of state table size problem in at least 5 years (in the early days the pools used had limitations that actually made that a bit problematic, but that is long solved). you want default deny and double states... really. not bored enough to write that down again tho. and if you don't like the double states you can still set skip on one of the interfaces. but understand the consequences. pass on $int_if no state ugh. stateless = slow. 2) The other (shorter) question: If I want one of my internal networks to be able to access the internet, but not be able to access my other internal networks, is --- table non_local { 0.0.0.0/0 !$int_net1 !$int_net2 } block all pass in on $int_net3 from any to non_local [etc] --- better or worse in speed and resources than --- block all pass in on $int_net3 block in on $int_net3 from any to $int_net1:network block in on $int_net3 from any to $int_net2:network [etc] --- won't make a difference that matters. with just 3 entries they are probably about the same, the more entries the more advantage for the table. but then the optimizer will make that a table anyway (exceptions apply) -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: What's the progress of in-kernel proxy for pf NAT?
* hu st hust...@yahoo.com [2009-07-23 12:35]: Hi listers, I found many in-kernel proxy resources in ipfilter package(ip_fil4.1.32), such as ftp/pptp/h323/netbios/irc/rpc etc. Could these code be used by pf? pf purposefully does not use in-kernel proxies. wrong design. AFAIK pf has only a ftp-proxy anchor. it has userland helpers for the most relevant protocols. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Does OpenBSD 4.4 PF ALTQ supports HFSC?
* Pui Edylie em...@edylie.net [2009-01-25 12:33]: From the website http://www.openbsd.org/faq/pf/queueing.html It says it only supports FIFO, CBQ and PRIOQ thatis outdated then, HFSC werks. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Using state table with a transparent firewall
* Federico Giannici giann...@neomedia.it [2008-12-25 21:31]: 1) To be as transparent as possible, we should use the flags any keyword, because with the default flags S/SA keyword the connections already established would not match the pass rule and would be blocked. Am I right? yup 2) As we use different queue names for inside and outside traffic, every pass rule have a on interface parameter and specific from e to parameters. In this situation we should use the set state-policy if-bound option. Am I right? no, changes nothing in taht situation 3) In practice, we will have two separate states, one for inside and one for outside packets. In this situation, should we use the sloppy option? no Or does the server sees every packet, so there is no problem with normal states tracking? yes -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: PF, packet sizes and icmp replies
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2008-11-18 20:02]: Admin-generated icmp codes: With IPFW we could return icmp code 1 then user tried to connect to closed ports (especially with SMTP port for spammers) . With PF we could block only by silent drop, or ICMP unreachable. It's not enough. wrong. block return sends an RST for the connection in question for tcp. which is exactly the stack behaviour for closed ports. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: urpf-failed vs. multiple routing tables?
* Max Laier [EMAIL PROTECTED] [2008-05-01 11:33]: wouldn't it make sense to add a rtableid to urpf-failed? totally. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: block-policy return ignored with ipv6?
* Daniel Hartmeier [EMAIL PROTECTED] [2008-02-14 16:37]: On Tue, Feb 12, 2008 at 07:40:14PM +0100, Helmut Schneider wrote: Is that expected? No, it's a bug introduced with pf.c 1.534 after 4.1 was released. http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r1=1.533r2=1.534f=h For IPv6 TCP, calling pf_check_proto_cksum() with AF_INET will always fail. No RST will be generated, the 'proto-cksum' counter in pfctl -si output will increase instead. Henning? this works, tested by Helmut, ok? Index: pf.c === RCS file: /cvs/src/sys/net/pf.c,v retrieving revision 1.565 diff -u -p -r1.565 pf.c --- pf.c22 Nov 2007 02:01:46 - 1.565 +++ pf.c15 Feb 2008 14:20:09 - @@ -3240,10 +3240,22 @@ pf_test_rule(struct pf_rule **rm, struct (r-rule_flag PFRULE_RETURN)) !(th-th_flags TH_RST)) { u_int32_tack = ntohl(th-th_seq) + pd-p_len; - struct ip *h = mtod(m, struct ip *); + int len = 0; + struct ip *h4; + struct ip6_hdr *h6; - if (pf_check_proto_cksum(m, off, - ntohs(h-ip_len) - off, IPPROTO_TCP, AF_INET)) + switch (af) { + case AF_INET: + h4 = mtod(m, struct ip *); + len = ntohs(h4-ip_len) - off; + break; + case AF_INET6: + h6 = mtod(m, struct ip6_hdr *); + len = ntohs(h6-ip6_plen) - (off - sizeof(*h6)); + break; + } + + if (pf_check_proto_cksum(m, off, len, IPPROTO_TCP, af)) REASON_SET(reason, PFRES_PROTCKSUM); else { if (th-th_flags TH_SYN)
Re: block-policy return ignored with ipv6?
* Daniel Hartmeier [EMAIL PROTECTED] [2008-02-14 16:37]: On Tue, Feb 12, 2008 at 07:40:14PM +0100, Helmut Schneider wrote: Is that expected? No, it's a bug introduced with pf.c 1.534 after 4.1 was released. http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r1=1.533r2=1.534f=h For IPv6 TCP, calling pf_check_proto_cksum() with AF_INET will always fail. No RST will be generated, the 'proto-cksum' counter in pfctl -si output will increase instead. Henning? looks like I screwed that a bit... this enough to fix it? Index: pf.c === RCS file: /cvs/src/sys/net/pf.c,v retrieving revision 1.565 diff -u -p -r1.565 pf.c --- pf.c22 Nov 2007 02:01:46 - 1.565 +++ pf.c14 Feb 2008 15:57:20 - @@ -3243,7 +3243,7 @@ pf_test_rule(struct pf_rule **rm, struct struct ip *h = mtod(m, struct ip *); if (pf_check_proto_cksum(m, off, - ntohs(h-ip_len) - off, IPPROTO_TCP, AF_INET)) + ntohs(h-ip_len) - off, IPPROTO_TCP, pd-af)) REASON_SET(reason, PFRES_PROTCKSUM); else { if (th-th_flags TH_SYN)
Re: NAT (interface) = round-robin between IPv4/IPv6 addresses?
* Ed White [EMAIL PROTECTED] [2008-01-04 07:32]: Happy new year everybody, I have a quick question. I am using OpenBSD 4.2-stable. I noticed that with the following NAT rule: nat on sis1 from 10.2.2.0/28 to any - (sis1) static-port I get the following output: # pfctl -sn nat on sis1 inet from 10.2.2.0/28 to any - (sis1) round-robin static-port This is the interface: sis1: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr xx:xx:xx:xx:xx:xx groups: egress media: Ethernet autoselect (100baseTX full-duplex) status: active inet6 ::xxx:::xxx%sis1 prefixlen 64 scopeid 0x2 inet zz.zz.zz.zz netmask 0xff00 broadcast zz.zz.zz.zzz My question is simple: is that round-robin actually used? If it really means that PF sees 2 or more IPs, what are these IPs? it just says that pf will doround roubin _if_ there is more than one ip. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: NAT (interface) = round-robin between IPv4/IPv6 addresses?
* Ed White [EMAIL PROTECTED] [2008-01-04 17:01]: On Friday 04 January 2008 12:17, Henning Brauer wrote: I noticed that with the following NAT rule: nat on sis1 from 10.2.2.0/28 to any - (sis1) static-port I get the following output: # pfctl -sn nat on sis1 inet from 10.2.2.0/28 to any - (sis1) round-robin static-port My question is simple: is that round-robin actually used? If it really means that PF sees 2 or more IPs, what are these IPs? it just says that pf will doround roubin _if_ there is more than one ip. The problem is that I actually see two IPs: one IPv4 and one IPv6. Would pf do round robin using one IPv4 and one IPv6? of course not. pf does not translate between different address families. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Packets slip through PF while ruleset is reloaded?
* Henrik Johansen [EMAIL PROTECTED] [2008-01-02 13:32]: Hi list, We had an ICMP flood against one of our servers this weekend and I noticed something strange. Whenever I ran '/sbin/pfctl -Fr -f /etc/pf.conf' ICMP packets started to slip through for a second and a couple of states related to those ICMP packets were created. The only time ICMP packets got through the firewall was when I reloaded the ruleset. The box in question is running OpenBSD 4.1-STABLE and the ruleset in question is using a default deny policy. Is that expected behaviour ? when you're using -Fr, yes. you should not do so. ruleset reload is atomic when you leave the manual flush out. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: PF and multiple CPUs
* Jordi Espasa Clofent [EMAIL PROTECTED] [2007-12-20 13:03]: Hi all, I've read about this tipic in this present list and in the misc@ list. Currently I'm making performance test in a box which has a pair of Quad-Core Intel Xeon processor L5320. If I use bsd kernel ¿only a 1 Core of the first CPU is used? If I use a bsd.mp kernel ¿always pf performance decrease? Sincerely, nowadays is hard to find out a simple-CPU in servers environment. so just run the uniprocessor kernel on them, no problem, other cores will idle just fine. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Need more performance (FreeBSD or OpenBSD)
* Florin Andrei [EMAIL PROTECTED] [2007-11-06 07:45]: Does the em driver do interrupt mitigation ? I would like to know the answer to that question myself. sure it does. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Can pf benefit from multiple cpus?
* pf user [EMAIL PROTECTED] [2007-10-26 22:03]: Henning Brauer wrote: * Russell Fulton [EMAIL PROTECTED] [2007-10-25 07:36]: Subject says it all: Can pf benefit from multiple cpus? no. But pf is said to benefit from a larger L2 cache*, my limited research of reasonably priced CPUs for firewall machines finds that the latest crop of Intel CPUs have huge honking L2 caches to presumably overcome some other deficiency... For instance, the Q6600 has 2 x 4MB L2 caches, the new 5400 series to be announced in November are supposed to have 12MB of L2 cache. All of them are only available as dual or quad cores though. So is L2 cache still an important factor in pf performance with all the changes that are coming in 4.2 - the rule optimizing and the memory improvements and late checksumming and things of this nature? well. this statement is not by me, but obviously, having as much as possible of the state table and mbuf + mbuf cluster space in cache of course helps. I bet it helps enourmusly. But how much cache you need ofr that, or where more doesn't make a difference any more, not only depends on your specific application (state table size, pps rates), I don't even have a half-clear idea about what amounts of cache we really talk :) -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Still dealing with pf performance issues
* Russell Fulton [EMAIL PROTECTED] [2007-10-25 07:44]: I note that memory counter is going up at a rate of 0.1/s. My understanding is that this counter is stepped when pf fails to get memory for a state entry but we are no where near the state limit: it goes up when pf cannot get memory for something, or something that is somewhat related to memory. grep for PFRES_MEMORY in /usr/src/sys/net. actually, I take that partially back. in 4.2, all PFRES_MEMORY are caused by pool_get failures, except one which is a failing m_copym (and thus a memory error too). the state limit is not too related to that. you can see memory shortage way below your set state limit. I'd say chances are good that 4.2 solves that for you. I bet most of tehse are from memory allocations for pf tags. They are not allocated in 4.2 any more. Even more of a worry is the congestion counter is at 0.6/s and worse it that is not necessarily a problem. if net.inet.ip.ifq.maxlen is at 50 on your box, 4.2 will solve that too :) (ok. you can just bump it manually too. 4.2 defaults to 256) -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: linux/iptables/proxy arp to pf/redundant firewall
* Russell Fulton [EMAIL PROTECTED] [2007-10-25 10:09]: Henning Brauer wrote: so get a little transfer net and make your upstream adjust his routes otherwise you need a bridge indeed, but you really want to avoid that if you have a chance to go for regular routed with carp etc. we also run redundant bridges -- we have two physical paths to our ISP only one of which is ever in use. We have bridges on both these link and use pfsync to share state. The network uses STP to fail the traffic between the links. Works well for us. I have never said it does not work. Heck, bridge (r)stp on OpenBSD are probably better than on most OSes out there. BUT: I hate bridges. They make debugging really darn hard, and come with their own set of problems. (r)stp you cannot run in any remotely secure fashion without filters on the switches (to be honest, you need the same for carp, but there it isn't THAT a disaster because carp uses some crypto, (r)stp does not) -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Can pf benefit from multiple cpus?
no. * rmkml [EMAIL PROTECTED] [2007-10-26 13:44]: Hi, maybe it is possible run PF nat on 1 cpu, PF fw on 2 cpu, and for example irq network card on 3 cpu and qos on 4 cpu ? Best Regards Rmkml On Fri, 26 Oct 2007, Henning Brauer wrote: Date: Fri, 26 Oct 2007 13:06:04 +0200 From: Henning Brauer [EMAIL PROTECTED] To: pf@benzedrine.cx Subject: Re: Can pf benefit from multiple cpus? * Russell Fulton [EMAIL PROTECTED] [2007-10-25 07:36]: Subject says it all: Can pf benefit from multiple cpus? no. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: linux/iptables/proxy arp to pf/redundant firewall
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2007-10-24 13:06]: Selon Peter N. M. Hansteen [EMAIL PROTECTED]: [EMAIL PROTECTED] writes: i was thinking at a bridge firewall with openbsd, and maybe carp to be redundant but carp is not working with bridge I'd think really hard about why you would want to make it a bridge then. Bridges generally makes it harder to debug and as you say it takes your main redundancy feature off the table. Why not just a carp/pfsync setup? cause i'm in the same subnet so get a little transfer net and make your upstream adjust his routes otherwise you need a bridge indeed, but you really want to avoid that if you have a chance to go for regular routed with carp etc. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: monitoring performance indicators on pf
* Russell Fulton [EMAIL PROTECTED] [2007-10-17 07:43]: On the monitoring front I have rediscovered symon which I installed when we first moved to pf years ago but which did not survive an OS upgrade some time in the past. for monitoring, I use and suggest: -symon -keeping an eye on daily outputs (I actually parse them automagically, but then, you don't want way over a hundred of these per day to read manually) -use /etc/daily.local if you wanna keep an eye on more things -log monitoring. this is very important. I use logsurfer from ports and have *.* |/usr/local/sbin/logsurfer -d /somewhere -s in my syslog.conf on the logserver. -of course, external montoriing, like, ping probes etc - e. g. nagios a subset might do. I have even more :) One more question: I take it that unintentionally 'dropped packets' will show up in the interface stats rather then in any pf counters (which is where I was looking for them)?So symon will show these. well, those dropped at that stage, yes :) in practice, it is good enough to monitor these, and once in a while checking net.inet.ip.ifq.drops and the congestion counter in pfctl -si. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: monitoring performance indicators on pf
* Russell Fulton [EMAIL PROTECTED] [2007-10-16 10:03]: * Is there any tuning that we can do to improve performance of pf yes. install 4.2. seriously, it more than doubles pf performance. I have heard reports that pf actually performs better on FreeBSD because some of the NIC drivers are better -- any truth in that? certainly not -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Real-world production experiences with pf please...
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2007-05-04 09:12]: Hi, I have some time to come up with a new firewall/router/vpn solution for our datacentre, and I'm considering a shiny new server with OpenBSD and pf instead of a costly PIX. On the part of our network that I'm doing this for we might see maximum 20Mbit/s unencrypted traffic. Is anyone using an OpenBSD/pf solution in a production environment like this? What hardware are you using? How's it holding up? :-) for breakfast, yeah. with reasonable network cards and a reasonable ruleset pretty much any system made in the last, what, make it 2 years, should able to do several hundred MBit/s. the max I have going thru an OpenBSD box at a customer is in the 750 MBit/s range (and that doesn't max out the machine), but that is without pf and a carefully hand-crafted kernel. with pf, not sure where i have the biggest install... there's certainly customers in the 50 MBit/s range where the machines mostly idle. usually performance is just not a problem, so I don't look at these numbers to closely... our own machines with very big rulesets and pretty mean traffic pattern seldom exceed 50% cpu use either, but desperately need to be upgraded just because of their age (they are in the 1 ghz range) -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Classification of CPU usage in PF
* Federico Giannici [EMAIL PROTECTED] [2006-10-08 20:11]: Henning Brauer wrote: * Federico Giannici [EMAIL PROTECTED] [2006-10-08 16:21]: I'm trying to re-phrase this question too: is the PF code executed during the NIC interrupts? not really, it is executed in soft int context Hummm... Just to be sure, I'm re-re-phrasing it: in which of the four CPU states shown by top it is assigned (interrupt, system, nice, user)? int And I presume that the same applies to ALTQ. Do it? yup, although altq runs way later -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Request for feature: queue assignment for back packets (Was: ACKs queueing)
* Federico Giannici [EMAIL PROTECTED] [2006-10-08 20:32]: I solved my case in a good way, but I'm currently not using states. I think that a general, intuitive and efficient solution could be useful. The problem: queue assignment of back packets of TCP flows when keep state is used and queues are used in both directions. Currently the only solution seems to be to (almost) replicate the same rules for both interfaces (in and out). So the same rules are evaluated two time: more use of CPU and more rules to maintain. this is untrue, you can just create queues with the same names on both interfaces. queue assignment does not have to happen on the interface where the queue lives. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Request for feature: queue assignment for back packets (Was: ACKs queueing)
* Federico Giannici [EMAIL PROTECTED] [2006-10-09 12:51]: Henning Brauer wrote: * Federico Giannici [EMAIL PROTECTED] [2006-10-08 20:32]: I solved my case in a good way, but I'm currently not using states. I think that a general, intuitive and efficient solution could be useful. The problem: queue assignment of back packets of TCP flows when keep state is used and queues are used in both directions. Currently the only solution seems to be to (almost) replicate the same rules for both interfaces (in and out). So the same rules are evaluated two time: more use of CPU and more rules to maintain. this is untrue, you can just create queues with the same names on both interfaces. queue assignment does not have to happen on the interface where the queue lives. That's really interesting. And now the on _interface_ parameter of the queue command start to make sense... well, let me explain (again. I did this before, must be in the archives). when a rule matches that has a queue assignment, the packet gets tagged with the queue name (not really the name, but that is what it comes down to). the packet then travels through the system like it always does. when it hits the outboind queuing stage (i. e. queueing on the interface where it will leave the machine), the altq routines check for the tag. if it is not there, the packet goes to teh default queue. if the tag is there, altq checks wether a queue with that name exists. if yes, the packet is queued there, otherwise it is put into the default queue. you see, it is not like the packets gets put into a queue when a pf rule assigns it. it happens way later. and thus your cas eis already covered. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Classification of CPU usage in PF
* Federico Giannici [EMAIL PROTECTED] [2006-10-08 16:21]: I'm trying to re-phrase this question too: is the PF code executed during the NIC interrupts? not really, it is executed in soft int context -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Using BGP to multihome on links of different bandwidth
* Alex Thurlow [EMAIL PROTECTED] [2006-07-26 06:11]: New to the list, and with a question I can't seem to find an answer to anywhere else. A little preface - I have recently switched jobs, so I am in a new network situation. There are some upcoming changes, and I wish to switch from our current Linux router to OpenBSD-pf. We currently have 2 links that are shared via BGP. One is an OC-12, and the other is 100Mb ethernet. The reason we have lines of unmatched speed is that we could get the 100Mb cheap and are wanting to test the usefulness of multihoming. Under just a normal BGP setup, our 100Mb line would be saturated as it attempted to send traffic there based on routing distance. Because of this, there are IPtables rules that count how many pps are going on the 100Mb line, and if there are over a certain amount, they mangle the packets and send them over the OC-12 instead. In this way, we are able to share these 2 lines of differing bandwidth. I would just play with local-preference based on source AS for a few big ASes to move them to the OC-12 line and do that until the usage is somewhat balanced. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: pfctl rtlabel expansion
* sfp [EMAIL PROTECTED] [2006-07-06 08:22]: Using bgpd to apply labels to prefixes using rtlabel. Given the pf.conf statement: pass in on $int_if02 from route test to any keep state How can I see the (rt)labelled prefixes that are actually being acted upon using pfctl? you cannot. When the same statement is (pf)labelled, pfctl fails to expand the prefixes as well. I cannot parse that sentence ;( Eg pass in on $int_if02 from route test to any keep state label V115PERMIT:$proto:$srcaddr:$dstaddr:$dstport [EMAIL PROTECTED] ~]# pfctl -sl V115PERMIT:ip:?:any: 2 37 6334 21 2781 16 3553 I would prefer not to use a table in pf as prefixes are not removed when they are withdrawn by bgpd. so you want to label teh routes, and be able to see the route label in the pf label for accounting purposes? Outside of pf, the man pages for route(8) netstat(1) do not indicate flags for displaying the kernel routing table based on the label alone. I may have missed it. In the absence of route show synxtax, is there a valid wildcard for 'route get'? no. you can't get a list of prefixes by label right now. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: pfctl rtlabel expansion
* sfp [EMAIL PROTECTED] [2006-07-06 17:32]: Henning Brauer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] * sfp [EMAIL PROTECTED] [2006-07-06 08:22]: Using bgpd to apply labels to prefixes using rtlabel. Given the pf.conf statement: pass in on $int_if02 from route test to any keep state How can I see the (rt)labelled prefixes that are actually being acted upon using pfctl? you cannot. Hmmm When the same statement is (pf)labelled, pfctl fails to expand the prefixes as well. I cannot parse that sentence ;( Sorry if that was ambiguous. If a packet that is identified using 'from route test' is subsequently labelled in pf with 'label V115PERMIT:$proto:$srcaddr:$dstaddr:$dstport', there is still no way to tell which prefix that packet originated from; as evidenced by pfctl -sl: V115PERMIT:ip:?:any: 2 37 6334 21 2781 16 3553 Is this normal, or have I made a syntactical error? the rule label macros are expanded at ruleset load time, so the information in tehm is pretty static. pass in on $int_if02 from route test to any keep state label V115PERMIT:$proto:$srcaddr:$dstaddr:$dstport [EMAIL PROTECTED] ~]# pfctl -sl V115PERMIT:ip:?:any: 2 37 6334 21 2781 16 3553 I would prefer not to use a table in pf as prefixes are not removed when they are withdrawn by bgpd. so you want to label teh routes, and be able to see the route label in the pf label for accounting purposes? No. I want to be able to make certain that pf is filtering on prefixes that are valid according to bgpd, and that prefixes that have been withdrawn by the bgp process are no longer going to be permitted in the ruleset. While it's true that pf won't necessarily see such packets since the box wouldn't have a route, it makes troubleshooting more difficult, particularly in the reverse case of dropped packets. How do I know that a prefix is being acted on? pf cannot tell me. It's not that I don't trust pf's mechanisms, but this seems to be a bit of a shortcoming - not being able to identify which prefixes 'from route label' actually refers to. that doesn't make sense, sorry. when you have a rule that refers to a route label pf does a route lookup for the src or dst IP on the routing table, looks for the label and if it is there see if there's a match, then moves on. since the routing table and the packet flows are highly dynamic there pretty much is no way of manually verifying pf does things correctly, you have to trust it here. btw, in your case, a block in from no-route block out to no-route should suffice. Outside of pf, the man pages for route(8) netstat(1) do not indicate flags for displaying the kernel routing table based on the label alone. I may have missed it. In the absence of route show synxtax, is there a valid wildcard for 'route get'? no. you can't get a list of prefixes by label right now. Cool. Is support for this planned in the near or distant future? The 3.7 release notes (http://www.openbsd.org/plus37.html) make mention of route(8) being able to show labels: Display route labels with route(8)'s show command. Are these not the same labels, or is the above referring to something else (route get?). No mention in 3.8 or 3.9 release notes. I'm running 3.9. route show shows labels. you cannot use a label as filter criteria for which routes to display right now. it would make sense tho. I have no plans to implement this in the near future, but a patch would be welcome :) Thx for the info nice work on OpenBGPD Henning. as always, we're looking for more success stories for http://www.openbgpd.org/users.html ;) -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: PF inadequacy: queue download
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2006-05-01 02:50]: I don't think time spent developing PF or ALTQ could be better spent developing something other than download queueing. it's nice that you think so. now, let me tell you some news: it does not matter what you think. what matters is what we think, the ones that write the code. when we see a clean, well written diff that implements this and makes sense, we might incorporate that. maybe you could get one of us to code that if you fund him to do that (let me tell you beforehands that you're looking at a 4 digit number for sure). endless whining here will make sure we'll never implement it unless we have a reallyt urgent need. since we hadn't had that in the past, what, 4 years, it's kinda unlikely that changes. I'll summarize again for you. pick one: 1) submit a diff 2) pay a developer to do it 3) get over it note that continue whining on the mailing lists and annoy developers enough so that they eventually might unsubscribe is not on the list. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: PF and load
* Per-Olov Sj?holm [EMAIL PROTECTED] [2006-04-05 21:50]: Henning Brauer wrote: * Per-Olov Sj?holm [EMAIL PROTECTED] [2006-03-31 18:11]: Can PF make use of SMP? no. So a faster cpu (not another cpu) is the only way if we will see to much cpu usage caused by interrupts then... ? (if we already have quality nics and hopefully an optimized ruleset) faster single CPU, better NICs, improvements in the software :) Or are there other things to start to look at if the interrupt usage is high? Are there for example better nics than our dual gig intel nics? yes, sk(4) -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: PF and label expansion limitations
* Per-Olov Sj?holm [EMAIL PROTECTED] [2006-04-06 00:31]: The PF rule... pass in quick on $EXTERNAL_INT inet from any to $COLOC_IPS_1 label TEST:$dstaddr# keep state Gives a label like TEST:65.45.128.128/25# 230 3099 1511793 1370 148914 1729 1362879 Is there an easy way to do expansion of $COLOC_IPS_1 so that the single rule above give labels like... TEST:65.45.128.128/1# 230 3099 1511793 1370 148914 1729 1362879 TEST:65.45.128.128/2# 230 3099 1511793 1370 148914 1729 1362879 TEST:65.45.128.128/3# 230 3099 1511793 1370 148914 1729 1362879 TEST:65.45.128.128/4# 230 3099 1511793 1370 148914 1729 1362879 TEST:65.45.128.128/n# 230 3099 1511793 1370 148914 1729 1362879 TEST:65.45.128.128/n+1# 230 3099 1511793 1370 148914 1729 1362879 TEST:65.45.128.128/254# 230 3099 1511793 1370 148914 1729 1362879 This so we could measure each customers dedicated server statistics. If not. Anybody with a good suggestion? I know I can add all IPs separately to pf.conf to have these inividual labels. But that is the last option. It would be really nice if we could do label expansion of an IP block instead.. Possible today or eventual feature request? not possible today, and not easily to be done at all. I think that we need to go to better netflow support for accounting purposes. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: PF and load
* Per-Olov Sj?holm [EMAIL PROTECTED] [2006-03-31 18:11]: Can PF make use of SMP? no. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: PF not keeping state
* Kevin [EMAIL PROTECTED] [2005-12-19 10:30]: With the complexities and such introduced by CARP and the VLANs, it sounds like you might want to try something like: set state-policy if-bound this is extremely bad advice. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: please publish SPF records
* ed [EMAIL PROTECTED] [2005-11-02 22:47]: On Wed, 02 Nov 2005 20:38:22 +0100 Vincent Immler [EMAIL PROTECTED] wrote: thanks in advance ;-) SPF can be very broken with mail lists. it is broken no matter what and deserves to be ignored at least, or better yet, actively faught. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: please publish SPF records
* ed [EMAIL PROTECTED] [2005-11-03 19:38]: On Thu, 3 Nov 2005 15:30:12 +0100 Henning Brauer [EMAIL PROTECTED] wrote: it is broken no matter what and deserves to be ignored at least, or better yet, actively faught. It's not entirely broken though. no. it is even worse. DK is worth a look too, but it's added components to a mail server. DomainKeys (as in, the original proposal) actually makes a lot of sense and does solve the problem it claims to solve without the gigantic colliteral damage that makes spf worse than useless.
Re: CARP and switches
* Charles Sprickman [EMAIL PROTECTED] [2005-09-29 22:51]: The design seems to assume that one MAC address can only exist on one port at a time, correct? no, not at all. There have been so-called multicast MAC addresses from the stone age on, and that is what carp uses. besides, switches work exactly the other way around. they have a list of mac addresses, and a list of ports associated with each. look for the broadcast mac address entries for example: (output from an extreme networks switch, slightly obfuscated, lots of other addresses and other vlans cut) swi010:2 # show fdb Index Mac Vlan Age Flags Port List --- 0f000-fdf: ff:ff:ff:ff:ff:ffDefault(0001) s m CPU 0f020-fd9: ff:ff:ff:ff:ff:ff somevlan(0003) s m CPU,29, 49, 17, 45, 14, 25, 15, 13, 16, 23, 20, 26 0f030-fd7: ff:ff:ff:ff:ff:ffanother(0002) s m CPU,28, 29, 49, 19, 39, 37, 24, 22, 21, 46 0f040-fdd: ff:ff:ff:ff:ff:ff yetanother(0005) s m CPU,49, 38, 18, 48 0f050-fdb: ff:ff:ff:ff:ff:fffoo(0004) s m CPU,29, 49, 2, 12, 7, 8, 6, 9, 4, 5, 3, 1, 11 same goes for the switch's own MAC addresses, and - yes, multicast addrs. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: benefits of 'set state-policy if-bound'
whoa, get some things straight here. an if-bound state policy provides no benefits whatsover, unless you absolutely need (usually: certain rules only) states to be bound to interfaces because you are doing weird things with route-to and stuff. leave it off unless you need it. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: Label-based accounting and keeping state won't mix.
* Sven Ingebrigt Ulland [EMAIL PROTECTED] [2005-08-03 09:23]: On Tue, Aug 02, 2005 at 10:27:57PM +0200, Henning Brauer wrote: * Tihomir Koychev [EMAIL PROTECTED] [2005-08-02 12:11]: there is patch in current http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/pfctl.c which allow counting in/out packets + in/out bytes from labels. that is ENTIRELY unrelated to the OPs question. and the pfctl part is, well, only a part of it, and the smaller one. However unrelated, I think it might have been what I was actually looking for. I gave up trying to patch all the individual files, and upgraded to the 3.7 snapshot as of 20th july. Now I'm a happy hippo fiddling with all the counters I could ever want. It's your work, right, Henning? yeah. entirely hacked on a ferry ride on canada's west coast :) Good job. thanks -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: Label-based accounting and keeping state won't mix.
* Tihomir Koychev [EMAIL PROTECTED] [2005-08-02 12:11]: Does this mean that basic label-based IP accounting won't mix with keeping state at all? no, states have a pointer back to the rule that created it and update the stats on it. there is patch in current http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/pfctl.c which allow counting in/out packets + in/out bytes from labels. that is ENTIRELY unrelated to the OPs question. and the pfctl part is, well, only a part of it, and the smaller one. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: 400Mbps PF based firewall, which hardware?
* Rob [EMAIL PROTECTED] [2005-07-09 13:48]: Henning Brauer wrote: * Gustavo A. Baratto [EMAIL PROTECTED] [2005-07-08 17:34]: Aparently gigabit intel NICs are the best out there, but this is just what I've heard. sk is far better. It looks like from the study quoted on the sk website: http://www.syskonnect.com/syskonnect/performance/gig-over-copper.htm that the 3Com 3c996BT outperforms the sk at 1500 MTU for most of their tests. Another comparison: http://www.accs.com/p_and_p/GigaBit/ the 3com seems to be a bge - not exactly first choice, to put it nicely. I don't get what syskonnect they tested, I am not certain this even is an sk. nontheless these test are completely irrelevant. this is not redhat 7.3, and the driver has a great share in performance. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: 400Mbps PF based firewall, which hardware?
* Gustavo A. Baratto [EMAIL PROTECTED] [2005-07-08 17:34]: Aparently gigabit intel NICs are the best out there, but this is just what I've heard. sk is far better. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: Newbie question.
* Kelley Reynolds [EMAIL PROTECTED] [2005-06-22 15:24]: One thing to note on a semi-related topic is that when specifying subnets in tables, as of 3.7-RELEASE, subnets that weren't /24 (or probably /16 or /8) didn't work. I highly doubt that (and it is the first time I hear this)
Re: Fwd: Re: pf stopped working i think... WORKS. specifying loopback device lo no longer works in pf.conf though
* j knight [EMAIL PROTECTED] [2005-06-08 18:01]: b h wrote: pass quick on lo all used to work before the hackathon. pass quick on lo0 all I'm not sure if I just missed it or if you didn't mention it, but I didn't realize you were running -current. There's lots of work ongoing in -current on interface groups. Henning is doing some neat stuff; it's going to be really cool when he's finished. Until quite recently, the interface family group didn't exist. You're probably running a snapshot where that's the case. You should be good to go with a recent -current. atually, the interface family groups have been there for a long time... more or less. they are now there for cloned interfaces like tun, ppp, vlan and the like, but not for hardware interfaces like sk, em etc where they just don't make sense. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: keep state is not keeping state - for one rule
* Jon Hart [EMAIL PROTECTED] [2005-05-04 14:35]: but you should definitely be specifying which combination of TCP flags can create the initial state here. Try flags S/SA as a start. no, this is bad advice and certainly not related to the problem. this whole flags filtering is mostly masturbation. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: Feature request - setting TOS
* Kimi Ostro [EMAIL PROTECTED] [2005-04-17 17:37]: On 4/15/05, Henning Brauer [EMAIL PROTECTED] wrote: last time we looked into that we didn't come up with a good keyword if memory serves, and the usefullness was a bit questionable. I have no strong opinion here, but without the right keyword this is not going to fly no matter what. Do we really need keywords for anything other than the most common TOS's? nah, I think we have that already for filtering on tos (or was it numeric only? I had to check). not sure wether pass in on $some_if keep state set-tos 0x10 would be any good maybe set tos doesn't fit well with the current grammar either
Re: Feature request - setting TOS
* Steven Philip Schubiger [EMAIL PROTECTED] [2005-04-15 10:51]: On 13 Apr, Lars Hansson wrote: : Naturally TOS is only really usefull on your own network. If you have a : fairly large internal network, say a campus of some sort, being able to : mark packets with TOS and also assign packets to queues depending on : TOS value can come in very handy. Could the usability of such an addition be confirmed by familiar developers, before we step further? last time we looked into that we didn't come up with a good keyword if memory serves, and the usefullness was a bit questionable. I have no strong opinion here, but without the right keyword this is not going to fly no matter what. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: Pfctl for non-root users
* Jason Dixon [EMAIL PROTECTED] [2005-04-11 11:06]: Is the ability to run pfctl (via sudo) as a non-root user still broken? that was never broken. I've tested this on a 3.6 -release system, and /dev/pf is still unavailable for non-root users. and that was always the case and likely will not change. I searched the archives and found mention of this about a year ago, but nothing else since. you probably found that pfctl -n was broken for a bit as non-root user Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: Pfctl for non-root users
* Matt Rowley [EMAIL PROTECTED] [2005-04-11 14:05]: I don't believe it's ever been possible to run pfctl as non-root it is possible and desirable to run pfctl -n as non-root. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: PF and IP Precedence
* John Merriam [EMAIL PROTECTED] [2005-03-24 16:31]: What exactly does PF think 'lowdelay' is though? IPTOS_LOWDELAY of course, dunno the numeric value tho I found buried in the pf.conf man page that I should be able to specify a TOS value using something like: pass out on IF inet proto tcp from any to any tos 0xYY keep state queue QUEUE where YY is, I assume, the hexadecimal TOS byte. with that you can limit the whole rule to matching those indeed If PF gives priority to packets based on thier IP precedence/DSCP value automaticly that is not what I said -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: PF and IP Precedence
* John Merriam [EMAIL PROTECTED] [2005-03-23 17:50]: Hello. I'm using PF on FreeBSD 5.3. I would like to know how PF handles precedence information in IP packets. I'm referring to the header data described in RFC 1812 sections 5.3.2 and 5.3.3 (part of TOS byte). I guess the first question would be, does PF handle precedence automatically? If not, can prioritization based on IP precedence be achieved with ALTQ or some other mechanism? yes, you can specify two queues per rule, one we call priority queue, and packets with precedence set to lowdelay go to said prio queue. it's not like the manpage wouldn't document that of course Packets can be assigned to queues based on filter rules by using the queue keyword. Normally only one queue is specified; when a second one is specified it will instead be used for packets which have a TOS of lowdelay and for TCP ACKs with no data payload. To continue the previous example, the examples below would specify the four referenced queues, plus a few child queues. Interactive ssh(1) ses- sions get priority over bulk transfers like scp(1) and sftp(1). The queues may then be referenced by filtering rules (see PACKET FILTERING below). queue std bandwidth 10% cbq(default) queue http bandwidth 60% priority 2 cbq(borrow red) \ { employees, developers } queue developers bandwidth 75% cbq(borrow) queue employees bandwidth 15% queue mail bandwidth 10% priority 0 cbq(borrow ecn) queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk } queue ssh_interactive priority 7 queue ssh_bulk priority 0 block return out on dc0 inet all queue std pass out on dc0 inet proto tcp from $developerhosts to any port 80 \ keep state queue developers pass out on dc0 inet proto tcp from $employeehosts to any port 80 \ keep state queue employees pass out on dc0 inet proto tcp from any to any port 22 \ keep state queue(ssh_bulk, ssh_interactive) pass out on dc0 inet proto tcp from any to any port 25 \ keep state queue mail -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: State/queue question
* Kelley Reynolds [EMAIL PROTECTED] [2005-03-21 19:40]: This has come up a few times on the list, and I was wondering how difficult it would be to alter the pf syntax so that a stateful rule on a firewall could apply queues on two interfaces so that bidirectional queueing can be done while tracking state? I believe (and please correct me if I'm wrong) that to get bi-directional queueing, one must have a seperate rule per interface and not keep state since that would be a single rule (this limiting the state-associated packets to a single queue, one interface or the other) huh? you should create state and just create queues by the same names n different interfaces, it'll Just Work -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Re: pf vs ASIC firewalls
* Greg Hennessy [EMAIL PROTECTED] [2005-03-17 19:31]: On 17 Mar 2005 03:58:26 -0800, [EMAIL PROTECTED] (Henning Brauer) wrote: All of that said, I wonder if there isn't some way to implement something vaguely PF-ish in an FPGA that would allow more control over the rulesets than an off-the-shelf ASIC. there likely is... I mean, state table and state table lookups in hardware, hand off ruleset processing to the main CPU, that would rock. If done right. Be interesting to see if that was possible using commodity offload hardware such as that found in http://www.nvidia.com/object/feature_activearmor.html well that is just marketing bullshit as far as i can tell -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: PF, Bridge, and IP on bridged interface [more]
* Sean Kamath [EMAIL PROTECTED] [2005-03-15 06:40]: So, I guess that leaves the question, can one change the ethernet address of a NIC with ifconfig on OpenBSD? no. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: Good HFSC explanation
* John Ricardo [EMAIL PROTECTED] [2005-03-11 06:02]: Thanks for the answer. Can you shed any light on my other question, namely (quoting myself): So with fully-specified service curves, does HFSC as implemented here in fact superimpose CBQ-style hierarchical priorities ontop, or do the service curve specifications somehow mean that also giving priority doesn't makes sense? priority still makes sense. priority mostly influences latency, the service curve specifications throughput. of course they are not really independent from each other. hfsc with only the linkshare sc defined is like cbq. the realtime sc set a lower limit, and the upperlimit sc ... well, guess. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: Good HFSC explanation
* John Ricardo [EMAIL PROTECTED] [2005-03-05 11:22]: If you have specified the 3 service curves, the bandwidth keyword is redundant and/or unnecessary? true. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: macros and anchors SOLVED
* Peter Huncar [EMAIL PROTECTED] [2005-02-02 22:20]: Is it planned to include the 'include keyword' ;o) into the next release? it is believed that anchors and the load anchor statement solve that more elegantly. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: Is there any plan to add the time based filtering feature in PF
* Siju George [EMAIL PROTECTED] [2005-01-28 10:50]: I would like to know if there is any plan among PF developers to add the feature to filter traffic based on time. no. cron. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: First time user comments
* Peter Fraser [EMAIL PROTECTED] [2005-01-21 00:54]: Could the syntax error message, give the position in the line that the error occurred, or at least the token that caused it. no - that is not how parsers work. syntax error actually says it didn't match any production from the grammar. if we don't know what production it should have matches, how should we tell which part didn't? that is just not how parsers work, sorry. I believe that not supplying a on interface means the statement applies to all interfaces. yes. It would be nice if there is only one interface type on the computer to define a macro automatically for them, I suggest $id0 $id1 etc. That way pf config files could be more portable, particularly in the case of a server machine that only has one interface. that will be solved by interface groups. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: Using DNS names in pf.conf?
* Kevin [EMAIL PROTECTED] [2005-01-19 21:41]: Are there any gotchas I should know about when using dns names in pf.conf, specifically in tables used as destinations for permit rules? well, if DNS is not available by the time pfctl tries to load your pf.conf you're pretty much screwed. and pf is enabled very early at boot. try it out, and most importantly, get clear about the external dependencies you introduce and their consequences. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: Re[3]: feature suggest: ability to load/add _inverted_ table file
* Ilya A. Kovalenko [EMAIL PROTECTED] [2004-12-22 02:06]: More correct shorter diff, against -current (21.12) give it up. it will not go in ever.
Re: feature suggest: ability to load/add _inverted_ table file
* Ilya A. Kovalenko [EMAIL PROTECTED] [2004-12-22 02:20]: Here is diff (against 3.6-stable), that implements loading list to table in inverted form, by rule like this: table private file priv_nets.tab file-inv pub_hosts.tab Unfortunately, it demands more changes, than I expected :(, so I don't think that it has a chance to be accepted. correct. I'll veto any change for this, no matter how leightweight it is. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: feature suggest: ability to load/add _inverted_ table file
* Ilya A. Kovalenko [EMAIL PROTECTED] [2004-12-20 08:01]: I suggest to add pfctl(8) feature. Feature to load/add address list from file onto table in INVERTED form (i.e. replacing A.B.C.D - ! A.B.C.D vice versa) from table rule (sth. like file-inverted name) and command line (sth. like -T add-inverted/load-inverted). It is quite simple to implement (I think/believe), but make tables more more flexible. Later, I can post related code diff. I don't see the point. awk/sed/.. etc are your friends. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: rc order with pf and dhclient
* Mark Rosenstand [EMAIL PROTECTED] [2004-12-15 14:02]: Of course I'd like pf to start before the interfaces are brought up. How should I do that without blocking the dhcp traffic? dhclient uses bpf whihc is outside of pf - pf cannot block its traffic. the default order is well thought through and there for a reason... -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: SSH from admin machine
* messmate [EMAIL PROTECTED] [2004-11-10 04:42]: On Mon, 8 Nov 2004 18:39:53 +0100 Henning Brauer [EMAIL PROTECTED] wrote: * [EMAIL PROTECTED] [EMAIL PROTECTED] [2004-11-07 19:59]: On Sun, 7 Nov 2004, messmate wrote: pass in quick on $internal proto tcp from $TRUST_IP to any port = 22 flags S keep state remove the = sign pass in quick on $internal proto tcp from $TRUST_IP to any port 22 why do people keep posting bullshit answers like that? can't you at least TRY his rule before spreading misinformation? it is not about you personally, but far too often we see lies posted here, because the poster didn't bother to verify his answer. This is not helping anybody - the opposite is true. ??? Who's spreading misinformation ?? well, the guy I replied to perhaps... But WHERE can i get a recent documentation about PF ?? oh, hmm, let me think about that, you could google for some howto? maybe somebody has written one. manpages? what's dat?
Re: SSH from admin machine
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2004-11-07 19:59]: On Sun, 7 Nov 2004, messmate wrote: pass in quick on $internal proto tcp from $TRUST_IP to any port = 22 flags S keep state remove the = sign pass in quick on $internal proto tcp from $TRUST_IP to any port 22 why do people keep posting bullshit answers like that? can't you at least TRY his rule before spreading misinformation? it is not about you personally, but far too often we see lies posted here, because the poster didn't bother to verify his answer. This is not helping anybody - the opposite is true.
Re: Keep State
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2004-10-18 10:50]: On So, 17 Okt 2004, Oliver Humpage wrote: State only works on the interface on which it was created. You will need another keep state rule on the external interface allowing packets out. pf.conf(5) says that state is floating by default. direction is still part of the state key.
Re: rdr with tagging
* Danilo Kempf [EMAIL PROTECTED] [2004-10-12 10:36]: Andy Wettstein wrote: I think I rule like this would work: rdr on $wireless_if proto tcp tagged ! WIFI from any to any \ port www - ($wireless_if) but I get a syntax error when I try to load the ruleset. So I wonder if I can use the tagged keyword with rdr, and if I can't what are the alternatives? From man pf.conf rdr-rule = [ no ] rdr [ pass ] [ on ifspec ] [ af ] [ protospec ] hosts [ tag string ] [ - ( redirhost | { redirhost-list } ) [ portspec ] [ pooltype ] ] So you can't use 'tagged' here. I think from the pf point of view it wouldn't make too much sense anyway, because rdr happens before anything else -- so there actually can't exist any rule which would have already tagged the packet. sure it can, from bridge or another interface. I basically just forgot tagged on rdr/nat rules. maybe i find a little time after that other pf diff is out of my tree... should be trivial to add. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: blocking DHCP requests
* Ed White [EMAIL PROTECTED] [2004-10-04 18:32]: On Sunday 03 October 2004 01:10, Camiel Dobbelaar wrote: dhcpd (like tcpdump) uses bpf/libpcap, which gets a copy of the network data before pf does. This means you cannot use pf to filter what gets to dhcpd. Quoting from here: http://www.onlamp.com/lpt/a/4839 Federico: If I'm not wrong, tools that use raw access to network data bypass PF because the filtering happens after. How can this be solved? Is this a behavior you want to change? HB: This is not true. It is true that bpf is outside pf. This is actually very good for debugging. We might add a possibility for bpf-based tools to request to be hooked in before pf. It might be useful for the dhcp programs. But then, that is not a real-world problem ??? I have privilege revoked dhcpd and dhcrelay so that they don't run as root anymore, and canacar@ helped out with bpf write filters (we have read filters already) and lock the bpf device so that no changes in those filters are possible anymore. Especially for dhcpd that means that one very worrysome piece of code is now locked away that nicely that you don't have to worry much anymore. And of course besides the privdrop and bpf security work, we cleaned that mess up big time... The most worrysome of those programs is now dhclient which is scary, huge and still runs as root ??? even given we cut about half of its code out already. I have it running privilege separated on my machine already... RM: I don't see this as a problem, and don't think that this will be changed. CEA: This is by design, and I do not want/see this behavior changing. We have introduced bpf security extensions to solve this problem on a case-by-case basis. We are going through every program in the tree and modify them to use the security extensions and drop/separate privileges. At some point we may also start looking at critical applications in the ports tree. Who's right ? if you bothered to read what you posted you'd see that all of camiel, Ryan, Can and me say the same. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: pf pauses in sending traffic
* Claudio Jeker [EMAIL PROTECTED] [2004-09-14 14:02]: I think you got hit by a fxp bug that was fixed after 3.5. The problem was that somehow the fxp card did no longer generate an interrupt and so the watchdog timer reseted the card after 20 seconds. This only happened on havily loaded links (many interrupts). this required THAT a high load that I somehow doubt this is what is seen here. bob myself triggered that while synflooding a box for testing something in pf, and we were sending a LOT of SYNs ;) -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: is amd64 a good choice ?
* Mipam [EMAIL PROTECTED] [2004-09-02 15:52]: On Thu, 2 Sep 2004, Ryan McBride wrote: On Wed, Sep 01, 2004 at 03:09:49PM +0200, Henning Brauer wrote: You are speculating, and you don't really knwo what you are talking about here... sorry, no GigE chipset interrupts per packet. I beleive re(4) does, at least with the OpenBSD driver. But if you are using this cheap, low-end gigabit chipset for your high-performance firewall you are very, very silly. and if there should be one ditch it and use something better. Like em(4) or sk(4). Thanks for the answers. I wasn't using realtek stuff in the machines here. A bought not too expensive intel 82541GI nics and they work just fine. The thing which confused me is that intel's specs for this card didnt include interrupt mitigation and for the server model (82545, PWLA8490MT) it did. Anyway, both cards perform well, the link below has a comparison between the 3COM / Marvell 940, Broadcom BCM5705, Intel 82547EI / CSA, Realtek RTL8110S, Intel 82541GI. pretty useless, only driver + hardware is interesting, not hardware alone. a good NIC for which we have no docs and no help from the vendor will likely suck hairy moose balls... Another thing is that most servers from dell and compaq these days come by default with broadcom card onboard. :-( bges are pretty acceptable too.
Re: is amd64 a good choice ?
* Mipam [EMAIL PROTECTED] [2004-09-01 12:48]: On Wed, 1 Sep 2004, Alain wrote: We're working on an openbsd/pf based GigE firewall. I would like to know if amd64 is a good architecture choice ? Will it be better than i386 ? In the pf developer interview, 64 bit architecture is recommended, but they don't really explain why. I wonder, because when threading will be supported and smp will be present in OpenBSD, HT will prove usefull as well. Of course it will require a rewrite of the network stack from running under the single Giant kernel lock to permitting it to run in a fully parallel manner on multiple CPUs (as is being done in fbsd). Maybe pf need changing too at that time? I utterly do not believe in that. for first, what problem are you trying to solve please? I have yet to see the real worl situation where CPU usage from the network stack is a problem. second, all the locking is not free in terms of performance either. you want us to go the freebsd 5 route and give up on uniprocessor performance? I certainly don't. What will be faster, 64 bits architecture or multiple threads on multiple cpu's? I completely fail to see where a single amd64 CPU should not be sufficient for a pf firewall, as long as no proxies enter the game. If proxies enter the game you have active userland processes, they can benefit from the 2nd CPU. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: is amd64 a good choice ?
* Alain [EMAIL PROTECTED] [2004-09-01 16:04]: Can you give me your opinion about the choice between amd64 and i386 for an openbsd/pf firewall ? buy an amd64. you can still run that in i386 mode should something go wrong in amd64 mode, what I don't expect to happen at all.
Re: preventing state runaway
* Ed White [EMAIL PROTECTED] [2004-08-24 12:30]: On Tuesday 24 August 2004 00:10, Csillag Tamas wrote: AFAIK Openbsd 3.5 only use 64Mb memory for pf ruleset and state table someone posted here a link to the (unofficial?) patch, that changes that. Search in the archives for: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_table.c.diff?r1=1.47r 2=1.48 and I think this patch is for tables. It permit tables to use 768MB instead of 64MB. how about forgetting about this patchy patchy I dunno what I am doing but it might work? how about using 3.6 instead? snapshots are out there. it has shitloads of improvememts in that area. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: Moving an existing TCP connection to a different queue
* Ken Simpson [EMAIL PROTECTED] [2004-08-20 22:28]: Is there way in pf to move a particular TCP connection from one queue to another -- while the connection is still live? I don't imagine it would be really difficult; isn't it just a case of changing an entry in the state table? no, the state entry has a pointer back to the rule that caused its creation, and the queue ID to use is taken from the rule. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: How slow can you make a queue go?
* Ken Simpson [EMAIL PROTECTED] [2004-08-20 22:28]: I recently tried to set up a 10 bit per second queue and got the following error: pfctl: queue bandwidth must be larger than 5.59Kb My pf.conf looked like this: # Set up a default and slow queue. altq on $ext_if bandwidth 100Mb cbq queue { dflt, slow } queue dflt bandwidth 99Mb cbq(default) queue slow bandwidth 10b #... pass in on $ext_if proto tcp from any os {Windows XP} \ to any keep state queue slow Is there any hard and fast reason why the queue can't go slower than 5.59Kb? timer resolution. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: How slow can you make a queue go?
* Ken Simpson [EMAIL PROTECTED] [2004-08-21 12:17]: Is there any hard and fast reason why the queue can't go slower than 5.59Kb? timer resolution. So then perhaps I should have asked: Is there a way to make a connection move more slowly than 5.59Kbps using pf? yes, queue on an interface which is slower by itself :) And if not, how could that feature be added to pf? it has nothing to do with pf, we currently do not have higher resolution timers than to do 5.59Kbps on a 100 MBit/s interface easily available in the kernel.
Re: Moving an existing TCP connection to a different queue
* Ken Simpson [EMAIL PROTECTED] [2004-08-21 12:17]: Henning Brauer [20/08/04 22:35 +0200]: * Ken Simpson [EMAIL PROTECTED] [2004-08-20 22:28]: Is there way in pf to move a particular TCP connection from one queue to another -- while the connection is still live? I don't imagine it would be really difficult; isn't it just a case of changing an entry in the state table? no, the state entry has a pointer back to the rule that caused its creation, and the queue ID to use is taken from the rule. So then could you change that pointer to point at a different rule? horrid! I expect that to break in a 1000 ways. Where is the state table defined in the source? /usr/src/sys/net/pf.c, pfvar.h and pf_* - most state table stuff is in pf.c -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: DHCP pf and bridges
* Jason Opperisano [EMAIL PROTECTED] [2004-08-12 13:52]: i'm not an expert on this--but i've seen it posted multiple times on openbsd-misc that your cannot bridge with a wireless nic. bridging to a wi(4) in AP mode works just fine. bridging to a wi (and other drivers) in client or ad-hoc mode does not. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: PF '$if:network' syntax with more than one interface IP.
* Per-Olov Sjöholm [EMAIL PROTECTED] [2004-08-04 15:20]: But I also assumed that I should be able to use $if:1 as well when I have a inet alias in my hostname.fxp1 file. as aliases are just that, aliases, without a special hirarchy or order or such, this cannot possibly work. Which of the, say, 10 aliases is the omne referred to with fxp0:1? That cannot work. and, well, come on. you want a specific IP, so use that in your ruleset. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: pf macro syntax problems
* Russell Sutherland [EMAIL PROTECTED] [2004-06-30 07:02]: * Francis A. Vidal ([EMAIL PROTECTED]) [29 Jun 2004 21:47]: I think you're missing a comma in between $host1 and $host2. It should be: all_hosts = { $host1, $host2 } The commas do not seem to matter. The issue is that when the variables $host1 and $host2 are of the format: a.b.c.d/N the list syntax given above (with or without the commas) gives a syntax error. parser (actually, lexer) limitation; no good way to solve it found. I explained that like a year ago en detail. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: Diverting packets like IPFW DIVERT
* Ste Jones [EMAIL PROTECTED] [2004-07-03 09:14]: The new filter option in bpf (in current http://archives.neohapsis.com/archives/openbsd/cvs/2004-06/0798.html) allows frames to be passed to userland and dropped in the kernel if they match a bpf filter. please note that that is not fully there yet... callers have to be adjusted. -- Henning Brauer, BS Web Services, http://bsws.de [EMAIL PROTECTED] - [EMAIL PROTECTED] Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)