Failover bridge(4) with RSTP

2009-01-25 Thread Jason Dixon
I'm attempting to setup a failover bridge(4) configuration with RSTP for
rapid failover.  At this point I'm still tweaking the bridges and
switches.  We're using a Foundry LS648 for this test, so we don't have
Cisco's UplinkFast extension at our disposal.

We have two VLANs configured on the switch, each with 802.1w enabled and 
functioning normally.  Plugged into each VLAN is a single client and one
interface from each firewall.

10.20.0.2 - vlan200 - bridge0 - vlan300 - 10.20.0.3

Regardless of whether I use rstp (default) or stp (+ ifpriority/ifcost)
on the bridges, it always takes ~5 minutes to failover.  I noticed that
with stp enabled on the physical interfaces, the switch would
immediately show the correct bridge as the forwarding root.  With the
default rstp, the switch shows all ports as designated forwarding.

I've also tried disabling learning on the internal interfaces and adding
static entries for 10.20.0.3, but this has no effect on the recovery
time.

Any suggestions on getting a rapid failover working?

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


NetFlow Dashboard

2008-11-30 Thread Jason Dixon
NetFlow Dashboard is a BSD-licensed project that provides a web
interface for near real-time analysis of NetFlow traffic. It's
designed to aggregate network accounting data in such a way as to allow
easy diagnosis of traffic anomalies. It is not intended to replace
off-the-shelf utilities that measure bandwidth usage.

It's a decent PHB tool, but it has a long ways to go.  I've been
twiddling with this thing for a while and am now comfortable enough with
it to release it to the wild.  It runs fine in the default OpenBSD 
httpd(8) chroot using mod_perl.

I plan to throw together an OpenBSD port this weekend.  In the meantime, 
feel free to checkout a copy and try it out.  I welcome user feedback 
and bug reports.

http://www.netflowdashboard.com/
http://trac.netflowdashboard.com/netflowdashboard/wiki/InstallNotes

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


Re: super simple pf.conf that doesn't work as expected.

2008-11-26 Thread Jason Dixon
On Wed, Nov 26, 2008 at 12:52:47PM -0600, Patric wrote:
 My current pf.conf
 
 __
 ext_if = xl2
 int_if = xl1
 localnet = $int_if:network
 nat on $ext_if from $localnet to any -> ($ext_if)
 pass from { lo0, $localnet } to any keep state
 __
 
 this is pretty much the most basic natting pf.conf described in The
 Book of PF and I can't pass any traffic through it at all, pftop shows
 nothing, and I am starting to doubt my sanity, any help is greatly
 appreciated.

Did you enable net.inet.ip.forwarding?  Is pf actually enabled?  You're
not giving us much detail as far as your troubleshooting.
 
Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


Re: super simple pf.conf that doesn't work as expected.

2008-11-26 Thread Jason Dixon
On Wed, Nov 26, 2008 at 04:16:30PM -0600, Patric wrote:
 On Wed, 2008-11-26 at 14:37 -0500, Jason Dixon wrote:
  On Wed, Nov 26, 2008 at 12:52:47PM -0600, Patric wrote:
   My current pf.conf
   
   __
   ext_if = xl2
   int_if = xl1
   localnet = $int_if:network
   nat on $ext_if from $localnet to any -> ($ext_if)
   pass from { lo0, $localnet } to any keep state
   __
   
   this is pretty much the most basic natting pf.conf described in The
   Book of PF and I can't pass any traffic through it at all, pftop shows
   nothing, and I am starting to doubt my sanity, any help is greatly
   appreciated.
  
  Did you enable net.inet.ip.forwarding?  Is pf actually enabled?  You're
  not giving us much detail as far as your troubleshooting.
   
 # grep net.ip.forwarding /etc/sysctl.conf
 net.inet.ip.forwarding=1   # 1=Permit forwarding (routing) of IPv4 packets
 # grep pf /etc/rc.conf.local
 pf=YES
 pf_rules=/etc/pf.conf #
 pflog_enable=YES
 pflog_logfile=/var/log/pflog
 # uptime
  9:50AM  up 2 mins, 1 user, load averages: 0.30, 0.25, 0.11
 # pfctl -e
 pfctl: pf already enabled

What sort of tcpdump troubleshooting have you tried?

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


NYCBSDCon 2008 BoF (Sat, October 11 2008)

2008-09-11 Thread Jason Dixon
There will be a PF BoF session at this year's NYCBSDCon.  The BoF will
take place during the lunch break, in the main presentation room of the 
Davis auditorium.

http://www.nycbsdcon.org/2008/schedule.html

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


Re: Reality check

2008-09-10 Thread Jason Dixon
On Wed, Sep 10, 2008 at 05:37:24PM +1000, Rod Whitworth wrote:
 I'm suffering from sleep deprivation today so benzedrine.cx sounds
 inviting ;-)
 
 Anyway a friend has a problem and I'd like a check on the sanity of my
 hazy proposed solution.
 
 All addresses are fictitious.
 
 X has a webserver which has address 1.2.3.4 He wants to change his
 hosting to another provider where a new server will be given address
 5.6.7.8
 
 The time of changeover is not entirely under X's control but the
 domain's DNS is.
 
 X would like all traffic to proceed to/from 1.2.3.4 until 5.6.7.8 is
 ready and then switch with absolutely minimal downtime. Of course..
 
 My foggy brain says that it should be possible to use a box running pf
 to route requests arriving on one external interface (say 9.8.7.6) out
 another one (we have enough spare IPs on separate netblocks) to 1.2.3.4
 until cut-over time and then pf.conf swaps to sending it to 5.6.7.8.
 
 If we put 9.8.7.6 into the DNS as the webserver address we should be
 able to transparently route the traffic to whichever real webserver we
 wish .. I think.
 
 Then when all is stable we swap the DNS records to point to 5.6.7.8 and
 when no more traffic is seen to pass through our black box router we
 dispense with it.
 
 Will this scheme work? Do I need to use binat? (all addresses are
 global) does it matter if the webserver answers client requests and the
 traffic does not come back via the black box?

This is silly.  Just lower your DNS TTL and change your records whenever
the new box is up and ready for traffic.  Once your TTL has expired (old
one + new one) then you're guaranteed all requests are hitting the new
server.

Watching logs (as another reply suggested) doesn't work because you
never know when that last request will hit (unless you're managing your
TTL).

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


Re: Reality check

2008-09-10 Thread Jason Dixon
On Sep 10, 2008, at 7:51 AM, Fredrik Widlund [EMAIL PROTECTED] wrote:


Though some ISPs override DNS TTL, and the Microsoft IE browser itself
also does this. If it is business critical then a PF router can indeed
easily do this to catch the few cases where the old server is still
being used.


This exists no matter what you do.  Routing through an additional  
firewall/proxy, assuming both websites are live, does nothing to help.


-J.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Dixon
Sent: den 10 september 2008 13:14
To: Fubar
Cc: PF List
Subject: Re: Reality check

On Wed, Sep 10, 2008 at 05:37:24PM +1000, Rod Whitworth wrote:

I'm suffering from sleep deprivation today so benzedrine.cx sounds
inviting ;-)

Anyway a friend has a problem and I'd like a check on the sanity of my
hazy proposed solution.

All addresses are fictitious.

X has a webserver which has address 1.2.3.4 He wants to change his
hosting to another provider where a new server will be given address
5.6.7.8

The time of changeover is not entirely under X's control but the
domain's DNS is.

X would like all traffic to proceed to/from 1.2.3.4 until 5.6.7.8 is
ready and then switch with absolutely minimal downtime. Of course..

My foggy brain says that it should be possible to use a box running pf
to route requests arriving on one external interface (say 9.8.7.6) out
another one (we have enough spare IPs on separate netblocks) to 1.2.3.4
until cut-over time and then pf.conf swaps to sending it to 5.6.7.8.

If we put 9.8.7.6 into the DNS as the webserver address we should be
able to transparently route the traffic to whichever real webserver we
wish .. I think.

Then when all is stable we swap the DNS records to point to 5.6.7.8 and
when no more traffic is seen to pass through our black box router we
dispense with it.

Will this scheme work? Do I need to use binat? (all addresses are
global) does it matter if the webserver answers client requests and the
traffic does not come back via the black box?


This is silly.  Just lower your DNS TTL and change your records whenever
the new box is up and ready for traffic.  Once your TTL has expired (old
one + new one) then you're guaranteed all requests are hitting the new
server.

Watching logs (as another reply suggested) doesn't work because you
never know when that last request will hit (unless you're managing your
TTL).

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


Re: how two server can see each other on the net with same fw/lan

2008-09-09 Thread Jason Dixon
On Mon, Sep 08, 2008 at 06:45:16PM +0200, [EMAIL PROTECTED] wrote:
 
 
  The reflection method is indeed what you want.  You're only binat'g
  if the traffic makes it outbound.  The idea with reflection is to
  intercept the packets destined for the external hostname and redirect
  them on the internal interface to the intended server.  So you would
  have a binat rule for traffic out to the internet, and rdr/no-nat/nat
  rules for traffic to your own servers.
 
 
 
 thanks jason
 i'm happy the mail arrive to the list, even so late ;)
 (i think it was lost)
 
 i do that and it seems to work
 rdr on $if_int proto tcp from $int_net to publicIP port 80 -> privateIP
 
 nat on $if_int inet from privateIP2 to any -> publicIP2

You're missing the no-nat rule.  This shouldn't break the reflection
traffic but might cause adverse effects for other connections originating
from your firewall.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


Re: how two server can see each other on the net with same fw/lan

2008-09-08 Thread Jason Dixon
On Fri, Sep 05, 2008 at 06:55:38PM +0200, [EMAIL PROTECTED] wrote:
 
 hi everybody,
 my work now is to change a linux firewall with iptables to freebsd/pf/carp
 (they choose freebsd i can't say anything to change that execpt
 if in a new version of pf on openbsd i can resolve the problem below)
 
 i migrate 6500 lines of iptables with no problem in ten day
 there is 400 servers to filter and maybe more in the new datacenter 
 (1400/1700)
 
 the firewall do nat !
 
 they have something like this:
 iptables -t nat -I PREROUTING -d pub ip -j DNAT --to priv ip
 
 the idea behind is that two server on the same lan
 behind the firewall could be seen each other like they are on internet in
 different place,  they use webservices and they already deal with that.
 
 the first contact the second not on the lan but through the firewall with 
 public
 address.
 the firewall must be in production next week,
 they just told me this new thing they want this morning
 (and it was not in the first part i migrate)
 and i finish the last three hours i must do on this project.
 if i didn't win ;) they stay with iptables.
 
 i try some idea http://www.openbsd.org/faq/pf/rdr.html
 but most of what i do for the server is binat
 and not rdr.
 i can't deal with netcat for such a project , pftpx is already a bit dirty for
 them instead of conntrack
 thank you for your help

The reflection method is indeed what you want.  You're only binat'g
if the traffic makes it outbound.  The idea with reflection is to
intercept the packets destined for the external hostname and redirect
them on the internal interface to the intended server.  So you would
have a binat rule for traffic out to the internet, and rdr/no-nat/nat
rules for traffic to your own servers.


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


Re: Routing VPNs through a second interface.

2008-08-21 Thread Jason Dixon
On Wed, Aug 20, 2008 at 07:02:28AM -0700, Jeff Simmons wrote:
 Hello all.
 
 We have a OpenBSD firewall/vpn server with two external T1s.  The first T1 is 
 our main Internet connection and is set as the default gateway, the second is 
 exclusively for VPNs. We are having trouble routing the VPNs through the 
 second T1.
 
 At present, the VPNs are all set up between the second address and the remote 
 address:
 
 ike passive esp from $lan_net to $remote_lan_net peer $remote_gw_addr
 ike passive esp from $T1-2_addr to $remote_gw_addr
 
 On the firewall, we have the following:
 
 pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto 50 from any to 
 $T1-2_addr keep state
 
 pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto udp from any to 
 $T1-2_addr port 500
 
 This seems to work, but can be fairly unstable, with two (of six) of the VPN
 connections coming up and going down unpredictably. This may have nothing to 
 do with the pf ruleset, but I would still ask: is there a better way to do 
 this?

Add a static route for $remote_gw_addr through the appropriate gateway?

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


Re: Problem with carp group failover

2008-08-17 Thread Jason Dixon
On Thu, Aug 07, 2008 at 12:40:37PM -0700, Wadner Cadet wrote:
 Hi,
 I am experiencing an issue with my two OpenBSD firewalls. I have two carp 
 interfaces (carp1 and carp2). On carp2, there are 6 ip aliases (external ip 
 addresses). The two carp interfaces belong to the same carp group. When one 
 carp interface fails, the other carp interface is not shifted to fail, which 
 means carp does not fail over as a group. This created a big problem, one 
 carp interface is master and the other one is backup on the same host.
 
 Any help will be highly appreciated.

It sounds like you don't have net.inet.carp.preempt enabled.  We need more
information (read: configs) to help you.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


Re: SMTP sessions start (loose state match) but then abruptly get blocked

2008-08-17 Thread Jason Dixon
On Thu, Aug 07, 2008 at 02:31:50PM -0600, Dale Carstensen wrote:
 I'm trying to migrate between upstream providers, and that involves
 changing the IP addresses.  I'm using an OpenBSD 4.3 host with 4 NIC
 ports as the initial router to accomplish this.
 
 On the mail server, I assigned two public addresses, the old and new
 ones, and announced both in DNS.  Now when SMTP delivery is attempted
 through the pf scheme, the prompt for EHLO/HELO always gets through,
 then maybe the actual EHLO does.  Sometimes it gets through MAIL, RCPT
 and DATA, but never gets to the final . after the message
 content.
 
 If I disable pf, it works!  All the other needed NAT, filtering,
 etc., obviously doesn't, though.  I thought these rules would
 cover it, but somehow they don't:

We need to see your entire ruleset.  Guessing sucks.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


Re: Weird delay on reponses to incoming connections

2008-07-29 Thread Jason Dixon
On Mon, Jul 28, 2008 at 05:28:58PM -0500, Fred Newtz wrote:
 I have two machines setup on OpenBSD with PF, Carp and pfsync.  They are
 acting as a NAT device between the internet and a few servers located at
 my colocation facility.  I am not trying to do anything too fancy here,
 I just want some basic protection.   
 
 The problem I am having is that when a new connection is started, there
 is a huge delay while I am waiting for a response from one of my
 machines.  For example:
 
 I try to ssh into a web server.  It takes about 20 seconds for the
 password prompt to appear.  But when I am inside the network and ssh
 from one machine to another the password prompt opens immediately.  When
 I visit one of my web pages the first page seems to load properly, but
 when a link is clicked, there is a long delay and then the page loads
 quickly after the long delay.  

Alas, I'm too tired to review your ruleset, but I don't think it matters
anyways.  Delays of the variety you've described scream DNS.  Check
your resolvers and your authoritative nameservers to make sure
everything operates as expected.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


Re: Firewall and the best PF throughput

2007-08-15 Thread Jason Dixon
On Tue, 14 Aug 2007 12:04:33 -0700, [EMAIL PROTECTED] wrote:
 Hello,
 
 What could be the throughput that a firewall working with OpenBSD 4.1
 and PF can reach with 2 and with 4 interfaces fast ethernet ???

This question boggles my mind.  The theoretical maximum is whatever standards 
your hardware is specified to handle, but of course that's not possible.  The 
answer would rely on a seemingly infinite number of parameters (cpu, memory 
[state/frag limits], driver quality [irq handling], packet size, switch 
capacity/performance, physical cabling, etc).

P.S.  The one absolute I can answer for you is to bypass 4.1 and use -current.  
There were numerous PF performance advances made at c2k7.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: bringing pf (4) to OS X via Network Kernel Extension (NKE)

2006-10-31 Thread Jason Dixon

On Oct 31, 2006, at 5:52 AM, Ryan McBride wrote:


On Mon, Oct 30, 2006 at 01:41:48AM -0500, Joseph Gorse wrote:

I'm posting my intention to port pf (4)
(http://www.freebsd.org/cgi/man.cgi?query=pf&sektion=4) to an NKE for use
as a replacement or complement to the current ipfw2 that is available in
current Mac OS X.


FreeBSD version will be interesting to from the perspective of a porting
effort, because you'll see what portability gunk they've added. But
you'll probably want to at least have a look at the OpenBSD version. The
FreeBSD port of PF lags somewhat behind ours, and there is a fair bit of
active development currently being done.

However, OpenBSD has traditionally made no particular effort to ensure
that PF is portable across the BSDs, and some of PF's more advanced
features depend on features in other parts of the kernel.  I'm not
familiar with the OS X kernel, so I can't say how hard it's going to be
to wedge the PF bits in there, but you may not be able to support
everything without significant buy-in and assistance from other OS X
developers.


I've posted my intentions in the darwin-dev list as well, asking
advice about Apple's NKE.

I am soliciting any advice you have before I undertake this task. It
seems sane enough to me to want kernelland pf where my only current
options ipfw2 with userland natd for NAT and throttled for QoS.


Seems sane to me as well, and it would be nice to see the BSD standard
for packet filtering available on OSX as well.

Are you thinking of porting CARP and pfsync as well?


For what it's worth, I had a conversation with Jordan Hubbard at  
OSCON '05.  After seeing the demo we were running at the BSD booth,  
he mentioned that Apple was looking at porting CARP to OS X.  I've  
seen nothing in the Leopard preview pages to suggest it's on the  
horizon.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: Traffic actually sent out of queues

2006-08-27 Thread Jason Dixon

On Aug 27, 2006, at 7:55 AM, Federico Giannici wrote:

I'm setting up a firewall with queues and I'd like to know how much  
traffic of a given class was ACTUALLY sent out of an interface  
(i.e. not dropped by a queue). I mark the classes by means of labels.


I have a couple of questions:

1) Let's assume that every queue contains the traffic of only a  
single class. What is the amount of traffic sent OUT of the queue?  
In the statistics showed by pfctl -vs queue there are two values:  
one is the amount of dropped traffic, and the other?


The amount of passed traffic.

Is it the traffic sent OUT, or is the traffic sent INTO the queue  
(so I have to subtract the amount of the dropped one)?


Huh?

2) If the queues contain the traffic of more than a class, is there  
a way to know the amount of traffic that actually was sent out (not  
dropped by a queue) for every single class?
The statistics showed by pfctl -vs labels count the traffic  
ENTERED in the queue, even for pass OUT rules?


If a packet matches a rule (or an existing state that matches a rule)  
that uses the queue keyword, that packet gets assigned to the queue.   
Any passed packets (or dropped packets) that are assigned to a queue  
count towards the passed pkts/bytes and dropped pkts/bytes  
statistics shown by pfctl -vsq.


Perhaps I don't understand your question.  The answer seems simple  
enough.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: pf.conf defaults for options

2006-05-06 Thread Jason Dixon

On May 5, 2006, at 2:35 PM, Gustavo A. Baratto wrote:


Hi all...

Is there any easy way to find out what the defaults are for the options?

Things like timeout, limit, debug, etc have no default values made
explicit in the man page for pf.conf (openbsd 3.9)

Any pointers?


man 8 pfctl
pfctl -st
pfctl -sm
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfvar.h
etc...


Thanks a lot ;)


No problem.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: pf.conf defaults for options

2006-05-06 Thread Jason Dixon

On May 5, 2006, at 6:21 PM, Gustavo A. Barato wrote:


Thanks for answers...

Correct me if I'm wrong, but I guess pfctl -st, and pfctl -sm don't
actually show the out-of-box defaults, right? They show the current
values...

True that I could find out the defaults by loading pf with an empty
ruleset (or flushing the rules maybe?) and execute those commands, but
this is a production FW that I have not built myself, and I cannot just
flush the rules for no reason.

So, maybe a feature request would be an option in pfctl to show all the
defaults. I wish I was savvy enough in C to write that myself.


Or you could just look in the source like I suggested...


http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfvar.h



--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




QoS with Multiple VLANs + HTTP Proxy

2006-03-27 Thread Jason Dixon
I have a site with an OpenBSD firewall pair routing 12 internal VLANs  
(11 client networks, 1 DMZ).  All of the client HTTP traffic is  
redirected to a Squid proxy on the DMZ.  I'm using altq with cbq for  
queuing all of the outbound traffic, but I can't seem to wrap my head  
around a good way of queueing while using the proxy.


With the current ruleset, clients are properly assigned to the  
http_out queue, but then the connection from the proxy is going to  
duplicate their traffic in altq.  Even if don't queue outbound  
traffic from the proxy, the packets are going to be counted towards  
the default queue, skewing my totals.  Has anyone come up with an  
effective QoS design for dealing with proxies handling multiple  
networks?


(Note: I would post the ruleset, but it's over 600 lines long.)

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: carp bug?

2006-01-27 Thread Jason Dixon

On Jan 27, 2006, at 10:48 AM, Karl O. Pinc wrote:


On 01/26/2006 04:49:28 PM, Jon Simola wrote:


Try adding carpdev into your hostname files, and in my experience
creating the carp and adding the IP address to it in separate commands
works better, ala:
# cat /etc/hostname.em0
inet 10.0.3.4 255.255.252.0 NONE
# cat /etc/hostname.carp8
carpdev em0 vhid 8 pass bloogh advbase 200 advskew 1
inet 10.0.0.8 255.255.252.0
up


I'm curious as to what difference it makes.


None, from my experience.  Sounds like misinformation to me.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: setting up pfsync and carp

2006-01-05 Thread Jason Dixon

On Jan 5, 2006, at 3:18 PM, Kilaru Sambaiah wrote:

  unease. Carp interface can have aliases? Is it a good idea? What is
the best way to go about it?


Yes.

$ cat /etc/hostname.carp0
inet 10.0.0.2 255.255.255.0 10.0.0.255 carpdev em0 vhid 1 pass foo
inet alias 10.0.0.3 255.255.255.0 10.0.0.255 carpdev em0 vhid 1 pass foo
inet alias 10.0.0.4 255.255.255.0 10.0.0.255 carpdev em0 vhid 1 pass foo

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




PF not keeping state

2005-12-17 Thread Jason Dixon
I'm taking a stab at the dark here that someone can think of  
something silly that I've overlooked.  I've been working on a fairly  
complex ruleset for a network of 10 vlans, all with CARP interfaces.   
I finally realized after much chagrin that the old adage of always  
filter on the physical interface doesn't necessarily apply when  
you've got vlan (4) and carp (4) involved.  After changing all of my  
nat/binat translations to act on vlan0 (external) and my filter rules  
to also filter on the vlan interfaces, almost everything is working.


For some reason, I have one vlan that simply refuses to pass traffic  
*correctly*.  I can confirm that the packets are being filtered by  
the correct rules both inbound on the internal interface and outbound  
on the external (pass in/out log ... keep state).  I can also vouch  
that the states are being created.  However, for some reason, it  
seems as though the system refuses to honor the returning packets.   
For ping, it sees a few echo replies before issuing a host  
unreachable.  For tcp, it acts as though the packets were lost and  
simply retransmits.  The only thing I can think of right now is that  
perhaps it's because I'm filtering in all directions on all  
interfaces, even though the state policy is left as floating.  I  
don't think this is relevant, however, since this behavior only  
happens on a single network.


For the time being, I'm going to avoid posting the pf.conf.  I know  
this is a faux pas, but I'm terribly embarrassed to let anyone see it  
at this point.  Once I've re-introduced the anchors, perhaps.  :)


Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: PF will not redirect to internal boxes

2005-11-30 Thread Jason Dixon

On Nov 30, 2005, at 10:31 AM, Elijah Savage wrote:

I am trying to redirect web and mail service to a internal server  
on the local lan this is my entire pf.conf below and I just can't  
figure out for the life of me why this does not work. I did a fresh  
install from 3.6 to 3.8 on a sparc 20 and I am starting to believe  
something did not go right with the install though it went on  
cleanly. I would appreciate greatly someone giving me a sanity  
check. My internal clients can get out through the firewall to the  
net. I have took out all the fancy altq stuff I had in 3.6 and  
dumbed it down as much as possible to what you see below.


I believe you are referring to Reflection.
http://www.openbsd.org/faq/pf/rdr.html#reflect

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: PF will not redirect to internal boxes

2005-11-30 Thread Jason Dixon

On Nov 30, 2005, at 1:05 PM, Elijah Savage wrote:


Anthony Oteri wrote:

I was just having this problem last night and just found the solution
in the pf faq
you may want to look here.

 http://www.openbsd.org/faq/pf/rdr.html#reflect

The bottom of this page describes 3 separate approaches for doing what
you want to do.

On 11/30/05, Elijah Savage [EMAIL PROTECTED] wrote:

I think you misunderstood I can get out through the firewall and the
mail can be sent to internet host, but internet host can't reach the
internal host as my ruleset has exactly what the pf.faq has in it for
redirection that was the first page I hit when this did not work. But I
will give Peter's suggestion a try.


It sounds like you didn't read the link Anthony and I provided.  It  
explains that when you redirect as you are, that the destination  
address changes (to the internal server), but the source address  
stays the same (your client).  When the server receives the SYN and  
attempts to ACK the connection, it does NOT send the packet back  
through the firewall;  it sees the client as existing on the same  
LAN, so it attempts direct delivery to the client.  The client, not  
recognizing any connections from internal server, discards the packet.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
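The rdr/no nat/nat rule set that this reply and the 2008-09-09 reply ("You're missing the no-nat rule") both describe, as an added example that is not from the list thread or the OpenBSD FAQ: a small POSIX shell generator that emits the reflection rules for any number of internal servers in the pre-4.7 pf syntax used on this list. The macro names `ext_if`, `int_if` and `int_net` and the addresses in the sample input are assumptions; the macros must match the ones defined at the top of your own pf.conf, and the output is meant to be reviewed with `pfctl -nf` before loading.

```shell
#!/bin/sh
# Added example (not from the list thread): emit pf "reflection" rules so LAN
# clients can reach LAN servers through their public addresses, using the
# pre-4.7 binat/rdr/nat syntax the thread discusses.  Input on stdin is one
# "public_ip private_ip port" triple per line; "#" starts a comment.  The
# macro names (ext_if, int_if, int_net) are assumptions and must match the
# macros defined earlier in your pf.conf.

reflect_rules() {
    ext_if="$1"; int_if="$2"; int_net="$3"
    # Collect the triples once so each rule group can be emitted in order.
    triples=$(grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$')

    # 1. binat: servers talking to the internet appear as their public IPs.
    printf '%s\n' "$triples" | while read -r pub priv port; do
        printf 'binat on $%s from %s to any -> %s\n' "$ext_if" "$priv" "$pub"
    done

    # 2. no nat: exempt the firewall's own connections to the LAN from the
    #    source NAT below (the rule the 2008-09-09 poster was missing).
    #    Emitted once, and before the nat rules, because translation rules
    #    are first-match.
    printf 'no nat on $%s proto tcp from $%s to $%s\n' "$int_if" "$int_if" "$int_net"

    # 3. rdr + nat per server: rewrite the destination to the private IP,
    #    then rewrite the source to the firewall's internal address so the
    #    server's replies come back through the firewall instead of being
    #    delivered directly to the client on the same LAN (and discarded).
    printf '%s\n' "$triples" | while read -r pub priv port; do
        printf 'rdr on $%s proto tcp from $%s to %s port %s -> %s\n' \
            "$int_if" "$int_net" "$pub" "$port" "$priv"
        printf 'nat on $%s proto tcp from $%s to %s port %s -> $%s\n' \
            "$int_if" "$int_net" "$priv" "$port" "$int_if"
    done
}

# Stand-alone demo with constructed addresses (RFC 5737 public, RFC 1918
# private).  On a real firewall:  reflect_rules ext_if int_if int_net < servers.txt
reflect_rules ext_if int_if int_net <<'EOF'
# public_ip     private_ip     port
203.0.113.10    192.168.1.40   80
203.0.113.11    192.168.1.41   25
EOF
```

The order matters: pf evaluates translation rules first-match, so the single `no nat` line has to precede every `nat` line, otherwise the firewall's own connections to the LAN get translated too, which is the side effect the 2008-09-09 reply warns about.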




Re: mailing list archive broken

2005-10-11 Thread Jason Dixon

On Oct 11, 2005, at 3:38 AM, Travis H. wrote:


FYI, this archive:

http://www.benzedrine.cx/pf/

Has not been archiving since 12 Apr 2005.


Don't need it.
http://marc.theaimsgroup.com/?l=openbsd-pf&r=1&w=2

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net





Re: pf/carp for redundant production use

2005-09-26 Thread Jason Dixon

On Sep 26, 2005, at 1:31 AM, Neil wrote:


Hi Jason,
I would like to try your #1 suggestion but unfortunately, I don't  
know where to start. What are the programs I need? What  
configuration? Is there any existing sample configuration on a link  
that I can follow?

Thanks for explaining this in very detail.


Please stop top-posting.

Always start at the man pages; there is an example given (man 4  
carp).  There is a similar configuration in my NYC BSD Con slides  
(http://www.dixongroup.net/NYCBSDCON/); see the Advanced Example.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: pf/carp for redundant production use

2005-09-26 Thread Jason Dixon

On Sep 25, 2005, at 8:30 AM, Neil wrote:

Yep, the same behavior when the master dies. The solution that the  
person in #pf told me is use routing but I don't know how to  
implement. He told me that it's an issue in pf's NAT.


Bullshit.

Ok, here is the layman's description of the problem and the practical  
solution(s) to it.  I'd love to be able to explain why interfaces  
recovering from INIT don't reclaim MASTER faster than they do (approx  
30 seconds in my tests), but I don't understand the code-level  
logistics of everything.  Hint:  This is only a problem using single  
CARP hosts with preemption.


PROBLEM:

With a simple CARP design using a single CARP host on each segment  
and preemption enabled, failover occurs as expected in the case of  
any system offline condition (server crashes, admin reboots, etc).   
If a single interface goes from MASTER to INIT state (cable gets  
pulled, cable goes bad, card goes bad, etc), the 2nd interface on  
that system will go into BACKUP mode as expected.  Traffic will route  
across the new MASTER, and will continue to do so while the failed  
system is in an INIT/BACKUP state.


However, if the failed interface returns from INIT to an available  
mode (we plug the cable in), we notice that the 2nd interface  
reclaims MASTER almost immediately, but the restored interface does  
not.  It becomes a BACKUP host, which leaves us with a routing  
impossibility:


  BACKUP          MASTER
   carp0           carp0
     |               |
   host1           host2
     |               |
   carp1           carp1
  MASTER          BACKUP

Any internal clients will attempt to send traffic through the new  
gateway (host1), although neither system has any way of routing the  
traffic properly (not without some hokey static routes bypassing the  
CARP hosts).  NOTE:  I have found that the original MASTER does  
indeed return to the correct state, approximately 30 seconds later.   
This is reproducible, but YMMV.


SOLUTION:

1) If you really are concerned about a partial system failure (unplugged
cable, bad card, etc), then scrap the single CARP host/segment design and
use arpbalance with multiple CARP hosts.  The same partial-failure test
using 2 CARP hosts on each segment with arpbalance resulted in a perfect
failover and recovery with no packet loss.


2) This is not tested, but I suspect that you should be able to use  
the new interface grouping features in 3.8 to simply assign multiple  
physical interfaces to the same group.  Even if one fails, the other  
*should* maintain the MASTER state and avoid any partial failure  
consequences.  I'd love to hear from other users or developers that  
have tried the grouping feature in this sort of scenario.



--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
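A small detector for the "routing impossibility" described in the PROBLEM section above, written here as an added example (it is not part of the original post). It parses `ifconfig` output from each CARP host and flags any host that is MASTER on one segment but not on the other, plus any carp interface with zero or more than one MASTER across the pair. The ifconfig snippets are constructed to mimic 3.x-era OpenBSD output, and the exact `carp: STATE ...` line format is assumed.

```python
"""Detect inconsistent CARP state across a pair of firewalls.
Added example for this thread, not code from the original post.
The ifconfig output below is constructed; the 'carp: STATE vhid ...'
line format is assumed to match what ifconfig(8) prints."""
import re

IFACE_RE = re.compile(r"^(\w+\d+): flags=")
STATE_RE = re.compile(r"^\s+carp: (MASTER|BACKUP|INIT)\b")

# Constructed snapshot of host1 right after its carp0 cable was plugged
# back in: carp1 reclaimed MASTER, carp0 did not.
HOST1 = """\
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP vhid 1 advbase 1 advskew 0
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER vhid 2 advbase 1 advskew 0
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
"""

# Constructed snapshot of host2 at the same moment: the mirror image.
HOST2 = """\
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER vhid 1 advbase 1 advskew 100
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP vhid 2 advbase 1 advskew 100
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
"""


def parse_carp(ifconfig_output):
    """Return {interface name: CARP state} for every carp interface found."""
    states, current = {}, None
    for line in ifconfig_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = STATE_RE.match(line)
        if m and current:
            states[current] = m.group(1)
    return states


def split_hosts(snapshot):
    """Hosts that are MASTER on some carp interfaces but not on all of them.
    Clients on one segment will pick such a host as gateway while the
    return path lives on the other host: the diagram in the post above."""
    bad = []
    for host, states in sorted(snapshot.items()):
        values = set(states.values())
        if "MASTER" in values and len(values) > 1:
            bad.append(host)
    return bad


def master_count_errors(snapshot):
    """Per carp interface name there must be exactly one MASTER in the pair.
    Returns [(name, [hosts claiming MASTER]), ...] for every violation."""
    errors = []
    names = sorted({n for states in snapshot.values() for n in states})
    for name in names:
        masters = sorted(h for h, s in snapshot.items() if s.get(name) == "MASTER")
        if len(masters) != 1:
            errors.append((name, masters))
    return errors


if __name__ == "__main__":
    snap = {"host1": parse_carp(HOST1), "host2": parse_carp(HOST2)}
    print("split hosts:", split_hosts(snap))
    print("master count errors:", master_count_errors(snap))
```

Run it in the same `while true; do ... sleep 1; done` loop one would use with `ifconfig -a | grep carp`, feeding it each host's output, and the inconsistent window (about 30 seconds in the post above) shows up immediately.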




Re: pf/carp for redundant production use

2005-09-26 Thread Jason Dixon

On Sep 26, 2005, at 11:07 AM, Chad M Stewart wrote:


On Sep 25, 2005, at 9:39 PM, Jason Dixon wrote:


On Sep 25, 2005, at 8:30 AM, Neil wrote:

Yep, the same behavior when the master dies. The solution that  
the person in #pf told me is use routing but I don't know how to  
implement. He told me that it's an issue in pf's NAT.


2) This is not tested, but I suspect that you should be able to  
use the new interface grouping features in 3.8 to simply assign  
multiple physical interfaces to the same group.  Even if one  
fails, the other *should* maintain the MASTER state and avoid any  
partial failure consequences.  I'd love to hear from other users  
or developers that have tried the grouping feature in this sort of  
scenario.


Can you share where one might read more about the interface  
grouping features of 3.8?


Sorry, I meant to refer to the new trunking features (man 4 trunk).

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: Regarding Problems with Porting pf

2005-09-08 Thread Jason Dixon


On Sep 8, 2005, at 6:30 AM, arun kumarn wrote:


Hi

I am planning to port your Packet Filter to a Linux machine.
While going through some material I came across the following sentence:


 "Performance of the OpenBSD Packet Filter firewall is fast, since it is
integrated with the OpenBSD IP stack. With this it avoids the overhead of
other firewalls that are implemented as user level programs."

I just want to know whether
 it is sufficient to port the code you have written with little
modification,
or else
whether I need to port the entire IP stack of OpenBSD and the code
you have written?


LOL, that's a good one.  Linus, quit playing around.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: failover with CARP

2005-07-25 Thread Jason Dixon

On Jul 25, 2005, at 3:12 AM, peceka wrote:


Hi,

I need to design some failover techniques for my servers. Searching the
net I've found some articles about pf+carp.
All the articles describe how to use it, but I didn't see any opinions from
users who have deployed such solutions. Can you tell me something about
your experience of using this?


It works great.

To add more failover for my servers I'm thinking about something  
like this:


  router
  |
FW#1FW#2
   | |
WEB#1  WEB#2

FW#1 and FW#2 - mirrors; public IPs - OpenBSD (pf+CARP).
WEB#1 and WEB#2 - mirrors; private IPs - FreeBSD (without CARP).

So if one of the FW#? boxes goes down everything works. But how do I make
everything work when one of the WEB#? boxes goes down? I'm thinking about
some scripts which run on the FWs and test the availability of services
on the WEBs, and when one of the WEBs goes down the scripts update the rdr
rules.
What do you think about it?
Or maybe run CARP on WEB#1 and WEB#2 too?


Yes.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: single box Newbie ques

2005-07-24 Thread Jason Dixon

On Jul 23, 2005, at 2:44 AM, Gene wrote:

I have installed Obsd 3.5 on my 2nd hd and configured ppp but I  
am unable to find any pf conf examples
which deal with only one computer.  (no network card)  Is there a  
macro name to use that does not point to a nic?


I guess what I'm asking is, can pf be used w/o a network to  
harden my desktop?


PF doesn't point to a nic.  It filters network interfaces, such as  
ppp0.  ;-)



--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: Newbie question.

2005-06-22 Thread Jason Dixon

On Jun 21, 2005, at 10:00 PM, Jason Opperisano wrote:


priv_nets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
!192.168.2.0/24 }


i'm certainly missing something here, as i am somewhat new-ish to pf
(long time with ipf, though)...

the above macro definition of priv_nets will create the rules:

  block drop in quick on ep0 inet from 127.0.0.0/8 to any
  block drop in quick on ep0 inet from 192.168.0.0/16 to any
  block drop in quick on ep0 inet from 172.16.0.0/12 to any
  block drop in quick on ep0 inet from 10.0.0.0/8 to any
  block drop in quick on ep0 inet from ! 192.168.2.0/24 to any

where the second rule will drop traffic from 192.168.2.0/24, and the
fifth rule will effectively drop all other traffic.


Duh, thanks for catching that.  I shot from the hip while running out 
the door for a meeting.  :-P


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
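The expansion Jason Opperisano walks through above, modelled in Python as an added example (not code from the thread): the macro list is expanded into one rule per element, the rules are evaluated first-match, and a separately constructed ruleset shows one way to except the router's network explicitly instead of negating it inside the list. The first-match evaluator is a simplified model of pf (every rule here is `quick`, no state), and `decide` is a name chosen here.

```python
"""Expand a pf list macro into per-element rules and evaluate them
first-match, to show why '!192.168.2.0/24' inside the list does not
carve out an exception but instead blocks everything else.
Added example; simplified model of pf, not pf's own parser."""
import ipaddress

# The macro exactly as posted in the thread.
PRIV_NETS = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
             "!192.168.2.0/24"]


def expand_list(action, items):
    """pf turns 'from { a, b, !c }' into one rule per element; the '!'
    stays attached to its own element, so the resulting rule matches
    every source that is NOT in that network."""
    rules = []
    for item in items:
        negated = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"))
        text = "%s in quick on ep0 inet from %s%s to any" % (
            action, "! " if negated else "", net)
        rules.append({"action": action, "net": net,
                      "negated": negated, "text": text})
    return rules


def decide(rules, src):
    """First-match evaluation (all rules are 'quick').
    Returns (action, rule index) or ("pass", None) when nothing matches,
    which is pf's default when no rule applies."""
    addr = ipaddress.ip_address(src)
    for i, rule in enumerate(rules):
        # A negated rule matches when the address is *outside* the net.
        if (addr in rule["net"]) != rule["negated"]:
            return rule["action"], i
    return "pass", None


# The thread's macro as written: rule 5 blocks every other source.
BROKEN = expand_list("block drop", PRIV_NETS)

# One correct shape (constructed here): pass the router's network
# explicitly before blocking the RFC1918 ranges. The wider
# 192.168.0.0/16 block still rejects the rest of that range.
FIXED = expand_list("pass", ["192.168.2.0/24"]) + \
    expand_list("block drop", PRIV_NETS[:4])


if __name__ == "__main__":
    for rule in BROKEN:
        print(rule["text"])
    for src in ("192.168.2.1", "8.8.8.8"):
        print(src, "->", decide(BROKEN, src), "/", decide(FIXED, src))
```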



Re: Newbie question.

2005-06-21 Thread Jason Dixon

On Jun 21, 2005, at 6:24 PM, Bill Swisher wrote:

After reading over the pf-faq.pdf file I have, at this time, one 
question.  The home/small office example assumes that the internet 
lives off of ep0.  In my case this is partially true.  What really 
is there is a router running on the network 192.168.2.* (my internal 
network is the standard 192.168.1.*) and if I use the command block 
drop in quick on $ext_if from $priv_nets and its corresponding 
output block I'd pretty much be sitting deaf and mute, as far as the 
rest of the computing world goes, near as I can figure.


I like that router!  It does the PPPoE for me, along with minimal 
blocking.  I don't want to toss it.


Anyone have a way around this?


priv_nets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 
!192.168.2.0/24 }


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Keep state + bridge weirdness

2005-06-07 Thread Jason Dixon

On Jun 6, 2005, at 3:00 PM, Kelley Reynolds wrote:


On Jun 6, 2005, at 9:27 AM, Jason Dixon wrote:

Sorry, missed your comment before about only having that one rule.  
Well, I'm sure that the rule you've posted will cause you headaches 
since it's filtering on all interfaces.  Try the following rule:


pass on rl0 keep state

This should create the necessary states, both inbound and outbound, 
for all traffic.  The rule you've attempted not only filters and 
keeps state on *all* interfaces, but it neglects inbound traffic.


Man, how I wish that would've worked. Same problem.. FTP dies at 96K. 
That number has to be significant for something, it's the same every 
time.


You mention that this happens whether the FTP server is on the other 
side of the bridge or not.  Please describe the tests you've performed 
and where each host resides with regards to the topology.  Also, have 
you tested this with other protocols like scp?


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Keep state + bridge weirdness

2005-06-06 Thread Jason Dixon

On Jun 3, 2005, at 6:19 PM, Kelley Reynolds wrote:

Having an odd problem... a bridge configured such that one of the 
interfaces has an IP works fantastically, until pf is enabled with the 
following rule (and only the following rule)


pass out keep state

then repeatably, things start to break.

Now, when FTPing from one machine to another (whether they are both on 
the inside of the bridge or not), the transfer will stop after 96k. 
Every time. If I take off the keep state rule, the transfer will work 
just fine. Now, on the bottom of 'man bridge', it says that a bridge 
should only keep state on one interface, so I tried lots of variations 
of the keep state rule to limit it to one interface, incoming, 
outgoing, didn't matter. This is on OpenBSD 3.7 with two rl NICs, but 
this problem also occurred on 3.6. Any ideas?


Not until you post the output of ifconfig -A and your /etc/pf.conf.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Keep state + bridge weirdness

2005-06-06 Thread Jason Dixon

On Jun 6, 2005, at 8:18 AM, Kelley Reynolds wrote:


On Jun 6, 2005, at 6:21 AM, Jason Dixon wrote:


On Jun 3, 2005, at 6:19 PM, Kelley Reynolds wrote:

Having an odd problem... a bridge configured such that one of the 
interfaces has an IP works fantastically, until pf is enabled with 
the following rule (and only the following rule)


pass out keep state

then repeatably, things start to break.

Now, when FTPing from one machine to another (whether they are both 
on the inside of the bridge or not), the transfer will stop after 
96k. Every time. If I take off the keep state rule, the transfer 
will work just fine. Now, on the bottom of 'man bridge', it says 
that a bridge should only keep state on one interface, so I tried 
lots of variations of the keep state rule to limit it to one 
interface, incoming, outgoing, didn't matter. This is on OpenBSD 3.7 
with two rl NICs, but this problem also occurred on 3.6. Any ideas?


That single rule is the pf.conf, but I'll do it again. Contents of 
pf.conf (in their entirety, including a commented rule I tried without 
success):


pass out keep state
# pass out on rl0 keep state


Sorry, missed your comment before about only having that one rule.  
Well, I'm sure that the rule you've posted will cause you headaches 
since it's filtering on all interfaces.  Try the following rule:


pass on rl0 keep state

This should create the necessary states, both inbound and outbound, for 
all traffic.  The rule you've attempted not only filters and keeps 
state on *all* interfaces, but it neglects inbound traffic.



--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: filter string

2005-06-01 Thread Jason Dixon

On Jun 1, 2005, at 1:48 PM, Rogério Moura wrote:


Hello!!
I'd like to know if PF can block packets by content (like the
patch-o-matic string match of IPTABLES), because my network has connections
from Skype and Messenger; these programs use ports that are allowed in
the firewall, like 80 and 443, and I don't know how to block these programs.

can anybody help me?


http://www.squid-cache.org

Use a proxy to normalize the traffic.  IIRC, Skype requires UDP 
packets for the voice packets.  Simply block udp/80 and allow tcp/80 
and tcp/443 through the proxy.


HTH.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




[SOLVED] Re: Pfctl for non-root users

2005-05-17 Thread Jason Dixon
On Apr 11, 2005, at 5:05 AM, Lars Hansson wrote:
On Mon, 11 Apr 2005 00:11:40 -0400
Jason Dixon [EMAIL PROTECTED] wrote:
Is the ability to run pfctl (via sudo) as a non-root user still 
broken?
Huh? I have NEVER had any problems running pfctl via sudo. Ever.
Shit.  I was stupid enough to actually forget to run the sudo.  Sorry 
for wasting your time.

Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: Per Packet Loadbalancing

2005-05-17 Thread Jason Dixon
On May 15, 2005, at 2:27 PM, Manon Goo wrote:
Hello,
I have posted this question to misc@openbsd.org before. Perhaps this is
a better place to ask this question.
I have a problem activating per packet loadbalancing with a keep state 
rule,
I am getting per session loadbalancing.
snip
CARP + arpbalance does per-packet load balancing at L2.
man 4 carp
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: Per Packet Loadbalancing

2005-05-17 Thread Jason Dixon
On May 17, 2005, at 9:20 AM, Manon Goo wrote:
--On 17 May 2005 06:37:02 -0400 Jason Dixon [EMAIL PROTECTED] 
wrote:
snip
CARP + arpbalance does per-packet load balancing at L2.
This will not help me because my problem is with
outbound traffic.
So setup CARP + arpbalance on your internal interfaces.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: Per Packet Loadbalancing

2005-05-17 Thread Jason Dixon
On May 17, 2005, at 11:49 AM, Manon Goo wrote:
Let me clarify my setup:
 OpenBSD-Box
DSLGW   DSLGW  DSLGW  DSLGW DSLGW DSLGW
CiscoATM Router
   Internet

The inbound traffic is distributed by the Cisco ATM router. The packets 
are routed round robin through my
DSLGWs. This is solved. Everything is working fine here. No problems.

The upstream is my problem. The BSD box should distribute my outbound 
traffic via the different DSLGWs.
Ah, ok.  Thanks for clarifying.  No, I think you're stuck with the 
per-session pool behavior you're currently seeing.  To be quite honest 
though, given a long enough curve, won't it all theoretically balance 
out?

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: Why start with block?

2005-05-07 Thread Jason Dixon
On May 5, 2005, at 8:43 AM, Jonathan Camenisch wrote:
I will say one word in my own defense - even if it has no practical
point (since I intend to try to do things in a standard pf way). It
really seems less readable to me to mix quick and non-quick rules.
So don't... nobody's telling you to use quick.
When there's a mixture, you have to read and comprehend a non-linear
sequence. But with the way that pf works, I wouldn't want to throw
away quick altogether, just because I don't want pf reading the whole
file for every packet (well, minus skipped rules).
It doesn't.  PF uses a method called skip steps to only compare 
against rules that are relevant.  Quit trying to over-engineer, PF is 
plenty fast enough.  When you need to filter 10Gbps, come back to me 
and we'll hash it out.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: how to setup load balancing with 2 proxy?

2005-05-04 Thread Jason Dixon
On May 2, 2005, at 10:02 PM, eca lionhart wrote:
hi...
I have some problems setting up load balancing. How do I set up load
balancing in squid with 2 proxies? Can you help me? Thanks
Assuming you're looking to do transparent proxying, I imagine you could 
simply use the basic structure as demonstrated in Daniel's 
transparent squid paper (http://www.benzedrine.cx/transquid.html).  
However, rather than installing and redirecting to squid on the local 
machine, I would install two squid machines in the DMZ and redirect 
traffic there.  Use CARP on the proxy systems to load balance and 
provide failover.

HTH.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


SysAdmin - Failover Firewalls with OpenBSD and CARP

2005-04-25 Thread Jason Dixon
As reported on the OpenBSD Journal last week, the May issue of SysAdmin 
has an article entitled Failover Firewalls with OpenBSD and CARP.  
I've worked with the publishers to get it released online for 
non-subscribers, and they've generously responded.  If anyone has any 
corrections or suggestions on future revisions (I'll post it on my own 
site in 3 months), please let me know off-list.

http://www.samag.com/documents/s=9658/sam0505e/
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: questions about daniel hartmeier's pf.conf example ...

2005-04-25 Thread Jason Dixon
On Apr 25, 2005, at 4:17 AM, alex wilkinson wrote:
Hi all,
I am following daniel hartmeier's example pf.conf
[http://www.benzedrine.cx/pf.conf].
Something that I notice is that daniel allows all outgoing TCP and UDP
traffic regardless of where it is going.
Question: Isn't this a bad thing?  I would have thought it is best
practice to only allow incoming and outgoing connections
_explicitly_.  The reason being that some OSes upload information to
base camp (Redmond) for statistical analysis.
It just confirms what we probably already suspected;  Daniel doesn't 
run any Windows systems.

P.S.  Your paranoia isn't wrong, it just doesn't apply to all 
circumstances.  Many people filter outbound (including yours truly), 
but others do not.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Pfctl for non-root users

2005-04-11 Thread Jason Dixon
Is the ability to run pfctl (via sudo) as a non-root user still broken? 
 I've tested this on a 3.6 -release system, and /dev/pf is still 
unavailable for non-root users.  I searched the archives and found 
mention of this about a year ago, but nothing else since.

Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: Pfctl for non-root users

2005-04-11 Thread Jason Dixon
On Apr 11, 2005, at 5:13 AM, Peter N. M. Hansteen wrote:
Jason Dixon [EMAIL PROTECTED] writes:
Is the ability to run pfctl (via sudo) as a non-root user still
broken? I've tested this on a 3.6 -release system, and /dev/pf is
still unavailable for non-root users.
[EMAIL PROTECTED]:~$ ls -l /dev/pf
crw---  1 root  wheel   73,   0 Oct 19 00:02 /dev/pf
It certainly looks like being a member of wheel is a distinct 
advantage,
at least.

What kinds of operations did you have in mind?
# su - hatchet
$ pfctl -vsr
pfctl: /dev/pf: Permission denied
$ whoami
hatchet
$ groups
hatchet wheel
Would eg a sensible authpf setup help achieve what you want to do?
It has nothing to do with my question.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: load-balancing + TCP proxy = TCP Multiplex?

2005-04-08 Thread Jason Dixon
On Apr 8, 2005, at 8:28 AM, Siddhartha Jain wrote:
Hi,
Can I do load-balancing + TCP proxying to do something like TCP
multiplexing (a la NetScaler)?
Or, is there some other tool/plugin that I can use with pf to achieve
the same results?
I have no idea what NetScaler does, but I suspect you can do whatever 
it is you're trying to do using PF and some other userland applications 
(Squid, PythonDirector, etc).  Perhaps we could better answer your 
question if you could describe what it is you're actually trying to do, 
not the products you're comparing against.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: pf and bridging

2005-04-04 Thread Jason Dixon
On Apr 3, 2005, at 6:58 PM, Russell Fulton wrote:
Hi,
We have pf running on a bridge.  I am seeing packets being dropped by
pf between two machines that are on the same side of the bridge.  Am I
correct in assuming that this is expected and that what is happening is
that the packets hit pf before they get to the bridge where they would
be discarded anyway?  I.e. the filtering takes place at the interface.
This doesn't make any sense.  If the hosts are both on the same 
segment, they should be attempting direct delivery on the LAN.  Why 
would they pass traffic through the bridge at all?

If I don't want to see this stuff in the log then I guess I should put 
another rule before my generic 'block log' to 'block quick' (with no
log) for the addresses concerned.
You better give serious thought before putting in a block quick, 
unless it's known bad traffic.  If it's known bad traffic, then why are 
you asking if they should be blocked in the first place?

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: Anchors with tables

2005-03-29 Thread Jason Dixon
On Mar 27, 2005, at 1:31 PM, Jason Opperisano wrote:
It appears that pfctl assumes that anchors only contain filter rules.
Have I stumbled over a bug in either pf.conf (5) or pfctl, or am I
doing/assuming something wrong?
dunno if this is a remotely useful response, but the snippets of file
you provided work fine here (on both 3.6-release and the latest
snapshot):
Strange, considering Theo confirmed the bug in pf.conf (5).  I ran a 
patch by Daniel who confirmed it, and have submitted it to [EMAIL PROTECTED]

--- src/share/man/man5/pf.conf.5Tue Mar  1 13:10:44 2005
+++ src/share/man/man5/pf.conf.5Sun Mar 27 08:16:01 2005
@@ -2213,7 +2213,7 @@
 attachment points.
 An
 .Ar anchor
-is a container that can hold rules, address tables, and other anchors.
+is a container that can hold rules and other anchors.
 .Pp
 An
 .Ar anchor
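Review bot: the hunk only drops the words "address tables" from the definition, so a reader still has no hint where tables belong; given that pfctl rejects table definitions inside an anchor with "Rules must be in order" (as shown earlier in this thread), consider replacing the sentence with something like "is a container that can hold rules and other anchors; tables are defined in the main ruleset." so the restriction that pfctl enforces is documented rather than merely no longer contradicted.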
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: Anchors with tables

2005-03-28 Thread Jason Dixon
On Mar 27, 2005, at 1:05 PM, Cedric Berger wrote:
Jason Dixon wrote:
Looking at pf.conf (5), it claims that anchors can hold rules, 
address tables, and other anchors.
Do you have the possibility to check if that was working on 3.5?
I wouldn't be surprised if there was new bugs in that area in 3.6.
Theo already replied off-list to tell me that the pf.conf (5) is wrong. 
 I'm waiting for Daniel's feedback before I submit my patch to [EMAIL PROTECTED]  
I might have a spare box later this afternoon, but it's spoken for at 
this moment.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Anchors with tables

2005-03-26 Thread Jason Dixon
Looking at pf.conf (5), it claims that anchors can hold rules, address 
tables, and other anchors.  Unfortunately, neither the man page nor 
the PF User's Guide give an example of using an anchor to hold address 
tables.  I've tried this on 3.6 -release, and it does not appear to 
work:

snip /etc/pf.conf
ext_if=fxp1
int_if=fxp0
pfsync_if=xl0
anchor pf_labels_tables
load anchor pf_labels_tables from /etc/pf_labels_tables.anchor
/snip
# cat /etc/pf_labels_tables.anchor
table site1_in { 10.0.0.101 }
table site2_in { 10.0.0.102 }
table site3_in { 10.0.0.103 }
table site4_in { 10.0.0.104 }
table site5_in { 10.0.0.105 }
table site1_out { 192.168.0.31 }
table site2_out { 192.168.0.32 }
table site3_out { 192.168.0.33 }
table site4_out { 192.168.0.34 }
table site5_out { 192.168.0.35 }
# pfctl -nf /etc/pf.conf
/etc/pf.conf:17: Rules must be in order: options, normalization, 
queueing, translation, filtering
/etc/pf.conf:18: Rules must be in order: options, normalization, 
queueing, translation, filtering
/etc/pf.conf:20: Rules must be in order: options, normalization, 
queueing, translation, filtering
/etc/pf.conf:22: Rules must be in order: options, normalization, 
queueing, translation, filtering
/etc/pf.conf:23: Rules must be in order: options, normalization, 
queueing, translation, filtering
/etc/pf.conf:24: Rules must be in order: options, normalization, 
queueing, translation, filtering
/etc/pf.conf:25: Rules must be in order: options, normalization, 
queueing, translation, filtering
/etc/pf.conf:26: Rules must be in order: options, normalization, 
queueing, translation, filtering

It appears that pfctl assumes that anchors only contain filter rules.  
Have I stumbled over a bug in either pf.conf (5) or pfctl, or am I 
doing/assuming something wrong?

Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: CARP Failover

2005-03-08 Thread Jason Dixon
On Mar 8, 2005, at 9:40 AM, Amir S Mesry wrote:
Jason, I think you missed the OT part of my post. I was just asking
the status of it, not saying it was or wasn't needed. From your post, I
take it there are no plans whatsoever to include it, and indirect
answer, but I got the answer.
You didn't capitalize the T in Ot, so it looked like a typo of Ok.  
:)

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: CARP Failover

2005-03-07 Thread Jason Dixon
On Mar 7, 2005, at 1:54 PM, Amir S Mesry wrote:
Ot, but what is the status of Ifstated being included by default in the
install?
What does this have to do with the rest of the thread?  As has been 
discussed numerous times on this list, ifstated is not necessary for 
proper operation of failover CARP firewalls.  If you want ifstated, 
it's a very simple cvs checkout, make && make install.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: CARP Failover

2005-03-06 Thread Jason Dixon
On Mar 6, 2005, at 6:17 PM, Per-Olov Sjöholm wrote:
A running ssh or telnet session will just freeze for a second or so 
and then
continue when a failover happens. When it comes to ftp I think you 
have a
problem if you use any userland proxies.
Ftpsesame is good in this respect.  It grabs packets off bpf and loads 
a quick pass rule into a pf anchor.  No userland stuff is touched.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: pf monitoring as shown in samag.com

2005-01-27 Thread Jason Dixon
On Jan 27, 2005, at 4:17 PM, Kenneth Oncinian wrote:
Hi List,
Anyone using this pf traffic monitoring?
http://www.samag.com/documents/s=9053/sam0403j/0403j.htm
If so, can you please let me know how it was done? I do not know perl
and thus don't have any idea with the perl part mentioned in the 
document.
If you don't know Perl, then it's not going to be of much use to you.  
Randal was giving an example of how to use Perl to graph statistics 
based on labels.  It's not a project, it's an example.

But quite honestly, even if you didn't know Perl, everything is there 
in the article to show you how.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: pf efficiency

2005-01-20 Thread Jason Dixon
On Jan 20, 2005, at 4:13 PM, MauroTablo' wrote:
Hi all.
My Openbsd+pf based firewall has about 90 forward filtering rules, for 
tcp
packets (about 30 rules), udp datagram (about 40 rules) and icmp 
messages
(about 20 rules). Every rule looks like: block in proto xxx from any 
to yyy
port = zzz, where xxx is the protocol type.
Suppose that a transit tcp packet comes into my firewall.
The question is: pf confronts the TCP packet with all my 90 rules, or 
it
confronts the packet ONLY WITH those rules (about 30) written for tcp
packets (proto tcp)?
In other words, is there a function in pf that looks up to the 
protocol type
of a transit packet and decides which rules to confront the packet 
with?
PF uses a method referred to as skip steps which is just an easy way 
of referring to the algorithms which only select those filters that are 
relevant to the packet being analyzed.  I can't seem to find any 
reference to it in the man pages or PF FAQ, but I found a good 
explanation from the following document.  I believe the information 
regarding skip steps is still accurate, but I'll have to defer to the 
developers:

http://www.inebriated.demon.nl/pf-howto/pf-howto.txt
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: OFF Topic Might not belong on the list PF anf VPN to Cisco

2004-12-30 Thread Jason Dixon
On Dec 30, 2004, at 9:37 AM, Elijah Savage wrote:
Has anyone on the list ever used openbsd as a Firewall and also a VPN
gateway. I have been trying to find how to's or some sort of
documentation on this, especially with using one with Cisco Devices.
Basically using it as a VPN hub to a few Cisco Routers. If anyone can
point me to any documentation or make some recommendations it sure 
would
be greatly appreciated.
I'm sure many of us have done this many times over.  If you have a 
specific concern between versions (i.e. Cisco model X vs. OpenBSD 3.6 
-current), you should clarify it.  The man pages are sufficient for the 
firewalling concepts.  If you need more information on setting up the 
VPN, you might want to refer to one of the OpenBSD books 
(http://www.openbsd.org/books.html), as faq13.html was tossed in the 
CVS attic some time ago.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: OFF Topic Might not belong on the list PF anf VPN to Cisco

2004-12-30 Thread Jason Dixon
On Dec 30, 2004, at 11:44 AM, Elijah Savage wrote:
Jason,
Thank you for the reply but I do not think you understand the question.
It is not OpenBSD vs Cisco as your reply states. I am looking for
getting-started info on making Cisco talk to OpenBSD via IPSEC VPN tunnels. My
OpenBSD firewall has been up and running for some time. I have the Absolute
OpenBSD book and it does not address IPSEC between OpenBSD and Cisco.
Again, you're being vague.  If that book doesn't address your issues, 
then clarify what issues you're talking about.  We can't help if you 
can't explain your problem (or concern) accurately.  What have you 
tried?  What is not working for you?  What errors have you experienced?

Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: OFF Topic Might not belong on the list PF anf VPN to Cisco

2004-12-30 Thread Jason Dixon
On Dec 30, 2004, at 4:52 PM, Elijah Savage wrote:
I want to clear this up a bit. I am not looking for someone to provide
me with config files or say here is what you need to do; I can do that 
on
my own. What I am looking for is real world experience and I figured there
would be no better place to find that than here with you experts. I
figured someone would say yeah I have done this and I chose OpenBSD and
OpenVPN connected to Cisco 1700's 1800's 2600's etc etc or whatever the
case may be and then say here is what I think about my setup; thus 
far
it has been stable, it sucks etc etc.

That's all I am looking for. I apologize for being vague but I thought 
I
was clear but obviously my communication skills are off a bit :)
Multiple folks have already replied claiming this has been done.  I see 
no need for everyone who's ever worked with Cisco and OpenBSD VPNs to 
respond to your query with exact specifics.  Rather, it is YOU who 
needs to expound on what you're looking for.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: Traffic Monitoring, IP

2004-12-30 Thread Jason Dixon
On Dec 30, 2004, at 6:54 PM, Miroslav Kubik wrote:
OK, but you should know that my idea of how to improve PFSTAT isn't free 
of
charge. It costs 600 USD. Your time costs 600 USD, my idea 600 USD. So 
you
can improve PFSTAT without any money :))
You should know that the work Daniel has already donated to PF and the 
OpenBSD project is worth thousands of dollars.  Would you like to pay 
by check now, or should they bill your credit card?

P.S.  Shut up and code.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: CARP again, again

2004-12-24 Thread Jason Dixon
On Dec 23, 2004, at 5:28 PM, ed wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello again, sorry to bother you all again.
I have a question, we have two DSL connections, and I plan on using two
boxes, which are carped. But, I'd like to do this in a fashion such 
that
I can failover to a different connection when the primary one becomes
unusable.

Would anyone have experience of doing this, and how exactly does one
determine that the connection has failed? Does it base the failure on
link status or on IP untouchables?
CARP really has nothing to do with this.  CARP is a link-layer protocol 
which allows one box to assume the virtual interface when another 
becomes unavailable on the same local segment.  Since each box will 
still see each other as alive when your route goes down, they'll 
operate as usual.

Your problem is a network-layer issue.  Attack it just like you might 
with one box connected to dual gateways, since that's exactly what 
you're emulating.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: CARP

2004-12-17 Thread Jason Dixon
On Dec 17, 2004, at 1:47 PM, Ryan McBride wrote:
I suggest larger advskew differences.  You can only go as high as the
size of your segment (256-1 for /24, for example).  If you're only
using 2 firewalls, I suggest advskews of 0 and 100.  This isn't
documented anywhere, and is only based on my own experience, so YMMV.
If by not documented you mean explicitly ignoring the examples in 
the
carp(4) manpage, then you're correct :-)
I do.  :)
The advskew range doesn't depend on the network segment. It's an 8 bit
number in the CARP packet and the legal values are 1-255. Keep the 
value
below 240 unless you really know what you're doing.
I overextended myself with that piece of logic.  I remember it being 
capped at 255, but inappropriately associated it with the mask.  Sorry 
for any confusion caused, I fucking hate it when people give wrong 
answers on list.  :-P

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: (why can't)/(does) carp work on bridges ?

2004-12-16 Thread Jason Dixon
On Dec 16, 2004, at 10:18 AM, Joel CARNAT wrote:
I wanted to do CARPing on interfaces which were part on bridges.
According to my readings and testing (it's been 1 week I'm trying to
have it working ;), it seems you can't enable carp on an interface that
is bridged to some other...
I believe you can, so long as your interface has an IP assigned to it.  
An IP is needed, but you will not be routing- don't let it confuse you. 
 You're still bridging all packets between the external segment and the 
protected segment.  I haven't tried it myself (yet), so caveat emptor.

Is is really true (or did I miss a bit of configuration) ?
And, if so, why ? What makes it impossible ?
Actually, Ryan McBride recently posted a diff to -current to allow CARP 
interfaces to bind to the physical interface (without IP) using the 
carpdev keyword.

http://marc.theaimsgroup.com/?l=openbsd-tech&m=110229937028512&w=2
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: CARP

2004-12-16 Thread Jason Dixon
On Dec 16, 2004, at 5:12 PM, ed wrote:
Things are nearly fully functional for me now, however, I don't seem to
have perfect throughput when a box is shot in the head, sometimes things
work OK for the client, and some times they don't and connections either
lag to the point of timeout, or just drop and can't get re-established.
There is probably a good reason for this, but might be hard to
determine a) for an experienced user without access to your network, or
b) for an inexperienced user *with* access to your network.  ;-)

I suggest monitoring your interfaces continually (while true; do 
ifconfig -a | grep carp; sleep 1; clear; done) while you recreate your 
problems.  It wouldn't hurt to also monitor your pfsync traffic for 
hiccups.

I usually experience ~3 seconds of packet loss during a failover.  
Recovery is always instantaneous (no loss).  Regardless, I've yet to 
lose any TCP connections.  I'd suggest you try to isolate the 
questionable behavior.

Sorry if I sound like a Loinux whiny, I'm almost there, just need a
few more pointers.
1) If I reduce advskew to something like 10 on machine A and 12 on
machine b, would that increase the stability of the firewalls?
I suggest larger advskew differences.  You can only go as high as the 
size of your segment (256-1 for /24, for example).  If you're only 
using 2 firewalls, I suggest advskews of 0 and 100.  This isn't 
documented anywhere, and is only based on my own experience, so YMMV.

2) Why does it seem that when the master returns from me issuing a
reboot does the connection for the client appear to get shaky again?
No clue, you're not providing anything but anecdotal evidence.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: CARP

2004-12-15 Thread Jason Dixon
On Dec 14, 2004, at 4:02 PM, ed wrote:
Sorry for this lengthy reply, I hope you all can forgive me for this,
but as I am but a beginner with PF/CARP I hope we can avoid hostility.
I have two boxes, with similar configs, on IP addresses 10.10.1.131 and
10.10.1.134, both /16.
[snip]
What is working and what isn't?  What is the output of ifconfig -a on 
each box?

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: CARP

2004-12-12 Thread Jason Dixon
On Dec 12, 2004, at 8:54 AM, ed wrote:
Anyway, I have a /etc/pf.conf file which was originally for a single
firewall, which worked for a normal layout with two interfaces. I am now
attempting to do the following:
[snip]
The two boxes have two interfaces, although most documentation suggests
using a third interface with cross over, which I don't currently have.
It's not a requirement;  I've sent pfsync traffic across the int_if, 
but it's not ideal.

My existing firewall script allows access to 83.146.42.164 and
83.146.42.165, should I be treating incoming packets as packets for
83.146.42.163/4, or 83.146.42.165?
You can filter on all of them.  The real address on each interface 
still allows dedicated access to each firewall.  However, when 
filtering traffic across CARP virtual interfaces, remember that you 
filter on the PHYSICAL interface (fxp0), not on the virtual interface 
(carp0).

Is it possible to provide two CARP interfaces over the fxp0 like I have,
and if I do, will it work as intended?
Yes, I've done many CARP interfaces using aliases on a single physical 
interface.

Needless to say, what I am trying to do has not worked.
Without providing your configuration (hostname.*, pf.conf), it's
impossible to help you.  It would also help to know what
troubleshooting you've already tried and what errors/failures you've
encountered.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: newbie advice question - pf in front of multiple comps...

2004-12-01 Thread Jason Dixon
On Dec 1, 2004, at 10:59 AM, b h wrote:
however, someone at my work wants me to install a
firewall at a colo site - in front of say, six
machines, all with public internet routable
addresses...
so - I know this is likely a really stupid question,
but how do I manage this?  does the firewall have a
bunch of aliased IP addresses and rdr respectively to
private addresses behind?  is bgp (I know nothing
about yet) something that I need/should be using?
You want a bridge.  It operates at layer 2, so there's no translation 
occurring.

http://www.openbsd.org/faq/faq6.html#Bridge
Pay special attention to the section Filtering on a bridge.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: newbie advice question - pf in front of multiple comps...

2004-12-01 Thread Jason Dixon
On Dec 1, 2004, at 11:43 AM, b h wrote:
okay, ignore most of my question - I'm sorry I didn't
figure this before posting (another recent msg on misc
got me to look at this) - looks like binat is what I
want.
Your original message said the protected servers would have publicly 
routable addresses, hence the bridge.  If you're using RFC1918 
addresses instead, then yes, you want binat.

But I'm still confused how the firewall gets these
packets to begin with - is the firewall supposed to
have aliased all the external address?
You can alias them if they're on the same public interface as your 
primary address, or you can have them on a dedicated interface.  If 
you're going to have more than one IP per interface, you'll need 
aliases.

ie, doing binat similar to the following...
xx.xx.xx.3 - 10.10.10.3
xx.xx.xx.4 - 10.10.10.4
http://www.openbsd.org/faq/pf/nat.html#binat
and the firewall will have (in hostname.fxp0 for ex.)
inet xx.xx.xx.3 0xff00 NONE
inet alias xx.xx.xx.4 0xff00 NONE
http://www.openbsd.org/faq/faq6.html#Setup
Please read the FAQ and manpages.  They are quite good, and would have 
answered all of your questions.  We're here to help, but you need to 
try and help yourself too.  :)

HTH.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: PF question

2004-11-25 Thread Jason Dixon
On Nov 25, 2004, at 8:55 PM, William Gan wrote:
I have a question regarding PF
Internet - FW - Local Area Network
   |
   |
 IDS
Is there a way of forwarding incoming packets from the internet to
two separate interfaces?
The IDS has no IP address.. It only listens to incoming packets.
man pf.conf, search for dup-to.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: PF question

2004-11-25 Thread Jason Dixon
Gah, this is the 2nd time in a week I've cc'd the wrong list.  Sorry.
-J.
On Nov 25, 2004, at 10:01 PM, Jason Dixon wrote:
On Nov 25, 2004, at 8:55 PM, William Gan wrote:
I have a question regarding PF
Internet - FW - Local Area Network
   |
   |
 IDS
Is there a way of forwarding incoming packets from the internet to
two separate interfaces?
The IDS has no IP address.. It only listens to incoming packets.
man pf.conf, search for dup-to.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: States

2004-11-19 Thread Jason Dixon
On Nov 19, 2004, at 6:32 AM, Sergi Toledo wrote:
Hi
I've been looking for the maximum number of states that pf is able to
handle, but I can't find the correct .c or .h file. Which one is it?
I suppose these states are stored in memory. Am I wrong?
Thanks in advance
Sergio
There is no hard limit in the source.  They are limited only by your 
available memory, but can be capped using set limit states in 
pf.conf.  The general rule is 1k states per 1MB of memory.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: States

2004-11-19 Thread Jason Dixon
Sorry, redirected to pf@ by accident.
-J.
On Nov 19, 2004, at 6:51 AM, Jason Dixon wrote:
On Nov 19, 2004, at 6:32 AM, Sergi Toledo wrote:
Hi
I've been looking for the maximum number of states that pf is able to
handle, but I can't find the correct .c or .h file. Which one is it?
I suppose these states are stored in memory. Am I wrong?
Thanks in advance
Sergio
There is no hard limit in the source.  They are limited only by your 
available memory, but can be capped using set limit states in 
pf.conf.  The general rule is 1k states per 1MB of memory.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: Linux port of pf

2004-10-20 Thread Jason Dixon
On Oct 20, 2004, at 2:58 PM, Dylan Martin wrote:
That said, I use OpenBSD with PF for my firewall and I only use iptables
on servers that need to live outside my firewall for some weird reason.  So
please don't hit me for giving iptables advice on the pf mailing list...
Maybe it's just me, but why would you need to have machines outside 
your firewall, yet still need to run iptables on them?  If it has 
something to do with IP allocation, why not just add one more segment 
to the firewall and create a bridge?  I'm not trying to suggest that 
you don't complement your security by running firewalls on the linux 
hosts, but it would be in your best interests to take advantage of PF 
wherever possible (IMHO).

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


Re: FTP clients behind PF can connect to ftp serves but cannot list files why?

2004-09-29 Thread Jason Dixon
On Sep 29, 2004, at 5:10 AM, Siju George wrote:
configured OpenBSD 3.5 PF as said in the FAQ.
For the clients behind my PF firewall to access ftp servers I put this
line in the pf.conf file
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1:8021
I also have the following line uncommented from /etc/inetd.conf
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
Now the FTP clients behind the PF firewall can't connect to the ftp
servers on the internet; username is authenticated successfully, but
listing of files is not possible.
As pleasant as you are Siju, it's quickly becoming apparent that you
lack necessary training for becoming a qualified Systems Administrator.
I suggest you unplug your ethernet cable immediately and poweroff your
systems.

Of course, should you neglect to follow my advice, you should at least 
run the following from your terminal and watch as you attempt your ftp 
sessions.  This assumes that you're logging and pflog0 is up.  Basic 
troubleshooting skills like this are necessary for becoming part of the 
OpenBSD community.

tcpdump -nettti pflog0
Thanks,
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net


Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Jason Dixon
On Sep 28, 2004, at 2:13 AM, Siju George wrote:
I changed the block-policy from return to drop. Now my ports except
113 are showing up as stealthed while testing from
http://www.grc.com/x/ne.dll?rh1dkyd2
The Port 113 was opened because the PF FAQ asked to open it for SMTP
Auth/Ident (TCP port 113): used by some services such as SMTP and IRC.
ICMP Echo Requests: the ICMP packet type used by ping(8). 
Now ask yourself-  what's the point of dropping packets (woo, I'm in 
stealth mode, woo...), when a simple 1-1024 portscan will reveal you 
thanks to port 113 accepting connections (or sending resets, not sure 
if your identd is actually running)?  Why wouldn't you rather just deny 
all and avoid behaving like a doof?

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net


Re: blocking gnutella

2004-09-15 Thread Jason Dixon
On Sep 15, 2004, at 12:23 PM, Brent Bolin wrote:
[EMAIL PROTECTED] (Jason Dixon) wrote in message 
news:DCB03664-06A3-11D9-933E
I think this thread is still germane:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=104592911709710&w=2
Don't try to block it.  It's a port hopper.  Instead make it painful
for the users that use it.  Altq is your friend.
Isn't that what I just said (in the link)?
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net


Re: blocking gnutella

2004-09-14 Thread Jason Dixon
On Sep 14, 2004, at 3:33 PM, Bryan Irvine wrote:
I can't seem to get gnutella to break.
gnutella = { 6346 6348 8436 }
block out quick proto { udp tcp } from any to any port $gnutella
block in quick proto { udp tcp } from any to any port $gnutella
pftop still shows connection on 6346 though, ideas?
I think this thread is still germane:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=104592911709710&w=2
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net


Re: matching ports that are actually open

2004-09-01 Thread Jason Dixon
On Sep 1, 2004, at 5:10 PM, Matthijs Bomhoff wrote:
What I would like to do, is something like the following (just an example) :

rdr proto tcp to (dc0) port 80 ! open -> 10.0.2.2 port 80
i.e. redirect connections to the local webserver to some other host
when the local webserver is not listening.
if I understand the pf.conf(5) man page, user/group is only applicable 
for packet filtering, not for redirection etc.

Any suggestions for such a thing?
It sounds like you're trying to get fancy with load-balancing.  If 
that's the case, why don't you simply rdr to a local load balancer 
(python director springs to mind) and let it handle the application 
issues?  Let _it_ deal with whether a server is alive or not;  PF is a 
_packet_filter_, not an application proxy/LB device.

Well, not in the truest sense, anyways.  :)
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net


OpenBSD Flashdist/pflogd/cron issue

2004-08-21 Thread Jason Dixon
Hi folks-
Just got my new 4501, having a great time using Chris' flashdist and 
nsh on it.  I've made some minor changes to include cron/crontab, in 
order to have pf use syslogd 
(http://www.openbsd.org/faq/pf/logging.html#syslog)  for remote 
logging.  However, it seems I'm having some problems getting the 
pflogger to execute its part correctly.

The system has no problem logging via pflogd;  it also manages (via 
root's crontab) to write the temporary file out to the pflogger user's 
home.  However, it doesn't want to logger those files as dictated in 
the pfl2sysl script.  I've found that by killing cron and restarting it 
manually (it's usually started in rc), that this seems to fix it.  I've 
compared the permissions of /var/cron/* before and after, and don't see 
any differences.

Any ideas what I'm missing here?
Thanks in advance,
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net


Re: Things pf can't do?

2004-05-19 Thread Jason Dixon
On May 19, 2004, at 4:09 PM, Dave Anderson wrote:
pf is complicated enough that it definitely takes a while to wrap one's
mind around the whole thing.
Actually, it's a breath of fresh air compared to other filters I've 
worked with.  If this is your first firewall system, I can understand 
why it might be a lot to take in.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net


Re: PF/spamd oddity

2004-03-18 Thread Jason Dixon
On Mar 18, 2004, at 3:28 AM, Ray wrote:

Try:
rdr pass on $ext_if inet proto tcp from <spamd> to ($ext_if) port smtp ->
127.0.0.1 port 8025
Thanks, that works.  Looking at pf.conf (5), it appears that rdr pass
is just a feature to bypass the normal filtering rule.  I don't see why
mine would've failed.  I'm running 3.4 -stable.  Any ideas?

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: PF/spamd oddity

2004-03-18 Thread Jason Dixon
On Mar 18, 2004, at 9:56 AM, Peter Hessler wrote:

On Thu, 18 Mar 2004 06:27:39 -0500
Jason Dixon [EMAIL PROTECTED] wrote:
:Thanks, that works.  Looking at pf.conf (5), it appears that rdr pass
:is just a feature to bypass the normal filtering rule.  I don't see why
:mine would've failed.  I'm running 3.4 -stable.  Any ideas?

No, it adds a pass rule to the ruleset.  Doesn't bypass anything.
Not according to pf.conf (5):

If the pass modifier is given, packets matching the translation rule are
passed without inspecting the filter rules
Is this taken out of context?

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: PF/spamd oddity

2004-03-18 Thread Jason Dixon
On Mar 18, 2004, at 11:10 AM, Daniel Hartmeier wrote:

Because you only had

pass in log on lo0 inet proto tcp from <spamd> to 127.0.0.1 port 8025
               ^^^

but you have to allow it to pass in on the external interface as well.
For some strange reason I was getting confused with the whole 
translate before filtering thing, applying logic where none applied.  
;-)

Thanks,

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



PF/spamd oddity

2004-03-17 Thread Jason Dixon
Perhaps I simply need some sleep, but I'm confused as to why my test 
isn't working as expected.  I'm trying to test a connection from a 
spamd entry (my other box, 192.168.0.58) to my new mailserver 
(192.168.0.53).  I have the requisite spamd table, rdr to localhost, 
and pass on loopback entries in pf.conf.  I've rebooted to make 
_absolutely_ certain that everything is kosher.  Nevertheless, the 
connection is simply being blocked/reset by my generic block rule, 
rather than being allowed to pass through to spamd on 127.0.0.1:8025.

The connection:

-bash-2.05b# telnet 192.168.0.53 25
Trying 192.168.0.53...
telnet: connect to address 192.168.0.53: Connection refused
The mailserver's pflogd output:

-bash-2.05b# tcpdump -nettti pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Mar 17 22:55:07.085464 rule 1/0(match): block in on fxp0: 192.168.0.58.9877 > 127.0.0.1.8025: S 1441947101:1441947101(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF) [tos 0x10]

The PF ruleset:

#   OpenBSD: pf.rules 2004/03/16 dixon

# Variables
ext_if="fxp0"
dingle="192.168.0.53"
tcp_in="{ ssh, pop3s, imaps, smtp, http, https, hatchet }"
#udp_in="{ }"
tcp_out="{ ssh, smtp }"
udp_out="{ domain, ntp }"
table <spamd> persist
### Set Options ###
set limit { frags 32000, states 65000 }
set loginterface $ext_if
set optimization aggressive
set block-policy return
### Packet Normalization ###
scrub in all
scrub out all random-id no-df
### Translation ###
rdr on $ext_if inet proto tcp from <spamd> to ($ext_if) port smtp -> 127.0.0.1 port 8025

### Start Filter Rules

# basic block-all with return and logging
block log on $ext_if
block log on $ext_if proto tcp
block log on $ext_if proto udp
block log on $ext_if proto icmp
# block various noisy traffic without logging
block in quick on $ext_if proto igmp all
block in quick proto udp from any to any port snmp-trap
block in quick on $ext_if from 255.255.255.255/32 to any
block in quick on $ext_if from any to 255.255.255.255/32
block quick on $ext_if proto { tcp, udp } from any to any port { 135, 137, 138, 139, 445 }
block in quick on $ext_if from any to 224.0.0.1 # IGMP noise

# allow localhost
pass on lo0 all keep state
pass in log on lo0 inet proto tcp from <spamd> to 127.0.0.1 port 8025 # testing

# allow certain icmp connections
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
# allow certain udp connections
pass out on $ext_if inet proto udp from ($ext_if) to any port $udp_out keep state
#pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_in keep state

# allow certain tcp connections
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_out keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_in flags S/SA synproxy state

# END of pf.rules

Thanks,

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net


Re: Something like pfstat for multiple interfaces

2004-02-20 Thread Jason Dixon
On Feb 20, 2004, at 12:11 PM, Brent Bolin wrote:

Does anybody know of a way to capture statistics on multiple
interfaces running pf
Recently ran into a product called Hatchet that has a nice html
interface to view pf statistics of log files block, pass etc...
It can also display graphs produced by pfstat.  However it looks like
pfstat does not have an option for specific interfaces.
Actually, it does.  The set loginterface option in pf.conf determines 
which interface to collect packet/byte counts for.  The statistics are 
sent to pf (4), which is read by either pfctl or pfstat.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: microsoft vpn broken

2004-02-14 Thread Jason Dixon
On Feb 14, 2004, at 5:35 AM, Octavian Hornoiu wrote:

I searched the web for rule information on how to use PF to forward
Microsoft vpn information from the firewall to the internal box that
handles it.  All I found was information on doing this procedure for the
older versions of pf when the nat sections were still split from the
main file.  I have tried using the rules I know from ipfilter on freebsd
to forward port 0 with gre and all that but I cannot seem to get pf to
accept the ruleset without it complaining about syntax.  How is this
accomplished via the newer pf?
Forwarding Microsoft vpn information doesn't tell us a lot.  I 
suggest you search the archives for L2TP or PPTP, depending on your 
needs.  There's plenty of information there.  I personally have PPTP 
GRE tunnels running through my firewall as we speak.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net




IPv6 entries in pflog

2004-01-27 Thread Jason Dixon
I'm attempting to add IPv6 support in Hatchet
(http://www.dixongroup.net/hatchet/), but I'm a little clueless when it
comes to IPv6 address formatting.  I've read through the IPv6 Addressing
Architecture draft
(http://www.ietf.org/internet-drafts/draft-ietf-ipv6-addr-arch-v4-00.txt),
but that seemed to create more confusion than I started with.

I've seen icmp6 entries in my IPv4-only firewall that represent an
address with 6 - 16bit hex values.  I've also had an IPv6 user submit
examples from their log which shows only 5 - 16bit hex values. 
Obviously, after looking at the draft, I can see there are a LOT of
shorthand methods for representing IPv6 addresses.

I'm wondering, though, if PF/pflogd has chosen to represent these
addresses in a standard, predictable format, or if it's simply dumping
the address information as it finds it?  I'm only a Perl hacker, so I'm
having a heck of a time matching regex for all the possible IPv6
permutations.

Thanks,

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: IPv6 entries in pflog

2004-01-27 Thread Jason Dixon
On Tue, 2004-01-27 at 11:18, Daniel Hartmeier wrote:
 On Tue, Jan 27, 2004 at 11:03:03AM -0500, Jason Dixon wrote:
 
  I'm wondering, though, if PF/pflogd has chosen to represent these
  addresses in a standard, predictable format, or if it's simply dumping
  the address information as it finds it?  I'm only a Perl hacker, so I'm
  having a heck of a time matching regex for all the possible IPv6
  permutations.
 
 If you mean the text representation (like the string
 2001:470:1f01:::2b), that's always in the same format when printed
 by pfctl, as it comes from inet_ntop(3), plus the /mask part, which
 can be 0-128 for IPv6.
 
 The inet_ntop man page also contains a description of the formatting
 rules (like how many digits, all-zero values, etc.), see the section

Yes, that's what I meant.  Unfortunately, it doesn't make it any simpler
than I'd hoped.  :)

A text representation of an IPv6 address can still be logged as anything
from :: to x:x:x:x:x:x:x:x, as far as I understand.  Is it possible
for a mixed representation (x:x:x:x:x:x:a.b.c.d) to be logged by PF? 
I guess that would depend on the environment.

Thanks,

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: IPv6 entries in pflog

2004-01-27 Thread Jason Dixon
On Tue, 2004-01-27 at 11:40, Daniel Hartmeier wrote:
 On Tue, Jan 27, 2004 at 11:27:24AM -0500, Jason Dixon wrote:
 
  A text representation of an IPv6 address can still be logged as anything
  from :: to x:x:x:x:x:x:x:x, as far as I understand.  Is it possible
  for a mixed representation (x:x:x:x:x:x:a.b.c.d) to be logged by PF? 
  I guess that would depend on the environment.
 
 Yes, that's possible, see /usr/src/lib/libc/net/inet_ntop.c's
 inet_ntop6().
 
 Can't you just use getaddrinfo(3) to convert the strings to the binary
 representation (128-bit, network byte order)?

No, I'm not dealing with the packets.  Hatchet is just a script which
parses the pflog output, treating it as ascii.  The problem is in
extracting the IPv6 address from the text stream.  If I already had the
address, the battle would be won.  :)

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
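Added example, not code from the thread and not part of Hatchet (which is Perl): a Python parser for the text form of pflog output as tcpdump(8) prints it, covering the line quoted in the "PF/spamd oddity" thread and the IPv6 question above. It carries an explicit regex for the four text shapes inet_ntop(3) emits (full, full with a trailing dotted quad, "::"-compressed with a dotted quad, "::"-compressed), and it separates tcpdump's "host.port" from a bare host by checking whether what is left after the last dot is still a complete address, which is what makes the mixed x:x:x:x:x:x:a.b.c.d form parseable. The sample records are constructed; only the first mirrors the line from the spamd thread.

```python
import re

# Added example (not from the thread or from Hatchet): parse tcpdump's text
# rendering of pflog records and recognise every IPv6 text form inet_ntop(3)
# can print.  All sample records below are constructed.

H16 = r"[0-9a-f]{1,4}"
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"
# The four shapes inet_ntop(3) produces for IPv6: full, full with a trailing
# dotted quad, "::"-compressed with a dotted quad, and "::"-compressed.
IPV6 = (
    rf"(?:{H16}:){{7}}{H16}"
    rf"|(?:{H16}:){{6}}{IPV4}"
    rf"|(?:{H16}(?::{H16}){{0,5}})?::(?:{H16}:){{0,5}}{IPV4}"
    rf"|(?:{H16}(?::{H16}){{0,6}})?::(?:{H16}(?::{H16}){{0,6}})?"
)
IPV4_RE = re.compile(IPV4)
IPV6_RE = re.compile(IPV6, re.IGNORECASE)

# One pflog record as tcpdump prints it: timestamp, rule number/sub-rule and
# reason, action, direction, interface, then "src > dst:" and the protocol-
# specific remainder.  Ports, when present, are appended to the host with a dot.
PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+?):(?: (?P<rest>.*))?$"
)


def is_ip(text):
    """True when text is exactly one IPv4 or IPv6 address in inet_ntop(3) form."""
    return bool(IPV4_RE.fullmatch(text) or IPV6_RE.fullmatch(text))


def split_endpoint(endpoint):
    """Split tcpdump's 'host.port' into (host, port).

    The trailing dotted component is a port only if what is left is still a
    complete address: '192.168.0.53' (ICMP, no port) stays whole, while
    '127.0.0.1.8025', '2001:db8::1.25' and '::ffff:10.0.0.1.80' are split.
    """
    head, dot, tail = endpoint.rpartition(".")
    if dot and tail.isdigit() and is_ip(head):
        return head, int(tail)
    return endpoint, None


def parse_pflog_line(line):
    """Return the record as a dict, or None if the line is not a pflog record."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src"], rec["sport"] = split_endpoint(rec["src"])
    rec["dst"], rec["dport"] = split_endpoint(rec["dst"])
    rec["family"] = 6 if ":" in rec["dst"] else 4
    return rec


def blocked_after_rdr_to_loopback(rec):
    """The symptom from the spamd thread: a packet already rewritten by rdr to
    127.0.0.1 is blocked *in on the external interface*, because filtering
    happens after translation and the only pass rule was on lo0."""
    return (rec["action"] == "block" and rec["dir"] == "in"
            and rec["ifname"] != "lo0" and rec["dst"].startswith("127."))


# Constructed sample records; the first mirrors the line from the spamd thread.
SAMPLE_LOG = """\
Mar 17 22:55:07.085464 rule 1/0(match): block in on fxp0: 192.168.0.58.9877 > 127.0.0.1.8025: S 1441947101:1441947101(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF) [tos 0x10]
Mar 17 22:56:01.000001 rule 1/0(match): block in on fxp0: 192.168.0.58 > 192.168.0.53: icmp: echo request
Mar 17 22:57:12.000002 rule 3/0(match): block in on fxp0: 2001:db8::1.40000 > 2001:db8::53.25: S 1:1(0) win 8192
Mar 17 22:58:30.000003 rule 1/0(match): block in on fxp0: ::ffff:10.0.0.1.1024 > ::ffff:10.0.0.2.80: S 2:2(0) win 8192
"""


def parse_log(text):
    """Parse every pflog record in text, skipping lines that are not records."""
    return [r for r in (parse_pflog_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        flag = "  <- translated packet blocked on ext_if" if blocked_after_rdr_to_loopback(rec) else ""
        print(f"rule {rec['rule']:>2} {rec['action']} {rec['dir']} on {rec['ifname']}: "
              f"{rec['src']} {rec['sport']} -> {rec['dst']} {rec['dport']}{flag}")
```

The regex is deliberately the permissive inet_ntop shape (it does not count that a "::" address has at most seven groups in total), which is enough for log extraction; feed the captured string to a real address parser if validation matters.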



Re: Block Kazaa

2004-01-19 Thread Jason Dixon
On Mon, 2004-01-19 at 11:06, Rodrigo Resende dos Santos wrote:
 Hi,
 
 I need block kazaa using pf, as I make this, with com cbq?

You need to block it or throttle it?  PF does filtering, ALTQ (cbq)
handles QoS.  I suggest you search the archives.  In particular, this
might help you out:

http://marc.theaimsgroup.com/?l=openbsd-pf&m=105637568926390&w=2

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



pflog headers

2004-01-17 Thread Jason Dixon
I'm trying to find some common ground for certain udp packets.  Aside
from ServFail packets et. al., would it be safe to assume that any
packets with a '?' found after the destination IP in pflog output would
reflect a DNS packet?  Can anyone think of an exception to this?

Thanks,

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



New Project - PF Logviewer

2004-01-06 Thread Jason Dixon
I've released version 0.1 of Hatchet, a logfile parser and viewer for
OpenBSD's PF.  Currently, the primary features are log viewing and
bandwidth utilization graphs (using pfstat).  Planned features include
more advanced reporting statistics, skinning, and centralized regex
updates.  Developed and tested under a 3.3 snapshot.

http://www.dixongroup.net/hatchet/

Released under the BSD license.  Please direct any questions, comments,
etc. to my email (off-list).

Thanks,

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: newbie help

2004-01-03 Thread Jason Dixon
On Fri, 2004-01-02 at 15:22, stan wrote:
 I'm trying to build an OpenBSD mcahine to reoace an aging OpenBSD machine
 thta I use as a firewall between my local network, and the internet. I
 atach via a cablemodem.
 
 I've got a pf.conf modifed from one of the faq examples, and it mostly
 works.
 
 What doesn't work if outbound ftp. I can ftp out from the firewall itself,
 but not from the machines inside the network.

You haven't mentioned if you're trying to get passive or active FTP to
work.  I suggest you search the archives for ftp-proxy and review the
following document for hints.

http://www.deadly.org/article.php3?sid=20020130012631

On another note, have you bothered to dump pflog0 to see which packets
are being blocked?

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: newbie help

2004-01-03 Thread Jason Dixon
On Sat, 2004-01-03 at 10:57, Can Erkin Acar wrote:

 Perhaps you need to give a thought to how things work instead of
 blindly following arbitrary instructions? OpenBSD documentation
 (FAQ and manual pages) contain everything you need. Just learn to
 read and understand them.

It's obvious by now he has no desire to learn.  He seeks only to have
others do his work for him.  At this point, many of us here and on misc@
know his machine better than HE does.

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: newbie help

2004-01-03 Thread Jason Dixon
On Sat, 2004-01-03 at 14:07, stan wrote:

 Thanks for the helpful reply.
 
 If you know it so well, I geuss you just aren't smart enough to figure out
 why I'm geting ftp errors in my messages file, cause if you were, I certain
 you would have to show off just how smart you are.

We (myself and others) have given you more than sufficient assistance in
getting this working.  Pissing folks off only makes it harder on
yourself.  Feel free to send me an approved purchase order and your
login information, and I'll fix it FOR you.

Or learn how OpenBSD/PF work and fix it your damn self.

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: newbie help

2004-01-03 Thread Jason Dixon
On Sat, 2004-01-03 at 14:59, stan wrote:

 I'm certain that you consider yourself superior to most other people in the
 world.

Nope, just another ordinary guy that understands how to ask questions
properly on mailing list.

 I think you need to consider how you deal with others. When a coleauge asks
 ne about something I know more about then them, I try to teach them, and
 tech them where to learn more, but I almost alwasy give them enough
 information to acheive thier imediate goal.

We've given you plenty of information to resolve this.  The fact that
you're wasting time on the list giving others sociological advice proves
you have no clue.

 I found over the years that results in them coming back and asking
 intelegent questions.

Ah, the irony.

 Of I jsut told them to look it up in the manual, I wouold not have
 acomplished spreeading the knowledge nearly as well.
 
 Think about it.

I probably would, if I could understand what you're trying to say.  Your
grammar, typos, and inability to form a coherent sentence leave me
speechless.  I suggest you kill this thread, focus on your technical
issues, and quit wasting everyone's time.

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: the zen of pf

2003-12-19 Thread Jason Dixon
On Fri, 2003-12-19 at 10:33, Henning Brauer wrote:

 huh? why would you NAT on the internal interface?
 well, admitted, I never use NAT, but...

Reflection would be one example.  ;-)

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



[Fwd: RE: NAT Traversal Patent]

2003-11-06 Thread Jason Dixon
Talk about a slow reply...

-J.

-Forwarded Message-
From: Dawna Hoerle (LCA) [EMAIL PROTECTED]
To: Jason Dixon [EMAIL PROTECTED]
Subject: RE: NAT Traversal Patent
Date: 06 Nov 2003 10:35:20 -0800

Thank you for your inquiry and my sincere apologies for the late
response. 

At this time, Microsoft is not able to identify details of the
unpublished patent application(s) that cover this Internet Draft. As you
may know, patent applications are confidential until they become
published pending patent applications. Accordingly, the IETF IPR policy
requires identification of specific patent information only if the
patents are granted or published pending patent applications. We plan to
update our disclosure to the IETF for NAT-T when the patent
application(s) is/are published with the following information: Patent,
Serial, Publication, Registration, or Application/File number(s), and
the date(s) granted or applied for. 

If you have any further questions about our disclosure for NAT-T or any
other IETF Internet Draft, please let me know.
Dawna

Dawna M. Hoerle | Paralegal | Law & Corporate Affairs
-Original Message-
From: Jason Dixon [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 18, 2003 10:45 AM
To: Dawna Hoerle (LCA)
Subject: NAT Traversal Patent

Dear Ms. Hoerle:

It has come to my attention that Microsoft has asserted patent rights
over the IETF NAT-T specification, as per the following document:

http://www.ietf.org/ietf/IPR/MICROSOFT-NAT-Traversal.txt

Perhaps you would be so kind as to forward the details of said patent
applications that cover this technology?

Thank you,

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: VPN query...

2003-09-19 Thread Jason Dixon
On Fri, 2003-09-19 at 15:42, tefol tefol wrote:

 How do I specify the encap interfaces in pf.conf?

man 4 enc

 I need to to setup security policies,  don't I ?

It would be in your best interests.

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net


