Re: trouble with new rdr syntax
Marcus Larsson k...@mindwipe.org wrote:

| On Tue, Sep 21, 2010 at 10:25:11PM -0400, Peter GILMAN wrote:
| | can anybody see what i'm missing? i'd love to score some points for
| | openbsd at my job (and i'll fall back to 4.6 if i have to) but i'd
| | really love to get this working with 4.7. any insight would be much
| | appreciated.
|
| Hi
|
| You need to allow the traffic out on em1 (I assume traffic to
| $dsan01_grp_ip goes out via that interface).
|
| pass out on $int_if inet proto tcp from any to $dsan01_grp_ip port 80

no; according to the man page for pf.conf, if no rule matches the packet, the default action is to pass the packet. in other words, all traffic is allowed by default unless it's explicitly blocked, and my ruleset does not block any traffic on em1 (in fact, my ruleset has no rules for em1 at all; the macro is redundant). traffic is already allowed out on em1 and does not need a rule to allow it.

thank you anyway for writing.

- since i wasn't able to make this work, the effort at my job was abandoned. i doubt they will let me try openbsd any more. it's a shame. somehow, daniel's pf always worked exactly as documented but ever since henning improved it i can't make it work any more...
Re: trouble with new rdr syntax
Stuart Henderson s...@spacehopper.org wrote:

| On 2010/10/03 14:24, Peter GILMAN wrote:
| | Marcus Larsson k...@mindwipe.org wrote:
| | | On Tue, Sep 21, 2010 at 10:25:11PM -0400, Peter GILMAN wrote:
| | | | can anybody see what i'm missing? i'd love to score some points
| | | | for openbsd at my job (and i'll fall back to 4.6 if i have to)
| | | | but i'd really love to get this working with 4.7. any insight
| | | | would be much appreciated.
| | |
| | | Hi
| | |
| | | You need to allow the traffic out on em1 (I assume traffic to
| | | $dsan01_grp_ip goes out via that interface).
| | |
| | | pass out on $int_if inet proto tcp from any to $dsan01_grp_ip port 80
| |
| | no; according to the man page for pf.conf, if no rule matches the
| | packet, the default action is to pass the packet.
|
| this is true, but note that the implicit pass rule does _not_ keep state.

very good observation; thank you.
trouble with new rdr syntax
i finally convinced my boss to let me try openbsd in production. it's meant to be a bastion/gateway between our corporate LAN and an isolated subnet for a new project. my problem is the new rdr syntax. i need to forward port 80 from the corporate net into the isolated LAN so that we can access the browser-based management GUI for the equallogic SAN gear there. i've done this at home for years with the old pf syntax, but i can't get it going at work with 4.7. i have net.inet.ip.forwarding=1 set in sysctl.conf. my pf.conf follows:

# /etc/pf.conf
# openbsd 4.7 / uswal1-bastion01

# lists

# macros
# interface definitions
ext_if=em0
int_if=em1
# the equallogic administrative group ip address for group dsan01
dsan01_grp_ip=10.4.25.20

# tables

# options
# don't touch loopback traffic
set skip on lo
# let's be a good network citizen (return ICMP)
set block-policy return
# enable logging on the external interface
set loginterface fxp0

# normalization

# queueing

# match rules

###
# filtering (last match unless quick is used)
###

# rules for $ext_if inbound
# block all outside traffic by default
block in log (all) on $ext_if all
# allow icmp (ping, pmtud)
pass in on $ext_if inet proto icmp all
# allow ssh
pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 22
# allow http and forward it to the equallogic group ip address
pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 80 rdr-to $dsan01_grp_ip

# rules for $ext_if outbound
# allow replies to traffic originating inside
pass out log (all) on $ext_if all keep state

can anybody see what i'm missing? i'd love to score some points for openbsd at my job (and i'll fall back to 4.6 if i have to) but i'd really love to get this working with 4.7. any insight would be much appreciated.

thanks,
peter gilman
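The ruleset below is an added example (editor's, not the original poster's or anyone's from the thread) that puts the two points raised in the replies into a complete 4.7-style pf.conf: Marcus's explicit `pass out on $int_if` rule for the forwarded leg, and Stuart's observation that the implicit default pass does not keep state, so relying on it for the em1 side leaves the redirected connection half stateful. It also replaces `set loginterface fxp0`, which names an interface the posted config never defines (only em0 and em1 exist there). It assumes em0 faces the corporate LAN, em1 faces the isolated subnet, and that 10.4.25.20 uses this box as its default gateway; the commented `nat-to` line is an assumption for the case where it does not. Nothing here is claimed to be the fix for the original poster's problem, which the thread never resolves.

```pf
# /etc/pf.conf -- added example for openbsd 4.7, not the original config
# assumptions: em0 = corporate side, em1 = isolated side, and the
# equallogic group ip routes its replies back through this box.

ext_if=em0
int_if=em1
dsan01_grp_ip=10.4.25.20

set skip on lo
set block-policy return
# the original had "set loginterface fxp0"; this box has no fxp0,
# only em0/em1. log the external interface as the comment intended.
set loginterface $ext_if

# corporate side: default deny, then explicit holes
block in log (all) on $ext_if all
pass in on $ext_if inet proto icmp all
pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 22

# rdr-to lives on the pass rule in 4.7. this rule creates the state;
# the packet is then routed out $int_if already rewritten to the group ip.
pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 80 \
    rdr-to $dsan01_grp_ip

# isolated side: make the forwarded leg explicit and stateful. without
# this rule the packet still leaves em1 via the implicit default pass,
# but that implicit pass keeps no state.
pass out on $int_if inet proto tcp from any to $dsan01_grp_ip port 80

# assumption: if the SAN's default route does NOT point back at this
# box, replies never return. hiding clients behind em1's address
# forces the return path through here (at the cost of losing the
# client address in the SAN's logs). uncomment only in that case.
# pass out on $int_if inet proto tcp from any to $dsan01_grp_ip port 80 \
#     nat-to ($int_if)

# everything leaving on the corporate side is stateful; "keep state"
# is the default for pass rules in 4.7, so it is not repeated here.
pass out log (all) on $ext_if all
```

Before loading it on a production box, check it with `pfctl -nf /etc/pf.conf` (parse only, no load), then `pfctl -f /etc/pf.conf`. To see whether the redirect is actually hit, watch `pfctl -vvsr` for the rule counters and `pfctl -ss` for a state with the translated destination, and run `tcpdump -n -e -ttt -i pflog0` to see which rule logged or blocked the SYN. If the SYN shows up leaving em1 but no SYN/ACK ever returns, the problem is the return route on the SAN side, not the ruleset.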
Re: A PF Certification - what do you think?
Ken Gunderson [EMAIL PROTECTED] wrote: Look what's happened to FreeBSD - damned near unusable these days. funny - after using openbsd everywhere for years, i finally had to switch to freebsd on my laptop (tp a31) because things that had worked fine on previous versions of openbsd stopped working in 4.3... (i still use openbsd on my gateway/firewall and servers, though.) and that's *my* 2 rappen.
Re: OpenCON 2007 // Call for Papers
Ed wrote: Dear ladies and gentlemen, OpenCON is the only conference fully dedicated to OpenBSD. Last year edition was a great success and featured also the party for OpenBSD 10th birthday, with project leader Theo de Raadt and a lot of developers. More info here: http://2006.opencon.org/ you might want to update the website for 2007... pete gilman -- i bought a box of animal crackers and it said on it, 'do not eat if seal is broken.' so i opened up the box, and sure enough... - brian kiley
Re: Traffic Monitoring, IP
Peter Matulis [EMAIL PROTECTED] wrote: | You should know that the work Daniel has already donated to PF and | the OpenBSD project is worth thousands of dollars. | | Tens of thousands I would say. and at current exchange rates, that should be just about enough for a bratwurst and a can of beer at the bahnhof.
Re: pf port knocking
Ed White [EMAIL PROTECTED] wrote:

| On Friday 17 December 2004 15:45, Roy Morris wrote:
| | change your ssh port to like 30222 or something ..
|
| That's dumb.

why?

| Choose a port > 1024.

why?
Re: Is having a GUI on an OpenBSD firewall a serious mistake?
Russell Fulton [EMAIL PROTECTED] wrote:

| On Sat, 2004-10-09 at 19:24, Siju George wrote:
| | I've read some articles on hardening OpenBSD and also received
| | suggestions. They tell me it is not a good idea to install a GUI or
| | compiler on an OpenBSD machine that acts as a firewall.
|
| GUI applications (particularly web based ones, which are the easiest to
| write) tend to be complex and insecure; this is a good reason to keep
| them off the firewall itself.
|
| We have a home grown web based network management system which
| includes the ability to do most of the configuration necessary for pf
| in our environment. This app runs on another system and we use ssh to
| download pf.conf to the firewalls. This is a reasonable compromise.

on the other hand, i'd personally rather have an openbsd firewall with a gui than a windows based one...

reminds me of an old andy capp cartoon: a guy walks into a bar looking for someone to complete a football team:

guy: who's the best football player in the place?
andy capp (obviously very drunk): me, when i'm sober.
guy: all right then, who's the *second* best football player in the place?
andy capp: me, when i'm drunk!

best firewall: openbsd without a gui
second best firewall: openbsd with a gui

just my 2 rubles

cheers,
pete g