Re: trouble with new rdr syntax

2010-10-03 Thread Peter GILMAN

Marcus Larsson k...@mindwipe.org wrote:

 On Tue, Sep 21, 2010 at 10:25:11PM -0400, Peter GILMAN wrote:
 
  can anybody see what i'm missing?  i'd love to score some points
  for openbsd at my job (and i'll fall back to 4.6 if i have to) but
  i'd really love to get this working with 4.7.  any insight would be
  much appreciated.
 
 Hi
 
 You need to allow the traffic out on em1 (I assume traffic to
 $dsan01_grp_ip goes out via that interface).
 
 pass out on $int_if inet proto tcp from any to $dsan01_grp_ip
 port 80

no; according to the man page for pf.conf, if no rule matches the
packet, the default action is to pass the packet.  in other words, all
traffic is allowed by default unless it's explicitly blocked, and my
ruleset does not block any traffic on em1 (in fact, my ruleset has
no rules for em1 at all; the macro is redundant).  traffic is already
allowed out on em1 and does not need a rule to allow it.

thank you anyway for writing.

-

since i wasn't able to make this work, the effort at my job was
abandoned.  i doubt they will let me try openbsd any more.

it's a shame.  somehow, daniel's pf always worked exactly as documented
but ever since henning improved it i can't make it work any more...





Re: trouble with new rdr syntax

2010-10-03 Thread Peter GILMAN

Stuart Henderson s...@spacehopper.org wrote:

 On 2010/10/03 14:24, Peter GILMAN wrote:
  
  Marcus Larsson k...@mindwipe.org wrote:
  
   On Tue, Sep 21, 2010 at 10:25:11PM -0400, Peter GILMAN wrote:
   
can anybody see what i'm missing?  i'd love to score some points
for openbsd at my job (and i'll fall back to 4.6 if i have to)
but i'd really love to get this working with 4.7.  any insight
would be much appreciated.
   
   Hi
   
   You need to allow the traffic out on em1 (I assume traffic to
   $dsan01_grp_ip goes out via that interface).
   
   pass out on $int_if inet proto tcp from any to $dsan01_grp_ip
   port 80
  
  no; according to the man page for pf.conf, if no rule matches the
  packet, the default action is to pass the packet.
 
 this is true, but note that the implicit pass rule does _not_ keep
 state.
 

very good observation; thank you.




trouble with new rdr syntax

2010-09-21 Thread Peter GILMAN



i finally convinced my boss to let me try openbsd in production.  it's
meant to be a bastion/gateway between our corporate LAN and an isolated
subnet for a new project.

my problem is the new rdr syntax.  i need to forward port 80 from the
corporate net into the isolated LAN so that we can access the
browser-based management GUI for the equallogic SAN gear there.  i've
done this at home for years with the old pf syntax, but i can't get it
going at work with 4.7.

i have net.inet.ip.forwarding=1 set in sysctl.conf.  my pf.conf follows:




# /etc/pf.conf
# openbsd 4.7 / uswal1-bastion01



# lists & macros

# interface definitions
ext_if=em0
int_if=em1

# the equallogic administrative group ip address for group dsan01
dsan01_grp_ip=10.4.25.20



# tables



# options

# don't touch loopback traffic
set skip on lo

# let's be a good network citizen (return ICMP)
set block-policy return

# enable logging on the external interface (em0)
set loginterface $ext_if



# normalization



# queueing



# match rules


###
# filtering (last match unless quick is used)

###
# rules for $ext_if inbound

# block all outside traffic by default
block in log (all) on $ext_if all

# allow icmp (ping, pmtud)
pass in on $ext_if inet proto icmp all

# allow ssh
pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 22

# allow http and forward it to the equallogic group ip address
pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 80 rdr-to $dsan01_grp_ip



# rules for $ext_if outbound

# allow replies to traffic originating inside
pass out log (all) on $ext_if all keep state



can anybody see what i'm missing?  i'd love to score some points
for openbsd at my job (and i'll fall back to 4.6 if i have to) but i'd
really love to get this working with 4.7.  any insight would be much
appreciated.

thanks,

peter gilman
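As an added example (my own, not something from this thread), a small Python linter over a constructed copy of the ruleset as it was sent to the list: it expands the macros and reports the two things the replies turn on, an interface name that no *_if macro defines (the posted file had `set loginterface fxp0` on a box whose interfaces are em0 and em1) and an interface that no block or pass rule touches, so its traffic only reaches the implicit default pass, which keeps no state.

```python
import re

# Constructed copy of the ruleset from the post above: comments dropped and the
# rdr-to rule joined back onto one line. Not the poster's file verbatim.
PF_CONF = """\
ext_if=em0
int_if=em1
dsan01_grp_ip=10.4.25.20
set skip on lo
set block-policy return
set loginterface fxp0
block in log (all) on $ext_if all
pass in on $ext_if inet proto icmp all
pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 22
pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 80 rdr-to $dsan01_grp_ip
pass out log (all) on $ext_if all keep state
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"\s]+)"?$')

def parse(conf):
    """Return (macros, rules): comments stripped, $macro references expanded."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        rules.append(re.sub(r'\$(\w+)', lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return macros, rules

def audit(conf):
    """Flag loginterface names no *_if macro defines, and interfaces that no
    block/pass rule mentions (their traffic only hits the implicit pass)."""
    macros, rules = parse(conf)
    known_ifs = {v for k, v in macros.items() if k.endswith('_if')}
    findings = []
    for r in rules:
        if r.startswith('set loginterface') and r.split()[-1] not in known_ifs:
            findings.append(f'loginterface {r.split()[-1]} is not a defined interface macro')
    for ifn in sorted(known_ifs):
        if not any(r.split()[0] in ('block', 'pass') and f' on {ifn} ' in r + ' ' for r in rules):
            findings.append(f'{ifn}: no block/pass rule; its traffic only hits the '
                            'implicit default pass, which keeps no state')
    return findings
```

Running `audit(PF_CONF)` on this copy yields one finding for fxp0 and one for em1; adding an explicit stateful pass rule on $int_if, as the replies suggest, clears the second.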


Re: A PF Certification - what do you think?

2008-07-10 Thread Peter GILMAN

Ken Gunderson [EMAIL PROTECTED] wrote:

 Look what's happened to
 FreeBSD - damned near unusable these days.

funny - after using openbsd everywhere for years, i finally had to
switch to freebsd on my laptop (tp a31) because things that had worked
fine on previous versions of openbsd stopped working in 4.3...  (i
still use openbsd on my gateway/firewall and servers, though.)

and that's *my* 2 rappen.


Re: OpenCON 2007 // Call for Papers

2007-10-02 Thread Peter GILMAN

Ed wrote:

 Dear ladies and gentlemen,
 
 OpenCON is the only conference fully dedicated to OpenBSD. Last year's
 edition was a great success and also featured the party for OpenBSD's
 10th birthday, with project leader Theo de Raadt and a lot of
 developers. More info here: http://2006.opencon.org/

you might want to update the website for 2007...


pete gilman
-- 
i bought a box of animal crackers and it said on it, 'do not eat if
seal is broken.'  so i opened up the box, and sure enough...
- brian kiley


Re: Traffic Monitoring, IP

2005-01-01 Thread Peter GILMAN

Peter Matulis [EMAIL PROTECTED] wrote:

|  You should know that the work Daniel has already donated to PF and
|  the OpenBSD project is worth thousands of dollars.
| 
| Tens of thousands I would say.

and at current exchange rates, that should be just about enough for a
bratwurst and a can of beer at the bahnhof.


Re: pf port knocking

2004-12-17 Thread Peter GILMAN

Ed White [EMAIL PROTECTED] wrote:

| On Friday 17 December 2004 15:45, Roy Morris wrote:
|  change your ssh port to like 30222 or something ..
| 
| That's dumb.

why?


Choose a port  1024.

why?


Re: Is having a GUI on an OpenBSD firewall a serious mistake?

2004-10-10 Thread Peter GILMAN

Russell Fulton [EMAIL PROTECTED] wrote:

| On Sat, 2004-10-09 at 19:24, Siju George wrote:
| 
|  I ''ve read some articles on hardening OpenBSD and also received
|  suggestions. They tell me it is not a good Idea to install a GUI or
|  compiler on an OpenBSD machine that acts as a firewall.
| 
| Gui applications (particularly web based ones which are the easiest to
| write) tend to be complex and insecure, this is a good reason to keep
| them off the firewall itself.
| 
| We have a home grown web based network management system which
| includes the ability to do most of the configuration necessary for pf
| in our environment.  This app runs on another system and we use ssh to
| download pf.conf to the firewalls.  This is a reasonable compromise.


on the other hand, i'd personally rather have an openbsd firewall with a
gui than a windows based one...


reminds me of an old andy capp cartoon: a guy walks into a bar looking
for someone to complete a football team:

guy: who's the best football player in the place?

andy capp (obviously very drunk): me, when i'm sober.

guy: all right then, who's the *second* best football player in the
place?

andy capp: me, when i'm drunk!


best firewall: openbsd without a gui

second best firewall: openbsd with a gui


just my 2 rubles


cheers,

pete g