Re: pinging same host on the internet from two different LAN stations

2005-07-28 Thread Petr Ruzicka
Well, FYI,
the very same problem appeared on the Czech OpenBSD mailing list. A reader
complained that one Windows station could ping through a pf OpenBSD
firewall, but the second could not (see
http://openbsd.cz/pipermail/users/2005-July/001051.html, in Czech;
however, you can clearly spot port 512 used for ICMP ping
in the state table).

Petr R.

On 7/28/05, Melameth, Daniel D. [EMAIL PROTECTED] wrote:
> Pejman Moghadam wrote:
> > Melameth, Daniel D. wrote:
> > > FWIW, while I haven't looked into this in detail, it appears Windows
> > > clients always use the same ICMP ID--512...
> >
> > I think this is right, because of this state entry:
> >
> > self icmp 192.168.1.18:512 -> 1.2.3.4:512 -> 192.9.9.3:512   0:0
> >
> > but I have no problem with Windows clients when I use ipfw in
> > FreeBSD or even iptables in Linux.
> > Why is the same ICMP ID (512) so important for PF? How can I deal with
> > that?
>
> I don't know the specifics of any of these packet filters and haven't
> looked at any code, but I'd speculate that ipfw and iptables are
> proxying these ICMP IDs in some capacity similar to the way TCP ports
> are proxied and pf is just using the ICMP ID that is provided by the
> client.
>
> Then again, I could be very wrong.
>
> Danny

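The ICMP-identifier collision this thread is circling, as an added example that is not code from the thread, from pf, or from ipfw/iptables: a toy NAT gateway in Python that keeps echo states keyed the way the quoted pf state entry is laid out (LAN source, translated gateway address, destination, ICMP identifier). Two LAN stations that both send identifier 512 are run through it once with the identifier passed through unchanged and once with it proxied the way TCP ports are. The addresses 192.168.1.18, 1.2.3.4 and 192.9.9.3 come from the quoted state entry; the second station 192.168.1.19, the "refuse the duplicate" behaviour of the non-rewriting gateway, and the next-free-identifier allocation are modelling assumptions, not a description of what any of the three packet filters actually does.

```python
"""Toy NAT model of ICMP echo state handling with a shared ICMP identifier.

Added example; not pf/ipfw/iptables code. The drop-on-duplicate and
next-free-identifier behaviours are modelling assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Echo:
    src: str    # source IP
    dst: str    # destination IP
    ident: int  # ICMP identifier (Windows reportedly always sends 512)


class IcmpNatGateway:
    """NAT gateway that maps LAN echo requests onto one public address.

    The only thing an echo reply carries that can be matched back to a state
    is (internet host, public address, identifier), so the identifier must be
    unique per destination on the public side.
    """

    def __init__(self, public_ip: str, rewrite_ids: bool):
        self.public_ip = public_ip
        self.rewrite_ids = rewrite_ids
        # (lan_src, lan_ident, dst) -> identifier used on the public side
        self.fwd: dict[tuple[str, int, str], int] = {}
        # (public_ident, dst) -> (lan_src, lan_ident)
        self.rev: dict[tuple[int, str], tuple[str, int]] = {}
        self.dropped: list[Echo] = []

    def _free_ident(self, wanted: int, dst: str) -> int:
        """Assumption: allocate the next unused identifier, like a port proxy."""
        ident = wanted
        while (ident, dst) in self.rev:
            ident = (ident + 1) & 0xFFFF
        return ident

    def outbound(self, pkt: Echo):
        """LAN -> Internet. Returns the translated packet, or None if dropped."""
        fkey = (pkt.src, pkt.ident, pkt.dst)
        if fkey in self.fwd:                      # existing state
            return Echo(self.public_ip, pkt.dst, self.fwd[fkey])
        if (pkt.ident, pkt.dst) not in self.rev:  # public-side key is free
            public_ident = pkt.ident
        elif self.rewrite_ids:                    # proxy the identifier
            public_ident = self._free_ident(pkt.ident, pkt.dst)
        else:                                     # assumption: refuse the duplicate
            self.dropped.append(pkt)
            return None
        self.fwd[fkey] = public_ident
        self.rev[(public_ident, pkt.dst)] = (pkt.src, pkt.ident)
        return Echo(self.public_ip, pkt.dst, public_ident)

    def inbound(self, reply: Echo):
        """Internet -> LAN echo reply. Returns the un-translated packet, or None."""
        if reply.dst != self.public_ip:
            return None
        owner = self.rev.get((reply.ident, reply.src))
        if owner is None:
            return None
        lan_src, lan_ident = owner
        return Echo(reply.src, lan_src, lan_ident)


def run_demo(rewrite_ids: bool) -> dict[str, bool]:
    """Two stations both ping 192.9.9.3 with identifier 512; True = reply reached them."""
    gw = IcmpNatGateway("1.2.3.4", rewrite_ids)
    target = "192.9.9.3"
    answered = {}
    for station in ("192.168.1.18", "192.168.1.19"):
        out = gw.outbound(Echo(station, target, 512))
        if out is None:
            answered[station] = False
            continue
        # the target echoes back the identifier it received
        back = gw.inbound(Echo(target, out.src, out.ident))
        answered[station] = back is not None and back.dst == station
    return answered


if __name__ == "__main__":
    print("identifier passed through:", run_demo(rewrite_ids=False))
    print("identifier proxied:       ", run_demo(rewrite_ids=True))
```

With the identifier passed through, the second station's request has no free public-side key and its replies could only ever be matched to the first station, which is the symptom both readers describe; with the identifier proxied, the second station is given 513 on the outside and its replies are mapped back to 512 on the way in.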


Re: Stalled connections [LONG]

2004-09-30 Thread Petr Ruzicka
Martin Lexa [EMAIL PROTECTED] wrote:
>
> > Side question, how can I filter on enc0?
>
> tcpdump -i enc0 icmp, for example, isn't working. Probably with
> -E option... ?

tcpdump -i enc0 proto 1 (works for me on the xl0 interface, so I hope
it will work on enc0 as well).

Petr R.


sequence number check in pf

2004-07-27 Thread Petr Ruzicka
Hi Gurus,
I had a discussion with a friend of mine who uses Linux (and
therefore iptables) for his firewall. I wonder why it is so
important for a firewall to check for a valid sequence number range
for the whole life of a connection. As I understand it, iptables does
it only during the handshake and, after the connection enters the ESTABLISHED
state, it checks only for {source, destination} and {IP address,
port}. Pf, on the other hand, checks for a valid sequence number all
the time.
If I send a packet with an invalid seq. number (with the other attributes
valid) to a host behind the firewall and the firewall doesn't check it, i.e.
lets it through, the destination host will drop it anyway, doesn't it?
So in the case of pf, pf will drop the packet before it reaches the host; in
the case of a firewall that doesn't check seq. numbers, the
destination host will drop it. Yes, nasty and invalid packets
will enter my network, taking resources from my server etc., but
is there anything else that I missed?

I read lots of papers about TCP hijacking, IP spoofing and packet
injection, but I still somehow do not understand how a seq.
number check on the firewall for the connection's whole lifetime could help.
I could imagine only one situation: sending a RST with valid
addresses and ports could change state on the firewall, but the host
will drop it, so the firewall will close the connection (after some time)
but it will still look established on both hosts.
Could someone shed more light on it?
Thanks a lot

Petr Ruzicka
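A worked model of the check the question is about, added here as an example that is neither pf's code nor the iptables conntrack code: a Python state entry that remembers, per direction, the next sequence number that side is expected to send and the largest window the peer has advertised, and passes a segment only if it lands inside that window and does not acknowledge data the other side never sent. The ISNs, windows, the injected sequence number and the two endpoints "a" and "b" are constructed values; the width of the acceptance window (the peer's maximum window on either side of the expected sequence number) is a simplification chosen for the example, not pf's exact rule. The last cases show the two sides of the question: a RST with the right addresses and ports but an unguessable sequence number is dropped before the host and does not touch the state, while anything an attacker can place inside the window still passes.

```python
"""Simplified stateful TCP sequence-window check (added example, not pf code).

Each side of a tracked connection records the next sequence number it is
expected to send and the largest receive window it has advertised. A segment
from one side is accepted only if its sequence range lies inside a window
around what that side is expected to send next, sized by the peer's window,
and if its ACK does not acknowledge data the peer has not sent.
"""
from dataclasses import dataclass

MOD = 1 << 32


def seq_le(a: int, b: int) -> bool:
    """a <= b in 32-bit sequence-number arithmetic (wraparound-safe)."""
    return ((b - a) % MOD) < (1 << 31)


@dataclass
class Side:
    next_seq: int  # next sequence number this side is expected to send
    max_win: int   # largest receive window this side has advertised


class TcpState:
    """One firewall state entry for an established connection between a and b."""

    def __init__(self, a_isn: int, a_win: int, b_isn: int, b_win: int):
        # After the three-way handshake each side's next sequence is ISN + 1.
        self.sides = {"a": Side((a_isn + 1) % MOD, a_win),
                      "b": Side((b_isn + 1) % MOD, b_win)}
        self.closed = False

    def check(self, sender: str, seq: int, length: int, ack: int, flags: str = "A") -> bool:
        """Return True if the segment is passed, False if the firewall drops it."""
        src = self.sides[sender]
        dst = self.sides["b" if sender == "a" else "a"]
        seglen = length + (1 if "S" in flags else 0) + (1 if "F" in flags else 0)
        end = (seq + seglen) % MOD

        # Acceptance window for segments from src: [next_seq - W, next_seq + W],
        # W = the peer's largest advertised window (retransmissions below,
        # in-flight data above). Simplification chosen for this example.
        window = dst.max_win
        lo = (src.next_seq - window) % MOD
        offset = (seq - lo) % MOD
        in_window = offset + seglen <= 2 * window

        # The ACK must not acknowledge bytes the peer has never sent.
        ack_ok = ("A" not in flags) or seq_le(ack, dst.next_seq)

        if not (in_window and ack_ok):
            return False
        if seq_le(src.next_seq, end):
            src.next_seq = end   # advance what we expect from this side next
        if "R" in flags:
            self.closed = True   # an accepted RST tears the state down
        return True


def demo() -> dict[str, bool]:
    """Replay segments against one state; True = passed (or, for
    state_still_open, the state survived)."""
    st = TcpState(a_isn=1000, a_win=8192, b_isn=5000, b_win=8192)
    r = {}
    r["legit_data"] = st.check("a", seq=1001, length=100, ack=5001)   # a sends 100 bytes
    r["legit_reply"] = st.check("b", seq=5001, length=50, ack=1101)   # b answers 50 bytes
    # Blind injection: right 4-tuple, sequence number guessed at random.
    r["blind_inject"] = st.check("a", seq=0x7A2B3C4D, length=10, ack=5051)
    # Spoofed RST with that random sequence number: dropped before the host,
    # and the firewall state is not closed by it.
    r["spoofed_rst"] = st.check("a", seq=0x7A2B3C4D, length=0, ack=5051, flags="RA")
    r["state_still_open"] = not st.closed
    # The limit of the check: a sequence number inside the window still passes.
    r["in_window_inject"] = st.check("a", seq=1101 + 4000, length=10, ack=5051)
    return r


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case:18} {'pass' if passed else 'DROP'}")
```

The point the model makes about the RST scenario in the question: a RST only changes the firewall's state if it passes the same window check as data, so a spoofed RST the end host would ignore is dropped by the firewall too, and the two never disagree about the connection. What the check cannot do is stop an attacker who can see or guess a sequence number inside the window; a real implementation also bounds the ACK from below and tracks window scaling, both left out here.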


Gigabit firewall

2004-07-01 Thread Petr Ruzicka
Hi,
considering the new MP support in OpenBSD, does it somehow help with high-speed
firewalling?
Thanks

Petr R.


Re: web interface?

2004-06-14 Thread Petr Ruzicka
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> James Cammarata writes:
> ...This of course has many
> inherent risks so it's definitely just a thought right now, but Cisco does
> it and I'll be damned if they do something we can't do ;)
>
> Just because Cisco is doing it doesn't mean they are doing it right,
> or that it should be done. For example, my first question would be,
> does it have to be a web interface? If a security minded IT Manager
> is going to have to take many extra steps to make sure the thing is
> locked down or not use it at all, they'll most likely choose the
> latter, no?
No, you would be surprised. I have spoken to a lot of IT managers, CSOs
etc. and they would choose the former. No matter what I say, no matter what
I do and use, lots of them will choose GUI/HTML over ssh/vi...
Some people just like nice and colorful GUIs and prefer them to clean, simple and
secure ones.
Regards

Petr R.


Re: PF stream size

2004-01-29 Thread Petr Ruzicka
Henning Brauer [EMAIL PROTECTED] wrote:
> * Ed White [EMAIL PROTECTED] [2004-01-23 20:34]:
> > What is the opinion of PF developers here in ml ?
>
> don't like.
> limiting bytes per state is useless. bytes total and the like are not
> pf's business, it's the business of some daemon that removes/changes
> the rules once a certain limit is reached.
>
> but we could add an editor to pfctl so you don't have to use an
> external one, and integrate cron, and...

I could use a separate script that would do some parsing and use it to add certain
rules to certain tables. However, I could launch that script from cron only every 1 minute
(minimum).
In that time lots of data could be transferred. However, there could be a situation where
I need to block that host right now, right after the limit is reached. I do not know pf
internals, but I could not do this functionality with an awk script, could I? Maybe a
separate daemon which could somehow constantly monitor limits and kill connections
(and add rules) right away, but as I said I do not know pf internals.

Petr
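The daemon sketched in this message, as an added example that is not pf's code and not anything from the thread: a Python watcher that polls `pfctl -ss -vv` on a short interval instead of waiting for cron, sums the per-state byte counters by LAN source address, and as soon as a host crosses the quota adds it to a pf table (`pfctl -t <table> -T add`) and kills its live states (`pfctl -k`). The verbose state layout the parser expects is the one in the constructed sample below (adjust the regexes if your release prints it differently); the table name `overquota`, the one-second poll and the quota value are assumptions for the example, and the block rule that consults the table is assumed to exist in pf.conf.

```python
"""Byte-quota watcher for pf (added example; not pf's own code).

Polls `pfctl -ss -vv`, sums the per-state byte counters by LAN source
address and, when a host crosses the quota, adds it to a pf table and
kills its states. The parser assumes the verbose state layout shown in the
constructed sample below; the table name and poll interval are assumptions.
"""
import re
import subprocess
import time
from collections import defaultdict

TABLE = "overquota"   # assumed table, consulted by e.g. `block quick from <overquota>`
POLL_SECONDS = 1      # far tighter than cron's one-minute minimum

# Constructed sample in the `pfctl -ss -vv` layout this parser expects.
SAMPLE_PFCTL_SS_VV = """\
self tcp 192.168.1.18:3345 -> 1.2.3.4:50001 -> 192.9.9.3:80       ESTABLISHED:ESTABLISHED
   [3364329155 + 65535] wscale 0  [2424646400 + 65535] wscale 0
   age 00:01:10, expires in 24:00:00, 120:98 pkts, 9600:1500000 bytes, rule 3
self tcp 192.168.1.19:4412 -> 1.2.3.4:50002 -> 192.9.9.3:80       ESTABLISHED:ESTABLISHED
   [1111111111 + 65535] wscale 0  [2222222222 + 65535] wscale 0
   age 00:00:05, expires in 24:00:00, 10:8 pkts, 800:12000 bytes, rule 3
self udp 192.168.1.18:1025 -> 1.2.3.4:50003 -> 192.9.9.4:53       MULTIPLE:SINGLE
   age 00:00:01, expires in 00:00:29, 2:1 pkts, 120:300 bytes, rule 4
"""

STATE_RE = re.compile(r"^\S+\s+\w+\s+(\d+\.\d+\.\d+\.\d+):\d+\s+->")  # header: LAN source
BYTES_RE = re.compile(r"(\d+):(\d+) bytes")                           # counters: out:in


def bytes_per_lan_host(pfctl_output: str) -> dict[str, int]:
    """Sum both directions' byte counters of every live state per LAN source."""
    totals = defaultdict(int)
    current = None
    for line in pfctl_output.splitlines():
        m = STATE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = BYTES_RE.search(line)
        if m and current:
            totals[current] += int(m.group(1)) + int(m.group(2))
    return dict(totals)


def plan_actions(pfctl_output: str, limit_bytes: int, blocked: set):
    """Return (commands to run, hosts newly over quota) for one poll."""
    commands, newly = [], set()
    for host, total in bytes_per_lan_host(pfctl_output).items():
        if total > limit_bytes and host not in blocked:
            newly.add(host)
            commands.append(["pfctl", "-t", TABLE, "-T", "add", host])  # block further traffic
            commands.append(["pfctl", "-k", host])                      # drop its live states
    return commands, newly


def watch(limit_bytes: int) -> None:
    """Daemon loop: poll pf every POLL_SECONDS and act as soon as a quota is crossed."""
    blocked = set()
    while True:
        out = subprocess.run(["pfctl", "-ss", "-vv"],
                             capture_output=True, text=True, check=True).stdout
        commands, newly = plan_actions(out, limit_bytes, blocked)
        for cmd in commands:
            subprocess.run(cmd, check=True)
        blocked |= newly
        time.sleep(POLL_SECONDS)


if __name__ == "__main__":
    cmds, hosts = plan_actions(SAMPLE_PFCTL_SS_VV, limit_bytes=1_000_000, blocked=set())
    print("over quota:", sorted(hosts))
    for cmd in cmds:
        print(" ".join(cmd))
```

Two caveats a practitioner would want: the per-state counters disappear when a state expires, so this only sees what live flows have moved and will under-count a host that opens many short connections (for cumulative accounting, rule labels and `pfctl -sl` are the better source), and `pfctl -k host` kills every state from that host, so the "block then kill" order matters if you do not want the host to re-open connections in between.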