Re: NAT (interface) = round-robin between IPv4/IPv6 addresses?

2008-01-04 Thread Ed White
On Friday 04 January 2008 12:17, Henning Brauer wrote:
  I noticed that with the following NAT rule:
  nat on sis1 from 10.2.2.0/28 to any -> (sis1) static-port
 
  I get the following output:
  # pfctl -sn
  nat on sis1 inet from 10.2.2.0/28 to any -> (sis1) round-robin
  static-port
 
  My question is simple: is that round-robin actually used?
  If it really means that PF sees 2 or more IPs, what are these IPs?

 it just says that pf will do round robin _if_ there is more than one
 ip.


The problem is that I actually see two IPs: one IPv4 and one IPv6.
Would pf do round robin using one IPv4 and one IPv6?


At the moment I solved this way:
nat on sis1 from 10.2.2.0/28 to any -> (sis1:0) static-port

I get the following output:
# pfctl -sn
nat on sis1 inet from 10.2.2.0/28 to any -> (sis1:0) static-port


NAT (interface) = round-robin between IPv4/IPv6 addresses?

2008-01-03 Thread Ed White
Happy new year everybody,

I have a quick question. I am using OpenBSD 4.2-stable.

I noticed that with the following NAT rule:
nat on sis1 from 10.2.2.0/28 to any -> (sis1) static-port

I get the following output:
# pfctl -sn
nat on sis1 inet from 10.2.2.0/28 to any -> (sis1) round-robin static-port

This is the interface:
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr xx:xx:xx:xx:xx:xx
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 ::xxx:::xxx%sis1 prefixlen 64 scopeid 0x2
inet zz.zz.zz.zz netmask 0xff00 broadcast zz.zz.zz.zzz


My question is simple: is that round-robin actually used?
If it really means that PF sees 2 or more IPs, what are these IPs?

Thanks.


OpenCON 2007 // free tutorials

2007-10-19 Thread Ed
Hello everyone,

OpenCON is a free entrance conference fully dedicated to OpenBSD.
http://www.opencon.org/

I just want to inform you that this year we are going to have one day 
dedicated to free tutorials. In particular you might appreciate the tutorial 
about PF by Peter Hansteen.

Peter is the author of a known howto available online:
http://home.nuug.no/~peter/pf/
and he is writing The book of PF for NoStarch:
http://nostarch.com/pf.htm

Also, you might be interested in the tutorial by Felix Kronlage about VPN 
Technologies available on OpenBSD. Felix is an OpenBSD developer. Then, let 
me name the talk about hoststated(8) preinspection by Reyk Floeter. Reyk is 
an OpenBSD developer too.

And yes, we are going to celebrate the 8th birthday of OpenSSH with a party on 
saturday evening %)

Registration is easy and free, just click here:
http://www.opencon.org/attendants/new



P.S. We got some great sponsors already, but we are looking for a few more. 
Don't miss this chance!


Re: OpenCON 2007 // Call for Papers

2007-10-02 Thread Ed
On Tuesday 02 October 2007 22:59, Peter GILMAN wrote:
  OpenCON is the only conference fully dedicated to OpenBSD. Last year
  edition was a great success and featured also the party for OpenBSD
  10th birthday, with project leader Theo de Raadt and a lot of
  developers. More info here: http://2006.opencon.org/

 you might want to update the website for 2007...


Yes, the old url was placed so that you could see some resources from last 
year, and decide if it was an interesting event. As someone might have 
already guessed, the url for the current year event is:

http://www.opencon.org

You can click on it.


OpenCON 2007 // Call for Papers

2007-10-01 Thread Ed
Dear ladies and gentlemen,

OpenCON is the only conference fully dedicated to OpenBSD. Last year edition 
was a great success and featured also the party for OpenBSD 10th birthday, 
with project leader Theo de Raadt and a lot of developers. More info here:
http://2006.opencon.org/

The OpenCON program committee is inviting speakers to submit innovative, 
original, and interesting talks on apps, architecture, implementation, 
performance and security of OpenBSD. Speeches and slides must be in english.

Topics of interest for OpenCON 2007 include, but are not limited to: 
- kernel hacking
- embedded application development and deployment
- device drivers
- security and safe coding practices
- system administration: techniques and tools of trade
- operational and economic aspects

The extended abstract should explain clearly what are the topics and the aims 
of the speech. Submissions accompanied by a non-disclosure agreement will be 
rejected.

Authors of accepted submissions have to provide a full paper for publication 
in the conference proceedings and allow the organizers to publish the results 
in the printed proceedings and on the conference web site.

To submit your proposal fill in the dedicated form:
http://www.opencon.org/papers/new

As usual the conference will be in Venice, and this year we plan to have one 
additional day for tutorials:

30 November 2007 - tutorial day
1-2 December 2007 - conference


See you there?



P.S. We are still looking for sponsors. HELP! Please spread the word among 
your friends, OpenBSD friendly companies, ISPs that offers OpenBSD servers 
for rent or hosting, and any big company that you think should sponsor the 
event. Don't wait, do it now :)



OpenCON 2007 // Call for Sponsors

2007-08-20 Thread Ed
Dear ladies and gentlemen,

OpenCON is the only conference fully dedicated to OpenBSD.

Last year edition was a great success and featured also the party for OpenBSD 
10th birthday, with project leader Theo de Raadt and a lot of developers.

http://www.opencon.org/06/register-stat.php
http://gallery.guly.org/main.php?g2_itemId=10182


We would like to be able to meet your expectations and go beyong them this 
year too!

As usual the conference will be in Venice, and this year we plan to have one 
additional day for tutorials:

30 November 2007 - tutorial day
1-2 December 2007 - conference

We organized previous editions of the conference with a FREE ENTRANCE 
policy, and to do so this year too we are looking for SPONSORS.

Sponsors: we would be happy to discuss any type of agreement, such as 
distribution of merchandising, appearance of your logo, t-shirts, and 
everything you may imagine. Obviously we can provide a valid EU receipt for 
your tax duties. Just write an email to ed()bsd.it with OpenCON in the subject 
line and tell us about your ideas!

Please spread the word among your friends, OpenBSD friendly companies, ISPs 
that offers OpenBSD servers for rent or hosting, and any big company that you 
think should sponsor the event. Don't wait, do it now :)

Thanks!


idea // shaping *download* bandwidth

2006-05-02 Thread Ed White
Hello,

in January I had an idea to shape download bandwidth, and I exchanged some 
emails with various developers (Mike Frantzen, for example).

People asks how to limit *download* bandwith without dropping packets already 
passed via the pipe to the firewall itself. The point is limiting the data 
sent by the sender.

I think we could take advantage of the existing feature that Daniel added to 
prioritize ACKs, and work on those ACKs based on sequence numbers. These 
numbers are strictly related to the data received by the receiver, so acting 
on them we should be able to limit (reduce) the number of pps sent by the 
sender. So, in the end, dropping ACKs from the receiver instead of dropping 
data from the sender. This would happen locally without saturating the 
(expensive) pipe to the internet.

How does it sound?


Re: idea // shaping *download* bandwidth

2006-05-02 Thread Ed White
On Tuesday 02 May 2006 14:24, Terje Elde wrote:
 If you drop the ACKs, there'll be a retransmit anyway.  So only thing
 you'd really change is that the TCP packet would arrive a little bit
 sooner, which could make a minor (probably not noticeable) difference
 for interactive stuff, such as SSH.  Then again, ssh isn't really what
 you're likely to throttle anyway.


You play with the window size too...


Re: viewing pf rules in tcpdump output

2006-01-16 Thread ed
On Sun, 15 Jan 2006 17:20:25 +
Karl O. Pinc [EMAIL PROTECTED] wrote:

 Sorry, pasted from the wrong window.  This is the correct script.
 
 On 01/15/2006 06:28:21 AM, ed wrote:
  
  Another question, how do you associate the rule number to line in
  pf.conf, without doing the obvious mental exercise, with many rules
  it can be a chore.
 
 awk 'BEGIN { c = 1; n = 1 } ;
  { printf "%5d  %s\n", c, $0; } ;
  /^[[:space:]]*((pass)|(block)|(scrub)|((no[[:space:]]+)scrub))/ { n += 1; } ;
  ! /\\$/ { c = n; } ' /etc/pf.conf
 
 Karl [EMAIL PROTECTED]
 Free Software:  You don't pay back, you pay forward.
   -- Robert A. Heinlein
 

Thanks very much for the three answers, I already knew of the pftop
program, but the other two were new to me.

pfctl vvs rules does seem to the easiest solution. Thanks people.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
:%s/Open Source/Free Software/g
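A more general version of that rule-number-to-line mapping, as an added example that is not part of the thread: it joins backslash-continued lines, drops comments, counts only pass/block filter rules (scrub, nat and rdr live in their own rulesets in pf of this era) and accounts for `{ }` lists, which pfctl expands into one rule per combination, so a single pf.conf line can own several rule numbers. Macros are not expanded here, which is exactly why `pfctl -vvs rules` stays the authoritative answer; the pf.conf below is a constructed sample.

```python
import re

# Filter rules start a logical line with pass or block. scrub, nat, rdr and
# binat are numbered in separate rulesets, so they are not counted here
# (Karl's awk script counts scrub too; add it to RULE_RE if you want that).
RULE_RE = re.compile(r'^\s*(pass|block)\b')
LIST_RE = re.compile(r'\{([^}]*)\}')

# Constructed sample pf.conf, not taken from the thread.
SAMPLE_PF_CONF = """\
# constructed sample pf.conf
ext_if="fxp0"
table <abuse_src> persist
set limit states 10000
scrub in
block drop log all
block quick on $ext_if from <abuse_src>
pass out keep state
pass in on $ext_if proto { tcp, udp } from any to any \\
    port { 22, 53 } keep state          # 2 x 2 = 4 rules after expansion
pass in on $ext_if proto tcp from any to any port 80 keep state
"""


def logical_lines(text):
    """Yield (first_physical_line_no, rule_text) with '#' comments removed and
    backslash-continued physical lines joined, the way pfctl reads pf.conf."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()   # naive: ignores '#' inside quotes
        if start is None:
            start = no
        if line.endswith('\\'):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, ' '.join(buf).strip()
        buf, start = [], None
    if buf:                                    # file ended on a continuation
        yield start, ' '.join(buf).strip()


def expansion_count(rule):
    """Each { a, b, ... } list in a rule multiplies the number of rules pfctl
    generates. Lists hidden behind macros ($webports) are not visible here."""
    n = 1
    for m in LIST_RE.finditer(rule):
        items = [i for i in m.group(1).split(',') if i.strip()]
        n *= max(len(items), 1)
    return n


def number_rules(text):
    """Map each filter rule to the 0-based number pflog reports ('rule 0/(match)')
    and pfctl -vvs rules prints ('@0').
    Returns [(first_rule_no, pf_conf_line, rules_generated, rule_text), ...]."""
    out, n = [], 0
    for lineno, rule in logical_lines(text):
        if not RULE_RE.match(rule):
            continue
        k = expansion_count(rule)
        out.append((n, lineno, k, rule))
        n += k
    return out


def line_for_rule(text, rule_no):
    """pf.conf line that produced rule number rule_no, or None if out of range."""
    for first, lineno, k, _ in number_rules(text):
        if first <= rule_no < first + k:
            return lineno
    return None


if __name__ == '__main__':
    for first, lineno, k, rule in number_rules(SAMPLE_PF_CONF):
        rng = f'@{first}' if k == 1 else f'@{first}-@{first + k - 1}'
        print(f'{rng:>8}  line {lineno:>3}  {rule}')
```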


Re: viewing pf rules in tcpdump output

2006-01-15 Thread ed
On Sat, 14 Jan 2006 21:18:29 -0500 (EST)
Peter [EMAIL PROTECTED] wrote:

 Question: Why does tcpdump show pf rules when I use the pflog0
 interface in combination with the -e switch (link layer)?  It's a
 fantastic feature but it seems like an odd way to arrive at it.
 
 rule 0/(match) [uid 0, pid 14885] pass out on fxp0: esp 192.168.1.1 >
 192.168.2.213 spi 0x1

Another question, how do you associate the rule number to line in
pf.conf, without doing the obvious mental exercise, with many rules it
can be a chore.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
:%s/Open Source/Free Software/g


Re: graphing pf stats

2006-01-02 Thread ed
On Mon, 2 Jan 2006 13:56:21 -0700
Bob DeBolt [EMAIL PROTECTED] wrote:

 pfstat works well, it may be a nice starting point for you or it may
 do  everything you want.

If there's time I'll look at making a plugin for monitoring programs.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
:%s/Open Source/Free Software/g


Re: Will pf write to a file

2006-01-01 Thread ed
On Sun, 01 Jan 2006 11:32:46 +0100
Cédric Berger [EMAIL PROTECTED] wrote:

   /* clear two address */
   # pfctl -t bruteforce -T? 1.2.3.4 5.6.7.8

c
 
   /* clear all */
   # pfctl -t bruteforce -Ts | pfctl -t bruteforce -T? -f -
 
 
 I guess the hardest part would be to find a suitable word/letter
 for '?'... suggestion?

C

I don't remember seeing c in the man, please disregard if it's already
used.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
:%s/Open Source/Free Software/g


Re: pf/carp/pfsync on two OpenBSD 3.8 firewalls

2005-12-31 Thread ed
On Thu, 29 Dec 2005 14:41:38 +0100
Marcin Miksowski [EMAIL PROTECTED] wrote:

 Is there any solution to resolve my problems with carp? If there is
 necessary to show You more informations on my current configuration I
 will do everything what I only can.

From experience CARP can behave oddly if you have differing
configurations, neither knows which should be master, try and avoid
having differences between the primary and secondary CARP boxes.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
:%s/Open Source/Free Software/g


pf failover state problem

2005-12-28 Thread ed
(Also posted on misc@ - some one here may have experience of this
problem)

I have the following pf.conf on two identical firewalls, which combine
two external ISP connections to a single RFC1819 network, providing
complete failover if the ISP drops off the edge of the world.

However, I notice that when I force the firewall to fail over that the
states do not appear to function any longer, new states can be
established just fine though. I am wondering if this is related to the
tagging, or that the firewall has no default gateway, but neither seem
to be definite causes.

(As most of the rules repeat I have cut the config to just three IP
addresses).

int_network=172.22.96.0/24
int_if=bge0

ext_network1=12.22.96.0/24
ext_if1=dc0
ext_gw1=12.22.96.1

ext_network2=94.143.189.0/24
ext_if2=dc1
ext_gw2=94.143.189.1

pri_network=192.168.250.0/24
pri_if=xl0

int_carp0=carp0
ext_carp1=carp1
ext_carp2=carp2

outboundports={ 20,21,22,25,43,53,80,443,,11500,6:65535 }
mailports={ 25 }
webports={ 80, 443 }
webmailports={ 25,80,110,143,443 }
dnsports={ 53 }
webftpports={ 20,21,80,443,6:65535 }
fdlports={ 25,80,11000 }

table <abuse_src>
set limit states 10
scrub in

nat on $ext_if2 inet proto { tcp,icmp,udp } from 172.22.96.15 to any -> \
94.143.189.15
nat on $ext_if2 inet proto { tcp,icmp,udp } from 172.22.96.16 to any -> \
94.143.189.16
nat on $ext_if2 inet proto { tcp,icmp,udp } from 172.22.96.17 to any -> \
94.143.189.17

rdr on $ext_if1 proto tcp from any to 212.22.96.15 port $webports -> \
172.22.96.15
rdr on $ext_if2 proto tcp from any to 194.143.189.15 port $webports -> \
172.22.96.15
rdr on $ext_if1 proto tcp from any to 212.22.96.17 port $webports -> \
172.22.96.17
rdr on $ext_if2 proto tcp from any to 194.143.189.17 port $webports -> \
172.22.96.17

block drop log all
block quick on { $ext_if1, $ext_if2 } from <abuse_src>
pass out keep state

pass in log on $ext_if1 proto { tcp } from any to 172.22.96.15 port \
$webports tag EXT_IF1 keep state 

pass in log on $ext_if2 proto { tcp } from any to 172.22.96.15 port \
$webports tag EXT_IF2 keep state 

pass in log on $ext_if1 proto { tcp } from any to 172.22.96.17 port \
$webports tag EXT_IF1 keep state 
pass in log on $ext_if2 proto { tcp } from any to 172.22.96.17 port \
$webports tag EXT_IF2 keep state

pass in log on $int_if route-to { ( $ext_carp2 $ext_gw2 ) } proto { \
tcp, udp } from $int_network to !$int_network port $outboundports keep \
state

pass in log on $int_if route-to { ( $ext_carp2 $ext_gw2 ) } proto icmp \
from $int_network to !$int_network keep state 

pass out log on $int_if reply-to ( $ext_carp1 $ext_gw1 ) tagged EXT_IF1 \
keep state
pass out log on $int_if reply-to ( $ext_carp2 $ext_gw2 ) \
tagged EXT_IF2 keep state

pass out log on { $ext_if1, $ext_carp1 } route-to ( $ext_carp2 $ext_gw2\
) from { $ext_if2, $ext_carp2 } to any 

pass out log on { $ext_if2, $ext_carp2 } route-to ( $ext_carp1 $ext_gw1\
) from { $ext_if1, $ext_carp1 } to any

###
### carp/pfsync specific, must be here like this in order for the
### failover to work
pass quick on $pri_if proto pfsync
pass quick on { $ext_if1, $ext_if2, $int_if } proto carp keep state

###
### private interface, this is the emergency rule to contact the other
### box should the private/public interface be blocked for some reason,
### we should have this as a reserve
pass quick on $pri_if from $pri_network

pass quick on { lo }



-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
:%s/Open Source/Free Software/g


Re: pf won't pass some port 53 traffic even when asked nicely to

2005-12-19 Thread ed
On Mon, 19 Dec 2005 23:29:08 +
Karl O. Pinc [EMAIL PROTECTED] wrote:

 Would it be because dns sometimes talks UDP?  (I forget the
 details.)

Contrary to other people's views on this list I prefer DNS to talk UDP.
It's quicker for one thing as the query takes place in fewer bytes.

If UDP is not possible then the protocol should retry in TCP, IIRC.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
:%s/Open Source/Free Software/g


Re: Syntax errors in pf.conf

2005-12-10 Thread ed
On Sat, 10 Dec 2005 16:43:50 -0500
Forrest Aldrich [EMAIL PROTECTED] wrote:

 I had that before (with braces {}) and got a syntax error on these
 lines  as well, FYI.
 
 
 
 ed wrote:
  On Fri, 09 Dec 2005 16:14:25 -0500
  Forrest Aldrich [EMAIL PROTECTED] wrote:
 

   rdr on $ext_if proto tcp from !<geoip>, !<spammers>, !<abuse> any \
   port { $tcp_services } tag INET_DMZ -> $server
   
  
   rdr on $ext_if proto tcp from { !<geoip>, !<spammers>, !<abuse> }
   to \ any port { $tcp_services } tag INET_DMZ -> $server
  
 
   rdr on $ext_if proto tcp from !<abuse> any \
   port 80 tag INET_DMZ -> $server
    
   rdr on $ext_if proto tcp from !<abuse> any \
   port 443 tag INET_DMZ -> $server

Please don't top post.

What does $ext_if/$tcp_services/$server expand to?

Chances are, one of those is missing a {}.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
A TCP/IP stack was the worst feature windows ever got
~~
~~
:wq


Re: Syntax errors in pf.conf

2005-12-09 Thread ed
On Fri, 09 Dec 2005 16:14:25 -0500
Forrest Aldrich [EMAIL PROTECTED] wrote:

 rdr on $ext_if proto tcp from !<geoip>, !<spammers>, !<abuse> any \
 port { $tcp_services } tag INET_DMZ -> $server

rdr on $ext_if proto tcp from { !<geoip>, !<spammers>, !<abuse> } to \
any port { $tcp_services } tag INET_DMZ -> $server

 rdr on $ext_if proto tcp from !<abuse> any \
 port 80 tag INET_DMZ -> $server
  
 rdr on $ext_if proto tcp from !<abuse> any \
 port 443 tag INET_DMZ -> $server

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
A TCP/IP stack was the worst feature windows ever got
~~
~~
:wq


carp

2005-12-08 Thread ed
Hello,

Has anyone written scripts to ensure that preempt fail over fails over
all the carp interfaces to backup upon one becoming backup, I have found
often that a single interface will become backup leaving the remaining
interfaces as master, which obviously messes things up.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
A TCP/IP stack was the worst feature windows ever got
~~
~~
:wq


Re: rdr process order

2005-11-30 Thread ed
On Wed, 30 Nov 2005 11:13:52 +0100
Adrian Rudin [EMAIL PROTECTED] wrote:

 #1
 rdr pass on $lan_if proto { tcp } from $lan_nets to \
  212.212.212.212 -> 192.168.2.10
 
 #2
 rdr pass on $lan_if proto tcp from any to any port www -> \
  127.0.0.1 port 3128
 
 I want the usual web traffic to be redirected through the proxy (rdr 
 #2). The exception is one external ip wich should be redirected to 
 another internal ip in my dmz (line #1).
 
 How do i tell pf to process rdr #1 first? Because it dosen't 

rdr pass on $lan_if proto tcp from { $lan_nets, !w.x.y.z } -> a.b.c.d

should do the trick.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
A TCP/IP stack was the worst feature windows ever got
~~
~~
:wq


Re: please publish SPF records

2005-11-03 Thread ed
On Thu, 3 Nov 2005 15:30:12 +0100
Henning Brauer [EMAIL PROTECTED] wrote:

 it is broken no matter what and deserves to be ignored at least, or 
 better yet, actively faught.

It's not entirely broken though. Many of the dumber ebay scams get
denied before my mailbox, and that makes it worth using spf alone - just
as a junk filter. I'm not going to praise it as a final solution to spam
and scam. DK is worth a look too, but it's added components to a mail
server.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
A TCP/IP stack was the worst feature windows ever got
~~
~~
:wq


Re: please publish SPF records

2005-11-02 Thread ed
On Wed, 02 Nov 2005 20:38:22 +0100
Vincent Immler [EMAIL PROTECTED] wrote:

 thanks in advance ;-)

SPF can be very broken with mail lists. You're better off using
RBL/greylisting to block out spam. Or better still, use v.immler-pf as
your sending mail, and messages from senders other than pf@benzedrine.cx
gets trashcanned. I'm sure if you know about SPF then you know all the
various anti-spam tactics.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
A TCP/IP stack was the worst feature windows ever got
~~
~~
:wq


pf rocks

2005-11-01 Thread ed
Hello,

I'd just like to say, pf rocks.

I have big changes to make to a rather important firewall, things
probably wont work for a while and it might look as though I don't know
what I'm doing at the time, but never the less, pf still rocks. Well
done chaps.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
A TCP/IP stack was the worst feature windows ever got
~~
~~
:wq


Re: ICMP redirect

2005-10-12 Thread ed
On Wed, 12 Oct 2005 20:11:03 +0200
Daniel Hartmeier [EMAIL PROTECTED] wrote:

 On Fri, Oct 07, 2005 at 07:10:04PM +0100, ed wrote:
 
  Can ICMP packets be redirected using rdr to a RFC1918 host? I gave
  it a couple of shots and did not get anywhere, as I can't see any
  mentions of it it working in either books or on the web I thought
  I'd ask here.
 
 Yes, you can redirect ICMP queries (like echo request aka ping) like
 this:
 
   rdr pass on $ext_if inet proto icmp from any to $ext_if -> 10.1.2.3
 
 This does not apply to ICMP errors (like time exceeded or
 fragmentation needed), as these are considered to be part of the
 TCP/UDP connection they refer to. If you redirect a TCP connection to
 a LAN host, ICMP errors relating to that connection will be redirected
 automatically.

Thanks, I'm sure I tried something very similar to that, either the ISP
dropped them or I did something wrong.

-- 
Regards, Ed http://www.usenix.org.uk


ICMP redirect

2005-10-07 Thread ed
Hello,

I've a weird problem, perhaps there is no possible solution.

Can ICMP packets be redirected using rdr to a RFC1918 host? I gave it a
couple of shots and did not get anywhere, as I can't see any mentions of
it it working in either books or on the web I thought I'd ask here.

Thanks.

-- 
Regards, Ed http://www.usenix.org.uk


Re: no NAT, all public ip address

2005-10-04 Thread ed
On Mon, 03 Oct 2005 23:19:30 -0500
Neil [EMAIL PROTECTED] wrote:

 Hey guys, 
 
 What will I change in pf.conf if I'm not going to use NAT anymore?
 It's  because, the current setup of the servers including the firewall
 uses  publicly routable addresses and there is no NAT. I still wanted
 to have  failover that maintains existing states/connections even if
 one firewall  goes down or cables get disconnected. 

Humm as far as I know a router does not have a state table as such, it
merely routes, as opposed to NAT. With NAT the FW indexes the source
port+address with a destination port+address, which yields a state. When
the FW sees another packet which matches either socket (port/address) it
will forward accordingly.

To use your pf.conf for a routed network you would need to remove the
nat/rdr lines, and alter the .conf so that you have network and IP
address entries that are routeable, and to the best of my knowledge it
should work as expected, but I do not think there is a state table when
you don't use NAT, but it should not hurt to leave that setup in it's
running configuration.

-- 
Regards, Ed http://www.usenix.org.uk


Re: no NAT, all public ip address

2005-10-04 Thread ed
On Tue, 04 Oct 2005 17:02:08 -0500
Neil [EMAIL PROTECTED] wrote:

 So are you saying that failover will still work on a route setup? 

Can't see why not. The failover is concerned with the gateway and
external IP addresses so that your routed and external networks talk to
the CARP interfaces and not physical interfaces. As far as I know there
is no state table that has to be synced.

-- 
Regards, Ed http://www.usenix.org.uk


Re: CARP and switches

2005-09-29 Thread ed
On Thu, 29 Sep 2005 16:26:21 -0400 (EDT)
Charles Sprickman [EMAIL PROTECTED] wrote:

 The question that was posed was along the lines of how does a
 standard  ethernet switch handle carp?.  The questioner wasn't too
 clear and I'm  not sure Jason really knew exactly what the guy was
 asking.  So I'll ask  it here in the hopes of understanding how this
 works.

I will try and answer your question with questions as I do not have a
full answer. 

How does a switch handle a broadcast address on CIDR subnets?

All CARP interface boxes will claim to be using the same IP address,
check out the ARP table, they should all have the same MAC.

-- 
Regards, Ed


Re: pf load balancing

2005-09-21 Thread ed
On Wed, 21 Sep 2005 17:05:23 -0300
Lucas [EMAIL PROTECTED] wrote:

 i'm working with 3 gateways and want to load balance between them.
 after a failure with layer 2 (carp arpbalance) balancing, i tried to
 do  it with pf.
 
 the most logical way to do it is with a machine before the gateways 
 distributing the load.
 there's a way to do it without adding a new machine (and a new point
 of  failure) to the set?

Look into the route-to keyword

-- 
http://www.usenix.org.uk - http://irc.is-cool.net


Re: rdr pass, max-src-conn

2005-09-08 Thread ed
On Thu, 8 Sep 2005 14:40:51 +0200
Daniel Hartmeier [EMAIL PROTECTED] wrote:

   host1$ pfctl -t abuse_src -Ts | ssh host2 pfctl -t abuse_src -Ta -f
   -

Thanks very much, I had not thought about scripting it at all.

-- 
http://edd.link9.net - http://irc.is-cool.net


rdr pass, max-src-conn

2005-09-07 Thread ed
Hello,

I am having troubles with some rdr rules. How should I specify:

rdr pass on $ext_if proto tcp from any to 1.2.3.4 port 80 -> 10.10.10.10

with

pass in on $ext_if proto tcp from any to $range port {80,3389} keep
state ( max-src-conn 3, max-src-conn-rate 2/5, overload <abuse_src>
flush global )

I split the rdr pass into two separate rules,

rdr on $ext_if proto tcp from any to 1.2.3.4 port 80 -> 10.10.10.10
pass on $ext_if proto tcp from any to 1.2.3.4 port {80,3389}

Yet this does not get tagged for the abuse_src table, and in some cases
it will be tagged, but connections remain open and can be established
also. (I do have a block quick drop from abuse_src rule too).

Can someone suggest how this should be specified so that the pass and
rdr work together?

-- 
http://edd.link9.net - http://irc.is-cool.net


Re: rdr pass, max-src-conn

2005-09-07 Thread ed
On Wed, 7 Sep 2005 20:25:54 +0200
Daniel Hartmeier [EMAIL PROTECTED] wrote:

  rdr on $ext_if proto tcp from any to 1.2.3.4 port 80 -> 10.10.10.10
  pass on $ext_if proto tcp from any to 1.2.3.4 port {80,3389}
 
 Packets will have their destination address replaced with 10.10.10.10
 when filter rules are evaluated (translation always happens first).
 
 So the pass rule needs to be to 10.10.10.10 instead of to 1.2.3.4.

Thanks I'll give this a go. Is there much chance of the two rules being
combined to a single rdr pass ( max-src-conn etc ) in the future?

-- 
http://edd.link9.net - http://irc.is-cool.net


Re: rdr pass, max-src-conn

2005-09-07 Thread ed
On Wed, 07 Sep 2005 14:19:06 -0400
Roy Morris [EMAIL PROTECTED] wrote:
 ed wrote:
 pass in on $ext_if proto tcp from any to $range port {80,3389} keep
 state ( max-src-conn 3, max-src-conn-rate 2/5, overload <abuse_src>
 flush global )

Thanks Roy and Daniel for your answers. I have another question now
(sorry), how can I sync the table abuse_src with pfsync? It's great
that addresses which violate a connection rate limit are stored in a
table but it would be very nice if this could be carried over both
hosts, since I hope one of the boxes will be online at any given time
then the list could be stored indefinitely.

-- 
http://edd.link9.net - http://irc.is-cool.net


Re: help

2005-09-06 Thread ed
On Tue,  6 Sep 2005 17:56:40 +0200
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 I have an important question:
 it's possible to define a filter that have as srcaddr or dstaddr
 all ip-address different from a host or a subnet?

this does not make a whole lot of sense. you could however make a filter
rule like this:

pass in on $interface from 10.10.10.0/24 to any

pf filters at layer 3, which means it's above the ethernet layer, unless
it's a bridge, but it's still a layer 3 bridge all the same.

i do not think you can filter packets based on their subnet mask. you
certainly can't filter on host name, why would you want to? a dns attack
is not too hard, there are many bugs in bind.

-- 
http://edd.link9.net - http://irc.is-cool.net


pf versions

2005-09-05 Thread ed
Hello,

On an openbsd 3.7 install the following rule will work yet not on a 3.6,
is there a difference in the way the rule should be declared, or if pf
can be upgraded, how should I do this?

ext_if=xl0
ext_network=1.2.3.4/5

pass in on $ext_if proto tcp from any to $ext_network port {22,3389}
keep state ( max-src-conn 3, max-src-conn-rate 2/5, overload <abuse_src>
flush global )



-- 
http://edd.link9.net - http://irc.is-cool.net


Re: macro doesnt expand CIDR

2005-08-29 Thread ed
On Mon, 29 Aug 2005 06:38:48 -0300
Gustavo A. Baratto [EMAIL PROTECTED] wrote:

 I understand that I could write the rule with the ips harcoded in it,
 but I  assume this doesnt change the fact that macros are not
 expanding CIDR  addresses, and this maybe a bug. I was trying more to
 warn about this rather  strange behaviour than to find an alternative
 solution.

I think the bug is that the rules are defined with a mixture of strings.
You could try defining it all in quotes, which is the only way I have
ever defined it really, then the CIDR notation should be expanded. If
not, then yes, it probably is a bug, and you could try `sendbug`.

-- 
http://edd.link9.net - http://irc.is-cool.net


Re: Problem with NAT and FTP server

2005-07-15 Thread ed
On Thu, 14 Jul 2005 22:42:49 -0400
[EMAIL PROTECTED] wrote:

 In my configuration there is a problem providing publicly-accessible
 anonymous FTP service. The config works for a small number of clients,
 but most cannot access my server and use any command that requires a
 data connection.

I have been playing around with sftp (sftponlyc), which is a jailed
chroot for users. This allows a rather interesting setup, but you can do
away with the hassle of FTP by telling the clients to use winscp for
example.

-- 
http://edd.link9.net - http://irc.is-cool.net - http://www.usenix.org.uk


3.7 change log

2005-05-22 Thread ed
Hello,

Does any one know where I should look for the 3.7 change log? And is
there an update for the book Building Firewalls with OpenBSD and PF, 2nd
edition to take these improvements/changes onboard?

-- 
http://edd.link9.net - http://irc.is-cool.net




Re: PF, Bridge, and IP on bridged interface [more]

2005-03-15 Thread Ed White
On Tuesday 15 March 2005 12:19, Henning Brauer wrote:
  So, I guess that leaves the question, can one change the ethernet
  address of a NIC with ifconfig on OpenBSD?

 no.


Yet.


http://marc.theaimsgroup.com/?l=openbsd-tech&m=111073781926839&w=2


Re: Traffic Monitoring, IP

2005-01-01 Thread ed
On Sat, 1 Jan 2005 09:53:44 +0100
Miroslav Kubik [EMAIL PROTECTED] wrote:

 OK, you're right I appreciate Daniel's work very much. It was only a
 little joke and at the same time I tried to show you that everything
 isn't only a matter of money. One friend of mine is a doctor and his
 payment is 900 USD. He works more than 200 hours a month and saves
 lives. Do you really think that he does it for money? I just wrote my
 wish about PFSTAT, I think it's quite normal, but I have never seen an
 answer: Send me some money:  so far.

The .mil use computer systems, I'm sure with failover/CARP systems in
place, perhaps not on i386, but of some sort, and if incorrectly
designed could cost lives (have you seen War Games?).
 
 p.s. Happy new year

Happy new year

p.s.
[after playing out all possible outcomes for Global Thermonuclear War]
Joshua: Greetings, Professor Falken. 


CARP again, again

2004-12-23 Thread ed

Hello again, sorry to bother you all again.

I have a question, we have two DSL connections, and I plan on using two
boxes, which are carped. But, I'd like to do this in a fashion such that
I can failover to a different connection when the primary one becomes
unusable. 

Would anyone have experience of doing this, and how exactly does one
determine that the connection has failed? Does it base the failure on
link status or on IP untouchables?

To illustrate what I am thinking here is a picture:

  .------------------.       .------------------.
  | internet cloud 1 |       | internet cloud 1 |
  `------------------'       `------------------'
      83.146.4.1/24 |         | 65.10.5.1/24
                    `----+----'
                         |
                    .---------.
                    | switch  |
                    `---------'
                         |
              .----------+----------.
              |                     |
   .-----------------------------------------------.
   | carp0 83.146.4.3             carp1 65.10.5.3  |
   `-----------------------------------------------'
              |                     |
   .-----------------------.   .----------------------.
   | fw01                  |   | fw02                 |
   | fxp0 83.146.4.1       |---| fxp0 83.146.4.2      |
   | fxp0 alias 65.10.5.2  |   | fxp0 alias 65.10.5.3 |
   `-----------------------'   `----------------------'
              |                     |
   ...


What I have thought is that I may be able to alias the second connection
on the external interfaces, and make a carp for that.



-- 
/--  _| | Regards. Please note, my PGP key ID has changed.
|-- / | | If you are planning on sending me something encrypted
\__ \_| | please update your keyring. Debian/OpenBSD. 53C9FC6C.


Re: pf port knocking

2004-12-17 Thread Ed White
On Friday 17 December 2004 15:45, Roy Morris wrote:
 change your ssh port to like 30222 or something ..

That's dumb. Choose a port < 1024.


Re: pf port knocking

2004-12-17 Thread Ed White
On Friday 17 December 2004 06:11, A wrote:
 Further, jasper is the only machine that is externally accessible via
 SSH (the only other open ports are domain, web and mail on other
 servers). I need to leave SSH open as a number of people work remotely
 and tunnel through it to some of the services on the internal network.

Try to reduce the access with options like OS-fingerprinting, src-IP, 
src-port.


Re: CARP

2004-12-17 Thread ed

On Fri, 17 Dec 2004 18:47:47 +
Ryan McBride [EMAIL PROTECTED] wrote:

 $ ifconfig -a
 $ sysctl net.inet.carp
 $ netstat -sp carp

Thank you, I will provide this with my next post.

-- 
/--  _| | Regards. Please note, my PGP key ID has changed.
|-- / | | If you are planning on sending me something encrypted
\__ \_| | please update your keyring. Debian/OpenBSD. 53C9FC6C.


Re: CARP

2004-12-16 Thread ed

On Wed, 15 Dec 2004 07:33:51 -0500
Jason Dixon [EMAIL PROTECTED] wrote:

  Sorry for this lengthy reply, I hope you all can forgive me for
  this, but as I am but a beginner with PF/CARP I hope we can avoid
  hostility.
 
  I have two boxes, with similar configs, on IP addresses 10.10.1.131
  and 10.10.1.134, both /16.
 [snip]
 
 What is working and what isn't?  What is the output of ifconfig -a
 on each box?

Basically I do not know what I had done wrong in my PF. I ventured a
different approach, so I added a third interface to each box, giving me
a cross over for pfsync to run on, so I then had lo0, xl0, fxp0, and
sis0/dc0 interfaces, so to save getting things wrong, I used the
following rule for all interfaces:

pass in quick on interface all keep state
pass out quick on interface all keep state

Woah and behold, things began to look promising as I was able to ping
various devices.

After one day of head scratching and things not routing well I noticed
some odd ARP packets; a few hours later I realised that I had connected
the cross over cable between the wrong interfaces, then wow! Things
actually started to work, all except of course the mirroring of the state
table. Pfsync was not running:

ifconfig pfsync0 up

Things are nearly fully functional for me now, however, I don't seem to
have perfect throughput when a box is shot in the head, sometimes things
work OK for the client, and sometimes they don't and connections either
lag to the point of timeout, or just drop and can't get re-established.

Sorry if I sound like a Loinux whiny, I'm almost there, just need a
few more pointers. 

1) If I reduce advskew to something like 10 on machine A and 12 on
machine B, would that increase the stability of the firewalls?

2) Why does it seem that when the master returns after I issue a
reboot, the connection for the client gets shaky again?

-- 
/--  _| | Regards. Please note, my PGP key ID has changed.
|-- / | | If you are planning on sending me something encrypted
\__ \_| | please update your keyring. Debian/OpenBSD. 53C9FC6C.


Re: CARP

2004-12-14 Thread ed

On Sun, 12 Dec 2004 10:54:28 -0500
Jason Dixon [EMAIL PROTECTED] wrote:

 On Dec 12, 2004, at 8:54 AM, ed wrote:
 
  Anyway, I have a /etc/pf.conf file which was originally for a single
  firewall, which worked for a normal layout with two interfaces. I am
  
  now
  attempting to do the following:
  [snip]
  The two boxes have two interfaces, although most documentation
  suggests using a third interface with cross over, which I don't
  currently have.
 
 It's not a requirement;  I've sent pfsync traffic across the int_if, 
 but it's not ideal.
 
  My existing firewall script allows access to 83.146.42.164 and
  83.146.42.165, should I be treating incoming packets as packets for
  83.146.42.163/4, or 83.146.42.165?
 
 You can filter on all of them.  The real address on each interface 
 still allows dedicated access to each firewall.  However, when 
 filtering traffic across CARP virtual interfaces, remember that you 
 filter on the PHYSICAL interface (fxp0), not on the virtual interface 
 (carp0).
 
  Is it possible to provide two CARP interfaces over the fxp0 like I 
  have,
  and if I do, will it work as intended?
 
 Yes, I've done many CARP interfaces using aliases on a single physical
 
 interface.
 
  Needless to say, what I am trying to do has not worked.
 
 Without providing your configuration (hostname.*, pf.conf), it's 
 impossible to help you.  It would also help to know what 
 troubleshooting you've already tried and what errors/failures you've 
 encountered.

Sorry for this lengthy reply, I hope you all can forgive me for this,
but as I am but a beginner with PF/CARP I hope we can avoid hostility.

I have two boxes, with similar configs, on IP addresses 10.10.1.131 and
10.10.1.134, both /16.

--- 10.10.1.131 ---

cat /etc/pf.conf
#   $OpenBSD: pf.conf,v 1.27 2004/03/02 20:13:55 cedric Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.

# -( pf.conf )-
# Written by Ed Neville for @UK PLC.
# Takes a /28 and distributes to NATed clients
# Forwards on ports 22 (ssh), 25 (mail), 80 (web), 110 (pop), 113 (auth)
# and 143 (IMAP)

# FTP sesame can provide outgoing FTP, from NAT computers in either
# ACTIVE or PASSIVE transfer. Not tested.
# FTP sesame SHOULD give FTP access to computers in DMZ, tested and does
# not work using config example 2.
# BINAT to computers where FTP is required.
# based on some work in the post of
# http://archives.neohapsis.com/archives/openbsd/2004-01/0417.html

# macro definitions

loif=lo0
ext_if={ dc0,carp1 }
int_if={ fxp0,carp0 }

IP=83.146.42.171

# External Addresses
BIP1=83.146.42.163
BIP2=83.146.42.164

CARP0=83.146.42.172

# Internal Address
LAN=10.10.0.0/16

# External NATs
MAIL0=192.168.1.32
WEB0=10.10.1.250
NS0=192.168.1.33
FTP0=192.168.1.38
SSH0=10.10.1.250

#tcp_services = { 22, 25, 80, 110, 113, 143 }
# Services
FTP=21
SSH=22
MAIL=25
WEB=80
POP=110
IMAP=143
NS=53

#table <spamd> persist
#table <spamd-white> persist

scrub in

# nat rules
#binat on $ext_if proto {tcp, icmp, udp} from $NS0 to any -> $BIP1

# rdr on $ext_if inet proto tcp from any to $BIP1 port $MAIL -> $MAIL0 port $MAIL
nat on $ext_if from $LAN to any -> $CARP0

# blocking rules
# block all

block log all

block drop in  quick on $ext_if from $LAN to any
block drop out quick on $ext_if from any to $LAN

pass in on $ext_if proto tcp from any to $MAIL0 port $MAIL flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $WEB0 port $WEB flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $IP port $SSH flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $FTP0 port $FTP flags S/SA
pass in on $ext_if proto tcp from any to $NS0 port $NS flags S/SA synproxy state
pass in on $ext_if proto udp from any to $NS0 port $NS keep state

pass in on $ext_if proto tcp from any to $FTP0 port { 1:65535 } flags S/SAFR synproxy state

# let internal traffic out
pass in quick on lo0 all
pass out quick on lo0 all


#pass in on $int_if from $int_if:network to any keep state
#pass out on $int_if from any to $int_if:network keep state

pass in on $int_if from $LAN to any keep state
pass out on $int_if from any to $LAN keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state

pass in proto carp keep state
pass quick proto pfsync



# for i in `ls /etc/hostname.*` ; do echo $i ; cat $i ; done ;
/etc/hostname.carp0
inet 10.10.5.1 255.255.0.0 10.10.255.255 vhid 1 pass 3Waster

/etc/hostname.carp1
inet 83.146.42.172 255.255.255.240 83.146.42.175 vhid 2 pass 3Waster

/etc/hostname.dc0
inet 83.146.42.171 255.255.255.240 NONE

/etc/hostname.fxp0
#inet 10.10.1.251 255.255.0.0 NONE
#dhcp NONE NONE NONE
inet 10.10.1.131 255.255.0.0 NONE

/etc/hostname.pfsync
up syncif fxp0


--- 10.10.1.134 ---
 cat /etc/pf.conf
#   $OpenBSD: pf.conf,v 1.27 2004/03/02 20:13:55 cedric Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax

CARP

2004-12-12 Thread ed

Hello All,

I am, once again having trouble understanding CARP/pf. It is a shame
this is not covered in Building Firewalls with OpenBSD and PF, by J.A.
or in Absolute OpenBSD, they both cover PF very well, but not CARP.

Anyway, I have a /etc/pf.conf file which was originally for a single
firewall, which worked for a normal layout with two interfaces. I am now
attempting to do the following:

   switch
 |
   +-+--+
   ||
+---+
| CARP0 10.10.5.1/24|
+---+
   ||
fxp0: 10.10.3.31/24  fxp0: 10.10.3.32/24
 obsd0obsd1
sis0: 83.146.42.163/28   sis0: 83.146.42.164/28
   ||
+---+
| CARP1 83.146.42.165/24|
+---+
   ||
   +-+--+   
 |
  switch

The two boxes have two interfaces, although most documentation suggests
using a third interface with cross over, which I don't currently have.

My existing firewall script allows access to 83.146.42.164 and
83.146.42.165, should I be treating incoming packets as packets for
83.146.42.163/4, or 83.146.42.165?

Is it possible to provide two CARP interfaces over the fxp0 like I have,
and if I do, will it work as intended?

Needless to say, what I am trying to do has not worked.

-- 
/--  _| | Regards. Please note, my PGP key ID has changed.
|-- / | | If you are planning on sending me something encrypted
\__ \_| | please update your keyring. Debian/OpenBSD. 53C9FC6C.


Re: pf sync

2004-11-19 Thread Ed

On Fri, 19 Nov 2004 13:20:11 -0800
Sean [EMAIL PROTECTED] wrote:

 Linux had been around for quite awhile in 1998. I remember using
 trying in vain to get my Diamond graphics adaptec to work with X in
 Redhat 5.2...

Never used RH, I was using SuSE 5, and WordPerfect back then, now
http://linux.corel.com doesn't exist so I use oo.org.

-- 
Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and 
LSD. Don't think this a coincidence. Can't cross chasm in small jumps
PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA 


pf sync

2004-11-18 Thread Ed

Hello All,

I have been given a spec to produce a set of redundant firewalls for
three DSL connections. These have to be three pairs of firewalls, two
for each connection.

However, I have done a couple of basic pf firewall configurations, but I
do not know anything about pfsync, despite reading Absolute OpenBSD and
Building Firewalls with OpenBSD and PF 2nd edt.

Can someone possibly point me in the direction of some pfsync examples?

-- 
Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and 
LSD. Don't think this a coincidence. Can't cross chasm in small jumps
PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA 


3.6 is on the ftp sites

2004-10-31 Thread Ed

-- 
Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and 
LSD. Don't think this a coincidence. Can't cross chasm in small jumps
PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA 


FTP to nat

2004-10-26 Thread Ed

Hello,

I have a slight problem. I have a web server on 192.168.1.38, with
83.146.42.163:80 rdr to that address. There is a PF box between
192.168.1.0/24 and 83.146.42.160/28.

I cannot use passive FTP to connect to 192.168.1.38 as the client
attempts to connect directly to the RFC1918 address.

Using active FTP also attempts a connection to RFC1918 space. 

Does anyone know how I can set this up? I believe ftp-proxy is just for
clients in the private space which need to talk to the outside FTP
servers.

Is it possible to run an FTP server in RFC1918 space and if so, should I
BINAT the whole address, and even then, will it work? Is this question
too trivial for this list?

Thanks in advance.

-- 
Ed. Debian 3. OpenBSD 3.5. You can not cross a chasm in two small 
jumps. PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 
04ED ACDA


Re: Top 10 reasons IPTABLES is better than PF

2004-10-23 Thread Ed

On Thu, 21 Oct 2004 10:37:56 -0700
Jeff Simmons [EMAIL PROTECTED] wrote:

 Well, someone DID mention porting PF to Linux. (Just for grins, take a
 look at the Linux QOS/traffic shaping subsystem, and then imagine
 getting PF to interface with THAT.)

That's not my concern. I just want the same firewall interface and
stability, I don't care if not having the same under the hood makes me a
bad person or if I have to duck the flames for saying so.

modprobe vmware-openbsd

I've said all Im going to say on the subject.

-- 
Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and 
LSD. Don't think this a coincidence. Can't cross chasm in small jumps
PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA 


Re: Linux port of pf

2004-10-20 Thread Ed
On Tue, 19 Oct 2004 18:47:00 -0200
Douglas Santos [EMAIL PROTECTED] wrote:

 Why not to use it on OpenBSD?

Because I like to apt-get some parts of my life! It's nothing personal, I
just prefer Debian on my workstation and OpenBSD on my firewall.

-- 
Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and 
LSD. Don't think this a coincidence. Can't cross chasm in small jumps
PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA 


Re: Linux port of pf

2004-10-20 Thread Ed

On Tue, 19 Oct 2004 15:14:26 -0700
Sean [EMAIL PROTECTED] wrote:

 Has anyone ported pf for use on linux kernels? I like the firewall
 somuch I want to use it on the debian systems.
  
  
  Why not to use it on OpenBSD?
   
 
 That's a very helpful comment, Douglas.
 
 Anyway, to address the original posters question, the only systems
 I've seen pf ported to are FreeBSD and NetBSD. There was some talk
 about porting pf to linux 2.6 on a security list early this year, but
 I've haven't seen anything since.

I don't suppose you know which list that was and if anything more than
talk came of it? I am a little frustrated in using iptables.

Come to think of it, do you know if there is a pf - iptables conversion
script?

-- 
Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and 
LSD. Don't think this a coincidence. Can't cross chasm in small jumps
PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA 


Re: Linux port of pf

2004-10-20 Thread Ed

On Wed, 20 Oct 2004 11:58:05 -0700
Dylan Martin [EMAIL PROTECTED] wrote:

 That said, I use OpemBSD with PF for my firewall and I only use
 iptables on servers that need to live outside my firewall for some
 weird reason.  So please don't hit me for giving iptables advice on
 the pf mailing list...

Thank you for your advice. I will see if that can save my bacon until I
can figure out some of the stuff that I don't know about BSD.

-- 
Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and 
LSD. Don't think this a coincidence. Can't cross chasm in small jumps
PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA 


Re: Linux port of pf

2004-10-20 Thread Ed

On Wed, 20 Oct 2004 13:46:23 -0500
Michael Clark [EMAIL PROTECTED] wrote:

 Whats so hard about 'portupgrade gaim' or 'pkg_add -r gaim' ?

Nothing is hard about that command other than having to wait an age for
the maintainer to get the port out.

 But, then again, why are we running gaim on a machine that is a
 firewall...

I am not running gaim on my firewall, but I do want to run a firewall on
my workstations.

 I don't think it is any harder, its just a matter of how you do it. =)

It's not harder. It's just a matter of timing and administration required
if the UNIX-like system doesn't have the package available.

-- 
Ed. Debian 3. OpenBSD 3.5. Two things came out of berkeley: BSD and 
LSD. Don't think this a coincidence. Can't cross chasm in small jumps
PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA 


FIN_WAIT_2:FIN_WAIT_2

2004-09-25 Thread Ed White
Hi,

while playing with pftop and src-track I discovered that connections from my 
home network to my OpenBSD 3.5-stable server on the internet don't get 
closed. PF always shows the FIN_WAIT_2:FIN_WAIT_2 status.

This means that if I use telnet to any open port and then I close the 
connection, PF will keep the connection in FIN_WAIT_2 status until the time 
limit expires. This is a behaviour that you don't notice without the src-track 
option because the server keeps accepting new connections...

I tried multiple programs (telnet, mail clients and various browsers) from 
both FreeBSD and OpenBSD workstations. My home firewall is running OpenBSD 
3.6 with a 2-line ruleset:

pass out quick all keep state
block in quick all


The strange thing is that other connections to the server from other hosts on 
the internet don't get closed either! PF always puts them in one of these 
two states: TIME_WAIT:TIME_WAIT or FIN_WAIT_2:FIN_WAIT_2.

I have a slight suspicion that FIN_WAIT_2:FIN_WAIT_2 happens if both of 
the peers (my server and the host) are protected by PF, while 
TIME_WAIT:TIME_WAIT happens when the host isn't protected by PF.


This is my PF ruleset on the server:

table <Spoof> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8 }

pass out quick on lo0 all keep state
pass in quick on lo0 all keep state

block in quick on fxp0 inet proto tcp from <Spoof>
block out quick on fxp0 inet from any to <Spoof>
block in quick on fxp0 inet6 all

pass out quick on fxp0 inet from (fxp0) to any keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port 25 flags S/SAFR keep state (source-track rule, max-src-nodes 20, max-src-states 2)
pass in quick on fxp0 inet proto tcp from any to (fxp0) port 80 flags S/SAFR keep state (source-track rule, max-src-nodes 50, max-src-states 10)
max-src-states 2)

block in quick all

..


Any clue ?


Ed


Re: FIN_WAIT_2:FIN_WAIT_2

2004-09-25 Thread Ed White
On Saturday 25 September 2004 15:30, Mike Frantzen wrote:
  This means that if I use telnet to any open port and then I close the
  connection PF will keep the connection in FIN_WAIT_2 status until the
  time limit expires.

 TCP goes into a 2msl time wait state after the connection closes in case
 a segment got delayed in the network.  That is how TCP works.


This explains the TIME_WAIT:TIME_WAIT status, but what about FIN_WAIT_2 ?


Ed
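
A way to see at a glance what the state table is holding, as an added example that is not code from the thread or from OpenBSD: the script below parses `pfctl -ss` output in the layout of that era (interface, protocol, `left <- right` or `left -> right`, an optional translated address in parentheses, then the `src:dst` state pair), counts entries per state pair and per remote host, and lists hosts above a per-source ceiling such as the `max-src-states` in the poster's rules. The sample lines are constructed, not captured from the poster's server. In pf's state machine both sides reach FIN_WAIT_2 once each peer's FIN has been seen and acknowledged, and both sides go to TIME_WAIT when a RST ends the connection; in either case the entry stays until the `tcp.closed` timeout (`pfctl -st`) expires, so such entries sitting in the table for a while is expected.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -ss` output in the 3.x layout; not captured from
# the poster's firewall. Remote addresses are documentation ranges.
SAMPLE_STATES = """\
fxp0 tcp 83.146.42.163:25 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
fxp0 tcp 83.146.42.163:80 <- 198.51.100.7:51240       FIN_WAIT_2:FIN_WAIT_2
fxp0 tcp 83.146.42.163:80 <- 198.51.100.7:51241       FIN_WAIT_2:FIN_WAIT_2
fxp0 tcp 83.146.42.163:25 <- 203.0.113.9:40001       TIME_WAIT:TIME_WAIT
fxp0 udp 83.146.42.163:53 <- 203.0.113.9:40002       SINGLE:MULTIPLE
fxp0 tcp 10.10.1.250:48000 (83.146.42.172:61000) -> 192.0.2.44:80       ESTABLISHED:ESTABLISHED
"""

# <if> <proto> <addr:port> [(translated)] <-|->|<-> <addr:port> [(translated)] <src:dst>
_STATE_LINE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_xlat>[^)]*)\))?\s+"
    r"(?P<dir><-|->|<->)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_xlat>[^)]*)\))?\s+"
    r"(?P<src_state>\S+):(?P<dst_state>\S+)\s*$")

# Both peers are done: pf keeps these only until tcp.closed expires.
CLOSED_PAIRS = {"FIN_WAIT_2:FIN_WAIT_2", "TIME_WAIT:TIME_WAIT"}


def _host(endpoint):
    """Strip the port from an endpoint as pfctl prints it (v4 a:p, v6 a[p])."""
    if "[" in endpoint:
        return endpoint.split("[", 1)[0]
    return endpoint.rsplit(":", 1)[0]


def parse_states(text):
    """Parse `pfctl -ss` lines into dicts; lines that do not match are skipped."""
    states = []
    for line in text.splitlines():
        m = _STATE_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # pfctl prints the remote peer on the right for both directions:
        # "<-" means the right-hand peer opened the connection, "->" the left.
        d["remote"] = _host(d["right"])
        d["pair"] = f"{d['src_state']}:{d['dst_state']}"
        states.append(d)
    return states


def summarize(text, max_src_states=None):
    """Counts per state pair and per remote host, the number of fully closed
    entries, and the remote hosts holding more than `max_src_states` entries."""
    states = parse_states(text)
    by_pair = Counter(s["pair"] for s in states)
    by_remote = Counter(s["remote"] for s in states)
    closed = sum(1 for s in states if s["pair"] in CLOSED_PAIRS)
    over = ([h for h, n in by_remote.items() if n > max_src_states]
            if max_src_states is not None else [])
    return {"total": len(states), "by_pair": dict(by_pair),
            "by_remote": dict(by_remote), "closed": closed,
            "over_limit": sorted(over)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_STATES, max_src_states=2), indent=2))
```

Feed it real output with `pfctl -ss | python3 pfstates.py`-style plumbing by reading stdin instead of `SAMPLE_STATES`; the per-remote counts are the same numbers a `max-src-states` rule option would be comparing against.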


PF tables states

2004-09-03 Thread Ed White

This is a message from an interesting thread on [EMAIL PROTECTED]

http://marc.theaimsgroup.com/?l=openbsd-miscm=109422765506037w=2


In short the question is:

why doesn't PF kill all the states associated with the table entries when you 
flush a table?


Ed


Re: PF --- spamd

2004-09-03 Thread Ed White
On Thursday 02 September 2004 16:21, Ed White wrote:
 /var/db/spamd is always empty.

 Any clue ?

Since I've not found a solution I've posted the problem on [EMAIL PROTECTED]


Ed


Re: Fwd: Re: Things pf can't do?

2004-09-03 Thread Ed White
On Thursday 20 May 2004 22:05, Jeff Simmons wrote:
  Actually, it's a breath of fresh air compared to other filters I've
  worked with.
 
  *cough* iptables *cough*  LOL

 One of Linus' stated goals for the 2.7 kernel is to improve iptables so
 that it's up to the level of OpenBSD's pf.


Jeff, could you tell me some url to find that Linus's mail ?

Thanks.


Ed


Re: PF --- spamd

2004-09-02 Thread Ed White
On Thursday 02 September 2004 07:56, Peter Hessler wrote:
 :I wanted to test spamd with greylisting, but it seems that the interaction
 :with PF is broken. In short spamd doesn't add anything to /var/db/spamd so
 :I'll never get my IP added to spamd-white

 What does `ps aux | grep spamd` say?  Mine says:
 $ps aux | grep spamd
 _spamd5408  0.0  0.2  8788   632 ??  IsSun01PM1:15.88 spamd:
 (pf spamd-white update) (spamd)
 _spamd 892  0.0  1.6  9044  4124 ??  S Sun01PM0:12.37
 /usr/libexec/spamd -g
 _spamd   17732  0.0  0.2  8784   568 ??  I Sun01PM0:01.79 spamd:
 (/var/db/spamd update) (spamd)

# ps auxw | grep spam
_spamd 142  0.0  0.4  8528   576 ??  Is 1:59PM0:00.03 spamd: (pf 
spamd-white update) (spamd)
_spamd   18655  0.0  3.0  8660  3908 ??  I  1:59PM0:00.10 /usr/libexec/spamd 
-g 
_spamd   32539  0.0  0.3  8404   352 ??  I  1:59PM0:00.00 spamd: 
(/var/db/spamd update) (spamd)
root 30894  0.0  0.3   100   360 ??  Is 1:59PM0:00.01 
/usr/libexec/spamlogd 


# top -n 50 | grep spam
18655 _spamd 20 8660K 3908K idle select   0:00  0.00% spamd
  142 _spamd100 8488K  536K sleepnanosl   0:00  0.00% spamd
30894 root  -60  100K  360K idle piperd   0:00  0.00% spamlogd
32539 _spamd-60 8404K  352K idle piperd   0:00  0.00% spamd


# pfctl -sn
rdr pass inet proto tcp from <spamd> to any port = smtp -> 127.0.0.1 port 8025
rdr pass inet proto tcp from ! <spamd-white> to any port = smtp -> 127.0.0.1 port 8025


# netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address  Foreign Address(state)
tcp0  0  10.0.0.2.25*.*LISTEN
tcp0  0  127.0.0.1.8026 *.*LISTEN
tcp0  0  *.8025 *.*LISTEN
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address  Foreign Address(state)
udp0  0  *.514  *.*   
Active UNIX domain sockets
AddressType   Recv-Q Send-Q  Inode   Conn   RefsNextref Addr
0xd3ac5194 dgram   0  00x0 0xd0a723400x0 0xd0a97100
0xd3ac5004 stream  0  0 0xd3b501080x00x00x0 tabs/.sock
0xd3ba1e10 dgram   0  00x0 0xd0a723400x0 0xd0a97440
0xd3ba1ed8 dgram   0  00x0 0xd0a723400x0 0xd0a97000
0xd3ba1d48 stream  0  0 0xd3b52af80x00x00x0 
/var/run/apmdev
0xd3ba1c80 stream  0  00x0 0xd0a720c00x00x0
0xd3ba1bb8 stream  0  00x0 0xd0a977000x00x0
0xd3ba1af0 dgram   0  00x0 0xd0a723400x0 0xd0a97e00
0xd3ba1640 dgram   0  00x0 0xd0a723400x0 0xd0a723c0
0xd3ba1578 dgram   0  00x0 0xd0a723400x00x0
0xd3ba14b0 stream  0  00x0 0xd0a368c00x00x0
0xd3ba13e8 stream  0  00x0 0xd0a721000x00x0
0xd3ba1320 stream  0  00x0 0xd0a724800x00x0
0xd3ba1258 stream  0  00x0 0xd0a724400x00x0
0xd3ba1190 dgram   0  0 0xd3b676440x00x00x0 
/var/empty/dev/log
0xd3ba10c8 dgram   0  0 0xd3b675800x0 0xd0a97ec00x0 /dev/log


/var/db/spamd is always empty.

Any clue ?


Ed


PF --- spamd

2004-09-01 Thread Ed White
Hi,

I'm playing with OpenBSD 3.6-beta.

I wanted to test spamd with greylisting, but it seems that the interaction 
with PF is broken. In short spamd doesn't add anything to /var/db/spamd so 
I'll never get my IP added to spamd-white

--- pf.conf -
table <spamd> persist
table <spamd-white> persist

rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
rdr pass inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025


-- rc.conf ---
spamd_flags=
spamd_grey=YES



Is this a bug ?


Ed


Re: preventing state runaway

2004-08-25 Thread Ed White
On Wednesday 25 August 2004 14:02, Ed White wrote:
   limiting the # of states a single source node can create is also a good
   idea, but less so to protect the firewall, more to protect the internet
   from machines gone nuts, that got hit by a worm or whatever.
 
  I've looked though my copy of Jacek's fine book but could not find any
  reference to this.  Is it new in 3.5 or have I simply missed it?

 It's older.

Oops, I've misunderstood... source tracking appeared in 3.5, by McBride.


Ed


Re: preventing state runaway

2004-08-23 Thread Ed White
On Monday 23 August 2004 19:04, Jeff Wilson wrote:
 Once again I am awed by and indebted to this list.  Thanks for the prompt
 response!

That will not help you to solve the problem. It will only cause some trouble 
for valid connection states.

You should use source-IP tracking, limiting the number of connections for each IP.
Then you could do some quick math to know the maximum number of states that 
your ruleset could create and then install enough RAM.


Ed


Re: your mail

2004-07-29 Thread Ed
Hello Rod,

You may remember me from that BINAT problem a while back. I got it
sorted. I didn't have the external IP addresses aliased on the NAT box.
All sorted now.

I had assumed that as the box was on the edge of the network range that
it would hook onto those IPs. Still, doesn't matter. Thanks for the
help. I sent the problem's fix to the list, don't know if you read it.

-- 
Ed. BSc (Hons) Comp / Inet Tech. IEng. Debian 3.


Re: NAT question

2004-07-10 Thread Ed
On Sat, 10 Jul 2004 11:40:45 +1000 (EST)
A [EMAIL PROTECTED] wrote:

 nat pass on interface [external_if] from any to \
 83.146.42.163 port 25 -> 192.168.0.20

Almost forgot. To the outside world, does 192.168.0.20 appear as
83.146.42.163, as this is for mail, it requires incoming and outgoing
connections.


Re: NAT question

2004-07-10 Thread Ed
On Sat, 10 Jul 2004 11:40:45 +1000 (EST)
A [EMAIL PROTECTED] wrote:

 You would clone the ethernet card on the OpenBSD firewall to have the
 extra addresses and then redirect based on the IP and the port number.

So for each address I want SNATed I would need to do:

ifconfig fxp0 83.146.42.163 netmask 255.255.255.240 alias

on the firewall first... then just port forward...


NAT question

2004-07-09 Thread Ed
I have been given this as a spec for the network layout:

 ---
| 217.205.140.x/32
  +---+ 
  |netgear adsl router|
  +-+-+
| 83.146.42.160/28
|
| 83.146.42.161
+---+---+
| openbsd firewall box  |
+---+---+
| 192.168.0.0/24
|
  +---+-++--+
  |   |  |  |
  |   +---++ +---++ |
  |   |192.168.0.21/24 | |192.168.0.22/24 | |
  |   |83.146.42.163:80| |83.146.42.163:21| |
  |   ++ ++ |
  | |
  +---++   +++
  |192.168.0.20/24 |   |192.168.0.0/24   |
  |83.146.42.163:25|   |nat 83.146.42.162|
  ++   +-+

The leaf nodes on 192.168.0.0/24 which have the address 83.146.42.163:x
are specific port numbers which should go to the LAN IP. Part of the
reason for this is to make better use of the /28 IP space.

However, I have no idea how to implement this in pf, can someone help me
please?
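
One way to turn the layout above into translation rules, as an added example and not a configuration from the thread: the generator below takes the port-to-host map from the diagram, checks it (no public port mapped twice, every target inside the LAN) and emits pf.conf rules in the 3.x `nat`/`rdr ... ->` syntax used on this list. The external interface name `fxp0` is assumed. Two points it builds in: the shared address 83.146.42.163 has to be aliased on the external interface or the firewall never receives packets for it (as the follow-up in this thread found), and pf evaluates translation rules first-match, so a host that must also source its own outbound traffic from 83.146.42.163 (the mail server, which the follow-up asks about) gets its own `nat` rule ahead of the catch-all one.

```python
import ipaddress

# Example code, not a configuration posted in the thread. The addresses are
# the ones in the post's diagram; the interface name is assumed.
EXT_IF = "fxp0"
LAN = ipaddress.ip_network("192.168.0.0/24")
NAT_ADDR = "83.146.42.162"      # catch-all outbound NAT address from the diagram
PUBLIC = "83.146.42.163"        # public address shared by several hosts, split by port

# (public port, internal host, internal port, must the host also appear as
#  PUBLIC when it initiates connections outbound?)
SERVICES = [
    (25, "192.168.0.20", 25, True),    # mail: outbound SMTP should come from .163 too
    (80, "192.168.0.21", 80, False),
    (21, "192.168.0.22", 21, False),
]


def check_services(lan, services):
    """Return a list of problems with the map; an empty list means it is consistent."""
    problems, seen = [], set()
    for pub_port, host, _int_port, _snat in services:
        if pub_port in seen:
            problems.append(f"public port {pub_port} is mapped more than once")
        seen.add(pub_port)
        if ipaddress.ip_address(host) not in lan:
            problems.append(f"{host} is outside {lan}")
    return problems


def build_rules(ext_if, lan, nat_addr, public, services):
    """pf.conf (3.x syntax) translation rules for one public address split by port.

    Translation rules are first-match, so the host-specific nat rule for a host
    that must source its own traffic from `public` is emitted before the
    catch-all nat rule for the whole LAN."""
    problems = check_services(lan, services)
    if problems:
        raise ValueError("; ".join(problems))
    nat_rules, rdr_rules = [], []
    for pub_port, host, int_port, snat in services:
        if snat:
            nat_rules.append(f"nat on {ext_if} from {host} to any -> {public}")
        rdr_rules.append(
            f"rdr on {ext_if} proto tcp from any to {public} port {pub_port} "
            f"-> {host} port {int_port}")
    nat_rules.append(f"nat on {ext_if} from {lan} to any -> {nat_addr}")
    header = [
        f"# {public} must be an alias on {ext_if}, otherwise the firewall never sees it:",
        f"#   ifconfig {ext_if} {public} netmask 255.255.255.240 alias",
        "# the filter sees the translated destination, so pass rules match the LAN host",
    ]
    return header + nat_rules + rdr_rules


if __name__ == "__main__":
    print("\n".join(build_rules(EXT_IF, LAN, NAT_ADDR, PUBLIC, SERVICES)))
```

The generated `rdr` rules only translate; a matching `pass in on $ext_if proto tcp from any to 192.168.0.21 port 80 ... keep state` is still needed for each target, written against the internal address because filtering happens after translation.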


Absent Interfaces Handling

2004-07-02 Thread Ed White
Hi,

I've read that since 3.5 PF can load rules for absent interfaces.
After some tests I've found that sometimes it works and sometimes it doesn't.

Can anyone tell me which interfaces are compatible ?



Ed



Example 1: desktop with only rl0

..
pass in on rl0 all
pass in on fxp0 all
..

NOT loaded


Example 2: laptop without interfaces

..
pass in on rl0 all
pass in on fxp0 all
pass in on dc0 all
pass in on an0 all
pass in on wi0 all
..

loaded OK


Example 3: laptop without interfaces

..
pass in on sis0 all
..

NOT loaded



limit ruleset reload

2004-06-02 Thread Ed White
Hi,

thanks to jknight@ I've understood that PF doesn't restore default values when 
loading a ruleset that doesn't set a limit.


---pf1.conf- 
pass in quick inet keep state (source-track global, max-src-states 3)
--

# pfctl -f pf1.conf ; pfctl -s all
..
src-nodes   hard limit  1
..


Now pf2 set a lower limit

---pf2.conf- 
set limit src-nodes 2000
pass in quick inet keep state (source-track global, max-src-states 3)
--

# pfctl -f pf1.conf ; pfctl -s all
..
src-nodes   hard limit  2000
..


Again pf1

---pf1.conf- 
pass in quick inet keep state (source-track global, max-src-states 3)
--

# pfctl -f pf1.conf ; pfctl -s all
..
src-nodes   hard limit  2000--- why not 1 ?
..


Is this a bug or a feature ? ;-)


Ed



IP source tracking doc ?

2004-05-31 Thread Ed White
Hi,

reading the PF FAQ and the pf.conf man page I haven't found any detailed help 
about the source-track options.

Playing with a custom pf.conf I've understood that source-track rule and 
source-track global allow managing the states of all source IPs in different 
ways, however I'd like some confirmation.

1) pass in quick inet proto tcp to port 25 keep state \
(source-track rule, max-src-nodes 100, max-src-states 2)

This means that a max number of 100 IPs could connect and that each of them 
could have a max number of 2 active connections to this port. Right ?


2) set limit src-nodes 3000
pass in quick inet proto tcp to port 80 keep state \
(source-track global, max-src-states 5)
pass in quick inet proto tcp to port 443 keep state \
(source-track global, max-src-states 2)

This means that a max number of 3000 IPs could connect and that each one of 
them could have a max number of 5 active connections to port 80 and a max 
number of 2 active connections to port 443. Right ?


Thanks.


Ed


P.S. The PF FAQ has completely omitted this topic and also seems to have wrong 
default values for the limit section...
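
Working the capacity question through, as an added example that is neither the poster's nor OpenBSD's code: the script below parses the `set limit` lines and the `source-track` options of a ruleset and computes an upper bound on the states it can create, the "quick math" suggested in the preventing state runaway reply. It also models the reload behaviour from the limit ruleset reload post: a limit the new file omits keeps the currently loaded value rather than returning to the default, so the functions take what `pfctl -sm` currently shows as an input. For `source-track global` it applies the pf.conf(5) semantics that states created by any participating rule count toward every participating rule's `max-src-states`, so one source can hold at most the largest such value across those rules, not their sum; this is the one place where the reading in the post above (5 to port 80 plus 2 to port 443 per source) does not hold. The defaults (states 10000, src-nodes 10000, frags 5000) are pf's compiled-in ones; the sample rulesets are the two from this post and pf1.conf from the reload post.

```python
import re

# pf's compiled-in defaults for `set limit` (pf.conf(5), OpenBSD 3.x era)
DEFAULT_LIMITS = {"states": 10000, "src-nodes": 10000, "frags": 5000}

_SET_LIMIT = re.compile(r"^\s*set\s+limit\s+(.*)$", re.M)
_LIMIT_PAIR = re.compile(r"([a-z-]+)\s+(\d+)")
_STATE_RULE = re.compile(r"\b(?:keep|modulate|synproxy)\s+state\b(?:\s*\(([^)]*)\))?")

# The two rulesets from the source-track question and pf1.conf from the
# limit reload post, as posted.
EX1 = """\
pass in quick inet proto tcp to port 25 keep state \\
    (source-track rule, max-src-nodes 100, max-src-states 2)
"""
EX2 = """\
set limit src-nodes 3000
pass in quick inet proto tcp to port 80 keep state \\
    (source-track global, max-src-states 5)
pass in quick inet proto tcp to port 443 keep state \\
    (source-track global, max-src-states 2)
"""
PF1 = "pass in quick inet keep state (source-track global, max-src-states 3)\n"


def _fold(ruleset):
    """Join pf.conf backslash line continuations into single lines."""
    return ruleset.replace("\\\n", " ")


def effective_limits(ruleset, loaded=None):
    """Return (limits, carried) for `pfctl -f` of `ruleset` on a box whose
    currently loaded limits are `loaded` (the values `pfctl -sm` shows).

    pf does not reset a limit the new file omits: the loaded value stays in
    force. `carried` names such limits that still differ from the default."""
    current = dict(DEFAULT_LIMITS)
    current.update(loaded or {})
    explicit = {}
    for m in _SET_LIMIT.finditer(_fold(ruleset)):
        for name, value in _LIMIT_PAIR.findall(m.group(1)):
            explicit[name] = int(value)
    effective = dict(current)
    effective.update(explicit)
    carried = sorted(n for n, v in current.items()
                     if n not in explicit and v != DEFAULT_LIMITS.get(n))
    return effective, carried


def state_bound(ruleset, loaded=None):
    """Upper bound on the state entries `ruleset` can create, given the limits
    that will be in force after loading it."""
    limits, _ = effective_limits(ruleset, loaded)
    per_rule = []          # rules bounded on their own (max N or source-track rule)
    global_states = []     # max-src-states of every source-track global rule
    global_nodes = limits["src-nodes"]
    unbounded = False      # some rule creates states with no per-rule ceiling
    for m in _STATE_RULE.finditer(_fold(ruleset)):
        opts = m.group(1) or ""
        track = re.search(r"source-track\s+(rule|global)", opts)
        nodes = re.search(r"max-src-nodes\s+(\d+)", opts)
        states = re.search(r"max-src-states\s+(\d+)", opts)
        hard = re.search(r"\bmax\s+(\d+)", opts)
        if hard:
            per_rule.append(int(hard.group(1)))
        elif track and track.group(1) == "rule" and states:
            n = min(int(nodes.group(1)), limits["src-nodes"]) if nodes else limits["src-nodes"]
            per_rule.append(n * int(states.group(1)))
        elif track and track.group(1) == "global" and states:
            if nodes:
                global_nodes = min(global_nodes, int(nodes.group(1)))
            global_states.append(int(states.group(1)))
        else:
            unbounded = True
    # source-track global: states made by any participating rule count toward
    # every participating rule's max-src-states (pf.conf(5)), so one source can
    # hold at most the largest max-src-states among them, not their sum.
    global_bound = global_nodes * max(global_states) if global_states else 0
    if unbounded:
        bound = limits["states"]
    else:
        bound = min(limits["states"], sum(per_rule) + global_bound)
    return {"per_rule": per_rule, "global": global_bound,
            "states_limit": limits["states"], "bound": bound}


if __name__ == "__main__":
    print("EX1:", state_bound(EX1))
    print("EX2:", state_bound(EX2))
    print("pf1 after pf2 was loaded:", effective_limits(PF1, {"src-nodes": 2000}))
```

For EX2 the per-source arithmetic gives 3000 × 5 = 15000, but the bound reported is 10000 because the `states` hard limit (never raised in that file) caps the table first; raising `set limit src-nodes` without `set limit states` buys nothing.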


tagging keep state

2004-05-31 Thread Ed White
Hi,

I've played with tagging and I've found something that's not clear to me.

block in on dc0 tag LAN
pass in inet proto tcp to port 80 keep state


If I send a SYN to port 80 passing across the dc0 interface the packet will be 
tagged LAN and then it will create a state with the second and last-matching 
rule.

However I'd like to know if every packet that belongs to that connection 
(matches the state) will be marked with LAN tag.

Thanks.


Ed



Re: tagging keep state

2004-05-31 Thread Ed White
On Monday 31 May 2004 15:40, Matthijs Bomhoff wrote:
 the rest of the packets in that connection will be passed because they
 match the state table entry, they will not be run through the firewall
 rules again as the first packet passed and created the state for the
 rest of the connection.

I know ;-)


 To answer your question: I don't think they are tagged as well, but even
 if they were, you could not really make use of the tag, as the packets
 are not passed through the ruleset.


It's important to know.

Example: on rl0 we have created a state, so for this interface the ruleset 
is not evaluated. However, when the packet goes to rl1 (suppose this is the 
external interface) whether the packets come tagged or not matters for 
ruleset evaluation.

Think of a second interface: would those packets come with a TAG?


Ed
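
The two-interface case asked about above, as an added example that is not part of the original thread. pf stores a rule's tag in the state entry it creates and re-applies that tag to every packet that later matches the state, so a `tagged` rule evaluated on the second interface does see it. Interface names and the network are assumptions.

```pf
# Added example (not from the original thread): a tag applied on the
# internal interface, followed through a stateful connection to the
# external interface. Interface names and network are assumptions.
int_if = "dc0"
ext_if = "rl0"
lan    = "192.168.1.0/24"

# OpenBSD 3.5 and later default to floating states: a packet leaving on
# $ext_if would match the state created on $int_if and the $ext_if rules
# would never be consulted for it. if-bound restores per-interface state
# matching (the only behaviour 3.4 had; drop this line on 3.4).
set state-policy if-bound

# Inbound on the LAN side: tag everything, then pass web traffic with
# state. Tags are sticky, so the pass rule keeps the LAN tag, and the
# tag is stored in the state. Every later packet that matches this state
# gets the tag re-applied before it travels on to $ext_if.
block in on $int_if all tag LAN
pass  in on $int_if inet proto tcp from $lan to any port 80 \
      flags S/SA keep state

# Outbound on the external side: the ruleset is evaluated again for this
# interface and "tagged" matches the tag carried over from $int_if, for
# the first packet (tagged by the rule) and for the rest (tagged from
# the state). Locally generated traffic carries no tag and is blocked.
block out on $ext_if all
pass  out on $ext_if inet proto tcp from $lan to any port 80 \
      flags S/SA keep state tagged LAN

# Check:  pfctl -nf /etc/pf.conf   (syntax)
#         pfctl -vsr               (per-rule evaluation/packet counters:
#                                   the tagged rule's counters move only
#                                   if the tag really arrived on $ext_if)
```
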



:peer

2004-05-30 Thread Ed White
Hi,

can anyone show me some output numbers with the :peer modifier?

Is there a way to see the current IP address from a rule like this?

block in quick on rl0 inet from (rl0) to any

(Using pfctl not ifconfig)

Thanks.


Ed



spamd grey-listing innovation

2004-04-04 Thread Ed White
Hi,

I've noticed that most spam that I receive is directed to old/nonexistent mail 
addresses. Sadly my mail server replies with an error message and so keeps 
wasting precious bandwidth.

I think that adding a new file containing only valid addresses could be a 
useful innovation. The trick is that spamd would add the grey-listing triplet 
to its database only if the destination address is present in the above file 
(/etc/spamd.addresses ?).

This would make it possible to save a lot of bandwidth and to move some load from 
the mail server to the firewall.

Who likes it?


Ed




PF espionage attempt blanketed

2004-04-01 Thread Ed White

OpenBSD secret agents have blanketed an attempt to infiltrate a covert operative 
among project developers. Ryan McBride, that's the name of the infiltrator, 
had the duty to insert copyrighted code into the PF main code, so that SCO, the 
company run by his uncle Darl McBride, could claim rights on the whole PF 
code. 


Thanks to our preferred secret agent !
[ http://www.openbsd.it/images/tshirt-15.jpg ]


003 - Ed




runtime rdr

2004-03-23 Thread Ed White
Hi,

someone asked me how to add a rdr rule on the fly.

They are coding a well-known network manipulation utility and needed to apply 
the following redirection from the software itself.

They used the following command with Linux:

iptables -t nat -A PREROUTING -p tcp --destination-port 6969 -j REDIRECT 
--to-port 9090


I told them that PF doesn't support adding rules from the command line, so they 
should use kernel ioctls.

Any other idea ?


Ed




Re: runtime rdr

2004-03-23 Thread Ed White
On Tuesday 23 March 2004 19:59, Henning Brauer wrote:
  I told them that PF doesn't support adding rules from the command line, so they
  should use kernel ioctls.

 wrong.

 echo "rdr on $someif proto tcp to port 6969 -> 127.0.0.1 port 9090" \
 | pfctl -a someanchor:someruleset -f -


You need to modify the ruleset.
In fact you need an anchor...


They want to add a rdr when the tool is started and remove it before stopping 
the tool. Something automagical that doesn't need user cooperation.


Ed
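
The anchor-based workflow from the reply above, written out as a loadable configuration. This is an added example, not code from the thread; the interface name fxp0 and the anchor name `tool` are assumptions, the ports are the ones from the question.

```pf
# Added example (not from the original thread): a redirection a tool can
# insert at start-up and remove on exit without touching the main ruleset.
# Interface name and anchor name are assumptions.
ext_if = "fxp0"

# The main ruleset only declares where runtime translation rules may
# appear. Anchors are evaluated in place, so this line fixes the position
# of the tool's rdr among the static translation rules.
rdr-anchor "tool"

# Static translation rules stay in the main ruleset.
nat on $ext_if from 10.0.0.0/24 to any -> ($ext_if)

# Redirected packets reach the filter with their destination already
# rewritten, so the filter has to admit 127.0.0.1:9090, not port 6969.
pass in quick on $ext_if inet proto tcp from any to 127.0.0.1 port 9090 \
    flags S/SA keep state
block in on $ext_if all

# Runtime workflow (shell), against the loaded ruleset above.
# On 3.4 anchors are named anchor:ruleset as in the reply (-a tool:rt);
# from 3.5 on a plain anchor name is enough.
#
#   # tool start-up: load one rdr rule into the anchor
#   echo "rdr on fxp0 inet proto tcp from any to (fxp0) port 6969 -> 127.0.0.1 port 9090" \
#       | pfctl -a tool -f -
#
#   # what is currently in the anchor
#   pfctl -a tool -sn
#
#   # tool exit: flush the anchor's nat rules, main ruleset untouched
#   pfctl -a tool -Fn
#
# pfctl needs write access to /dev/pf, i.e. root. A tool that does this
# on its own therefore runs privileged; keep the privileged part to a
# small wrapper around these three pfctl calls rather than the whole tool.
```
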




Re: PF/spamd oddity

2004-03-18 Thread Ed White
On Thursday 18 March 2004 16:02, Jason Dixon wrote:
  No, it adds a pass rule to the ruleset.  Doesn't bypass anything.

 Not according to pf.conf (5):

 If the pass modifier is given, packets matching the translation rule are
   passed without inspecting the filter rules

 Is this taken out of context?


Check this...

http://marc.theaimsgroup.com/?l=openbsd-pfm=105716719422418w=2


If I'm not wrong, rdr pass was introduced in 3.4 to solve this.


Ed




Re: Bridge, Traffic Shaping and FTP

2004-03-01 Thread Ed White
On Monday 01 March 2004 22:22, Henning Brauer wrote:
 the only place to solve this is obviously writing a proxy.
 whether that is in kernel or not doesn't change a shit.
 well, except for the tiny detail that a security problem in your
 userland proxy doesn't give the attacker remote root... and it's easier
 to write too.

Henning, I don't understand whether you're talking about the same thing I 
proposed...


I don't want any proxy or application level software in the kernel.
I said that PF could support an extension of keep state and I called it permit 
state, because it permits traffic in the opposite direction (from server to 
client) as long as the created state is in the table.

The only security problem is related to applications that bind on the client.
In fact the server could talk to the client...
However this can be easily solved with the help of tagging.


Should I post a step-by-step example?


Ed




[idea] permit state

2004-02-29 Thread Ed White
Hi,

I had an idea...


At the moment PF needs the help of a proxy to accept connections that start 
from an external source. This means that we use ftp-proxy (for active ftp) to 
analyze the control connection (from the client to the server) to accept the 
data connection started by the server.

Q: How could we solve this with PF itself?

A: Introducing the new feature permit state  8-)


We accept a connection from the destination of the packet that matched the 
permit state rule. This option is keep state on steroids.


Example:

pass out inet proto tcp from $user to $server port 21 permit state

PF already checks every packet with the state table, so it should be easy to 
add an option to be verified. If a packet matches a permit state rule it 
will be passed. As soon as the permit state is removed from the table those 
packets would not match any state and so the ruleset will be evaluated.

Until the state created by the above rule is in the table, PF will behave as 
if the following rule had been added.

pass in inet proto tcp from $server to $user


Some features
- active ftp without proxy
- multiplayer games without special ruleset for every server
- h.323 and other protocols without proxy
- compatible with NAT
- mergeable with other options like restrictions on port numbers, number of 
concurrent connections and most of today's PF features


w00t !


Ed




PF profiling & auditing

2004-02-04 Thread Ed White
Hi,

I would like to know what tools were used to test PF behaviour correctness, to 
improve performance, to find bottlenecks and to check its security.

Any test suite is appreciated.
Thanks.


Ed




Re: PF stream size

2004-01-23 Thread Ed White
On Wednesday 21 January 2004 16:56, Armin Wolfermann wrote:
 This is a first cut at this idea. It implements a per-state traffic
 limit like this:

 pass in proto tcp from any to any port = 25 \
 flags S/SA keep state (bytes 10)

 This could be easily extended to per-rule or per-source-ip limits. I
 just didn't want to invent too many keywords.

 Opinions? Ideas?

I've not tested it yet, but I'm going to do it soon.

What is the opinion of the PF developers here on the ml?


Ed




PF stream size

2004-01-19 Thread Ed White

ehm...

I would like to know if there is any plan to limit the number of bytes a TCP 
connection can transfer. The idea is to drop/close the connection after $SIZE 
bytes have been transferred. 

Why ?

1) Hosting/housing can limit file sizes (need to remove the support for 
resumed download on the server)

2) Good for SPAM. (Every IP from blacklists could be allowed to send only 
small mails, instead of +100Kb attachments)

3) qmail cannot be exploited 8-)


Please note also that it could be extended to disable a rule after $SIZE is 
exceeded. This is good for housing/hosting providers who want to sell X Gb of 
bandwidth for each IP. With a single rule like this:

pass in quick on $gw_ext inet from any to $housing_1 keep state max-size 10Gb

When PF finds that the counter of this rule has exceeded the 10Gb limit, it 
should disable/remove that rule. If the client pays for more bandwidth, the 
administrator could reactivate that rule.


Ed




Re: What is the smallest sensible size for a table? and pfauth like system

2004-01-15 Thread Ed White
On Thursday 15 January 2004 04:54, Russell Fulton wrote:
 At the moment I am regenerating the whole pf.conf file whenever there are
 changes in the database, I then use ssh to copy the file to the firewall
 and use pfctl -f to load it.  As soon as I have some time I plan to just
 load the deltas using pfctl (or a custom C program using the ioctls) to
 update just the tables and rules that have changed.  This would be
 easier although probably not by much if everything was table based.

Probably you already know that you can manipulate tables with pfctl -T.


 We are also looking at moving many of our 'standard' machines to dynamic
 table whereby they will have to log in to a 'service' which will open up
 their access through the firewall and inform our traffic meter which
 user is on the particular IP, this will pave the way for allowing
 increased usage of dynamic IP addresses.  Rather like pfauth but we will
 write a custom daemon to run on the firewall.

This can be useful. Maybe.

http://www.piout.net/phpauthpf.html

A form simply asks the user for a login and a password. Then the php script tries 
to authenticate the user with Active Directory using LDAP. If the user is 
correctly identified, it searches for the groups he is in. If he is in the 
allowed group it adds the IP to the auth table so pf will let the user go to 
the internet, then it changes the page to google.com and opens a little 
popup. This popup will refresh every 100 seconds. When it refreshes, it 
writes the time to a file. The script checkips.sh is executed regularly, so 
when the file is not updated, it will delete the IP from the auth table and 
kill the states.


Ed
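
A table-driven access scheme of the kind described above, where a daemon changes only a table and the ruleset is never reloaded. This is an added example, not part of the thread and not phpauthpf's own configuration; interface names, addresses and the table name are assumptions.

```pf
# Added example (not from the original thread): a persist table as the
# hand-off point between an authentication daemon and pf.
# Interface names, networks and table name are assumptions.
int_if   = "fxp1"
ext_if   = "fxp0"
lan      = "10.1.0.0/16"
auth_srv = "10.1.0.1"

# "persist" keeps the table alive even while it is empty, which is its
# state right after boot and after a flush.
table <authenticated> persist

# Every host may reach the login service; nothing else until it is listed.
pass in quick on $int_if inet proto tcp from $lan to $auth_srv port 443 \
    flags S/SA keep state

# Only table members pass. The table lookup happens when the state is
# created, so a host deleted from the table keeps its existing
# connections until its states are killed (see -k below).
pass in quick on $int_if inet from <authenticated> to any keep state
block in on $int_if all

nat on $ext_if from $lan to any -> ($ext_if)

# Runtime manipulation from the login daemon or a periodic job (shell):
#
#   pfctl -t authenticated -T add 10.1.2.3      # successful login
#   pfctl -t authenticated -T show              # current members
#   pfctl -t authenticated -T delete 10.1.2.3   # logout or timeout
#   pfctl -k 10.1.2.3                           # kill that host's states
#   pfctl -t authenticated -T flush             # everyone out
#
#   # sync the table with a generated list instead of computing deltas:
#   pfctl -t authenticated -T replace -f /etc/authenticated.list
#
# Without the -k step, "delete" only stops new connections; an expired
# login whose states live on is the gap a scheme like this has to close.
```
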




Re: bridge, but when ?

2004-01-07 Thread Ed White
On Wednesday 07 January 2004 00:27, Trevor Talbot wrote:
 On Tuesday, Jan 6, 2004, at 09:59 US/Pacific, Ed White wrote:
  I was playing with a 3-if firewall with static IP 10.* when I got a
  simple doubt: when is supposed to be used the bridge feature ?

 When you want a switch (smart hub) instead of a router.

Yeah, you're right.

So what are the advantages of a bridge for a classic 3-if firewall?
I read somewhere that it speeds things up. Is that right?
If so, why isn't it advised in the FAQ to use it when there are 2+ interfaces?

Thanks.


Ed




bridge, but when ?

2004-01-06 Thread Ed White
Hi,

I was playing with a 3-if firewall with static IP 10.* when I got a simple 
doubt: when is the bridge feature supposed to be used?

Every time you have 2 or more interfaces?
Only for IPless/invisible firewalls?

This doubt could sound strange, but the fact is that most (every, except 
IPless?) setups can be done without it.

Thanks.


Ed





dhcpd & authpf

2004-01-06 Thread Ed White
Hi,

I would like to know if anyone has ever thought to modify dhcpd to talk with 
PF. The idea is similar to authpf behaviour: activating some rules when a 
client gets its IP.

This should make it possible to know which internal IPs are active and may pass 
across the gateway (maybe NATed to the internet) without letting every internal 
IP go out by default.

Thanks.


Ed




Re: ftp-proxy & ALTQ

2004-01-04 Thread Ed White
On Thursday 06 November 2003 12:05, Henning Brauer wrote:
  I'm wondering if there's a way to let ftp-proxy set the priority queue
  for every state it creates.

 this boils down to create an opportunity for userland apps to set mbuf
 tags, either generalized or specialized for altq and/or tagging.
 we thought about doing this through socket options, but it's not
 really nice.


Is there any news?


Ed




Re: 3.4 upgrade

2004-01-01 Thread Ed White
On Wednesday 31 December 2003 21:08, Dom De Vitto wrote:
 I don't recall there EVER being a non-backward compatible change to
 PF - can anyone correct me on this?

Checkout this previous thread:

http://marc.theaimsgroup.com/?t=1094632r=1w=2


Ed




Daily Changelog

2003-11-30 Thread Ed White
Hi,

reading http://cvs.openbsd.org/plus.html I found some interesting lines...

+ Preserve the debug flag when enabling pf(4).
+ Reorganise pf(4) state searches for a 30% memory saving.
+ Add locking and write-filtering to bpf(4), so programs running as non-root 
can hold bpf descriptors without being able to write whatever they like at 
the link layer or issue dangerous ioctl(2)s.
+ Don't try to send incomplete IPv4 fragments in the ENOBUFS case. Note that 
this is a behaviour change from 4.4BSD and applies to output from bridge(4) 
and pf(4) as well as vanilla IP output.
+ Fix several kernel networking off-by-ones w.r.t. PRC_NCMDS.
+ Reorder the pf(4) statistics counter code and fix some miscount bugs.

Can anyone let me know some details and if anything affects -stable ?

Thanks.


Ed




ftp-proxy & ALTQ

2003-11-06 Thread Ed White
Hi,

I'm wondering if there's a way to let ftp-proxy set the priority queue for 
every state it creates.

I would like to be able to have ftp downloads at full speed until I start 
using higher priority queues. The idea is that my ftp downloads should drop 
speed if I browse the web or check my mailbox, but soon regain the whole 
bandwidth when I have finished.

The problem is that _passive_ ftp download tcp connections have no fixed 
points: no IP and no ports.

Thanks.


Ed




Re: pf with any l7 patches or ability?

2003-11-06 Thread Ed White
On Thursday 06 November 2003 17:09, Daniel Hartmeier wrote:
 If someone shows me how to do it correctly, that might even convince me
 to try to implement it in pf. But what I've seen so far were horrible
 kludges in the sense that I can immediately predict a dozen ways it will
 raise false alarms or be easily circumvented by a moderately clever
 tool. What I'd want is a scheme that I myself could trust.

The real point is: what do we need?

Something that binds together a protocol (HTTP) and a port (tcp 80)?
Something that stops an exploit?
Something that chooses what to do by reading application level data?
(like forwarding streams based on the HTTP Hostname field)
Something that transparently modifies application level data?
(like removing mail attachments)


Each problem has a solution, but it's not true that the solution to every 
problem is the same ;-)


Ed




Re: RFC#12 - PF version

2003-10-21 Thread Ed White
On Monday 20 October 2003 18:55, Ed White wrote:
 Request to introduce a public revision number to PF and pfctl.

This is the answer Theo sent me some minutes ago: 


Incorrect.

pf became incompatible way more than that.

No, most software does not have a version number.



Wunderbar!


Ed




rdr pass

2003-10-20 Thread Ed White
Hi,

I'm wondering if it's possible to define a user/group for rdr pass rules on 
3.4.

Suppose this one-rule ruleset:

rdr pass on $if proto tcp from any to $if port 21 -> $if port 8021

Note: same interface, simply change the port.

If I'm not wrong, rdr pass should create a state entry, so the client will be 
able to talk to/receive from server port 21.


Is this two-line ruleset the only way to get it working?

rdr on $if proto tcp from any to $if port 21 -> $if port 8021
pass in quick on $if proto tcp from any to $if port 8021 keep state user 
$ftp-u group $ftp-g

Thanks.


Ed




High availability and load balancing!

2003-10-18 Thread Ed White
Hi,

I've just read this and I would like to share the news with PF fans.

Quoting from http://www.deadly.org/article.php3?sid=20031018101733

Common Address Redundancy Protocol Allows multiple hosts to share an IP 
address, providing high availability and load balancing.

Original and complete post by Ryan McBride (mcbride@) available at
http://marc.theaimsgroup.com/?l=openbsd-miscm=106642790513590w=2

Enjoy !


Ed




Re: deep packet inspection

2003-10-02 Thread Ed White
On Tuesday 30 September 2003 06:23, [EMAIL PROTECTED] wrote:
 What are possible ways of implementing payload inspection in
 kernel? How is it possible to pass data from kernel-space to
 user-space(with kernel being initiator of that transfer)?

This is pretty funny, I'm writing something like that...
However I'm using an atypical way as usual ;-P


Ed




PF debugging

2003-09-27 Thread Ed White
Hi,

I'm looking for tips & tricks to write patches for PF.
The biggest problem is debugging a live kernel.
How do you do it? VMware?


Ed




Re: Divert socket

2003-09-25 Thread Ed White
On Thursday 25 September 2003 19:42, Daniel Carneiro wrote:
 Is there something like the IPFW divert socket for the PF?
 Or some other way that PF can send packets to a userland program?

Double Burp !

http://marc.theaimsgroup.com/?l=openbsd-pfm=106327905718110w=2



Ed



syn-proxy & application-level-proxy

2003-09-11 Thread Ed White
Hi,

I'm planning to write a small application proxy and I think it could be good 
to protect it with syn-proxy; however, this will create a lot of overhead on 
the firewall.

client <-tcp-> syn-proxy <-tcp-> proxy <-tcp-> server


Has anyone ever thought to introduce a hook inside syn-proxy?
A way for syn-proxy to pass the data to a filter (application level), but 
still manage the tcp connection.

Something like this:

1) client [SYN] -> syn-proxy
2) syn-proxy [SYN/ACK] -> client
3) client [ACK] -> syn-proxy

4) client [GET / ... ] -> syn-proxy
5) syn-proxy [GET / ... ] -> application proxy 
6) application proxy [ok] -> syn-proxy

7) syn-proxy [SYN] -> server
8) server [SYN/ACK] -> syn-proxy
9) syn-proxy [ACK] -> server
10) syn-proxy [GET / ... ] -> server


In the end we will have syn-proxy manage the tcp connection, while the 
application proxy talks only with syn-proxy and can change the data, block the 
connection or redirect (for example by hostname like apache vhosts).

client <-tcp-> syn-proxy (<-> application filter) <-tcp-> server


Any chance to add this to the 3.4-current ideas queue?  ;-)


Ed




