Re: Firewall setup

2024-04-16 Thread Michel von Behr
May I suggest relaying these more basic questions to the @rookies mail-list? I
think it would be great if we could have this channel reactivated,
dedicated to helping folks like Karel learn how to navigate more basic stuff,
and keep misc@ for intermediate / advanced users' inquiries.

On Wed, 17 Apr 2024 at 1:30 AM Daniel Ouellet  wrote:

>
> On 4/16/24 10:27 AM, Karel Lucas wrote:
> > First and most importantly, I would like to apologize to anyone who was
> > disturbed by my conversation. It is not my intention to offend people. I
> > may be curt, but that's not because it's in my character. In daily life
> > I work with electronics and computers and am much less familiar with
> > networks. I don't need this knowledge for what I do in daily life. It is
> > therefore difficult for me to estimate what is important to link back to
> > this mailing list. So if I am curt, please try to remember that it is
> > not intentional, but a matter of lack of knowledge. Again, I don't want
> > to hurt anyone.
>
> Hi Karel,
>
> I think you may be missing the point that everyone tried to explain to
> you. OpenBSD is a mailing list that has very thick skin compared to any
> others. You need to be very rude to offend people here, unless you are
> one that feels you have rights to other people's free time.
>
> You got some VERY knowledgeable people answering you. If I were you I
> would feel lucky for their time, believe me. I have been on this list
> since OpenBSD 2.7. A few decades ago...
>
> Now you say you don't have the network know-how to do this; sure,
> everyone starts somewhere. You say you don't need this either in your
> daily job and keep asking others to point you at the page in the PF
> book, etc.
>
> Remember they are NOT the ones who need to know, you are, so make the
> effort please. Many will hold your hand gladly IF you show willingness
> to do your share.
>
> Even the site has basic starting examples here:
>
> https://www.openbsd.org/faq/pf/index.html
>
> And even if some of them could be simpler too, they are provided as
> examples to show what's possible. Up to the reader to start there and go
> where they want to...
>
> Now to the point: you were told to start simple and explain what
> you want to do.
>
> Here you say you have no special needs, etc.
>
> So why in God's name would you want to do a bridge setup?
>
> KISS principle applies!
>
> And you were asked as well to explain your setup. NOT what you think it
> should be or how it is connected, what interface does what, etc.
>
> What do you want to do, plain and simple.
>
> Here you say that "The internal network consists mainly of regular
> clients, so no email, web or name servers", so no need for a bridge, or
> DMZ, etc.
>
> Also it looks like you use private IPs, so yes, NAT is obviously needed.
>
> Now if you want multiple networks, WHY?
>
> Any reason for it? I see none if you don't have hosting services.
>
> You say it could be possible; sure it can, I can have multiple VLANs and
> domains routing, configure a specific IPMI DMZ for my servers
> configuration, add ssh keys for wireless access with time-based access
> and limits, and kids restrictions, etc. But I wouldn't do that until I
> get my basic system going and know why.
>
> Maybe I don't have kids, so why do that part of the setup, but maybe I
> have wireless and friends coming over and they obviously all/maybe want
> fast internet access on my wireless, but I don't want them to have
> access to ANY of my devices from their phones that might compromise my
> network, so I would have a guest wireless access to the outside world
> ONLY. But if I have no friends, then why would I want that? Etc...
>
> Sure, maybe you have wireless that you want to isolate from other
> hard-wired computers, etc. You have a NAS, maybe you want to isolate it
> from wireless, or some specific computers, kids access restricted maybe, etc.
>
> But nowhere did you ever describe what it is that you want...
>
> Maybe before you start building a house, you need to know what you want
> in it, etc.
>
> Same thing here.
>
> Start small and then go from there.
>
> Why? Doing an incremental setup helps you understand your setup and why you do it.
>
> Then down the line when you make changes or want to add something to it,
> when your pf configuration is clean, you will know where to add it and
> what it does.
>
> Looks to me that if your setup has NO special needs, no hosting services
> that need to be reached from the Internet, then the only thing you need is a
> VERY simple NAT setup, on two interfaces and that's it.
>
> It's not because you have 4 interfaces that you need to use 4 interfaces...
>
> Start by defining what it is that you want and FORGET ABOUT interface 1,
> and then 2 for admin, and 3 for nas, etc.
>
> What is it that you want to do and go from there.
>
> Define your needs and then address them ONE by ONE.
>
> Fix one, test and then go to the next one.
>
> And FORGET ABOUT BRIDGE SETUP PLEASE!!!
>
> You have absolutely 

Re: Firewall setup

2024-04-16 Thread Daniel Ouellet



On 4/16/24 10:27 AM, Karel Lucas wrote:
First and most importantly, I would like to apologize to anyone who was 
disturbed by my conversation. It is not my intention to offend people. I 
may be curt, but that's not because it's in my character. In daily life 
I work with electronics and computers and am much less familiar with 
networks. I don't need this knowledge for what I do in daily life. It is 
therefore difficult for me to estimate what is important to link back to 
this mailing list. So if I am curt, please try to remember that it is 
not intentional, but a matter of lack of knowledge. Again, I don't want 
to hurt anyone.


Hi Karel,

I think you may be missing the point that everyone tried to explain to
you. OpenBSD is a mailing list that has very thick skin compared to any
others. You need to be very rude to offend people here, unless you are
one that feels you have rights to other people's free time.


You got some VERY knowledgeable people answering you. If I were you I
would feel lucky for their time, believe me. I have been on this list
since OpenBSD 2.7. A few decades ago...


Now you say you don't have the network know-how to do this; sure,
everyone starts somewhere. You say you don't need this either in your
daily job and keep asking others to point you at the page in the PF
book, etc.


Remember they are NOT the ones who need to know, you are, so make the
effort please. Many will hold your hand gladly IF you show willingness
to do your share.


Even the site has basic starting examples here:

https://www.openbsd.org/faq/pf/index.html

And even if some of them could be simpler too, they are provided as
examples to show what's possible. Up to the reader to start there and go
where they want to...


Now to the point: you were told to start simple and explain what
you want to do.


Here you say you have no special needs, etc.

So why in God's name would you want to do a bridge setup?

KISS principle applies!

And you were asked as well to explain your setup. NOT what you think it
should be or how it is connected, what interface does what, etc.


What do you want to do, plain and simple.

Here you say that "The internal network consists mainly of regular
clients, so no email, web or name servers", so no need for a bridge, or
DMZ, etc.


Also it looks like you use private IPs, so yes, NAT is obviously needed.

Now if you want multiple networks, WHY?

Any reason for it? I see none if you don't have hosting services.

You say it could be possible; sure it can, I can have multiple VLANs and
domains routing, configure a specific IPMI DMZ for my servers
configuration, add ssh keys for wireless access with time-based access
and limits, and kids restrictions, etc. But I wouldn't do that until I
get my basic system going and know why.


Maybe I don't have kids, so why do that part of the setup, but maybe I
have wireless and friends coming over and they obviously all/maybe want
fast internet access on my wireless, but I don't want them to have
access to ANY of my devices from their phones that might compromise my
network, so I would have a guest wireless access to the outside world
ONLY. But if I have no friends, then why would I want that? Etc...


Sure, maybe you have wireless that you want to isolate from other
hard-wired computers, etc. You have a NAS, maybe you want to isolate it
from wireless, or some specific computers, kids access restricted maybe, etc.


But nowhere did you ever describe what it is that you want...

Maybe before you start building a house, you need to know what you want
in it, etc.


Same thing here.

Start small and then go from there.

Why? Doing an incremental setup helps you understand your setup and why you do it.

Then down the line when you make changes or want to add something to it, 
when your pf configuration is clean, you will know where to add it and 
what it does.


Looks to me that if your setup has NO special needs, no hosting services
that need to be reached from the Internet, then the only thing you need is a
VERY simple NAT setup, on two interfaces and that's it.


It's not because you have 4 interfaces that you need to use 4 interfaces...

Start by defining what it is that you want and FORGET ABOUT interface 1,
and then 2 for admin, and 3 for nas, etc.


What is it that you want to do and go from there.

Define your needs and then address them ONE by ONE.

Fix one, test and then go to the next one.

And FORGET ABOUT BRIDGE SETUP PLEASE!!!

You have absolutely NO need for this with what you say so far in any of 
your communications.


Example of thinking.

I see you try to use MANY macros, do you really need that? They are supposed
to make things simpler to understand and cleaner to read, not more
complex.


The key to a decent firewall is first to know what it is that you want
to do, and it looks to me like you still do not know that yet.


I would even say, and have said for many decades, a good firewall NOT only
stops incoming traffic, but also

Re: Firewall setup

2024-04-16 Thread Karel Lucas



This is my dmesg, if anyone is interested:


OpenBSD 7.4 (GENERIC.MP) #3: Wed Feb 28 06:23:33 MST 2024
r...@syspatch-74-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4047122432 (3859MB)
avail mem = 3904729088 (3723MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.3 @ 0x74c77000 (117 entries)
bios0: vendor American Megatrends International, LLC. version "JK4LV105" 
date 08/31/2022

bios0: Default string Default string
efi0 at bios0: UEFI 2.7
efi0: American Megatrends rev 0x50013
acpi0 at bios0: ACPI 6.2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP MCFG FIDT SSDT SSDT SSDT HPET APIC PRAM SSDT 
SSDT NHLT LPIT SSDT SSDT DBGP DBG2 DMAR SSDT TPM2 WSMT FPDT
acpi0: wakeup devices PEGP(S4) PEGP(S4) PEGP(S4) PEGP(S4) SIO1(S3) 
RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) 
RP05(S4) PXSX(S4) RP06(S4) [...]

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xc000, bus 0-255
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2893.74 MHz, 06-9c-00, patch 
2424
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 
64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache

cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 38MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.2.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2893.74 MHz, 06-9c-00, patch 
2424
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 
64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache

cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2793.96 MHz, 06-9c-00, patch 
2424
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu2: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 
64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache

cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2793.95 MHz, 06-9c-00, patch 
2424
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu3: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 
64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache

cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpiprt0 at acpi0: bus 0 (PC00)
acpiprt1 at acpi0: bus -1 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 1 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiprt5 at acpi0: bus 2 (RP05)
acpiprt6 at acpi0: bus 3 (RP06)
acpiprt7 at acpi0: bus 4 (RP07)
acpiprt8 at acpi0: bus 5 (RP08)
acpiprt9 at acpi0: bus -1 (RP09)
acpiprt10 at acpi0: bus -1 (RP10)
acpiprt11 at acpi0: bus -1 (RP11)
acpiprt12 at 

Re: Firewall setup

2024-04-16 Thread Karel Lucas
First and most importantly, I would like to apologize to anyone who was 
disturbed by my conversation. It is not my intention to offend people. I 
may be curt, but that's not because it's in my character. In daily life 
I work with electronics and computers and am much less familiar with 
networks. I don't need this knowledge for what I do in daily life. It is 
therefore difficult for me to estimate what is important to link back to 
this mailing list. So if I am curt, please try to remember that it is 
not intentional, but a matter of lack of knowledge. Again, I don't want 
to hurt anyone.


Second, the firewall. This is set up as a bridge with the following 
hardware: 
https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image=1. 
The Ethernet connections ETH1 ... ETH4 are translated by OpenBSD to igc0 
... igc3. Connection igc0 is the input that goes to the ISDN modem, and 
igc1 and igc2 are the two outputs that go to the internal network. These 
two connections are more flexible for the underlying network. This makes 
it possible to connect two different networks, if desired, albeit with 
one and the same IP range (192.168.2.0/24), or two different networks, 
if so configured. So two possibilities (which is best?). So there is no 
need to use two connections at the same time, although this should be 
possible. Finally, connection igc3. This is given the IP address 
192.168.2.252, because it is intended for remote administration, 
including upgrades. This connection will therefore not be part of the 
firewall bridge, and will therefore not appear in pf.conf. The internal 
network consists mainly of regular clients, so no email, web or name 
servers. These clients will work with Linux, mac OSX, or OpenBSD, but 
not Windows, but there will be a small file server or NAS. This file 
server or NAS is only intended for the clients in the network and has no 
connection to the internet. For now it is important to get ping and 
traceroute working properly, after which work on normal internet traffic 
can be started. What I'm wondering is whether I need NAT for my firewall 
configuration. This is my plan for my firewall. It seems to me that 
there are much more difficult configurations than this one. I hope there 
are still people who are willing to help me.




On 16-04-2024 at 07:24, Peter N. M. Hansteen wrote:

I give up.

The obviously incomplete, hand edited ifconfig output shows three
interfaces that are (or appear to be, judging from the excerpts that
we are given) not configured with IP addresses, two of which
have a link, while the last does not.

For reasons unknown these three are joined in a three-way bridge.

From the tiny crumbs of information you have deigned to reveal to us,
it is not at all clear what it is you are trying to achieve.

That this configuration does not do anything useful is however no
surprise at all.

Once you can describe what it is your Rube Goldberg contraption
is supposed to do, competent people here might offer some advice
on how to make things work properly.

Until that happens, I for one will simply ignore anything from that
source.





Re: Firewall setup

2024-04-16 Thread Zé Loff


On Tue, Apr 16, 2024 at 12:01:38AM +0200, Karel Lucas wrote:
> 
> Op 15-04-2024 om 22:20 schreef Peter N. M. Hansteen:
> > On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> > > This gives the following error messages when booting:
> > > no IP address found for igc1:network
> > > /etc/pf.conf:41: could not parse host specification
> > > no IP address found for igc2:network
> > > /etc/pf.conf:42: could not parse host specification
> > This sounds to me like those interfaces either do not exist or
> > have not been correctly configured.
> > 
> > Are those interfaces configured, as in do they have IP addresses?
> > 
> > the output of ifconfig igc1 and ifconfig igc2 will show you.
> > 
> Output from ifconfig igc0:
> igc0: flags=8b43
> mtu 1500
>         lladdr 7c:2b:e1:13:dd:f4
>         index 1 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex)
>         sratus: active
> 
> Output from ifconfig igc1:
> igc1: flags=8b43
> mtu 1500
>         lladdr 7c:2b:e1:13:dd:f5
>         index 2 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex)
>         sratus: active
> 
> Output from ifconfig igc2:
> igc2: flags=8b43
> mtu 1500
>         lladdr 7c:2b:e1:13:dd:f6
>         index 3 priority 0 llprio 3
>         media: Ethernet autoselect (none)
>         status: no carrier
> 
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2
> up
> 
> /etc/hostname.igc0:
> up
> 
> /etc/hostname.igc1:
> up
> 
> /etc/hostname.igc2:
> up
> 

Either Stuart is right, and you are trying to put up some weird
firewall, or Diana is right, and you are way out of your depth and need
to learn some of the basics of IPv4 networking.  Or they are both right.
Either way, Peter is also right: you have been giving us information
piecemeal, and not only does this not help you solve your problems, it
can be frustrating for the rest of us, because you've (involuntarily)
been wasting our time, chasing the wrong problem.  Your issues seem to
be broader than just configuring PF.

Incidentally, this is also an example of why copying/pasting stuff into
your machine is often a bad idea.  You need to understand what you are
putting in there, bit by bit.  Otherwise either it will fail immediately
(as in your case) or it will fail later on the first time you try to
tweak it.  And with a firewall being key in network security, you'll
really want to get it right.

There is no harm in not knowing things, no one is born knowing what a
routing table is, we've all had to start somewhere (I hope you don't
find this patronizing, that's really not the point).  And, as you've
just seen, despite this mailing list having a reputation of being
unfriendly, you've got plenty of people willing to help.  There are just
a few steps you need to take _on your own_ first.

Peter's book is great for PF, as is the PF user's guide [1].  For the
networking bits you can also take a look at the respective chapters on
Michael W. Lucas' "Absolute OpenBSD" [2].  Palmer and Nazario's "Secure
architectures with OpenBSD" also helped me a lot with system
administration in general, back in the day.  Others might have other
suggestions, I'm sure there's a ton of stuff out there.

[1] https://www.openbsd.org/faq/pf/index.html
[2] https://www.michaelwlucas.com/os/ao2e





Re: Firewall setup

2024-04-15 Thread Peter N. M. Hansteen
I give up.

The obviously incomplete, hand edited ifconfig output shows three
interfaces that are (or appear to be, judging from the excerpts that
we are given) not configured with IP addresses, two of which
have a link, while the last does not.

For reasons unknown these three are joined in a three-way bridge.

From the tiny crumbs of information you have deigned to reveal to us,
it is not at all clear what it is you are trying to achieve.

That this configuration does not do anything useful is however no
surprise at all.

Once you can describe what it is your Rube Goldberg contraption
is supposed to do, competent people here might offer some advice
on how to make things work properly.

Until that happens, I for one will simply ignore anything from that
source.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall setup

2024-04-15 Thread Stuart Henderson
On 2024-04-15, Karel Lucas  wrote:
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip 
> igc2 up

bridging with PF is an advanced topic, please get familiar with PF on a standard
routed firewall first



-- 
Please keep replies on the mailing list.



Re: Firewall setup

2024-04-15 Thread Karel Lucas



On 15-04-2024 at 22:20, Peter N. M. Hansteen wrote:

On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:

This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
/etc/pf.conf:42: could not parse host specification

This sounds to me like those interfaces either do not exist or
have not been correctly configured.

Are those interfaces configured, as in do they have IP addresses?

the output of ifconfig igc1 and ifconfig igc2 will show you.


Output from ifconfig igc0:
igc0: 
flags=8b43 mtu 1500

        lladdr 7c:2b:e1:13:dd:f4
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        sratus: active

Output from ifconfig igc1:
igc1: 
flags=8b43 mtu 1500

        lladdr 7c:2b:e1:13:dd:f5
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        sratus: active

Output from ifconfig igc2:
igc2: 
flags=8b43 mtu 1500

        lladdr 7c:2b:e1:13:dd:f6
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier

/etc/hostname.bridge0:
add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip 
igc2 up


/etc/hostname.igc0:
up

/etc/hostname.igc1:
up

/etc/hostname.igc2:
up



Re: Firewall setup

2024-04-15 Thread Karel Lucas
That's a possibility I hadn't thought of yet. But how do I do that, and 
on which page can I find that in your book?


On 15-04-2024 at 22:17, Peter N. M. Hansteen wrote:

The other option - if your network layout is such that it makes
sense to treat them to the same rule criteria - would be to make an
interface group with both interfaces as members, then use the
interface group name in your rules.




Re: Firewall setup

2024-04-15 Thread Karel Lucas



On 14-04-2024 at 21:57, Jens Kaiser wrote:

Hello Karel,

if you want to start simply, then I would recommend removing all macros
from your pf.conf which are not referenced. You can add them later if
needed. As already stated by others, there is a syntax error in macro
martians. If there are syntax errors in pf.conf, the rules are not
loaded at all.

These have now been resolved, see below.


Also correct the syntax errors in the rules "Letting ping through". The
key word "on" without interfacename, -group or keyword any looks
incorrect. Give it a parameter or remove it.
As far as I can see there are no errors in the ping rules. The key words
"on", "group" or "any" do not appear there. Moreover, I have copied
these rules, except the key word "log", exactly from Peter Hansteen's
book (The Book of PF), just like the rules for the martians.


Please check your current running configuration with
> pfctl -sr
It prints out all currently active rules. If something behaves too
weird, it can help to prove that the ruleset in /etc/pf.conf is the same
as we assume to be active in the kernel. Because of the syntax errors I
would guess that this is not true in your case.

After correcting some errors, I reloaded pf.conf and found no errors. 
Here I give the output of pfctl -sr:

match in all scrub (no-df max-mss 1440)
block return in all
block return in quick on igc0 inet from any to <__automatic_628bc734_1>
pass log inet proto icmp all icmp-type echoreq
pass log inet proto icmp all icmp-type echorep
pass log inet proto icmp all icmp-type unreach
pass log inet6 proto ipv6-icmp all icmp6-type echoreq
pass log inet6 proto ipv6-icmp all icmp6-type echorep
pass log inet6 proto ipv6-icmp all icmp6-type unreach
pass out all flags S/SA


/etc/pf.conf:

ext_if = igc0                            # The interface to the outside world

int_if = "{ igc1, igc2 }"             # The interfaces to the private hosts
# localnet = "192.168.2.0/24"    # Hosts on the screened LAN

# tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
# udp_services = "{ domain, ntp }"
# email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, echorep, unreach }"
icmp6_types = "{ echoreq, echorep, unreach }"
# nameservers = "{ 195.121.1.34, 195.121.1.66 }"
# client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                 0.0.0.0/8, 240.0.0.0/4 }"

# Options:
set block-policy return

set skip on lo

# Normalize packets:
match in all scrub ( no-df max-mss 1440 )

block in all                # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log inet proto icmp icmp-type $icmp_types
pass log inet6 proto icmp6 icmp6-type $icmp6_types

pass out all
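Jens's advice above (remove macros that nothing references) can be checked mechanically, and in the ruleset just posted the int_if macro is exactly that: defined, but no rule uses it, since the ping rules carry no "on" clause. The script below is an added example, not from the thread and not an OpenBSD tool. The ruleset embedded in it is a constructed copy of the pf.conf above with most commented-out macros left out (one is kept to show that comments are skipped); stripping everything from "#" to end of line is a simplification that would misfire on a "#" inside quotes.

```shell
#!/bin/sh
# Added example, not from the thread: report macros that a pf.conf defines
# but never references. The ruleset embedded here is a constructed copy of
# the one posted above, most commented-out macros dropped for brevity.

SAMPLE_PF_CONF='ext_if = igc0                  # The interface to the outside world
int_if = "{ igc1, igc2 }"      # The interfaces to the private hosts
# localnet = "192.168.2.0/24"  # Hosts on the screened LAN
icmp_types = "{ echoreq, echorep, unreach }"
icmp6_types = "{ echoreq, echorep, unreach }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"

set block-policy return
set skip on lo
match in all scrub ( no-df max-mss 1440 )
block in all
block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians
pass log inet proto icmp icmp-type $icmp_types
pass log inet6 proto icmp6 icmp6-type $icmp6_types
pass out all'

# Names defined by "name = value" lines; commented-out definitions are ignored.
defined_macros() {
    printf '%s\n' "$1" |
        sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p'
}

# Names referenced as $name anywhere outside comments, each listed once.
# (Cutting at "#" is a simplification; a "#" inside quotes would confuse it.)
referenced_macros() {
    printf '%s\n' "$1" | sed 's/#.*$//' |
        grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | sed 's/^\$//' | sort -u
}

# Defined but never referenced: candidates for deletion.
unused_macros() {
    for name in $(defined_macros "$1"); do
        if ! referenced_macros "$1" | grep -qx "$name"; then
            echo "$name"
        fi
    done
}

echo "unused macros:"
unused_macros "$SAMPLE_PF_CONF"
```

Run against a real file with `unused_macros "$(cat /etc/pf.conf)"`; after trimming, `pfctl -nf /etc/pf.conf` confirms the ruleset still parses before it is loaded.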




Re: Firewall setup

2024-04-15 Thread Peter N. M. Hansteen
On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> This gives the following error messages when booting:
> no IP address found for igc1:network
> /etc/pf.conf:41: could not parse host specification
> no IP address found for igc2:network
> /etc/pf.conf:42: could not parse host specification

This sounds to me like those interfaces either do not exist or
have not been correctly configured.

Are those interfaces configured, as in do they have IP addresses?

the output of ifconfig igc1 and ifconfig igc2 will show you.

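What pfctl does with "igc1:network" is look up the interface's inet address and netmask when the ruleset is loaded and turn them into a prefix; an interface whose hostname.if holds only "up", as the bridge members above do, has no address to expand, hence the error quoted here. The script below is an added example, neither pfctl's code nor anything from the thread: it applies the same lookup to a constructed ifconfig transcript in which igc1 has been given an assumed address (192.168.2.1, netmask 0xffffff00) so that both the failure and the success path can be seen; the hex-netmask arithmetic is mine.

```shell
#!/bin/sh
# Added example, not pfctl's code and not from the thread: resolve
# "ifname:network" the way a ruleset load does, from ifconfig output.
# The transcript is constructed; igc1 was given an assumed address.

SAMPLE_IFCONFIG='igc0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 7c:2b:e1:13:dd:f4
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
igc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 7c:2b:e1:13:dd:f5
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        status: active
igc2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 7c:2b:e1:13:dd:f6
        media: Ethernet autoselect (none)
        status: no carrier'

# Prefix length of a hex netmask such as 0xffffff00 (number of set bits).
mask_to_prefix() {
    n=$(( $1 ))
    bits=0
    while [ "$n" -gt 0 ]; do
        bits=$(( bits + (n & 1) ))
        n=$(( n >> 1 ))
    done
    echo "$bits"
}

# Network address of dotted-quad $1 under hex netmask $2, as a dotted quad.
network_of() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    net=$(( ((a << 24) | (b << 16) | (c << 8) | d) & $2 ))
    echo "$(( (net >> 24) & 255 )).$(( (net >> 16) & 255 )).$(( (net >> 8) & 255 )).$(( net & 255 ))"
}

# iface_network IFNAME: prints "a.b.c.d/len" for the interface's inet
# address, or the pfctl-style diagnostic (and returns 1) when it has none.
iface_network() {
    inet_line=$(printf '%s\n' "$SAMPLE_IFCONFIG" | awk -v want="$1" '
        /^[a-z]+[0-9]+:/ { cur = substr($1, 1, length($1) - 1) }
        cur == want && $1 == "inet" { print $2, $4; exit }')
    if [ -z "$inet_line" ]; then
        echo "no IP address found for $1:network"
        return 1
    fi
    set -- $inet_line              # $1 = address, $2 = hex netmask
    echo "$(network_of "$1" "$2")/$(mask_to_prefix "$2")"
}

# Walk the three bridge members as rules naming igcN:network would be expanded.
for ifn in igc0 igc1 igc2; do
    iface_network "$ifn" || true
done
```

The same check on a live box is simply `ifconfig igc1 | grep inet`: if that prints nothing, no rule can use igc1:network until the interface gets an address.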



Re: Firewall setup

2024-04-15 Thread Peter N. M. Hansteen
On Mon, Apr 15, 2024 at 10:01:59PM +0200, Karel Lucas wrote:
> They both give a syntax error by booting.
> 
> On 14-04-2024 at 17:45, Zé Loff wrote:
> >  pass in on $int_if proto udp to port 53
> >  pass in on $int_if proto udp to $nameservers port 53

You're not giving us a lot to work with here.

Off the top of my head, seeing that your int_if macro is a list of 
two interfaces, that may well be your problem (or one of them).

The rule syntax is not really intended to deal with a list of interfaces
following 'on'. 

It is likely more useful to treat the two interfaces separately. 

The other option - if your network layout is such that it makes 
sense to treat them to the same rule criteria - would be to make an 
interface group with both interfaces as members, then use the 
interface group name in your rules.


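The interface-group approach Peter describes here, and that Karel asks about in his reply above, as an added example that is not from the thread or from the OpenBSD project. It stages hostname.if(5) files that put igc1 and igc2 in a group named lan (the group name, the addresses 192.168.2.1/24 and 192.168.3.1/24 and the staging directory are all assumptions for the example) together with a pf.conf that says "on lan" and "lan:network" instead of putting a "{ igc1, igc2 }" macro after "on". Files go to a directory you pass in, never to /etc.

```shell
#!/bin/sh
# Added example, not from the thread: stage hostname.if(5) files that put two
# LAN interfaces in an interface group, plus a pf.conf that filters on the
# group name. Group name, addresses and directory are assumptions.

write_group_config() {
    dir="$1"                       # staging directory (never /etc here)
    mkdir -p "$dir"

    # Each member gets its own address and joins group "lan". The address
    # matters: without one, "igc1:network" has nothing to expand to.
    cat > "$dir/hostname.igc1" <<'EOF'
inet 192.168.2.1 255.255.255.0
group lan
up
EOF
    cat > "$dir/hostname.igc2" <<'EOF'
inet 192.168.3.1 255.255.255.0
group lan
up
EOF

    # A group name is accepted wherever an interface name is, including
    # "on lan" and "lan:network", so there is no interface list after "on".
    cat > "$dir/pf.conf" <<'EOF'
ext_if = "igc0"
icmp_types = "{ echoreq, echorep, unreach }"

set skip on lo
match in all scrub (no-df max-mss 1440)
match out on $ext_if from lan:network to any nat-to ($ext_if)

block in all
pass in on lan inet proto { tcp, udp } from lan:network to any
pass in on lan inet proto icmp icmp-type $icmp_types
pass out all
EOF
}

# Number of staged hostname.if files whose interface joins group "lan".
group_members() {
    grep -l '^group lan$' "$1"/hostname.igc* | wc -l | tr -d ' '
}

# Number of rules that still put a brace list directly after "on";
# the group form above is meant to make this 0.
lists_after_on() {
    grep -c 'on[[:space:]]*{' "$1/pf.conf" || true
}

stage="${TMPDIR:-/tmp}/pf-group-example"
write_group_config "$stage"
echo "interfaces in group lan: $(group_members "$stage")"
echo "brace lists after 'on': $(lists_after_on "$stage")"
```

On the firewall itself you would copy the generated files into /etc, bring the members up with `sh /etc/netstart igc1 igc2`, confirm membership with `ifconfig lan`, and check the ruleset with `pfctl -nf /etc/pf.conf` before loading it.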



Re: Firewall setup

2024-04-15 Thread Karel Lucas

This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
/etc/pf.conf:42: could not parse host specification


On 14-04-2024 at 19:59, Peter N. M. Hansteen wrote:

On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:

Hi all,

Everything about PF is all very confusing to me at the moment, so any help
is appreciated. So let's start simple and then proceed step by step. I want
to continue with ping so that I can test the connection to the internet.
This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
www.apple.com. As others have stated, I have a problem with using DNS
servers on the internet. The PF ruleset needs to be adjusted for this, but
it is still not clear to me how to do that. What else do I need to get ping
to work correctly? To get started simply, I created a new pf.conf file, see
below.

I'd put this somewhere after your block rules:

pass inet proto { tcp, udp } from igc1:network to port $client_out
pass inet proto { tcp, udp } from igc2:network to port $client_out

- that way you will actually use the macro. But the macro still references
the invalid service nportntp (you probably want ntp instead), and I would
think that the services "446, cvspserver, 2628, 5999, 8000, 8080" are unlikely
to be useful unless you *know* you need to pass traffic for those.





Re: Firewall setup

2024-04-15 Thread Karel Lucas

They both give a syntax error by booting.

On 14-04-2024 at 17:45, Zé Loff wrote:

 pass in on $int_if proto udp to port 53



 pass in on $int_if proto udp to $nameservers port 53




Re: Firewall setup

2024-04-14 Thread deich...@placebonol.com
I'm a long time network engineer/firewall admin/make things work on our network 
when it is broken.

First, ICMP Echo Request ( "ping" ) works, you proved that when you sent an 
Echo Request to a host using its IP address.  The fact that DNS host 
resolution fails has nothing to do with ICMP Echo Request.  You WILL want to 
get DNS name resolution working in order to use hostnames, unless you want to 
keep everything in a static host file.

In order to create a functioning firewall you need a good understanding of 
TCP/IP ports and protocols.  To see what I'm talking about do an Internet 
search for 5 tuple firewall.

You will need this knowledge for any system using a stateful firewall, not just 
PF.

Others are trying to help you write a functioning PF conf, however I think you 
need to learn how to fish before embarking on a deep sea fishing excursion.

73
diana 



On April 14, 2024 9:09:01 AM MDT, Karel Lucas  wrote:
>Hi all,
>
>Everything about PF is all very confusing to me at the moment, so any help is 
>appreciated. So let's start simple and then proceed step by step. I want to 
>continue with ping so that I can test the connection to the internet. This 
>works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 
>www.apple.com. As others have stated, I have a problem with using DNS servers 
>on the internet. The PF ruleset needs to be adjusted for this, but it is still 
>not clear to me how to do that. What else do I need to get ping to work 
>correctly? To get started simply, I created a new pf.conf file, see below.
>
>
>/etc/pf.conf:
>
>ext_if = igc0                              # The interface to the outside world
>int_if = "{ igc1, igc2 }"                # The interfaces to the private hosts
>localnet = "192.168.2.0/24"      # Hosts on the screened LAN
>
>tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
>udp_services = "{ domain, ntp }"
>email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
>icmp_types = "{ echoreq, unreach }"
>icmp6_types = "{ echoreq, unreach }"
>nameservers = "{ 195.121.1.34, 195.121.1.66 }"
>client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                      446, cvspserver, 2628, 5999, 8000, 8080 }"
>martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>                    10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>                    0.0.0.0/8, 240.0.0.0/4 }"
>
># Options:
>set block-policy return
>
>set skip on lo
>
>block log all                # block stateless traffic
>
># Normalize packets:
>match in all scrub ( no-df max-mss 1440 )
>
>block in quick on $ext_if from $martians to any
>block out quick on $ext_if from any to $martians
>
># Letting ping through:
>pass log on inet proto icmp icmp-type $icmp_types
>pass log on inet6 proto icmp6 icmp6-type $icmp6_types
>
>pass out all
>
>


Re: Firewall setup

2024-04-14 Thread Sean Kamath



> On Apr 14, 2024, at 08:09, Karel Lucas  wrote:
> 
> Hi all,

Hi.

> So let's start simple and then proceed step by step. I want to continue with 
> ping so that I can test the connection to the internet. This works: ping -c 
> 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others 
> have stated, I have a problem with using DNS servers on the internet.

Does DNS resolution work without PF being enabled?

If you want to “start simple”, don’t enable PF (or disable it, or use the 
default ruleset that OpenBSD ships with) and make sure everything works.

Sean




Re: Firewall setup

2024-04-14 Thread Jens Kaiser

Hello Karel,

if you want to start simply, then I would recommend to remove all macros
from your pf.conf which are not referenced. You can add them later if
needed. As already stated by others, there is a syntax error in macro
martians. If there are syntax errors in pf.conf, the rules are not
loaded at all.

Also correct the syntax errors in the rules "Letting ping through". The
keyword "on" without an interface name, interface group or keyword any looks
incorrect. Give it a parameter or remove it.

After changing pf.conf, first check it with
> pfctl -nf /etc/pf.conf
before loading it. If no errors occur, simply update the ruleset in the
kernel with
> pfctl -f /etc/pf.conf
and test your changes. Keep in mind that reloading the ruleset does not
affect the states of already established connections.

Please check your current running configuration with
> pfctl -sr
It prints out all currently active rules. If something behaves too
weird, it can help to prove that the ruleset in /etc/pf.conf is the same
as we assume to be active in the kernel. Because of the syntax errors I
would guess that this is not true in your case.

Try get IPv4 running first. If that goal is reached you have more
experience and can go further adding IPv6, which is different in case of
ICMP. If you don't have a static IPv6 address configuration, then the
rules in your pf.conf are far too restrictive to get an autoconfigured
IPv6 address, managed (DHCP6) or not (SLAAC).

Jens

Am 14.04.2024 um 17:09 schrieb Karel Lucas:

Hi all,

Everything about PF is all very confusing to me at the moment, so any
help is appreciated. So let's start simple and then proceed step by
step. I want to continue with ping so that I can test the connection to
the internet. This works: ping -c 10 195.121.1.34. But this doesn't
work: ping -c 10 www.apple.com. As others have stated, I have a problem
with using DNS servers on the internet. The PF ruleset needs to be
adjusted for this, but it is still not clear to me how to do that. What
else do I need to get ping to work correctly? To get started simply, I
created a new pf.conf file, see below.


/etc/pf.conf:

ext_if = igc0                              # The interface to the outside world
int_if = "{ igc1, igc2 }"                # The interfaces to the private hosts
localnet = "192.168.2.0/24"      # Hosts on the screened LAN

tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                       446, cvspserver, 2628, 5999, 8000, 8080 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                     0.0.0.0/8, 240.0.0.0/4 }"

# Options:
set block-policy return

set skip on lo

block log all                # block stateless traffic

# Normalize packets:
match in all scrub ( no-df max-mss 1440 )

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

pass out all






Re: Firewall setup

2024-04-14 Thread Peter N. M. Hansteen
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the internet.
> This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
> www.apple.com. As others have stated, I have a problem with using DNS
> servers on the internet. The PF ruleset needs to be adjusted for this, but
> it is still not clear to me how to do that. What else do I need to get ping
> to work correctly? To get started simply, I created a new pf.conf file, see
> below.

I'd put this somewhere after your block rules:

pass inet proto { tcp, udp } from igc1:network to port $client_out 
pass inet proto { tcp, udp } from igc2:network to port $client_out 

- that way you will actually use the macro. But the macro still references
the invalid service nportntp (you probably want ntp instead), and I would
think that the services "446, cvspserver, 2628, 5999, 8000, 8080" are unlikely
to be useful unless you *know* you need to pass traffic for those.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall setup

2024-04-14 Thread Michael Lambert
There is a typo on the second line of the martians definition (spurious comma 
and space).

Michael

> On Apr 14, 2024, at 11:09, Karel Lucas  wrote:
> 
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help is 
> appreciated. So let's start simple and then proceed step by step. I want to 
> continue with ping so that I can test the connection to the internet. This 
> works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 
> www.apple.com. As others have stated, I have a problem with using DNS servers 
> on the internet. The PF ruleset needs to be adjusted for this, but it is 
> still not clear to me how to do that. What else do I need to get ping to work 
> correctly? To get started simply, I created a new pf.conf file, see below.
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0  # The interface to the outside world
> int_if = "{ igc1, igc2 }"  # The interfaces to the private hosts
> localnet = "192.168.2.0/24"  # Hosts on the screened LAN
> 
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>   446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
> 0.0.0.0/8, 240.0.0.0/4 }"
> 
> # Options:
> set block-policy return
> 
> set skip on lo
> 
> block log all  # block stateless traffic
> 
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> 
> pass out all
> 
> 
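Added example (not code from the thread or from OpenBSD): a small lint pass that mechanically applies the points raised by Jens (unreferenced macros, bare "on"), Michael (the split "169.254, 0.0/16" entry in martians) and Peter (the unknown service "nportntp") to a constructed pf.conf fragment, as a pre-check before `pfctl -nf`. The address/port classification of a macro is a heuristic, and the service-name check relies on the host's /etc/services.

```python
import ipaddress
import re
import socket

# Constructed sample (not Karel's full file) keeping the thread's two defects:
# the split "169.254, 0.0/16" entry and the unknown service name "nportntp".
SAMPLE_PF_CONF = """\
ext_if = igc0                # The interface to the outside world
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, nportntp, http, https, \\
                446, 8080 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, \\
              169.254, 0.0/16, 240.0.0.0/4 }"
block in quick on $ext_if from $martians to any
pass log on inet proto icmp icmp-type $icmp_types
"""

def parse_macros(text):
    """Return {name: [items]} plus the set of $names the rules reference."""
    text = re.sub(r"\\\n\s*", " ", re.sub(r"#.*", "", text))  # strip comments, join '\' lines
    pat = r'^(\w+)\s*=\s*"?\{?([^"}\n]*)\}?"?\s*$'
    macros = {m[1]: m[2].replace(",", " ").split() for m in re.finditer(pat, text, re.M)}
    return macros, set(re.findall(r"\$(\w+)", text))

def is_network(t):
    try:
        ipaddress.ip_network(t, strict=False)   # "169.254" and "0.0/16" both raise here
        return True
    except ValueError:
        return False

def is_port(t):
    if t.isdigit():
        return 0 < int(t) < 65536
    try:
        socket.getservbyname(t)                  # OSError when /etc/services lacks the name
        return True
    except OSError:
        return False

def lint(text):
    """Checks raised in the thread: unused macros, bad macro entries, bare 'on'."""
    macros, referenced = parse_macros(text)
    out = {"unused": sorted(set(macros) - referenced), "bad_net": {}, "bad_port": {}}
    for name, items in macros.items():
        looks_net = all(re.fullmatch(r"[\d./]+", t) for t in items)          # heuristic
        looks_port = any(t.isdigit() for t in items) or f"port ${name}" in text
        test, key = (is_network, "bad_net") if looks_net else (is_port, "bad_port") if looks_port else (None, None)
        if test and (bad := [t for t in items if not test(t)]):
            out[key][name] = bad
    # "on" takes an interface name; "on inet" is the mistake Jens points out
    out["bare_on"] = [l for l in text.splitlines() if re.search(r"\bon\s+(inet6?|proto)\b", l)]
    return out
```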



Re: Firewall setup

2024-04-14 Thread Zé Loff
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the internet.
> This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
> www.apple.com. As others have stated, I have a problem with using DNS
> servers on the internet. The PF ruleset needs to be adjusted for this, but
> it is still not clear to me how to do that. What else do I need to get ping
> to work correctly?

You are blocking everything by default, with the "block log all" on top
of your ruleset.  This means that _everything_ needs to be explicitly
allowed in and out of your firewall.

If you want to resolve hostnames, you need to allow DNS requests (i.e.
traffic _to_ UDP port 53) to enter and leave the firewall.  So if a
machine on your LAN needs to make a DNS request, you need something like

pass in on $int_if proto udp to port 53

You have a $nameservers macro, which suggests you want to allow traffic
to only those two, so you could rewrite the above rule as 

pass in on $int_if proto udp to $nameservers port 53

But then you need to make sure every machine on your LAN uses those IPs
as resolvers, otherwise they'll try to query other DNS servers and fail.

As I said on a reply to your other thread, you will probably need to use
NAT on your egress traffic.

I personally prefer to keep the most general rules at the top, and then
to the specifics, so I would move "pass out all" next to "block log
all", but it's a matter of taste. 

> To get started simply, I created a new pf.conf file, see
> below.
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0                              # The interface to the outside world
> int_if = "{ igc1, igc2 }"                # The interfaces to the private hosts
> localnet = "192.168.2.0/24"      # Hosts on the screened LAN
> 
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                       446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>                     0.0.0.0/8, 240.0.0.0/4 }"
> 
> # Options:
> set block-policy return
> 
> set skip on lo
> 
> block log all                # block stateless traffic
> 
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> 
> pass out all
> 
> 

--