A PF lecture/tutorial - work in progress

2005-02-15 Thread Peter N. M. Hansteen
) At this point I'm not confident it's publishing quality, but I'd love to hear comments of any kind. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/ First, we kill all the spammers The Usenet Bard, Twice

Re: OBSD Bridge Help

2005-03-22 Thread Peter N. M. Hansteen
to the last version which was able to pass at least some traffic, then introduce rules one at a time from there, testing each change. That way you will be in a much better position to see what breaks, if it does.

Re: Sample ruleset for dividing LANs

2005-03-29 Thread Peter N. M. Hansteen
from $otherlan to any keep state - with the addition of some restriction on which ports and a few other embellishments - could be what you need.

Re: Still no answer on my bridge question -- resolved

2005-04-08 Thread Peter N. M. Hansteen
the lines of now what on g*d's green earth are you doing that for? is a lot less than you think. Posting your config along with your problem description is always good. Obfuscate if you have to.

Re: Pfctl for non-root users

2005-04-11 Thread Peter N. M. Hansteen
/dev/pf It certainly looks like being a member of wheel is a distinct advantage, at least. What kinds of operations did you have in mind? Would eg a sensible authpf setup help achieve what you want to do?

Re: Pfctl for non-root users

2005-04-11 Thread Peter N. M. Hansteen
Jason Dixon [EMAIL PROTECTED] writes:
# su - hatchet
$ pfctl -vsr
pfctl: /dev/pf: Permission denied
$ whoami
hatchet
$ groups
hatchet wheel
You asked about running pfctl via sudo, but there's no trace of sudo here. I would think a reasonable sudo config is what you want.

Re: Pfctl for non-root users

2005-04-11 Thread Peter N. M. Hansteen
). So being a wheel member doesn't really matter in this case. A correct sudoers file is probably all that's needed for the OP, the exact contents would of course be up to whatever is appropriate at the site. That, and actually using sudo instead of su - ;)

Re: Feature request - setting TOS

2005-04-12 Thread Peter N. M. Hansteen
Kimi Ostro [EMAIL PROTECTED] writes: I would not usually ask for a feature. Anyway, the proposal would be that you could set the TOS on TCP/UDP packets like so: Sounds somewhat like you could achieve at least some of the same effect via altq, with a set of queues and priorities.

Re: Feature request - setting TOS

2005-04-13 Thread Peter N. M. Hansteen
more faith in the things I can control, on my own gear. Setting TOS values is useful, but only to the extent they are actually honored further down the track.

Firewalling with PF manuscript updated, BSD-licensed

2005-04-14 Thread Peter N. M. Hansteen
, and to the excellent PF developers, OpenBSD and elsewhere.

Re: tunneling over HTTPS

2005-04-20 Thread Peter N. M. Hansteen
would be non-trivial to say the least.

Re: tunneling over HTTPS

2005-04-21 Thread Peter N. M. Hansteen
alex wilkinson [EMAIL PROTECTED] writes: Is it possible to disguise this behaviour? From a client perspective. Assuming you have the near-infinite processing resources it would take to make the decrypting and pattern recognition happen without noticeable delay, sure.

Re: tunneling over HTTPS

2005-04-21 Thread Peter N. M. Hansteen
Agency or the Central Intelligence Agency on the list of prerequisites, but thought I'd better not, since that might trigger all sorts of stupidity. oh bummer.

Re: Dude about route-to

2005-03-30 Thread Peter N. M. Hansteen

Re: limitation of PF while forwarding ports --help

2005-06-08 Thread Peter N. M. Hansteen
, but would not a reasonable NAT combined with something like pass inet proto tcp from $localnet to $Windows_RDServer port 3389 keep state 'just work'? Does the server need to start connections which are not taken care of by the state information back to the clients?

Re: natting static IP's

2005-06-26 Thread Peter N. M. Hansteen
, 192.168.101.0/24 } nat on $ext_if from $myranges to any -> ($ext_if) just my NOK 0.02

Re: single box Newbie ques

2005-07-24 Thread Peter N. M. Hansteen
is, which interface, if any, should I filter on for PPP? The answer is then tun0 unless I'm very mistaken. Then again, you may not need to reference the interface name at all in a single computer setup. It's possible you would find my PF tutorial at http://www.bgnett.no/~peter/pf/ useful.

Re: Kinds of Attacks

2005-09-05 Thread Peter N. M. Hansteen
arun kumarn [EMAIL PROTECTED] writes: I want to know which types of attacks are taken care of in the current version of OpenBSD Pf. I would think that the answer to this depends crucially on the contents of your configuration.

Re: Internal SSH connection refused when Ext_if dies

2005-09-07 Thread Peter N. M. Hansteen
setup to compensate for dynamic, and possibly changing, IP addresses on your external interface: nat on $ext_if from $int_if:network to any -> ($ext_if) then add options and flags as needed. The () notation should help.

Re: What do you think about PF filtering for encapsulated protocols (e.g pppoe) ?

2005-10-07 Thread Peter N. M. Hansteen
simply filter on the tun interface (usually tun0, but of course you may have more than one). For bridging, look into the brconfig and bridgename.if manpages - the bridge plus pf combination is quite flexible.

Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-09 Thread Peter N. M. Hansteen
is a desirable feature. For a bit of context, the thread in question starts at [EMAIL PROTECTED]

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-09 Thread Peter N. M. Hansteen
/rc. The minimal default rule set AFAICS is the smart solution to the problem.

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-14 Thread Peter N. M. Hansteen
if you know your way around rcNG.

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-14 Thread Peter N. M. Hansteen
, though.

Re: pf security - is pf failsafe if config file invalid?

2005-11-15 Thread Peter N. M. Hansteen
of what you expect from a startup script. Which means essentially an empty or invalid pf.conf will leave you with a system where you are able to log in, unless of course you managed to break your network in other ways.

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-15 Thread Peter N. M. Hansteen
. The problem seems to be that the /FreeBSD/ PF port for some reason did not bring over the pre network interface rc bits from OpenBSD. I haven't checked the others (NetBSD, DragonFlyBSD), so I'm not sure what the status is there. Anyway the 'window of opportunity' would be ahem, rather small.

Re: pf and Microsoft Exchange IMAPS

2005-11-16 Thread Peter N. M. Hansteen
you pass imaps on $int_if as well?

Re: pf and Microsoft Exchange IMAPS

2005-11-17 Thread Peter N. M. Hansteen
I'm trying to redirect outside traffic to internal Exchange Server using IMAPS protocol: when you manage to get it working, I would be interested in hearing about it. It might be a useful addition to my PF tutorial.

spamd vs the sober worm

2005-11-23 Thread Peter N. M. Hansteen
in greylisting mode volunteer to do the same tests and send me their results (or raw data for that matter)? Any other feedback would be welcome of course, and truly useful data will merit at least a mention in the thanks to list if this gets published. - P

Re: PF will not redirect to internal boxes

2005-11-30 Thread Peter N. M. Hansteen
of the tutorial.

Re: PF will not redirect to internal boxes

2005-11-30 Thread Peter N. M. Hansteen
is up at the usual spot (http://www.bgnett.no/~peter/pf/ - Norwegians will have to wait a bit more)

Re: IP accounting (with ipa)

2005-12-09 Thread Peter N. M. Hansteen
=9053/sam0403j/0403j.htm Then again, the packages you mention may be better suited to your particular needs.

Re: ssh bruteforce attempts and timeout of table w/ persist keyword

2006-02-02 Thread Peter N. M. Hansteen

Re: ssh bruteforce attempts and timeout of table w/ persist keyword

2006-02-02 Thread Peter N. M. Hansteen
to take care of? as in
ext_if = tun0 # macro for external interface - use tun0 for PPPoE
int_if = xl1 # macro for internal interface
# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from $int_if:network to any -> ($ext_if)

Re: OpenBSD PF firewall on linux

2006-02-18 Thread Peter N. M. Hansteen
available). [1] For some odd reason these messages were not as easy to find as I had thought, but I'm pretty sure they're in the archives somewhere

Re: PF Feature request: graceful handling of non-lookupable hosts.

2006-02-27 Thread Peter N. M. Hansteen

Re: Debugging/troubleshooting rule sets.

2006-02-27 Thread Peter N. M. Hansteen
accessible after spending some time with my PF tutorial at http://www.bgnett.no/~peter/pf/ (see events.html at the openbsd site for live performances of a slightly revised version). debugging PF rule sets might actually be a good tutorial topic. Noted for later.

Re: PF Feature request: graceful handling of non-lookupable hosts.

2006-02-27 Thread Peter N. M. Hansteen
it sounds rather attractive though.

Re: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-11 Thread Peter N. M. Hansteen
other way to do what they needed. (Microsoft - no, there's always an easier way :))

Re: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-12 Thread Peter N. M. Hansteen
into the logic issues here. The readability issues are probably byproducts of using a GUI tool, so I won't beat you over the head with them just yet.

Re: ftp-proxy, and one nic: oh my...

2006-03-15 Thread Peter N. M. Hansteen
tutorial at http://www.bgnett.no/~peter/pf/ for a gentle walkthrough.

Firewalling with PF tutorial, March 2006 update

2006-03-25 Thread Peter N. M. Hansteen
://www.bgnett.no/~peter/pf/ are not yet in sync.

Re: Confuse with PF rules..

2006-03-31 Thread Peter N. M. Hansteen
a NAT rule in your config as well. - have you enabled gatewaying (sysctl net.inet.ip.forwarding=1)?

Re: Confuse with PF rules..

2006-04-01 Thread Peter N. M. Hansteen
you better in the end. My rant about this is at http://www.bgnett.no/~peter/pf/en/basicgw.html (part of a PF tutorial).

Re: Migration document for people coming from IPFilter?

2006-04-02 Thread Peter N. M. Hansteen
/32 portmap tcp/udp 1025:65000 map $ext_if 192.168.10.0/24 -> 1.2.3.4/32 browsing the IPF howto briefly, I think you should be able to get those done via rdr constructs and matching pass rules. The finer details escape me, though.

Re: Migration document for people coming from IPFilter?

2006-04-02 Thread Peter N. M. Hansteen
[EMAIL PROTECTED] (mouss) writes: map != rdr. ipf != pf. .?

Re: Migration document for people coming from IPFilter?

2006-04-04 Thread Peter N. M. Hansteen
be easier to help if you could explain what you want to do (ie make sure service Y requests from network Z reach computer X in my NATed LAN).

Re: Migration document for people coming from IPFilter?

2006-04-11 Thread Peter N. M. Hansteen
can see, so would carry over with minor adjustments. Hope this helps, [1] the tutorial is a work in progress, with a reasonably up to date version posted at http://www.bgnett.no/~peter/pf/. For the ftp part, see the section http://www.bgnett.no/~peter/pf/en/ftpproblem.html

Re: Passive FTP error after restart machine..

2006-04-27 Thread Peter N. M. Hansteen
of a putty.exe equipped machine elsewhere, it all started working again in that particular case. Given the stability of the platform running putty.exe, this has happened more than once.

Re: PF inadequacy: queue download

2006-05-02 Thread Peter N. M. Hansteen
that obviously good or b) you need to work a bit more on that explanation. Abuse and name-calling never helps your case, ever.

Re: Open BSD 3.9 unable to send email with attachment thru pf

2006-06-27 Thread Peter N. M. Hansteen
, and so on. There are several more ways to misconfigure a machine so it will produce the rather bizarre symptoms you are describing, but from the information you are volunteering it's pretty much impossible to tell what is causing the situation.

Re: pf default deny compile-time option?

2006-07-19 Thread Peter N. M. Hansteen
on something mission critical a continent away, 'glutton for punishment' comes to mind.

Re: PF Table Size - Sanity Check

2006-11-07 Thread Peter N. M. Hansteen
are tuneable via pf.conf 'set limit' options. I forget what the default max table size is, but the pf.conf man page contains the magic to set it to 100,000 entries. Going from there should be straightforward.

EuroBSDCon 2006 PF tutorial online

2006-11-15 Thread Peter N. M. Hansteen
them to point to the new address http://home.nuug.no/~peter/pf/ instead. File and subdirectory names remain the same.

Re: ext_if, int_if?

2006-11-29 Thread Peter N. M. Hansteen
pass from self to any keep state or pass from 10.12.14.0/24 to any port ssh keep state it's extremely flexible really. The reason you see interface name macros so often is that people tend to find them useful, but you can do without them entirely if you like, I suppose.

Re: ext_if, int_if?

2006-11-30 Thread Peter N. M. Hansteen
://home.nuug.no/~peter/pf/en/whatsyourlocalnet.html

Re: Any set ?

2006-12-15 Thread Peter N. M. Hansteen
/, specifically http://home.nuug.no/~peter/pf/en/tables.html, and of course man pfctl is your dearest friend :)

Re: Squid 2.6 transparent proxy with pf

2006-12-21 Thread Peter N. M. Hansteen
Dominik Zalewski [EMAIL PROTECTED] writes: I have an OpenBSD 4.0 firewall and I would like to redirect all outgoing http requests to my squid web proxy. Daniel Hartmeier wrote about this a while back, his article can be found at http://www.benzedrine.cx/transquid.html

Re: Squid 2.6 transparent proxy with pf

2006-12-21 Thread Peter N. M. Hansteen
pass on $int_if proto tcp from any to any port 80 -> $squid port 8080 I would supplement this with a 'no rdr' rule for the proxy generated traffic.

Re: help in configuring icmp rules

2007-04-05 Thread Peter N. M. Hansteen
of icmp codes too, 'host-unr' would be a valid member of your list of codes.

Re: Fair distribution of borrowed bandwidth with a lot of users

2007-04-17 Thread Peter N. M. Hansteen
constructs

Re: PF and forwarding to dmz

2007-07-05 Thread Peter N. M. Hansteen
bad either. Cheers,

Re: states handling

2007-09-21 Thread Peter N. M. Hansteen
around the problem by omitting direction (implicitly writing rules for both inbound and outbound traffic), ie
block inet from 192.168.0.1 to 192.168.114.31
pass inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state

Re: states handling

2007-09-22 Thread Peter N. M. Hansteen
logical perspective if you think of it. That's why I spend so much time hammering that in during the relatively basic PF tutorial I've been giving. (yes, the one at http://home.nuug.no/~peter/pf/).

Re: pfctl limits on number of tables

2007-10-19 Thread Peter N. M. Hansteen
upon too.

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-24 Thread Peter N. M. Hansteen
main redundancy feature off the table. Why not just a carp/pfsync setup?

Re: linux/iptables/proxy arp to pf/redundant firewall

2007-10-24 Thread Peter N. M. Hansteen
be totally desirable, but then it's possible I'm just being incredibly dense. I think I'd need more information about your setup such as addresses and netmasks to offer any input on that.

Re: PF, limit remote clients by total bandwidth used over time

2007-12-29 Thread Peter N. M. Hansteen
a lot closer to a solution that would fit the basic requirements, ie adding flexibility without adding clutter to the system at the same time. Just my EUR 0.02, and maybe better ideas will be had by morning. All the best,

Re: hoststated

2008-01-31 Thread Peter N. M. Hansteen
. Sorry.

Re: Pass rule from subnet to external

2008-02-26 Thread Peter N. M. Hansteen
and destination addresses respectively.

Re: New pf install on Freebsd seem to be a slow starter.

2008-07-10 Thread Peter N. M. Hansteen
addresses (say, with a script that checks if each name resolves, then adds the returned addresses to the table). Brittle, but with a fighting chance of working.

A PF Certification - what do you think?

2008-07-10 Thread Peter N. M. Hansteen
certification', and of course any input on what the task and skills spec should contain. [1] http://www.bsdcertification.org/index.php?NAV=FAQ#Q04

Re: pf overload keyword for TCP only?

2009-01-26 Thread Peter N. M. Hansteen
to study the actual traffic and the inevitable tweaking of the parameters such as lowering number of allowed connections. - P

Re: dual ISP puzzle

2009-02-16 Thread Peter N. M. Hansteen
Michael Grigoni michael.grig...@cybertheque.org writes: Please let us know what IRC server and channel you found for 'pf' discussions; it would be very useful. FreeNode has a #pf channel. relatively low volume, at times quite useful.

Re: max-src-port-states to limit 1:N source port states???

2009-04-16 Thread Peter N. M. Hansteen
hu st hust...@yahoo.com writes: So could pf limit the maximum number of simultaneous state entries that a single source IP's source port can create with a rule? (borrow from man pf.conf :)) max-src-states? (see STATEFUL TRACKING OPTIONS in man 5 pf.conf) - P

Re: syntax error while using scrub with OpenBSD 4.6

2009-10-28 Thread Peter N. M. Hansteen
tcp) or some variation (some other parameters are possible). It's in the official docs, but not all the other resources out there that your favorite search engine will turn up have caught up with the news yet.

Re: pf is blocking too much connections?

2009-11-14 Thread Peter N. M. Hansteen
. One random thought - does your rule set include such things as limits on max number of connections? Pure speculation, of course, but it is one of many situations that would fit the symptoms you describe. - Peter

Re: Restricting source with dDNS (dynamic DNS)

2009-12-18 Thread Peter N. M. Hansteen
that change with some frequency. Is there a straightforward way to incorporate dynamic ip source addresses in the pf ruleset? I'd say this sounds like a situation where authpf could come in quite handy. - P

Re: Restricting source with dDNS (dynamic DNS)

2009-12-19 Thread Peter N. M. Hansteen
that comes with pf. but you're right, it requires ssh to be accessible in order to log in, and so may not be what the original poster was looking for.

Re: Restricting source with dDNS (dynamic DNS)

2009-12-20 Thread Peter N. M. Hansteen
. One could of course argue that a little sshd config would go a long way too, say enabling key based logins only (turning off password authentication) and disallowing root logins and so on, but we don't know whether they've done that already. - Peter

Re: Suggestion for a new feature, port code

2011-03-01 Thread Peter N. M. Hansteen
, and that may still happen given enough round tuits. In the meantime, the main points have already been presented. - Peter

Re: throttle traffic by amount of time or amount of used traffic in GB?

2013-04-13 Thread Peter N. M. Hansteen
/labelstats.html and also covered in The Book of PF (http://nostarch.com/pf2.htm and at better bookstores)

Re: IP Filter Documentation.

2013-05-05 Thread Peter N. M. Hansteen
told you). - Peter

How not to ask questions + some resources (was: Re: IP Filter Documentation.)

2013-05-05 Thread Peter N. M. Hansteen
out of (http://home.nuug.no/~peter/pf/, which links to full text versions plus recent slides from conferences that cover more than the BSD-licensed tutorial text). - Peter

Re: PF Once rules are not removed from main anchor

2014-06-21 Thread Peter N. M. Hansteen
developers in general, but quite possibly some of the relevant developers read this as well. - P