FYI, this archive:
http://www.benzedrine.cx/pf/
Has not been archiving since 12 Apr 2005.
--
http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
Just letting everyone know about my cool tool for pf called dfd_keeper:
http://www.lightconsulting.com/~travis/dfd/dfd_keeper/
The DFD stands for Dynamic Firewall Daemon. It manages your firewall rules.
Basically dfd_keeper is a command shell for the firewall. You write a
python script which
to
change the src of inbound packets or the dst of outbound packets (save
for those made in the return direction of a state entry made by one of
the above transformations).
-- Forwarded message --
From: Travis H. [EMAIL PROTECTED]
Date: Oct 8, 2005 2:58 AM
Subject: why is pass/block
The rewritten packet still went out on $int_if even though it was
destined for 127.0.0.1 and routing was turned on. However because the
bridge interfaces had IPs, I tried a variation where instead of
redirecting to a spamd process on 127.0.0.1, I redirected it to the
IP of the $int_if,
The docs say that you can't queue on an inbound packet.
Queuing doesn't make sense inbound anyway;
once you've received the packet, it has already consumed your
bandwidth, and thus queuing won't change anything.
--
http://www.lightconsulting.com/~travis/ --
We already have enough fast, insecure
I'm working on a sniffer that will look for certain kinds of traffic
and invoke changes to the firewall in reaction to them.
You might wish to check out dfd_keeper for a framework for making
changes to pf rules, and I'm working on a python-based sniffer that
listens to an interface and invokes
Does packet filter allow you to load external files? More
specifically, could one place macro definitions in a separate file, but
hook them up to pf.conf so as you reload the pf.conf file you get your
macros? Thank you!
Quoting http://www.openbsd.org/faq/pf/anchors.html:
The load
Quoting:
http://www.openbsd.org/faq/pf/queueing.html
Note that queueing is only useful for packets in the outbound
direction. Once a packet arrives on an interface in the inbound
direction it's already too late to queue it -- it's already consumed
network bandwidth to get to the interface that
so all of the clients
are basically matching to the external public IP... so
basically I can't individually control the upload
bandwidth.
for this, i use tags. tags aren't bound to an iface, so if you
This should be in the FAQ. I had not thought of this problem,
but it seems like it
Has anyone thought of modeling packet filtering/translation/queueing
as a virtual machine? I have been thinking about how to generalize
some of the current operations, and it seems to me that a virtual
machine with operations tuned for common packet judo would be a handy
unifying architecture.
They would have to have been
really serious about protecting their patent to threaten Sun; remember
that almost all FW1 installations (Checkpoint's cash cow) were dependent
on Solaris boxes.
Perhaps. OTOH, if you don't protect IP, you lose it. That is why so
many warnings about infringement
http://www.enyo.de/fw/security/java-firewall/
Towards the end... RFC 3514... check the date on that RFC.
HHOS at its best.
--
http://www.lightconsulting.com/~travis/ --
We already have enough fast, insecure systems. -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9
I am attempting to do something along these lines using a python+pcap
sniffer to watch for certain traffic, and use DFD (specifically
dfd_keeper) to make the changes to the firewall. It will also be able
to tear down the connection when it sees it close (or after a timeout
- rules can be made
On 10/25/05, Markus Friedl [EMAIL PROTECTED] wrote:
On Mon, Oct 24, 2005 at 02:38:43AM -0500, Travis H. wrote:
Has anyone thought of modeling packet filtering/translation/queueing
as a virtual machine?
BSD/OS ipfw (http://www.pix.net/software/ipfw/)
That site has some good code and links
Lots of things in the startup scripts will fail to work or hang
indefinitely if you block outbound stuff. I find it necessary to
allow at least outbound DNS in order for the machine to boot in
reasonable time. Fortunately pf is pretty good about allowing
outbound but not allowing inbound
I have something similar in the way dfd_keeper expands variables.
Basically it will expand a python variable to a macro if it contains
one value (that is, if the python variable is a string or singleton
list/tuple), and a list if it contains more than one (that is, if it
is a list/tuple of length
On 11/17/05, Kevin [EMAIL PROTECTED] wrote:
On 11/17/05, Jon Hart [EMAIL PROTECTED] wrote:
The funny thing is, in my tests, despite having ~31000 source ports to
choose from, the client is unlucky enough most of the time and very
quickly manages to reuse a port. It depends on what else the
It looks like you forgot to sort before you uniq.
Most uniq programs I've worked with require the data to be sorted
first; they just store the last line in memory for comparisons. Since
you've got to run sort anyway, you can use the -u flag.
--
http://www.lightconsulting.com/~travis/ --
We
Catching up on very old email.
On 11/15/05, Lars Hansson [EMAIL PROTECTED] wrote:
And if, for any reason whatsoever, pfctl fails to run? The system
remains wide open.
Because that happens a lot
Oh come on now, this is a fringe case if there ever was one.
What if your default block
Also try increasing the snaplen (-s) since it looks like some of your
packets are truncated.
For example, -s 2000 should catch full packets if the underlying media
is ethernet.
--
http://www.lightconsulting.com/~travis/ -- Knight of the Lambda Calculus
We already have enough fast, insecure
Hey all,
It took me longer than expected but I have finished adding persistence
to dfd_keeper. This means that firewall rules which can be turned on
or off now maintain their state across reboots. Similarly, other
commands which maintain state will do so across reboots without any
additional
On 12/13/05, Daniel Hartmeier [EMAIL PROTECTED] wrote:
Insertion and
removal of state entries is costly, if you set pf up to insert a state
for every single SYN and remove one for every single RST, you're exposing
yourself to a DoS attack where an attacker floods you with SYNs and
RSTs like
Hiya,
DFD is the moniker I made up to describe a program that manages your
firewall rules, allowing changes to be made in them with more ease and
less chance of error than editing a text file.
dfd_keeper is the python/pf implementation that provides a
command-line style interface to your
Yup. TCP is only when resolving multiple requests (e.g. when running
netstat -a)
--
http://www.lightconsulting.com/~travis/ -- You are free... to do as
we tell you!
My love for mathematics is like 1/x as x approaches 0.
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
On 19 Dec 2005 21:41:02 -0800, Jonathan Rogers [EMAIL PROTECTED] wrote:
In any case, refer back to the original posting - the blocked packet
from the tcpdump shown is clearly of a TCP packet (it would say UDP
at the end otherwise).
It doesn't say S(YN), and I don't know what label does.
You
You get a packet into pf by sending the packet.
There is no easy way to resume processing. Once it has been sent to
userland, processing is over. There's nothing to resume.
If you're asking about this, you're probably out of your depth.
You might wish to look at the ftp proxy to see how that
On 1/18/06, Bill Marquette [EMAIL PROTECTED] wrote:
Or because IPFW on FreeBSD has divert() and IP Tables in Linux has
netlink. It's a logical question to ask - although a few minutes in
the man page and a few hours grokking the PF source would have been
enough.
I don't say this to be
Hey does anyone know of a good (well supported) PCI ethernet card, at
least 100Mbps,
that has multiple ports (preferably four)? I'd like to free a few PCI
slots and want something
that works efficiently.
--
The generation of random numbers is too important to be left to chance.
-- Robert
On 1/17/06, Peter [EMAIL PROTECTED] wrote:
2. What is the use of forcing IP-in-IP (-forcetunnel) when setting up an
SA? The vpn manpage example does this without explanation.
So that it won't use transport mode, which may be the default?
If you're setting up a vpn, you have more than one
I've always used IPSEC in Transport mode, combined with a GIF tunnel for
encapsulating the packets. Much easier to set up than tunnel-mode IPSEC.
I just finished setting up an IPsec tunnel, and it took me 7 hours.
Of course, this was my first time with IPsec, but still... it was very
very
Hey,
Sorry for the OT post, but I couldn't find a more appropriate mailing list.
I got a VPN set up but I'm wondering how to make all traffic go over
the VPN to the remote end, which is a gateway to the internet.
If I mess with my default route, my traffic stops flowing at all.
Related to
On 2/12/06, jared r r spiegel [EMAIL PROTECTED] wrote:
anyway, since it's all guesses as to what your setup is, i'll
guess that your (usual) default gateway is on the same subnet
as your external iface, and that your VPN peer is not on the
same subnet. in that case i would set the
So I think a number of people were confused about what DFD actually *did*.
I think this is best explained by an example.
Here is a sample transcript, bash$ is the Unix command line and
dfd_keeper is the dfd command line. Basically I connect up, show the
rules in the example script, block the IP
Didn't notice this was to the list too.
As I said to the OP, I use asynchronous I/O; there is one
in-user-memory image of what the rules should look like, and multiple
clients are all simultaneously handled by one thread. Commands to the
daemon are atomic, and commits to pfctl will commit the
Hi,
When I put in some rdr rules for p2p stuff, it works for a couple of
hours, then the node becomes unresponsive. The node has 48MB of RAM.
The following settings are in place:
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
All other settings are default. I had pfctl -s
I had a tool for ipfilter that would simulate packets hitting it, and
then make sure the reaction was the same as the last edit and the
whole thing was driven by make.
You're basically asking a similar question to does this program do
what I want? which is unsolvable. Asking does this program
On 2/27/06, Morten Larsen [EMAIL PROTECTED] wrote:
rdr pass on $ext_if proto tcp from any to ($ext_if) port {135:139, 445} \
-> 127.0.0.1 port $tarpit_port
pass in on lo0 proto tcp from any to 127.0.0.1 \
port {135:139, 445} flags S/SA synproxy state \
(max-src-conn 0, max-src-conn-rate 0/1, \
Hi, the latest release of dfd_keeper, version 3.3, has a sample script
which now implements a new command, bittorrent. This allows a client
behind NAT to receive connections from other bittorrent clients.
Right now it simply gives this privilege for the last client to ask
for it, and assumes
Sorry, hit send by reflex. Script attached.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
dfd_sniff.py
Convert all your block rules to use log, sniff on pflog0, with -e and -s 2048
That should tell you what rule is blocking the first few.
My hunch is that some kind of state is getting set up by the ICMP echo
replies, and thus future requests are being passed.
In any case, the no route to host
Hiya,
I have a fairly complex firewall setup, and whenever I try to enable
p2p networking, it works for about a day, then the firewall goes
netdead. Upon logging into the console, I find that everything looks
okay -- except network connections. If I try to ping a local IP, it
says something
rdr pass on $extif proto tcp from any to any port 21 -> 127.0.0.1 port 8021
This makes inbound packets destined to port 21 on your box go to the
proxy. But they'll be blocked because you don't have a pass rule
anywhere to allow them.
block drop in log quick on $extif from $privnets to any
On 3/20/06, luke [EMAIL PROTECTED] wrote:
what does netstat -m say?
312 mbufs in use:
307 mbufs allocated to data
1 mbuf allocated to packet headers
4 mbufs allocated to socket names and addresses
307/322/6144 mbuf clusters in use (current/peak/max)
740 Kbytes allocated
On 3/25/06, Travis H. [EMAIL PROTECTED] wrote:
I have a further data point; this started happening when I switched to
policy-based filtering (i.e. using tags extensively). I also have a
few rules which only retag traffic (i.e. LAN_TO_WAN gets retagged as
PASS), which may be unusual enough
Hi,
If anyone has questions about pf, or wants firewall rulesets written,
I know that not all questions get answered here, and I am short on
cash at the moment, so I am available for consulting at reasonable
rates (e.g. ~$100 for me to write you a ruleset, perhaps $25-50/hr
to grovel through
On 3/16/06, info.Vision [EMAIL PROTECTED] wrote:
Hello All, Anybody have Vonage or Att CallVantage working behind
a PF OpenBSD NAT on a DSL or cable modem connection.
I've had reports of people using SIP (Vonage) with success.
You might want to set these for VoIP work:
set timeout { udp.first
Hi,
I was examining my WAN connection the other day, and I found something strange.
I have rdr and nat rules in place for this connection; some ports are
forwarded to an internal host; and nat occurs for everything going
out.
However, I noticed that RST packets coming from the internal host
Hey,
I'm having issues with queueing. When I enable cbq, it seems like it
slows a lot of stuff down. This would make sense if I was severely
throttling stuff, but I hardly ever reach full capacity, and each
class has borrow. Nevertheless, I'm seeing lots of dropped packets.
Here's a typical
On 4/1/06, Daniel Hartmeier [EMAIL PROTECTED] wrote:
If this is on OpenBSD, packet tags (see mbuf_tags(9)) are allocated with
malloc(M_PACKET_TAGS) in m_tag_get() and show up in vmstat -m as
'packet tags'.
A leak would show as steadily increasing 'InUse' and 'HighUse' there.
I've attached my
Does putting borrow on all child queues make any sense?
The way I read it, it does, so like a child queue that isn't using its
bandwidth, can be borrowed by a sibling queue, is that correct?
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 9D3F 395A DAC5 5CCC
What would be the appropriate way to submit additions to the PF FAQ
and/or pf.conf manpage? Specifically, what is the source format,
where can I get the source (for the FAQ, I know where to get the
unformatted manpage), and to whom exactly should I send the diffs?
TIA
--
Security Guru for Hire
Just some suggestions.
1) Lists be allowed to contain only one value, or none. Requiring
braces when 1 value and requiring no braces when 2 values are
present is a pain for automated rule generation and should be very
easy to implement.
2) Sticky queue assignments. Using tags for many
Here's a summary of my problem:
When I use p2p applications, the system runs out of buffer space.
Network operations do not work; attempting to ping an internal host
says no memory buffers available. It is not clear how to free any
more space; one time I killed off everything and got the system
On 4/13/06, Eric Pancer [EMAIL PROTECTED] wrote:
On Thu, 2006-04-13 at 01:26:06 -0500, Travis H. proclaimed...
Just some suggestions.
Sounds like you should get coding then.
I'm developing my own projects, such as DFD, which uses pf.
I can only split my time so many ways.
Maybe when time
I recommend that you use the RFC1918 class B block. 172.16-32.x.x
I've seen networks that use 10/8 or 192.168/16 internally, and if you
have something like a laptop that needs to travel between your network
and others, things can get hairy when IP addresses conflict.
I've had to renumber my
Just curious. tcpdump has the handy host blah syntax, where it
implies src or dst.
Some of my rules could be simplified with a from or to sort of syntax.
If it doesn't exist, I'll put it on my to code some day list.
--
Curiosity killed the cat, but for a while I was a suspect -- Steven Wright
Just wondering if there's some hidden switch for dumping the rules
with numeric ports.
I personally use the nmap-services file, since it has a lot more ports
documented,
but the mapping from numbers to names is N to 1: lots of ports are named the
same thing, and pfctl prints symbolic names...
Does anyone have any ideas about tools that are desired for working with pf?
--
Curiosity killed the cat, but for a while I was a suspect -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
I wrote a tool that looks up IP addresses via DNS and updates table contents.
This is a way of getting pf to coexist with dynamic DNS.
http://www.lightconsulting.com/~travis/pf_dns_lookup/pf_dns_lookup.tar.gz
Browse the script here:
On 5/1/06, Can Erkin Acar [EMAIL PROTECTED] wrote:
On Sun, Apr 30, 2006 at 08:22:51AM -0700, [EMAIL PROTECTED] wrote:
I don't think time spent developing PF or ALTQ could be better spent
developing something other than download queueing. Everyone here seems
to agree it's PF's worst
On 5/10/06, Vas Péter [EMAIL PROTECTED] wrote:
Ooops. Well, it was quick and dirty. You'd have to figure out a way to kill
logged in users too.
This seems simple.
pfctl -k a.b.c.d
Also, I have a tool that lets you create firewall rules which time
out at a particular time.
It's called
On 5/16/06, Terry [EMAIL PROTECTED] wrote:
Page 2 gives the policies/functionality I would like to have. I want
the system to be secure but I would also like to be able to admin the
system from the outside.
You want your cake AND you want to eat it? Ambitious!
Mostly, there is the threat of
On 5/19/06, Travis H. [EMAIL PROTECTED] wrote:
Just plug one of the LAN ports into your existing network and leave
the WAN unused.
Really? I found that my traffic to the internet wasn't getting routed
when I did this.
Oh... yeah, it has to have an IP on my LAN... which is not 192.168.1/24
On 5/18/06, Daniel Hartmeier [EMAIL PROTECTED] wrote:
set skip on lo0
set skip on $pfsync_if # might not want this
These two lines don't add up, the second one replaces the first,
so lo0 is not really skipped. Use a single set skip line, listing
all interfaces to be skipped at once.
Ah,
On 5/19/06, Travis H. [EMAIL PROTECTED] wrote:
On 5/18/06, Daniel Hartmeier [EMAIL PROTECTED] wrote:
set skip on lo0
set skip on $pfsync_if # might not want this
These two lines don't add up, the second one replaces the first,
so lo0 is not really skipped. Use a single set skip line
On 5/21/06, Magne J. Andreassen [EMAIL PROTECTED] wrote:
set skip on { lo sis0 }
Well I'll be... somehow I didn't try that.
--
Curiosity killed the cat, but for a while I was a suspect -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 9D3F
On 5/28/06, Karl O. Pinc [EMAIL PROTECTED] wrote:
Is this the right place to ask this question?
Yes.
Is this the way it's supposed to work or am I missing something here?
(I'd be happy to supply pf.conf but AFAIK the queue layout is all
that's relevant. Some of my rules are just pass on $if
On 6/27/06, Darrin Chandler [EMAIL PROTECTED] wrote:
I've been through the documentation and this mailing list. Is there
another way to add IP addresses to a table directly using a rule in
pf.conf? I can see the little bastards coming and I'd like to cut them
off as quickly as possible.
On 6/27/06, McLone [EMAIL PROTECTED] wrote:
We have many clients here, so i wanted to do it
on my freebsd6 router, with simple cron job switching
tables in PF, but pf doesn't support a thing like
give EACH ip in that table N kbits/s.
Yes, what you want is a list.
So i have one option now -
Yeah, great explanation.
I'm adding this to my list of things that should be in the docs
list, hopefully I'll get a chance to submit some patches some day.
--
Resolve is what distinguishes a person who has failed from a failure.
Unix guru for sale or rent -
So...
If pfstatd makes statistics available to network clients like pfstat,
how does one tell pfstat to use the network? I see no options for
such, and putting the hostname on the command line just generates an
error.
TY
--
Resolve is what distinguishes a person who has failed from a failure.
Hey,
On the FreeBSD pf list someone mentioned that they wanted the ability
to have a default deny policy with pf, like the old ipf kernel
option. That reminded me that I thought the same thing when I started
with pf. I know, I know, it's not a terribly useful setup until the
pass rules get
On 7/15/06, Ryan McBride [EMAIL PROTECTED] wrote:
Root can do stupid things which compromise security. Obfuscation or
needless complexity in an attempt to protect yourself from the root
account will only make your system less secure.
If every ruleset needs to put a rule in to default to
On 7/14/06, Michal Soltys [EMAIL PROTECTED] wrote:
Recently I've been writing rules for small router (2 internal interfaces, 1
external, few services running). I've just set 1 queue for the whole
inbound (1 mbit) on internal interface, so it won't get stalled by other
traffic from int. net to
On 7/17/06, Michal Soltys [EMAIL PROTECTED] wrote:
Back to my point: with limited inbound traffic (by isp) to 1mbit, the
incoming traffic is just some traffic. If whatever comes in, assigned
to ext_bulk1 saturates a bit ext_bulk2 - total traffic will be still
1mbit, and there won't be any hmmm,
On 7/18/06, Can Erkin Acar [EMAIL PROTECTED] wrote:
No, needless complexity is a compile time option that makes it
impossible to know whether a given installation needs the block rule or not.
Good point.
packets are sent using bpf(4) so ruleset does not really matter.
Every day a school
I locked myself out a couple of days ago by removing set skip and
not adding rules to allow any traffic on lo0.
I got sick of this and finally wrote this shell script to prevent it.
http://www.subspacefield.org/~travis/deadman/
Note that you shouldn't kill state, because then you won't be able
On Tue, Dec 12, 2006 at 09:29:34PM +0100, Stanislaw Halik wrote:
You don't need to think much.
trap [action signal ...]
Cause the shell to parse and execute action when any of the
specified signals are received.
That has been suggested a couple of times but it
On Wed, Dec 13, 2006 at 06:31:10PM +0100, Daniel Hartmeier wrote:
pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state
The point of this is that you can control _which_ interface(s) a
connection must flow through, instead of granting a permission to pass
any and all
On Wed, Dec 20, 2006 at 01:35:37PM +1100, Johan Allard wrote:
echo "pass in on ne3 dup-to (lo1 1.1.12.1) inet all keep state" > /etc/pf.conf
pfctl -e
pfctl -f /etc/pf.conf
and the first packet coming in on ne3 will cause a kernel dump, see
attached screenshot.
I didn't view the screenshot
So, surprisingly, many OSes don't synchronize their TCP timestamp
clock to their system clock, so effectively they leak the skew of
that clock, even if they are synching their system clock via NTP.
I am wondering what the current behavior is for OpenBSD, and if
scrubbing or any other pf function
On Fri, Jan 12, 2007 at 09:27:58AM +0100, Daniel Hartmeier wrote:
I am wondering what the current behavior is for OpenBSD, and if
scrubbing or any other pf function (e.g. synproxy) does anything
about it.
The first match searching for 'timestamp' in pf.conf(5) is in
Hmm, forgot about
Someone's guide to pf made the intelligent observation that if
you use antispoof, you can often avoid specifying an interface
in the filter rules that also refer to IPs (or ranges), because
you already know what interface those are coming from.
However, I wanted to point out that you can't really
On Tue, Jan 23, 2007 at 03:23:36PM +, Stuart Henderson wrote:
I don't use flags anywhere in my keep state rules... Are you saying that I
should use those flags everywhere
Yes, use them everywhere.
Yep. It turns out that if you don't, your firewall may pick up
a TCP connection in the
On Mon, Jan 22, 2007 at 11:04:56AM -0500, Chris Smith wrote:
Also, as it is currently, sshd only allows access by via public
key - PasswordAuthentication no,
Wise. Why play the game of try to detect bad passwords chosen by
users instead of just avoiding it altogether? You know someone will
On Wed, Jan 24, 2007 at 01:38:51AM -0600, Travis H. wrote:
At this time it appears that I would
either have to open up sshd to passwords (I'm not enamored with this idea)
and/or teach the remote users to set up and use key pairs (or do it for
them).
Another thought:
How about you
Since you're on a dynamic IP (or appear to be so), you might find this
useful:
http://home.in.tum.de/~baueran/techdoc/postfix.html
Best bet is to use relay_host to relay outbound email through your
ISP, or find someone with a static IP who will let you relay through
their machine.
--
The