[Q] is there a way to use bgp-spamd.net?

2019-01-13 Thread Zeus Panchenko

hi,

is there a way to use BGP to block traffic, like it is described at
https://www.bgp-spamd.net/index.html

or even BGP feeds from spamhaus
https://www.spamhaus.org/news/article/683/spamhaus-releases-bgp-feed-bgpf-and-botnet-cc-list-bgpcc

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)
___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"


[Q] what is the correct way to filter by remote pf?

2017-06-27 Thread Zeus Panchenko

greetings

please, advise

WHAT I HAVE:

routerB <-> netX/16
   ^
   |
   V
clients <-> routerA <-> netX/24


WHAT I NEED:
to provide `clients <-> netX/24' traffic on the basis of routerB pf rules,
so the very decision to pass or to block has to be made on routerB



HOW I THINK OF DOING THAT:

=====
VARIANT I
-----

---[ routerA pf.conf quotation start ]---
...
pass in log (to pflog1) on $if_clients-to-routerA from  to  tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]---

---[ routerB pf.conf quotation start ]---
...
pass in log (to pflog1) on $if_routerB-to-routerA from  to  tag AUTHED
pass in log (to pflog1) route-to ($if_routerB-to-routerA $routerA_ip) tagged AUTHED
block  to 
...
---[ routerB pf.conf quotation end ]---


RESULTS: I see packets redirected to routerB, but there the packets are looping
until the time to live is exceeded



=====
VARIANT II
-----

---[ routerA pf.conf quotation start ]---
...
pass in log (to pflog1) on $if_clients-to-routerA from  to  tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]---


---[ routerB configuration quotation start ]---

rc.conf
static_routes="netX24"
route_netX24="-net A.B.C.0/24 $routerA_ip"


pf.conf
pass in log (to pflog1) on $if_routerB-to-routerA from  to  tag AUTHED
block  to 

---[ routerB configuration quotation end ]---


RESULTS: the same as for VARIANT I



=====
VARIANT III
-----

something else ...
might it relate to pfsync somehow?


-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


Re: pfsync for sshguard table sync on several hosts

2016-10-12 Thread Zeus Panchenko
mxb  wrote:

> Use BGP to distribute list of IP addresses.
> Like it is done at http://bgp-spamd.net/

what about pfsync indeed? I need a black list of addresses I can
control on my own, and installing BGP infrastructure for local needs
looks excessive

isn't pfsync aimed at tasks like this one?

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)




pfsync for sshguard table sync on several hosts

2016-10-11 Thread Zeus Panchenko

hi,

please advise

I am thinking of pfsync-ing the sshguard table content among several hosts to get
one big table on each host, since an IP blocked on one host I want to be
blocked on all the others automatically (all hosts are terminated in one
VPN) ...

am I correct to consider pfsync as the right way to get that?

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)
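One way to get the shared block list without BGP, as an added example that is not from the thread or from the sshguard project: pfsync(4) carries pf state entries, not table contents, so the per-host tables are exported with `pfctl -t sshguard -T show`, merged, and the entries a host lacks are pushed back with `pfctl -T add`. The table name `sshguard`, the host names and the sample `pfctl` output are constructed assumptions, and the script returns the command lines instead of running them.

```python
"""Merge pf table contents across hosts by diffing `pfctl -T show` output.

Assumed (not from the thread): every host carries a table called ``sshguard``,
and pfctl command lines are returned, not executed, so this runs offline.
"""
import ipaddress
import shlex
from typing import Dict, List, Set

TABLE = "sshguard"  # assumed table name

# Constructed sample `pfctl -t sshguard -T show` output from two hosts.
SAMPLE_OUTPUT = {
    "hostA": "   192.0.2.10\n   198.51.100.0/24\n   2001:db8::5\n",
    "hostB": "   192.0.2.10\n   203.0.113.7\n   not-an-address\n",
}

def parse_table_show(output: str) -> Set[str]:
    """Normalise pfctl's one-entry-per-line listing; skip non-address lines."""
    entries: Set[str] = set()
    for line in output.splitlines():
        try:
            net = ipaddress.ip_network(line.strip(), strict=False)
        except ValueError:  # blank line or a stray pfctl warning
            continue
        # pfctl prints single hosts without a prefix length; keep that form
        single = net.prefixlen == net.max_prefixlen
        entries.add(str(net.network_address) if single else str(net))
    return entries

def missing_on(host: str, per_host: Dict[str, Set[str]]) -> Set[str]:
    """Entries blocked on some other host but not yet on `host`."""
    return set().union(*per_host.values()) - per_host[host]

def pfctl_add_commands(host: str, per_host: Dict[str, Set[str]]) -> List[str]:
    """Command line(s) that bring `host` up to the union; empty if current."""
    def order(addr: str):  # IPv4 before IPv6, then numeric order
        net = ipaddress.ip_network(addr)
        return (net.version, net)
    missing = sorted(missing_on(host, per_host), key=order)
    if not missing:
        return []
    return ["pfctl -t %s -T add %s" % (TABLE, " ".join(map(shlex.quote, missing)))]

def sync_plan(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Per host, the pfctl commands to run there so all hosts share one table."""
    per_host = {h: parse_table_show(o) for h, o in outputs.items()}
    return {h: pfctl_add_commands(h, per_host) for h in per_host}
```

The plan only ever adds entries, so removals (sshguard's own unblocking after its timeout) still have to be propagated separately.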


Re: wan1 as default, wan2 dedicated to a service

2016-08-10 Thread Zeus Panchenko
Max  wrote:

> Probably you should use
> pass out log on $if_dvr reply-to ($if_wan2 $gw_wan2) to 

thank you, Max, this helped

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


Re: default to wan1, definite subnet replies to wan2

2016-08-04 Thread Zeus Panchenko
sorry for noise, please ignore this incomplete message

Zeus Panchenko <z...@ibs.dn.ua> wrote:

> greetings,
> 
> I have two wan interfaces, wan1 and wan2
> 
> wan1 is for default
> 
> I have subnet in my LAN all replies from which I need to direct through
> wan2
> 
> I hoped to do that with this pf configuration:
> 
> if_service = "vlan1234" # service network
> table  const { 10.0.0.0/24 }
> # requests for the service
> rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> 10.0.0.1 port 5678
> nat log on $if_wan2 from  to any -> ($if_wan2)
> ...
> pass in log on $if_video route-to ($if_wan3 $gw_wan3) from  to !  keep state
> 

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


wan1 as default, wan2 dedicated to a service

2016-08-04 Thread Zeus Panchenko
hi,
I need a trivial thing but am wondering where I am wrong ... :(
help please

I have two WAN interfaces: wan1 and wan2
wan1 is default route interface, wan2 is dedicated for DVR (video)

I'm trying to direct all output from the DVR to wan2 (here I do not care
where a request to the DVR came from, I want all replies to go out through wan2)

so, I hoped to do that with this pf.conf

---[ start ]
if_wan1 = "em0"
if_wan2 = "igb0" # ip address A.B.C.D
gw_wan2 = "E.F.G.H"
if_dvr="vlan123"
table  const { 10.0.0.0/24 }
# redirect all requests on wan2 to DVR host1
rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> 10.0.0.1 port 5678
nat log on $if_wan2 from  to any -> ($if_wan2)
...
pass in log on $if_dvr route-to ($if_wan2 $gw_wan2) from  to any keep state
---[ stop  ]

as results, 
I see requests from world on $if_wan2
I see redirects of the requests, out packets on $if_dvr
I see replies to the requests, in packets on $if_dvr
but I see ($if_wan2) sourced replies, and I see them on *$if_wan1*

so, as I understand ... route-to works, otherwise replies wouldn't be
from ($if_wan2)

but NATed replies appear on $if_wan1, which is the default route ... so
... how can I have replies go out through $if_wan2? is it a question of
a second routing table?

please, advise
-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


pfctl ... driver does not support altq

2014-11-03 Thread Zeus Panchenko

greetings,

I see that in the list the issue appears from time to time, but I was not able to
find the solution for my case; please help me to get altq working on my
igb(4), if it is possible at all

I was trying the original OS igb(4) driver and the one from Intel, but the
result is the same

below are my details:


 uname -a
FreeBSD 10.0-RELEASE-p11 #2 r273597 amd64


 dmesg
---[ quotation start ]---

igb3: Intel(R) PRO/1000 Network Connection version - 2.4.2 port 0xa000-0xa01f mem 0xf710-0xf717,0xf718-0xf7183fff irq 19 at device 0.0 on pci7
igb3: Using MSIX interrupts with 5 vectors
igb3: Ethernet address: 00:25:90:d1:dc:6b
igb3: Bound queue 0 to cpu 0
igb3: Bound queue 1 to cpu 1
igb3: Bound queue 2 to cpu 2
igb3: Bound queue 3 to cpu 3

---[ quotation end ]---


 pciconf -l
igb3@pci0:7:0:0:class=0x02 card=0x153315d9 chip=0x15338086 rev=0x03 hdr=0x00
vendor = 'Intel Corporation'
device = 'I210 Gigabit Network Connection'
class  = network
subclass   = ethernet


 /boot/loader.conf
---[ quotation start ]---

hw.igb.rxd=4096
hw.igb.txd=4096
hw.igb.rx_process_limit=-1
hw.igb.num_queues=0
hw.igb.max_interrupt_rate=32000

net.isr.defaultqlimit=4096
net.isr.bindthreads=1
net.isr.maxthreads=4
net.isr.maxqlimit=32768

---[ quotation end ]---


 /usr/src/sys/amd64/conf/MY_KERNEL
---[ quotation start ]---

options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
options ALTQ_NOPCC
options ALTQ_DEBUG

---[ quotation end ]---


 /etc/pf.conf
---[ quotation start ]---

altq on igb3 cbq bandwidth 1000Mb queue { wan_rest, wan_viber }
 queue wan_viber bandwidth 5Mb priority 0
 queue wan_rest bandwidth 995Mb cbq(default)

---[ quotation end ]---


 service pf check && service pf reload
Checking pf rules.
Reloading pf rules.
pfctl: igb3: driver does not support altq

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


Re: nat before ipsec ...

2013-12-26 Thread Zeus Panchenko

> target - world -- em0 - freebsd - vlanA -- LAN
> ^^   net A
> ||
> +- netC -.-.-.-.- IPSec -.-.-.-.- net B -+
> ...
> where:
> A1 is some address from net A
> B2 is some address from net B
> C3 is some address from net C
>
> I can see incoming packets from A1 to C3 on interface vlanA, but after
> that, packets disappears, I can not find them any other interface and
> no return packets

finally I was able to get the packets redirected (actually after a pf restart,
not just a reload) and now I have A1 packets going to C3 on vlanA

# tcpdump -ni tun10 host C3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun10, link-type NULL (BSD loopback), capture size 65535 bytes
07:10:57.641536 IP A1 > C3: ICMP echo request, id 59179, seq 8913, length 64
07:10:58.641467 IP A1 > C3: ICMP echo request, id 59179, seq 8914, length 64
07:10:59.641882 IP A1 > C3: ICMP echo request, id 59179, seq 8915, length 64

and further I can see them on the interface IPSec is configured on:

# tcpdump -ni em1 host C3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:12:28.638456 IP A1 > C3: ICMP echo request, id 59179, seq 9004, length 64
07:12:29.636961 IP A1 > C3: ICMP echo request, id 59179, seq 9005, length 64
07:12:30.637647 IP A1 > C3: ICMP echo request, id 59179, seq 9006, length 64

but these packets *do not pass through the nat* ...

in pf.conf I do:

rdr pass on $if_vpn from A1 to C -> $target-side-of-ipsec
binat on $if_vpn from A1 to C3 -> B2

and net.inet.ipsec.filtertunnel is set to 1

is the below URL the answer?

http://forum.pfsense.org/index.php/topic,49800.msg265106.html#msg265106


-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


nat before ipsec ...

2013-12-25 Thread Zeus Panchenko

hi,

please, may somebody help with the subj? is it possible at all on
FreeBSD with pf?

I need to binat some of my LAN (network A) IP addresses to some secure
communication addresses (network B) for access to network C, which is
behind IPSec

target - world -- em0 - freebsd - vlanA -- LAN
^^   net A
||
+- netC -.-.-.-.- IPSec -.-.-.-.- net B -+

when I land some B network address on the freebsd box, then everything from
that address works, but when I try to bi/nat some network A address to some
network B address, it does not

in pf.conf I try this:

binat on vlanA from A1 to C3 -> B2

where:
A1 is some address from net A
B2 is some address from net B
C3 is some address from net C

I can see incoming packets from A1 to C3 on interface vlanA, but after
that the packets disappear, I cannot find them on any other interface and
there are no return packets

as far as I know I need nat before vpn ... but I was not able to find
how to do that ... can I do that with pf on freebsd?

I run FreeBSD 9.2-PRERELEASE #6 r255856: amd64 with system pf

please, help me understand what am I missing ...

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


Re: nat before ipsec ...

2013-12-25 Thread Zeus Panchenko

wishmaster artem...@ukr.net wrote:

> If I understand you correctly, you want binat inside IPSec and

I'm not sure ... what I want is to nat packets from net A before they
enter IPSec, as if they did not originate on the freebsd host

so, they enter IPSec already as net B packets ...

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)