Re: pf block unwanted traffic

2013-01-16 Thread Henning Brauer
it isn't passed, it is blocked.
not by a rule but by pf itself long before since the header length is
invalid. and since there is no rule to refer to it refers to the
default rule.

* David Diggles da...@elven.com.au [2013-01-16 08:43]:
 Hello List,
 
 I just got a similar event in my pflog.
 
 Jan 16 16:08:02.435283 rule def/(short) pass in on pppoe0: 50.112.59.10.0 > 59.167.212.41.0: SFRWE [bad hdr length]
 
 I don't know what this is, or why it is passed.
 
 Can someone explain or attempt a guess at what this is?
 
 The intention of my pf.conf is to block all incoming
 by default on pppoe0.
 
 Am I doing something really stupid here?
 
 /etc/hostname.carp1
 inet 172.75.100.1 255.255.255.0 172.25.101.255 balancing ip-stealth carpnodes 
 1:0,2:100 pass secret1
 group dmz
 
 /etc/hostname.carp2
 inet 172.25.100.1 255.255.255.0 172.25.100.255 balancing ip-stealth carpnodes 
 4:0,5:100 pass secret2
 group lan
 
 /etc/hostname.em0
 up mtu 1508
 
 /etc/hostname.em1
 inet 172.75.100.4 255.255.255.0
 group dmz
 
 /etc/hostname.em2
 inet 172.25.100.4 255.255.255.0
 group lan
 
 /etc/hostname.pppoe0
 inet 59.167.212.41 255.255.255.255 NONE mtu 1500 \
 pppoedev em0 authproto pap \
 authname pppoeuser authkey pppoepass up
 dest 0.0.0.1
 !/sbin/route add default -ifp pppoe0 0.0.0.1
 !/sbin/route add -inet6 default -ifp pppoe0 ::1
 
 /etc/pf.conf
 #---
 # defaults
 #---
 table <rfc1918> const { 192.168/16 172.16/12 10/8 }
 table <dmz> const { dmz:network }
 table <lan> const { lan:network }
 set loginterface egress
 set skip on lo
 block in quick on egress from <rfc1918>
 antispoof log quick for { pppoe0 em0 }
 pass
 block quick on egress proto carp
 block quick on { egress dmz } inet6
 block in log on { egress dmz }
 #---
 # ack priority
 #---
 match on egress inet proto tcp prio(1,7)
 #---
 # sand blasting
 #---
 match in on egress scrub (reassemble tcp)
 #match in on { egress dmz } scrub (reassemble tcp)
 #match on egress scrub (max-mss 1440) 

 #---
 # translation and redirections
 #---
 match out on egress nat-to (egress)
 match in on { lan dmz } inet proto tcp to ! bincrow.net \
 port www rdr-to localhost port 8080
 match in on { lan dmz } inet proto tcp to bincrow.net \
 port www rdr-to localhost
 match in on { lan dmz } inet to bincrow.net rdr-to localhost
 #---
 # incoming port forwards
 #---
 # torrent
 pass in on egress inet proto tcp to egress port 6881 rdr-to meile \
 modulate state
 pass in on egress inet proto udp to egress port 6881 rdr-to meile \
 keep state
 #---
 # allow anyone to this
 #---
 pass in on egress inet proto tcp from any to egress port www \
 modulate state
 #---
 # dns
 #---
 table <dns-white> persist file "/etc/pf/dns-white"
 pass in on egress inet proto { tcp udp } from \
 <dns-white> to egress port domain
 pass in on dmz inet proto { tcp udp } from \
 dmz to dmz port domain
 #---
 # ntp
 #---
 pass in on dmz inet proto { tcp udp } from dmz \
 to dmz port { daytime time ntp }
 #---
 # ssh - whitelist, and rate limit overflows into blacklist
 #---
 table <ssh-black> persist file "/etc/pf/ssh-black"
 table <ssh-white> persist file "/etc/pf/ssh-white"
 pass in log on { egress dmz } inet proto tcp from <ssh-white> to \
 port ssh rdr-to localhost
 pass in log on { egress dmz } inet proto tcp from !<ssh-black> to \
 port ssh rdr-to localhost keep state \
 (max-src-conn-rate 1/30, overload <ssh-black> flush)
 #---
 # imaps - whitelist, and rate limit overflows into blacklist
 #---
 table <imaps-black> persist file "/etc/pf/imaps-black"
 table <imaps-white> persist file "/etc/pf/imaps-white"
 pass in log 
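Henning's point is that a "(short)" entry in pflog is a drop made by pf's header sanity check before any rule is consulted, so the "pass" and "def" in that line only say which rule pf attributed the drop to. The following is an added example, not code from the thread or from pf itself: it classifies pflog text lines by their reason field and applies a simplified stand-in for pf's TCP data-offset check to constructed headers (the log lines and headers are constructed here; the first log line is copied from David's).

```python
import re
import struct

# Constructed pflog text lines (tcpdump -n -e -ttt -r /var/log/pflog style).
# The first is a copy of the line David quoted, the second an ordinary rule hit.
SAMPLE_SHORT = ("Jan 16 16:08:02.435283 rule def/(short) pass in on pppoe0: "
                "50.112.59.10.0 > 59.167.212.41.0: SFRWE [bad hdr length]")
SAMPLE_MATCH = ("Jan 16 16:09:00.000000 rule 3/(match) block in on pppoe0: "
                "192.0.2.7.4444 > 59.167.212.41.22: S")

# tcpdump's pflog prefix: "rule <number|def>/(<reason>) <action> <dir> on <ifname>:"
PFLOG_RE = re.compile(r"rule (?P<rule>\S+)/\((?P<reason>[^)]+)\) (?P<action>\w+) "
                      r"(?P<dir>in|out) on (?P<ifname>[\w.]+):")


def classify_pflog(line):
    """Say what pf actually did with a logged packet.

    Only reason "match" means the packet was evaluated against the ruleset and
    the logged action is the verdict.  Any other reason ("short", "fragment",
    "bad-offset", "normalize", ...) is a sanity-check drop by pf itself, made
    before rule evaluation; the rule shown ("def" = default rule) is just what
    pf attributed the drop to, so "pass" in such a line is not a pass.
    """
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["verdict"] = d["action"] if d["reason"] == "match" else "drop"
    return d


def tcp_header_length_ok(segment):
    """Simplified stand-in for pf's TCP header check (not pf's code): the data
    offset must cover at least the 20-byte fixed header and must not point past
    the bytes actually present; otherwise the segment is "short"."""
    if len(segment) < 20:
        return False
    hdr_len = (segment[12] >> 4) * 4
    return 20 <= hdr_len <= len(segment)


def make_tcp_header(sport, dport, flags, doff_words):
    """Build a bare 20-byte TCP header (seq, ack, window, checksum and urgent
    pointer zero) with an arbitrary data-offset field, for testing."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff_words << 4, flags, 0, 0, 0)


# Flag bits for the SFRWE combination in the log line: SYN|FIN|RST|CWR|ECE.
SFRWE = 0x02 | 0x01 | 0x04 | 0x80 | 0x40

if __name__ == "__main__":
    for line in (SAMPLE_SHORT, SAMPLE_MATCH):
        d = classify_pflog(line)
        print(f"{d['ifname']} {d['dir']} rule={d['rule']} reason={d['reason']} -> {d['verdict']}")
    bogus = make_tcp_header(0, 0, SFRWE, 2)  # data offset claims 8 bytes: bad hdr length
    print("SFRWE doff=2 header ok?", tcp_header_length_ok(bogus))
```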

Re: CARP compatibility between 5.1 and 5.2

2013-01-16 Thread Laurent Caron (Mobile)
R0me0 *** knight@gmail.com wrote:

Hello misc,

I've an OpenBSD 5.1 in production and I will put another OpenBSD 5.2 and
then configure CARP.
Will I have some compatibility issue?

Thanks in advance

Hi

I have such a setup running without issue.
Cheers

Laurent



Re: new hardware

2013-01-16 Thread Zoran Kolic
  Laptop batteries are planned to have a 1-2 year life, and sometimes
 you get less, sometimes you get more. I have one Thinkpad whose
 battery lasted about 6 months and won't hold a charge; I have another
 that is 5 years old.

Yeah. It drives me mad. My thinkpad has 5 hours in console mode
and about a half in xorg. From the very start I was not sure if
that battery was correct.
Since I started this thread, to report what decision I made:
I will get a small case, chieftec bt-02b-180, intel g550 and asus
p8h61-m lx3 r2.0. I hope this will run 5.2 in graphical mode.
Best regards

 Zoran



Re: Arpresolve route without link local address

2013-01-16 Thread mxb
Take a step back and either disable PF or put pass keep state (e.g. simple
rules) and see if you can reproduce this problem.

//mxb

On 14 Jan 2013, at 21:38, Атанас Владимиров don.na...@gmail.com wrote:

 Hi,
 Today I upgraded to the 11.01.2013 snapshot and I still get the same error.
 I have permanent static for my default route.
 
 [ns]~$ sudo /usr/sbin/arp -Ff /etc/ether.mac
 
 [ns]~$ cat /etc/ether.mac
 XX.XX.XX.33 00:50:45:5f:16:58 permanent
 
 [ns]~$ arp -a
 gw.xx.xx (XX.XX.XX.33) at 00:50:45:5f:16:58 on em0 permanent static
 
 After a while:
 [ns]~$ arp -a
 gw.xx.xx (XX.XX.XX.33) at 00:50:45:5f:16:58 on em0
 
 the permanent static arp entry disappears.
 
 /var/log/messages:
 Jan 14 20:46:47 ns /bsd: arpresolve: XX.XX.7.33: route without link local address
 Jan 14 20:51:47 ns last message repeated 42 times
 
 /var/log/daemon:
 Jan 14 20:46:47 ns dhclient[2970]: DHCPREQUEST on em0 to XX.XX.7.1 port 67
 Jan 14 20:46:47 ns dhclient[2970]: DHCPACK from XX.XX.7.33 (00:50:45:5f:16:58)
 Jan 14 20:46:47 ns dhclient[2970]: bound to XX.XX.7.48 -- renewal in 300 seconds.
 
 Here is my pf.conf
 
 [ns]~$ sudo cat /etc/pf.conf
 
 
 ### Macros ###
 
 ### Interfaces ###
 ExtIf = "em0"
 IntIf = "vlan41"
 Free  = "vlan81"
 pppx  = "192.168.3.0/25"
 lo0   = "127.0.0.1"
 
 ### Hosts ###
 vl=192.168.1.2
 jl=192.168.1.3
 ve=192.168.1.4
 ntp=192.168.1.5
 sam=192.168.1.14
 dpc11=192.168.1.11
 
 ### Ports ###
 low_ports = 0:1024
 hi_ports  = 1025:65535
 web   = {20, 21, 22, 25, 80, 443, 3389, 5900, 6000, , 8080}
 ssh_extif = 
 rdc   = 3389
 rdc_extif = 4900
 squid = 8080
 squid_extif = 443
 vl_skype  = 30001
 jl_skype  = 30002
 ve_skype  = 30003
 vl_torrent= 30004
 jl_torrent= 30005
 ve_torrent= 30006
 vl_hfs= 8081
 ftp_proxy = 8021
 symux = 2100
 ftp   = 21
 vnc_ext   = 59001
 vnc_int   = 5900
 sftp  = 2
 l2tp  = { 500, 1701, 4500 }
 trace = 33434:33498
 ### Queues, States and Types ###
 IcmpType = "icmp-type 8 code 0"
 SynState = "flags S/SAFR synproxy state"
 
 ### Tables ###
 table <bgnets> file "/etc/bgnets"
 table <spamd-white> persist
 table <proxy-users> persist { 188.254.185.154, 212.50.72.29, 85.217.136.0/21, \
     95.111.100.14, 212.233.176.65, 78.128.124.161, 190.32.172.28 }
 ##  panama
 table <isp> persist { 94.26.7.32/27 }
 table <BLOCK> persist { 82.119.88.70 }
 
 ### Options ###
 ### Misc Options
 set block-policy drop
 set loginterface $ExtIf
 set skip on lo0
 set optimization aggressive
 # set state-defaults pflow
 
 ### Queueing ###

 altq on $ExtIf bandwidth 100% hfsc queue { BG, INTER }
 queue INTER bandwidth 3% hfsc (upperlimit 2950Kb) \
     { i_ack, i_dns, i_ntp, i_web, i_bulk, i_bittor }
     queue i_ack    bandwidth 30% priority 8 qlimit 500  hfsc (realtime 30%)
     queue i_dns    bandwidth  5% priority 7 qlimit 500  hfsc (realtime 10%)
     queue i_ntp    bandwidth 10% priority 6 qlimit 500  hfsc (realtime 10%)
     queue i_web    bandwidth 30% priority 5 qlimit 500  hfsc (realtime 20%)
     queue i_bulk   bandwidth 19% priority 2 qlimit 500  hfsc (realtime 15%)
     queue i_bittor bandwidth  1% priority 0 qlimit 2000 hfsc (default, upperlimit 60%)

 queue BG bandwidth 30% hfsc (upperlimit 30Mb) \
     { b_ack, b_dns, b_ntp, b_rdc, b_web, b_bulk, b_bittor }
     queue b_ack    bandwidth 10% priority 8 qlimit 500 hfsc (realtime 10%)
     queue b_dns    bandwidth  1% priority 7 qlimit 500 hfsc (realtime  1%)
     queue b_ntp    bandwidth 10% priority 7 qlimit 500 hfsc (realtime  1%)
     queue b_rdc    bandwidth 10% priority 6 qlimit 500 hfsc (realtime 10%)
     queue b_web    bandwidth 30% priority 5 qlimit 500 hfsc (realtime 30%)
     queue b_bulk   bandwidth 30% priority 4 qlimit 500 hfsc (realtime 10%)
     queue b_bittor bandwidth  1% priority 0 qlimit 500 hfsc (upperlimit 85%)
 
 ### Translation and Filtering ###
 
 ### BLOCK all in/out on all interfaces by default and log
 block log on $ExtIf
 block return log on $IntIf
 block return log on $Free
 block quick log on $ExtIf from <BLOCK>
 
 ### Network Address Translation (NAT with outgoing source port randomization)
 match out log on egress from (self) \
to any nat-to ($ExtIf:0) port 1024:65535
 match out log on egress from !($ExtIf:0) \
to any nat-to ($ExtIf:0) port 1024:65535
 
 ### NAT from IntIf to FreeWifi
 match out log on $Free from $IntIf:network \
to $Free:network nat-to ($Free:0) port 1024:65535
 
 ### Packet normalization ( scrubbing )
 match log on $ExtIf all scrub (random-id max-mss 1472)
 
 ### Ftp ( secure ftp proxy for LAN )
 anchor ftp-proxy/*
 
 ### pppx
 pass log from $pppx
 
 ### $ExtIf inbound 
 
 # npppd
  pass in 

Re: OSPFD on a VLAN Trunk Interface

2013-01-16 Thread Sebastian Benoit
MJ(m...@sci.fi) on 2013.01.15 22:45:46 +0200:
[...]
 4) On box3, all routes show up with next-hop of 10.1.0.1 (vlan2 on box2), 
 instead of the IP addresses of the respective vlan interfaces. I want the 
 real gateways to show up as next-hops.

[...]
 box 3
 --
 [root@box3 ~]# ospfctl s r
 Destination  Nexthop   Path TypeType  CostUptime  
 10.0.0.1 10.1.0.1  Inter-Area   Router20  01:45:09
 10.0.0.2 10.1.0.1  Intra-Area   Router10  03:28:33
 10.0.0.0/21  10.1.0.1  Inter-Area   Network   20  01:45:15
 10.1.0.0/21  10.1.0.12 Intra-Area   Network   10  03:28:38
 0.0.0.0/010.1.0.1  Type 1 ext   Network   120 01:45:09
 10.1.8.0/22  10.1.0.1  Type 1 ext   Network   110 03:28:33
 10.1.12.0/22 10.1.0.1  Type 1 ext   Network   110 03:28:33
 10.1.16.0/22 10.1.0.1  Type 1 ext   Network   110 03:28:33
 10.1.32.0/22 10.1.0.1  Type 1 ext   Network   110 03:28:33
 10.1.48.0/21 10.1.0.1  Type 1 ext   Network   110 03:28:33
 10.1.56.0/21 10.1.0.1  Type 1 ext   Network   110 03:28:33
 10.1.64.0/21 10.1.0.1  Type 1 ext   Network   110 03:28:33
 10.1.72.0/22 10.1.0.1  Type 1 ext   Network   110 03:28:33
 10.1.76.0/22 10.1.0.1  Type 1 ext   Network   110 03:28:33
 10.1.80.0/21 10.1.0.1  Type 1 ext   Network   110 03:28:33
 10.1.88.0/21 10.1.0.1  Type 1 ext   Network   110 03:28:33
 10.100.103.0/24  10.1.0.1  Type 1 ext   Network   110 03:28:33
 192.168.1.0/24   10.1.0.1  Type 1 ext   Network   110 03:28:33
 
 
 Above: next-hop for 10.1.8.0/22 should be 10.1.8.1 (vlan3 interface on
 box2), and so forth.

Why? As far as I understand your config, box3 is connected to box2 via
network 10.1.0.0/21, so it sees all those networks via nexthop 10.1.0.1 on
box2. Nothing wrong with that.



Re: Running OpenBSD on Raspberry Pi

2013-01-16 Thread Doug Brewer
On Sat, Jan 12, 2013 at 4:59 AM, Patrick Wildt  wrote:
 Hello,

 I'm currently working on porting OpenBSD to the Freescale i.MX6, an ARM
 Cortex-A9 (1-4 cores).
 It is already supporting USB and SDMMC, works like a charm.
 The i.MX6 itself got some interesting features like PCIe, SATA and Gigabit
 Ethernet.

 So, if 200$ don't sound too much, that might be an alternative.

So, where is your diff?

 \Patrick

 http://boundarydevices.com/products/sabre-lite-imx6-sbc/
 http://boundarydevices.com/products/nitrogen6x-board-imx6-arm-cortex-a9-sbc/

Regards,
Doug.



OpenBGPd multiple local AS

2013-01-16 Thread Войнович Андрей Александрович
Hello!
I have public AS and address range, everything is Ok, but now I want to
connect my routers via LAN and announce my public networks between them.
So I need to configure private AS and peers, as I think:

R1:
AS 5 65006
# public ISP
neighbor 1.1.1.1 {
announce  self
remote-as 4
}
# my private LAN peer
neighbor 10.0.41.5 {
announce self
remote-as 65005
descr   r2
}

And R2 router:
AS 5 65005
# public ISP
neighbor 2.2.2.2 {
announce  self
remote-as 2
}
# my private LAN peer
neighbor 10.0.41.6 {
announce none
remote-as 65006
descr   r1
}

But when I restart bgpd, I receive an error:
Last error: AS unacceptable

I suppose I have to force announcement of private AS for my private peer, but
didn't find how to do it in config file.

---
Andrey