Re: DNS and PF
- Original Message -
From: BradenM - Sonoma Computer [EMAIL PROTECTED]
To: Chris Kuethe [EMAIL PROTECTED]
Sent: Monday, June 18, 2007 2:43 PM
Subject: Re: DNS and PF

- Original Message -
From: Chris Kuethe [EMAIL PROTECTED]
To: Bray Mailloux [EMAIL PROTECTED]
Sent: Sunday, June 17, 2007 2:53 PM
Subject: Re: DNS and PF

On 6/17/07, Bray Mailloux [EMAIL PROTECTED] wrote:
> problem exists. Anyone who is familiar with PF or DNS and has a thought on how to solve this problem, their input is much appreciated.

The obvious and smarmy answer is that you're not correctly permitting DNS. A more useful answer would be to suggest that a) you turn on logging on all your rules until you get your rules sorted and b) tcpdump on your interfaces to see what traffic is actually being generated. See how that compares with the output of pfctl -sr ... the actual rules that are loaded. Also, are you running a 4.1 or later system so that "flags S/SA keep state" is implicit on every rule?

A style note... I would have said:

pass in on rl1 proto { tcp, udp } from $dmz_block to port 53

CK
--
GDB has a 'break' feature; why doesn't it have 'fix' too?

In response to your question and statement: Yes, I'm running PF 4.1 and, according to Daniel Bernstein, author of DJBDNS, the firewall which is employed on my network's router needs to allow traffic from the internal network on ports 1024-65535 to any computer's port 53.
Bidirectional translation for DNS and WWW servers
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:bf:3a:2e:66
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255
        inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:13:46:30:0b:b2
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::213:46ff:fe30:bb2%rl1 prefixlen 64 scopeid 0x2
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:5b:3d:12:12
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::219:5bff:fe3d:1212%vr0 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
enc0: flags=0<> mtu 1536

# cat /etc/pf.conf
#Macros
# 192.168.0.1 subnet
ext_ip=64.142.102.8
int_ip=192.168.0.1
int_block=192.168.0.0/24
#DMZ subnet
#Interface
dmz_ip=192.168.1.1
#DNS 1
scarlett=192.168.1.2
pub_scarlett=64.142.102.9
#DNS 2
shelly=192.168.1.3
pub_shelly=64.142.102.10
#WWW 1
www_ip=192.168.1.4
pub_www=64.142.102.11

#Normalizing
#scrub in all

#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
binat on rl0 from $scarlett to any -> $pub_scarlett
binat on rl0 from $shelly to any -> $pub_shelly
binat on rl0 from $www_ip to any -> $pub_www

#Default block policy
#block all

#Anti-spoofing
#block in quick from urpf-failed

#Traffic passing through
pass in all
pass out all

#External interfaces
#pass in on rl0 inet proto { tcp, udp } all modulate state
#pass out on rl0 proto { tcp, udp, icmp } all modulate state

# dmesg
OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 931 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 401108992 (391708K)
avail mem = 357941248 (349552K)
using 4278 buffers containing 20180992 bytes (19708K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 10/14/00, BIOS32 rev. 0 @ 0xfd8a0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd8a0/0x760
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf50/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xa000
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82810E rev 0x03: rng active, 7Kb/sec
vga1 at pci0 dev 1 function 0 Intel 82810E Graphics rev 0x03: aperture at 0xf800, size 0x400
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 Intel 82801AA Hub-to-PCI rev 0x02
pci1 at ppb0 bus 1
rl0 at pci1 dev 11 function 0 Realtek 8139 rev 0x10: irq 5, address 00:50:bf:3a:2e:66
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci1 dev 13 function 0 D-Link Systems 530TX+ rev 0x10: irq 9, address 00:13:46:30:0b:b2
rlphy1 at rl1 phy 0: RTL internal PHY
vr0 at pci1 dev 14 function 0 VIA VT6105 RhineIII rev 0x86: irq 10, address 00:19:5b:3d:12:12
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 4: OUI 0x004063, model 0x0034
ichpcib0 at pci0 dev 31 function 0 Intel 82801AA LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801AA IDE rev 0x02: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: WDC WD100EB-11BHF0
wd0: 16-sector PIO, LBA, 9541MB, 19541088 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SONY, CD-RW CRX320EE, RYK4 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 31 function 2 Intel 82801AA USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ichiic0 at pci0 dev 31 function 3 Intel 82801AA SMBus rev 0x02: irq 9
iic0 at ichiic0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x290/8: IT87
npx0 at isa0
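The following is an added example, not Bray's ruleset and not anything posted in the thread: it shows what the binat layout above looks like once a default-deny filter is switched on, together with the DNS pass rule Chris suggested in the "Re: DNS and PF" message and the port-53 requirement Bray quotes from the djbdns documentation. The addresses, macro names and interface roles come from the ifconfig output and the posted pf.conf (rl0 outside, rl1 DMZ, vr0 LAN); the dmz_block macro and the dns_servers table are assumptions introduced here. Two points matter for the original problem: in this version of pf, translation happens before filtering, so a rule for packets arriving on rl0 addressed to the public DNS addresses has to match the private addresses they have already been rewritten to; and OpenBSD 4.1 applies keep state and flags S/SA to every pass rule by default, so reply traffic needs no extra rules.

```pf
# Added example (OpenBSD 4.1 syntax), not the ruleset from the posts.
# Assumptions: rl0 outside, rl1 DMZ (192.168.1.0/24), vr0 LAN (192.168.0.0/24).
ext_if="rl0"
dmz_if="rl1"
int_if="vr0"

ext_ip="64.142.102.8"
int_block="192.168.0.0/24"
dmz_block="192.168.1.0/24"

scarlett="192.168.1.2"
pub_scarlett="64.142.102.9"
shelly="192.168.1.3"
pub_shelly="64.142.102.10"
www_ip="192.168.1.4"
pub_www="64.142.102.11"

# the two authoritative servers, by their private (post-translation) addresses
table <dns_servers> { $scarlett, $shelly }

set skip on lo0
scrub in all

# Translation runs before the filter rules below see the packet.  A query
# from the Internet to $pub_scarlett arrives on $ext_if already rewritten
# to $scarlett, so the inbound pass rules match the private addresses.
nat on $ext_if from $int_block to any -> $ext_ip
binat on $ext_if from $scarlett to any -> $pub_scarlett
binat on $ext_if from $shelly to any -> $pub_shelly
binat on $ext_if from $www_ip to any -> $pub_www

# Default deny, logged: every drop shows up on pflog0 for tcpdump.
block in quick from urpf-failed
block log all

# Published services, reached from anywhere (addresses after binat).
pass in on $ext_if proto { tcp, udp } from any to <dns_servers> port 53
pass in on $ext_if proto tcp from any to $www_ip port 80

# The DMZ resolvers must reach any port 53 on the Internet from
# unprivileged source ports, which is the djbdns requirement quoted above.
# Nothing else leaves the DMZ on its own initiative.
pass in on $dmz_if proto { tcp, udp } from $dmz_block port 1024:65535 to any port 53

# LAN hosts may initiate anything outbound (translated by the nat rule) and
# may query the DMZ servers directly.
pass in on $int_if from $int_block to any

# Let passed traffic leave on whichever interface it is routed out of.
# 4.1 keeps state on each pass rule, so replies match state, not rules.
pass out on $ext_if all
pass out on $dmz_if all
pass out on $int_if all
```

Check it before loading it with `pfctl -nf /etc/pf.conf` (parse only), then `pfctl -f /etc/pf.conf`, and compare `pfctl -sr` with what you expected to see: every rule with an implicit keep state is printed with it expanded. Because the block rule logs, `tcpdump -n -e -ttt -i pflog0 port 53` while a resolver runs a query shows exactly which rule dropped what, which is the check Chris asked for.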
A big thanks
Hello Everyone; I just received my T-shirt and 4.1 cd set and just wanted to thank the team. Thanks guys, I appreciate it. Sincerely; Bray
a cd key
Hi; In the past, I read an article which told me of a process in which a cd houses the important system binaries and software and even some settings and is left outside of the machine so that unauthorized users, and even root, cannot access the programs unless the disc is within the system's cdrom drive. Does anyone have any resources which explain and show the process for doing something similar to that which is stated above? Thank you; Bray.
NAT with PF
Hi;

My knowledge of PF has grown a tad but, despite whatever I may or may not have learned, NAT still does not seem to be functioning and my internal LAN computers cannot access the internet. The NAT rule is as such:

# pfctl -sn
nat on rl0 inet from 192.168.0.0/24 to 192.168.0.1 -> 64.142.102.8

The computers on my workgroup are receiving dynamic addresses from rl1, an ethernet card in my OpenBSD box. IP forwarding is enabled in /etc/sysctl.conf and pf=YES in /etc/rc.conf.

I greatly appreciate any help in resolving this issue. If any further details are required to diagnose the problem, please contact me by email at [EMAIL PROTECTED]

Thank you;
Bray
OpenBSD serial terminal binary programs
Hello; I'm wondering if anyone has any recommendations for a terminal program similar to hyper terminal for windows in structure but not appearance.
Re: Static IPs: Routing and Forwarding
- Original Message -
From: Bryan Vyhmeister [EMAIL PROTECTED]
To: Bray Mailloux [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Tuesday, April 17, 2007 9:08 AM
Subject: Re: Static IPs: Routing and Forwarding

On Apr 17, 2007, at 8:30 AM, Bray Mailloux wrote:
> Shouldn't the internet connection be passed around to other hosts on the network without the use of nat and pf? IP forwarding is on, isn't that enough? I'm just trying to get the internet connection out to other computers, filtering comes afterwards.

No. You can't do that without using all publicly routable IP addresses (no 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8). NAT is Network Address Translation and has nothing to do with filtering. Basically nat takes connections from 192.168.0.0/24 (your internal network) and sends them out as if they were actually coming from 64.142.102.8 and then keeps track so that when data comes back from other places, it actually keeps track of who asked for what and then puts the internal IP address back in the destination. The PF FAQ has an excellent explanation of how NAT works in more detail: http://www.openbsd.org/faq/pf/nat.html

In any case, you have to use NAT in this scenario. There are some examples in pf.conf that you can use but the basic idea is: set ext_if=rl0 and int_if=rl1 at the top of pf.conf and then use the following nat statement near the examples:

nat on $ext_if from ($int_if) -> ($ext_if:0)

This is basically saying translate at the external interface (rl0) for anything coming from addresses on the internal interface (rl1) and use the external interface public IP address. Add those changes to pf.conf and then run these commands:

pfctl -f /etc/pf.conf
pfctl -e

Don't forget to fix the netmask typo in dhcpd.conf and then you should be off and running. Sorry if the explanation was too basic and you already understand most of this. In any case, I hope this answers the question.

Bryan

Thank you for your help.
newsgroups
I've been looking into finding some news groups for openbsd but have not found any that resolve, have they all died?
OpenBSD Router woes
So, it goes like this: OpenBSD is installed and functional and in the process of becoming a PF/router box. My problem is this: I have three ethernet cards, each assigned the names rl0 - rl2. rl0 is the ethernet card that is receiving an IPv4 address from my SBC router, rl1 will be listening to DHCP requests which I have already set up using dhcpd, and rl2 will be listening for DHCP requests but will not be connected to a computer but a wireless access point. My question, and thus my problem, is this: I have set up IP forwarding using sysctl and am now wondering how I am to distribute my internet connection from rl0 to rl1 and rl2? Are PF rules required or do I have to write to the configuration file for the ethernet adapters?
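As an added example, not taken from Bryan's or Bray's messages, here is the NAT-only pf.conf that answers this question and the earlier "NAT with PF" and "Static IPs: Routing and Forwarding" posts for the three interfaces described here: rl0 outside, rl1 the wired LAN, rl2 the access point. It assumes net.inet.ip.forwarding=1 in /etc/sysctl.conf and pf=YES in /etc/rc.conf, as Bray already had, and that dhcpd hands out addresses on rl1 and rl2. The macro names are assumptions. Two details in the thread are worth checking against it: the rule Bray saw in `pfctl -sn` carries `to 192.168.0.1`, which restricts translation to packets addressed to the router itself, and `from ($int_if)` in pf.conf means the interface's own address (192.168.0.1), not the hosts behind it; the `:network` modifier is what selects the attached subnet.

```pf
# Added example (OpenBSD 4.1 syntax), not the ruleset from the posts.
# Assumptions: rl0 faces the SBC router, rl1 the wired LAN, rl2 the
# wireless access point; dhcpd already serves rl1 and rl2.
ext_if="rl0"
lan_if="rl1"
wifi_if="rl2"

set skip on lo0

# The rule shown by pfctl -sn in the NAT with PF post,
#   nat on rl0 inet from 192.168.0.0/24 to 192.168.0.1 -> 64.142.102.8
# only matches packets whose destination is the router itself, so nothing
# bound for the Internet is ever translated.  "from ($int_if)" would match
# the interface's own address rather than the LAN; ":network" selects the
# subnet attached to the interface.  Parentheses make pf re-read the
# addresses when they change, which matters when rl0 gets its address
# from the SBC router's DHCP.
nat on $ext_if from ($lan_if:network) to any -> ($ext_if:0)
nat on $ext_if from ($wifi_if:network) to any -> ($ext_if:0)

# No filtering policy yet ("filtering comes afterwards"), but do not leave
# the outside open.  Replies to translated connections are matched by the
# state that the pass rules create, not by this block rule.
block in on $ext_if all
pass in on { $lan_if, $wifi_if } all
pass out all
```

Load it with `pfctl -nf /etc/pf.conf` (parse only), then `pfctl -f /etc/pf.conf` and `pfctl -e`; `pfctl -sn` should echo both nat rules back, and `pfctl -ss` lists a state for each translated connection once a LAN host connects out. Nothing in the network interface configuration files needs to change for forwarding between rl0, rl1 and rl2: the kernel routes because forwarding is on, and the nat rules are what let private addresses reach the outside. The access point on rl2 needs no special treatment; its clients are simply more hosts on rl2's subnet. The netmask typo in dhcpd.conf that Bryan mentioned still has to be fixed separately, since a wrong mask on the clients keeps them from reaching the router at all.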