Re: DNS and PF
- Original Message -
From: BradenM - Sonoma Computer [EMAIL PROTECTED]
To: Chris Kuethe [EMAIL PROTECTED]
Sent: Monday, June 18, 2007 2:43 PM
Subject: Re: DNS and PF
- Original Message -
From: Chris Kuethe [EMAIL PROTECTED]
To: Bray Mailloux [EMAIL PROTECTED]
Sent: Sunday, June 17, 2007 2:53 PM
Subject: Re: DNS and PF
On 6/17/07, Bray Mailloux [EMAIL PROTECTED] wrote:
problem exists. Anyone who is familiar with PF or DNS and has a thought
on how to solve this problem, their input is much appreciated.
The obvious and smarmy answer is that you're not correctly permitting
DNS.
A more useful answer would be to suggest that a) you turn on logging
on all your rules until you get your rules sorted and b) tcpdump on
your interfaces to see what traffic is actually being generated. See
how that compares with the output of pfctl -sr ... the actual rules
that are loaded.
Also, are you running a 4.1 or later system so that flags S/SA keep
state is implicit on every rule?
A style note... I would have said:
pass in on rl1 proto { tcp, udp } from $dmz_block to port 53
CK
--
GDB has a 'break' feature; why doesn't it have 'fix' too?
In response to your question and statement: Yes, I'm running PF 4.1 and
according to Daniel Bernstein, author of DJBDNS, the firewall which is
employed on my networks router needs to allow traffic from the internal
network on ports 1024-65535 to any computer's port 53.
Bidirectional translation for DNS and WWW servers
# ifconfig
lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:50:bf:3a:2e:66
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 64.142.102.8 netmask 0xff00 broadcast 64.142.102.255
inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
rl1: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:13:46:30:0b:b2
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
inet6 fe80::213:46ff:fe30:bb2%rl1 prefixlen 64 scopeid 0x2
vr0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:19:5b:3d:12:12
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255
inet6 fe80::219:5bff:fe3d:1212%vr0 prefixlen 64 scopeid 0x3
pflog0: flags=141UP,RUNNING,PROMISC mtu 33224
enc0: flags=0 mtu 1536
# cat /etc/pf.conf
#Macros
# 192.168.0.1 subnet
ext_ip=64.142.102.8
int_ip=192.168.0.1
int_block=192.168.0.0/24
#DMZ subnet
#Interface
dmz_ip=192.168.1.1
#DNS 1
scarlett=192.168.1.2
pub_scarlett=64.142.102.9
#DNS 2
shelly=192.168.1.3
pub_shelly=64.142.102.10
#WWW 1
www_ip=192.168.1.4
pub_www=64.142.102.11
#Normalizing
#scrub in all
#NAT and Binat
nat on rl0 from $int_block to any - $ext_ip
binat on rl0 from $scarlett to any - $pub_scarlett
binat on rl0 from $shelly to any - $pub_shelly
binat on rl0 from $www_ip to any - $pub_www
#Default block policy
#block all
#Anti-spoofing
#block in quick from urpf-failed
#Traffic passing through
pass in all
pass out all
#External interfaces
#pass in on rl0 inet proto { tcp, udp } all modulate state
#pass out on rl0 proto { tcp, udp, icmp } all modulate state
# dmesg
OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 931 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 401108992 (391708K)
avail mem = 357941248 (349552K)
using 4278 buffers containing 20180992 bytes (19708K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 10/14/00, BIOS32 rev. 0 @ 0xfd8a0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd8a0/0x760
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf50/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xa000
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82810E rev 0x03: rng active, 7Kb/sec
vga1 at pci0 dev 1 function 0 Intel 82810E Graphics rev 0x03: aperture at
0xf800, size 0x400
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 Intel 82801AA Hub-to-PCI rev 0x02
pci1 at ppb0 bus 1
rl0 at pci1 dev 11 function 0 Realtek 8139 rev 0x10: irq 5, address
00:50:bf:3a:2e:66
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci1 dev 13 function 0 D-Link Systems 530TX+ rev 0x10: irq 9,
address 00:13:46:30:0b:b2
rlphy1 at rl1 phy 0: RTL internal PHY
vr0 at pci1 dev 14 function 0 VIA VT6105 RhineIII rev 0x86: irq 10,
address 00:19:5b:3d:12:12
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 4: OUI
0x004063, model 0x0034
ichpcib0 at pci0 dev 31 function 0 Intel 82801AA LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801AA IDE rev 0x02: DMA, channel
0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: WDC WD100EB-11BHF0
wd0: 16-sector PIO, LBA, 9541MB, 19541088 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SONY, CD-RW CRX320EE, RYK4 SCSI0 5/cdrom
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 31 function 2 Intel 82801AA USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ichiic0 at pci0 dev 31 function 3 Intel 82801AA SMBus rev 0x02: irq 9
iic0 at ichiic0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x290/8: IT87
npx0 at isa0
A big thanks
Hello Everyone; I just received my T-shirt and 4.1 cd set and just wanted to thank the team. Thanks guys, I appreciate it. Sincerely; Bray
a cd key
Hi; In the past, I read an article which told me of a process in which a cd houses the important system binaries and software and even some settings and is left outside of the machine so that unauthorized users, and even root, cannot access the programs unless the disc is within the system's cdrom drive. Does anyone have any resources which explain and show the process for doing something similar to that which is stated above? Thank you; Bray.
NAT with PF
Hi; My knowledge of PF has grown a tad but, despite whatever I may or may-not have learned, NAT still does not seem to be functioning and my internal lan computers cannot access the internet. The NAT rule is as such: pfctl -sn nat on rl0 inet from 192.168.0.0/24 to 192.168.0.1 - 64.142.102.8 The computers on my workgroup are receiving dynamic addresses from rl1, an ethernet card in my OpenBSD box. Ip fowarding is enabled in /etc/sysctl.conf and pf=YES in /etc/rc.conf I greatly appreciate any help in resolving this issue. If any further details are required to diagnose the problem, please contact me by email at [EMAIL PROTECTED] Thank you; Bray
OpenBSD serial terminal binary programs
Hello; I'm wondering if anyone has any recommendations for a terminal program similar to hyper terminal for windows in structure but not appearance.
Re: Static Ip's: Routing and Fowarding
- Original Message - From: Bryan Vyhmeister [EMAIL PROTECTED] To: Bray Mailloux [EMAIL PROTECTED] Cc: misc@openbsd.org Sent: Tuesday, April 17, 2007 9:08 AM Subject: Re: Static Ip's: Routing and Fowarding On Apr 17, 2007, at 8:30 AM, Bray Mailloux wrote: Shouldn't the internet connection be passed around to other hosts on the network without the use of nat and pf? Ip forwarding is on, isn't that enough? I'm just trying to get the internet connection out to other computers, filtering comes afterwards. No. You can't do that without using all publicly routable IP addresses (no 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8). NAT is Network Address Translation and has nothing to do with filtering. Basically nat takes connections from 192.168.0.0/24 (your internal network) and sends them out as if they were actually coming from 64.142.102.8 and then keeps track so that when data comes back from other places, it actually keeps track of who asked for what and then puts the internal IP address back in the destination. The PF FAQ has an excellent explanation of how NAT works in more details: http://www.openbsd.org/faq/pf/nat.html In any case, you have to use NAT in the scenario. There are some examples in pf.conf that you can use but the basic idea is: set ext_if=rl0 and int_if=rl1 at the top of pf.conf and then use the following nat statement near the examples: nat on $ext_if from ($int_if) - ($ext_if:0) This is basically saying translate at the external interface (rl0) for anything coming from addresses on the internal interface (rl1) and use the external interface public IP address. Add those changes to pf.conf and then run these commands: pfctl -f /etc/pf.conf pfctl -e Don't forget to fix the netmask typo in dhcpd.conf and then you should be off and running. Sorry if the explanation was too basic and you already understand most of this. In any case, I hope this answers the question. Bryan Thank you for your help.
newsgroups
I've been looking into finding some news groups for openbsd but have not found any that resolve, have they all died?
OpenBSD Router woes
So, it goes like this; OpenBSD is installed and functional and in the process of becoming a PF/Router box. My problem is this, I have three ethernet cards, each assigned the names rl0 - rl2. rl0 is the ethernet card that is recieving an IPv4 address from my SBC router, rl1 will be listening to dhcp requests which I have already setup using dhcpd, and rl2 will be listening for dhcp requests but will not be connected to a computer but a wireless access point. My question, and thus my problem, is this: I have setup ip fowarding using sysctl and am now wondering how I am to distribute my internet connection from rl0 to rl1 and 2? Are PF rules required or do I have to write to the configuration file for the ethernet adapters?
