Re: pf ALTQ bandwidth limited to a 32bit value (4294Mb)
Ermal,

Thanks for the diff. When we tried it on FreeBSD 8.2-p2, ALTQ would no longer start. We also looked into the source under /usr/src/sys/contrib/altq/altq. Sadly, most of the changes we made either broke altq completely or had no effect. If you have any other ideas we would be happy to try them out.

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Thu, Jul 07, 2011 at 09:28:13AM -0400, Ermal Luçi wrote:

On Wed, Jul 6, 2011 at 5:25 PM, Calomel Org infallibilismindefeasibil...@calomel.org wrote:

ALTQ using hfsc is limited to a maximum parent bandwidth of 4294Mb. This value is 2^32 or 4,294,967,296 bits. If you set the bandwidth any higher, altq will flip back to zero. This bug was found when trying to test 10 gigabit and 40 gigabit bandwidth models. These tests were done on OpenBSD 32bit and 64bit as well as FreeBSD 32bit and 64bit. If anyone else can verify this independently and agree with the results I would be happy to register it as a bug.

How to replicate: A quick test is setting the bandwidth to 4294Mb and doing a pfctl -sq to check altq.

altq on $ExtIf bandwidth 4294Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}

Now set the bandwidth to 4295Mb and notice altq has flipped to zero and added the 32.70Kb difference.

altq on $ExtIf bandwidth 4295Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 32.70Kb priority 0 {ack, web}

Again, we can set the bandwidth to a multiple of two (2) to 8589Mb. The bandwidth value flips to zero once and the result is 4.29Gb.

altq on $ExtIf bandwidth 8589Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}

If we add one more megabit to 8590Mb the value flips twice and we are left with 65.41Kb.

altq on $ExtIf bandwidth 8590Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 65.41Kb priority 0 {ack, web}

It is true that there is a limit because of the data type used.
Though it cannot be fixed easily on i386 but on amd64 this should work. Index: sys/contrib/pf/net/pfvar.h === --- sys/contrib/pf/net/pfvar.h (revision 223824) +++ sys/contrib/pf/net/pfvar.h (working copy) @@ -1491,13 +1491,13 @@ /* scheduler spec */ u_int8_t scheduler; /* scheduler type */ u_int16_ttbrsize; /* tokenbucket regulator size */ - u_int32_tifbandwidth; /* interface bandwidth */ + u_int64_tifbandwidth; /* interface bandwidth */ /* queue spec */ char qname[PF_QNAME_SIZE]; /* queue name */ char parent[PF_QNAME_SIZE]; /* parent name */ u_int32_tparent_qid;/* parent queue id */ - u_int32_tbandwidth; /* queue bandwidth */ + u_int64_tbandwidth; /* queue bandwidth */ u_int8_t priority; /* priority */ #ifdef __FreeBSD__ u_int8_t local_flags; /* dynamic interface */ Thanks. -- ? Calomel @ https://calomel.org ? Open Source Research and Reference ___ freebsd...@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to freebsd-pf-unsubscr...@freebsd.org -- Ermal ___ freebsd...@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to freebsd-pf-unsubscr...@freebsd.org
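Review bot: The hunk only widens ifbandwidth and bandwidth in pfvar.h from u_int32_t to u_int64_t; nothing in the patch touches the code that fills or reads those fields (the pfctl side that prints the wrapped 32.70Kb value, or the scheduler code under /usr/src/sys/contrib/altq/altq that the reply says was examined), so a 64-bit value stored here is truncated again at the next 32-bit consumer and the overflow is not fixed end to end. pfvar.h is also shared with userland pfctl, so changing the struct layout means pfctl must be rebuilt together with the kernel; a kernel-only rebuild is consistent with the reported symptom that ALTQ no longer starts on 8.2-p2. Suggest widening the matching altq-side fields and the pfctl parse path in the same change and stating the rebuild requirement in the commit message.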
pf ALTQ bandwidth limited to a 32bit value (4294Mb)
ALTQ using hfsc is limited to a maximum parent bandwidth of 4294Mb. This value is 2^32 or 4,294,967,296 bits. If you set the bandwidth any higher, altq will flip back to zero. This bug was found when trying to test 10 gigabit and 40 gigabit bandwidth models. These tests were done on OpenBSD 32bit and 64bit as well as FreeBSD 32bit and 64bit. If anyone else can verify this independently and agree with the results I would be happy to register it as a bug.

How to replicate: A quick test is setting the bandwidth to 4294Mb and doing a pfctl -sq to check altq.

altq on $ExtIf bandwidth 4294Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}

Now set the bandwidth to 4295Mb and notice altq has flipped to zero and added the 32.70Kb difference.

altq on $ExtIf bandwidth 4295Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 32.70Kb priority 0 {ack, web}

Again, we can set the bandwidth to a multiple of two (2) to 8589Mb. The bandwidth value flips to zero once and the result is 4.29Gb.

altq on $ExtIf bandwidth 8589Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}

If we add one more megabit to 8590Mb the value flips twice and we are left with 65.41Kb.

altq on $ExtIf bandwidth 8590Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 65.41Kb priority 0 {ack, web}

Thanks.

--
Calomel @ https://calomel.org
Open Source Research and Reference
Re: PF BINAT on entire /24 subnet
Paolo,

You may need to use the bitmask directive.

bitmask - grafts the network portion of the pool address over top of the address that is being modified (source address for nat-to rules, destination address for rdr-to rules). Example: if the address pool is 192.0.2.1/24 and the address being modified is 10.0.0.50, then the resulting address will be 192.0.2.50. If the address pool is 192.0.2.1/25 and the address being modified is 10.0.0.130, then the resulting address will be 192.0.2.2.

http://www.openbsd.org/faq/pf/pools.html

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Sat, Jun 05, 2010 at 11:41:43AM -0400, Paolo Reyes Balleza wrote:

Hello all,

I was using pf's (OBSD 4.6) binat for openvpn purposes with 192.168.0.0/24 binatted to 192.0.2.0/24 since I can't renumber the local LAN to avoid the overlap. This doesn't work with current:

match on tun0 from 192.168.0.0/24 to any binat-to 192.0.2.0/24

for the entire subnet any more. Everything gets routed to 192.168.0.0 no matter what external host address I use. It used to be that 192.0.2.1 would map out to 192.168.0.1. One to one mapping does work though. Is this the new behaviour of pf? Just asking because it'd be a PITA to map each host.

Cheers and thanks in advance.
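The arithmetic behind the bitmask option, as an added example that is not code from the list or from OpenBSD (function names are mine): it reproduces the two FAQ examples quoted above and then builds the whole-subnet one-to-one table the question asks for, checking that the reverse graft recovers the original address, which is what the reply direction of a binat depends on.

```python
"""Added example: pf 'bitmask' pool semantics and a whole-/24 binat table."""
import ipaddress


def bitmask_translate(pool, addr):
    """Network bits from the pool, host bits from the address being modified.

    Pool 192.0.2.1/24 over 10.0.0.50 gives 192.0.2.50; pool 192.0.2.1/25 over
    10.0.0.130 gives 192.0.2.2 because only the low 7 host bits of .130 (= 2)
    survive the /25 mask.
    """
    net = ipaddress.ip_network(pool, strict=False)   # 192.0.2.1/24 -> 192.0.2.0/24
    a = ipaddress.ip_address(addr)
    if a.version != net.version:
        raise ValueError("pool and address must be the same IP version")
    network_bits = int(net.network_address) & int(net.netmask)
    host_bits = int(a) & int(net.hostmask)
    return ipaddress.ip_address(network_bits | host_bits)


def binat_map(internal_net, external_net):
    """The one-to-one table a binat-to rule with 'bitmask' yields for a whole subnet,
    e.g. 192.168.0.0/24 -> 192.0.2.0/24 from the question. Returns {internal: external}."""
    inside = ipaddress.ip_network(internal_net, strict=False)
    outside = ipaddress.ip_network(external_net, strict=False)
    if inside.prefixlen != outside.prefixlen:
        # host bits would not line up, so the mapping could not be one-to-one
        raise ValueError("binat needs two networks of the same prefix length")
    return {str(h): str(bitmask_translate(external_net, h)) for h in inside}


def is_bijective(mapping, internal_net):
    """True when every internal host has a distinct external address and grafting the
    internal network back over that address returns the original host (reply path)."""
    if len(set(mapping.values())) != len(mapping):
        return False
    return all(str(bitmask_translate(internal_net, ext)) == inside
               for inside, ext in mapping.items())


if __name__ == "__main__":
    table = binat_map("192.168.0.0/24", "192.0.2.0/24")
    print(table["192.168.0.1"], is_bijective(table, "192.168.0.0/24"))
```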
Re: pf and ftp-proxy active/passive problems
Teemu,

We have to be careful when testing ftp. Different ftp binaries for different OSes use different default options. For example, the ftp binary on OpenBSD v4.7 uses passive ftp by default, so the commands "ftp" and "ftp -p" are exactly the same. Some older Solaris machines use active only and ftp on Ubuntu 10.04 uses active by default.

Passive should work from your firewall, but active (PORT) probably will not. Active will only work if you accept a connection from any ip from port 20 to any upper port on the firewall. Not very common.

The machine behind the firewall should be able to do active and passive because the ftp-proxy, if set up correctly, will anchor the proper rules to allow both connection types.

For more testing you can set up the ftp-proxy daemon to log its connections to /var/log/daemon using:

/usr/sbin/ftp-proxy -D7 -v

You may also want to add the log variable to your Pf rules so you can watch the logs with:

tcpdump -n -e -ttt -v -i pflog0

Then make sure you are using the correct ftp arguments for your ftp binary to make a passive and active connection on your LAN machine. Check the man page on the machine behind the firewall. Once you have a reliable set of test responses you should have a better idea of where the problem is. Make sense?

BTW, we have examples of Pf and ftp-proxy on our site; see signature.

I checked out your pf.conf. If you have time you may want to try putting your ps3 and NHL10 rules in an anchor to clean things up. How about adding QOS so the gamers get higher network priority? :)

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Thu, Jun 03, 2010 at 02:14:53AM -0400, Teemu Rinta-aho wrote:

On Jun 3, 2010, at 3:51 AM, Calomel Org wrote:

Teemu, Are you sure the ftp server you are connecting to supports active and passive ftp? You may want to try your test against ftp.openbsd.org.

That is a very good point. I thought so as I got both modes working from different nodes, but I am not sure any more.
I tried ftp.openbsd.org and the results are different indeed. From a host behind my pf machine:

host$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
229 Entering Extended Passive Mode (|||60318|)
ftp: Can't connect to `129.128.5.191': Connection refused
200 EPRT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.

host$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
229 Entering Extended Passive Mode (|||63762|)
ftp: Can't connect to `129.128.5.191': Connection refused

From the pf machine:

fw$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.

fw$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.

If that doesn't ring a bell and you still have time and interest, my pf.conf is at http://www.rinta-aho.org/tmp/pf.conf

Thanks!

Teemu
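What separates the two modes in the sessions above is which side opens the data connection and to which address and port the control channel announced. As an added example (not ftp-proxy's or Calomel's code; function names and the endpoint addresses are mine), the following decodes the PASV/EPSV replies and PORT/EPRT commands, walks a pasted session to record which attempts got a 150 reply and which were refused, and states the flow a firewall (or the ftp-proxy anchor on its behalf) has to let through for each.

```python
"""Added example: decode FTP data-channel setup lines and diagnose a pasted session."""
import re

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
EPRT_RE = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d+)\|\s*$")


def data_channel(line, client_ip, server_ip):
    """Describe the data connection one control-channel line sets up, or None.

    client_ip/server_ip are the control connection's endpoints as seen on the wire.
    Behind NAT the address a client puts in PORT/EPRT is its private one; rewriting
    that mismatch is the job of ftp-proxy, so it is reported here as-is.
    """
    if m := PASV_RE.match(line):
        o = list(map(int, m.groups()))
        return {"mode": "passive", "initiator": "client", "src": client_ip,
                "dst": ".".join(map(str, o[:4])), "dport": o[4] * 256 + o[5]}
    if m := EPSV_RE.match(line):
        # EPSV (RFC 2428) carries only a port; the address is the control peer's
        return {"mode": "passive", "initiator": "client", "src": client_ip,
                "dst": server_ip, "dport": int(m.group(1))}
    if m := PORT_RE.match(line):
        o = list(map(int, m.groups()))
        return {"mode": "active", "initiator": "server", "src": server_ip,
                "dst": ".".join(map(str, o[:4])), "dport": o[4] * 256 + o[5]}
    if m := EPRT_RE.match(line):
        return {"mode": "active", "initiator": "server", "src": server_ip,
                "dst": m.group(1), "dport": int(m.group(2))}
    return None


def required_flow(chan):
    """The connection pf must allow for this data channel, in pf rule terms.

    Passive: the client opens a new outbound connection to the advertised port.
    Active: the server connects back from port 20 to the port the client advertised,
    i.e. an inbound connection to an upper port, which is what the reply above calls
    'not very common' on a bare firewall and what ftp-proxy anchors rules for.
    """
    if chan["mode"] == "passive":
        return f"pass out proto tcp from {chan['src']} to {chan['dst']} port {chan['dport']}"
    return f"pass in proto tcp from {chan['src']} port 20 to {chan['dst']} port {chan['dport']}"


def diagnose(session, client_ip, server_ip):
    """Walk a pasted ftp session and return [(mode, 'ok'|'failed', required_flow)].

    A '150 Opening ...' reply after a setup line means the data connection came up;
    'ftp: Can't connect' or a 425 reply means nothing let it through.
    """
    results, pending = [], None
    for line in session.splitlines():
        line = line.strip()
        if chan := data_channel(line, client_ip, server_ip):
            pending = chan
        elif pending and line.startswith("150 "):
            results.append((pending["mode"], "ok", required_flow(pending)))
            pending = None
        elif pending and (line.startswith("ftp: Can't connect") or line.startswith("425 ")):
            results.append((pending["mode"], "failed", required_flow(pending)))
            pending = None
    return results


# Constructed session modelled on the one quoted above: the host behind pf is
# 192.168.1.10 (a made-up private address), the server is 129.128.5.191.
SAMPLE_SESSION = """\
229 Entering Extended Passive Mode (|||60318|)
ftp: Can't connect to `129.128.5.191': Connection refused
EPRT |1|192.168.1.10|51215|
200 EPRT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
227 Entering Passive Mode (129,128,5,191,214,178)
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
"""

if __name__ == "__main__":
    for mode, outcome, flow in diagnose(SAMPLE_SESSION, "192.168.1.10", "129.128.5.191"):
        print(f"{mode:8} {outcome:7} needs: {flow}")
```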
Re: PF Tables scoping.
James,

I can confirm. If a table is created by an anchor with the same name as an existing table the following error is printed:

pfctl: warning: namespace collision with <BLOCKTEMP> global table.

The anchor's table is different from the main pf table.

pfctl -vvs Tables
--a-rhC BLOCKTEMP
	Addresses:   12
	Cleared:     Wed Dec 31 19:00:00 1969

pfctl -a games -vvs Tables
--a-r-C BLOCKTEMP	games
	Addresses:   0
	Cleared:     Wed Jun  2 16:40:14 2010

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Wed, Jun 02, 2010 at 04:23:54PM -0400, James Records wrote:

On Wed, Jun 2, 2010 at 10:48 AM, James Records james.records gmail.com wrote:

Hi All,

Having an issue with anchors and tables again. I had this same issue a couple of years ago in 4.5 but never got any response; hoping someone can shed some light onto what I'm missing here, or if this is even supported. I'm trying to use an overload rule inside of an anchor to populate a table defined outside of all anchors. I haven't seen anything that specifically says this isn't supported, but if that's the case I'd like to get it clarified.

Here are snippets of pf.conf that don't work, and one that does, and an explanation of why I can't just use the one that does work without side effects.
Thanks in advance,
J

Doesn't work:

### Tables ###
table <blocked_sites> persist

# Blocked Sites #
anchor Blocked_Sites {
	block in quick from <blocked_sites> to any
}

### TEST_IN ###
anchor TEST_IN {
	pass in log quick on em0 inet proto tcp \
		from any to <TEST_IN_dst> \
		port { 443 } keep state \
		(max 100, source-track rule, max-src-nodes 10, max-src-states 20, max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
}

But remove the anchor from the overload rule and it works fine:

### Tables ###
table <blocked_sites> persist

# Blocked Sites #
anchor Blocked_Sites {
	block in quick from <blocked_sites> to any
}

### TEST_IN ###
#anchor TEST_IN {
pass in log quick on em0 inet proto tcp \
	from any to <TEST_IN_dst> \
	port { 443 } keep state \
	(max 100, source-track rule, max-src-nodes 10, max-src-states 20, max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
#}

This would be simple enough but I want to be able to parse my logs using the anchor names; this isn't possible using the 2nd method. The docs say this should just work from everything I can tell. I can read from a global table from within an anchor but am failing to write to it from within an anchor using the overload rule.

Just an update, I've done some more digging. It seems like I'm running into an issue where it's creating a new table inside the anchor. I'm thinking this is just a bug where the table gets created because it doesn't look outside of the anchor to see if one already exists, but I just want to get another pair of eyes to confirm.
Thanks
J

pfctl -vvs Tables
-pa--h- blocked_sites
	Addresses:   0
	Cleared:     Wed Jun  2 06:10:20 2010
	References:  [ Anchors: 3    Rules: 0 ]
	Evaluations: [ NoMatch: 162  Match: 0 ]
	In/Block:    [ Packets: 0    Bytes: 0 ]
	In/Pass:     [ Packets: 0    Bytes: 0 ]
	In/XPass:    [ Packets: 0    Bytes: 0 ]
	Out/Block:   [ Packets: 0    Bytes: 0 ]
	Out/Pass:    [ Packets: 0    Bytes: 0 ]
	Out/XPass:   [ Packets: 0    Bytes: 0 ]

$ pfctl -a TEST_IN -vvs Tables
--a-r-- blocked_sites	TEST_IN
	Addresses:   1
	Cleared:     Wed Jun  2 01:55:11 2010
	References:  [ Anchors: 0    Rules: 5 ]
	Evaluations: [ NoMatch: 114  Match: 69 ]
	In/Block:    [ Packets: 69   Bytes: 6732 ]
	In/Pass:     [ Packets: 0    Bytes: 0 ]
	In/XPass:    [ Packets: 0    Bytes: 0 ]
	Out/Block:   [ Packets: 0    Bytes: 0 ]
	Out/Pass:    [ Packets: 0    Bytes: 0 ]
	Out/XPass:   [ Packets: 0    Bytes: 0 ]
Re: pf and ftp-proxy active/passive problems
Teemu,

Are you sure the ftp server you are connecting to supports active and passive ftp? You may want to try your test against ftp.openbsd.org.

This is a linux machine behind a pf firewall (openbsd v4.7) using ftp-proxy. Both active (PORT) and passive listings seem to work.

$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.

$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
227 Entering Passive Mode (129,128,5,191,214,178)
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.

Was this the problem?

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Wed, Jun 02, 2010 at 07:23:24PM -0400, Teemu Rinta-aho wrote:

Hi all,

(First, sorry if you receive this e-mail multiple times, I changed my smtp server as the first one doesn't seem to get mails to this list.)

My firewall (OpenBSD 4.7) is running packet filter with NAT and tcp-proxy to provide FTP for hosts in the network behind the firewall/NAT. The problem is that for a host behind the firewall, connecting to an FTP server in the internet through the firewall, active mode works but passive doesn't. On the firewall's external interface I can see packets going to the FTP server but no reply packets. Trying FTP directly from the firewall, passive mode works but active doesn't (ftp client says 425 Could not open data connection to port 55476: Connection refused). In this case ftp-proxy is not used as the firewall should be just like any other ftp client. I have updated my pf.conf as per the 4.7 upgrade instructions and I have run tcpdump on the network interfaces as well as pflog0, but so far I don't understand what might be wrong.
I tried to see pf rules or states inserted by ftp-proxy with commands like 'pfctl -a ftp-proxy/* -sr' but either it doesn't print anything, or, trying 'pfctl -a '*' -sr', I get:

anchor * all {
pfctl: DIOCGETRULES: Invalid argument
}

... Any help appreciated. It is not a showstopper but pretty annoying, as e.g. Firefox defaults to passive mode.

Teemu
Re: AMD power reduction
You can use apm. It will only save a few watts, but it may reduce the cooling costs by reducing the heat generated by the CPU. If you have _many_ machines you can easily reduce the temperature of the server room by a few degrees C.

Advanced Power Management control
https://calomel.org/apm_control.html

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Fri, Feb 05, 2010 at 11:37:16AM -0500, Jean-Francois wrote:

On Friday 05 February 2010 11:17:51, you wrote:

On 04/02/2010 23:02, Jean-Francois wrote:

All, I am looking forward to reducing the TDP for a server planned to be built. As low as possible shall be best; is AMD cool'n quiet operating with the latest OpenBSD? Regards

Depending on what you were looking at, you can reduce the voltages (if your BIOS has this much control) and this will lower power/heat. I've done this on PCs with bad HSF in hot temperatures. Though, like overclocking, it's an art that requires testing, trying and patience to find the lowest/highest while still being stable.

Hello, I think of doing this too. What I would like to understand is if I will be able to use the frequency change 1000 / 2000 MHz dynamic load based. Regards
Re: possible to configure PF to simulate latency and 1% packet loss?
Andres,

You can add packet loss by using the probability argument on a pf rule. You use either a block or pass rule.

probability number
	A probability attribute can be attached to a rule, with a value set between 0 and 1, bounds not included. In that case, the rule will be honored using the given probability value only. For example, the following rule will drop 20% of incoming ICMP packets:

	block in proto icmp probability 20%

I do not believe you can add latency timings using PF. I agree, this would be very helpful for testing.

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Fri, Jan 22, 2010 at 03:13:09PM -0500, Andres Salazar wrote:

Hello,

Is it possible to do some rule in pf to simulate 300ms of latency? This is for testing purposes. A plus would be to simulate 1% packet loss.

Many Thanks!!
Re: PF cluestick please - low priority queue spills over into normal queue
Aaron,

When you say "seem to spill over into the normal queue" do you mean the bittor queue is borrowing bandwidth from the total amount of bandwidth available? You may need to set a limit on the bittor queue if you want to limit its bandwidth.

The OpenBSD FAQ says:

CBQ queues are arranged in an hierarchical manner. At the top of the hierarchy is the root queue which defines the total amount of bandwidth available. Child queues are created under the root queue, each of which can be assigned some portion of the root queue's bandwidth. For example, queues might be defined as follows:

Root Queue (2Mbps)
	Queue A (1Mbps)
	Queue B (500Kbps)
	Queue C (500Kbps)

Also, you can use HFSC queueing for this as well.

Hierarchical Fair Service Curve (HFSC) of OpenBSD
https://calomel.org/pf_hfsc.html

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Tue, Jan 05, 2010 at 07:14:59PM -0500, Aaron Mason wrote:

Hi all,

I've got the following pf.conf file for limiting bittorrent connections and providing higher priority to a game server. While the latter works wonderfully, the bittorrent connections seem to spill over into the normal queue and it's driving me crazy.
My /etc/pf.conf file is as follows:

set skip on lo

# Setting some constants
prio_port = { 22 53 5900 }
shiori = 192.168.2.241/32
chechemaru = 192.168.2.251/32
wired_if = rl0
wlan_if = ath0
hi_bw = 33Mb
norm_bw = 20Mb
lo_bw = 178415b

altq on $wired_if cbq bandwidth 54Mb queue { wired_hi, wired_norm, wired_lo }
queue wired_hi bandwidth $hi_bw priority 2
queue wired_norm bandwidth $norm_bw cbq(default) priority 3
queue wired_lo bandwidth $lo_bw priority 4

altq on $wlan_if cbq bandwidth 54Mb queue { wlan_hi, wlan_norm, wlan_lo }
queue wlan_hi bandwidth $hi_bw priority 2
queue wlan_norm bandwidth $norm_bw cbq(default) priority 3
queue wlan_lo bandwidth $lo_bw priority 4

# SSH and DNS traffic as well
pass out quick on $wired_if proto { tcp udp } to any port $prio_port \
	queue wired_hi
pass out quick on $wired_if proto { tcp udp } from any port $prio_port \
	queue wired_hi
pass out quick on $wlan_if proto { tcp udp } to any port $prio_port \
	queue wlan_hi
pass out quick on $wlan_if proto { tcp udp } from any port $prio_port \
	queue wlan_hi

#High priority to Shiori
pass out quick on $wired_if to $shiori queue wired_hi
pass out quick on $wlan_if from $shiori queue wlan_hi

#Low priority and limiting to Chechemaru
#NOTE: BT connections are bidirectional, hence the seemingly \
#redundant rules
pass out quick on $wired_if to $chechemaru queue wired_lo
pass out quick on $wired_if from $chechemaru queue wired_lo
pass out quick on $wlan_if to $chechemaru queue wlan_lo
pass out quick on $wlan_if from $chechemaru queue wlan_lo

# Everything else gets normal priority
#
pass out quick on $wired_if queue wired_norm
#pass
block in on ! lo0 proto tcp to port 6000:6010

A typical output from pftop shows the contents of http://paste2.org/p/596043 - notice the upstream going crazy. Unfortunately pfTop hasn't been updated to take advantage of the changes to pf, so it refuses to display the rules.
I'd do it myself if I had a better understanding of how pf worked within, but I'm not quite at that stage yet. A very hard cluestick is greatly appreciated, to go along with the concussion I am suffering from banging my head on the desk. Regards -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: online documentation for new smtpd
For official docs I think the man pages are it. They should contain everything you need to get a working smtpd.conf. We put together a page with a few working examples. OpenSMTPD works fine for a low volume mail server and is very stable. It has been running for a few months with no issues.

OpenSMTPD how to (smtpd.conf)
https://calomel.org/opensmtpd.html

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Tue, Jul 21, 2009 at 12:23:31PM -0400, Lars Nooden wrote:

I find the two manpages, smtpd(8) and smtpd.conf(5), in current. Is there an official online documentation or project page available for the new smtpd?

Regards
-Lars
Re: Calomel.org
Thanks for the heads up. I agree that with all of the work done in the newest MP kernel the page is outdated. There should be time this month to test the newest release and post the results.

Network Speed and Performance Guide (OpenBSD)
https://calomel.org/network_performance.html

As Darrin and the previous posts have said, always do your research using multiple sources. We try to be as accurate on our site as possible, but as in this case, some pages may become outdated. When you find information that is useful compare it to the man pages, to other resources on-line and ask questions.

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Thu, May 07, 2009 at 10:53:18AM -0400, Darrin Chandler wrote:

On Thu, May 07, 2009 at 12:03:23PM +, Stuart Henderson wrote:

There are some useful things on the site, but please, use with a big pinch of salt.

This is true of any sites with OpenBSD help. Sometimes I've found some info on these sites that's saved me much time, but I'd never take the info without thinking it through myself, check against the man pages, FAQ, etc.

--
Darrin Chandler            | Phoenix BSD User Group | MetaBUG
dwchand...@stilyagin.com   | http://phxbug.org/     | http://metabug.org/
http://www.stilyagin.com/  | Daemons in the Desert  | Global BUG Federation
Re: Problem with binat and ftp-proxy
See if this works for you. Using the ftp proxy with binat probably will not work. Let's say 100.20.30.40 is the external ip.

# cat /etc/rc.local
/usr/sbin/ftp-proxy -a 100.20.30.40 -p 8021 -q bulk

# cat /etc/pf.conf
### Translation ###
rdr on $DMZIf inet proto tcp from $DMZ to any port ftp -> lo0 port 8021

### Filtering ###
pass in log on $DMZIf inet proto tcp from $DMZ to lo0 port 8021 $TcpState $FtpIntIf

Ftp-Proxy how to (forward and reverse proxy)
https://calomel.org/ftp_proxy.html

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Tue, Sep 30, 2008 at 01:09:25PM +0200, Comète wrote:

Hi,

I run an OpenBSD 4.3 firewall with 3 network interfaces: 1 LAN, 1 WAN and 1 DMZ. I use ftp-proxy to allow ftp client connections from my LAN and it works well. On my DMZ, I have multiple servers (web, dns, smtp, etc...) and they each have a different public IP. So, I use binat rules to nat them easily and it works fine too. But I need to allow these servers on the DMZ to make FTP client connections to external servers too. So I have put a rdr rule like the one I did for my LAN to make my DMZ servers use the ftp-proxy daemon. But this doesn't work; I can only connect to external FTP servers from my DMZ servers if I disable the binat rule associated with the server which tries to connect. My question is, is there a means to do what I want to do? :)

Thanks a lot!

Below an extract of my pf rules:

nat on $ext_if from !$ext_if to any -> $firewall_pub
nat-anchor "ftp-proxy/*"
binat on $ext_if from $dns1_priv to any -> $dns1_pub
binat on $ext_if from $dns2_priv to any -> $dns2_pub
binat on $ext_if from $web_ville_priv to any -> $web_ville_pub
binat on $int_if from $web_ville_priv to any -> $web_ville_pub
rdr-anchor "ftp-proxy/*"
rdr on { $int_if $dmz1_if } proto tcp from any to any port ftp -> lo0 port 8021
...
pass in quick log on $dmz1_if inet proto tcp from $DMZ1 to lo0 port 8021
pass in quick log on $int_if inet proto tcp from <acces_ftp_direct> to lo0 port 8021
anchor "ftp-proxy/*"
...
Re: Light HTTP servers.
Nuno,

I would highly suggest looking into Nginx. It is easy to build from source and runs efficiently, using little memory or CPU time. Even though it is a light web server compared to Apache, Nginx is able to handle high traffic loads. The WordPress blogging system recently converted all of its load balancers to Nginx, using the upstream hash module to serve 8-9 thousand requests per second. Unlike lighttpd, the author is actively developing Nginx and the community is constantly building add on modules. Finally, you can easily secure Nginx to better protect your machine from abusive clients.

Nginx web server how to
https://calomel.org/nginx.html

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Sun, Jul 20, 2008 at 03:14:40PM +0100, Nuno Magalhães wrote:

I have an old Compaq Armada 1500c with 32MB of RAM I want to use as a webserver. Having it support PHP and mySQL would be fun since I intend to use both. The same machine has sshd running and might also become a print-server for a parallel Epson Stylus Color 740 if I can decide on the print server (apparently either cups or lpd, whichever's lighter). I haven't fiddled with it a whole lot, it's mostly just on and showing top through ssh. Right now its memory line is this:

Memory: Real: 7200K/20M act/tot Free: 3944K Swap: 0K/66M used/tot

with its most cpu-intensive process being sendmail. I have no mailserver, what's that for?

So, big servers like Apache are kind of out of the question. From the package list I found Bozotic, lighttpd, nginx, p5-HTTP-Server-Simple and thttpd. Of those, nginx caught my eye and while searching I came across cherokee-project.com, Hiawatha (hiawatha.leisink.org) and also shttpd.sourceforge.net

Is anyone using any of these or a lightweight httpd in general? I don't mean small as in d116.com/ace/ nor are my resources as low as d116.com/spud/ but useful input would be welcome. Ya know, the constructive criticism type.

TIA
--
Nuno Magalhães
Re: question on spamd.alloweddomains
Juan,

You can use email addresses, domains or partial domains in your spamd.alloweddomains file.

Spamd tarpit/greylisting anti-spam how to (spamdb)
https://calomel.org/spamd_config.html

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Sat, Jun 21, 2008 at 09:24:25AM -0400, Juan Miscaro wrote:

I have a question re spamd.alloweddomains. The spamd man page [0] talks about domain suffixes. Is it possible to populate the file with actual addresses? Seems this would be more effective.

/juan

[0] The file /etc/mail/spamd.alloweddomains can be used to specify a list of domainname suffixes, one per line, one of which must match each destination email address in the greylist. Any destination address which does not match one of the suffixes listed in spamd.alloweddomains will be trapped, exactly as if it were sent to a spamtrap address.
Re: simple PF question
Robert,

Your rule looks ok. You may want to add a variable for the port numbers so you can add or delete them as needed. Something like...

### Ports
AllowOUT = "{ 22, 80, 443 }"

### Pass out interface
pass out on $int_if proto tcp from ($int_if) to any port $AllowOUT modulate state flags S/SA

Hope this helps,

OpenBSD Pf Firewall how to ( pf.conf )
https://calomel.org/pf_config.html

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Fri, Jun 20, 2008 at 02:10:52PM -0700, Robert Gilaard wrote:

Hi folks,

All the time I had the following entries in my pf.conf for my Desktop system. However, as I've bought this pf book that was lately released, I begin to suspect that these rules are way too liberal. If I only want to be able to browse the web and maybe use the ssh client, how should I rewrite the rules so that only those ports are open (80, 443 and 22)? I guess I'm looking forward to a RTFM answer, but hey, I wouldn't ask if I knew how to write them.

The best I could guess is:

pass out on $int_if proto tcp from any to any port 80 modulate state flags S/SA

But I don't know if this is correct.

Brgds
Robert
Re: OpenSSL On Openbsd help
Khalid,

A certificate bought from a trusted Certificate Authority simply means a client can verify the certificate's validity through a third party. This does not mean the web page data is securely encrypted, does not mean the data on the site is valid and does not mean that the data can not be compromised on the client or server machines.

A basic SSL certificate says that the person or persons who bought the certificate are the same person or persons that own the domain. This is the simplest check done by the Certificate Authority when a certificate request (purchase) is made. The more expensive certs require that the company ordering the certificate verify their legal credentials. This may mean they have to FAX proof of their physical location, their business status (INC, CO, etc.) and contact information to the Certificate Authority and comply with an investigation. This extended verification (EV) process is expensive and can take weeks to complete.

I agree that an expensive SSL cert is only worth the money if the name of the certificate authority means anything to the clients contacting your site. 99.9% of the people do not know or care what a CA is.

Hope this helps.

Guide to SSL Certificates
https://calomel.org/ssl_certs.html

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Sun, Jun 15, 2008 at 03:02:48AM +1000, Damien Miller wrote:

On Sat, 14 Jun 2008, Khalid Schofield wrote:

Hi, I need to get a proper signed ssl certificate for my ecommerce website hosted on my openbsd box. Getting confused as most websites describe how to do this in many different ways and most refer to self signed certificates. Wanted to ask the experts before I go and throw $100 at the task.

First, I'd recommend that you spend a little time reading up on X.509 certificates and how they relate to public key cryptography. There are nasty consequences if you get things wrong that extend well past wasting $100 on a certificate you can't use.
So do I have to use pass phrases when generating the certificate? If I use a pass phrase why? How does it affect the certificate and its use?

Certificates don't have passphrases, private keys do. A key passphrase gives some measure of protection should the file containing your key fall into someone else's hands, e.g. by compromising your server. If your private key is disclosed, an attacker could impersonate your server.

Also if I use a pass phrase do I have to tell apache about it? Does it go in a config or do I have to enter it when reloading apache? Putting it in a configuration file would defeat the purpose, no?

Yes, if you use a passphrase then you need to tell Apache about it every time it is reloaded. For this reason, many web servers do not set passphrases on their keys.

Also what command do you use to do this? Please tell all :)

openssl req

OpenSSL is complex and patchily documented; it assumes that its users are quite familiar with x.509 certificates and public key cryptography. There are some frontends that make things more simple, and some good guides on the net. Try typing "openssl certificate" into your favourite search engine for a few.

One last thing, who would you recommend to sign my csr?

Go for the cheapest certification authority that is supported by Firefox and Internet Explorer. Do not be fooled by any claims of premium certification as the overwhelming majority of users do not check the CA details.

Thanks, sorry for the stupid questions but I've never done this before and risked my actual money (only the company's).

Like I said, risking $100 on a dud cert is the least of your worries.

-d
Re: Multiple FTP servers behind firewalls
Joe, We have used a CARP firewall (two machines in failover and not load balancing) in front of a dozen ftp servers. We use 12 different ip addresses in total. One ftp-proxy for each CARP interface and forwarding the traffic to one of the 12 backend ftp servers. This works fine.

Ftp-Proxy (forward and reverse proxy) https://calomel.org/ftp_proxy.html

If you use one external ip and thus one CARP virtual device, you might be able to use different external ports redirected to each ftp-proxy daemon. This might cause a bit of confusion depending on your users and what clients they use. Clients normally expect ftp to be on port 21 of course. vhosts would definitely be a welcome addition, but I am not sure how this would be implemented.

One problem you may see is when the CARP firewalls fail over. The ftp-proxy anchors are not inherited by the second BACKUP firewall. Clients can just reconnect after the BACKUP firewall comes up.

You may also want to see if you can limit ftp connections to passive mode only. This seems to help with some of the broken windows clients, though you can use the -r argument in ftp-proxy to suit ancient clients.

If anyone has any other solutions I would also be interested in hearing about them.

-- Calomel @ https://calomel.org Open Source Research and Reference

On Wed, Jun 04, 2008 at 05:02:45PM +0100, Joe Warren-Meeks wrote: Hey guys, I have a pair of OpenBSD firewalls, using carp+pf protecting all our services. Now, we are going to end up in a situation where we need to have multiple separate ftp servers behind these firewalls (one per project). Currently I'm thinking of creating a new CARP interface on the external interface with a unique IP and a separate ftp-proxy per back-end server. My question is basically has anyone done this already and does it work? Are there any problems with having multiple CARP interfaces using the same physical one? Is there a better, easier solution?
It's times like these that I wish the ftp protocol included vhosts. Cheers chaps. -- joe. I don't like Annika. She's so pretentious.
Re: Is there a badblocks-equivalent for OpenBSD?
Ropers, You can find the badblocks utility prepackaged in e2fsprogs. Hope this helps,

BadBlocks Hard Drive Validation and/or Destructive Wipe http://calomel.org/badblocks_wipe.html

-- Calomel @ http://calomel.org Open Source Research and Reference

On Fri, Apr 18, 2008 at 08:44:27PM +0200, ropers wrote: Sometimes I find myself in need of a disk checking utility that can check both disks with known *and unknown* filesystems, and/or that can check even currently unpartitioned space on a disk. There exists such a program for Linux, called badblocks: http://www.linuxmanpages.com/man8/badblocks.8.php A command of badblocks -svn /dev/devicename allows me to scan all kinds of disks, even some of these old Macintosh floppies and other esoteric stuff. The n is for a non-destructive read and write scan. Basically it scans the entire disk, and doesn't care what's on it, it just reads every single bit of data on the device, then does its write test and writes back the original data. Sure, fsck can also scan disks, but AFAIK it can't do a surface scan, much less of an unknown file system, because fsck only invokes file-system-specific programs. Thus far, I've mostly booted Linux Live-CDs and then issued badblocks -svn /dev/devicename whenever I needed to do such checks. Is there a way to do the same thing with OpenBSD? I am not a programmer, and anything exceeding script-kiddie level scripting will probably be over my head. Many thanks and kind regards, --ropers
Re: spamd in modified greylisting mode.
Preston, I do not believe that spamd can deliver mail on the first attempt. Hosts like Southwest airlines and a few others only attempt to send mail _once_ and never try again. Even worse are hosts that use unique From: addresses on every attempt and thus never get white listed. Other hosts only retry the delivery of mail once or twice in a four(4) hour period. I understand your dilemma especially if you work in marketing.

Spamd needs to know about the host trying to deliver the mail before it can white list the host. Normally, the remote host would need to connect to your mail host at least three times before the mail can be delivered. For example:

attempt 1: host is GREY listed
attempt 2: host is WHITE listed
attempt 3: host connects to the real mail server to deliver its mail

We have written Perl scripts to watch the spamd logs and add remote hosts that send to valid email addresses to the white list. This will reduce the amount of attempts the remote host needs to make down to two:

attempt 1: host is GREY listed by spamd _and_ WHITE listed by our script
attempt 2: host connects to the real mail server to deliver its mail

The speed at which the email is delivered is dependent on the retry rate of the remote host. This still is not a perfect solution.

Now, you could try to collect a white list of hosts you always accept mail for, but the problem is your users want to accept mail quickly from all hosts. If your business is highly dynamic and you accept email from new potential clients all the time then this method is not really that helpful. If anyone has any other ideas on this topic I would also be interested in hearing them. Hope this helps.

Spamd tarpit/greylisting anti-spam how to http://calomel.org/spamd_config.html

-- Calomel @ http://calomel.org Open Source Research and Reference

On Tue, Apr 15, 2008 at 10:48:47AM -0500, Preston Kutzner wrote: I'm hoping someone can help me by answering a couple of questions regarding spamd.
Ultimately, I'm wanting to know if the spamd setup I'm envisioning is possible. I'll explain the situation. To begin, we attempted a typical setup of spamd in greylisting mode on our firewall in front of our MX. This worked great and was catching lots of spam, for around 48 hours. During this time, we (IT Dept.) got several complaints about delayed delivery of emails from our clients. This was mostly due to impatient recipients within our organization. However, as a result, we were told, by executive order, to shut down the greylisting. Apparently the greylisting, in doing what it's supposed to do, was disrupting time-sensitive email. Never mind that we were white-listing these senders as we were made aware of them. So, this brings me to my set-up inquiry. We do receive lots of delivery attempts to non-existent addresses in our domain and the greytrapping feature of spamd was especially handy for blocking sites attempting to deliver to these non-existent addresses. I would like to be able to take advantage of this feature of spamd, along with the blacklist features, while not delaying email to non spamtrapped addresses. From my understanding of the interaction between spamd and pf, this either isn't possible or is non-trivial. However, I figured I would see if anyone has done a similar set-up or knows of a way to implement this. Thanks.
Re: PF ssh bruteforce logging and blocking
Chris, Your /etc/bruteforce file will be read when pf loads its rules. IPs added to the bruteforce table through the overload directive will _not_ be added to the /etc/bruteforce text file. Can you see IPs in the bruteforce table?

pfctl -t bruteforce -T show

If you want to dump those IPs from the table to the text file you can always do

pfctl -t bruteforce -T show > /etc/bruteforce

Hope this helps.

OpenBSD Pf Firewall how to ( pf.conf ) http://calomel.org/pf_config.html

-- Calomel @ http://calomel.org Open Source Research and Reference

On Wed, Apr 16, 2008 at 12:20:38PM +1000, Chris wrote: I have some rules in my pf.conf for ssh brute force where it should block and log the offending IP address in /etc/bruteforce file. I also told syslog to log all ssh logging in /var/log/sshd. I can see some failed login in /var/log/sshd but my /etc/bruteforce file is still empty. Here's my pf.conf -

ext_if = fxp0
tcp_services = {80, 443, 123}
udp_services = {123}
icmp_services = {echo_req}
set block-policy drop
set loginterface $ext_if
scrub in all fragment reassemble
scrub out all random-id fragment reassemble
block all
pass quick on lo0 all
pass out quick on lo0 all
table <bruteforce> persist file "/etc/bruteforce"
block quick from <bruteforce>
antispoof log for { lo0, $ext_if }
block drop in quick log on $ext_if inet6 all
pass in log on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $udp_services
pass inet proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)
pass out log on $ext_if inet proto tcp from any to any port $tcp_services
block drop in quick on $ext_if from any to {255.255.255.255, 192.168.25.255}
block drop out quick on $ext_if inet proto icmp from any to {192.168.25.1}
block quick from any os NMAP
pass out log on $ext_if proto { tcp, udp, icmp } all keep state
block drop out quick log on $ext_if inet proto tcp from any to port 22

Here's what I can see on my /var/log/sshd -

Invalid user test from xxx.xx.xx.xx
input_userauth_request: invalid user test
Failed password for invalid user test from xxx.xx.xx.xx port 43734 ssh2

Is there anything I am doing wrong in my pf.conf? Thanks for any help.
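An added example for the persistence problem in this thread; it is not code from the thread or from calomel.org. Entries that the overload directive puts into the bruteforce table live only in the kernel, so a cron job has to dump them into the file the table is loaded from. Redirecting `pfctl -T show` straight over the file, as suggested above, also discards any address that was added to the file by hand, so the script below (assumed name merge_table.py; the sample pfctl output and table file are constructed) merges the live table with the existing file instead: it accepts the `#` comments pf allows in table files, refuses junk lines rather than silently dropping them, keeps negated (`!`) entries and prefixes, and writes the file atomically. Two caveats: nothing in the ruleset above ever removes an address, so once you persist them you also own their expiry (`pfctl -t bruteforce -T expire 86400` removes kernel entries older than a day), and the file carries no timestamps, so an address expired from the kernel table comes straight back from the file at the next rule load unless you prune the file as well.

```python
import ipaddress
import os
import re
import sys
from typing import List, Tuple

# One entry as `pfctl -t <table> -T show` prints it (indented, "!" on a negated
# entry, optional /prefix) or as it appears in a table file.
ENTRY = re.compile(r"^(?P<neg>!?)\s*(?P<addr>[0-9A-Fa-f:.]+)(?:/(?P<plen>\d{1,3}))?$")

def parse_entries(text: str) -> List[str]:
    """Canonical entries: "!" kept, host entries without a /32 or /128 suffix.

    Blank lines and '#' comments, which pf accepts in table files, are skipped.
    Anything else raises: a cron job that silently dropped a line would shrink
    the block list at the next rule load without anyone noticing."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"not a table entry: {raw!r}")
        spec = m["addr"] + (f"/{m['plen']}" if m["plen"] else "")
        net = ipaddress.ip_network(spec, strict=False)  # also rejects 999.1.1.1 and /33
        host = net.prefixlen == net.max_prefixlen
        out.append(m["neg"] + (str(net.network_address) if host else str(net)))
    return out

def _sort_key(entry: str) -> Tuple[int, int, int, bool]:
    net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
    return (net.version, int(net.network_address), net.prefixlen, entry.startswith("!"))

def merge(live_table: str, table_file: str) -> List[str]:
    """Union of the kernel table and the persisted file, deduplicated and sorted."""
    return sorted(set(parse_entries(live_table)) | set(parse_entries(table_file)), key=_sort_key)

def render(entries: List[str]) -> str:
    """One entry per line, the form `table <bruteforce> persist file "..."` reads back."""
    return "".join(e + "\n" for e in entries)

# Constructed sample data (not real pfctl output): what `pfctl -t bruteforce -T show`
# might print, and a table file holding a hand-added entry and a comment.
SAMPLE_SHOW = """   198.51.100.23
   203.0.113.0/24
   !203.0.113.7
   2001:db8::5
"""
SAMPLE_FILE = """# added by hand
198.51.100.23
192.0.2.9/32
"""

if __name__ == "__main__":
    # usage: pfctl -t bruteforce -T show | python3 merge_table.py /etc/bruteforce
    if len(sys.argv) != 2:
        print(render(merge(SAMPLE_SHOW, SAMPLE_FILE)), end="")
        sys.exit(0)
    path = sys.argv[1]
    try:
        with open(path) as fh:
            existing = fh.read()
    except FileNotFoundError:
        existing = ""
    merged = render(merge(sys.stdin.read(), existing))
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:  # write-then-rename so a crash never leaves a half file
        fh.write(merged)
    os.replace(tmp, path)
```

Run it from cron as `pfctl -t bruteforce -T show | python3 merge_table.py /etc/bruteforce`; with no argument it prints the merge of the constructed samples so the behaviour can be eyeballed first.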
Re: CARP and pfsync weird behaviour
John, I ran a test using iperf on an external openbsd system (client) through a carp firewall to an internal openbsd system (server). All systems are running OpenBSD v4.2 with the latest patches.

external --- CARP --- internal
(iperf -i 1 -t 600 -c carp0)          (iperf -s)

I did _not_ see any slow down through the MASTER when I rebooted the BACKUP server. For example, I started the reboot of the BACKUP at 5 seconds and the BACKUP finished rebooting at 102 seconds:

[ 3] 1.0- 2.0 sec 81.2 MBytes 681 Mbits/sec
[ 3] 2.0- 3.0 sec 82.3 MBytes 690 Mbits/sec
[ 3] 3.0- 4.0 sec 83.8 MBytes 703 Mbits/sec
[ 3] 4.0- 5.0 sec 86.6 MBytes 727 Mbits/sec -- start reboot
[ 3] 5.0- 6.0 sec 86.8 MBytes 728 Mbits/sec
[ 3] 6.0- 7.0 sec 86.3 MBytes 724 Mbits/sec
[ 3] 7.0- 8.0 sec 82.8 MBytes 695 Mbits/sec
[ 3] 8.0- 9.0 sec 86.7 MBytes 728 Mbits/sec
[ 3] 9.0-10.0 sec 85.8 MBytes 720 Mbits/sec
[ 3] 10.0-11.0 sec 86.1 MBytes 722 Mbits/sec
cut
[ 3] 96.0-97.0 sec 83.4 MBytes 699 Mbits/sec
[ 3] 97.0-98.0 sec 82.4 MBytes 692 Mbits/sec
[ 3] 98.0-99.0 sec 81.9 MBytes 687 Mbits/sec
[ 3] 99.0-100.0 sec 84.7 MBytes 710 Mbits/sec
[ 3] 100.0-101.0 sec 83.3 MBytes 699 Mbits/sec
[ 3] 101.0-102.0 sec 83.7 MBytes 702 Mbits/sec -- finished reboot
[ 3] 102.0-103.0 sec 83.3 MBytes 699 Mbits/sec
[ 3] 103.0-104.0 sec 83.6 MBytes 701 Mbits/sec
[ 3] 104.0-105.0 sec 85.3 MBytes 716 Mbits/sec
[ 3] 105.0-106.0 sec 83.4 MBytes 699 Mbits/sec

I also did not see any errors in the logs of either system running iperf or on the firewalls. The load on the MASTER firewall was around 0.30. Are the firewalls kernel patched? Are there any hardware failures to report? Are the firewalls overloaded? You are welcome to check out some of the how to's I have at http://calomel.org if you need to.

-- Calomel @ http://calomel.org Open Source Research and Reference

On Thu, Apr 10, 2008 at 12:35:17PM +0100, openbsd firewall wrote: Hello, I'm testing an OpenBSD 4.2 firewall with Iperf and I'm experiencing a very strange behaviour.
What happens is that when I reboot the backup node the connection rate drops while the backup node is coming back. Iperf log:

[ 3] 233.0-234.0 sec 6.62 MBytes 55.5 Mbits/sec
[ 3] 234.0-235.0 sec 6.62 MBytes 55.5 Mbits/sec
[ 3] 235.0-236.0 sec 6.62 MBytes 55.5 Mbits/sec
[ 3] 236.0-237.0 sec 6.70 MBytes 56.2 Mbits/sec
[ 3] 237.0-238.0 sec 288 KBytes 2.36 Mbits/sec
[ 3] 238.0-239.0 sec 3.40 MBytes 28.5 Mbits/sec
[ 3] 239.0-240.0 sec 0.00 Bytes 0.00 bits/sec
[ 3] 240.0-241.0 sec 3.55 MBytes 29.8 Mbits/sec
[ 3] 241.0-242.0 sec 0.00 Bytes 0.00 bits/sec
[ 3] 242.0-243.0 sec 3.49 MBytes 29.3 Mbits/sec
[ 3] 243.0-244.0 sec 0.00 Bytes 0.00 bits/sec
[ 3] 244.0-245.0 sec 3.49 MBytes 29.3 Mbits/sec
[ 3] 245.0-246.0 sec 2.30 MBytes 19.3 Mbits/sec
[ 3] 246.0-247.0 sec 5.23 MBytes 43.9 Mbits/sec
[ 3] 247.0-248.0 sec 2.60 MBytes 21.8 Mbits/sec
[ 3] 248.0-249.0 sec 5.37 MBytes 45.0 Mbits/sec
[ 3] 249.0-250.0 sec 1.28 MBytes 10.7 Mbits/sec
[ 3] 250.0-251.0 sec 4.69 MBytes 39.3 Mbits/sec
[ 3] 251.0-252.0 sec 4.69 MBytes 39.3 Mbits/sec
[ 3] 252.0-253.0 sec 6.62 MBytes 55.5 Mbits/sec
[ 3] 253.0-254.0 sec 6.62 MBytes 55.5 Mbits/sec
[ 3] 254.0-255.0 sec 6.62 MBytes 55.5 Mbits/sec

That drop in connection is when the rebooted node is coming back ! Iperf is being tested from one machine behind one firewall interface and another machine behind another firewall interface. One machine is running Openbsd and the other Linux. Is there any reason for this behaviour ? I do not expect the backup node to have any influence over the flow on active node. Related to this is a problem with pfsync. Sometimes I get a bad state after the backup firewall comes back and then Iperf gets totally messed up, sometimes recovering others not. No difference if psync is configured with multicast or with syncpeer.

Log from the active node:

Apr 10 06:57:03 inferno /bsd: pfsync: received bulk update request
Apr 10 06:57:04 inferno /bsd: pfsync: bulk update complete
Apr 10 06:57:04 inferno pflogd[23092]: invalid size 484 (116/116), packet dropped
Apr 10 06:57:11 inferno pflogd[23092]: invalid size 144 (116/116), packet dropped
Apr 10 06:57:16 inferno last message repeated 3 times
Apr 10 06:57:31 inferno pflogd[23092]: invalid size 484 (116/116), packet dropped
Apr 10 06:57:31 inferno /bsd: pf: BAD state: TCP xx.xx.xx.4:5001 xx.xx.xx.4:5001 xx.xx.xx.5:43558 [lo=2191798936 high=2191798936 win=5840 modulator=0] [lo=911995449 high=912001289 win=65535 modulator=0] 4:4 A seq=2191798936 (2191798936) ack=911995449 len=1460 ackskew=0 pkts=1267241:671313 dir=in,fwd
Apr 10 06:57:31 inferno /bsd: pf: State failure on: 1
Apr 10 06:57:31 inferno /bsd: pf: BAD state: TCP xx.xx.xx.4:5001 xx.xx.xx.4:5001 xx.xx.xx.5:43558 [lo=2191798936 high=2191798936 win=5840 modulator=0] [lo=911995449 high
Re: script to process spamd and generate html
We use a simple Perl script to analyze the spamd logs and generate HTML output. Spamd Statistics Script (annoying spammers) http://calomel.org/spamd_stats.html -- Calomel @ http://calomel.org Open Source Research and Reference On Thu, Apr 03, 2008 at 10:19:18AM -0300, Jose Fragoso wrote: Hi, Anyone written scripts that analyse SPAMD logs and generate html reports, and could share them with us? Thanks in advance. Regards, Jose -- Want an e-mail address like mine? Get a free e-mail account today at www.mail.com!
Re: Pfstat - issue
You also need to tell pfstat what action you want to do. You can query to collect the pf interface statistics, generate new graphs or clean up the database. See if our page can help you out. Pfstat how to ( pfstat.conf ) http://calomel.org/pfstat.html -- Calomel @ http://calomel.org Open Source Research and Reference On Wed, Apr 02, 2008 at 08:13:35PM -0700, Parvinder Bhasin wrote: I cannot get pfstat to run with -c or -d option whenever I run: pfstat -c /etc/pfstat.conf I get: usage: pfstat [-v] [-c config] [-d data] [-r host[:port]] [-p] [-q] [-t days[:days]] same thing when I even run against provided example pfstat.conf file. Any ideas? anyone? any help, highly appreciated :) thx.
Re: selective state flush
Jose, Correct. If you load a block rule with an anchor or by hand, but the state has already been made for a connection, the current state will not be cleared. If you wanted to clear all states before you load the new rules this could be done. Selectively, you can use pfctl with the argument -k to drop connections dependent on ip address. For example, if we wanted to drop all states from any ip to our internal server at 10.10.10.22 we could execute:

pfctl -k 0.0.0.0/0 -k 10.10.10.22

Hope this helps.

PF Config how to (pf.conf) http://calomel.org/pf_config.html

-- Calomel @ http://calomel.org Open Source Research and Reference

On Thu, Apr 03, 2008 at 06:44:41PM -0500, Jeff Santos wrote: Hi, Suppose I have an anchor in PF that, when some condition is met, is loaded with a set of block rules. If the condition is met, the connections that were open before these block rules were loaded to the anchor are not dropped, correct? If so, is there some way to selectively drop some connections (flush some states)? Thanks in advance. Regards, Jose -- Want an e-mail address like mine? Get a free e-mail account today at www.mail.com!
Re: relayd layer 7 http proxy and filtering questions
First, I would like to congratulate the developers of relayd. They have made a great daemon which is fast and very flexible. I was able to get relayd to replace all of the functions of a Pound reverse proxy except URL and request method filtering. As far as I can tell relayd does not have these abilities. Is there a site, mailing list or person I could contact to suggest additions to relayd? Does anyone else use relayd and find these suggestions useful? It has been two weeks since my original post (below) and I just wanted to follow up. All of my configs can be found here:

Relayd proxy how to (relayd.conf) http://calomel.org/relayd.html

-- Calomel @ http://calomel.org Open Source Research and Reference

On Tue, Mar 18, 2008 at 05:07:53PM -0400, Calomel wrote: We are looking to do some URL path and request method filtering with relayd if possible. Many of the other layer 7 filters like User-Agent and Referer work without issue. The box is built using relayd from -current cvs downloaded on Mar 18, 2008. Relayd is setup to be a reverse HTTP proxy with layer 7 filtering as a relay to a test webserver. Similar to a firewall mindset, we are looking to block everything other than what we specifically list out. As a test, the URL or path filtering can allow /, *.html and *.jpg. We are unable to figure out how to get relayd to allow only these types of files, and deny any other access. The following is from our test relayd.conf file, but these rules block all access. Is there a way to list out each file type, one per line? Can we instead use something similar to a regular expression like, request path expect (^\/|\.html|\.jpg)$

##
## URL filtering (NOT working yet)
label BAD path request
request path expect /
request path expect /*.html
request path expect /*.jpg

The second question is how to only accept the GET and HEAD request methods and deny any others. For example we do not want the webserver to ever see POST or TRACE methods.
As GET and HEAD are not headers, we are unsure as what rules to use.

##
## Block bad request method (NOT working yet)
label BAD request method
request header expect GET
request header expect HEAD

Since it is a work in progress, our full relayd.conf file can be found here for reference:

Relayd proxy how to (relayd.conf) http://calomel.org/relayd.html

-- Calomel @ http://calomel.org Open Source Research and Reference
Re: problem regarding squid
Anil, This is from the squid FAQ:

12.40 dnsSubmit: queue overload, rejecting blah

This means that you are using external dnsserver processes for lookups, and all processes are busy, and Squid's pending queue is full. Each dnsserver program can only handle one request at a time. When all dnsserver processes are busy, Squid queues up requests, but only to a certain point. To alleviate this condition, you need to either (1) increase the number of dnsserver processes by changing the value for dns_children in your config file, or (2) switch to using Squid's internal DNS client code. Note that in some versions, Squid limits dns_children to 32. To increase it beyond that value, you would have to edit the source code.

Hope this helps.

Squid config how to (squid.conf) http://calomel.org/squid.html

-- Calomel @ http://calomel.org Open Source Research and Reference

On Mon, Mar 31, 2008 at 05:04:10PM +0530, Anil Saini wrote: hello sir I'm using squid on openBSD 4.2 my cache.log shows

dnssubmit: queue overloaded, rejecting x.com
dnssubmit: queue overloaded, rejecting x.com
dnssubmit: queue overloaded, rejecting x.com
dnssubmit: queue overloaded, rejecting x.com
dnssubmit: queue overloaded, rejecting x.com

how do I solve this problem -- Anil Saini M.E. - Software Systems B.E. - Electronics and Communication Project Assistant CISCO LAB Information Processing Center Unit BITS-PILANI [EMAIL PROTECTED]
Re: ssh queue rules
I believe your low queue is for ssh interactive traffic only. The high queue is for bulk traffic like scp or sftp transfers. If you watch your queues in pftop (page 8) you should see ssh traffic like typed commands in the low queue and the rest goes to the high queue. Hope this helps

PF Config how to (pf.conf) http://calomel.org/pf_config.html

-- Calomel @ http://calomel.org/ Open Source Research and Reference

On Wed, Mar 26, 2008 at 04:41:01PM -0700, Lord Sporkton wrote: I have this rule in my PF and it's not working. Everything just gets thrown into the high queue and nothing touches the low queue (this is from the output of pfctl -s rules):

pass in on em0 inet proto tcp from any to 208.70.72.13 port = ssh flags S/SA modulate state (source-track rule, max-src-conn-rate 3/30, overload <ssh-attack>, src.track 30) queue(low, high)

my ssh is being set with lowdelay (from tcpdump):

14:40:24.180347 13-72-70-208.uniplex.us.ssh > georgia.static.qwest.net.61282: P 5820:5984(164) ack 53 win 17520 (DF) [tos 0x10]

and my ssh transfer is being tagged high throughput (from tcpdump):

14:43:53.936143 13-72-70-208.uniplex.us.ssh > georgia.static.qwest.net.2904: . 269868:271328(1460) ack 961 win 17520 (DF) [tos 0x8]

any suggestions on what I'm doing wrong? thanks -- -Lawrence
Re: understanding PF src-limit counter
Jose, The 'src-limit' counter advances by one for every packet blocked by a rate limited rule. If you write a pf rule using stateful tracking options to allow connections at a rate of 20 per 60 seconds then packets arriving faster than this would be blocked. You could then look at the 'src-limit' value in pfctl -si to see how many packets were dropped in this way. I do not believe packets dropped by a rate limited rule are logged as logging a DDOS attack might stress the machine. Hope this helps.

OpenBSD Pf Firewall how to ( pf.conf ) http://calomel.org/pf_config.html

-- Calomel @ http://calomel.org Open Source Research and Reference

On Mon, Mar 24, 2008 at 08:52:50AM -0500, Jose Fragoso wrote: Hi, I searched the FAQ and the man pages (for pf, pf.conf and pfctl.conf), but I did not find a definition for the src-limit counter which is shown by the command pfctl -si. With pfctl -sa I saw this:

LIMITS:
states hard limit 20
src-nodes hard limit 1
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 20

So I am guessing that src-limit has something to do with src-nodes. Is it a limit of different source concurrent IP address for connections? I am seeing this counter increase in one of the machines I control. If someone could point out where to find more information about this counter, I would appreciate. Thanks in advance. Regards, Jose. -- Want an e-mail address like mine? Get a free e-mail account today at www.mail.com!
relayd layer 7 http proxy and filtering questions
We are looking to do some URL path and request method filtering with relayd if possible. Many of the other layer 7 filters like User-Agent and Referer work without issue. The box is built using relayd from -current cvs downloaded on Mar 18, 2008. Relayd is setup to be a reverse HTTP proxy with layer 7 filtering as a relay to a test webserver. Similar to a firewall mindset, we are looking to block everything other than what we specifically list out. As a test, the URL or path filtering can allow /, *.html and *.jpg. We are unable to figure out how to get relayd to allow only these types of files, and deny any other access. The following is from our test relayd.conf file, but these rules block all access. Is there a way to list out each file type, one per line? Can we instead use something similar to a regular expression like, request path expect (^\/|\.html|\.jpg)$

##
## URL filtering (NOT working yet)
label BAD path request
request path expect /
request path expect /*.html
request path expect /*.jpg

The second question is how to only accept the GET and HEAD request methods and deny any others. For example we do not want the webserver to ever see POST or TRACE methods. As GET and HEAD are not headers, we are unsure as what rules to use.

##
## Block bad request method (NOT working yet)
label BAD request method
request header expect GET
request header expect HEAD

Since it is a work in progress, our full relayd.conf file can be found here for reference:

Relayd proxy how to (relayd.conf) http://calomel.org/relayd.html

-- Calomel @ http://calomel.org Open Source Research and Reference
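An added example for the two relayd posts above (the original and the follow-up); it is not relayd code and not part of the calomel.org configuration they link to. The posts want a default-deny policy the way a firewall ruleset is written: only GET and HEAD, only `/`, `*.html` and `*.jpg`, everything else refused before it reaches the backend. The function below states that policy in plain Python so it can be checked against concrete requests before it is expressed in relayd.conf. The method set and path patterns are the posts' own; the character set permitted in path components, the treatment of percent-encoding and dot segments, and the sample requests are assumptions made for this example.

```python
import re
from typing import Tuple
from urllib.parse import unquote

# Policy from the posts: the backend must never see POST, TRACE or anything
# other than these two methods.
ALLOWED_METHODS = frozenset({"GET", "HEAD"})

# "/" itself, or a file ending in .html or .jpg, possibly inside subdirectories.
# The conservative character set for path components is an assumption.
ALLOWED_PATH = re.compile(r"^/$|^/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+\.(?:html|jpg)$")

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def check_request(raw: bytes) -> Tuple[bool, str]:
    """Decide whether a raw HTTP/1.x request head may be relayed to the backend.

    Returns (allowed, reason). Anything not explicitly allowed is denied."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    m = REQUEST_LINE.match(head.split("\r\n", 1)[0])
    if not m:
        return False, "malformed request line"
    method, target = m.groups()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if not target.startswith("/"):
        return False, "absolute-form or non-origin target"
    path = unquote(target.split("?", 1)[0])   # drop the query, decode %2e%2e and friends
    if any(p and set(p) <= {"."} for p in path.split("/")):
        return False, "dot segment in path"    # /../x.html would otherwise match the pattern
    if not ALLOWED_PATH.match(path):
        return False, f"path {path} not in allow list"
    return True, "ok"

# Constructed sample requests, not captured traffic.
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"HEAD /images/logo.jpg HTTP/1.0\r\n\r\n",
    b"GET /docs/index.html?lang=en HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"POST /index.html HTTP/1.1\r\nHost: www.example.org\r\nContent-Length: 0\r\n\r\n",
    b"TRACE / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"GET /%2e%2e/etc/passwd.html HTTP/1.1\r\n\r\n",
    b"GET /cgi-bin/test.cgi HTTP/1.1\r\n\r\n",
    b"GET /docs/ HTTP/1.1\r\n\r\n",
    b"GET http://other.example/index.html HTTP/1.1\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        ok, why = check_request(req)
        print("ALLOW" if ok else "DENY ", req.split(b"\r\n", 1)[0].decode(), "-", why)
```

The path is decoded before it is matched, because a pattern applied to the raw target would happily pass `/%2e%2e/etc/passwd.html`; whatever finally enforces the policy in front of the webserver needs the same ordering.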
Re: sftp logging using chroot internal-sftp in -current
Damien, Thanks for the pointer. I believe the environment is now set up correctly, but I cannot get DEBUG3 messages to appear from internal-sftp in authlog. I set up the log device file /ftp_jail/dev/log...

[EMAIL PROTECTED]: ls -la /ftp_jail/dev/log
srw-rw-rw- 1 root ftp 0 Mar 13 14:31 /ftp_jail/dev/log

...and syslogd points to /ftp_jail/dev/log

syslogd -a /ftp_jail/dev/log -a /var/empty/dev/log

When I sftp from 192.168.2.2 to the sftp server test0 I now get a line I did not see before, subsystem request for sftp. As far as I can tell the log device is working correctly. This is the log of a sftp connection. As a test I switched directory, downloaded a test file and then disconnected. As you can see there is no mention in the logs.

Mar 13 16:23:12 test0 sshd[24079]: Server listening on 0.0.0.0 port 22.
Mar 13 16:23:25 test0 sshd[26118]: Connection from 192.168.2.2 port 48518
Mar 13 16:23:26 test0 sshd[26118]: Failed none for ftp from 192.168.2.2 port 48518 ssh2
Mar 13 16:23:26 test0 sshd[26118]: Failed publickey for ftp from 192.168.2.2 port 48518 ssh2
Mar 13 16:23:28 test0 sshd[26118]: Accepted password for ftp from 192.168.2.2 port 48518 ssh2
Mar 13 16:23:28 test0 sshd[10427]: Changed root directory to /ftp_jail
Mar 13 16:23:28 test0 sshd[10427]: subsystem request for sftp
Mar 13 16:23:44 test0 sshd[10427]: Connection closed by 192.168.2.2
Mar 13 16:23:44 test0 sshd[10427]: Closing connection to 192.168.2.2

This is my /etc/ssh/sshd_config if you can see anything wrong with it. I tried adding ForceCommand internal-sftp -l DEBUG3 but this caused sshd to error. I appreciate the assistance.
http://calomel.org/sftp_chroot.html

## /etc/ssh/sshd_config
AllowTcpForwarding no
ClientAliveCountMax 3
ClientAliveInterval 0
Compression delayed
LoginGraceTime 60s
LogLevel DEBUG3
MaxAuthTries 6
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PermitTunnel no
PermitUserEnvironment no
Port 22
Protocol 2
StrictModes yes
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UsePrivilegeSeparation yes
X11Forwarding no

## sftp directives
Subsystem sftp internal-sftp -f AUTH -l DEBUG3
Match User ftp
    ForceCommand internal-sftp
    ChrootDirectory /ftp_jail

http://calomel.org/sftp_chroot.html

-- Calomel @ http://calomel.org Open Source Research and Reference

On Thu, Mar 13, 2008 at 12:32:04PM +1100, Damien Miller wrote:

On Wed, 12 Mar 2008, Calomel wrote: Is it possible to enable DEBUG logging for internal-sftp in sshd? Using -current (Mar 12, 2008) and enabling a chroot'd sftp server we can get sshd to log initial connections. But, we would also like to log sftp activity like uploads, downloads, and directory changes similar to what vsftpd does. The older sftp-server man page had a log facility (-f) and log level (-l) options, but those arguments might not have been carried over to internal-sftp. Perhaps the chroot environment keeps us from logging internal-sftp?

Yes. You should be able to have syslogd(8) listen on /dev/log inside the chroot to make messages from the internal sftp-server visible. -d
Re: ftp-proxy and carp
Joe, You can bind your reverse ftp-proxy to the carp addresses. BTW, a problem you might eventually see is when the firewalls fail over. Current connections to the ftp server will die when the backup firewall takes over because it does not have ftp-proxy anchors from the first firewall. The anchors are not pfsync states and thus are not transferred to the backup firewall through pfsync. But, if the users issue a reconnect to your ftp server after the firewall fail over they will connect without issue.

-- Calomel @ http://calomel.org Open Source Research and Reference

On Wed, Mar 12, 2008 at 12:28:00PM +, Joe Warren-Meeks wrote: Hey chaps, I have a pair of OpenBSD firewalls running CARP

$ uname -a
OpenBSD ns-gs-fw2.host.nativ-systems.com 4.2 NS-GS-FW#0 i386

They both have internal and external addresses and an internal carp and external carp address shared. Now, they are protecting an FTP server that I want to allow access to. Ideally, I'd have ftp-proxy bind to the CARP address, so that if there was a failover event, inbound ftp would still work. Is this possible, or do I have to bind it to the real address and let inbound ftp fail in the event of a failover? -- joe. Have you seen the syrup on that bloke? Unreal.
sftp logging using chroot internal-sftp in -current
Is it possible to enable DEBUG logging for internal-sftp in sshd? Using -current (Mar 12, 2008) and enabling a chroot'd sftp server we can get sshd to log initial connections. But, we would also like to log sftp activity like uploads, downloads, and directory changes similar to what vsftpd does. The older sftp-server man page had a log facility (-f) and log level (-l) options, but those arguments might not have been carried over to internal-sftp. Perhaps the chroot environment keeps us from logging internal-sftp? Any help is appreciated. Thanks for your time.

http://calomel.org/sftp_chroot.html

## /etc/ssh/sshd_config
AllowTcpForwarding no
ClientAliveCountMax 3
ClientAliveInterval 0
Compression delayed
LoginGraceTime 60s
LogLevel DEBUG3
MaxAuthTries 6
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PermitTunnel no
PermitUserEnvironment no
Port 22
Protocol 2
StrictModes yes
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UsePrivilegeSeparation yes
X11Forwarding no

## sftp directives
Subsystem sftp internal-sftp
Match User ftp
    ForceCommand internal-sftp
    ChrootDirectory /ftp_jail

http://calomel.org/sftp_chroot.html

-- Calomel @ http://calomel.org Open Source Research and Reference
Re: spamd and freemail hosts
Aaron, White listing or blacklisting is up to you. If you are using another person's blacklist then you must accept their methods or decisions. Try using spamd to weed out mail servers and perhaps manually white list servers who you want to trust. Then set up your own blacklist with your own scripts or how about using the Greyscanning script by Bob Beck? How about setting up greytrapping with spamd.alloweddomains file? This link lists out a lot of options we found make spamd very powerful.

Spamd tarpit/greylisting anti-spam how to (spamdb) http://calomel.org/spamd_config.html

-- Calomel @ http://calomel.org Open Source Research and Reference

On Mon, Feb 25, 2008 at 09:48:20PM -0600, Aaron Martinez wrote: I've got spamd up and running in the default greylisting mode on a 4.2 stable system. Things seem to be working great, however I've noticed that some freemail like yahoo and hotmail stuff isn't getting through. Valid mail that I'm sending from my yahoo and hotmail accounts to my home accounts where I'm running the spamd instances. I found that the IPs of the hosts are in the Blacklist. I was looking through my daemon log and found some of the (BLACK) instances of the mail I was sending from my yahoo account to valid addresses on my OpenBSD box.

(BLACK) 69.147.97.90: [EMAIL PROTECTED] -> [EMAIL PROTECTED]

I was wondering, is this IP (69.147.97.90) Blacklisted or is this tuple blacklisted? Does anyone have any thoughts on white listing freemail hosts like hotmail and yahoo? I know that people do spam somewhat from these places, but I thought it was mainly from people forging the domains and I do get a lot of valid email that is not getting though. I also host a couple domains and want to be prepared if people start complaining that they aren't getting mail. Is there a way to whitelist domains on a per-recipient domain basis? Thanks in advance. Aaron Martinez
Re: : Zombie Network Spam Attack
On Mon, Feb 11, 2008 at 11:17:35AM +0100, Raimo Niskanen wrote:

On Fri, Feb 08, 2008 at 11:20:31AM -0500, Calomel wrote:

Raimo,

Can you use the spamd.alloweddomains to whitelist email addresses and domains you accept mail for? Any email sent to your mail server that is not on the list will only go to spamd and never get the chance to be greylisted/whitelisted. Then you could write a simple script to look through the spamd logs of BLACK entries.

Well, that was already done. All incoming backscatter was to a valid domain.

If you can compile a list of valid email address this might help. Instead of @example.com you could list [EMAIL PROTECTED], [EMAIL PROTECTED] Any server sending to an invalid address would be blacklisted and a script could add those ips to a pf block table.

    cat /var/log/daemon | grep spamd | grep BLACK | awk '{print $7}' | sort | uniq

The problem seemed to be that spamd overloaded the network connection.

If spamd is sending too many packets back try increasing the stutter time -S90 and the stutter speed -s5. At 600 connections total and 600 packets per 5 seconds the network would need to handle 120 packets per second each direction; around 180 kilobytes in each direction. This might still be too much bandwidth, but you could increase the values as needed or decrease the amount of connections spamd will accept with -c. maxcon may not exceed kern.maxfiles - 200, and defaults to 800.

...and add the offending ips to a block table with a cron job running a few times a day.

This page might give you some more ideas:

Spamd tarpit/greylisting anti-spam how to (spamdb)
http://calomel.org/spamd_config.html

I will have a look at it. Thank you for the ideas.

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Fri, Feb 08, 2008 at 11:07:15AM +0100, Raimo Niskanen wrote:

Apparently we (our mail server) got targeted by a zombie network since suddenly there were some 3 hosts on spamd's whitelist, continuously some 600 connections to spamd, and only mails to unknown users coming in. The network connection was flooded, the web server sluggish, downloads creeped, basically nothing worked.

Can spamd do anything about zombie hosts? They behave like normal MTAs so they will pass spamd's behavioural tests, right?

Now I analyze the greylist, do some heuristics on the sender address (among other things) and trap the bad hosts. The trapped hosts are then copied to a pf table to be blocked in the firewall. Tarpitting them through spamd is simply too much work for the mail server, but blocking works fine.

Here come the questions:

* Does anyone know of a good strategy against zombie network spam attacks?

* To make the greylist heuristics validate recipients and blacklist hosts that send to invalid recipients would blacklist valid MTAs that send bounces of mails with fake sender addresses to me, right? And that would be too cruel, or? Because it would certainly decrease the spam amount.

* To make the greylist heuristics validate the hosts by reverse DNS PTR lookup and then forward A lookup is apparently a debatable issue according to the current thread "running mail server at home". But if it is (fairly) common practice it would be a simple thing to do, and certainly decrease spam volume. But would it be too narrow?

--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: Zombie Network Spam Attack
Raimo,

Can you use the spamd.alloweddomains to whitelist email addresses and domains you accept mail for? Any email sent to your mail server that is not on the list will only go to spamd and never get the chance to be greylisted/whitelisted. Then you could write a simple script to look through the spamd logs of BLACK entries.

    cat /var/log/daemon | grep spamd | grep BLACK | awk '{print $7}' | sort | uniq

...and add the offending ips to a block table with a cron job running a few times a day.

This page might give you some more ideas:

Spamd tarpit/greylisting anti-spam how to (spamdb)
http://calomel.org/spamd_config.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Fri, Feb 08, 2008 at 11:07:15AM +0100, Raimo Niskanen wrote:

Apparently we (our mail server) got targeted by a zombie network since suddenly there were some 3 hosts on spamd's whitelist, continuously some 600 connections to spamd, and only mails to unknown users coming in. The network connection was flooded, the web server sluggish, downloads creeped, basically nothing worked.

Can spamd do anything about zombie hosts? They behave like normal MTAs so they will pass spamd's behavioural tests, right?

Now I analyze the greylist, do some heuristics on the sender address (among other things) and trap the bad hosts. The trapped hosts are then copied to a pf table to be blocked in the firewall. Tarpitting them through spamd is simply too much work for the mail server, but blocking works fine.

Here come the questions:

* Does anyone know of a good strategy against zombie network spam attacks?

* To make the greylist heuristics validate recipients and blacklist hosts that send to invalid recipients would blacklist valid MTAs that send bounces of mails with fake sender addresses to me, right? And that would be too cruel, or? Because it would certainly decrease the spam amount.

* To make the greylist heuristics validate the hosts by reverse DNS PTR lookup and then forward A lookup is apparently a debatable issue according to the current thread "running mail server at home". But if it is (fairly) common practice it would be a simple thing to do, and certainly decrease spam volume. But would it be too narrow?

--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
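The log-scraping one-liner in the two messages above, expanded into a cron-able script. This is an added example, not from the thread and not from calomel.org: it pulls the source addresses of "(BLACK)" connections out of spamd log lines, strips the trailing colon that awk '{print $7}' leaves on the address, and prints the pfctl commands that would add them to a pf table. The log lines are constructed for the example, and the table name spamd-block is an assumption; it has to be declared in pf.conf and matched by a block rule.

```sh
#!/bin/sh
# Added example (not from the thread): turn spamd "(BLACK)" log entries into
# pfctl commands that load a block table.  Sample lines are constructed in the
# shape spamd writes to /var/log/daemon.

SAMPLE_LOG='Feb  8 10:55:01 gw spamd[2311]: (BLACK) 192.0.2.10: <bot@example.net> -> <nobody@example.org>
Feb  8 10:55:02 gw spamd[2311]: (GREY) 198.51.100.7: <alice@example.com> -> <bob@example.org>
Feb  8 10:55:09 gw spamd[2311]: (BLACK) 192.0.2.10: <bot@example.net> -> <sales@example.org>
Feb  8 10:56:30 gw spamd[2311]: (BLACK) 203.0.113.44: <x@example.net> -> <info@example.org>
Feb  8 10:57:00 gw spamd[2311]: 192.0.2.10: disconnected after 30 seconds.'

# black_ips: read log text on stdin, print one unique address per line.
# Field 7 is "address:"; the colon is removed, which the one-liner in the
# thread does not do, so the result can be fed straight to pfctl.
black_ips() {
    grep 'spamd\[' | grep '(BLACK)' | awk '{ sub(/:$/, "", $7); print $7 }' | sort -u
}

# pf_commands: print the pfctl commands that would add each address to the
# table <spamd-block> (assumed name).  Printed rather than executed so the
# script can be run anywhere; replace printf with the command itself in cron.
pf_commands() {
    black_ips | while read -r ip; do
        printf 'pfctl -t spamd-block -T add %s\n' "$ip"
    done
}

# black_count: number of unique blacklisted sources in the sample log.
black_count() {
    printf '%s\n' "$SAMPLE_LOG" | black_ips | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | pf_commands
```

In production the pipeline reads /var/log/daemon instead of the constructed sample, and the cron job that adds entries should also age them out (pfctl -t spamd-block -T expire with a suitable number of seconds), otherwise a dynamic address that was briefly part of a botnet stays blocked forever.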
Re: pf anchors with tag/tagged
Are the pass rules valid for the packets you are redirecting? A redirect rule and pass rule like the following works without issue.

    rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh tag OPENSSH -> lo0 port $SshPort
    pass in log on $ExtIf inet proto tcp from $WorkSsh to lo0 port $SshPort $SynState tagged OPENSSH

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Fri, Feb 08, 2008 at 08:35:44AM -0500, S. Scott Sima, CISA, CISM wrote:

(sorry, orig post errantly had no subject)

Trying to redact (simplify) pf rdr statements by moving the repeating (common) criteria to the top. The rules load error free. The pfctl -vvsnat shows the rdr-anchor in place; however, tcpdump shows the block rules being hit AS IF THE TAG/TAGGED IS NOT BEING SEEN. Anyone, any ideas? Thanks...

/etc/pf.anchor.rdr1
# -
anchor log on outside inet proto tcp \
    from !<droplist> to (outside:0) {
        rdr port 25 tag T1 -> 192.168.2.225
        rdr port 5060 tag T1 -> 192.168.2.200
        rdr port 443 tag T2 -> 192.168.2.250
}
# ---

/etc/pf.conf
rdr-anchor /etc/pf.anchor.rdr1
...
block all
...
pass log quick ...tagged T1 ...
pass log quick ...tagged T2 ...
...
Re: pf anchors with tag/tagged
All macros, redirections and rules must be in the anchor that uses them, as I understand it. Take a look at the anchors section of this link.

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Fri, Feb 08, 2008 at 01:24:40PM -0500, scott wrote:

The pf.conf -- with the tag/tagged -- is a long-time working config. All I did (trying to do) is move the rdr, in the redacted form, to an anchor as shown. In the future, there's going to be a very large number of rdr's and I'm seeking a cleaner and effective variant. It's behaving as if the tag's scope is inside the anchor only; therefore, is not seen by the larger pf.conf.

/S

-Original Message-
From: Calomel [EMAIL PROTECTED]
Reply-To: Calomel [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: pf anchors with tag/tagged
Date: Fri, 8 Feb 2008 11:30:17 -0500
Delivered-To: [EMAIL PROTECTED]

Are the pass rules valid for the packets you are redirecting? A redirect rule and pass rule like the following works without issue.

    rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh tag OPENSSH -> lo0 port $SshPort
    pass in log on $ExtIf inet proto tcp from $WorkSsh to lo0 port $SshPort $SynState tagged OPENSSH

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Fri, Feb 08, 2008 at 08:35:44AM -0500, S. Scott Sima, CISA, CISM wrote:

(sorry, orig post errantly had no subject)

Trying to redact (simplify) pf rdr statements by moving the repeating (common) criteria to the top. The rules load error free. The pfctl -vvsnat shows the rdr-anchor in place; however, tcpdump shows the block rules being hit AS IF THE TAG/TAGGED IS NOT BEING SEEN. Anyone, any ideas? Thanks...

/etc/pf.anchor.rdr1
# -
anchor log on outside inet proto tcp \
    from !<droplist> to (outside:0) {
        rdr port 25 tag T1 -> 192.168.2.225
        rdr port 5060 tag T1 -> 192.168.2.200
        rdr port 443 tag T2 -> 192.168.2.250
}
# ---

/etc/pf.conf
rdr-anchor /etc/pf.anchor.rdr1
...
block all
...
pass log quick ...tagged T1 ...
pass log quick ...tagged T2 ...
...
Re: PF - using overload for port 80 attacks/floods
Since you already stated you have valid clients which could open many connections at once it seems pf might not be the right solution. Have you thought about using a reverse proxy server in front of your web servers? A program like Pound would allow you to specify valid URL regular expressions which would then go to your web servers. All of the invalid requests would get an error by the proxy server. If you wanted to, you could make a script to watch the logs and add ips to the pf blacklist table.

Pound secure reverse proxy how to
http://calomel.org/pound.html

If your webserver has the ability to use mod_evasive this might also help. Mod_evasive will return errors for clients who connect over a set limit. I believe mod_security can blacklist clients who produce too many errors.

If you decide to stick with just PF then take a stab at writing a script to watch the webserver logs. If you have a web client producing a certain amount or type of errors put them in a slow queue for a while. Using Pf's probability directive works really well if you want to slow, but not completely block the host. You can find pf examples here:

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html

Hope this helps.

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Thu, Jan 31, 2008 at 10:50:43AM -0600, Cache Hit wrote:

Hello,

I've been successfully using the max-src-conn and max-src-conn-rate with an overload into a table that I block for our external firewall that protects a few dozen (mostly Sun) web servers. As it stands it works great for blocking ssh, ftp, smtp and several other protocols when there are attempts at floods or hacks. I group them by port and have different settings for different sets of ports.

One thing I continually run into on the machines are port 80 attacks or floods. I'd like to do something similar with PF as I'm already doing for other protocols to overload these into a table and block them, but I'm finding it very hard to come up with a set of rules that eliminate any false positives while still catching actual attacks. I find in particular there are a few websites behind our firewall that have very complex page structures with lots of embedded images such that a fast browser with a fast connection viewing certain sections of the site can easily do 100's of legit GET's in a matter of a couple seconds.

Does anyone have any suggestions for weeding out the false positives? Merely upping either of max-src-conn or max-src-conn-rate seems to be eventually self-defeating as it just allows attacks through as well as allowing the fast legit traffic.

thanks,

--
[EMAIL PROTECTED]
The sky above the port was the color of television, tuned to a dead station.
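The log-watching script Calomel suggests above, as an added example that is not from the thread: it counts 4xx responses per client address in common-format web server log lines and prints the pfctl command that adds clients over a threshold to a pf table; a pass rule matching that table can then assign the slow queue (or a block rule can drop them). This keys on errors rather than connection counts, which is what lets the fast legitimate browser in the question through. The log lines are constructed, and the threshold, the table name slowpokes and the log format are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): flag web clients by error count, not
# by connection rate, and emit pfctl commands that put them in a pf table.
# Lines are in Apache/nginx "common" log format and are constructed here.

SAMPLE_LOG='192.0.2.50 - - [31/Jan/2008:10:50:43 -0600] "GET /index.html HTTP/1.1" 200 5120
192.0.2.50 - - [31/Jan/2008:10:50:43 -0600] "GET /img/a.png HTTP/1.1" 200 2048
192.0.2.50 - - [31/Jan/2008:10:50:43 -0600] "GET /img/b.png HTTP/1.1" 200 2048
203.0.113.9 - - [31/Jan/2008:10:50:44 -0600] "GET /old/page1.html HTTP/1.0" 404 312
203.0.113.9 - - [31/Jan/2008:10:50:44 -0600] "GET /old/page2.html HTTP/1.0" 404 312
203.0.113.9 - - [31/Jan/2008:10:50:45 -0600] "GET /old/page3.html HTTP/1.0" 404 312
203.0.113.9 - - [31/Jan/2008:10:50:45 -0600] "GET /broken%ZZ HTTP/1.0" 400 287
198.51.100.3 - - [31/Jan/2008:10:50:46 -0600] "GET /missing.html HTTP/1.1" 404 312'

# Error responses one client may produce before it is flagged.  Chosen for
# the example; tune it against what the site's own logs show for real users.
THRESHOLD=3

# error_counts: read a log on stdin, print "<count> <ip>" for every client
# that received at least one 4xx response, highest count first.  In common
# log format $1 is the client address and $9 the status code.
error_counts() {
    awk '$9 ~ /^4[0-9][0-9]$/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders: only the clients at or above THRESHOLD, one address per line.
offenders() {
    error_counts | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# pf_commands: pfctl commands that add the offenders to the table
# <slowpokes> (assumed name; pf.conf needs "table <slowpokes> persist" and a
# rule such as "pass in ... from <slowpokes> ... queue slow").  Printed
# rather than executed so the script runs anywhere.
pf_commands() {
    offenders | while read -r ip; do
        printf 'pfctl -t slowpokes -T add %s\n' "$ip"
    done
}

printf '%s\n' "$SAMPLE_LOG" | pf_commands
```

The fast client 192.0.2.50 fetches three objects in one second and is never listed, because it produces no errors; 203.0.113.9 is listed on its fourth error. Run from cron against the rotated log, pair it with pfctl -t slowpokes -T expire so entries age out, and treat the threshold as something to calibrate from a week of normal traffic rather than a fixed number.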
Re: spamd not un-greylisting entries?
Dan,

The blocked while grey listed number of 8 is dependent on the amount of retries the remote mail server attempted while grey listed. Comcast servers for example will try once per minute to deliver their mail. For example, if you grey listed comcast for 25 minutes the blocked number would be around 24-26.

What is your grey listed time out? By default I believe it is set at 25 minutes. (-G 25:4:864) Perhaps it is too low or too high? This is probably not your issue, but may give you a place to start.

Spamd anti-spam how to (spamdb)
http://calomel.org/spamd_config.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Mon, Jan 14, 2008 at 01:00:44PM -0500, Daniel Barowy wrote:

Hello everyone,

My apologies if you get this twice -- it just occurred to me that I sent my original message out using the wrong email address.

I would greatly appreciate it if someone would help me diagnose this spamd problem. We've been running spamd since last October, and until this past Thursday, it was working great. I may be mistaken, but I don't think I've ever seen entries like the following before (email addresses munged intentionally):

    GREY|76.96.62.64|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1200331179|1200345579|1200345579|8|0

Notice that the block column count is high. In the past, I don't recall this number ever exceeding 2. Our users are now complaining that they are not receiving many expected inbound emails. My understanding is that the GREY spamdb entry should turn to WHITE upon the remote MTA's retry. No?

I was troubleshooting a separate issue that required a restart of our firewall (spamd is running on the firewall and not the mail servers), and this problem popped up shortly thereafter. I have not changed anything with our pf.conf or spamd.conf that I know of, except that I've added a number of crucial mailhosts to our PF whitelist -- something I've done dozens of times before.

This is on an OpenBSD 4.0 machine.

Any suggestions?

Many thanks,
Dan
PF, limit remote clients by total bandwidth used over time
Good morning,

Can PF be written to filter client connections based on the total amount of bandwidth a remote client uploads/downloads over a given time frame? As far as I know PF does _NOT_ have this ability.

Pf can flush the states of a client ip that has connected too many times in a given time frame. What I am proposing is an extension to this behavior. One would be able to write a rule looking at the total amount of bandwidth the remote client has used and add them to a table if they exceed this amount in a given time.

For example:

    max-src-bandwidth-amount 2000/60

This could be the stateful tracking option to limit a client to 2000 Kilobytes per 60 seconds. The ip could then be dynamically added to a table, its states flushed and put into a slower queue with limited bandwidth or blocked completely.

Does anyone else find the ability to limit connections by total bandwidth used over time to be useful? Perhaps this can be an option request in a later version of PF.

( Background )

For those wondering how this can be used in the real world it would help...

...a wireless public network. Using the wireless network connection of a local cafe we offer free Internet access to cafe patrons and people in the park across the street. The access rules specify a limit of 500meg per visit per day. Most people are well under this amount and others abuse the service.

...limiting a child's downloads on the local LAN at a public school. Some ISP's will send out warning letters to their customers who use more than their fair share of bandwidth (100Gig/month). By limiting a local LAN ip to one gig per day we can make sure to stay under this limit for example.

...stopping people from abusing a ftp or web server on a metered connection. If you know exactly how much data a normal user is expected to download then you can set upper limits. If you need to pay for that bandwidth then there is a financial incentive to stop abusers or broken clients. For example, if we expect an automated bot to get 15 meg per hour from the ftp server and we then see clients connect and download 100 meg per minute, there is a problem and the ips can be blocked or slowed.

Thanks for your time,

--
Calomel @ http://calomel.org
Open Source Research and Reference
Re: pf + wii
The Wii may be running into the same problem that users of the Xbox 360 Live service see. You simply need to make sure you are using a nat rule with static-port for the gaming ip. You do not need to use miniupnp or a upnp capable router. Search for Xbox 360 on this page for an example.

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Tue, Dec 25, 2007 at 10:22:09AM -0800, Chris Cappuccio wrote:

upnp is also necessary for other multiplayer games like xbox live. it's unfortunate, but true.

Lord Sporkton [EMAIL PROTECTED] wrote:

my point was that its a possibility, as upnp support is not standard, whether or not that is the issue at hand can be decided from game documentation and testing with static pat. however thank you for the mention of the upnp daemons, i will have to check those out.

On 24/12/2007, Nick Gustas [EMAIL PROTECTED] wrote:

johan beisser wrote:

On Dec 24, 2007, at 12:34 AM, Lord Sporkton wrote:

i could be wrong but here is my 2 cents: ive seen something like this related to upnp, i would venture to guess your 2 friends have routers which support upnp and so far as i know openbsd does not support upnp. I would suggest either consulting the guitar hero manual or a tcpdump for the required ports for this game and try a static pat translation to your public ip. upnp allows the wii to request certain ports from the nat device be opened for it, in this case it sounds like your wii needs certain ports open to allow the server to connect to it, normally upnp would take care of it dynamically, but you dont have upnp, so you have to static assign the pat.

UPnPd for OpenBSD..

http://www.tateoka.org/~tate/doc/openbsd-upnp.html
http://miniupnp.free.fr/

Personally, I've yet to need anything like this.

I haven't tried it with a Wii yet, but I've used miniupnp for a year or so now and it's worked great whenever I've needed upnp support on a pf firewall. Make sure you follow the documentation and add the required anchors to the appropriate places in your pf.conf or else you won't make too much progress!

--
-Lawrence
-Student ID 1028219

--
You were about to change the channel when God healed you -- Benny Hinn
Re: Passive ftp problem: 425 error
Try using the ftp-proxy daemon. The proxy will take care of what ports need to be open and close them when they are not needed. It will make your life easier.

Ftp-proxy how to (forward and reverse)
http://calomel.org/ftp_proxy.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Thu, Nov 29, 2007 at 01:20:42PM -0800, Doug Milam wrote:

Greetings,

I'm having trouble getting FTP to work in passive mode. (I've set the machine up as an FTP server). I can connect in active mode, with a PORT connection, but I'm seeing a 425 error (can't open passive connection; can't assign requested address) for passive attempts. The FTP server is 'self-protected' by pf and I've got one high port assigned in addition to 21, of course. I chose to restrict the high port to one port rather than a range. I've also set this in sysctl.conf. The machine also sits on a LAN behind a router which currently only allows in port 21, but allows out everything.

Suggestions welcome!

--
Be aware. Stay present. Speak honestly.
Re: Using CBQ with variable upload bandwidth
I have to agree with Girish. Take some time and find out the average bandwidth for your link. Then set the higher priority users a higher percentage of the total amount than the other users.

You could also use a script. If you know what the current upload bandwidth amount is then you could vary the "altq on $ExtIf bandwidth 744Kb" line to reflect this. If the rest of the queues are setup to use a percentage of the primary bandwidth amount then everything will fall into line. Lastly, refresh pf for the new settings to take effect.

Reference:
http://calomel.org/pf_hfsc.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Fri, Nov 16, 2007 at 12:15:29PM +0530, Girish Venkatachalam wrote:

On 08:00:08 Nov 16, Jonathan Stewart wrote:

I thought about doing something like that but the usable upload is so variable that 60% could completely knock the normal_folk off when it gets congested. I have 256kbit up right now and get anywhere from as low as 64kbit to 160kbit+ actual throughput depending on how busy the system is. If PF had a weighted round robin queuing system that would be almost perfect because then it would scale with the amount of bandwidth available. Ideally something that says if one queue has priority 5 and another 3 for every 5 packets sent from the first one 3 are sent from the other, unless there is something wrong with that I'm missing (other than increased jitter.)

What is stopping you from using the priority field with HFSC?

And why don't you determine the average uplink bandwidth statistically? If you measure it for a week or so and mark out the variance and figure out the standard deviation or some such thing...then you can do what you want.

From my experience with ADSL links I find that there is usually not much variance in the uplink path.

Is my reasoning correct?

regards,
Girish
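The script approach described in the reply above, as an added example that is not from the thread or from calomel.org: it rewrites the root "altq on $ExtIf bandwidth NNNKb" line of a pf.conf from a measured uplink rate, leaves the child queues alone because they are expressed as percentages of the parent, and shows (commented out) the syntax check and reload. The pf.conf fragment is constructed; the interface name, file paths and the rate-measuring command are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): adjust the root altq bandwidth from a
# measured rate so percentage-based child queues rescale with it.

PF_CONF="${PF_CONF:-/etc/pf.conf}"   # assumed locations for real use
EXT_IF="${EXT_IF:-em0}"

# set_root_bandwidth FILE KBITS: rewrite the "bandwidth NNNKb" figure on the
# "altq on <if>" line and print the whole file to stdout.  Refuses anything
# that is not a plain number so a failed measurement cannot produce a broken
# ruleset.  Queue definitions below the altq line are untouched.
set_root_bandwidth() {
    file=$1; kbits=$2
    case $kbits in
        ''|*[!0-9]*) echo "set_root_bandwidth: bad rate '$kbits'" >&2; return 1 ;;
    esac
    sed -E "s/^(altq on [^ ]+ bandwidth )[0-9]+Kb/\1${kbits}Kb/" "$file"
}

# root_bandwidth FILE: print the current root figure in Kb, for checking.
root_bandwidth() {
    sed -En 's/^altq on [^ ]+ bandwidth ([0-9]+)Kb.*/\1/p' "$1"
}

# Constructed pf.conf fragment in the shape the thread discusses: a root
# figure in Kb with children expressed as percentages of it.
SAMPLE_CONF='altq on $ExtIf bandwidth 744Kb hfsc queue { big_spenders, normal_folk }
queue big_spenders bandwidth 60% hfsc(realtime 60%)
queue normal_folk  bandwidth 20% hfsc(realtime 20%)'

# demo_rewrite KBITS: apply a measured rate to the sample fragment and print
# the root figure that results.
demo_rewrite() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    set_root_bandwidth "$tmp" "$1" > "$tmp.new"
    root_bandwidth "$tmp.new"
    rm -f "$tmp" "$tmp.new"
}

# Real use, commented out so the example runs without pf: measure, rewrite to
# a new file, let pfctl parse it (-n), and only then install and load it.
# "measure_uplink_kbits" stands in for whatever produces the rate on your
# system, e.g. deltas of "netstat -I $EXT_IF -b" taken a few seconds apart.
# rate=$(measure_uplink_kbits "$EXT_IF")
# set_root_bandwidth "$PF_CONF" "$rate" > "$PF_CONF.new" \
#     && pfctl -nf "$PF_CONF.new" \
#     && mv "$PF_CONF.new" "$PF_CONF" && pfctl -f "$PF_CONF"

demo_rewrite 160
```

Writing to a new file and running pfctl -nf before pfctl -f is what keeps a bad measurement from leaving the firewall with no ruleset; the reload itself replaces the queues, so a momentary ALTQ hiccup at each adjustment is the price of tracking the link, which argues for adjusting every few minutes rather than every few seconds.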
Re: Excess interrupts using ALTQ
Fernando,

Doing a quick google search I see other people have also reported problems with the on board Broadcom BCM5708 on the dells. Can you try another network card like the Intel Pro/1000 MT (OpenBSD interface name: em0) ?

My place of business transfers an average of 450Mbit with OpenBSD 4.1/4.2 with ALTQ (HFSC) without issue. CPU usage for the interrupts are around 33% on a amd64 2.2GHz.

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Mon, Nov 12, 2007 at 02:05:54PM -0300, Fernando Braga wrote:

Hi,

I've setup a bridge over a 200Mb link, and every time I turn ALTQ on, top shows interrupts at 99.2%. If I flush queue (pfctl -Fq), interrupt usage drop to 35% instantly. I've also noticed that only cpu0 is able to handle interrupts. Is there a way to minimize interrupts usage in this configuration ?

My pf.conf is:

# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
ext_if=bnx0
int_if=bnx1
table <network-int> persist { 200.254.131.128/25 }
table <redes-biz> persist file /etc/pf.biz
set skip on lo
set limit states 75
scrub in
altq on $int_if bandwidth 1000Mb hfsc queue { local, embratel }
altq on $ext_if bandwidth 1000Mb hfsc queue { local, embratel }
queue local bandwidth 100Mb hfsc
queue embratel bandwidth 200Mb hfsc(ecn realtime 200Mb upperlimit 200Mb )\
    { Q-pri Q-icmp Q-vpn Q-biz Q-mail Q-http Q-ftp Q-def }
    queue Q-pri bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit 180Mb) priority 7
    queue Q-icmp bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit 30Mb) priority 7
    queue Q-vpn bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit 180Mb) priority 6
    queue Q-biz bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit 180Mb) priority 6
    queue Q-mail bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit 180Mb) priority 4
    queue Q-http bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit 180Mb) priority 4
    queue Q-ftp bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit 180Mb) priority 4
    queue Q-def bandwidth 25Mb hfsc(default linkshare 25Mb upperlimit 128Mb) priority 0
block in log
pass out
antispoof quick for { lo $ext_if }
pass in quick on lo0 no state
## Rules for merovingio -- bridge
pass in on $ext_if proto tcp to ($ext_if) port ssh queue(local)
pass in on $int_if queue(Q-def Q-pri) label int-DEFA
pass in on $int_if proto icmp queue(Q-icmp) label int-ICMP
pass in on $int_if proto gre queue(Q-vpn) label int-VPN-gre
pass in on $int_if proto esp queue(Q-vpn) label int-VPN-esp
pass in on $int_if proto ah queue(Q-vpn) label int-VPN-ah
pass in on $int_if proto l2tp queue(Q-vpn) label int-VPN-l2tp
pass in on $int_if proto { tcp udp } to port { 500 4500 } queue(Q-vpn) label int-VPN-ipsec
pass in on $int_if proto { tcp udp } to port { pptp } queue(Q-vpn) label int-VPN-pptp
pass in on $int_if proto tcp to port { snmp } queue(Q-icmp Q-pri) label int-ICMP-snmp
pass in on $int_if proto tcp to port { www } queue(Q-http Q-pri) label int-HTTP
pass in on $int_if proto tcp to port { https } queue(Q-biz Q-pri) label int-BIZZ-https
pass in on $int_if proto { tcp udp } to port { domain ntp } queue(Q-pri) label int-PRII
pass in on $int_if to <redes-biz> queue(Q-biz Q-pri) label int-BIZZ-redes
pass in on $int_if proto tcp to port { smtp pop3 imap 465 995 } queue(Q-mail Q-pri) label int-MAIL
pass in on $ext_if queue(Q-def Q-pri) label ext-DEFA
pass in on $ext_if proto icmp queue(Q-icmp) label ext-ICMP
pass in on $ext_if proto gre queue(Q-vpn) label ext-VPN-gre
pass in on $ext_if proto esp queue(Q-vpn) label ext-VPN-esp
pass in on $ext_if proto ah queue(Q-vpn) label ext-VPN-ah
pass in on $ext_if proto l2tp queue(Q-vpn) label ext-VPN-l2tp
pass in on $ext_if proto { tcp udp } to port { 500 4500 } queue(Q-vpn) label ext-VPN-ipsec
pass in on $ext_if proto { tcp udp } to port { pptp } queue(Q-vpn) label ext-VPN-pptp
pass in on $ext_if proto tcp to port { snmp } queue(Q-icmp Q-pri) label ext-ICMP-snmp
pass in on $ext_if proto tcp to port { www } queue(Q-http Q-pri) label ext-HTTP
pass in on $ext_if proto tcp to port { https } queue(Q-biz Q-pri) label ext-BIZZ-https
pass in on $ext_if proto { tcp udp } to port { domain ntp } queue(Q-pri) label ext-PRII
pass in on $ext_if from <redes-biz> queue(Q-biz Q-pri) label ext-BIZZ-https
pass in on $ext_if proto tcp to port { smtp pop3 imap 465 995 } queue(Q-mail Q-pri) label ext-MAIL

dmesg follows:

OpenBSD 4.2 (GENERIC.MP) #1378: Tue Aug 28 10:48:58 MDT 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3488907264 (3327MB)
avail mem = 3373899776 (3217MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xcffbc000 (62 entries)
bios0: vendor Dell Inc. version 1.3.7 date 03/26/2007
bios0
Re: Using CBQ with variable upload bandwidth
Jonathan,

HFSC will do what you want. You could setup a queue using the realtime directive to guarantee bandwidth to the big_spenders. Let's say 60% of the total connection speed. Then assign 20% to the normal_folk. Both queues can borrow from each other, but will always guarantee the amount of bandwidth specified by realtime. See if this link helps you out.

Hierarchical Fair Service Curve (HFSC) of OpenBSD
http://calomel.org/pf_hfsc.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Fri, Nov 16, 2007 at 04:56:51AM +0300, Jonathan Stewart wrote:

Is it possible to use CBQ as a weighted round robin queue when the upload bandwidth is highly variable? This is on FreeBSD RELENG_7 which I believe uses pf from OpenBSD 4.1

Example queue idea:

    Root Queue (1Mbps)
        big_spenders (500Kbps, priority 5, borrow)
        normal_folk (500Kbps, priority 3, borrow)

Based on my reading of the FAQ it would seem that if your actual upload is less than the queue is configured for the queue would always be congested.

    Queues with a higher priority are preferred during congestion over queues with a lower priority as long as both queues share the same parent

In this case does the queue act like a simple priority queue and abandon the normal_folk queue as long as there is data for the big_spenders queue or will it act like a weighted round robin queue and prefer the big_spenders but also pass some traffic from normal_folk? I also want to allow either queue to be able to use all available bandwidth. Putting borrow on both should work correct?

Here is my situation... I'm running a shared access satellite system and some people are willing to pay more than others. IP addresses are statically assigned and I would like to assign people to queues based on how much they are willing to pay. I want to give the big_spenders a boost when the connection is busy but I don't want to block the normal_folk completely in the process.

Any suggestions are welcome.

Thank you for your time,
Jonathan Stewart
Re: Queuing for my homelan (which scheduler to use?)
Chris,

It looks like you have quite a few questions. The obsd list will not write your firewall for you, but this should get you started in the right direction.

Hierarchical Fair Service Curve (HFSC) of OpenBSD
http://calomel.org/pf_hfsc.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Tue, Nov 13, 2007 at 01:34:06PM +0100, Chris Cohen wrote:

Hi all,

sadly I can't get more than ADSL3000 (3072kbit dl/384kbit ul) at home therefore I want to use queues on my 4.2 gateway. I separated my lan into clients (10.1.0.0/24), wlan (10.1.16.0/24), servers (10.1.3.0/24) and some other, but they don't need internet access...

I read http://www.openbsd.org/faq/pf/queueing.html and want to separate traffic by:

    client_in (downloads originated by my own clients)
    client_out (uploads originated by my own clients)
    wlan_in (downloads originated by my and some others laptops)
    wlan_out (uploads originated by my and some others laptops)
    server_in (downloads originated by my servers)
    server_out (upload originated by my servers)
    icmp_out (don't disturb my pings...)
    mail_out (large mails sent by my mailrelay in the servers subnet shouldn't disturb eg. the one hit my website receives a day ;) )
    ssh_out (...)
    tcp_ack_out (...)

I think the protocol specific queues should have a higher priority than the subnet specific ones. (?)

What would be the best way to achieve this? I am not sure which scheduler I should use in which combinations of priority and bandwidth.

Any tips are really appreciated.

--
Greetings
Chris
Re: Daily insecurity report and drop priv accounts for handling automated tasks
Dave,

In our backup environment the backup user needs a shell and home dir for ssh keys as you described. The passwd is disabled and ssh keys are required. We also limit access to the backup user to specific source ip addresses like the backup server.

We also use ssh wrappers. Using the command argument in the ssh keys file you can have a script check what command is being run. The backup user only needs to accept rsync so that is what we are validating. If any other command is run or if a shell is requested the connection is denied.

This is a link to the explanation of our backup methodology and at the bottom is an example of the rsync wrapper script.

Rsync remote files to backup server
http://calomel.org/backup_server_rsync.html

As Nick explained, if you have untrustworthy admins any setup can be compromised. I suggest writing a script to execute a simple command like ls using the backup user. If ls is successful, the wrapper is not working.

If anyone has any other recommendations I would be interested in hearing about them. There is always room for improvement.

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Tue, Nov 13, 2007 at 10:17:07PM -0500, Nick Holland wrote:

Dave Harrison wrote:

Hi all,

I've been wondering how to deal with this particular issue for quite some time now, and I can't find any references to the right way(TM) to handle it.

I always prefer to run automated tasks as limited privilege users on my OpenBSD hosts - such as tasks that pull files across from other hosts, and other such nightly tasks. To make this work the drop priv user account needs a shell and a home dir (for SSH keys etc), and has no need for a password. However this causes the /etc/security script to generate warnings every night such as,

    Login nightlysync is off but still has a valid shell and alternate access files in home directory are still readable.

The tasks that this user performs are scheduled through cron.

Is there a better way for me to be setting up these kinds of tasks so that this warning doesn't get raised ? Or is the warning spurious ?

here's my way of squishing those messages:

* create the user, give it a non-trivial (but easy to type) PW. This is often useful in the development stage anyway. Don't use a trivial password in case you forget to do the next step...

* When ready to kill the PW, rather than clearing it, by putting a few repeated chars in the encrypted PW string, for example, , using vipw. You now have an account that technically has a PW, but it is unlikely anyone will find something that hashes to the string you created. The string probably has the wrong number of characters anyway.

Daily is happy, you are happy, and no one can log in. ...you hope.

Here's a problem. You may want to be aware of funny accounts on your system. Let's say you kill a password as I suggested, then your evil co-administrator, Bob, decides he wants to keep having access to this machine after he quits. So, he quietly does a chpass on that account, then puts in his resignation. You run around and delete all his accounts, and think, Job done. Bob now logs into that account, and uses the ssh key he also dropped in place to get wherever he wanted to go (assuming a little pre-planning, of course).

So, you might WANT to have as part of your daily routine verifying that you have X insecurity reports, and that they are there for the reasons you expect. 'course, that's hardly the only attack vector.

If seeing Insecurity Report freaks your boss out, you might find it safer to eliminate the report (Windows never tells me how insecure it is, so it must be better!). Otherwise, treat it as just part of your daily mails.

(Interestingly, your subject line auto-filed your message into my Insecurity Reports folder, and it rather concerned me that a new message suddenly arrived there. :)

Nick.
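A forced-command wrapper of the kind Calomel describes above, written for this page as an added example rather than the script on calomel.org. sshd puts the command the client asked for into SSH_ORIGINAL_COMMAND (and leaves it unset for an interactive login); the wrapper accepts only an rsync server-mode invocation, logs the decision, and runs rsync from a fixed path with the client's arguments. The authorized_keys line in the comment shows how it is installed together with the source-address restriction the reply mentions. The key material, source address and rsync path are placeholders or assumptions.

```sh
#!/bin/sh
# Added example (not the calomel.org script): rsync-only forced command for a
# backup account.  Install it on the backup user's key in authorized_keys
# (key, path and source address are placeholders):
#
#   from="192.0.2.10",command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... backup@backupserver
#
# sshd then runs this script instead of whatever the client requested and
# hands the request over in SSH_ORIGINAL_COMMAND.

RSYNC="${RSYNC:-/usr/local/bin/rsync}"   # assumed path of the rsync package binary

# allowed_command CMD: returns 0 only for "rsync --server ..." (what an rsync
# client asks the remote side to run, in both push and pull direction).
# Everything else is refused: an empty request (interactive shell), any other
# program, and any shell metacharacter that could chain a second command.
allowed_command() {
    case $1 in
        '') return 1 ;;                                            # shell requested
        *\;*|*\&*|*\|*|*\<*|*\>*|*\`*|*\$*|*\(*|*\)*) return 1 ;;   # chaining/substitution
        'rsync --server '*) return 0 ;;                            # rsync server mode only
        *) return 1 ;;
    esac
}

# run_wrapper: the body executed under sshd.  Accepted commands are split into
# words (safe, since metacharacters were rejected) and run with our own rsync
# binary, so the client cannot choose which program "rsync" resolves to.
run_wrapper() {
    cmd=${SSH_ORIGINAL_COMMAND-}
    client=${SSH_CLIENT%% *}
    if allowed_command "$cmd"; then
        logger -p auth.info -t rsync-only "accepted from $client: $cmd"
        set -- $cmd
        shift
        exec "$RSYNC" "$@"
    fi
    logger -p auth.warning -t rsync-only "rejected from $client: ${cmd:-<interactive shell>}"
    echo "only rsync is permitted on this account" >&2
    exit 1
}

# The check Calomel suggests: a plain command through the backup key must fail,
#   ssh -i backup_key backup@host ls        -> "only rsync is permitted", exit 1
# while a backup run still works:
#   rsync -av -e "ssh -i backup_key" /data backup@host:/backup/data

# Act as the wrapper only when installed under that name; when the file is
# sourced or run under another name the functions are defined and nothing runs.
case ${0##*/} in
    rsync-only) run_wrapper ;;
esac
```

The from= option and the no-* options on the key do the rest of what the reply describes: the key is usable from the backup server's address only, and no pty, port forwarding or agent forwarding is granted even if the wrapper were bypassed. The rejected attempts land in the auth log, which is the place to look when the daily "ls" test unexpectedly succeeds.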
Re: Logging bandwidth usage with PF
Joel,

Check out pfflowd. This site has a how to.

Configuration of NetFlow, Flowtools, pfflowd on OpenBSD
Have you ever wanted to keep track of every packet going through your firewall? How about getting some stats on the hosts using your network. Stats like most bandwidth used or most popular ports or ip's. Well NetFlow is what you're looking for. NetFlow is an open but proprietary network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information.
http://www.pantz.org/software/flowtools/configflowtoolspfflow.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Mon, Nov 12, 2007 at 09:31:08AM -0600, Joel Gudknecht wrote:
Misc list:

I'm trying to figure out a way to log and analyze bandwidth usage passing through my PF gateway. It's doing NAT for ~60 users. Here are the pertinent logging rules;

rdr pass log on $ext_if proto tcp to port smtp -> $host
rdr pass log on $ext_if proto tcp to port www -> $host
rdr pass log on $ext_if proto tcp to port pop3 -> $host
rdr pass log on $ext_if proto tcp to port 1494 -> $host
rdr pass log on $ext_if proto tcp to port 3389 -> $host
pass out log keep state

I've tried analyzing pflogs using ethereal/wireshark but could not get specifics about IP's and connection rates from it. I've also looked at ntop and pftop, which looks good for real-time monitoring but I don't think they apply for what I'm trying to do. I'd like to generate a sorted list of top bandwidth hogs and their IP addresses.

Thanks.
Joel
Re: how to create cdrom42.fs?
I believe the boot image must be less than 9900 sectors to be used on a bootable cdrom. bsd.rd would be too large.

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Wed, Nov 07, 2007 at 07:45:52PM -0500, Steve Shockley wrote:
Calomel wrote:
You can use geteltorito.pl by Rainer Krienke. It will extract what it needs from the cdemu42.iso image and make a new cdrom42.fs image. Just takes a second.

Doing:
./geteltorito.pl -o test cd42.iso
results in a file test that's identical to cdbr. Why jump through so many hoops to do things the hard way? I'm not sure I see the advantage of using 2.88 emulation, especially when bsd.rd is ~5M.
Re: how to create cdrom42.fs?
You can use geteltorito.pl by Rainer Krienke. It will extract what it needs from the cdemu42.iso image and make a new cdrom42.fs image. Just takes a second.

Check out Step 3, option 2 at
Making a bootable OpenBSD install CD
http://calomel.org/bootable_openbsd_cd.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Tue, Nov 06, 2007 at 05:03:05PM +0800, 23?? wrote:
Hi, anything script?

--
Best Regards,
No.23
http://blog.chinaunix.net/u1/42287
Re: Fair Internet Sharing with OpenBSD
Edd,

Check out ALTQ like Lars said, particularly HFSC. Something like this should work well:

altq on $ExtIf bandwidth 744Kb hfsc queue { ack, edd, frank, fred, jack, mike, bulk }
queue ack   bandwidth 10% priority 7 qlimit 50 hfsc (realtime 50%)
queue edd   bandwidth 15% priority 5 qlimit 50 hfsc (realtime 5% )
queue frank bandwidth 15% priority 5 qlimit 50 hfsc (realtime 5% )
queue fred  bandwidth 15% priority 5 qlimit 50 hfsc (realtime 5% )
queue jack  bandwidth 15% priority 5 qlimit 50 hfsc (realtime 5% )
queue mike  bandwidth 15% priority 5 qlimit 50 hfsc (realtime 5% )
queue bulk  bandwidth 5%  priority 1 qlimit 50 hfsc (realtime 5% default)

And use the ack with the queue name on the rules like, queue (edd, ack)

This might help you out with the directive definitions.
http://calomel.org/pf_config.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Sun, Nov 04, 2007 at 08:29:02PM +0200, Lars Noodén wrote:
Edd Barrett wrote:
If there are 5 of us, it would be ideal to have x/5 bandwidth each (where x is the available internet bandwidth), but if 1 person is not using the connection others should be able to share the unused portion. Is there a solution?

AltQ, described in following, seems to be relevant. I'm looking into a similar setup, though for different reasons.

PF: Packet Queueing and Prioritization
http://openbsd.org/faq/pf/queueing.html

ALTQ - allocation by percentage
http://home.nuug.no/~peter/pf/en/altqbypct.html

Firewalling IPv6 with OpenBSD's pf (packet filter)
https://solarflux.org/pf/pf+IPv6.php

I'm still in the planning stages, though. I'm currently using DNSmasq for DHCP, but would prefer to do something else and use only IPv6 in-house. The version of DNSmasq in the openbsd pkg archive has some problems, so I'm using a 'test' version of 2.41:
http://www.thekelleys.org.uk/dnsmasq/

Regards,
-Lars
Re: Where is 'cdrom42.fs'? 4.2 -release
Rod,

You are absolutely correct. Using the --reject *iso directive for wget in the instructions will now filter out all iso files from downloading. The wording on the web page has been cleaned up and clarified.

Thanks for your feedback, it is appreciated.

--
Calomel @ http://calomel.org
OpenSource Research and Reference

On Fri, Nov 02, 2007 at 12:55:39PM +1100, RW wrote:
On Thu, 1 Nov 2007 20:01:16 -0400, Calomel wrote:
Making a custom, bootable OpenBSD install CD
http://calomel.org/bootable_openbsd_cd.html

Calomel,

I think you need to rapidly go edit your instructions and the script to get rid of the wildcard in the wget command to get the install files. Nobody building a custom CD will thank you for imposing a download of the 204MB install42.iso along with the needed files.

Secondly, you need to stop referring to install sets as packages. I was really confused when I read The OpenBSD group do (sic) offer iso's you can download and use to install a system. The problem is they may have packages you know you will never use. because I knew that the downloadable iso includes NO packages. Packages are precompiled applications from the ports tree. Let's not confuse newbies.

Rod/
In the beginning was The Word and The Word was Content-type: text/plain
The Word of Rod.
Re: Where is 'cdrom42.fs'? 4.2 -release
Bibby,

As far as I know there is no cdrom42.fs file for the v4.2 release. This is an oversight in the docs unless I am wrong. You can use the install42.iso or you can make your own custom cd iso by using the cdrom41.fs from v4.1.

Making a custom, bootable OpenBSD install CD
http://calomel.org/bootable_openbsd_cd.html

--
Calomel @ http://calomel.org
OpenSource Research and Reference

On Fri, Nov 02, 2007 at 03:12:30AM +0800, Bibby wrote:
Hi, all.

Part of file: 4.2/i386/INSTALL.i386:
---
cdrom42.fs    The i386 boot and installation 2.88MB floppy image that contains almost all OpenBSD drivers; see below.

If i want to use 'mkisofs' to create a custom iso image(e.g, add some binary packages), which file should i use for the '-b' option?

Thanks very much.

--
Bibby(Huangbin Zhang)
OpenBSD User in China Mainland: http://www.OpenBSDonly.org/
Re: Samba files used logging
You need to use at least samba-2.2.7a and use the audit.so module. The samba source code has what you need. Check out the information in ~samba/examples/VFS/audit.c and in the README file in that directory.

--
Calomel @ http://calomel.org
OpenSource Research and Reference

On Sun, Oct 28, 2007 at 03:22:27PM +0100, [EMAIL PROTECTED] wrote:
Hello

I've set up a little samba server on my OpenBSD box. I would like to know which files are being accessed (write, copy) by smbd. I tried fstat, pstat but none of them give me the name of the files.

Any idea ?

Thanks
Re: 4.2/amd64 cannot detect any CDROM even the one from which it was installed
Siju,

Has the device name changed? Perhaps to /dev/cd0a

--
Calomel @ http://calomel.org
OpenSource Research and Reference

On Thu, Oct 25, 2007 at 07:12:59PM +0530, Siju George wrote:
Hi,

I installed OpenBSD 4.2 on CD on my amd64 that was running OpenBSD 4.0 fine. I tried to mount the sparc64 CDROM to copy ports.tgz But I get the following Error

# mount_cd9660 /dev/cd0c /mnt/
mount_cd9660: /dev/cd0c on /mnt: No medium found
# mount_cd9660 /dev/cd0c /mnt/
mount_cd9660: /dev/cd0c on /mnt: No medium found
# mount_cd9660 /dev/cd0c /mnt/
mount_cd9660: /dev/cd0c on /mnt: No medium found
#

This Error I checked is the same error I get when there is no CDROM inside. I tried other CDs but the effect is the same. Finally I tried to mount the CD from which 4.2 was installed but failed. I used to mount CDs in 4.0 without any problems :-(

Could somebody help me trouble shoot this problem?

Thank you so much :-)

Kind Regards
Siju

The dmesg and /var/log/messages are as follows

OpenBSD 4.2 (GENERIC) #1179: Tue Aug 28 10:37:50 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 469037056 (447MB)
avail mem = 443813888 (423MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0730 (54 entries)
bios0: vendor American Megatrends Inc. version 080012 date 06/19/2006
bios0: ASUSTeK Computer INC. A8V-VM
acpi at mainbus0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Athlon(tm) 64 Processor 3500+, 2200.44 MHz
Re: Remove escape characters from file
Pieter,

To remove the ^M characters at the end of all lines in vi, use:

:%s/^V^M//g

The ^v is a CONTROL-V character and ^m is a CONTROL-M. When you type this, it will look like this:

:%s/^M//g

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Fri, Oct 26, 2007 at 03:45:39PM +0200, Pieter Verberne wrote:
Hi, does OpenBSD have a program/script to remove control characters (escape sequence) from text files?

Pieter
Re: Help needed to get PF working
Timo,

If this box is going to be a firewall and you expect to pass packets from one interface to the other you _MUST_ enable packet forwarding. Even if pf is setup correctly for your network, no packets will traverse between your internal and external networks unless packet forwarding is turned on.

You can see if ip.forwarding is set to on=1 or off=0 by typing sysctl -a | grep ip.forward. If ip.forwarding is off you can manually enable it by typing sysctl net.inet.ip.forwarding=1. This command will only take effect for this session and ip.forwarding will be set back to its previous setting on reboot.

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html

--
Calomel @ http://calomel.org

On Thu, Oct 25, 2007 at 09:15:22AM +0300, Timo Myyrä wrote:
Hi,

I'm currently trying to configure small home network:

ADSL
Server / Firewall
Desktop

Now I'm working on building a proper firewall to my server. So far the situation is following:
- Servers internet connection works
- Desktop receives IP, nameserver and default route from server's DHCP service.
- Desktop can connect to server by SSH but can't connect to anything beyond that.

Server's fxp0 gets dynamic IP from ISP and fxp1 uses static IP.

What I need:
- server running the most common services available to public. Then some services available only to LAN.
- Desktop will only run games as client and will use the servers private services

Here's my current pf.conf:

### MACROS ###
ext_if=fxp0
lan_if=fxp1
server_ip=xxx.xxx.xxx.xxx
pri_ports={ 20,21,22,25,80,110,113,123,443,2049,3306,6660,6669,6900:6999,8080} # Ports open on server to LAN
pub_ports={ 20,21,22,25,80,110,113,123,443,6900:6999,8080} # Ports open on server to internet
game_ports=27000:27040
lan_ip=xxx.xxx.xxx.xxx
p180_ip=xxx.xxx.xxx.xxx

### TABLES ###
table <spamd-white> persist
table <intruders> persist
table <badhosts> const {10.0.0.0/8, 176.16.0.0/12, 192.168.0.0/16}

### OPTIONS ###
set skip on lo
set block-policy return
set optimization normal
set loginterface fxp0
set limit { states 5, frags 10 } # Are these good limits, I have 4GB RAM?

### TRAFFIC NORMALIZATION ###
scrub in all fragment reassemble

### BANDWIDTH MANAGEMENT ###

### TRANSLATION ###
nat-anchor ftp-proxy/*
nat on $ext_if from !($ext_if) to any -> ($ext_if)

### REDIRECTION ###
rdr-anchor ftp-proxy/*
rdr pass on $lan_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port 8025
no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
rdr on $ext_if inet proto {tcp,udp} from any to ($ext_if) port $game_ports -> $p180_ip
rdr on $lan_if inet proto {tcp,udp} from $lan_ip to any -> ($ext_if)

### ANCHORS ###
anchor ftp-proxy/*

### PACKET FILTERING ###
# Block rules
block in all  # Default to block all incoming and outgoing traffic
block out all

# Antispoof
antispoof quick log for { lo $lan_if }

# Incoming traffic
pass in on $ext_if proto {tcp,udp} from port $game_ports to $p180_ip
#pass quick on $lan_if no state
pass in on $ext_if proto {tcp,udp} to ($ext_if) port $pub_ports
pass in log on $lan_if proto {tcp,udp} from ($lan_if) port $pri_ports to $server_ip
pass in on $lan_if proto {tcp,udp} from any to any keep state

# Outgoing traffic
pass out log on $ext_if proto {tcp,udp} from ($ext_if) to port $pub_ports
pass out on $ext_if proto {tcp,udp,icmp} from $lan_ip to any

How to change the pf.conf to allow desktop traffic to access the internet? I have tried some solutions like removing the default block rules but it still didn't work and I'm starting to run out of ideas.
Re: max-src-conn-rate rule question
David,

I would take a look at adding synproxy to your rules before worrying about max-src-states. Synproxy will allow max-src-conn-rate to work more reliably.

By default, pf(4) passes packets that are part of a tcp(4) handshake between the endpoints. The synproxy state option can be used to cause pf(4) itself to complete the handshake with the active endpoint, perform a handshake with the passive endpoint, and then forward packets between the endpoints. No packets are sent to the passive endpoint before the active endpoint has completed the handshake, hence so-called SYN floods with spoofed source addresses will not reach the passive endpoint, as the sender can't complete the handshake. The proxy is transparent to both endpoints, they each see a single connection from/to the other endpoint. pf(4) chooses random initial sequence numbers for both handshakes. Once the handshakes are completed, the sequence number modulators (see previous section) are used to translate further packets of the connection. Synproxy state includes modulate state. (pf.conf man page)

--
Calomel @ http://calomel.org

On Tue, Oct 23, 2007 at 11:23:05PM -0500, david l goodrich wrote:
On Tue, Oct 23, 2007 at 05:46:45PM -0400, Calomel wrote:
David,

Was the offending client completing the 3-way handshake every time it connected?

For stateful TCP connections, limits on established connections (connections which have completed the TCP 3-way handshake) can also be enforced per source IP. The max-src-conn-rate number/seconds limit the rate of new connections over a time interval. The connection rate is an approximation calculated as a moving average.

You may also want to use synproxy for ssh and take a look at max-src-states. I have examples here:
http://calomel.org/pf_config.html

I didn't respond to this until now, because I wanted to do some research first. As the hosts that are being blocked by this aren't hosts I control, I needed to set up some access on the outside.

So it looks like i can run 'nmap -sS -p22 25.103.82.80/28' until doomsday and it will always show as a passed connection. But when i start telnetting to port 22 on machines in this subnet, the fourth 'telnet' connection is blocked, no matter which host I hit previously.

So I think that you are correct in that the attackers are not initially completing the 3-way handshake, and are thus not tripping the filter. I'll look into max-src-states, but I think now that I've shown that the actual attack (if that's what they are) attempts are blocked properly, I'm not terribly concerned if they can scan the subnet.

Thanks,
--david

--
Calomel @ http://calomel.org

On Tue, Oct 23, 2007 at 03:58:52PM -0500, david l goodrich wrote:
Nobody? Sad, it's still doing it.

On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
I've set up a max-src-conn-rate rule on my gateway router to mitigate brute-force ssh attacks. This router protects a /28 subnet, 25.108.82.80/28. The relevant rules:

# pfctl -sr | grep attack
block drop in log quick proto tcp from <sshd_attackers> to any
pass in log proto tcp from any to any port = ssh keep state (source-track rule, max-src-conn-rate 3/30, overload <sshd_attackers> flush global, src.track 30)
#

What the three columns of output in the below tcpdump output are: timestamp, rule action, and target host. As you can tell from the tcpdump command, the sending host is the same in all cases, 208.53.147.204

# tcpdump -enr /var/log/pflog host 208.53.147.204 \
  | awk '{print $1,$4,$11}' | sed s/.22:// | head -30
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
12:09:45.849594 pass 25.103.82.80
12:09:45.850279 pass 25.103.82.82
12:09:45.850827 pass 25.103.82.83
12:09:45.851310 pass 25.103.82.84
12:09:45.852003 pass 25.103.82.85
12:09:45.852496 pass 25.103.82.86
12:09:45.853007 pass 25.103.82.87
12:09:45.866580 pass 25.103.82.88
12:09:45.867345 pass 25.103.82.89
12:09:45.868339 pass 25.103.82.92
12:09:45.902389 pass 25.103.82.95
12:25:52.632295 pass 25.103.82.80
12:25:52.632973 pass 25.103.82.82
12:25:52.648804 pass 25.103.82.83
12:25:52.684792 pass 25.103.82.84
12:25:52.687989 pass 25.103.82.85
12:25:52.688652 pass 25.103.82.86
12:25:52.690882 pass 25.103.82.87
12:25:52.691371 pass 25.103.82.88
12:25:52.692290 pass 25.103.82.89
12:25:52.695340 pass 25.103.82.92
12:25:52.698864 pass 25.103.82.95
13:08:36.949178 pass 25.103.82.87
13:08:38.864585 pass 25.103.82.87
13:08:40.452215 pass 25.103.82.87
13:08:42.038388 pass 25.103.82.87
13:08:46.923469 block 25.103.82.88
13:08:49.922116 block 25.103.82.88
13:08:50.212040 block 25.103.82.87
13:08:51.099435 block 25.103.82.87
#

It seems to me like this host should have been blocked back at 12:09:45, not 13:08:46. Am I misunderstanding the rule?

--david
Re: max-src-conn-rate rule question
David,

Was the offending client completing the 3-way handshake every time it connected?

For stateful TCP connections, limits on established connections (connections which have completed the TCP 3-way handshake) can also be enforced per source IP. The max-src-conn-rate number/seconds limit the rate of new connections over a time interval. The connection rate is an approximation calculated as a moving average.

You may also want to use synproxy for ssh and take a look at max-src-states. I have examples here:
http://calomel.org/pf_config.html

--
Calomel @ http://calomel.org

On Tue, Oct 23, 2007 at 03:58:52PM -0500, david l goodrich wrote:
Nobody? Sad, it's still doing it.

On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
I've set up a max-src-conn-rate rule on my gateway router to mitigate brute-force ssh attacks. This router protects a /28 subnet, 25.108.82.80/28. The relevant rules:

# pfctl -sr | grep attack
block drop in log quick proto tcp from <sshd_attackers> to any
pass in log proto tcp from any to any port = ssh keep state (source-track rule, max-src-conn-rate 3/30, overload <sshd_attackers> flush global, src.track 30)
#

What the three columns of output in the below tcpdump output are: timestamp, rule action, and target host. As you can tell from the tcpdump command, the sending host is the same in all cases, 208.53.147.204

# tcpdump -enr /var/log/pflog host 208.53.147.204 \
  | awk '{print $1,$4,$11}' | sed s/.22:// | head -30
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
12:09:45.849594 pass 25.103.82.80
12:09:45.850279 pass 25.103.82.82
12:09:45.850827 pass 25.103.82.83
12:09:45.851310 pass 25.103.82.84
12:09:45.852003 pass 25.103.82.85
12:09:45.852496 pass 25.103.82.86
12:09:45.853007 pass 25.103.82.87
12:09:45.866580 pass 25.103.82.88
12:09:45.867345 pass 25.103.82.89
12:09:45.868339 pass 25.103.82.92
12:09:45.902389 pass 25.103.82.95
12:25:52.632295 pass 25.103.82.80
12:25:52.632973 pass 25.103.82.82
12:25:52.648804 pass 25.103.82.83
12:25:52.684792 pass 25.103.82.84
12:25:52.687989 pass 25.103.82.85
12:25:52.688652 pass 25.103.82.86
12:25:52.690882 pass 25.103.82.87
12:25:52.691371 pass 25.103.82.88
12:25:52.692290 pass 25.103.82.89
12:25:52.695340 pass 25.103.82.92
12:25:52.698864 pass 25.103.82.95
13:08:36.949178 pass 25.103.82.87
13:08:38.864585 pass 25.103.82.87
13:08:40.452215 pass 25.103.82.87
13:08:42.038388 pass 25.103.82.87
13:08:46.923469 block 25.103.82.88
13:08:49.922116 block 25.103.82.88
13:08:50.212040 block 25.103.82.87
13:08:51.099435 block 25.103.82.87
#

It seems to me like this host should have been blocked back at 12:09:45, not 13:08:46. Am I misunderstanding the rule?

--david
Re: [Newbie] OpenBSD HTTP proxy
Tony,

I agree with lars, squid is an excellent choice to proxy http and https. Here are some instructions and a working example if you need them.

Squid Proxy (Secure, Paranoid and Non-caching)
http://calomel.org/squid.html

--
Calomel @ http://calomel.org

On Tue, Oct 09, 2007 at 03:43:12AM +0300, Lars Noodén wrote:
Tony Bruguier wrote:
... I would like to install an HTTP proxy. ...

Squid is recommended. Read the directions carefully and you will have to make one or two changes to the configuration. Have squid listen localhost and then tunnel to get to it.

... In the long term, I would like to implement a full IP tunnelling. Any solutions?

Ease him off of Windows. Many of the games he is addicted to will run under WINE.

-Lars
Re: pf
padilla,

Perhaps if you take a step back and look at an example of pf everything might make more sense. It might help if you had a working pf.conf to learn from and a basic explanation of what each part of pf does.

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html

This example might be more than you really wanted for your machine, but it should point you in the right direction for a secure nat'ed firewall. When you become more fluent in pf, I have included a few of the more useful options in the same example.

If you have any questions I would be happy to help.

--
Calomel @ http://calomel.org

On Fri, Oct 05, 2007 at 08:25:26AM -0400, a.padilla wrote:
ext_if =rl0 #macro for external interface
int_if =dc0 #macro for internal interface
localnet= $int_if:network
nat on $ext_if from $localnet to any -> ($ext_if)
#block in
pass out keep state
pass out on $ext_if proto tcp all
pass inet proto tcp from {lo0, $localnet} to any keep state

I commented out block in for testing purposes. still, no success. If you know what's wrong, please don' t just answer. I want to understand the solution. ip forwarding is set to 1 and pf is enabled.

On Oct 4, 2007, at 11:50 AM, Roman Strogin wrote:
On 10/4/07, a.padilla [EMAIL PROTECTED] wrote:
Hi, I'm a student trying to learn pf on my own. I'm trying to set up a nat. I've read documentation yet I still can't get the internal machine to communicate to the outside world. I've been following this documentation: http://www.openbsd.org/faq/pf/nat.html before I go any further, is this the correct place to ask this sort of question?

1) Have you enabled IP forwarding or, in other words, have you uncommented following lines in your /etc/sysctl.conf:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

2) Show your pf.conf.

Roman.
Re: pf
matheus,

It is the order. The first queue is for bulk packets and the second is for ack packets. Daniel Hartmeier has a detailed page with examples that may make this clearer.

Prioritizing empty TCP ACKs with pf and ALTQ
http://www.benzedrine.cx/ackpri.html

--
Calomel @ http://calomel.org

On Sat, Oct 06, 2007 at 12:36:42AM -0300, Nenhum_de_Nos wrote:
On 10/5/07, Calomel [EMAIL PROTECTED] wrote:
padilla,

Perhaps if you take a step back and look at an example of pf everything might make more sense. It might help if you had a working pf.conf to learn from and a basic explanation of what each part of pf does.

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html

This example might be more than you really wanted for your machine, but it should point you in the right direction for a secure nat'ed firewall. When you become more fluent in pf, I have included a few of the more useful options in the same example.

If you have any questions I would be happy to help.

--
Calomel @ http://calomel.org

hi,

i read the referred link and this as well http://calomel.org/pf_hfsc.html but if you let me, I do have a question. when you say:

pass out on $ExtIf inet proto tcp from ($ExtIf) to any flags S/SA modulate state queue (bulk, ack)
pass out on $ExtIf inet proto tcp from ($ExtIf) to any port ssh flags S/SA modulate state queue (ssh_bulk, ssh_login)

The first rule is passing out bulk traffic on the external interface and prioritizing ack packets. The second rule is passing out data on port 22(ssh) and prioritizing the interactive ssh traffic. This traffic is originating on our internal network or on the firewall itself.

you say the two queues are bound to that rule in that line ? I never got 100% this bindings from queues and rules. how will pf know that in the first rule, it will treat ack packets different from bulk ones ? thats my main doubt ... is the order (bulk,ack) that does it ? or anything with the flags (S/SA) ? I really never got the mechanics of this ...

if anyone could explain,

thanks,

matheus

--
We will call you cygnus,
The God of balance you shall be