Re: pf ALTQ bandwidth limited to a 32bit value (4294Mb)

2011-07-07 Thread Calomel Org
Ermal,

Thanks for the diff. When we tried it on FreeBSD 8.2-p2, ALTQ would no
longer start. We also looked into the source under
/usr/src/sys/contrib/altq/altq. Sadly, most of the changes we made
either broke altq completely or had no effect.

If you have any other ideas we would be happy to try them out.

--
   Calomel @ https://calomel.org
   Open Source Research and Reference


On Thu, Jul 07, 2011 at 09:28:13AM -0400, Ermal Luçi wrote:
On Wed, Jul 6, 2011 at 5:25 PM, Calomel Org
infallibilismindefeasibil...@calomel.org wrote:
 ALTQ using hfsc is limited to a maximum parent bandwidth of 4294Mb.
 This value is 2^32 or 4,294,967,296 bits. If you set the bandwidth any
 higher, altq will flip back to zero. This bug was found when trying
 to test 10 gigabit and 40 gigabit bandwidth models. These tests were
 done on OpenBSD 32bit and 64bit as well as FreeBSD 32bit and 64bit.

 If anyone else can verify this independently and agree with the
 results I would be happy to register it as a bug.


 How to replicate:

 A quick test is setting the bandwidth to 4294Mb and doing a pfctl -sq
 to check altq.

  altq on $ExtIf bandwidth 4294Mb hfsc queue { ack, web }
  queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}

 Now set the bandwidth to 4295Mb and notice altq has flipped to zero and
 added the 32.70Kb difference.

  altq on $ExtIf bandwidth 4295Mb hfsc queue { ack, web }
  queue root_em0 on em0 bandwidth 32.70Kb priority 0 {ack, web}

 Again, we can set the bandwidth to a multiple of two (2), 8589Mb.
 The bandwidth value flips to zero once and the result is 4.29Gb.

  altq on $ExtIf bandwidth 8589Mb hfsc queue { ack, web }
  queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}

 If we add one more megabit to 8590Mb the value flips twice and we are
 left with 65.41Kb.

  altq on $ExtIf bandwidth 8590Mb hfsc queue { ack, web }
  queue root_em0 on em0 bandwidth 65.41Kb priority 0 {ack, web}


It is true that there is a limit because of the data type used.
It cannot be fixed easily on i386, but on amd64 this should work.

Index: sys/contrib/pf/net/pfvar.h
===
--- sys/contrib/pf/net/pfvar.h  (revision 223824)
+++ sys/contrib/pf/net/pfvar.h  (working copy)
@@ -1491,13 +1491,13 @@
/* scheduler spec */
u_int8_t scheduler; /* scheduler type */
u_int16_ttbrsize;   /* tokenbucket regulator size 
 */
-   u_int32_tifbandwidth;   /* interface bandwidth */
+   u_int64_tifbandwidth;   /* interface bandwidth */

/* queue spec */
char qname[PF_QNAME_SIZE];  /* queue name */
char parent[PF_QNAME_SIZE]; /* parent name */
u_int32_tparent_qid;/* parent queue id */
-   u_int32_tbandwidth; /* queue bandwidth */
+   u_int64_tbandwidth; /* queue bandwidth */
u_int8_t priority;  /* priority */
 #ifdef __FreeBSD__
u_int8_t local_flags;   /* dynamic interface */
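Review bot: widening ifbandwidth and bandwidth to u_int64_t changes the size and layout of struct pf_altq, and that structure is what pfctl hands to the kernel through the pf ioctl interface, so a kernel and a pfctl built from different versions of this header disagree on the structure; that mismatch is consistent with the report earlier in the thread that ALTQ no longer starts after applying the diff, and the change needs a note that kernel and pfctl must be rebuilt together. The hunk also only widens storage: the code that fills and consumes these two members (pfctl's bandwidth parsing and queue evaluation, and the scheduler code under sys/contrib/altq that copies them into its own 32-bit rate fields) still does 32-bit arithmetic, so values above 2^32 bits keep wrapping on amd64 as well until those sites are widened too. Independently of that, the parser should refuse a bandwidth that does not fit the field it is stored in and fail the ruleset load with an explicit error, rather than silently wrapping 4295Mb to 32.70Kb as shown above; that check is the cheap fix for the i386 case the reply says cannot be fixed easily.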



 Thanks.

 --
   Calomel @ https://calomel.org
   Open Source Research and Reference
 ___
 freebsd...@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-pf
 To unsubscribe, send any mail to freebsd-pf-unsubscr...@freebsd.org




-- 
Ermal



pf ALTQ bandwidth limited to a 32bit value (4294Mb)

2011-07-06 Thread Calomel Org
ALTQ using hfsc is limited to a maximum parent bandwidth of 4294Mb.
This value is 2^32 or 4,294,967,296 bits. If you set the bandwidth any
higher, altq will flip back to zero. This bug was found when trying
to test 10 gigabit and 40 gigabit bandwidth models. These tests were
done on OpenBSD 32bit and 64bit as well as FreeBSD 32bit and 64bit.

If anyone else can verify this independently and agree with the
results I would be happy to register it as a bug. 


How to replicate:

A quick test is setting the bandwidth to 4294Mb and doing a pfctl -sq
to check altq.

 altq on $ExtIf bandwidth 4294Mb hfsc queue { ack, web }
 queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}

Now set the bandwidth to 4295Mb and notice altq has flipped to zero and
added the 32.70Kb difference.

 altq on $ExtIf bandwidth 4295Mb hfsc queue { ack, web }
 queue root_em0 on em0 bandwidth 32.70Kb priority 0 {ack, web}

Again, we can set the bandwidth to a multiple of two (2), 8589Mb.
The bandwidth value flips to zero once and the result is 4.29Gb.

 altq on $ExtIf bandwidth 8589Mb hfsc queue { ack, web }
 queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}

If we add one more megabit to 8590Mb the value flips twice and we are
left with 65.41Kb.

 altq on $ExtIf bandwidth 8590Mb hfsc queue { ack, web }
 queue root_em0 on em0 bandwidth 65.41Kb priority 0 {ack, web}


Thanks.

--
   Calomel @ https://calomel.org
   Open Source Research and Reference
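The arithmetic behind the 4295Mb to 32.70Kb figures in this post, as an added example that is not pf or pfctl code: a parser for the <number>[K|M|G]b bandwidth spec that works in 64 bits, the truncation to a u_int32_t member such as the ones in struct pf_altq, and the range check that turns the silent wrap into a configuration error. The spec grammar (decimal 1000-based multipliers, trailing b) and the Kb/Mb/Gb rendering with two decimals are assumptions modelled on the pfctl -sq output quoted in the post; the function names are this example's own.

```c
/* Added example, not pf or pfctl code: reproduces the 32-bit wraparound the
 * post reports. Bandwidth specs are parsed into a 64-bit bit rate, then
 * truncated to 32 bits the way assignment to a u_int32_t struct member would,
 * and a range check shows what a parser should do instead of silently wrapping.
 * Assumptions: decimal (1000-based) K/M/G multipliers and a trailing 'b',
 * modelled on the pfctl -sq output quoted in the post. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "<number>[K|M|G][b]" into bits per second. Returns 0 on any error
 * (0 is not a usable bandwidth, so it doubles as the failure value). */
uint64_t parse_bandwidth(const char *spec)
{
    char *end;
    errno = 0;
    double v = strtod(spec, &end);
    if (end == spec || errno != 0 || v <= 0)
        return 0;
    uint64_t mult = 1;
    switch (toupper((unsigned char)*end)) {
    case 'K': mult = 1000ULL; end++; break;
    case 'M': mult = 1000000ULL; end++; break;
    case 'G': mult = 1000000000ULL; end++; break;
    default: break;
    }
    if (tolower((unsigned char)*end) == 'b')
        end++;
    if (*end != '\0')
        return 0;                       /* trailing junk */
    return (uint64_t)(v * (double)mult);
}

/* What survives assignment to a u_int32_t member: the value modulo 2^32. */
uint32_t truncate32(uint64_t bps)
{
    return (uint32_t)bps;
}

/* The check the config parser lacks: refuse anything a 32-bit field cannot
 * hold, so 4295Mb becomes an error instead of 32.70Kb. */
int check_bandwidth(uint64_t bps)
{
    return bps != 0 && bps <= UINT32_MAX;
}

/* Render a bit rate the way pfctl -sq prints it: scale by 1000 up to the
 * largest unit that keeps the number below 1000, two decimals. */
void format_bandwidth(uint64_t bps, char *out, size_t n)
{
    static const char *units[] = { "b", "Kb", "Mb", "Gb" };
    double r = (double)bps;
    size_t i = 0;
    while (r >= 1000.0 && i < 3) {
        r /= 1000.0;
        i++;
    }
    snprintf(out, n, "%.2f%s", r, units[i]);
}

int main(void)
{
    /* Constructed inputs: the four values from the post plus the 10G and
     * 40G models the reporter was trying to build. */
    const char *specs[] = { "4294Mb", "4295Mb", "8589Mb", "8590Mb", "10Gb", "40Gb" };
    char full[32], kept[32];

    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        uint64_t bps = parse_bandwidth(specs[i]);
        format_bandwidth(bps, full, sizeof full);
        format_bandwidth(truncate32(bps), kept, sizeof kept);
        printf("%-7s = %11llu bits (%s), u_int32_t keeps %-8s %s\n", specs[i],
               (unsigned long long)bps, full, kept,
               check_bandwidth(bps) ? "ok" : "REJECT: exceeds 32-bit field");
    }
    return 0;
}
```

Running it prints one line per spec; the 4295Mb, 8589Mb and 8590Mb lines reproduce the 32.70Kb, 4.29Gb and 65.41Kb values from the pfctl -sq output above, and the check column is where a real parser should stop instead of loading the wrapped value.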



Re: PF BINAT on entire /24 subnet

2010-06-05 Thread Calomel Org
Paolo,

You may need to use the bitmask directive.

bitmask - grafts the network portion of the pool address over top of
the address that is being modified (source address for nat-to rules,
destination address for rdr-to rules).

Example: if the address pool is 192.0.2.1/24 and the address being
modified is 10.0.0.50, then the resulting address will be 192.0.2.50.
If the address pool is 192.0.2.1/25 and the address being modified is
10.0.0.130, then the resulting address will be 192.0.2.2. 

http://www.openbsd.org/faq/pf/pools.html

--
   Calomel @ https://calomel.org
   Open Source Research and Reference


On Sat, Jun 05, 2010 at 11:41:43AM -0400, Paolo Reyes Balleza wrote:
Hello all,

I was using pf's (OBSD 4.6) binat for openvpn purposes with
192.168.0.0/24 binatted to 192.0.2.0/24 since I can't renumber the local
LAN to avoid the overlap.

This doesn't work with current:
match on tun0 from 192.168.0.0/24 to any binat-to 192.0.2.0/24
for the entire subnet any more.

Everything gets routed to 192.168.0.0 no matter what external host
address I use. It used to be that 192.0.2.1 would map out to
192.168.0.1.

One to one mapping does work though.

Is this the new behaviour of pf?

Just asking because it'd be a PITA to map each host.

Cheers and thanks in advance.
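The address arithmetic behind the bitmask pool option described in this reply, as an added example that is not pf code: the network part of the pool address replaces the network part of the address being translated and the host bits are kept, which is what makes a /24-to-/24 mapping like the one in the question come out as 192.168.0.1 to 192.0.2.1. The function names are this example's own; the inputs are the two FAQ cases quoted above and the question's subnet pair, constructed here.

```c
/* Added example, not pf code: the address arithmetic behind pf's "bitmask"
 * pool option as the quoted FAQ text describes it. The network part of the
 * pool address is grafted over the address being translated and the host
 * part of the original address is kept. IPv4 only. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Netmask for a prefix length 0..32, host byte order. */
uint32_t prefix_mask(int prefix)
{
    if (prefix <= 0)
        return 0;
    if (prefix >= 32)
        return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - prefix);
}

/* bitmask grafting on host-order addresses: network bits from the pool,
 * host bits from the address being modified. */
uint32_t bitmask_translate(uint32_t pool, int prefix, uint32_t addr)
{
    uint32_t m = prefix_mask(prefix);
    return (pool & m) | (addr & ~m);
}

/* Parse "a.b.c.d/len" into a host-order address and prefix length.
 * Returns 1 on success, 0 on malformed input or a prefix outside 0..32. */
int parse_cidr(const char *cidr, uint32_t *addr, int *prefix)
{
    char buf[32];
    if (strlen(cidr) >= sizeof buf)
        return 0;
    strcpy(buf, cidr);
    char *slash = strchr(buf, '/');
    if (slash == NULL)
        return 0;
    *slash = '\0';
    char *end;
    long p = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || p < 0 || p > 32)
        return 0;
    struct in_addr a;
    if (inet_pton(AF_INET, buf, &a) != 1)
        return 0;
    *addr = ntohl(a.s_addr);
    *prefix = (int)p;
    return 1;
}

/* String front end: pool "192.0.2.1/24", address "10.0.0.50" -> "192.0.2.50".
 * Returns 1 and fills out on success, 0 on bad input. */
int bitmask_translate_str(const char *pool_cidr, const char *addr_str,
                          char *out, size_t n)
{
    uint32_t pool, addr;
    int prefix;
    struct in_addr a;
    if (!parse_cidr(pool_cidr, &pool, &prefix))
        return 0;
    if (inet_pton(AF_INET, addr_str, &a) != 1)
        return 0;
    addr = ntohl(a.s_addr);
    a.s_addr = htonl(bitmask_translate(pool, prefix, addr));
    return inet_ntop(AF_INET, &a, out, (socklen_t)n) != NULL;
}

int main(void)
{
    /* Constructed cases: the two from the FAQ text, the question's
     * 192.168.0.0/24 to 192.0.2.0/24 mapping, and the reply direction. */
    const char *cases[][2] = {
        { "192.0.2.1/24",   "10.0.0.50"   },
        { "192.0.2.1/25",   "10.0.0.130"  },
        { "192.0.2.0/24",   "192.168.0.1" },
        { "192.168.0.0/24", "192.0.2.1"   },
    };
    char out[INET_ADDRSTRLEN];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (bitmask_translate_str(cases[i][0], cases[i][1], out, sizeof out))
            printf("pool %-16s addr %-12s -> %s\n", cases[i][0], cases[i][1], out);
    }
    return 0;
}
```

The last two cases show why bitmask is a fit for the question: with equal-length /24 prefixes the host octet passes through unchanged in both directions, so every host gets a distinct public address without one rule per host.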



Re: pf and ftp-proxy active/passive problems

2010-06-03 Thread Calomel Org
Teemu,

We have to be careful when testing ftp. Different ftp binaries for
different OS's use different default options. For example, the ftp
binary on OpenBSD v4.7 uses passive ftp by default, so the
commands ftp and ftp -p are exactly the same. Some older Solaris
machines use active only and ftp on Ubuntu 10.04 uses active by
default.

Passive should work from your firewall, but active (PORT) probably
will not. Active will only work if you accept a connection from any ip
from port 20 to any upper port on the firewall. Not very common.

The machine behind the firewall should be able to do active and
passive because the ftp-proxy, if setup correctly, will anchor the
proper rules to allow both connection types.

For more testing you can setup the ftp-proxy daemon to log its
connections to /var/log/daemon using /usr/sbin/ftp-proxy -D7 -v.
You may also want to add the log keyword to your Pf rules so you
can watch the logs with tcpdump -n -e -ttt -v -i pflog0.

Then make sure you are using the correct ftp arguments for your ftp
binary to make a passive and active connection on your LAN machine.
Check the man page on the machine behind the firewall.

Once you have a reliable set of test responses you should have a
better idea of where the problem is.


Make sense?


BTW, we have examples of Pf and ftp-proxy on our site; see signature.

I checked out your pf.conf. If you have time you may want to try
putting your ps3 and NHL10 rules in an anchor to clean things up. How
about adding QOS so the gamers get higher network priority? :)

--
   Calomel @ https://calomel.org
   Open Source Research and Reference


On Thu, Jun 03, 2010 at 02:14:53AM -0400, Teemu Rinta-aho wrote:
On Jun 3, 2010, at 3:51 AM, Calomel Org wrote:

 Teemu,

 Are you sure the ftp server you are connecting to supports active and
 passive ftp? You may want to try your test against ftp.openbsd.org.

That is a very good point. I thought so as I got both modes working
from different nodes, but I am not sure any more. I tried to
ftp.openbsd.org and the results are different indeed.

From a host behind my pf machine:

host$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
229 Entering Extended Passive Mode (|||60318|)
ftp: Can't connect to `129.128.5.191': Connection refused
200 EPRT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.

host$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
229 Entering Extended Passive Mode (|||63762|)
ftp: Can't connect to `129.128.5.191': Connection refused

From the pf machine:

fw$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.

fw$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.

If that doesn't ring a bell and you still have time and
interest, my pf.conf is at http://www.rinta-aho.org/tmp/pf.conf

Thanks!

Teemu



Re: PF Tables scoping.

2010-06-02 Thread Calomel Org
James,

I can confirm. If a table is created by an anchor with the same name as
an existing table the following error is printed:

pfctl: warning: namespace collision with <BLOCKTEMP> global table.


The anchors table is different from the main pf table.

pfctl -vvs Tables 
--a-rhC BLOCKTEMP
Addresses:   12
Cleared: Wed Dec 31 19:00:00 1969

pfctl -a games -vvs Tables 
--a-r-C BLOCKTEMP   games
Addresses:   0
Cleared: Wed Jun  2 16:40:14 2010

--
   Calomel @ https://calomel.org
   Open Source Research and Reference


On Wed, Jun 02, 2010 at 04:23:54PM -0400, James Records wrote:
On Wed, Jun 2, 2010 at 10:48 AM, James Records <james.records@gmail.com> wrote:

 Hi All,

 Having an issue with anchors and tables again, I had this same issue a
 couple of years ago in 4.5 but never got any response, hoping someone can
 shed some light onto what I'm missing here, or if this is even supported,
 I'm trying to use an overload rule inside of an anchor to populate a table
 defined outside of all anchors.  I haven't seen anything that specifically
 says this isn't supported, but if thats the case I'd like to get it
 clarified.  Here are snippets of pf.conf that don't work, and one that does,
 and an explanation of why I can't just use the one that does work without
 side effects.

 Thanks in advance,

 J



 Doesn't work:

 ##############
 ### Tables ###
 ##############
 table <blocked_sites> persist

 #####################
 ### Blocked Sites ###
 #####################
 anchor Blocked_Sites {
   block in quick from <blocked_sites> to any
 }

 ###############
 ### TEST_IN ###
 ###############
 anchor TEST_IN {
   pass in log quick on em0 inet proto tcp \
       from any to <TEST_IN_dst> \
       port { 443 } keep state \
       (max 100, source-track rule, max-src-nodes 10, max-src-states 20, \
       max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
 }


 But remove the anchor from the overload rule and it works fine:

 ##############
 ### Tables ###
 ##############
 table <blocked_sites> persist

 #####################
 ### Blocked Sites ###
 #####################
 anchor Blocked_Sites {
   block in quick from <blocked_sites> to any
 }

 ###############
 ### TEST_IN ###
 ###############
 #anchor TEST_IN {
 pass in log quick on em0 inet proto tcp \
     from any to <TEST_IN_dst> \
     port { 443 } keep state \
     (max 100, source-track rule, max-src-nodes 10, max-src-states 20, \
     max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
 #}

 This would be simple enough but I want to be able to parse my logs using
 the anchor names, this isn't possible using the 2nd method.

 The docs say this should just work from everything I can tell, I can read
 from a global table from within an anchor but am failing to write to it
 from within an anchor using the overload rule




Just an update, I've done some more digging, it seems like I'm running into
an issue where its creating a new table inside the anchor, I'm thinking this
is just a bug where the table gets created because it doesn't look outside
of the anchor to see if one already exists, but I just want to get another
pair of eyes to confirm.

Thanks
J

$ pfctl -vvs Tables
-pa--h-  blocked_sites
   Addresses:   0
   Cleared: Wed Jun  2 06:10:20 2010
   References:  [ Anchors: 3  Rules: 0  ]
   Evaluations: [ NoMatch: 162Match: 0  ]
   In/Block:[ Packets: 0  Bytes: 0  ]
   In/Pass: [ Packets: 0  Bytes: 0  ]
   In/XPass:[ Packets: 0  Bytes: 0  ]
   Out/Block:   [ Packets: 0  Bytes: 0  ]
   Out/Pass:[ Packets: 0  Bytes: 0  ]
   Out/XPass:   [ Packets: 0  Bytes: 0  ]

$ pfctl -a TEST_IN -vvs Tables
--a-r--  blocked_sites   TEST_IN
   Addresses:   1
   Cleared: Wed Jun  2 01:55:11 2010
   References:  [ Anchors: 0  Rules: 5  ]
   Evaluations: [ NoMatch: 114Match: 69 ]
   In/Block:[ Packets: 69 Bytes: 6732   ]
   In/Pass: [ Packets: 0  Bytes: 0  ]
   In/XPass:[ Packets: 0  Bytes: 0  ]
   Out/Block:   [ Packets: 0  Bytes: 0  ]
   Out/Pass:[ Packets: 0  Bytes: 0  ]
   Out/XPass:   [ Packets: 0  Bytes: 0  ]



Re: pf and ftp-proxy active/passive problems

2010-06-02 Thread Calomel Org
Teemu,

Are you sure the ftp server you are connecting to supports active and
passive ftp? You may want to try your test against ftp.openbsd.org.
This is a linux machine behind a pf firewall (openbsd v4.7) using
ftp-proxy. Both active (PORT) and passive listings seem to work.

$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.

$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
227 Entering Passive Mode (129,128,5,191,214,178)
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x  2 0  0  512 May  4  2009 etc
drwxr-xr-x  3 0  0  512 Jul 21  2009 pub
226 Transfer complete.


Was this the problem?

--
   Calomel @ https://calomel.org
   Open Source Research and Reference


On Wed, Jun 02, 2010 at 07:23:24PM -0400, Teemu Rinta-aho wrote:
Hi all,

(First, sorry if you receive this e-mail multiple times,
I changed my smtp server as the first one doesn't seem
to get mails to this list.)

my firewall (OpenBSD 4.7) is running packet filter with NAT
and tcp-proxy to provide FTP for hosts in the network behind
the firewall/NAT.

The problem is that a host behind the firewall, connecting
to an FTP server in the internet through the firewall, active
mode works but passive doesn't. On firewall's external
interface I can see packets going to the FTP server but no reply
packets.

Trying FTP directly from the firewall, passive mode works but active
doesn't (ftp client says 425 Could not open data connection
to port 55476: Connection refused). In this case ftp-proxy is
not used as the firewall should be just like any other ftp client.

I have updated my pf.conf as per the 4.7 upgrade instructions
and I have run tcpdump to network interfaces as well as pflog0,
but so far I don't understand what might be wrong. I tried to
see pf rules or states inserted by ftp-proxy with commands like
'pfctl -a ftp-proxy/* -sr' but either it doesn't print anything
and trying 'pfctl -a '*' -sr' I get:


anchor "*" all {
pfctl: DIOCGETRULES: Invalid argument
}
...

Any help appreciated. It is not a showstopper but pretty annoying,
as e.g. Firefox defaults to passive mode.

Teemu



Re: AMD power reduction

2010-02-05 Thread Calomel Org
You can use apm. It will only save a few watts, but it may reduce the
cooling costs by reducing the heat generated by the CPU. If you have
_many_ machines you can easily reduce the temperature of the server room
by a few degrees C. 

  Advanced Power Management control
  https://calomel.org/apm_control.html

--
   Calomel @ https://calomel.org
   Open Source Research and Reference


On Fri, Feb 05, 2010 at 11:37:16AM -0500, Jean-Francois wrote:
On Friday 05 February 2010 11:17:51, you wrote:
 On 04/02/2010 23:02, Jean-Francois wrote:
  All,
 
  I am looking forward to reduce the TDP for a server planned to be built.
  As low as possible shall be best, is AMD cool'n quiet operating with
  latest OpenBSD ?
 
  Regards

 Depending on what you where looking at, you can reduce the voltages (if
 your BIOS has this much control) and this will lower power/heat. I've
 done this on PC's with bad HSF in hot temperatures. Though, like over
 clocking, it's an art that requires testing, trying and patience to find
 the lowest/highest while still being stable


Hello,

I think of doing this too.
What I would like to understand is if I will be able to use the frequency
change 1000 / 2000 MHz dynamic load based.

Regards



Re: possible to configure PF to simulate latency and 1% packet loss?

2010-01-22 Thread Calomel Org
Andres,

You can add packet loss by using the probability argument on a pf
rule. You use either a block or pass rule.

probability number

A probability attribute can be attached to a rule, with a
value set between 0 and 1, bounds not included.  In that case, the
rule will be honored using the given probability value only.  For
example, the following rule will drop 20% of incoming ICMP packets:

   block in proto icmp probability 20%


I do not believe you can add latency timings using PF. I agree, this
would be very helpful for testing.

--
   Calomel @ https://calomel.org
   Open Source Research and Reference


On Fri, Jan 22, 2010 at 03:13:09PM -0500, Andres Salazar wrote:
Hello,

Is it possible to do some rule in pf to simulate 300ms of latency?
This is for testing purposes.

A plus would be to simulate 1% packet loss.

Many Thanks!!



Re: PF cluestick please - low priority queue spills over into normal queue

2010-01-06 Thread Calomel Org
Aaron,

When you say, seem to spill over into the normal queue do you mean
the bittor queue is borrowing bandwidth from the total amount of
bandwidth available?

You may need to set a limit on the bittor queue if you want to limit
its bandwidth. The OpenBSD Faq says, CBQ queues are arranged in an
hierarchical manner. At the top of the hierarchy is the root queue
which defines the total amount of bandwidth available. Child queues
are created under the root queue, each of which can be assigned some
portion of the root queue's bandwidth. For example, queues might be
defined as follows:

 Root Queue (2Mbps)
   Queue A (1Mbps) 
   Queue B (500Kbps) 
   Queue C (500Kbps) 


Also, you can use HFSC queueing for this as well. 

 Hierarchical Fair Service Curve (HFSC) of OpenBSD
 https://calomel.org/pf_hfsc.html

--
   Calomel @ https://calomel.org
   Open Source Research and Reference


On Tue, Jan 05, 2010 at 07:14:59PM -0500, Aaron Mason wrote:
Hi all,

I've got the following pf.conf file for limiting bittorrent
connections and providing higher priority to a game server.  While the
latter works wonderfully, the bittorrent connections seem to spill
over into the normal queue and it's driving me crazy.

My /etc/pf.conf file is as follows:
set skip on lo

# Setting some constants
prio_port  = { 22 53 5900 }
shiori = 192.168.2.241/32
chechemaru = 192.168.2.251/32
wired_if   = rl0
wlan_if= ath0

hi_bw   = 33Mb
norm_bw = 20Mb
lo_bw   = 178415b

altq on $wired_if cbq bandwidth 54Mb queue { wired_hi, wired_norm, wired_lo }
  queue wired_hi bandwidth $hi_bw priority 2
  queue wired_norm bandwidth $norm_bw cbq(default) priority 3
  queue wired_lo bandwidth $lo_bw priority 4

altq on $wlan_if cbq bandwidth 54Mb queue { wlan_hi, wlan_norm, wlan_lo }
  queue wlan_hi bandwidth $hi_bw priority 2
  queue wlan_norm bandwidth $norm_bw cbq(default) priority 3
  queue wlan_lo bandwidth $lo_bw priority 4

# SSH and DNS traffic as well
pass out quick on $wired_if proto { tcp udp } to any port $prio_port \
   queue wired_hi
pass out quick on $wired_if proto { tcp udp } from any port $prio_port \
   queue wired_hi
pass out quick on $wlan_if proto { tcp udp } to any port $prio_port \
   queue wlan_hi
pass out quick on $wlan_if proto { tcp udp } from any port $prio_port \
   queue wlan_hi

#High priority to Shiori
pass out quick on $wired_if to $shiori queue wired_hi
pass out quick on $wlan_if from $shiori queue wlan_hi

#Low priority and limiting to Chechemaru
#NOTE: BT connections are bidirectional, hence the seemingly \
#redundant rules
pass out quick on $wired_if to $chechemaru queue wired_lo
pass out quick on $wired_if from $chechemaru queue wired_lo
pass out quick on $wlan_if to $chechemaru queue wlan_lo
pass out quick on $wlan_if from $chechemaru queue wlan_lo

# Everything else gets normal priority
# pass out quick on $wired_if queue wired_norm
#pass
block in on ! lo0 proto tcp to port 6000:6010

A typical output from pftop shows the contents of
http://paste2.org/p/596043 - notice the upstream going crazy.
Unfortunately pfTop hasn't been updated to take advantage of the
changes to pf, so it refuses to display the rules.  I'd do it myself
if I had a better understanding of how pf worked within, but I'm not
quite at that stage yet.

A very hard cluestick is greatly appreciated, to go along with the
concussion I am suffering from banging my head on the desk.

Regards


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: online documentation for new smtpd

2009-07-21 Thread Calomel Org
For official docs I think the man pages are it. They should contain
everything you need to get a working smtpd.conf .

We put together a page with a few working examples. OpenSMTPD works
fine for a low volume mail server and is very stable. It has been
running for a few months with no issues. 

 OpenSMTPD how to (smtpd.conf)
 https://calomel.org/opensmtpd.html

--
   Calomel @ https://calomel.org
   Open Source Research and Reference


On Tue, Jul 21, 2009 at 12:23:31PM -0400, Lars Nooden wrote:
I find the two manpages, smtpd(8) and smtpd.conf(5), in current.

Is there an official online documentation or project page available for
the new smtpd?

Regards
-Lars



Re: Calomel.org

2009-05-07 Thread Calomel
Thanks for the heads up.

I agree that with all of the work done in the newest MP kernel the
page is outdated. There should be time this month to test the newest
release and post the results. 

Network Speed and Performance Guide (OpenBSD)
https://calomel.org/network_performance.html

As Darren and the previous posts have said, always do your research
using multiple sources. We try to be as accurate on our site as
possible, but as in this case, some pages may become outdated. When
you find information that is useful compare it to the man pages, to
other resources on-line and ask questions.

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Thu, May 07, 2009 at 10:53:18AM -0400, Darrin Chandler wrote:
On Thu, May 07, 2009 at 12:03:23PM +, Stuart Henderson wrote:
 There are some useful things on the site, but please, use with a big
 pinch of salt.

This is true of any sites with OpenBSD help. Sometimes I've found some
info on these sites that's saved me much time, but I'd never take the
info without thinking it through myself, check against the man pages,
FAQ, etc.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
dwchand...@stilyagin.com   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: Problem with binat and ftp-proxy

2008-09-30 Thread Calomel
See if this works for you. Using the ftp proxy with binat probably
will not work. Lets say 100.20.30.40 is the external ip. 

# cat /etc/rc.local
 /usr/sbin/ftp-proxy -a 100.20.30.40 -p 8021 -q bulk

# cat /etc/pf.conf
### Translation ###
rdr on $DMZIf inet proto tcp from $DMZ to any port ftp -> lo0 port 8021

### Filtering ###
pass in log on $DMZIf inet proto tcp from $DMZ to lo0 port 8021 $TcpState 
$FtpIntIf


 Ftp-Proxy how to (forward and reverse proxy)
 https://calomel.org/ftp_proxy.html

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Tue, Sep 30, 2008 at 01:09:25PM +0200, Comète wrote:
Hi,

i run an OpenBSD 4.3 firewall with 3 network interfaces : 1 LAN, 1 WAN
and 1 DMZ
I use ftp-proxy to allow ftp client connections from my LAN and it works
well. On my DMZ, i have multiple servers (web,dns,smtp,etc...) and they
all have a different public IP. So, i use binat rules to nat them
easily and it works fine too.
But i need to allow these servers on DMZ to make FTP client connections
to external servers too. So I have put a rdr rule like the one i did for
my lan to make my DMZ servers use the ftp-proxy daemon. But this doesn't
work, i can only connect to external FTP servers from my DMZ servers if
I disable the binat rule associated with the server which tries to connect.

My question is, is there a way to do what i want to do ? :)

Thanks a lot !

below an extract of my pf rules:

nat on $ext_if from !$ext_if to any -> $firewall_pub
nat-anchor "ftp-proxy/*"

binat on $ext_if from $dns1_priv to any -> $dns1_pub
binat on $ext_if from $dns2_priv to any -> $dns2_pub
binat on $ext_if from $web_ville_priv to any -> $web_ville_pub
binat on $int_if from $web_ville_priv to any -> $web_ville_pub

rdr-anchor "ftp-proxy/*"
rdr on { $int_if $dmz1_if } proto tcp from any to any port ftp -> lo0 \
    port 8021

...

pass in quick log on $dmz1_if inet proto tcp from $DMZ1 to lo0 port 8021
pass in quick log on $int_if inet proto tcp from <acces_ftp_direct> to \
    lo0 port 8021
anchor "ftp-proxy/*"

...



Re: Light HTTP servers.

2008-07-20 Thread Calomel
Nuno,

I would highly suggest looking into Nginx. It is easy to build from
source and runs efficiently, using little memory or CPU time. Even
though it is a light web server compared to Apache, Nginx is able to
handle high traffic loads. The WordPress blogging system recently
converted all of its load balancers to Nginx, using the upstream hash
module to serve 8-9 thousand requests per second.

Unlike lighttpd, the author is actively developing Nginx and the
community is constantly building add-on modules. Finally, you can
easily secure Nginx to better protect your machine from abusive
clients.

 Nginx web server how to
 https://calomel.org/nginx.html

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Sun, Jul 20, 2008 at 03:14:40PM +0100, Nuno Magalhães wrote:
I have an old Compaq Armada 1500c with 32MB of RAM i want to use as a
webserver. Having it support PHP and mySQL would be fun since i intend
to use both. The same machine has sshd running and might also become a
print-server for a parallel Epson Stylus Color 740 if i can decide on
the print server (apparently either cups or lpd, whichever's lighter).

I haven't fiddled with it a whole lot, it's mostly just on and showing
top through ssh. Right now its memory line is this:
Memory: Real: 7200K/20M act/tot  Free: 3944K  Swap: 0K/66M used/tot
with its most cpu-intensive process being sendmail. I have no
mailserver, what's that for?

So, big servers like Apache are kind of out of the question. From the
package list i found Bozotic, lighttpd, nginx,  p5-HTTP-Server-Simple
and thttpd. Of those, nginx caught my eye and while searching i came
across cherokee-project.com,  Hiawatha (hiawatha.leisink.org) and also
shttpd.sourceforge.net

Is anyone using any of these or a lightweight httpd in general? I
don't mean small as in d116.com/ace/ nor are my resources as low as
d116.com/spud/ but useful input would be welcome. Ya know, the
constructive criticism type.

TIA

-- 
Nuno Magalhães



Re: question on spamd.alloweddomains

2008-06-21 Thread Calomel
Juan,

You can use email addresses, domains or partial domains in your
spamd.alloweddomains file. 

 Spamd tarpit/greylisting anti-spam how to (spamdb)
 https://calomel.org/spamd_config.html

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Sat, Jun 21, 2008 at 09:24:25AM -0400, Juan Miscaro wrote:
I have a question re spamd.alloweddomains.  The spamd man [0] page
talks about domain suffixes.  Is it possible to populate the file with
actual addresses?  Seems this would be more effective.

/juan

[0]
 The file /etc/mail/spamd.alloweddomains can be used to specify a list of
 domainname suffixes, one per line, one of which must match each destina-
 tion email address in the greylist.  Any destination address which does
 not match one of the suffixes listed in spamd.alloweddomains will be
 trapped, exactly as if it were sent to a spamtrap address.



Re: simple PF question

2008-06-20 Thread Calomel
Robert,

Your rule looks ok. You may want to add a variable for the port number
so you can add or delete them as needed. Something like...

### Ports
AllowOUT = "{ 22, 80, 443 }"

### Pass out interface
pass out on $int_if proto tcp from ($int_if) to any port $AllowOUT \
    modulate state flags S/SA


Hope this helps,

 OpenBSD Pf Firewall how to ( pf.conf )
 https://calomel.org/pf_config.html

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Fri, Jun 20, 2008 at 02:10:52PM -0700, Robert Gilaard wrote:
Hi folks,

All the time I had the following entries in my pf.conf for my Desktop system.
However, as I've bought this pf book that was lately released, I begin to
suspect that these rules are way too liberal.

If I only want to be able to browse the web and maybe use ssh-client, how 
should I rewrite the rules so that only those ports are open (80,443 and 22)?

I guess i'm looking forward to a RTFM answer, but hey, I wouldn't ask if I 
knew how to write them.

The best I could guess is:

pass out on $int_if proto tcp from any to any port 80 modulate state flags S/SA

But I don't know if this is correct.

Brgds
Robert



Re: OpenSSL On Openbsd help

2008-06-14 Thread Calomel
Khalid,

A certificate bought from a trusted Certificate Authority simply means
a client can verify the certificate's validity through a third party.
This does not mean the web page data is securely encrypted, does not
mean the data on the site is valid and does not mean that the data can
not be compromised on the client or server machines.

A basic SSL certificate says that the person or persons who bought the
certificate are the same person or persons that own the domain.  This
is the simplest check done by the Certificate Authority when a
certificate request (purchase) is made. The more expensive certs
require that the company ordering the certificate verify their legal
credentials. This may mean they have to FAX proof of their physical
location, their business status (INC, CO, etc.) and contact
information to the Certificate Authority and comply with an
investigation. This extended verification (EV) process is expensive
and can take weeks to complete.

I agree that an expensive SSL cert is only worth the money if the name
of the certificate authority means anything to the clients contacting
your site. 99.9% of the people do not know or care what a CA is.

Hope this helps.

 Guide to SSL Certificates
 https://calomel.org/ssl_certs.html

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Sun, Jun 15, 2008 at 03:02:48AM +1000, Damien Miller wrote:
On Sat, 14 Jun 2008, Khalid Schofield wrote:

 Hi,
 I need to get a proper signed ssl certificate for my ecommerce website
 hosted on my openbsd box. Getting confused as most websites describe
 how to do this in many different ways and most refer to self signed
 certificates. Wanted to ask the experts before I go and throw $100 at
 the task.

First, I'd recommend that you spend a little time reading up on X.509
certificates and how they relate to public key cryptography. There
are nasty consequences if you get things wrong that extend well past
wasting $100 on a certificate you can't use.

 So do I have to use pass phrases when generating the certificate? If
 I use a pass phrase why? How does it affect the certificate and its
 use?

Certificates don't have passphrases, private keys do. A key passphrase
gives some measure of protection should the file containing your key
fall into someone else's hands, e.g. by compromising your server. If
your private key is disclosed, an attacker could impersonate your server.

 Also if I use a pass phrase do I have to tell apache about it? Does it
 go in a config or do I have to enter it when reloading apache?

Putting it in a configuration file would defeat the purpose, no?
Yes, if you use a passphrase then you need to tell Apache about it every
time it is reloaded. For this reason, many web servers do not set
passphrases on their keys.

 Also what command do you use to do this? Please tell all :)

openssl req

OpenSSL is complex and patchily documented, it assumes that its users
are quite familiar with x.509 certificates and public key cryptography.
There are some frontends that make things more simple, and some good
guides on the net. Try typing openssl certificate into your favourite
search engine for a few.

 One last thing, who would you recommend to sign my CSR?

Go for the cheapest certification authority that is supported by Firefox
and Internet Explorer. Do not be fooled by any claims of premium
certification as the overwhelming majority of users do not check the
CA details.

 Thanks sorry for the stupid questions but I've never done this before
 and risked my actual money (only the companies).

Like I said, risking $100 on a dud cert is the least of your worries.

-d



Re: Multiple FTP servers behind firewalls

2008-06-04 Thread Calomel
Joe,

We have used a CARP firewall (two machines in failover and not
load balancing) in front of a dozen ftp servers. We use 12 different
IP addresses in total, with one ftp-proxy on each CARP interface
forwarding the traffic to one of the 12 backend ftp servers. This works
fine.

  Ftp-Proxy (forward and reverse proxy)
  https://calomel.org/ftp_proxy.html

If you use one external ip and thus one CARP virtual device, you might
be able to use different external ports redirected to each ftp-proxy
daemon.  This might cause a bit of confusion depending on your users
and what clients they use. Clients normally expect ftp to be on port
21 of course.  vhosts would definitely be a welcome addition, but I am
not sure how this would be implemented.

One problem you may see is when the CARP firewalls fail over. The
ftp-proxy anchors are not inherited by the second BACKUP firewall.
Clients can just reconnect after the BACKUP firewall comes up. You may
also want to see if you can limit ftp connections to passive mode only.
This seems to help with some of the broken windows clients, though you
can use the -r argument in ftp-proxy to suit ancient clients.

If anyone has any other solutions I would also be interested in
hearing about them.

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Wed, Jun 04, 2008 at 05:02:45PM +0100, Joe Warren-Meeks wrote:
Hey guys,

I have a pair of OpenBSD firewalls, using carp+pf protecting all
our services.

Now, we are going to end up in a situation where we need to have
multiple separate ftp servers behind these firewalls (one per project).
Currently I'm thinking of creating a new CARP interface on the external
interface with a unique IP and a separate ftp-proxy per back-end server

My question is basically has anyone done this already and does it work?

Are there any problems with having multiple CARP interfaces using the
same physical one?

Is there a better, easier solution? It's times like these that I wish
the ftp protocol included vhosts.

Cheers chaps.

 -- joe.

I don't like Annika. She's so pretentious.



Re: Is there a badblocks-equivalent for OpenBSD?

2008-04-18 Thread Calomel
Ropers,

You can find the badblocks utility prepackaged in e2fsprogs.
 

Hope this helps,

  BadBlocks Hard Drive Validation and/or Destructive Wipe
  http://calomel.org/badblocks_wipe.html

--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Fri, Apr 18, 2008 at 08:44:27PM +0200, ropers wrote:
Sometimes I find myself in need of a disk checking utility that can
check both disks with known *and unknown* filesystems, and/or that can
check even currently unpartitioned space on a disk.

There exists such a program for Linux, called badblocks:
http://www.linuxmanpages.com/man8/badblocks.8.php
A command of badblocks -svn /dev/devicename allows me to scan all
kinds of disks, even some of these old Macintosh floppies and other
esoteric stuff. The n is for a non-destructive read and write scan.
Basically it scans the entire disk, and doesn't care what's on it, it
just reads every single bit of data on the device, then does its write
test and write back the original data. Sure, fsck can also scan disks,
but AFAIK it can't do a surface scan, much less of an unknown file
system, because fsck only invokes file-system-specific programs.

Thus far, I've mostly booted Linux Live-CDs and then issued badblocks
-svn /dev/devicename whenever I needed to do such checks.

Is there a way to do the same thing with OpenBSD? I am not a
programmer, and anything exceeding script-kiddie level scripting will
probably be over my head.

Many thanks and kind regards,
--ropers



Re: spamd in modified greylisting mode.

2008-04-15 Thread Calomel
Preston,

I do not believe that spamd can deliver mail on the first attempt. Hosts
like Southwest airlines and a few others only attempt to send mail _once_
and never try again. Even worse are hosts that use unique From: addresses on
every attempt and thus never get white listed. Other hosts only retry the
delivery of mail once or twice in a four(4) hour period. I understand your
dilemma especially if you work in marketing.

Spamd needs to know about the host trying to deliver the mail before it can
white list the host. Normally, the remote host would need to connect to
your mail host at least three times before the mail can be delivered. For
example:

  attempt 1: host is GREY listed
  attempt 2: host is WHITE listed
  attempt 3: host connects to the real mail server to deliver its mail

We have written Perl scripts to watch the spamd logs and add remote hosts
that send to valid email addresses to the white list. This will reduce the
number of attempts the remote host needs to make down to two:

  attempt 1: host is GREY listed by spamd _and_ WHITE listed by our script
  attempt 2: host connects to the real mail server to deliver its mail

The speed at which the email is delivered is dependent on the retry rate of
the remote host. This is still not a perfect solution.

Now, you could try to collect a white list of hosts you always accept mail
for, but the problem is your users want to accept mail quickly from all
hosts.  If your business is highly dynamic and you accept email from new
potential clients all the time then this method is not really that helpful.

If anyone has any other ideas on this topic I would also be interested in
hearing them.


Hope this helps.

  Spamd tarpit/greylisting anti-spam how to
  http://calomel.org/spamd_config.html

--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Tue, Apr 15, 2008 at 10:48:47AM -0500, Preston Kutzner wrote:
I'm hoping someone can help me by answering a couple of questions
regarding spamd.  Ultimately, I'm wanting to know if the spamd setup
I'm envisioning is possible.  I'll explain the situation.

To begin, we attempted a typical setup of spamd in greylisting mode on
our firewall in front of our MX.  This worked great and was catching
lots of spam, for around 48 hours.  During this time, we (IT Dept.)
got several complaints about delayed delivery of emails from our
clients.  This was mostly due to impatient recipients within our
organization.  However, as a result, we were told, by executive order,
to shut down the greylisting.  Apparently the greylisting, in doing
what it's supposed to do, was disrupting time-sensitive email.
Nevermind that we were white-listing these senders as we were made
aware of them.

So, this brings me to my set-up inquiry.  We do receive lots of
delivery attempts to non-existent addresses in our domain and the
greytrapping feature of spamd was especially handy for blocking sites
attempting to deliver to these non-existent addresses.  I would like to
be able to take advantage of this feature of spamd, along with the
blacklist features, while not delaying email to non spamtrapped
addresses.

From my understanding of the interaction between spamd and pf, this
either isn't possible or is non-trivial.  However, I figured I would
see if anyone has done a similar set-up or knows of a way to implement
this.  Thanks.

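An added example, not Calomel's Perl script and not part of this thread, showing the log-watching idea described above in Python: a host that is greylisted while delivering to a real address is whitelisted, a host that delivers to an address that does not exist is trapped, and the script emits the spamdb(8) commands. The log line layout, the IP addresses and the recipient list are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Log lines constructed for this example, laid out after spamd's
# "(GREY) ip: <from> -> <to>" and "ip: connected (n/m), lists: ..." messages.
SAMPLE_LOG = """\
Apr 15 10:02:11 mx spamd[8123]: 192.0.2.10: connected (1/0)
Apr 15 10:02:15 mx spamd[8123]: (GREY) 192.0.2.10: <news@example.com> -> <sales@example.org>
Apr 15 10:02:16 mx spamd[8123]: 192.0.2.10: disconnected after 5 seconds.
Apr 15 10:03:40 mx spamd[8123]: 198.51.100.7: connected (1/0)
Apr 15 10:03:44 mx spamd[8123]: (GREY) 198.51.100.7: <x1@bulk.example> -> <nobody@example.org>
Apr 15 10:03:45 mx spamd[8123]: 198.51.100.7: disconnected after 5 seconds.
Apr 15 10:04:01 mx spamd[8123]: 203.0.113.9: connected (2/1), lists: spamhaus
Apr 15 10:05:30 mx spamd[8123]: (GREY) 198.51.100.7: <x2@bulk.example> -> <sales@example.org>
"""

# Addresses that really exist behind the MX (constructed); anything else is a trap.
VALID_RECIPIENTS = {"sales@example.org", "support@example.org"}

GREY_RE = re.compile(
    r"spamd\[\d+\]: \(GREY\) (?P<ip>[0-9.]+): <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
)
LISTED_RE = re.compile(
    r"spamd\[\d+\]: (?P<ip>[0-9.]+): connected \(\d+/\d+\), lists: (?P<lists>\S+)"
)


@dataclass
class Decision:
    whitelist: set = field(default_factory=set)  # hosts to add with `spamdb -a`
    trapped: set = field(default_factory=set)    # hosts to add with `spamdb -T -a`
    listed: set = field(default_factory=set)     # hosts spamd already blacklisted


def classify(log_text, valid_recipients):
    """Walk the spamd log once and decide what to do with each greylisted host."""
    d = Decision()
    for line in log_text.splitlines():
        m = LISTED_RE.search(line)
        if m:
            d.listed.add(m.group("ip"))
            continue
        m = GREY_RE.search(line)
        if not m:
            continue
        ip, rcpt = m.group("ip"), m.group("rcpt").lower()
        if rcpt in valid_recipients:
            d.whitelist.add(ip)
        else:
            d.trapped.add(ip)
    # A host that probed a non-existent address, or that spamd already saw on a
    # blacklist, never gets whitelisted even if it also tried a real address.
    d.whitelist -= d.trapped
    d.whitelist -= d.listed
    return d


def spamdb_commands(decision):
    """spamdb(8) invocations for the decisions, sorted for stable output."""
    cmds = [f"spamdb -a {ip}" for ip in sorted(decision.whitelist)]
    cmds += [f"spamdb -T -a {ip}" for ip in sorted(decision.trapped)]
    return cmds


if __name__ == "__main__":
    for cmd in spamdb_commands(classify(SAMPLE_LOG, VALID_RECIPIENTS)):
        print(cmd)
```

The whitelist only shortens the cycle to two attempts if the script runs before the sender's first retry, so in practice it has to tail the log rather than run from cron once an hour.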



Re: PF ssh bruteforce logging and blocking

2008-04-15 Thread Calomel
Chris,

Your /etc/bruteforce file will be read when pf loads its rules. IPs added
to the bruteforce table through the overload directive will _not_ be
added to the /etc/bruteforce text file.

Can you see IPs in the bruteforce table?

pfctl -t bruteforce -T show

If you want to dump those IPs from the table to the text file you can
always do pfctl -t bruteforce -T show > /etc/bruteforce


Hope this helps.

  OpenBSD Pf Firewall how to ( pf.conf )
  http://calomel.org/pf_config.html

--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Wed, Apr 16, 2008 at 12:20:38PM +1000, Chris wrote:
I have some rules in my pf.conf for ssh brute force where it should
block and log the offending IP address in /etc/bruteforce file. I also
told syslog to log all ssh logging in /var/log/sshd. I can see some
failed login in /var/log/sshd but my /etc/bruteforce file is still
empty. Here's my pf.conf -


ext_if = fxp0

tcp_services = {80, 443, 123}
udp_services = {123}
icmp_services = {echo_req}

set block-policy drop
set loginterface $ext_if

scrub in all fragment reassemble
scrub out all random-id fragment reassemble

block all
pass quick on lo0 all
pass out quick on lo0 all

table <bruteforce> persist file /etc/bruteforce

block quick from <bruteforce>
antispoof log for { lo0, $ext_if }

block drop in quick log on $ext_if inet6 all

pass in log on $ext_if inet proto tcp from any to ($ext_if) port
$tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $udp_services

pass inet proto tcp from any to any port ssh \
flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)

pass out log on $ext_if inet proto tcp from any to any port $tcp_services

block drop in quick on $ext_if from any to {255.255.255.255, 192.168.25.255}
block drop out quick on $ext_if inet proto icmp from any to {192.168.25.1}

block quick from any os NMAP

pass out log on $ext_if proto { tcp, udp, icmp } all keep state

block drop out quick log on $ext_if inet proto tcp from any to port 22

Here's what I can see on my /var/log/sshd -

Invalid user test from xxx.xx.xx.xx
input_userauth_request: invalid user test
Failed password for invalid user test from xxx.xx.xx.xx port 43734 ssh2

Is there anything I am doing wrong in my pf.conf? Thanks for any help.



Re: CARP and pfsync weird behaviour

2008-04-10 Thread Calomel
John,

I ran a test using iperf on an external openbsd system (client) through a carp
firewall to an internal openbsd system (server). All systems are running
OpenBSD v4.2 with the latest patches.

  external                      --- CARP ---      internal
  (iperf -i 1 -t 600 -c carp0)                    (iperf -s)

I did _not_ see any slow down through the MASTER when I rebooted the BACKUP
server. For example, I started the reboot of the BACKUP at 5 seconds and
the BACKUP finished rebooting at 102 seconds:

[  3]  1.0- 2.0 sec  81.2 MBytes  681 Mbits/sec
[  3]  2.0- 3.0 sec  82.3 MBytes  690 Mbits/sec
[  3]  3.0- 4.0 sec  83.8 MBytes  703 Mbits/sec
[  3]  4.0- 5.0 sec  86.6 MBytes  727 Mbits/sec  <-- start reboot
[  3]  5.0- 6.0 sec  86.8 MBytes  728 Mbits/sec
[  3]  6.0- 7.0 sec  86.3 MBytes  724 Mbits/sec
[  3]  7.0- 8.0 sec  82.8 MBytes  695 Mbits/sec
[  3]  8.0- 9.0 sec  86.7 MBytes  728 Mbits/sec
[  3]  9.0-10.0 sec  85.8 MBytes  720 Mbits/sec
[  3] 10.0-11.0 sec  86.1 MBytes  722 Mbits/sec

[cut]

[  3] 96.0-97.0 sec  83.4 MBytes  699 Mbits/sec
[  3] 97.0-98.0 sec  82.4 MBytes  692 Mbits/sec
[  3] 98.0-99.0 sec  81.9 MBytes  687 Mbits/sec
[  3] 99.0-100.0 sec  84.7 MBytes  710 Mbits/sec
[  3] 100.0-101.0 sec  83.3 MBytes  699 Mbits/sec
[  3] 101.0-102.0 sec  83.7 MBytes  702 Mbits/sec  <-- finished reboot
[  3] 102.0-103.0 sec  83.3 MBytes  699 Mbits/sec
[  3] 103.0-104.0 sec  83.6 MBytes  701 Mbits/sec
[  3] 104.0-105.0 sec  85.3 MBytes  716 Mbits/sec
[  3] 105.0-106.0 sec  83.4 MBytes  699 Mbits/sec

I also did not see any errors in the logs of either system running iperf
or on the firewalls. The load on the MASTER firewall was around 0.30.

Are the firewalls kernel patched? Are there any hardware failures to
report? Are the firewalls overloaded?

You are welcome to check out some of the how to's I have at
http://calomel.org if you need to.
 
--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Thu, Apr 10, 2008 at 12:35:17PM +0100, openbsd firewall wrote:
Hello,

I'm testing an OpenBSD 4.2 firewall with Iperf and I'm experiencing a very
strange behaviour.
What happens is that when I reboot the backup node the connection rate drops
while the backup node is coming back.
Iperf log:
[  3] 233.0-234.0 sec  6.62 MBytes  55.5 Mbits/sec
[  3] 234.0-235.0 sec  6.62 MBytes  55.5 Mbits/sec
[  3] 235.0-236.0 sec  6.62 MBytes  55.5 Mbits/sec
[  3] 236.0-237.0 sec  6.70 MBytes  56.2 Mbits/sec
[  3] 237.0-238.0 sec   288 KBytes  2.36 Mbits/sec
[  3] 238.0-239.0 sec  3.40 MBytes  28.5 Mbits/sec
[  3] 239.0-240.0 sec  0.00 Bytes  0.00 bits/sec
[  3] 240.0-241.0 sec  3.55 MBytes  29.8 Mbits/sec
[  3] 241.0-242.0 sec  0.00 Bytes  0.00 bits/sec
[  3] 242.0-243.0 sec  3.49 MBytes  29.3 Mbits/sec
[  3] 243.0-244.0 sec  0.00 Bytes  0.00 bits/sec
[  3] 244.0-245.0 sec  3.49 MBytes  29.3 Mbits/sec
[  3] 245.0-246.0 sec  2.30 MBytes  19.3 Mbits/sec
[  3] 246.0-247.0 sec  5.23 MBytes  43.9 Mbits/sec
[  3] 247.0-248.0 sec  2.60 MBytes  21.8 Mbits/sec
[  3] 248.0-249.0 sec  5.37 MBytes  45.0 Mbits/sec
[  3] 249.0-250.0 sec  1.28 MBytes  10.7 Mbits/sec
[  3] 250.0-251.0 sec  4.69 MBytes  39.3 Mbits/sec
[  3] 251.0-252.0 sec  4.69 MBytes  39.3 Mbits/sec
[  3] 252.0-253.0 sec  6.62 MBytes  55.5 Mbits/sec
[  3] 253.0-254.0 sec  6.62 MBytes  55.5 Mbits/sec
[  3] 254.0-255.0 sec  6.62 MBytes  55.5 Mbits/sec

That drop in connection is when the rebooted node is coming back ! Iperf is
being tested from one machine behind one firewall interface and another
machine behind another firewall interface. One machine is running Openbsd
and the other Linux.
Is there any reason for this behaviour ? I do not expect the backup node to
have any influence over the flow on active node.

Related to this is a problem with pfsync. Sometimes I get a bad state after
the backup firewall comes back and then Iperf gets totally messed up,
sometimes recovering others not. No difference if psync is configured with
multicast or with syncpeer.
Log from the active node:
Apr 10 06:57:03 inferno /bsd: pfsync: received bulk update request
Apr 10 06:57:04 inferno /bsd: pfsync: bulk update complete
Apr 10 06:57:04 inferno pflogd[23092]: invalid size 484 (116/116), packet
dropped
Apr 10 06:57:11 inferno pflogd[23092]: invalid size 144 (116/116), packet
dropped
Apr 10 06:57:16 inferno last message repeated 3 times
Apr 10 06:57:31 inferno pflogd[23092]: invalid size 484 (116/116), packet
dropped
Apr 10 06:57:31 inferno /bsd: pf: BAD state: TCP xx.xx.xx.4:5001
xx.xx.xx.4:5001 xx.xx.xx.5:43558 [lo=2191798936 high=2191798936 win=5840
modulator=0] [lo=911995449 high=912001289 win=65535 modulator=0] 4:4 A
seq=2191798936 (2191798936) ack=911995449 len=1460 ackskew=0
pkts=1267241:671313 dir=in,fwd
Apr 10 06:57:31 inferno /bsd: pf: State failure on: 1
Apr 10 06:57:31 inferno /bsd: pf: BAD state: TCP xx.xx.xx.4:5001
xx.xx.xx.4:5001 xx.xx.xx.5:43558 [lo=2191798936 high=2191798936 win=5840
modulator=0] [lo=911995449 high

Re: script to process spamd and generate html

2008-04-03 Thread Calomel
We use a simple Perl script to analyze the spamd logs and generate HTML
output.

  Spamd Statistics Script (annoying spammers)
  http://calomel.org/spamd_stats.html

--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Thu, Apr 03, 2008 at 10:19:18AM -0300, Jose Fragoso wrote:
Hi,

Anyone written scripts that analyse SPAMD logs and generate
html reports, and could share them with us?

Thanks in advance.

Regards,

Jose




Re: Pfstat - issue

2008-04-03 Thread Calomel
You also need to tell pfstat what action you want to do. You can query to
collect the pf interface statistics, generate new graphs or clean up the
database.

See if our page can help you out.

  Pfstat how to ( pfstat.conf )
  http://calomel.org/pfstat.html

--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Wed, Apr 02, 2008 at 08:13:35PM -0700, Parvinder Bhasin wrote:
I cannot get pfstat to run with -c or -d option whenever I run:

pfstat -c /etc/pfstat.conf

I get:
usage: pfstat [-v] [-c config] [-d data] [-r host[:port]] [-p] [-q] [-t 
days[:days]]

same thing when I even run against provided example pfstat.conf file.

Any ideas? anyone?

any help, highly appreciated :)

thx.



Re: selective state flush

2008-04-03 Thread Calomel
Jose,

Correct. If you load a block rule with an anchor or by hand, but the state
has already been made for a connection, the current state will not be
cleared. If you wanted to clear all states before you load the new rules
this could be done.

Selectively, you can use pfctl with the argument -k to drop connections
dependent on IP address. For example, if we wanted to drop all states from
any IP to our internal server at 10.10.10.22 we could execute:

pfctl -k 0.0.0.0/0 -k 10.10.10.22


Hope this helps.

  PF Config how to (pf.conf)
  http://calomel.org/pf_config.html

--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Thu, Apr 03, 2008 at 06:44:41PM -0500, Jeff Santos wrote:
Hi,

Suppose I have an anchor in PF that, when some condition
is met, is loaded with a set of block rules.

If the condition is met, the connections that were
open before these block rules were loaded to the
anchor are not dropped, correct?

If so, is there some way to selectively drop some
connections (flush some states)?

Thanks in advance.

Regards,

Jose




Re: relayd layer 7 http proxy and filtering questions

2008-04-02 Thread Calomel
First, I would like to congratulate the developers of relayd. They have
made a great daemon which is fast and very flexible.

I was able to get relayd to replace all of the functions of a Pound reverse
proxy except URL and request method filtering. As far as I can tell relayd
does not have these abilities. 

Is there a site, mailing list or person I could contact to suggest
additions to relayd?

Does anyone else use relayd and find these suggestions useful?

It has been two weeks since my original post (below) and I just wanted to
follow up. All of my configs can be found here:

  Relayd proxy how to (relayd.conf)
  http://calomel.org/relayd.html

--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Tue, Mar 18, 2008 at 05:07:53PM -0400, Calomel wrote:
We are looking to do some URL path and request method filtering with relayd
if possible. Many of the other layer 7 filters like User-Agent and
Referer work without issue. 

The box is built using relayd from -current cvs downloaded on Mar 18, 2008.
Relayd is setup to be a reverse HTTP proxy with layer 7 filtering as a
relay to a test webserver.

Similar to a firewall mindset, we are looking to block everything other
than what we specifically list out.


As a test, the URL or path filtering can allow /, *.html and *.jpg.
We are unable to figure out how to get relayd to allow only these types of
files, and deny any other access. The following is from our test
relayd.conf file, but these rules block all access.  Is there a way to list
out each file type, one per line?  Can we instead use something similar to
a regular expression like, request path expect (^\/|\.html|\.jpg)$

## ## URL filtering (NOT working yet)
 label BAD path request
 request path expect /
 request path expect /*.html
 request path expect /*.jpg


The second question is how to only accept the GET and HEAD request
methods and deny any others. For example we do not want the webserver to
ever see POST or TRACE methods. As GET and HEAD are not headers, we are
unsure as what rules to use.

## ## Block bad request method (NOT working yet)
 label BAD request method
 request header expect GET
 request header expect HEAD


Since it is a work in progress, our full relayd.conf file can be found
here for reference:

  Relayd proxy how to (relayd.conf)
  http://calomel.org/relayd.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference



Re: problem regarding squid

2008-03-31 Thread Calomel
Anil,

This is from the squid FAQ:

12.40 dnsSubmit: queue overload, rejecting blah

This means that you are using external dnsserver processes for lookups, and
all processes are busy, and Squid's pending queue is full. Each dnsserver
program can only handle one request at a time. When all dnsserver processes
are busy, Squid queues up requests, but only to a certain point.

To alleviate this condition, you need to either (1) increase the number of
dnsserver processes by changing the value for dns_children in your config
file, or (2) switch to using Squid's internal DNS client code.

Note that in some versions, Squid limits dns_children to 32. To increase it
beyond that value, you would have to edit the source code.


Hope this helps.

  Squid config how to (squid.conf)
  http://calomel.org/squid.html

--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Mon, Mar 31, 2008 at 05:04:10PM +0530, Anil Saini wrote:
hello sir

I'm using squid on OpenBSD 4.2

 my cache.log shows

 dnssubmit: queue overloaded, rejecting x.com
 dnssubmit: queue overloaded, rejecting x.com
 dnssubmit: queue overloaded, rejecting x.com
 dnssubmit: queue overloaded, rejecting x.com
 dnssubmit: queue overloaded, rejecting x.com

 how do I solve this problem?


 --
 Anil Saini
 M.E. - Software Systems
 B.E. - Electronics and Communication

 Project Assistant
 CISCO LAB
 Information Processing Center Unit
 BITS-PILANI [EMAIL PROTECTED]



Re: ssh queue rules

2008-03-26 Thread Calomel
I believe your low queue is for ssh interactive traffic only. The high
queue is for bulk traffic like scp or sftp transfers.

If you watch your queues in pftop (page 8) you should see ssh traffic like
typed commands in the low queue and the rest goes to the high queue.

Hope this helps

  PF Config how to (pf.conf)
  http://calomel.org/pf_config.html

--
 Calomel @ http://calomel.org/
 Open Source Research and Reference


On Wed, Mar 26, 2008 at 04:41:01PM -0700, Lord Sporkton wrote:
I have this rule in my PF
and its not working

everything just gets thrown into the high queue and nothing touches
the low queue

(this is from the output of pfctl -s rules)
pass in on em0 inet proto tcp from any to 208.70.72.13 port = ssh
flags S/SA modulate state (source-track rule, max-src-conn-rate 3/30,
overload <ssh-attack>, src.track 30) queue(low, high)

my ssh is being set with lowdelay

(from tcpdump)
14:40:24.180347 13-72-70-208.uniplex.us.ssh > georgia.static.qwest.net.61282:
P 5820:5984(164) ack 53 win 17520 (DF) [tos 0x10]

and my ssh transfer is being tagged high throughput

(from tcpdump)
14:43:53.936143 13-72-70-208.uniplex.us.ssh > georgia.static.qwest.net.2904:
. 269868:271328(1460) ack 961 win 17520 (DF) [tos 0x8]

any suggestions on what I'm doing wrong?
thanks

-- 
-Lawrence



Re: understanding PF src-limit counter

2008-03-24 Thread Calomel
Jose,

The 'src-limit' counter advances by one for every packet blocked by a rate
limited rule. If you write a pf rule using stateful tracking options to
allow connections at a rate of 20 per 60 seconds then packets arriving
faster than this would be blocked. You could then look at the 'src-limit'
value in pfctl -si to see how many packets were dropped in this way.

I do not believe packets dropped by a rate limited rule are logged as
logging a DDOS attack might stress the machine.

Hope this helps.

  OpenBSD Pf Firewall how to ( pf.conf )
  http://calomel.org/pf_config.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Mon, Mar 24, 2008 at 08:52:50AM -0500, Jose Fragoso wrote:
Hi,

I searched the FAQ and the man pages (for pf, pf.conf and pfctl.conf),
but I did not find a definition for the src-limit counter which is
shown by the command pfctl -si.

With pfctl -sa I saw this:

LIMITS:
states          hard limit      20
src-nodes       hard limit       1
frags           hard limit    5000
tables          hard limit    1000
table-entries   hard limit      20

So I am guessing that src-limit has something to do with src-nodes.
Is it a limit on the number of concurrent source IP addresses for
connections? I am seeing this counter increase on one of the
machines I control.

If someone could point out where to find more information about
this counter, I would appreciate it.

Thanks in advance.

Regards,

Jose.




relayd layer 7 http proxy and filtering questions

2008-03-18 Thread Calomel
We are looking to do some URL path and request method filtering with relayd
if possible. Many of the other layer 7 filters like User-Agent and
Referer work without issue. 

The box is built using relayd from -current cvs downloaded on Mar 18, 2008.
Relayd is setup to be a reverse HTTP proxy with layer 7 filtering as a
relay to a test webserver.

Similar to a firewall mindset, we are looking to block everything other
than what we specifically list out.


As a test, the URL or path filtering can allow /, *.html and *.jpg.
We are unable to figure out how to get relayd to allow only these types of
files, and deny any other access. The following is from our test
relayd.conf file, but these rules block all access.  Is there a way to list
out each file type, one per line?  Can we instead use something similar to
a regular expression like, request path expect (^\/|\.html|\.jpg)$

## ## URL filtering (NOT working yet)
 label BAD path request
 request path expect /
 request path expect /*.html
 request path expect /*.jpg


The second question is how to only accept the GET and HEAD request
methods and deny any others. For example we do not want the webserver to
ever see POST or TRACE methods. As GET and HEAD are not headers, we are
unsure as what rules to use.

## ## Block bad request method (NOT working yet)
 label BAD request method
 request header expect GET
 request header expect HEAD


Since it is a work in progress, our full relayd.conf file can be found
here for reference:

  Relayd proxy how to (relayd.conf)
  http://calomel.org/relayd.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference



Re: sftp logging using chroot internal-sftp in -current

2008-03-13 Thread Calomel
Damien,

Thanks for the pointer. I believe the environment is now setup correctly, but
I cannot get DEBUG3 messages to appear from internal-sftp in authlog.


I setup the log device file /ftp_jail/dev/log...

[EMAIL PROTECTED]: ls -la /ftp_jail/dev/log 
srw-rw-rw-  1 root  ftp  0 Mar 13 14:31 /ftp_jail/dev/log

...and syslogd points to /ftp_jail/dev/log 

syslogd -a /ftp_jail/dev/log -a /var/empty/dev/log

When I sftp from 192.168.2.2 to the sftp server test0 I now get a line I
did not see before, subsystem request for sftp. As far as I can tell the
log device is working correctly.

This is the log of a sftp connection. As a test I switched directory,
downloaded a test file and then disconnected. As you can see there is no
mention in the logs.

Mar 13 16:23:12 test0 sshd[24079]: Server listening on 0.0.0.0 port 22.
Mar 13 16:23:25 test0 sshd[26118]: Connection from 192.168.2.2 port 48518
Mar 13 16:23:26 test0 sshd[26118]: Failed none for ftp from 192.168.2.2 port 
48518 ssh2
Mar 13 16:23:26 test0 sshd[26118]: Failed publickey for ftp from 192.168.2.2 
port 48518 ssh2
Mar 13 16:23:28 test0 sshd[26118]: Accepted password for ftp from 192.168.2.2 
port 48518 ssh2
Mar 13 16:23:28 test0 sshd[10427]: Changed root directory to /ftp_jail
Mar 13 16:23:28 test0 sshd[10427]: subsystem request for sftp
Mar 13 16:23:44 test0 sshd[10427]: Connection closed by 192.168.2.2
Mar 13 16:23:44 test0 sshd[10427]: Closing connection to 192.168.2.2


This is my /etc/ssh/sshd_config if you can see anything wrong with it. I
tried adding ForceCommand internal-sftp -l DEBUG3 but this caused sshd
to error.

I appreciate the assistance.

 http://calomel.org/sftp_chroot.html
## /etc/ssh/sshd_config
 
AllowTcpForwarding no
ClientAliveCountMax 3
ClientAliveInterval 0
Compression delayed
LoginGraceTime 60s
LogLevel DEBUG3
MaxAuthTries 6
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PermitTunnel no
PermitUserEnvironment no
Port 22
Protocol 2
StrictModes yes
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UsePrivilegeSeparation yes
X11Forwarding no

## sftp directives
Subsystem  sftp  internal-sftp -f AUTH -l DEBUG3

Match User ftp
ForceCommand internal-sftp
ChrootDirectory /ftp_jail

 http://calomel.org/sftp_chroot.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Thu, Mar 13, 2008 at 12:32:04PM +1100, Damien Miller wrote:
On Wed, 12 Mar 2008, Calomel wrote:

 Is it possible to enable DEBUG logging for internal-sftp in sshd?
 
 Using -current (Mar 12, 2008) and enabling a chroot'd sftp server we can
 get sshd to log initial connections. But, we would also like to log sftp
 activity like uploads, downloads, and directory changes similar to what
 vsftpd does.
 
 The older sftp-server man page had a log facility (-f) and log level (-l)
 options, but those arguments might not have been carried over to
 internal-sftp.
 
 Perhaps the chroot environment keeps us from logging internal-sftp?

Yes. You should be able to have syslogd(8) listen on /dev/log inside the
chroot to make messages from the internal sftp-server visible.

-d



Re: ftp-proxy and carp

2008-03-12 Thread Calomel
Joe,

You can bind your reverse ftp-proxy to the carp addresses.

BTW, a problem you might eventually see is when the firewalls fail over.
Current connections to the ftp server will die when the backup firewall
takes over because it does not have ftp-proxy anchors from the first
firewall. The anchors are not pfsync states and thus are not transferred to
the backup firewall through pfsync.

But, if the users issue a reconnect to your ftp server after the firewall
fail over they will connect without issue.

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Wed, Mar 12, 2008 at 12:28:00PM +, Joe Warren-Meeks wrote:
Hey chaps,

I have a pair of OpenBSD firewalls running CARP

$ uname -a
OpenBSD ns-gs-fw2.host.nativ-systems.com 4.2 NS-GS-FW#0 i386

They both have internal and external addresses and an internal carp and
external carp address shared.

Now, they are protecting an FTP server that I want to allow access to.
Ideally, I'd have ftp-proxy bind to the CARP address, so that if there
was a failover event, inbound ftp would still work. 

Is this possible, or do I have to bind it to the real address and let
inbound ftp fail in the event of a failover?


 -- joe.

Have you seen the syrup on that bloke? Unreal.



sftp logging using chroot internal-sftp in -current

2008-03-12 Thread Calomel
Is it possible to enable DEBUG logging for internal-sftp in sshd?

Using -current (Mar 12, 2008) and enabling a chroot'd sftp server we can
get sshd to log initial connections. But, we would also like to log sftp
activity like uploads, downloads, and directory changes similar to what
vsftpd does.

The older sftp-server man page had a log facility (-f) and log level (-l)
options, but those arguments might not have been carried over to
internal-sftp.

Perhaps the chroot environment keeps us from logging internal-sftp?

Any help is appreciated. Thanks for your time.


 http://calomel.org/sftp_chroot.html

## /etc/ssh/sshd_config
 
AllowTcpForwarding no
ClientAliveCountMax 3
ClientAliveInterval 0
Compression delayed
LoginGraceTime 60s
LogLevel DEBUG3
MaxAuthTries 6
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PermitTunnel no
PermitUserEnvironment no
Port 22
Protocol 2
StrictModes yes
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UsePrivilegeSeparation yes
X11Forwarding no

## sftp directives
Subsystem  sftp  internal-sftp

Match User ftp
ForceCommand internal-sftp
ChrootDirectory /ftp_jail

 http://calomel.org/sftp_chroot.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference



Re: spamd and freemail hosts

2008-02-25 Thread Calomel
Aaron,

Whitelisting or blacklisting is up to you. If you are using another
person's blacklist then you must accept their methods or decisions.

Try using spamd to weed out mail servers and perhaps manually whitelist
servers you want to trust. Then set up your own blacklist with your own
scripts, or how about using the greyscanning script by Bob Beck?  How about
setting up greytrapping with the spamd.alloweddomains file?


This link lists out a lot of options we found make spamd very powerful.

 Spamd tarpit/greylisting anti-spam how to (spamdb)
 http://calomel.org/spamd_config.html 

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Mon, Feb 25, 2008 at 09:48:20PM -0600, Aaron Martinez wrote:
I've got spamd up and running in the default greylisting mode on a 4.2 
stable system.  Things seem to be working great, however I've noticed 
that some freemail like yahoo and hotmail stuff isn't getting through.  
Valid mail that i'm sending from my yahoo and hotmail accounts to my 
home accounts where I'm running the spamd instances.  I found that the 
IPs of the hosts are in the Blacklist.
I was looking through my daemon log and found some of the (BLACK)
instances of the mail I was sending from my yahoo account to valid
addresses on my OpenBSD box:

(BLACK) 69.147.97.90: [EMAIL PROTECTED] -> [EMAIL PROTECTED]

I was wondering, is this IP (69.147.97.90) Blacklisted or is this tuple 
blacklisted?

Does anyone have any thoughts on whitelisting freemail hosts like 
hotmail and yahoo?  I know that people do spam somewhat from these 
places, but I thought it was mainly from people forging the domains and 
I do get a lot of valid email that is not getting through.  I also host 
a couple domains and want to be prepared if people start complaining 
that they aren't getting mail.
Is there a way to whitelist domains on a per-recipient domain basis?


Thanks in advance.


Aaron Martinez



Re: : Zombie Network Spam Attack

2008-02-11 Thread Calomel
On Mon, Feb 11, 2008 at 11:17:35AM +0100, Raimo Niskanen wrote:
On Fri, Feb 08, 2008 at 11:20:31AM -0500, Calomel wrote:
 Raimo,
 
 Can you use the spamd.alloweddomains to whitelist email addresses and
 domains you accept mail for? Any email sent to your mail server that is not
 on the list will only go to spamd and never get the chance to be
 greylisted/whitelisted. Then you could write a simple script to look
 through the spamd logs of BLACK entries.
 

Well, that was already done. All incoming backscatter was to a valid
domain.

If you can compile a list of valid email addresses this might help. Instead
of @example.com you could list [EMAIL PROTECTED], [EMAIL PROTECTED]. Any server
sending to an invalid address would be blacklisted and a script could add
those IPs to a pf block table. 


 grep spamd /var/log/daemon | grep BLACK | awk '{print $7}' | sort -u
 

The problem seemed to be that spamd overloaded the network connection.

If spamd is sending too many packets back, try increasing the stutter time
(-S90) and the stutter speed (-s5). At 600 connections total and 600
packets per 5 seconds the network would need to handle 120 packets per
second in each direction; around 180 kilobytes in each direction. This might
still be too much bandwidth, but you could increase the values as
needed or decrease the number of connections spamd will accept with -c.
maxcon may not exceed kern.maxfiles - 200, and defaults to 800.


 ...and add the offending ips to a block table with a cron job running a few
 times a day. This page might give you some more ideas:
 
   Spamd tarpit/greylisting anti-spam how to (spamdb)
   http://calomel.org/spamd_config.html

I will have a look at it. Thank you for the ideas.


 --
  Calomel @ http://calomel.org
  Open Source Research and Reference
 
 
 On Fri, Feb 08, 2008 at 11:07:15AM +0100, Raimo Niskanen wrote:
 Apparently we (our mail server) got targeted by a zombie network
 since suddenly there were some 3 hosts on spamd's whitelist,
 continuously some 600 connections to spamd, and only mails to
 unknown users coming in. The network connection was flooded,
 the web server sluggish, downloads crept, basically
 nothing worked.
 
 Can spamd do anything about zombie hosts? They behave like
 normal MTAs so they will pass spamd's behavioural tests, right?
 
 Now I analyze the greylist, do some heuristics on the
 sender address (among other things) and trap the bad hosts.
 The trapped hosts are then copied to a pf table to be blocked
 in the firewall. Tarpitting them through spamd is simply
 too much work for the mail server, but blocking works fine.
 
 Here come the questions:
 
 * Does anyone know of a good strategy against zombie network
 spam attacks?
 
 * To make the greylist heuristics validate recipients and
 blacklist hosts that send to invalid recipients would
 blacklist valid MTAs that send bounces of mails with 
 fake sender addresses to me, right? And that would be
 too cruel, or? Because it would certainly decrease
 the spam amount.
 
 * To make the greylist heuristics validate the hosts
 by reverse DNS PTR lookup and then forward A lookup
 is apparently a debatable issue according to the 
 current thread running mail server at home.
 But if it is (fairly) common practice it would
 be a simple thing to do, and certainly decrease
 spam volume. But would it be too narrow?
 
 -- 
 
 / Raimo Niskanen, Erlang/OTP, Ericsson AB

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: Zombie Network Spam Attack

2008-02-08 Thread Calomel
Raimo,

Can you use the spamd.alloweddomains to whitelist email addresses and
domains you accept mail for? Any email sent to your mail server that is not
on the list will only go to spamd and never get the chance to be
greylisted/whitelisted. Then you could write a simple script to look
through the spamd logs of BLACK entries.

grep spamd /var/log/daemon | grep BLACK | awk '{print $7}' | sort -u

...and add the offending ips to a block table with a cron job running a few
times a day. This page might give you some more ideas:

  Spamd tarpit/greylisting anti-spam how to (spamdb)
  http://calomel.org/spamd_config.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Fri, Feb 08, 2008 at 11:07:15AM +0100, Raimo Niskanen wrote:
Apparently we (our mail server) got targeted by a zombie network
since suddenly there were some 3 hosts on spamd's whitelist,
continuously some 600 connections to spamd, and only mails to
unknown users coming in. The network connection was flooded,
the web server sluggish, downloads crept, basically
nothing worked.

Can spamd do anything about zombie hosts? They behave like
normal MTAs so they will pass spamd's behavioural tests, right?

Now I analyze the greylist, do some heuristics on the
sender address (among other things) and trap the bad hosts.
The trapped hosts are then copied to a pf table to be blocked
in the firewall. Tarpitting them through spamd is simply
too much work for the mail server, but blocking works fine.

Here come the questions:

* Does anyone know of a good strategy against zombie network
spam attacks?

* To make the greylist heuristics validate recipients and
blacklist hosts that send to invalid recipients would
blacklist valid MTAs that send bounces of mails with 
fake sender addresses to me, right? And that would be
too cruel, or? Because it would certainly decrease
the spam amount.

* To make the greylist heuristics validate the hosts
by reverse DNS PTR lookup and then forward A lookup
is apparently a debatable issue according to the 
current thread running mail server at home.
But if it is (fairly) common practice it would
be a simple thing to do, and certainly decrease
spam volume. But would it be too narrow?

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB
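The awk one-liner from the two replies above, turned into a script. This is an added example, not code from the thread or from OpenBSD. It assumes the daemon-log line format shown in the constructed sample below (modelled on what syslogd writes for spamd connection lines) and a pf.conf that already has "table <spamd-black> persist" and a block rule on that table. Local networks are never added, malformed address fields are dropped instead of being handed to pfctl, and nothing is executed unless --apply is given:

```python
"""Turn spamd's (BLACK) log lines into pf table updates.

Added example, not code from the thread. Assumed log format (one line per
spamd connection, as OpenBSD's syslogd writes it):

    Feb  8 11:07:15 fw spamd[1234]: (BLACK) 69.147.97.90: <a@example.org> -> <b@example.net>

Usage: python3 spamd_black.py [/var/log/daemon] [--apply]
"""
import ipaddress
import re
import subprocess
import sys
from collections import Counter

# Constructed sample standing in for /var/log/daemon.
SAMPLE_LOG = """\
Feb  8 11:07:15 fw spamd[1234]: (BLACK) 69.147.97.90: <bounce@example.org> -> <nobody@example.net>
Feb  8 11:07:16 fw spamd[1234]: (GREY) 203.0.113.5: <a@example.com> -> <user@example.net>
Feb  8 11:07:17 fw spamd[1234]: (BLACK) 69.147.97.90: <x@example.org> -> <other@example.net>
Feb  8 11:07:18 fw spamd[1234]: (BLACK) 198.51.100.77: <spam@example.org> -> <user@example.net>
Feb  8 11:07:19 fw spamd[1234]: (BLACK) 10.1.0.9: <lan@example.org> -> <user@example.net>
Feb  8 11:07:20 fw spamd[1234]: (BLACK) garbage: <junk> -> <user@example.net>
Feb  8 11:07:21 fw sshd[999]: Accepted publickey for ops from 192.0.2.1 port 2222
"""

# Match the address explicitly rather than trusting awk's $7, so a different
# syslog prefix or host name does not shift the field.
BLACK_RE = re.compile(r"spamd\[\d+\]: \(BLACK\) (\S+):")

# Never let a log line talk us into blocking our own networks.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def black_sources(log_text):
    """Return Counter {ip: number of BLACK connections} for the log text."""
    hits = Counter()
    for line in log_text.splitlines():
        m = BLACK_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                      # malformed field: skip, never pass it to pfctl
        if any(ip in net for net in NEVER_BLOCK):
            continue
        hits[str(ip)] += 1
    return hits


def pfctl_add_commands(hits, table="spamd-black", min_hits=1):
    """One pfctl argv per address seen at least min_hits times, in sorted order."""
    return [["pfctl", "-t", table, "-T", "add", ip]
            for ip, n in sorted(hits.items()) if n >= min_hits]


def apply_commands(commands, run=False):
    """Execute the commands (needs root) or, by default, just return them for review."""
    if run:
        for argv in commands:
            subprocess.run(argv, check=True)
    return commands


if __name__ == "__main__":
    files = [a for a in sys.argv[1:] if not a.startswith("--")]
    text = open(files[0]).read() if files else SAMPLE_LOG
    cmds = pfctl_add_commands(black_sources(text))
    for argv in apply_commands(cmds, run="--apply" in sys.argv):
        print(" ".join(argv))
```

With "table <spamd-black> persist" and "block in quick from <spamd-black>" in pf.conf, running this from cron a few times a day does what the reply describes; adding "pfctl -t spamd-black -T expire 86400" to the same cron job lets entries age out instead of accumulating forever.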



Re: pf anchors with tag/tagged

2008-02-08 Thread Calomel
Are the pass rules valid for the packets you are redirecting? A redirect
rule and pass rule like the following works without issue.

rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh tag OPENSSH -> lo0 port $SshPort
pass in log on $ExtIf inet proto tcp from $WorkSsh to lo0 port $SshPort $SynState tagged OPENSSH


  OpenBSD Pf Firewall how to ( pf.conf )
  http://calomel.org/pf_config.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Fri, Feb 08, 2008 at 08:35:44AM -0500, S. Scott Sima, CISA, CISM wrote:
(sorry, orig post errantly had no subject)

Trying to redact (simplify) pf rdr statements by moving the repeating
(common) criteria to the top.

The rules load error free.  The pfctl -vvsnat shows the rdr-anchor in
place; however, tcpdump shows the block rules being hit AS IF THE
TAG/TAGGED IS NOT BEING SEEN.

Anyone, any ideas?

Thanks...

/etc/pf.anchor.rdr1
# -
anchor log on outside inet proto tcp \
from !<droplist> to (outside:0) {
rdr port   25 tag T1 -> 192.168.2.225
rdr port 5060 tag T1 -> 192.168.2.200
rdr port  443 tag T2 -> 192.168.2.250
}
# ---

/etc/pf.conf
rdr-anchor /etc/pf.anchor.rdr1
...
block all
...
pass log quick ...tagged T1 ...
pass log quick ...tagged T2 ...
...



Re: pf anchors with tag/tagged

2008-02-08 Thread Calomel
All macros, redirections and rules must be in the anchor that uses them, as I
understand it. Take a look at the anchors section of this link.

  OpenBSD Pf Firewall how to ( pf.conf )
  http://calomel.org/pf_config.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Fri, Feb 08, 2008 at 01:24:40PM -0500, scott wrote:
The pf.conf -- with the tag/tagged -- is a long-time working config. All
I did (trying to do) is move the rdr, in the redacted form, to an anchor
as shown.

In the future, there's going to be a very large number of rdr's and I'm
seeking a cleaner and effective variant.

It's behaving as if the tag's scope is inside the anchor only;
therefore, is not seen by the larger pf.conf.

/S




-Original Message-
From: Calomel [EMAIL PROTECTED]
Reply-To: Calomel [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: pf anchors with tag/tagged
Date: Fri, 8 Feb 2008 11:30:17 -0500
Delivered-To: [EMAIL PROTECTED]

Are the pass rules valid for the packets you are redirecting? A redirect
rule and pass rule like the following works without issue.

rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh tag OPENSSH -> lo0 port $SshPort
pass in log on $ExtIf inet proto tcp from $WorkSsh to lo0 port $SshPort $SynState tagged OPENSSH


  OpenBSD Pf Firewall how to ( pf.conf )
  http://calomel.org/pf_config.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Fri, Feb 08, 2008 at 08:35:44AM -0500, S. Scott Sima, CISA, CISM wrote:
(sorry, orig post errantly had no subject)

Trying to redact (simplify) pf rdr statements by moving the repeating
(common) criteria to the top.

The rules load error free.  The pfctl -vvsnat shows the rdr-anchor in
place; however, tcpdump shows the block rules being hit AS IF THE
TAG/TAGGED IS NOT BEING SEEN.

Anyone, any ideas?

Thanks...

/etc/pf.anchor.rdr1
# -
anchor log on outside inet proto tcp \
from !<droplist> to (outside:0) {
rdr port   25 tag T1 -> 192.168.2.225
rdr port 5060 tag T1 -> 192.168.2.200
rdr port  443 tag T2 -> 192.168.2.250
}
# ---

/etc/pf.conf
rdr-anchor /etc/pf.anchor.rdr1
...
block all
...
pass log quick ...tagged T1 ...
pass log quick ...tagged T2 ...
...



Re: PF - using overload for port 80 attacks/floods

2008-01-31 Thread Calomel
Since you already stated you have valid clients which could open many
connections at once, it seems pf might not be the right solution.

Have you thought about using a reverse proxy server in front of your web
servers?

A program like Pound would allow you to specify valid URL regular
expressions which would then go to your web servers. All of the invalid
requests would get an error from the proxy server. If you wanted to, you
could make a script to watch the logs and add IPs to the pf blacklist
table.

Pound secure reverse proxy how to
http://calomel.org/pound.html


If your webserver has the ability to use mod_evasive this might also help.
Mod_evasive will return errors for clients who connect over a set limit. I
believe mod_security can blacklist clients who produce too many errors.


If you decide to stick with just PF then take a stab at writing a script to
watch the webserver logs. If you have a web client producing a certain
amount or type of errors, put them in a slow queue for a while. Using pf's
probability directive works really well if you want to slow, but not
completely block, the host. You can find pf examples here:

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html


Hope this helps.

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Thu, Jan 31, 2008 at 10:50:43AM -0600, Cache Hit wrote:
Hello,

I've been successfully using the max-src-conn and max-src-conn-rate
with an overload into a table that I block for our external firewall
that protects a few dozen (mostly Sun) web servers. As it stands it
works great for blocking ssh, ftp, smtp and several other protocols
when there are attempts at floods or hacks. I group them by port
and have different settings for different sets of ports.

One thing I continually run into on the machines are port 80 attacks
or floods. I'd like to do something similar with PF as I'm already
doing for other protocols to overload these into a table and block
them, but I'm finding it very hard to come up with a set of rules
that eliminate any false positives while still catching actual
attacks. I find in particular there are a few websites behind our
firewall that have very complex page structures with lots of embedded
images such that a fast browser with a fast connection viewing
certain sections of the site can easily do 100's of legit GET's in a
matter of a couple seconds.

Does anyone have any suggestions for weeding out the false
positives? Merely upping either of max-src-conn or max-src-conn-
rate seems to be eventually self-defeating as it just allows attacks
through as well as allowing the fast legit traffic.

thanks,

--
[EMAIL PROTECTED]
The sky above the port was the color of television, tuned to a dead
station.



Re: spamd not un-greylisting entries?

2008-01-14 Thread Calomel
Dan,

The blocked-while-greylisted number of 8 is dependent on the number of
retries the remote mail server attempted while greylisted. Comcast servers,
for example, will try once per minute to deliver their mail. So if
you greylisted Comcast for 25 minutes the blocked number would be around
24-26.

What is your greylist timeout? By default I believe it is set at 25
minutes (-G 25:4:864). Perhaps it is too low or too high?

This is probably not your issue, but may give you a place to start.


Spamd anti-spam how to (spamdb)
http://calomel.org/spamd_config.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Mon, Jan 14, 2008 at 01:00:44PM -0500, Daniel Barowy wrote:
Hello everyone,

  My apologies if you get this twice-- it just occurred to me that I sent 
my original message out using the wrong email address.

  I would greatly appreciate it if someone would help me diagnose this spamd 
problem.  We've been running spamd since last October, and until this past 
Thursday, it was working great.  I may be mistaken, but I don't think I've 
ever seen entries like the following before (email addresses munged 
intentionally):

GREY|76.96.62.64|[EMAIL PROTECTED]|[EMAIL PROTECTED]|1200331179|1200345579|1200345579|8|0

  Notice that the block column count is high.  In the past, I don't 
recall this number ever exceeding 2.  Our users are now complaining that 
they are not receiving many expected inbound emails.  My understanding is 
that the GREY spamdb entry should turn to WHITE upon the remote MTA's 
retry.  No?

  I was troubleshooting a separate issue that required a restart of our 
firewall (spamd is running on the firewall and not the mail servers), and 
this problem popped up shortly thereafter.

  I have not changed anything with our pf.conf or spamd.conf that I know 
of, except that I've added a number of crucial mailhosts to our PF 
whitelist-- something I've done dozens of times before.

  This is on an OpenBSD 4.0 machine.

  Any suggestions?

Many thanks,
Dan
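A script for the question above, added as an example; it is not from the thread or from spamd. It reads spamdb output, keeps the GREY entries and lists the tuples that have been retried past their pass time without ever passing, with an estimate of the sender's retry interval. The nine-column layout is taken from the entry in Dan's mail (OpenBSD 4.0 era, no HELO column); the column meanings are the usual spamdb ones and the sample entries are constructed:

```python
"""List spamdb GREY tuples that keep being retried but never pass.

Added example, not code from the thread or from spamd. Assumed layout
(the nine-field GREY line shown in the post):

    GREY|ip|from|to|first|pass|expire|block|pass

first/pass/expire are Unix timestamps; block counts connections tempfailed
while grey, the final pass counts connections let through.
Usage on the firewall:  spamdb | python3 greycheck.py
"""
import sys
import time
from dataclasses import dataclass

# Constructed sample, modelled on the entry in the post (addresses made up).
SAMPLE_SPAMDB = """\
GREY|76.96.62.64|sender@comcast.example|user@example.net|1200331179|1200345579|1200345579|8|0
GREY|203.0.113.7|list@example.org|user@example.net|1200340000|1200341500|1200354400|1|0
WHITE|192.0.2.10|||1199000000|1200000000|1203110400|2|15
"""


@dataclass(frozen=True)
class GreyEntry:
    ip: str
    sender: str
    recipient: str
    first: int       # when the tuple was first seen
    pass_time: int   # "pass" column: time after which a retry is let through
    expire: int      # when the GREY entry is dropped
    blocked: int     # retries tempfailed so far
    passed: int      # connections passed so far


def parse_spamdb(text):
    """Return the GREY entries; WHITE/TRAPPED lines have other layouts and are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("GREY|"):
            continue
        f = line.split("|")
        if len(f) != 9:
            raise ValueError("unexpected GREY layout: %r" % line)
        entries.append(GreyEntry(f[1], f[2], f[3], int(f[4]), int(f[5]),
                                 int(f[6]), int(f[7]), int(f[8])))
    return entries


def retry_interval(entry, now):
    """Average seconds between the remote MTA's retries, or None if it retried at most once."""
    if entry.blocked < 2:
        return None
    return (now - entry.first) / (entry.blocked - 1)


def stuck_entries(entries, now, min_blocked=4):
    """Tuples past their pass time, retried at least min_blocked times, yet never passed.

    When users report mail that never arrives these are the entries to look at:
    the sender keeps coming back, but something keeps the tuple GREY.
    """
    return [e for e in entries
            if e.passed == 0 and e.blocked >= min_blocked and now >= e.pass_time]


def report(text, now):
    """One line per stuck tuple: ip, envelope, block count, estimated retry interval."""
    lines = []
    for e in stuck_entries(parse_spamdb(text), now):
        ivl = retry_interval(e, now)
        lines.append("%s %s -> %s blocked=%d retry~%s" % (
            e.ip, e.sender, e.recipient, e.blocked,
            "n/a" if ivl is None else "%dmin" % (ivl // 60)))
    return lines


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SPAMDB
    print("\n".join(report(data, int(time.time()))) or "nothing stuck")
```

An empty report means every retried tuple has either passed or has not yet reached its pass time; a long list of tuples with high block counts, as in the post, points at the greylist not being consulted on the retries rather than at the senders.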



PF, limit remote clients by total bandwidth used over time

2007-12-28 Thread Calomel
Good morning,

Can PF be written to filter client connections based on the total amount of
bandwidth a remote client uploads/downloads over a given time frame?  As
far as I know PF does _NOT_ have this ability.
 

Pf can flush the states of a client ip that has connected too many times in
a given time frame. What I am proposing is an extension to this behavior.

One would be able to write a rule looking at the total amount of
bandwidth the remote client has used and add them to a table if they exceed
this amount in a given time.

For example:   max-src-bandwidth-amount 2000/60

This could be the stateful tracking option to limit a client to 2000
Kilobytes per 60 seconds. The ip could then be dynamically added to a
table, its states flushed and put into a slower queue with limited
bandwidth or blocked completely.

Does anyone else find the ability to limit connections by total bandwidth
used over time to be useful? Perhaps this can be an option request in a
later version of PF.



( Background )

For those wondering how this can be used in the real world it would help...

...a wireless public network. Using the wireless network connection of a
local cafe we offer free Internet access to cafe patrons and people in the
park across the street. The access rules specify a limit of 500meg per
visit per day. Most people are well under this amount and others abuse the
service. 

...limiting a child's downloads on the local LAN at a public school. Some
ISP's will send out warning letters to their customers who use more than
their fair share of bandwidth (100Gig/month). By limiting a local LAN ip
to one gig per day we can make sure to stay under this limit for example.

...stopping people from abusing a ftp or web server on a metered
connection. If you know exactly how much data a normal user is expected to
download then you can set upper limits. If you need to pay for that
bandwidth then there is a financial incentive to stop abusers or broken
clients. For example, if we expect an automated bot to get 15 meg per hour
from the ftp server. If we then see clients connect and download 100 meg
per minute there is a problem and the ips can be blocked or slowed.


Thanks for your time,

--
 Calomel @ http://calomel.org
 Open Source Research and Reference
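What the proposed max-src-bandwidth-amount 2000/60 would have to do, and what the log-watching script suggested in the "PF - using overload for port 80 attacks/floods" reply above would do, is the same per-source sliding-window accounting. The block below is an added example, not pf code and not code from either post: pf only counts connections, so the counting happens outside pf on constructed inputs (a common-log-format access log and (timestamp, source, bytes) samples such as a pflow or pfctl -ss collector could supply), and only the resulting table updates are handed to pfctl. Kilobyte here means 1024 bytes:

```python
"""Per-source sliding-window limits, applied to HTTP errors and to bytes moved.

Added example; not pf code, not code from the posts. Inputs are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime


class SourceWindow:
    """Running total per source over the trailing `seconds` seconds."""

    def __init__(self, limit, seconds):
        self.limit = limit
        self.seconds = seconds
        self._events = defaultdict(deque)   # src -> deque of (ts, amount)
        self._totals = defaultdict(int)

    def add(self, src, ts, amount=1):
        """Record `amount` for src at time ts; return True if src is now over the limit."""
        q = self._events[src]
        q.append((ts, amount))
        self._totals[src] += amount
        # drop everything outside the window (ts - seconds, ts]
        while q and q[0][0] <= ts - self.seconds:
            _, old = q.popleft()
            self._totals[src] -= old
        return self._totals[src] > self.limit


# Common log format; only the fields used here are captured.
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) (\S+)')


def web_error_offenders(log_text, limit=20, seconds=60):
    """Sources that produced more than `limit` 4xx/5xx responses inside any window.

    Counting only errors is what keeps the fast legitimate browser from the
    thread (hundreds of 200s for embedded images) out of the table.
    """
    win = SourceWindow(limit, seconds)
    offenders = set()
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        src, when, status, _size = m.groups()
        if int(status) < 400:
            continue
        ts = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if win.add(src, ts):
            offenders.add(src)
    return offenders


def bandwidth_offenders(samples, limit_kb=2000, seconds=60):
    """Sources that moved more than limit_kb KiB inside any `seconds` window.

    samples: iterable of (ts, src, nbytes) in time order; this is the proposed
    max-src-bandwidth-amount 2000/60 evaluated outside pf.
    """
    win = SourceWindow(limit_kb * 1024, seconds)
    return {src for ts, src, nbytes in samples if win.add(src, ts, nbytes)}


def pfctl_table_add(table, sources):
    """argv lists that put the sources into a pf table (a slow queue or block rule then uses it)."""
    return [["pfctl", "-t", table, "-T", "add", s] for s in sorted(sources)]


# Constructed demo input.
SAMPLE_ACCESS_LOG = "\n".join(
    # a scanner: 25 requests for missing CGI paths in 25 seconds
    ['203.0.113.9 - - [31/Jan/2008:10:50:%02d -0600] "GET /cgi-bin/x%d HTTP/1.0" 404 209'
     % (i, i) for i in range(25)]
    # a fast legitimate browser: 40 successful image fetches in 40 seconds
    + ['198.51.100.20 - - [31/Jan/2008:10:50:%02d -0600] "GET /img/%d.png HTTP/1.1" 200 5120'
       % (i, i) for i in range(40)]
)

SAMPLE_FLOWS = [   # (seconds, source, bytes): 2400 KiB in 40 s versus 500 KiB every 70 s
    (0, "10.1.0.5", 800 * 1024), (0, "10.1.0.7", 500 * 1024),
    (20, "10.1.0.5", 800 * 1024), (40, "10.1.0.5", 800 * 1024),
    (70, "10.1.0.7", 500 * 1024),
]

if __name__ == "__main__":
    bad = web_error_offenders(SAMPLE_ACCESS_LOG) | bandwidth_offenders(SAMPLE_FLOWS)
    for argv in pfctl_table_add("slow", bad):
        print(" ".join(argv))
```

A rule such as "pass in quick from <slow> queue slowq" (or a block rule on the table) does the enforcement; pair it with "pfctl -t slow -T expire 3600" from cron so an address is only slowed for a while, which is what the proposal asks for.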



Re: pf + wii

2007-12-25 Thread Calomel
The Wii may be running into the same problem that users of the Xbox 360
Live service see.  You simply need to make sure you are using a nat rule
with static-port for the gaming ip.

You do not need to use miniupnp or a upnp capable router. Search
for Xbox 360 on this page for an example.

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Tue, Dec 25, 2007 at 10:22:09AM -0800, Chris Cappuccio wrote:
upnp is also necessary for other multiplayer games like xbox live.  it's
unfortunate, but true.

Lord Sporkton [EMAIL PROTECTED] wrote:
 my point was that it's a possibility, as upnp support is not standard;
 whether or not that is the issue at hand can be decided from game
 documentation and testing with static pat.
 
 however thank you for the mention of the upnp daemons, i will have to
 check those out.
 
 On 24/12/2007, Nick Gustas [EMAIL PROTECTED] wrote:
  johan beisser wrote:
   On Dec 24, 2007, at 12:34 AM, Lord Sporkton wrote:
  
   I could be wrong, but here are my 2 cents:
  
   I've seen something like this related to upnp. I would venture to guess
   your 2 friends have routers which support upnp, and so far as I know
   OpenBSD does not support upnp.
  
   I would suggest either consulting the Guitar Hero manual or a tcpdump
   for the required ports for this game and trying a static pat translation
   to your public ip.
  
   upnp allows the wii to request that certain ports on the nat device be
   opened for it. In this case it sounds like your wii needs certain ports
   open to allow the server to connect to it; normally upnp would take
   care of it dynamically, but you don't have upnp, so you have to statically
   assign the pat.
  
  
   UPnPd for OpenBSD..
  
   http://www.tateoka.org/~tate/doc/openbsd-upnp.html
   http://miniupnp.free.fr/
  
   Personally, I've yet to need anything like this.
 
  I haven't tried it with a Wii yet, but I've used miniupnp for a year or
  so now and it's worked great whenever I've needed upnp support on a pf
  firewall. Make sure you follow the documentation and add the required
  anchors to the appropriate places in your pf.conf or else you won't make
  too much progress!
 
 
 
 
 -- 
 -Lawrence
 -Student ID 1028219

-- 
You were about to change the channel when God healed you -- Benny Hinn



Re: Passive ftp problem: 425 error

2007-11-29 Thread Calomel
Try using the ftp-proxy daemon. The proxy will take care of what ports need
to be open and close them when they are not needed. It will make your life
easier.

Ftp-proxy how to (forward and reverse)
http://calomel.org/ftp_proxy.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Thu, Nov 29, 2007 at 01:20:42PM -0800, Doug Milam wrote:
Greetings,

I'm having trouble getting FTP to work in passive mode. (I've set the machine 
up as an FTP server).

I can connect in active mode, with a PORT connection, but I'm seeing a 425 
error (can't open passive connection; can't assign requested address) for 
passive attempts.

The FTP server is 'self-protected' by pf and I've got one high port assigned 
in addition to 21, of course. I chose to restrict the high port to one port 
rather than a range. I've also set this in sysctl.conf.

The machine also sits on a LAN behind a router which currently only allows in 
port 21, but allows out everything.

Suggestions welcome! 


--
Be aware. Stay present. Speak honestly.
   
-
Get easy, one-click access to your favorites.  Make Yahoo! your homepage.



Re: Using CBQ with variable upload bandwidth

2007-11-16 Thread Calomel
I have to agree with Girish. Take some time and find out the average
bandwidth for your link. Then give the higher priority users a higher
percentage of the total amount than the other users. 

You could also use a script. If you know what the current upload bandwidth
amount is then you could vary the "altq on $ExtIf bandwidth 744Kb" line to
reflect this.  If the rest of the queues are set up to use a percentage of
the primary bandwidth amount then everything will fall into line. Lastly,
refresh pf for the new settings to take effect.

Reference: http://calomel.org/pf_hfsc.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Fri, Nov 16, 2007 at 12:15:29PM +0530, Girish Venkatachalam wrote:
On 08:00:08 Nov 16, Jonathan Stewart wrote:
 
 I thought about doing something like that but the usable upload is so
 variable that 60% could completely knock the normal_folk off when it
 gets congested.  I have 256kbit up right now and get anywhere from as
 low as 64kbit to 160kbit+ actual throughput depending on how busy the
 system is.  If PF had a weighted round robin queuing system that would
 be almost perfect because then it would scale with the amount of
 bandwidth available.  Ideally something that says if one queue has
 priority 5 and another 3 for every 5 packets sent from the first one 3
 are sent from the other, unless there is something wrong with that I'm
 missing (other than increased jitter.)

What is stopping you from using the priority field with HFSC?

And why don't you determine the average uplink bandwidth statistically?

If you measure it for a week or so and mark out the variance and figure
out the standard deviation or some such thing...then you can do what you
want.

From my experience with ADSL links I find that there is 
usually not much variance in the uplink path. 

Is my reasoning correct?

regards,
Girish



Re: Excess interrupts using ALTQ

2007-11-16 Thread Calomel
Fernando,

Doing a quick Google search I see other people have also reported problems
with the on-board Broadcom BCM5708 on the Dells. Can you try another
network card like the Intel Pro/1000 MT (OpenBSD interface name: em0)? 

My place of business transfers an average of 450Mbit with OpenBSD 4.1/4.2
with ALTQ (HFSC) without issue. CPU usage for the interrupts is around 33%
on an amd64 2.2GHz.

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Mon, Nov 12, 2007 at 02:05:54PM -0300, Fernando Braga wrote:
Hi,

I've set up a bridge over a 200Mb link, and every time I turn ALTQ on,
top shows interrupts at 99.2%. If I flush the queues (pfctl -Fq), interrupt
usage drops to 35% instantly. I've also noticed that only cpu0 is able
to handle interrupts.

Is there a way to minimize interrupts usage in this configuration ?

My pf.conf is:

#   $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $

ext_if=bnx0
int_if=bnx1

table <network-int> persist { 200.254.131.128/25 }
table <redes-biz>   persist file "/etc/pf.biz"

set skip on lo
set limit states 75

scrub in

altq on $int_if bandwidth 1000Mb hfsc queue { local, embratel }
altq on $ext_if bandwidth 1000Mb hfsc queue { local, embratel }

queue local bandwidth 100Mb hfsc

queue embratel bandwidth 200Mb hfsc(ecn realtime 200Mb upperlimit 200Mb) \
{ Q-pri Q-icmp Q-vpn Q-biz Q-mail Q-http Q-ftp Q-def }

queue Q-pri  bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit 180Mb) priority 7
queue Q-icmp bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit  30Mb) priority 7
queue Q-vpn  bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit 180Mb) priority 6
queue Q-biz  bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit 180Mb) priority 6
queue Q-mail bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit 180Mb) priority 4
queue Q-http bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit 180Mb) priority 4
queue Q-ftp  bandwidth 25Mb hfsc(realtime 15Mb linkshare 25Mb upperlimit 180Mb) priority 4
queue Q-def  bandwidth 25Mb hfsc(default linkshare 25Mb upperlimit 128Mb) priority 0

block in log
pass out

antispoof quick for { lo $ext_if }
pass in quick on lo0 no state

## merovingio rules -- bridge
pass in on $ext_if proto tcp to ($ext_if) port ssh queue(local)

pass in on $int_if                                          queue(Q-def  Q-pri) label int-DEFA
pass in on $int_if proto icmp                               queue(Q-icmp)       label int-ICMP
pass in on $int_if proto gre                                queue(Q-vpn)        label int-VPN-gre
pass in on $int_if proto esp                                queue(Q-vpn)        label int-VPN-esp
pass in on $int_if proto ah                                 queue(Q-vpn)        label int-VPN-ah
pass in on $int_if proto l2tp                               queue(Q-vpn)        label int-VPN-l2tp
pass in on $int_if proto { tcp udp } to port { 500 4500 }   queue(Q-vpn)        label int-VPN-ipsec
pass in on $int_if proto { tcp udp } to port { pptp }       queue(Q-vpn)        label int-VPN-pptp
pass in on $int_if proto tcp to port { snmp }               queue(Q-icmp Q-pri) label int-ICMP-snmp
pass in on $int_if proto tcp to port { www }                queue(Q-http Q-pri) label int-HTTP
pass in on $int_if proto tcp to port { https }              queue(Q-biz  Q-pri) label int-BIZZ-https
pass in on $int_if proto { tcp udp } to port { domain ntp } queue(Q-pri)        label int-PRII

pass in on $int_if to <redes-biz>                           queue(Q-biz  Q-pri) label int-BIZZ-redes
pass in on $int_if proto tcp to port { smtp pop3 imap 465 995 } queue(Q-mail Q-pri) label int-MAIL

pass in on $ext_if                                          queue(Q-def  Q-pri) label ext-DEFA
pass in on $ext_if proto icmp                               queue(Q-icmp)       label ext-ICMP
pass in on $ext_if proto gre                                queue(Q-vpn)        label ext-VPN-gre
pass in on $ext_if proto esp                                queue(Q-vpn)        label ext-VPN-esp
pass in on $ext_if proto ah                                 queue(Q-vpn)        label ext-VPN-ah
pass in on $ext_if proto l2tp                               queue(Q-vpn)        label ext-VPN-l2tp
pass in on $ext_if proto { tcp udp } to port { 500 4500 }   queue(Q-vpn)        label ext-VPN-ipsec
pass in on $ext_if proto { tcp udp } to port { pptp }       queue(Q-vpn)        label ext-VPN-pptp
pass in on $ext_if proto tcp to port { snmp }               queue(Q-icmp Q-pri) label ext-ICMP-snmp
pass in on $ext_if proto tcp to port { www }                queue(Q-http Q-pri) label ext-HTTP
pass in on $ext_if proto tcp to port { https }              queue(Q-biz  Q-pri) label ext-BIZZ-https
pass in on $ext_if proto { tcp udp } to port { domain ntp } queue(Q-pri)        label ext-PRII

pass in on $ext_if from <redes-biz>                         queue(Q-biz  Q-pri) label ext-BIZZ-https
pass in on $ext_if proto tcp to port { smtp pop3 imap 465 995 } queue(Q-mail Q-pri) label ext-MAIL

dmesg follows:

OpenBSD 4.2 (GENERIC.MP) #1378: Tue Aug 28 10:48:58 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3488907264 (3327MB)
avail mem = 3373899776 (3217MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xcffbc000 (62 entries)
bios0: vendor Dell Inc. version 1.3.7 date 03/26/2007
bios0

Re: Using CBQ with variable upload bandwidth

2007-11-15 Thread Calomel
Jonathan,

HFSC will do what you want. You could set up a queue using the realtime
directive to guarantee bandwidth to the big_spenders. Let's say 60% of the
total connection speed. Then assign 20% to the normal_folk. Both queues can
borrow from each other, but will always guarantee the amount of bandwidth
specified by realtime. See if this link helps you out.

Hierarchical Fair Service Curve (HFSC) of OpenBSD
http://calomel.org/pf_hfsc.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Fri, Nov 16, 2007 at 04:56:51AM +0300, Jonathan Stewart wrote:
Is it possible to use CBQ as a weighted round robin queue when the
upload bandwidth is highly variable?  This is on FreeBSD RELENG_7 which
I believe uses pf from OpenBSD 4.1

Example queue idea:
Root Queue (1Mbps)
big_spenders (500Kbps, priority 5, borrow)
normal_folk  (500Kbps, priority 3, borrow)

Based on my reading of the FAQ it would seem that if your actual upload
is less than the queue is configured for the queue would always be
congested.  Queues with a higher priority are preferred during
congestion over queues with a lower priority as long as both queues
share the same parent

In this case does the queue act like a simple priority queue and abandon
the normal_folk queue as long as there is data for the big_spenders
queue or will it act like a weighted round robin queue and prefer the
big_spenders but also pass some traffic from normal_folk?

I also want to allow either queue to be able to use all available
bandwidth.  Putting borrow on both should work correct?

Here is my situation... I'm running a shared access satellite system and
some people are willing to pay more than others.  IP addresses are
statically assigned and I would like to assign people to queues based on
how much they are willing to pay.  I want to give the big_spenders a
boost when the connection is busy but I don't want to block the
normal_folk completely in the process.  Any suggestions are welcome.

Thank you for your time,
Jonathan Stewart



Re: Queuing for my homelan (which scheduler to use?)

2007-11-13 Thread Calomel
Chris,

It looks like you have quite a few questions. The obsd list will not write
your firewall for you, but this should get you started in the right
direction.

Hierarchical Fair Service Curve (HFSC) of OpenBSD
http://calomel.org/pf_hfsc.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Tue, Nov 13, 2007 at 01:34:06PM +0100, Chris Cohen wrote:
Hi all,

sadly I can't get more than ADSL3000 (3072kbit dl/384kbit ul) at home 
therefore I want to use queues on my 4.2 gateway.
I separated my lan into clients (10.1.0.0/24), wlan (10.1.16.0/24), servers 
(10.1.3.0/24) and some other, but they don't need internet access...

I read http://www.openbsd.org/faq/pf/queueing.html and want to separate 
traffic by:

client_in (downloads originated by my own clients)
client_out (uploads originated by my own clients)
wlan_in (downloads originated by my and some others laptops)
wlan_out (uploads originated by my and some others laptops)
server_in (downloads originated by my servers)
server_out (upload originated by my servers)
icmp_out (don't disturb my pings...)
mail_out (large mails sent by my mailrelay in the servers subnet shouldn't 
disturb eg. the one hit my website receives a day ;) )
ssh_out (...)
tcp_ack_out (...)

I think the protocol specific queues should have a higher priority than the 
subnet specific ones. (?)

What would be the best way to achieve this? I am not sure which scheduler I 
should use in which combinations of priority and bandwidth.

Any tips are really appreciated.

-- 
Greetings
Chris



Re: Daily insecurity report and drop priv accounts for handling automated tasks

2007-11-13 Thread Calomel
Dave,

In our backup environment the backup user needs a shell and home dir for
ssh keys as you described. The passwd is disabled and ssh keys are
required. We also limit access to the backup user to specific source ip
addresses like the backup server.

We also use ssh wrappers. Using the command argument in the ssh keys file
you can have a script check what command is being run. The backup user only
needs to accept rsync so that is what we are validating. If any other
command is run or if a shell is requested the connection is denied. This is
a link to the explanation of our backup methodology and at the bottom is an
example of the rsync wrapper script.

Rsync remote files to backup server
http://calomel.org/backup_server_rsync.html


As Nick explained, if you have untrustworthy admins any setup can be
compromised. I suggest writing a script to execute a simple command like
ls using the backup user. If ls is successful, the wrapper is not
working.

If anyone has any other recommendations I would be interested in hearing
about them. There is always room for improvement.

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Tue, Nov 13, 2007 at 10:17:07PM -0500, Nick Holland wrote:
Dave Harrison wrote:
 Hi all,
 
 I've been wondering how to deal with this particular issue for quite
 some time now, and I can't find any references to the right way(TM)
 to handle it.
 
 I always prefer to run automated tasks as limited privilege users on
 my OpenBSD hosts - such as tasks that pull files across from other
 hosts, and other such nightly tasks.  To make this work the drop priv
 user account needs a shell and a home dir (for SSH keys etc), and has
 no need for a password.  However this causes the /etc/security script
 to generate warnings every night such as,
 
 
 Login nightlysync is off but still has a valid shell and alternate
 access files in home directory are still readable.
 
 
 The tasks that this user performs are scheduled through cron.
 
 Is there a better way for me to be setting up these kinds of tasks so
 that this warning doesn't get raised ?  Or is the warning spurious ?

here's my way of squishing those messages:
* create the user, give it a non-trivial (but easy to type) PW.  This
  is often useful in the development stage anyway.  Don't use a trivial
  password in case you forget to do the next step...
* When ready to kill the PW, rather than clearing it, by putting a
  few repeated chars in the encrypted PW string, for example, ,
  using vipw.

You now have an account that technically has a PW, but it is unlikely
anyone will find something that hashes to the string you created.  The
string probably has the wrong number of characters anyway.  Daily is
happy, you are happy, and no one can log in.

...you hope.

Here's a problem.  You may want to be aware of funny accounts on
your system.  Let's say you kill a password as I suggested, then
your evil co-administrator, Bob, decides he wants to keep having
access to this machine after he quits.  So, he quietly does a chpass
on that account, then puts in his resignation.  You run around and
delete all his accounts, and think, Job done.

Bob now logs into that account, and uses the ssh key he also dropped
in place to get wherever he wanted to go (assuming a little pre-
planning, of course).

So, you might WANT to have as part of your daily routine verifying
that you have X insecurity reports, and that they are there for the
reasons you expect.

'course, that's hardly the only attack vector.  If seeing
Insecurity Report freaks your boss out, you might find it safer
to eliminate the report  (Windows never tells me how insecure it
is, so it must be better!).  Otherwise, treat it as just part of
your daily mails.

(Interestingly, your subject line auto-filed your message into my
Insecurity Reports folder, and it rather concerned me that a new
message suddenly arrived there. :)

Nick.
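
An added example of the forced-command idea described above. This is not
the calomel.org rsync wrapper; it is written here to show the mechanism.
It assumes the script is installed as /usr/local/sbin/rsync-only, that the
backup tree lives under /home/backup, and it relies on OpenSSH's
command="..." option in authorized_keys, which runs the given script
instead of the client's request and hands that request over in
SSH_ORIGINAL_COMMAND:

```shell
#!/bin/sh
# Added example, not the calomel.org wrapper: an OpenSSH forced-command
# script that lets the backup key run rsync and nothing else.
#
# Assumed install path: /usr/local/sbin/rsync-only. Put it in front of the
# backup server's key in ~backup/.ssh/authorized_keys:
#   command="/usr/local/sbin/rsync-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... backup@backupserver
# sshd then runs this script instead of whatever the client asked for and
# passes the client's request in $SSH_ORIGINAL_COMMAND.

BACKUP_ROOT=/home/backup    # assumption: all backups live under this tree

# rsync_cmd_allowed CMD
# Exit status 0 when CMD is an rsync server invocation confined to
# $BACKUP_ROOT, 1 for anything else (a shell, ls, scp, chained commands).
rsync_cmd_allowed() {
    cmd=$1

    # An rsync client always starts the remote side as "rsync --server ..."
    # (with --sender added when it pulls); refuse every other command.
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac

    # Refuse shell metacharacters and parent-directory escapes (over-broad,
    # but safe), so the wrapper cannot be talked into running a second
    # command or into reaching files outside the backup tree.
    case "$cmd" in
        *[';&|$()<>`']*|*'..'*) return 1 ;;
    esac

    # rsync's server syntax ends in ". <path>"; require that path to be
    # the backup tree itself or something below it.
    case "$cmd" in
        *" . $BACKUP_ROOT"|*" . $BACKUP_ROOT/"*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Act as the wrapper only when invoked under the installed name; when
# sourced or run by hand for testing, just define the function above.
case "$0" in
    */rsync-only|rsync-only)
        if rsync_cmd_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
            logger -p auth.info -t rsync-only "allowed: $SSH_ORIGINAL_COMMAND"
            # Run exactly the validated command; the unquoted expansion
            # splits it into rsync's arguments, which is safe here because
            # metacharacters were rejected above.
            exec $SSH_ORIGINAL_COMMAND
        fi
        logger -p auth.warning -t rsync-only \
            "refused: ${SSH_ORIGINAL_COMMAND:-<interactive login>}"
        echo "this key only runs rsync" >&2
        exit 1
        ;;
esac
```

The check suggested above then becomes: run "ssh -i backup_key
backup@host ls" from the backup server. It must print "this key only runs
rsync", exit non-zero, and leave a "refused:" line in the auth log
(/var/log/authlog on OpenBSD). If ls succeeds, the command= option was not
applied to the key, and the wrapper is not protecting anything.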



Re: Logging bandwidth usage with PF

2007-11-12 Thread Calomel
Joel,

Check out pfflowd. This site has a how to.


Configuration of NetFlow, Flowtools, pfflowd on OpenBSD

Have you ever wanted to keep track of every packet going through your
firewall? How about getting some stats on the hosts using your network.
Stats like most bandwidth used or most popular ports or ip's. Well NetFlow
is what your looking for. NetFlow is an open but proprietary network
protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment
for collecting IP traffic information.

http://www.pantz.org/software/flowtools/configflowtoolspfflow.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Mon, Nov 12, 2007 at 09:31:08AM -0600, Joel Gudknecht wrote:
Misc list:

I'm trying to figure out a way to log and analyze bandwidth usage
passing through my PF gateway. It's doing NAT for ~60 users.

Here are the pertinent logging rules;

rdr pass log on $ext_if proto tcp to port smtp -> $host
rdr pass log on $ext_if proto tcp to port www -> $host
rdr pass log on $ext_if proto tcp to port pop3 -> $host
rdr pass log on $ext_if proto tcp to port 1494 -> $host
rdr pass log on $ext_if proto tcp to port 3389 -> $host

pass out log keep state

I've tried analyzing pflogs using ethereal/wireshark but could not get
specifics about IP's and connection rates from it. I've also looked at
ntop and pftop, which looks good for real-time monitoring but I don't
think they apply for what I'm trying to do.

I'd like to generate a sorted list of top bandwidth hogs and their IP 
addresses.

Thanks.

Joel



Re: how to create cdrom42.fs?

2007-11-08 Thread Calomel
I believe the boot image must be less than 9900 sectors to be used on a
bootable cdrom. bsd.rd would be too large. 

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Wed, Nov 07, 2007 at 07:45:52PM -0500, Steve Shockley wrote:
Calomel wrote:
You can use geteltorito.pl by Rainer Krienke. It will extract what it needs
from the cdemu42.iso image and make a new cdrom42.fs image. Just takes a
second.

Doing:

./geteltorito.pl -o test cd42.iso

results in a file test that's identical to cdbr.  Why jump through so 
many hoops to do things the hard way?  I'm not sure I see the advantage 
of using 2.88 emulation, especially when bsd.rd is ~5M.



Re: how to create cdrom42.fs?

2007-11-07 Thread Calomel
You can use geteltorito.pl by Rainer Krienke. It will extract what it needs
from the cdemu42.iso image and make a new cdrom42.fs image. Just takes a
second.

Check out Step 3, option 2 at Making a bootable OpenBSD install CD
http://calomel.org/bootable_openbsd_cd.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Tue, Nov 06, 2007 at 05:03:05PM +0800, 23?? wrote:
Hi,
  anything script?

-- 
Best Regards,
No.23

http://blog.chinaunix.net/u1/42287



Re: Fair Internet Sharing with OpenBSD

2007-11-04 Thread Calomel
Edd,

Check out ALTQ like Lars said, particularly HFSC. Something like this
should work well:

altq on $ExtIf bandwidth 744Kb hfsc queue { ack, edd, frank, fred, jack, mike, bulk }
   queue ack   bandwidth 10% priority 7 qlimit 50 hfsc (realtime 50%)
   queue edd   bandwidth 15% priority 5 qlimit 50 hfsc (realtime 5% )
   queue frank bandwidth 15% priority 5 qlimit 50 hfsc (realtime 5% )
   queue fred  bandwidth 15% priority 5 qlimit 50 hfsc (realtime 5% )
   queue jack  bandwidth 15% priority 5 qlimit 50 hfsc (realtime 5% )
   queue mike  bandwidth 15% priority 5 qlimit 50 hfsc (realtime 5% )
   queue bulk  bandwidth  5% priority 1 qlimit 50 hfsc (realtime 5% default)

And use the ack with the queue name on the rules like, queue (edd, ack)

This might help you out with the directive definitions. 
 http://calomel.org/pf_config.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference

On Sun, Nov 04, 2007 at 08:29:02PM +0200, Lars Noodén wrote:
Edd Barrett wrote:

 If there are 5 of us, it would be ideal to have x/5 bandwidth each
 (where x is the available internet bandwidth), but if 1 person is not
 using the connection others should be able to share the unused
 portion.
 
 Is there a solution?

AltQ, described in following, seems to be relevant.  I'm looking into a
similar setup, though for different reasons.

 PF: Packet Queueing and Prioritization
   http://openbsd.org/faq/pf/queueing.html

 ALTQ - allocation by percentage
   http://home.nuug.no/~peter/pf/en/altqbypct.html

 Firewalling IPv6 with OpenBSD's pf (packet filter)
   https://solarflux.org/pf/pf+IPv6.php

I'm still in the planning stages, though.

I'm currently using DNSmasq for DHCP, but would prefer to do something
else and use only IPv6 in-house.  The version of DNSmasq in the openbsd
pkg archive has some problems, so I'm using a 'test' version of 2.41:
   http://www.thekelleys.org.uk/dnsmasq/

Regards,
-Lars



Re: Where is 'cdrom42.fs'? 4.2 -release

2007-11-02 Thread Calomel
Rod,

You are absolutely correct. Using the --reject *iso directive for wget in
the instructions will now filter out all iso files from downloading. The
wording on the web page has been cleaned up and clarified.

Thanks for your feedback, it is appreciated.

--
 Calomel @ http://calomel.org
 OpenSource Research and Reference

On Fri, Nov 02, 2007 at 12:55:39PM +1100, RW wrote:
On Thu, 1 Nov 2007 20:01:16 -0400, Calomel wrote:

Making a custom, bootable OpenBSD install CD
http://calomel.org/bootable_openbsd_cd.html


Calomel, I think you need to rapidly go edit your instructions and the
script to get rid of the wildcard in the wget command to get the
install files.

Nobody building a custom CD will thank you for imposing a download of
the 204MB install42.iso along with the needed files.

Secondly, you need to stop referring to install sets as packages.

I was really confused when I read The OpenBSD group do (sic) offer
iso's you can download and use to install a system. The problem is they
may have packages you know you will never use. because I knew that the
downloadable iso includes NO packages.

Packages are precompiled applications from the ports tree. 

Let's not confuse newbies.

Rod/

In the beginning was The Word
and The Word was Content-type: text/plain
The Word of Rod.



Re: Where is 'cdrom42.fs'? 4.2 -release

2007-11-01 Thread Calomel
Bibby,

As far as I know there is no cdrom42.fs file for the v4.2 release. This is
an oversight in the docs unless I am wrong. You can use the install42.iso
or you can make your own custom cd iso by using the cdrom41.fs from v4.1.

Making a custom, bootable OpenBSD install CD
http://calomel.org/bootable_openbsd_cd.html

--
 Calomel @ http://calomel.org
 OpenSource Research and Reference

On Fri, Nov 02, 2007 at 03:12:30AM +0800, Bibby wrote:
Hi, all.

Part of file: 4.2/i386/INSTALL.i386:
---

cdrom42.fs      The i386 boot and installation 2.88MB
                floppy image that contains almost all OpenBSD
                drivers; see below.
If i want to use 'mkisofs' to create a custom iso image(e.g, add some
binary packages), which file should i use for the '-b' option?

Thanks very much.

-- 
Bibby(Huangbin Zhang)
OpenBSD User in China Mainland: http://www.OpenBSDonly.org/



Re: Samba files used logging

2007-10-29 Thread Calomel
You need to use at least samba-2.2.7a and use the audit.so module.  The
samba source code has what you need. Check out the information in
~samba/examples/VFS/audit.c and in the README file in that directory.

--
 Calomel @ http://calomel.org
 OpenSource Research and Reference

On Sun, Oct 28, 2007 at 03:22:27PM +0100, [EMAIL PROTECTED] wrote:
Hello

I've set up a little samba server on my OpenBSD box.
I would like to know which files are being accessed (write, copy) by smbd.

I tried fstat, pstat but none of them give me the name of the files.

Any idea ?

Thanks



Re: 4.2/amd64 cannot detect any CDROM even the one from which it was installed

2007-10-26 Thread Calomel
Siju,

Has the device name changed? Perhaps to /dev/cd0a 

--
 Calomel @ http://calomel.org
 OpenSource Research and Reference

On Thu, Oct 25, 2007 at 07:12:59PM +0530, Siju George wrote:
Hi,

I installed OpenBSD 4.2 on CD on my amd64 that was running OpenBSD 4.0 fine.
I tried to mount the sparc64 CDROM to copy ports.tgz
But I get the following Error

# mount_cd9660 /dev/cd0c /mnt/
mount_cd9660: /dev/cd0c on /mnt: No medium found
# mount_cd9660 /dev/cd0c /mnt/
mount_cd9660: /dev/cd0c on /mnt: No medium found
# mount_cd9660 /dev/cd0c /mnt/
mount_cd9660: /dev/cd0c on /mnt: No medium found
#

This Error I checked is the same error I get when there is no CDROM inside.

I tried other CDs but the effect is the same.
Finally I tried to mount the CD from which 4.2 was installed but failed.
I used to mount CDs in 4.0 without any problems :-(
Could somebody help me trouble shoot this problem?

Thankyou so much :-)

Kind Regards

Siju

The dmesg and /var/log/messages are as follows



OpenBSD 4.2 (GENERIC) #1179: Tue Aug 28 10:37:50 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 469037056 (447MB)
avail mem = 443813888 (423MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0730 (54 entries)
bios0: vendor American Megatrends Inc. version 080012  date 06/19/2006
bios0: ASUSTeK Computer INC. A8V-VM
acpi at mainbus0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Athlon(tm) 64 Processor 3500+, 2200.44 MHz



Re: Remove escape characters from file

2007-10-26 Thread Calomel
Pieter,

To remove the ^M characters at the end of all lines in vi, use:

:%s/^V^M//g

The ^v is a CONTROL-V character and ^m is a CONTROL-M. When you type this,
it will look like this:

:%s/^M//g

--
 Calomel @ http://calomel.org
 Open Source Research and Reference

On Fri, Oct 26, 2007 at 03:45:39PM +0200, Pieter Verberne wrote:
Hi,

does OpenBSD have a program/script to remove control characters (escape
sequence) from text files?

Pieter



Re: Help needed to get PF working

2007-10-25 Thread Calomel
Timo,

If this box is going to be a firewall and you expect to pass packets from
one interface to the other you _MUST_ enable packet forwarding. Even if pf
is setup correctly for your network, no packets will traverse between your
internal and external networks unless packet forwarding is turned on.

You can see if ip.forwarding is set to on=1 or off=0 by typing sysctl -a |
grep ip.forward. If ip.forwarding is off you can manually enable it by
typing sysctl net.inet.ip.forwarding=1. This command will only take
effect for this session and ip.forwarding will be set back to its previous
setting on reboot.

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html

--
 Calomel @ http://calomel.org

On Thu, Oct 25, 2007 at 09:15:22AM +0300, Timo Myyrä wrote:
Hi,

I'm currently trying to configure small home network:
ADSL <-> Server / Firewall <-> Desktop

Now I'm working on building a proper firewall to my server. So far the
situation is following:

- Servers internet connection works
- Desktop receives IP, nameserver and default route from server's
DHCP service.
-Desktop can connect to server by SSH but can't connect to anything beyond
that.

Server's fxp0 gets dynamic IP from ISP and fxp1 uses static IP.

What I need:
-server running the most common services available to public. Then some
services available only to LAN.
-Desktop will only run games as client and will use the servers private
services

Here's my current pf.conf:

### MACROS ###
ext_if=fxp0
lan_if=fxp1
server_ip=xxx.xxx.xxx.xxx
pri_ports={ 20,21,22,25,80,110,113,123,443,2049,3306,6660,6669,6900:6999,8080 } # Ports open on server to LAN
pub_ports={ 20,21,22,25,80,110,113,123,443,6900:6999,8080 } # Ports open on server to internet
game_ports=27000:27040

lan_ip=xxx.xxx.xxx.xxx

p180_ip=xxx.xxx.xxx.xxx


### TABLES ###
table <spamd-white> persist
table <intruders> persist
table <badhosts> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } # RFC 1918 ranges (172.16/12, not 176.16/12)

### OPTIONS ###
set skip on lo
set block-policy return

set optimization normal

set loginterface fxp0
set limit { states 5, frags 10 } # Are these good limits, I
have 4GB RAM?


### TRAFFIC NORMALIZATION ###
scrub in all fragment reassemble

### BANDWIDTH MANAGEMENT ###


### TRANSLATION ###
nat-anchor ftp-proxy/*
nat on $ext_if from !($ext_if) to any -> ($ext_if)


### REDIRECTION ###
rdr-anchor ftp-proxy/*
rdr pass on $lan_if proto tcp to port ftp -> 127.0.0.1 port 8021
# "no rdr" has to come before the rdr rule it exempts; translation rules are first match
no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
rdr pass on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port 8025
rdr on $ext_if inet proto {tcp,udp} from any to ($ext_if) port $game_ports -> $p180_ip
rdr on $lan_if inet proto {tcp,udp} from $lan_ip to any -> ($ext_if)

### ANCHORS ###
anchor ftp-proxy/*

### PACKET FILTERING ###
# Block rules
block in all    # Default to block all incoming and outgoing traffic
block out all

# Antispoof
antispoof quick log for { lo $lan_if }

# Incoming traffic
pass in on $ext_if proto {tcp,udp} from port $game_ports to $p180_ip
#pass quick on $lan_if no state

pass in on $ext_if proto {tcp,udp} to ($ext_if) port $pub_ports
pass in log on $lan_if proto {tcp,udp} from ($lan_if) port $pri_ports to $server_ip
pass in on $lan_if proto {tcp,udp} from any to any keep state

# Outgoing traffic
pass out log on $ext_if proto {tcp,udp} from ($ext_if) to port $pub_ports
pass out on $ext_if proto {tcp,udp,icmp} from $lan_ip to any

 How to change the pf.conf to allow desktop traffic to access the internet?
I have tried some solutions like removing the default block rules but it
still didn't work and I'm starting to run out of ideas.



Re: max-src-conn-rate rule question

2007-10-24 Thread Calomel
David,

I would take a look at adding synproxy to your rules before worrying about
max-src-states. Synproxy will allow max-src-conn-rate to work more
reliably.


By default, pf(4) passes packets that are part of a tcp(4) handshake be-
tween the endpoints.  The synproxy state option can be used to cause pf(4)
itself to complete the handshake with the active endpoint, perform a
handshake with the passive endpoint, and then forward packets between the
endpoints.

No packets are sent to the passive endpoint before the active endpoint
has completed the handshake, hence so-called SYN floods with spoofed source
addresses will not reach the passive endpoint, as the sender can't complete
the handshake.

The proxy is transparent to both endpoints, they each see a single
connection from/to the other endpoint.  pf(4) chooses random initial se-
quence numbers for both handshakes.  Once the handshakes are completed, the
sequence number modulators (see previous section) are used to translate
further packets of the connection. Synproxy state includes modulate state.

(pf.conf man page)

--
 Calomel @ http://calomel.org

On Tue, Oct 23, 2007 at 11:23:05PM -0500, david l goodrich wrote:
On Tue, Oct 23, 2007 at 05:46:45PM -0400, Calomel wrote:
 David,

 Was the offending client completing the 3-way handshake everytime it
 connected?

 For stateful TCP connections, limits on established connections (connec-
 tions which have completed the TCP 3-way handshake) can also be enforced
 per source IP. The max-src-conn-rate number/seconds limit the rate of
 new connections over a time interval.  The connection rate is an
 approximation calculated as a moving average.

 You may also want to use synproxy for ssh and take a look at
 max-src-states. I have examples here: http://calomel.org/pf_config.html

I didn't respond to this until now, because I wanted to do some
research first.  As the hosts that are being blocked by this
aren't hosts I control, I needed to set up some access on the
outside.

So it looks like i can run  'nmap -sS -p22 25.103.82.80/28' until
doomsday and it will always show as a passed connection.

But when i start telnetting to port 22 on machines in this
subnet, the fourth 'telnet' connection is blocked, no matter
which host I hit previously.  So I think that you are correct
in that the attackers are not initially completing the 3-way
handshake, and are thus not tripping the filter.

I'll look in to max-src-states, but I think now that I've shown
that the actual attack (if that's what they are) attempts are
blocked properly, I'm not terribly concerned if they can scan the
subnet.

Thanks,
  --david


 --
  Calomel @ http://calomel.org

 On Tue, Oct 23, 2007 at 03:58:52PM -0500, david l goodrich wrote:
 Nobody?  Sad, it's still doing it.
 
 
 On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
  I've set up a max-src-conn-rate rule on my gateway router to
  mitigate brute-force ssh attacks.  This router protects a /28
  subnet, 25.108.82.80/28.
 
  The relevant rules:
 
  # pfctl -sr | grep attack
  block drop in log quick proto tcp from <sshd_attackers> to any
  pass in log proto tcp from any to any port = ssh keep state
  (source-track rule, max-src-conn-rate 3/30, overload
  <sshd_attackers> flush global, src.track 30)
  #
 
  What the three columns of output in the below tcpdump output are:
  timestamp, rule action, and target host.  As you can tell from
  the tcpdump command, the sending host is the same in all cases,
  208.53.147.204
 
  # tcpdump -enr /var/log/pflog host 208.53.147.204 \
 | awk '{print $1,$4,$11}' | sed s/.22:// | head -30
  reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
  12:09:45.849594 pass 25.103.82.80
  12:09:45.850279 pass 25.103.82.82
  12:09:45.850827 pass 25.103.82.83
  12:09:45.851310 pass 25.103.82.84
  12:09:45.852003 pass 25.103.82.85
  12:09:45.852496 pass 25.103.82.86
  12:09:45.853007 pass 25.103.82.87
  12:09:45.866580 pass 25.103.82.88
  12:09:45.867345 pass 25.103.82.89
  12:09:45.868339 pass 25.103.82.92
  12:09:45.902389 pass 25.103.82.95
  12:25:52.632295 pass 25.103.82.80
  12:25:52.632973 pass 25.103.82.82
  12:25:52.648804 pass 25.103.82.83
  12:25:52.684792 pass 25.103.82.84
  12:25:52.687989 pass 25.103.82.85
  12:25:52.688652 pass 25.103.82.86
  12:25:52.690882 pass 25.103.82.87
  12:25:52.691371 pass 25.103.82.88
  12:25:52.692290 pass 25.103.82.89
  12:25:52.695340 pass 25.103.82.92
  12:25:52.698864 pass 25.103.82.95
  13:08:36.949178 pass 25.103.82.87
  13:08:38.864585 pass 25.103.82.87
  13:08:40.452215 pass 25.103.82.87
  13:08:42.038388 pass 25.103.82.87
  13:08:46.923469 block 25.103.82.88
  13:08:49.922116 block 25.103.82.88
  13:08:50.212040 block 25.103.82.87
  13:08:51.099435 block 25.103.82.87
  #
 
  It seems to me like this host should have been blocked back at
  12:09:45, not 13:08:46.  Am I misunderstanding the rule?
--david
 

Re: max-src-conn-rate rule question

2007-10-23 Thread Calomel
David,

Was the offending client completing the 3-way handshake every time it
connected?

For stateful TCP connections, limits on established connections (connec-
tions which have completed the TCP 3-way handshake) can also be enforced
per source IP. The max-src-conn-rate number/seconds limit the rate of
new connections over a time interval.  The connection rate is an
approximation calculated as a moving average.

You may also want to use synproxy for ssh and take a look at
max-src-states. I have examples here: http://calomel.org/pf_config.html 

--
 Calomel @ http://calomel.org

On Tue, Oct 23, 2007 at 03:58:52PM -0500, david l goodrich wrote:
Nobody?  Sad, it's still doing it.


On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
 I've set up a max-src-conn-rate rule on my gateway router to
 mitigate brute-force ssh attacks.  This router protects a /28
 subnet, 25.108.82.80/28.

 The relevant rules:

 # pfctl -sr | grep attack
 block drop in log quick proto tcp from <sshd_attackers> to any
 pass in log proto tcp from any to any port = ssh keep state
 (source-track rule, max-src-conn-rate 3/30, overload
 <sshd_attackers> flush global, src.track 30)
 #

 What the three columns of output in the below tcpdump output are:
 timestamp, rule action, and target host.  As you can tell from
 the tcpdump command, the sending host is the same in all cases,
 208.53.147.204

 # tcpdump -enr /var/log/pflog host 208.53.147.204 \
| awk '{print $1,$4,$11}' | sed s/.22:// | head -30
 reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
 12:09:45.849594 pass 25.103.82.80
 12:09:45.850279 pass 25.103.82.82
 12:09:45.850827 pass 25.103.82.83
 12:09:45.851310 pass 25.103.82.84
 12:09:45.852003 pass 25.103.82.85
 12:09:45.852496 pass 25.103.82.86
 12:09:45.853007 pass 25.103.82.87
 12:09:45.866580 pass 25.103.82.88
 12:09:45.867345 pass 25.103.82.89
 12:09:45.868339 pass 25.103.82.92
 12:09:45.902389 pass 25.103.82.95
 12:25:52.632295 pass 25.103.82.80
 12:25:52.632973 pass 25.103.82.82
 12:25:52.648804 pass 25.103.82.83
 12:25:52.684792 pass 25.103.82.84
 12:25:52.687989 pass 25.103.82.85
 12:25:52.688652 pass 25.103.82.86
 12:25:52.690882 pass 25.103.82.87
 12:25:52.691371 pass 25.103.82.88
 12:25:52.692290 pass 25.103.82.89
 12:25:52.695340 pass 25.103.82.92
 12:25:52.698864 pass 25.103.82.95
 13:08:36.949178 pass 25.103.82.87
 13:08:38.864585 pass 25.103.82.87
 13:08:40.452215 pass 25.103.82.87
 13:08:42.038388 pass 25.103.82.87
 13:08:46.923469 block 25.103.82.88
 13:08:49.922116 block 25.103.82.88
 13:08:50.212040 block 25.103.82.87
 13:08:51.099435 block 25.103.82.87
 #

 It seems to me like this host should have been blocked back at
 12:09:45, not 13:08:46.  Am I misunderstanding the rule?
   --david




Re: [Newbie] OpenBSD HTTP proxy

2007-10-08 Thread Calomel
Tony,

I agree with Lars, squid is an excellent choice to proxy http and https.

Here are some instructions and a working example if you need them.

Squid Proxy (Secure, Paranoid and Non-caching)
http://calomel.org/squid.html

--
 Calomel @ http://calomel.org

On Tue, Oct 09, 2007 at 03:43:12AM +0300, Lars Noodén wrote:
Tony Bruguier wrote:
...
 I would like to install an HTTP proxy.
...

Squid is recommended.  Read the directions carefully and you will have
to make one or two changes to the configuration.

Have squid listen localhost and then tunnel to get to it.

 ...
 In the long term, I would like to implement a full IP tunelling. Any
 solutions?

Ease him off of Windows.  Many of the games he is addicted to will run
under WINE.

-Lars



Re: pf

2007-10-05 Thread Calomel
padilla,

Perhaps if you take a step back and look at an example of pf everything
might make more sense. It might help if you had a working pf.conf to learn
from and a basic explanation of what each part of pf does.

   OpenBSD Pf Firewall how to ( pf.conf )
   http://calomel.org/pf_config.html

This example might be more than you really wanted for your machine, but it
should point you in the right direction for a secure nat'ed firewall. When
you become more fluent in pf, I have included a few of the more useful
options in the same example. If you have any questions I would be happy to
help.

--
 Calomel @ http://calomel.org


On Fri, Oct 05, 2007 at 08:25:26AM -0400, a.padilla wrote:
ext_if = "rl0"  # macro for external interface
int_if = "dc0"  # macro for internal interface

localnet= $int_if:network

nat on $ext_if from $localnet to any -> ($ext_if)
#block in
pass out keep state


pass out on $ext_if proto tcp all
pass inet proto tcp from {lo0, $localnet} to any keep state


I commented out block in for testing purposes. still, no success.   
If you know what's wrong, please don' t just answer.  I want to  
understand the solution.

ip forwarding is set to 1 and pf is enabled.

On Oct 4, 2007, at 11:50 AM, Roman Strogin wrote:

 On 10/4/07, a.padilla [EMAIL PROTECTED] wrote:
 Hi, I'm a student trying to learn pf on my own.  I'm trying to set up
 a nat.  I've read  documentation yet I still can't get the internal
 machine to communicate to the outside world.

 I've been following this documentation: http://www.openbsd.org/faq/ 
 pf/
 nat.html

 before I go any further, is this the correct place to ask this sort
 of question?

 1) Have you enabled IP forwarding or, in other words, have you
 uncommented following lines in your /etc/sysctl.conf:
 net.inet.ip.forwarding=1
 net.inet6.ip6.forwarding=1
 2) Show your pf.conf.

 Roman.

 Roman.



Re: pf

2007-10-05 Thread Calomel
matheus,

It is the order. The first queue is for bulk packets and the second is for
ack packets.

Daniel Hartmeier has a detailed page with examples that may make this
clearer. 

Prioritizing empty TCP ACKs with pf and ALTQ
http://www.benzedrine.cx/ackpri.html 

--
 Calomel @ http://calomel.org

On Sat, Oct 06, 2007 at 12:36:42AM -0300, Nenhum_de_Nos wrote:
On 10/5/07, Calomel [EMAIL PROTECTED] wrote:
 padilla,

 Perhaps if you take a step back and look at an example of pf everything
 might make more sense. It might help if you had a working pf.conf to learn
 from and a basic explanation of what each part of pf does.

OpenBSD Pf Firewall how to ( pf.conf )
http://calomel.org/pf_config.html

 This example might be more than you really wanted for your machine, but it
 should point you in the right direction for a secure nat'ed firewall. When
 you become more fluent in pf, I have included a few of the more useful
 options in the same example. If you have any questions I would be happy to
 help.

 --
  Calomel @ http://calomel.org

hi,

i read the referred link and this as well

http://calomel.org/pf_hfsc.html

but if you let me, I do have a question. when you say:
pass out on $ExtIf inet proto tcp from ($ExtIf) to any flags S/SA
modulate state queue (bulk, ack)
pass out on $ExtIf inet proto tcp from ($ExtIf) to any port ssh flags
S/SA modulate state queue (ssh_bulk, ssh_login)

The first rule is passing out bulk traffic on the external interface
and prioritizing ack packets. The second rule is passing out data on
port 22(ssh) and prioritizing the interactive ssh traffic. This
traffic is originating on our internal network or on the firewall
itself.

you say the two queues are bound to that rule in that line ? I never
got 100% this bindings from queues and rules. how will pf know that in
the first rule, it will treat ack packets different from bulk ones ?
thats my main doubt ...

is the order (bulk,ack) that does it ? or anything with the flags
(S/SA) ? I really never got the mechanics of this ...

if anyone could explain,

thanks,

matheus
-- 
We will call you cygnus,
The God of balance you shall be