Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-11 Thread Hilco Wijbenga 
It happened again...

2009/3/9 J.C. Roberts list-...@designtools.org:
 As for whether or not the assigned IP address you get from your ISP via
 DHCP will become a problem really depends on the netmask and default
 route they give you along with the IP.

 If your internal network is 192.168.151.*
 And your ISP gives you 192.168.1.* with a netmask of 255.255.0.0
 then you're officially hosed. The provided netmask means your internal
 network is *within* the range of your external network. bad juju!

 That netmask would give you the range 192.168.0.0 - 192.168.255.255 on
 your external interface, and hence, overlapping your internal network.

The netmask is 192.168.1.255 so I should be okay there.

 When using Point to Point Protocol (PPP, PPPoE, and similar), it can get
 far more confusing. Take a look at the following:

No PPP or PPPoE, just simple DHCP.

 None the less, the safest thing you can do is use an obtuse private
 network range for your internal LAN.

I guess it would be a good idea to do that then anyway.

 If I was able to 'keep state' every time I 'pass out' drinking would be
 far more enjoyable. Though I can't do it, pf can, and does it by
 default, but it seems I've digressed. Additionally, you need to be very
 careful when using the quick keyword since it intentionally short
 circuits your rule evaluation.

 B  B  B  B ext_if = sk0
 B  B  B  B int_if = sk1
 B  B  B  B set skip on lo
 B  B  B  B scrub in

 B  B  B  B nat on $ext_if from !($ext_if) -) ($ext_if:0)

 B  B  B  B block in log
 B  B  B  B pass out
 B  B  B  B antispoof quick for { lo $int_if }
 B  B  B  B pass quick on $int_if no state


 On the last line, you do not necessarily need the 'no state' (but it
 eliminates collecting pointless state entries) and you don't need the
 'quick' since it's the last rule evaluated (but you might follow this
 with other rules).

I'll see if simplifying the rules helps.

 If during a DHCP (re)assignment the DHCP server sends an ICMP Echo
 Request packet (Type 8), and you're blocking the packet but due
 to your block-policy replying with ICMP Destination Unreachable packet
 (Type 3), strange things might occur.

The problem is definitely with DHCP assigning a new IP address. I
checked and (as everybody here was already expecting) pf is still
using the same rules as before.

So apparently using ($ext_if) isn't working properly. I need to reload
pf.conf for the firewall to work again. I'll see if changing the
return policy makes any difference.

Cheers,
Hilco

Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Hilco Wijbenga 
2009/3/9 J.C. Roberts list-...@designtools.org:
 On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
 hilco.wijbe...@gmail.com wrote:

 I have pf running on my firewall box and I'm experiencing some strange
 behaviour. After several hours (this may even be 24 hours) of
 functioning normally, pf seems to reload its default rules which means
 that from that point on all traffic is blocked. A simple pfctl -f
 /etc/pf.conf fixes the problem but it is very annoying.

 ummm... no. Think about it for a moment. The default rules *are* stored
 in /etc/pf.conf --the very same file you are manually reloading, so
 it's obviously not magically reloading the default rules as you claim.

Ah, different semantics. :-) By default rules I mean whatever pf
does *without* an /etc/pf.conf. Probably something like block all.

 What kind of connection are you running?
 Is your public IP address static or dynamic?
 More importantly, are you running some sort of
 tunneling/authentication such as PPPoE or simlar?

I use DHCP so my IP can change. It's not particularly public though.
My ISP gives me an IP in 192.168.1.*. :-( (A smart move on their part,
I guess [no more running out of IPv4 addresses for them] but not very
useful to me.)

 In sort my first guess is your IP is changing every 24 hours or so due
 to your service provider using dynamic addressing (and trying to
 prevent you from having a particular IP for too long). If I'm right,
 then your problem is that pf is holding on to the old rules for your
 old IP address even though your IP had changed. In other words, you
 have a configuration error.

That definitely makes sense. However, I thought that by referring to
an interface instead of an IP I was protected from that? I mean, it's
fairly common to have a dynamic IP, is it not?

Cheers,
Hilco

Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Hilco Wijbenga 
2009/3/9 J.C. Roberts list-...@designtools.org:
 On Mon, 9 Mar 2009 09:07:51 -0700 Hilco Wijbenga
 hilco.wijbe...@gmail.com wrote:

 2009/3/9 J.C. Roberts list-...@designtools.org:
  On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
  hilco.wijbe...@gmail.com wrote:
 
  I have pf running on my firewall box and I'm experiencing some
  strange behaviour. After several hours (this may even be 24 hours)
  of functioning normally, pf seems to reload its default rules
  which means that from that point on all traffic is blocked. A
  simple pfctl -f /etc/pf.conf fixes the problem but it is very
  annoying.
 
  ummm... no. Think about it for a moment. The default rules *are*
  stored in /etc/pf.conf --the very same file you are manually
  reloading, so it's obviously not magically reloading the default
  rules as you claim.

 Ah, different semantics. :-) By default rules I mean whatever pf
 does *without* an /etc/pf.conf. Probably something like block all.


 :-)

  What kind of connection are you running?
  Is your public IP address static or dynamic?
  More importantly, are you running some sort of
  tunneling/authentication such as PPPoE or simlar?

 I use DHCP so my IP can change. It's not particularly public though.
 My ISP gives me an IP in 192.168.1.*. :-( (A smart move on their part,
 I guess [no more running out of IPv4 addresses for them] but not very
 useful to me.)

 I doubt your ISP only has 254 customers, so they are most likely using
 more than just the stated 192.168.1.0 - 192.168.1.255 range.

Let's hope so for them. :-) I always get an IP in that range, though.
Well, so far anyway.

 If you are doing your own NAT'ing for other machines on your private
 LAN, the fact your ISP is assigning you an IP address from the private
 address space could lead to a conflict.

I had been wondering about that. I use 192.168.151.* internally. That
should be okay then, shouldn't it?

 The smart answer for an ISP is moving to IPv6 since it's the only
 long term solution. Unfortunately, with less than 1% uptake on IPv6, it
 doesn't get you much usability right now and network address
 translation hacks are still required in some cases.

We're talking about a very big ISP. Smart doesn't come into the picture. ;-)

  In sort my first guess is your IP is changing every 24 hours or so
  due to your service provider using dynamic addressing (and trying to
  prevent you from having a particular IP for too long). If I'm right,
  then your problem is that pf is holding on to the old rules for your
  old IP address even though your IP had changed. In other words, you
  have a configuration error.

 That definitely makes sense. However, I thought that by referring to
 an interface instead of an IP I was protected from that? I mean, it's
 fairly common to have a dynamic IP, is it not?


 It depends on *how* you refer to the interface in your rules. As
 mentioned in the thread, you may have left off the needed parenthesis
 around your interface variable. You would be neither the first nor last
 to make this mistake. If you would post your pf.conf it would be very
 helpful.

ext_if = sk0
int_if = sk1

set skip on lo
set block-policy return
scrub in

nat log on $ext_if from $int_if:network to any - ($ext_if)

block log
pass out quick from $int_if to $int_if:network
pass out quick from $ext_if to any
#pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if)
port { domain, ntp }
pass in quick on $int_if from $int_if:network to any

 p.s. I hope you don't mind I cc'd m...@. I figured your off-list reply
 was due to my mistaken off-list reply.

:-) Yep.

Cheers,
Hilco

PF Seems To Reload Its Default Rules Unexpectedly

2009-03-08 Thread Hilco Wijbenga 
Hi all,

I have pf running on my firewall box and I'm experiencing some strange
behaviour. After several hours (this may even be 24 hours) of
functioning normally, pf seems to reload its default rules which means
that from that point on all traffic is blocked. A simple pfctl -f
/etc/pf.conf fixes the problem but it is very annoying.

I don't see anything relevant in /var/log/pflog or /var/log/messages
but I'm not sure what I am looking for so I may have missed something.

Do you have any idea why this is happening? Do you have any tips for
debugging this? I'm running a stock OpenBSD 4.4.

Cheers,
Hilco

acpitz0: THRM: failed to read _TMP

2009-03-08 Thread Hilco Wijbenga 
Hi all,

I'm seeing the following messages logged to the console:

acpitz0: THRM: failed to read _TMP
acpitz0: THRM: failed to read temp

(both lines are repeated many times).

It looks like OpenBSD (4.4) is unable to read the CPU temperature
which would explain why my previously whisper quiet box now resembles
a starting F16. I have the box under the desk running 24/7 so I really
want it to be quiet.

Google didn't find anything other than the fact that OpenBSD has
support for reading temperature (and other) sensors.

Any ideas?

Cheers,
Hilco

Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-08 Thread Hilco Wijbenga 
2009/3/8 Jason Dixon ja...@dixongroup.net:
 On Sun, Mar 08, 2009 at 04:01:57PM -0700, Hilco Wijbenga wrote:
 Hi all,

 I have pf running on my firewall box and I'm experiencing some strange
 behaviour. After several hours (this may even be 24 hours) of
 functioning normally, pf seems to reload its default rules which means
 that from that point on all traffic is blocked. A simple pfctl -f
 /etc/pf.conf fixes the problem but it is very annoying.

 There's nothing in OpenBSD or pf that reloads any configurations
 automagically.

:-) Yeah, I didn't think there would be.

 I don't see anything relevant in /var/log/pflog or /var/log/messages
 but I'm not sure what I am looking for so I may have missed something.

 Do you have any idea why this is happening? Do you have any tips for
 debugging this? I'm running a stock OpenBSD 4.4.

 You could start by showing us pfctl -sr before and after this supposedly
 takes place. B And uptime to prove it hasn't been rebooted. B And grep
 pf /etc/rc.conf.local so we can see how you're starting it.

 In other words, *useful information*.

I'll get the pfctl -sr when it happens again. In the meantime, I'd
like to point out that rebooting loads the rules correctly. So both
pfctl -f /etc/pf.conf and reboot solve the problem.

# grep pf /etc/rc.conf.local
pf=YES  # Packet filter / NAT
# uptime
 5:39PM  up 9 days, 19:44, 1 user, load averages: 0.10, 0.09, 0.08
# pfctl -sr
scrub in all fragment reassemble
block return log all
pass out quick inet from 192.168.151.1 to 192.168.151.0/24 flags S/SA keep
state
pass out quick inet from 192.168.1.64 to any flags S/SA keep state
pass out quick on sk0 inet6 from fe80::21c:f0ff:fe9f:e13 to any flags
S/SA keep state
pass in quick on sk1 inet from 192.168.151.0/24 to any flags S/SA keep state

As you can see I haven't rebooted this box for 9 days. I think I've
reloaded pf.conf 4 or 5 times. I'm quite curious what pfctl -sr says
the next time it happens.

There is one other strange thing that's being logged every now and then:
acpitz0: THRM: failed to read _TMP
acpitz0: THRM: failed to read temp

(See my other email specifically about this.)

It doesn't seem related but who knows so I thought I'd mention it.

Cheers,
Hilco

Re: NAT, Firewall pf

2009-02-24 Thread Hilco Wijbenga 
2009/2/24 Jorge Enrique Valbuena Vargas jvalbue...@gmail.com:
 1. You need to enable routing on your BSD box
 edit /etc/sysctl.conf and change the 0 (zero) with 1

 net.inet.ip.forwarding=1 B  B  B  B # 1=Permit forwarding (routing) of IPv4
 packets

My problem isn't that basic. :-) Forwarding is permitted. That was the
very first thing I set up.

Re: NAT, Firewall pf

2009-02-24 Thread Hilco Wijbenga 
2009/2/23 Jason Dixon ja...@dixongroup.net:
 On Mon, Feb 23, 2009 at 05:58:20PM -0800, Hilco Wijbenga wrote:
 Hi all,

 I've been trying to get a simple firewall system up-and-running in
 OpenBSD. I have The Book of PF and Secure Architectures
 with OpenBSD so I thought it would be very simple. Well, we're two
 weeks later now and still no firewall. :-) The pf rules I found in
 those books don't seem to work as I expected them to work.

 Before I list my current pf.conf, let me give a few more details. My
 firewall will be running a few services for my network (DHCP, NTP, and
 DNS). I need to use NAT to get my own network Internet access. DHCP
 works. I seem to have managed to get DNS (maradns on lo0 and sk1) and
 ICMP working.

 Sounds like a very basic home setup. B You want your firewall to handle
 DHCP, NTP and act as a DNS resolver for your local network. B Easy
 enough.

Yes, exactly what I thought. :-)

 /etc/pf.conf
 01 ext_if = sk0
 02 int_if = sk1
 03 localnet = $int_if:network
 04 internet = $ext_if:network
 05 udp_services = { domain, ntp }
 06 icmp_types = { echoreq, unreach }
 07
 08 nat log on $ext_if from $localnet to any - ($ext_if)
 09
 10 block log all
 11
 12 pass quick inet proto { tcp, udp } from $internet to any port
$udp_services
 13 pass quick inet proto { tcp, udp } from $localnet to any port
$udp_services
 14 pass quick inet proto { tcp, udp } from $lo0:network to any port
 $udp_services
 15
 16 pass inet proto icmp all icmp-type $icmp_types
 17 pass from { lo0, $localnet } to any keep state

 a. Why do I need 12? I had expected 13 (which I don't seem to need).
 Wouldn't 12 be for incoming requests from the Internet?
 b. Given that ping works from my network (so that presumably routing
 is okay), why doesn't anything else work? HTTP seems blocked by the
 firewall.
 c. How can I get pflog to flush immediately? I noticed I have to wait
 a minute or so before logged lines show up.
 d. Any other pointers?

 Let's start off with your questions and then a working example below.

 a. B If you're only intending to allow outbound traffic from your local
 network, you don't. B That rule would be to allow inbound requests from
 the internet to your firewall (and optionally, other internal services
 if you had rdr or binat rules). B By default, pf uses keep state on all
 pass rules, which means that it will track your connections outbound and
 allow the appropriate replies from external services.

That's what I thought, hence the question because line 12 was required
for it to work.

 b. B Because line 16 is allowing icmp outbound *and* inbound. B You have
 no directional (or interface) qualifiers.

Shouldn't 17 take care of all that for (e.g.) HTTP requests? It's from
the local net to anywhere and it keeps state (not relevant for HTTP, I
guess, but still).

 c. B I would need more details here to give you a qualified answer. B As
 in, examples. B You're only logging blocked traffic.

Yes, I thought that would make it easier. It isn't always clear to me
what a logged line is for: was it logged because it was blocked or
because it was allowed?

 d. B Read the PF FAQ.

Right. :-)

 Ok, here is a working example based on your description. B Noticed the
 beauty in the simplicity. B :)

What!?! You didn't like my near random mish-mash of rules? ;-)

 ##
 00 ext_if = sk0
 01 int_if = sk1
 02
 03 set skip on lo
 04
 05 scrub in
 06
 07 nat on $ext_if from $int_if:network to any - ($ext_if:0)
 08
 09 block in log all
 10 pass in on $int_if inet keep state
 ##

I'll try that tonight.

 The first two lines are obvious. B Why did I remove localnet and
 internet? B The first is truly unnecessary in a ruleset this small; B it
 simply adds abstraction where none is needed. B The internet is already
 provided via the any and all keywords.

That's one thing that isn't obvious to me. To the firewall sk0 and sk1
are just two interfaces, why/how would any and all refer to the
internet? Or do you simply mean they refer/include all interfaces so
also the internet?

 Line 3 allows us to skip state on loopback, nothing exciting there.

Yeah, I read about that and figured it could wait till later. Just
icing on the cake, right?

 Line 5 provides scrubbing, also known as packet defragmentation. B This
 helps pf by reassembling packet fragments before applying rules. B In
 short, it's a safety mechanism.

Same thing, I figured that could wait.

 Line 7 allows outbound NAT to the internet.

Okay, so the only difference with my attempt at it is the :0 you
added at the end. Does it mean anything special or was it simply
implied in my version?

 Line 9 provides a basic block all for inbound requests. B This affects
 both inbound from the internet, as well as inbound (from the firewall's
 perspective) from the local network. B Which requires...

Was this the main problem then? I was blocking everything

Re: NAT, Firewall pf

2009-02-24 Thread Hilco Wijbenga 
2009/2/23 Jason Dixon ja...@dixongroup.net:
 ##
 00 ext_if = sk0
 01 int_if = sk1
 02
 03 set skip on lo
 04
 05 scrub in
 06
 07 nat on $ext_if from $int_if:network to any - ($ext_if:0)
 08
 09 block in log all
 10 pass in on $int_if inet keep state
 ##

I tried this and I'm afraid it doesn't work. I can't ping anymore,
neither from my own box nor from the firewall. This setup is basically
what I also found in the books I have, I guess. :-(

DHCP works (i.e. my box gets an IP from the DHCP daemon on the
firewall) and I can see maradns receiving requests from localhost (the
firewall) and from the int_if (my box) when I try to ping something.
It's all blocked by the firewall, though.

I don't think it should matter but the only special thing about my
setup is that my external IP is on 192.168.1.0/24. Yes, that's my
*external* network. No more IPv4 address shortages for my ISP. :-)

Please also see my next reply.

NAT, Firewall pf

2009-02-23 Thread Hilco Wijbenga 
Hi all,

I've been trying to get a simple firewall system up-and-running in
OpenBSD. I have The Book of PF and Secure Architectures
with OpenBSD so I thought it would be very simple. Well, we're two
weeks later now and still no firewall. :-) The pf rules I found in
those books don't seem to work as I expected them to work.

Before I list my current pf.conf, let me give a few more details. My
firewall will be running a few services for my network (DHCP, NTP, and
DNS). I need to use NAT to get my own network Internet access. DHCP
works. I seem to have managed to get DNS (maradns on lo0 and sk1) and
ICMP working.

/etc/pf.conf
01 ext_if = sk0
02 int_if = sk1
03 localnet = $int_if:network
04 internet = $ext_if:network
05 udp_services = { domain, ntp }
06 icmp_types = { echoreq, unreach }
07
08 nat log on $ext_if from $localnet to any - ($ext_if)
09
10 block log all
11
12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
14 pass quick inet proto { tcp, udp } from $lo0:network to any port
$udp_services
15
16 pass inet proto icmp all icmp-type $icmp_types
17 pass from { lo0, $localnet } to any keep state

a. Why do I need 12? I had expected 13 (which I don't seem to need).
Wouldn't 12 be for incoming requests from the Internet?
b. Given that ping works from my network (so that presumably routing
is okay), why doesn't anything else work? HTTP seems blocked by the
firewall.
c. How can I get pflog to flush immediately? I noticed I have to wait
a minute or so before logged lines show up.
d. Any other pointers?

Cheers,
Hilco