Updating 3.9

2006-04-20 Thread Hutger H.
Hello Folks,

I've got a question about updating OpenBSD 3.9 ... I have a firewall
running the 3.9 release and I'd like to know the best way to keep the
system updated, the way Debian does with APT. Any suggestions?

Thanks in advance.

Hutger



FTP Issues

2006-03-24 Thread Hutger H.
Hi all,

I've got a problem running FTP through my PF firewall. This is the issue:

- I installed a new firewall (OpenBSD 3.9) in my network to connect some
users to the Internet through a new link. The users need to connect via
FTP to a server located externally (on the Internet), so the connections
must pass through the PF firewall.

- The firewall is working fine, except when some of the users try to
establish an FTP connection to the outside. As soon as they connect and
try to list the directories, after a long wait, they get disconnected.
My firewall rules are shown at the end of the message.

- Analysing the firewall's traffic, I noticed that the problem
happens when the FTP server tries to make a new connection back to the
client using a high port. I found some tutorials explaining how to solve
this problem using ftp-proxy and some PF rules/rdr, but none of them
seem to work for me.

Does anyone here have an idea how I can solve this?

PS: Sorry if the question is basic ... I consider myself a PF newbie,
since until now I've worked only with Linux-based firewalls.

Thanks in advance,

Hutger.

---

#--- Rules begin here

ext_if=pcn0
int_if=pcn1

ext_ip=172.21.28.20/32
int_ip=192.168.1.254/32

int_net=192.168.1.0/24

set skip on lo
set state-policy if-bound
scrub in all

# Translation rules. The mail had flattened the "->" arrows to "-", which
# pfctl rejects; they are restored here.
nat on $ext_if from $int_net -> $ext_ip

# The ftp-proxy(8) shipped with OpenBSD 3.9 is anchor-based: for every FTP
# session it inserts its own nat, rdr and pass rules into these anchors.
# Without them the data connections it negotiates never pass. The proxy
# itself must be running for the redirect below to do anything.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

block in all
block out all

# $dmz_if was referenced here but never defined; pfctl refuses to load a
# ruleset with an undefined macro, so only the two real interfaces remain.
antispoof log quick for {$ext_if,$int_if} inet

# Filter anchor for the proxy's per-session pass rules
anchor "ftp-proxy/*"

# Allow access to the firewall itself
pass in quick on $ext_if inet proto tcp from any to $ext_ip port ssh \
    keep state flags S/SA

# Access from the local network to the Internet
pass in quick on $int_if inet proto tcp from $int_net to any modulate state
pass in quick on $int_if inet proto {udp,icmp} from $int_net to any keep state

# Allow packets out on both interfaces
pass out quick on {$ext_if,$int_if} inet proto {tcp,udp,icmp} all keep state

# FTP Proxy Inbound. This rule comes from the pre-3.9 (inetd-based) ftp-proxy
# setup; the 3.9 proxy handles the inbound data connection through the
# anchors above, so this rule is kept only for reference.
pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) \
    user proxy flags S/SA keep state

#--- Rules end here

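The ruleset as posted has three defects a reviewer would catch before it ever reached pfctl: a macro that is referenced but never defined ($dmz_if), nat/rdr rules whose "->" came through the mail as a bare "-", and a redirect of FTP control connections to ftp-proxy(8) on 127.0.0.1 port 8021 without the nat-anchor, rdr-anchor and anchor "ftp-proxy/*" lines that the anchor-based proxy in OpenBSD 3.9 fills with its per-session rules (which is exactly where the server's connection back on a high port, described above, gets dropped). The following is an added example, not code from the post or from OpenBSD: a small static checker for those three problems, run over an embedded copy of the posted rules with the mail's line wraps joined. The checks are pf.conf syntax heuristics written for this page, not pfctl's parser.

```python
# Static checks for a pf.conf ruleset before loading it with pfctl.
# Added example for the FTP-proxy post; not code from the post or from OpenBSD.
import re

# Sample input: the ruleset from the post above with the mail's line wraps
# joined and nothing else changed. It is the text under test, not a
# recommended configuration.
POSTED_RULES = """\
ext_if=pcn0
int_if=pcn1

ext_ip=172.21.28.20/32
int_ip=192.168.1.254/32

int_net=192.168.1.0/24

set skip on lo
set state-policy if-bound
scrub in all

nat on $ext_if from $int_net - $ext_ip
rdr pass on $int_if proto tcp from any to any port ftp - 127.0.0.1 port 8021

block in all
block out all

antispoof log quick for {$ext_if,$dmz_if,$int_if} inet

pass in quick on $ext_if inet proto tcp from any to $ext_ip port ssh keep state flags S/SA
pass in quick on $int_if inet proto tcp from $int_net to any modulate state
pass in quick on $int_if inet proto {udp,icmp} from $int_net to any keep state
pass out quick on {$ext_if,$int_if} inet proto {tcp,udp,icmp} all keep state
pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) user proxy flags S/SA keep state
"""

MACRO_DEF = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
MACRO_REF = re.compile(r'\$(\w+)')
# nat/rdr/binat rules; the trailing \s keeps nat-anchor/rdr-anchor lines out
TRANSLATION_RULE = re.compile(r'^\s*(?:no\s+)?(?:nat|rdr|binat)\s')
# redirect to the port the OpenBSD 3.9 ftp-proxy(8) listens on by default
FTP_PROXY_RDR = re.compile(r'^\s*rdr\s.*\s127\.0\.0\.1\s+port\s+8021\b')
# anchors ftp-proxy(8) fills with per-session nat, rdr and pass rules
FTP_PROXY_ANCHORS = {
    'nat-anchor "ftp-proxy/*"': re.compile(r'^\s*nat-anchor\s+"ftp-proxy/\*"'),
    'rdr-anchor "ftp-proxy/*"': re.compile(r'^\s*rdr-anchor\s+"ftp-proxy/\*"'),
    'anchor "ftp-proxy/*"': re.compile(r'^\s*anchor\s+"ftp-proxy/\*"'),
}

def rule_lines(text):
    """(lineno, line) for each non-blank line, '#' comments stripped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()
        if line.strip():
            yield n, line

def macros(text):
    """Macro definitions (name=value) keyed by name."""
    found = {}
    for _, line in rule_lines(text):
        m = MACRO_DEF.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def referenced_macros(text):
    """Names referenced as $name anywhere in the ruleset."""
    return {name for _, line in rule_lines(text) for name in MACRO_REF.findall(line)}

def undefined_macros(text):
    """Referenced but never defined; pfctl refuses to load such a file."""
    return sorted(referenced_macros(text) - set(macros(text)))

def mangled_translation_rules(text):
    """Line numbers of nat/rdr/binat rules with a bare ' - ' and no '->',
    which is what the arrow becomes when a mail client flattens it."""
    return [n for n, line in rule_lines(text)
            if TRANSLATION_RULE.match(line) and '->' not in line and ' - ' in line]

def missing_ftp_proxy_anchors(text):
    """If FTP is redirected to ftp-proxy on 127.0.0.1:8021, list the proxy's
    anchors that are absent; without them its per-session rules go nowhere
    and the negotiated data connections are blocked by the static rules."""
    lines = [line for _, line in rule_lines(text)]
    if not any(FTP_PROXY_RDR.match(line) for line in lines):
        return []
    return [name for name, pat in FTP_PROXY_ANCHORS.items()
            if not any(pat.match(line) for line in lines)]

def lint(text):
    """Run every check; findings keyed by check name, empty lists mean clean."""
    return {'undefined_macros': undefined_macros(text),
            'mangled_translation_rules': mangled_translation_rules(text),
            'missing_ftp_proxy_anchors': missing_ftp_proxy_anchors(text)}

if __name__ == '__main__':
    for check, findings in lint(POSTED_RULES).items():
        print(f'{check}: {findings or "ok"}')
```

Run against the posted rules, the checker reports dmz_if as undefined, lines 13 and 14 of the ruleset (the nat and rdr rules) as mangled, and all three ftp-proxy anchors as missing; restoring the arrows, dropping $dmz_if and adding the anchors leaves every check empty. Once the real file loads, `pfctl -a "ftp-proxy/*" -sr` during an FTP session is the way to confirm the proxy is actually inserting rules.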


IDS solution

2006-03-21 Thread Hutger H.
Hi folks,

I've been looking for a consolidated IDS solution that I can deploy in
my network. Snort is really a good option, but currently it seems that
they are charging for updates; is that true? I'd like to find a free-of-charge
Linux or BSD solution that works as well as Snort does and, preferably,
has some successful deployment cases.

Any ideas?

Thanks in advance,

Hutger.