Re: Simplifying pf-rules
Marko: Thanks for your input. Your proposals got me thinking a few steps
further. I now came up with the following solution which has all
properties I want:

pass in on re0 inet to !all:network
pass in on re0 inet to em0:network     # Just in case we would need to interact
                                       # with some other service on the same segment...
block in quick log on re0 inet to em0  # ... but not our own IP

The above lines replace my initial rule "pass in on re0 to !re0:network"

2018-01-04 16:29 GMT+01:00 Marko Cupać <marko.cu...@mimar.rs>:
> On Thu, 4 Jan 2018 14:09:50 +0100
> Jon S <jonsjost...@gmail.com> wrote:
>
> > Hello misc!
> >
> > My OpenBSD file server just became a router too (after getting a new
> > internet connection where the provider does not include a router in
> > the subscription).
>
> If possible, I'd avoid combining file server and firewall services on
> single box
>
> > This led to my first experiences with pf. After some work I came up
> > with what's below. It works as I want it to work, but I wonder if
> > there is a way to create a rule where incoming traffic to the
> > internal NIC (re0) is passed if it is targeted for em0 (external,
> > internet NIC)? The current solution would require an update of the
> > "pass in on re0 to !re0:network"-rule if another NIC is added (let's
> > say a DMZ).
>
> All my pf rulesets start with defining interface macros so they are
> more readable, and also more flexible (this way changing NIC with
> different driver needs one line changed, instead of all lines in the
> ruleset referencing that interface):
>
> # INTERFACE MACROS
> if_int = "re0"
> if_ext = "em0"
>
> > set skip on lo0
> >
> > # Block everything everywhere by default
> > block log all
>
> I prefer to put "match" section above default "block log all" rule.
> It's more logical to me, as something being "matched" has no impact if
> it's not "passed" or "blocked" later on in the ruleset.
>
> > # NAT local network to external
> > match out on em0 inet from re0:network nat-to (em0)
> >
> > # Allow all outgoing traffic
> > pass out on {em0, re0}
> >
> > # Allow only specific services on this machine to be accessed from
> > # local network
> > pass in on re0 inet proto tcp to port ssh # ssh
> > pass in on re0 inet proto icmp # icmp
> > pass in on re0 inet proto tcp to port 445 # samba
>
> Your description line does not describe accurately what next three
> lines do - as destination IP is not present, "to any" is assumed, so
> more accurate description would be "Allow specific services on any
> machine be accessed from local network".
>
> If you wanted your ruleset to match description line, and your
> services listen on internal NIC, you would do something like:
>
> pass in on $if_int inet proto tcp from re0:network to re0 port ssh
> pass in on $if_int inet proto icmp from re0:network to re0
> pass in on $if_int inet proto tcp from re0:network to re0 port 445
>
> > #pass in on re0 inet to em0:network # This does not work, since the
> > #mask for this IF will only let traffic through to the limited set of
> > #IPs on the same C-segment as em0. That would probably be a set of
> > #other customers at the network operator...
> >
> > # This works, but will require an update if any further NIC is involved
> > # later
> > pass in on re0 to !re0:network
>
> There are multiple ways to achieve this. One of them would be passing
> everything on $if_int, and blocking what you don't want later (if
> "quick" keyword is not used, last matching rule wins):
>
> pass in on $if_int
> block in on $if_int inet proto tcp from $if_int:network to \
>     $if_int port { !=ssh !=445 }
>
> The other one would be blocking unwanted stuff quickly early in the
> ruleset, and passing what you want later on:
>
> block in quick on $if_int inet proto tcp from $if_int:network to \
>     $if_int port { !=ssh !=445 }
> pass in on $if_int
>
> Both examples block only TCP to internal NIC, so blocking other
> protocols if there are any on the firewall also needs to be done.
>
> > # I would like something like this to work, so that future added NICs
> > # won't open new unwanted paths
> > #pass in on re0 to em0
> >
> > # Allow only incoming SSH to external NIC
> > pass in on em0 inet proto tcp to port ssh
>
> In the end, your ruleset seems quite minimal. I suggest you start
> worrying about new NIC once you add it. For now it would be better to
> play around with pfctl -vvsr, systat states/rules, tcpdumping pflog etc.
>
> Hope this helps,
>
> --
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/

--
<> Jon Sjöstedt
Gamla Björboholmsvägen 2
443 72 GRÅBO
Mobil 0735 - 029 557
jonsjost...@gmail.com
jonsjost...@hotmail.com
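As an added example (not a ruleset posted by Jon or Marko), here is the thread's default-deny layout rewritten with Marko's interface macros so that a NIC added later opens no path until it is given rules of its own. Two things in it go beyond what the thread shows and are this editor's additions: "set state-policy if-bound" and the "self" keyword. The reason for if-bound is that with the default floating state policy, the state created by a "pass in on re0" rule also matches the same packet when it leaves on any other interface, so the "pass out" rules are never consulted for forwarded traffic; that is exactly how a rule like "pass in on re0 to !re0:network" would reach a future DMZ NIC on its own. One caveat on the "port { !=ssh !=445 }" idea: pf.conf expands a list into one rule per element, so that block becomes two rules, one matching every port except ssh and one matching every port except 445, and a packet to port 445 is still blocked by the first of them. The ruleset below therefore lists the allowed ports positively and uses quick rules in a fixed order.

```pf
# Added example ruleset, not the one posted in the thread. Interface names
# follow the thread (re0 internal, em0 external).
if_int = "re0"
if_ext = "em0"

set skip on lo0

# Bind each state to the interface it was created on. A packet forwarded
# from re0 then has to match a "pass out" rule on the interface it leaves
# by, instead of riding the re0 state out of whatever interface exists.
set state-policy if-bound

# Default deny; every path below is an explicit exception
block log all

match out on $if_ext inet from $if_int:network nat-to ($if_ext)

# Services the firewall offers to the LAN, reachable only on its LAN-side
# address. Ports are listed positively, so the list expands to two
# independent pass rules with no negation surprise.
pass in quick on $if_int inet proto tcp from $if_int:network \
    to $if_int port { ssh, 445 }
pass in quick on $if_int inet proto icmp from $if_int:network to $if_int

# Nothing else from the LAN may reach any address of the firewall itself;
# "self" covers em0's address and the address of any NIC added later
block in quick log on $if_int inet from $if_int:network to self

# Remaining LAN traffic may be forwarded...
pass in on $if_int inet from $if_int:network

# ...but only out of the interfaces named here. A DMZ NIC added later is
# still covered by "block log all" until it gets "pass out" rules of its own.
pass out on { $if_ext, $if_int }

# Admin access from the outside, to the external address only
pass in on $if_ext inet proto tcp to $if_ext port ssh
```

Check the file parses with "pfctl -nf /etc/pf.conf" before loading it, then inspect the loaded rules with "pfctl -vvsr" and watch pflog while testing, as Marko suggests; the logged "block ... to self" hits show exactly which LAN hosts are trying to reach the firewall on something other than ssh, 445 or ICMP.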
Simplifying pf-rules
Hello misc!

My OpenBSD file server just became a router too (after getting a new
internet connection where the provider does not include a router in the
subscription).

This led to my first experiences with pf. After some work I came up with
what's below. It works as I want it to work, but I wonder if there is a
way to create a rule where incoming traffic to the internal NIC (re0) is
passed if it is targeted for em0 (external, internet NIC)? The current
solution would require an update of the "pass in on re0 to
!re0:network"-rule if another NIC is added (let's say a DMZ).

set skip on lo0

# Block everything everywhere by default
block log all

# NAT local network to external
match out on em0 inet from re0:network nat-to (em0)

# Allow all outgoing traffic
pass out on {em0, re0}

# Allow only specific services on this machine to be accessed from
# local network
pass in on re0 inet proto tcp to port ssh # ssh
pass in on re0 inet proto icmp # icmp
pass in on re0 inet proto tcp to port 445 # samba

#pass in on re0 inet to em0:network # This does not work, since the
#mask for this IF will only let traffic through to the limited set of
#IPs on the same C-segment as em0. That would probably be a set of
#other customers at the network operator...

# This works, but will require an update if any further NIC is involved
# later
pass in on re0 to !re0:network

# I would like something like this to work, so that future added NICs
# won't open new unwanted paths
#pass in on re0 to em0

# Allow only incoming SSH to external NIC
pass in on em0 inet proto tcp to port ssh

--
<> Jon Sjöstedt
jonsjost...@gmail.com
Re: fsck_ffs: cannot alloc 131427074 bytes for lncntp
Problem solved/workaround: running fsck /dev/... worked. The problem
seemed to be with running fsck_ffs /dev/...

On 25 Jul 2017 5:17 pm, "Jon S" <jonsjost...@gmail.com> wrote:

No. Filesystem is FFS. The os is 4.9 or later but not above 5.4 afaik. I
will have physical access to the host tomorrow. It will probably be
replaced and installed with 6.1, but it would still be interesting to
know what kind of error this is and what can be done about it.

On 25 Jul 2017 3:40 pm, "Jeremie Courreges-Anglas" <j...@wxcvbn.org> wrote:

On Tue, Jul 25 2017, Jon S <jonsjost...@gmail.com> wrote:

> Hello misc! The message in the subject is the result of trying to run
> fsck_ffs in single user mode when auto fsck fails at boot. Any ideas or
> input on how to solve?

This error message is only present in the -current source code for
fsck_ext2fs (there's src/sbin/fsck_ffs/SMM.doc/4.t but this looks
outdated). Are you using ext2fs?

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: fsck_ffs: cannot alloc 131427074 bytes for lncntp
No. Filesystem is FFS. The os is 4.9 or later but not above 5.4 afaik. I
will have physical access to the host tomorrow. It will probably be
replaced and installed with 6.1, but it would still be interesting to
know what kind of error this is and what can be done about it.

On 25 Jul 2017 3:40 pm, "Jeremie Courreges-Anglas" <j...@wxcvbn.org> wrote:

On Tue, Jul 25 2017, Jon S <jonsjost...@gmail.com> wrote:

> Hello misc! The message in the subject is the result of trying to run
> fsck_ffs in single user mode when auto fsck fails at boot. Any ideas or
> input on how to solve?

This error message is only present in the -current source code for
fsck_ext2fs (there's src/sbin/fsck_ffs/SMM.doc/4.t but this looks
outdated). Are you using ext2fs?

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
fsck_ffs: cannot alloc 131427074 bytes for lncntp
Hello misc!

The message in the subject is the result of trying to run fsck_ffs in
single user mode when auto fsck fails at boot. Any ideas or input on how
to solve?
Standard way to create a generic queue in ksh
Hello all!

As a part of a backup solution, I need a queue. Having looked around the
net, I haven't found any standard way (besides named pipes) that I can
use. Requirements are:

* There will be few elements in the queue (<20)
* No critical section is needed (this is already addressed using mkdir)
* The queue must be possible to examine without altering it
* It would be nice if the queue only can contain unique elements (no
  point in queueing the same job twice)

My own two ideas are:

* Files in a dir. Gives uniqueness if names are well selected, but I
  don't know how to handle element order neatly
* Rows in a file: No guarantee for unique jobs. Easy to define order and
  to add a new job at end (or beginning) of a file or pop a job

Any ideas or proposal of standard way to do this?

--
<> Jon Sjöstedt
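The post's two ideas can be combined: one file per job gives uniqueness for free, and writing a sequence number into each file supplies the ordering that a plain directory listing lacks. The script below is an added example, not code from the post; the directory layout (a ".seq" counter file, a ".lock" directory taken with mkdir, and one file per job named after the job) and the job names used in the demo are constructed for this example. It is POSIX sh, so it runs under OpenBSD's ksh as well.

```sh
#!/bin/sh
# Added example: a directory-backed job queue for a small backup scheduler.
# Assumed layout (constructed for this example):
#   $QDIR/<job-name>  one file per queued job, content = sequence number
#   $QDIR/.seq        last sequence number handed out
#   $QDIR/.lock       mkdir-based lock held while the queue is modified
QDIR="${QDIR:-${TMPDIR:-/tmp}/jobq.$$}"

q_init() {
    mkdir -p "$QDIR"
    [ -f "$QDIR/.seq" ] || printf '0\n' > "$QDIR/.seq"
}

# mkdir is atomic, so only one caller can create the lock directory;
# give up after a bounded number of attempts instead of waiting forever.
q_lock() {
    tries=0
    until mkdir "$QDIR/.lock" 2>/dev/null; do
        tries=$((tries + 1))
        if [ "$tries" -gt 30 ]; then
            echo "q_lock: timed out" >&2
            return 1
        fi
        sleep 1
    done
}

q_unlock() { rmdir "$QDIR/.lock"; }

# Add a job. The job name is the file name, so a job can be queued only
# once; names that would escape the directory or collide with the
# bookkeeping files are rejected. Returns 2 on a bad name, 3 on duplicate.
q_push() {
    name=$1
    case $name in
        ''|*/*|.*) echo "q_push: invalid job name" >&2; return 2 ;;
    esac
    q_lock || return 1
    if [ -e "$QDIR/$name" ]; then
        q_unlock
        return 3
    fi
    n=$(($(cat "$QDIR/.seq") + 1))
    printf '%s\n' "$n" > "$QDIR/.seq"
    printf '%s\n' "$n" > "$QDIR/$name"
    q_unlock
}

# Print queued jobs oldest first. Reads only, so the queue can be
# inspected at any time without taking the lock or changing it.
q_list() {
    for f in "$QDIR"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(cat "$f")" "${f##*/}"
    done | sort -n | cut -d ' ' -f 2-
}

# Remove and print the oldest job; returns 1 when the queue is empty.
q_pop() {
    q_lock || return 1
    oldest=$(q_list | head -n 1)
    if [ -z "$oldest" ]; then
        q_unlock
        return 1
    fi
    rm -f "$QDIR/$oldest"
    q_unlock
    printf '%s\n' "$oldest"
}

# Demo with constructed job names
q_init
q_push backup-home
q_push backup-var
q_push backup-home || echo "backup-home is already queued" >&2
echo "queued: $(q_list | tr '\n' ' ')"
echo "running: $(q_pop)"
rm -rf "$QDIR"
```

The name check in q_push matters because the job name becomes a path component: rejecting anything containing "/" or starting with "." keeps a caller from writing outside the queue directory or clobbering the counter and lock files. Because q_list never takes the lock, a monitoring script can read the queue while a producer is pushing; the worst it sees is a job that is about to appear or disappear, never a half-written entry, since each job file is written in one printf.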
ls cant print higher UTF-8 chars
Hello misc!

In an attempt to get a better idea on how to make all non-ASCII chars
appear correctly in Windows/Samba, ssh and the local console, I get the
impression that UTF-8 is the charset that is mostly used in general and
also the one growing most.

Using UTF-8 in Samba and ssh on an OpenBSD 4.9 i386 generic machine that
is about to retire works as expected, tested with Swedish and Icelandic
letters outside the 7-bit ASCII range.

However, the new machine to replace the 4.9-box, running OpenBSD 5.6 on
amd64 generic.mp #333, shows question marks when doing ls in ssh (using
PuTTY set to UTF-8 in translation). The funny thing is that autocomplete
using tab shows the expected letters. pwd shows expected letters and even
ls | cat shows correct letters.

Is this a known problem? Is there a solution to make ls print correct
UTF-8?

--
<> Jon Sjöstedt
Re: Unable to do putty/SSH into fresh openBSD 5.6-install
Thanks for the tip. It gave me some clues, like not reacting at all
sometimes, going half way other times and some other inconsistent
behaviour. After giving the new box a static IP that it did NOT share
with a switch everything works smooth as expected :)

2015-04-19 19:34 GMT+02:00 Kent Fritz fritz.k...@gmail.com:

You need to look at debug. From console:

# /etc/rc.d/sshd stop
sshd(ok)
# /usr/sbin/sshd -d

Now try to log in and see if you can get any clues from the output.

On Sun, Apr 19, 2015 at 10:11 AM, Jon S jonsjost...@gmail.com wrote:

Updated PuTTY from 0,63 to 0,64, but no improvement. Any other ideas?

2015-04-19 18:22 GMT+02:00 Mike. the.li...@mgm51.com:

On 4/19/2015 at 5:09 PM Jon S wrote:
|Hi all!
|
|I just installed a fresh OpenBSD 5.6 on a new machine (booting from a
|USB-stick and running bsd.rd, installing from ftp.eu.openbsd.org =
|networking is fine). All sets are installed.
|
|Now I can't ssh (using putty) into the new machine. authlog says fatal:
|Timeout before authentication ip. My attempt to ssh is from a local
|network. I can see a forked SSHD-process when I try to putty/ssh into the
|new machine.
|
|ssh out from the new 5.6-machine to a different OpenBSD 4.9-machine works
|fine. ssh back from the 4.9-machine to the new 5.6-machine works too.
|
|doing putty into the 4.9-machine also works
|
|Any ideas as to what can cause this? As far as I can remember the
|4.9-machine uses the default SSH-settings, just as the 5.6-machine

Are you using a current version of putty? When I had similar symptoms, I
found out I was using an older version of putty. Once I downloaded and
installed the current version, all was happiness

--
Jon Sjöstedt
Gamla Björboholmsvägen 2
443 72 GRÅBO
Mobil 0735 - 029 557
jonsjost...@gmail.com
jonsjost...@hotmail.com
Unable to do putty/SSH into fresh openBSD 5.6-install
Hi all!

I just installed a fresh OpenBSD 5.6 on a new machine (booting from a
USB-stick and running bsd.rd, installing from ftp.eu.openbsd.org =
networking is fine). All sets are installed.

Now I can't ssh (using putty) into the new machine. authlog says fatal:
Timeout before authentication ip. My attempt to ssh is from a local
network. I can see a forked SSHD-process when I try to putty/ssh into the
new machine.

ssh out from the new 5.6-machine to a different OpenBSD 4.9-machine works
fine. ssh back from the 4.9-machine to the new 5.6-machine works too.

doing putty into the 4.9-machine also works

Any ideas as to what can cause this? As far as I can remember the
4.9-machine uses the default SSH-settings, just as the 5.6-machine

--
Jon Sjöstedt
jonsjost...@gmail.com
jonsjost...@hotmail.com
Re: Unable to do putty/SSH into fresh openBSD 5.6-install
Updated PuTTY from 0,63 to 0,64, but no improvement. Any other ideas?

2015-04-19 18:22 GMT+02:00 Mike. the.li...@mgm51.com:

On 4/19/2015 at 5:09 PM Jon S wrote:
|Hi all!
|
|I just installed a fresh OpenBSD 5.6 on a new machine (booting from a
|USB-stick and running bsd.rd, installing from ftp.eu.openbsd.org =
|networking is fine). All sets are installed.
|
|Now I can't ssh (using putty) into the new machine. authlog says fatal:
|Timeout before authentication ip. My attempt to ssh is from a local
|network. I can see a forked SSHD-process when I try to putty/ssh into the
|new machine.
|
|ssh out from the new 5.6-machine to a different OpenBSD 4.9-machine works
|fine. ssh back from the 4.9-machine to the new 5.6-machine works too.
|
|doing putty into the 4.9-machine also works
|
|Any ideas as to what can cause this? As far as I can remember the
|4.9-machine uses the default SSH-settings, just as the 5.6-machine

Are you using a current version of putty? When I had similar symptoms, I
found out I was using an older version of putty. Once I downloaded and
installed the current version, all was happiness

--
Jon Sjöstedt
Gamla Björboholmsvägen 2
443 72 GRÅBO
Mobil 0735 - 029 557
jonsjost...@gmail.com
jonsjost...@hotmail.com
Group access issue
Hi!

I have a situation where I would like to assign one group of people
rights to read a file and a different group of people the right to read
and write the same file (there are actually many files). A different way
to describe it would be: I would like a file to belong to two groups, one
with RW-permissions and one with R--permissions.

The files are accessed using ssh. I run OpenBSD 4.9. Installing new
software and/or upgrading to latest OpenBSD would be acceptable partial
solutions.

Any hints or ideas on how I can accomplish this?

--
Jon Sjöstedt
jonsjost...@hotmail.com