Problem logging in.

2006-06-08 Thread Jonas Lindskog
Hello,

A week ago my OpenBSD firewall started to show a very strange behaviour.
I have the ssh daemon running and usually log in remotely to be able to
administer the pf.conf file. But now I can't log in. OK, maybe I've just
forgotten my password. I booted in single user mode and changed it, then
booted normally but couldn't log in anyway. I booted in single user mode
again, changed it to another password, changed to another user (using su)
and then changed user to root again (again using su). I was prompted for the
password, entered it and login was again rejected. When I tried to change
the password it complained that something was wrong with a file called
/etc/master.passwd. When looking at the file it contained parts of my
pf.conf file.

Have I been hacked or is it just a major error on my side?

I understand that the information probably isn't enough but if someone
could guide me further I would be very happy.

regards
Jonas Lindskog
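
The first thing to do with a master.passwd that "contains parts of pf.conf" is to find out exactly which lines no longer parse and what the lines that still parse say. The script below is an added example, not something from the post or from OpenBSD: it checks the ten-field shape of an OpenBSD master.passwd line (name:password:uid:gid:class:change:expire:gecos:home:shell), reports the line numbers that do not fit, and then lists the two things an incident responder looks at first, extra uid 0 accounts and empty password fields. The sample file is constructed for the example and the hashes are placeholders.

```python
"""Structural check of a BSD master.passwd file (added example).

OpenBSD's /etc/master.passwd has ten colon-separated fields per line:
    name:password:uid:gid:class:change:expire:gecos:home:shell
Lines that do not fit that shape (here: pf.conf text that ended up in
the file) are reported with their line numbers; entries that do parse
are then checked for extra uid 0 accounts and empty password fields.
"""

FIELD_COUNT = 10

# Constructed sample, not the poster's file: two pf.conf lines pasted in
# (lines 3-4), a truncated entry (line 8), an extra uid 0 account
# (line 6) and an account with an empty password field (line 9).
# Password hashes are placeholders.
SAMPLE_MASTER_PASSWD = """\
root:$2a$08$placeholderhash:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
block in all
pass in log quick on $if_ext proto tcp from any to any port 22
jonas:$2a$08$placeholderhash:1000:1000:staff:0:0:Jonas:/home/jonas:/bin/ksh
backdoor:$2a$08$placeholderhash:0:0:daemon:0:0::/root:/bin/ksh
operator:*:2:5::0:0:System &:/operator:/sbin/nologin
www:*:67:67::0:0:HTTP
guest::5000:5000::0:0:Guest:/home/guest:/bin/sh
"""


def parse_master_passwd(text):
    """Split text into (entries, bad_lines).

    entries    -- dicts for every well-formed line
    bad_lines  -- (line_number, raw_line) for lines that are not ten
                  fields or whose numeric fields are not integers
    """
    entries, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line == "":
            continue                      # tolerate a trailing blank line
        fields = line.split(":")
        if len(fields) != FIELD_COUNT:
            bad_lines.append((lineno, line))
            continue
        name, password, uid, gid, cls, change, expire, gecos, home, shell = fields
        if not all(f.isdigit() for f in (uid, gid, change, expire)):
            bad_lines.append((lineno, line))
            continue
        entries.append({
            "line": lineno, "name": name, "password": password,
            "uid": int(uid), "gid": int(gid), "class": cls,
            "gecos": gecos, "home": home, "shell": shell,
        })
    return entries, bad_lines


def uid0_accounts(entries):
    """Every account that would log in as the superuser."""
    return [e["name"] for e in entries if e["uid"] == 0]


def passwordless_accounts(entries):
    """Empty password field: login without any password at all."""
    return [e["name"] for e in entries if e["password"] == ""]


def report(text):
    """One-shot summary used by the command line below and by tests."""
    entries, bad_lines = parse_master_passwd(text)
    return {
        "bad_line_numbers": [n for n, _ in bad_lines],
        "uid0": uid0_accounts(entries),
        "passwordless": passwordless_accounts(entries),
        "parsed": len(entries),
    }


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MASTER_PASSWD
    for key, value in report(source).items():
        print(f"{key}: {value}")
```

On the box itself `pwd_mkdb -c /etc/master.passwd` performs the same format check natively, and `vipw` is the way to edit the file so that the pwd.db/spwd.db databases that login actually consults get rebuilt. The check separates lines that cannot be parsed at all from entries that parse but deserve a look; it does not by itself say whether the damage came from an intrusion or from an editing accident.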



Routing problem?

2006-01-22 Thread Jonas Lindskog

Hello,

We are running OpenBSD 3.8 as a firewall router. The router has two
internal networks to handle; a DMZ with real IP addresses and a NAT
network to which our workstations are connected. The problem I have is
that it's not possible to connect to the server on the DMZ (ip
38.87.5.122, netmask 255.255.255.252) from the outside (but it is from
the inside). I guess that I somehow have to make the external interface
listen to the same address as the server (they are on the same net), but
if I add an alias to the external interface it doesn't (of course) route
packets to the DMZ. How do I make OpenBSD route packets to the server
(and the DMZ subnet)?

Our ISP has given us a net that has the following data:

Net segment:       38.87.5.112 /28
net address:       38.87.5.112
gw address:        38.87.5.113
firewall:          38.87.5.114
free IPs:          38.87.5.115-126
broadcast address: 38.87.5.127
netmask:           255.255.255.240

the server has the following interfaces configured:
### interfaces
#external interface
inet 38.87.5.114 255.255.255.240 NONE

#internal interface
inet 192.168.97.254 255.255.255.0 NONE

# dmz
inet 38.87.5.121 255.255.255.252 NONE

Thanks in advance

Jonas
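
The addressing in this post and in the 2006-01-10 thread below has a property worth working through: the DMZ prefix 38.87.5.120/30 lies inside the ISP's 38.87.5.112/28, which is also the prefix on the external interface. A host chooses a next hop by longest-prefix match, so on the firewall the /30 wins and 38.87.5.122 is reached via re0; a neighbour that only knows the /28 treats 38.87.5.122 as directly attached, ARPs for it on the external segment, and nobody answers. The script below is an added example (not from the post or from OpenBSD) that checks this with Python's ipaddress module and prints the OpenBSD arp(8) "pub" entries with which the firewall would answer those ARP requests itself. It assumes the ISP gateway at 38.87.5.113 is configured with the plain /28, and the MAC address is a documentation-range placeholder for fxp0's real one.

```python
"""Why a DMZ carved out of the ISP /28 is invisible from outside (added example).

Interfaces are taken from the posted hostname.* files.  The ISP gateway's
mask and the MAC address are assumptions.
"""
from ipaddress import ip_address, ip_interface

IFACES = {
    "fxp0": ip_interface("38.87.5.114/28"),      # external
    "bce0": ip_interface("192.168.97.254/24"),   # internal (NAT)
    "re0":  ip_interface("38.87.5.121/30"),      # DMZ
}
ISP_GATEWAY = ip_interface("38.87.5.113/28")     # assumed configuration


def egress_iface(dst, ifaces=IFACES):
    """Longest-prefix match over connected networks; None = default route."""
    dst = ip_address(dst)
    best = None
    for name, iface in ifaces.items():
        if dst in iface.network and (
            best is None or iface.network.prefixlen > ifaces[best].network.prefixlen
        ):
            best = name
    return best


def treats_as_on_link(host_iface, dst):
    """True when a host with host_iface would ARP for dst instead of routing."""
    return ip_address(dst) in host_iface.network


def dmz_hidden_inside_external(ext_iface, dmz_iface):
    """The DMZ prefix is a sub-block of the external prefix."""
    return dmz_iface.network.subnet_of(ext_iface.network)


def proxy_arp_targets(ext_iface, dmz_iface):
    """DMZ addresses the firewall must answer ARP for on the external
    interface.  The firewall's own DMZ address is left out; the kernel
    already owns it."""
    if not dmz_hidden_inside_external(ext_iface, dmz_iface):
        return []
    return [str(h) for h in dmz_iface.network.hosts() if h != dmz_iface.ip]


def arp_pub_commands(ext_iface, dmz_iface, ext_mac):
    """OpenBSD arp(8) lines publishing ext_mac for each hidden DMZ host."""
    return [f"arp -s {ip} {ext_mac} pub"
            for ip in proxy_arp_targets(ext_iface, dmz_iface)]


if __name__ == "__main__":
    server = "38.87.5.122"
    print("firewall sends to", server, "via", egress_iface(server))
    print("ISP gateway ARPs directly for", server, ":",
          treats_as_on_link(ISP_GATEWAY, server))
    # 00:00:5e:00:53:01 is a documentation MAC, stand-in for fxp0's real one
    for cmd in arp_pub_commands(IFACES["fxp0"], IFACES["re0"], "00:00:5e:00:53:01"):
        print(cmd)
```

Once the firewall answers ARP for 38.87.5.122 on fxp0, frames for the server arrive at the firewall, the route lookup picks the more specific /30 and the packet is forwarded out re0. Published ARP entries do not survive a reboot, so they need to be re-added at boot. The port redirect that did work in the thread works because 38.87.5.114 itself is on-link for the ISP gateway; the alternative that needs no ARP tricks is to have the ISP route a separate block to 38.87.5.114.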



Re: Unable to reach server in dmz. What's wrong?

2006-01-20 Thread Jonas Lindskog
Abraham Al-Saleh wrote:

On 1/10/06, Jonas Lindskog [EMAIL PROTECTED] wrote:

Hello,

We are using OpenBSD 3.8 as a firewall/router. We have two internal
nets; one with workstations (NAT) and one DMZ with a single server. And
thus we have three network interfaces installed in the router: one for
the NAT, one for the DMZ and one for the external net.

Our ISP has given us a range of IP addresses (the ones below are
obfuscated ;)), which we can't change:

Segment:           38.87.5.112 /28
net address:       38.87.5.112
gateway address:   38.87.5.113
firewall:          38.87.5.114
free static IPs:   38.87.5.115-126
broadcast address: 38.87.5.127
netmask:           255.255.255.240

I have set up the DMZ with
net address: 38.87.5.120
Gateway:     38.87.5.121
Server:      38.87.5.122
netmask:     255.255.255.252

To ensure that routing worked properly I just entered pass (and nat of
course) in the /etc/pf.conf file.

I have no trouble connecting to the server at 38.87.5.122 from the
internal net where NAT addresses are used, but for some reason
I can't connect to the server from the outside. I thought it was a
routing problem but when I entered a port redirect from the gateway
(38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached
the server. I haven't got a clue what's wrong. Can anybody help to
explain this or have an idea of a workaround (I don't want the port
redirect)? Thanks in advance.

/Jonas


It would help if you attached your pf.conf, and relevant configuration
files (hostname.if, for example)

OK, finally :) this is what my pf.conf and interfaces look like.

# 1. macros
if_ext=fxp0
if_int=bce0
if_dmz=re0
if_lo=lo0

icmp_types = echoreq
dmz_servers = {38.87.5.122}
services = {22, 8080, 8081}
internal_services ={2401}
reserved= { 0.0.0.0/8, 10.0.0.0/8, 20.0.0.0/24, 127.0.0.0/8, \
 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
 224.0.0.0/3, 255.255.255.255}

# 2. Tables
# No tables are defined

# 3. Options
# What should we do with blocked traffic? drop or return.
set block-policy return
# we can only gather statistics on one interface at a time
set loginterface $if_ext

# 4. Packet normalization
scrub in all

# 5. Queueing is not done

# 6. Address translation
# The internal network has NAT addresses
nat on $if_ext from $if_int:network to any -> ($if_ext)

# Redirecting ports
# Port redirect to make ftp possible. See manual for OpenBSD
rdr on $if_int proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# temporary redirects
rdr on $if_ext proto tcp from any to any port 8080 -> 38.87.5.122 port 8080
rdr on $if_ext proto tcp from any to any port 8081 -> 38.87.5.122 port 8081
#rdr on $if_ext proto tcp from any to any port 22 -> 38.87.5.122 port 22

# 7. Filtering
#allow loopback

# Block everything
block all

pass quick on $if_lo all

# Antispoof
antispoof for { $if_lo, $if_ext, $if_int }

# Allow traffic in to our ssh daemon
pass in log quick on $if_ext proto tcp from any to any port 22 flags S/SA \
 keep state

# Allow traffic to and from the internal interface
# are the lines below the same as
# pass quick on $if_int all
pass in  on $if_int from $if_int:network to any keep state
pass out on $if_int from any to $if_int:network keep state

# block all traffic from reserved nets to external interface
block in quick on $if_ext from $reserved to any

#allow pinging
pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state

# Open ports 8080 and ssh to trusted machines on the dmz
pass in on $if_ext proto tcp from any to any port 8081 keep state
pass in on $if_ext proto tcp from any to any port 8080 keep state

#Allow active ftp
pass in on $if_ext inet proto tcp from port 20 to ($if_ext) \
 user proxy flags S/SA keep state

# Users on the internal network are allowed to initiate external contact
pass out on $if_ext proto tcp all modulate state flags S/SA
pass out on $if_ext proto {udp, icmp} all keep state

# DMZ rules. As default we stop all traffic in to the dmz.
# To open up a service we use port forwarding in the external if
# to the specific server in the dmz
block in on $if_dmz all
pass out on $if_dmz proto tcp from any to any port $services flags S/SA \
 keep state
pass out on $if_dmz proto tcp from any to any port $internal_services \
 flags S/SA keep state
pass in quick on $if_dmz proto tcp from $if_int to $dmz_servers \
 port $internal_services keep state

#pf.conf ends here

### interfaces
# more hostname.fxp0
#external interface
inet 38.87.5.114 255.255.255.240 NONE


# more hostname.bce0
#internal interface
inet 192.168.97.254 255.255.255.0 NONE

# more hostname.re0
# dmz
inet 38.87.5.121 255.255.255.252 NONE
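
Two pf facts decide what the ruleset above does with any given packet: rules are tried top to bottom and the last matching rule wins, unless a matching rule carries `quick`, which ends evaluation on the spot; and on OpenBSD 3.x the rdr translation happens before filtering, so the filter rules see the translated destination 38.87.5.122 rather than the external address the client connected to. The script below is an added example, not code from the post, that models those two facts in Python over a subset of the posted rules (antispoof, the ftp proxy rule, the udp/icmp out rules and the $if_int-to-DMZ rule are left out, and `keep state` is not modelled, so every packet is judged by the rules alone). The sample packets are constructed; 198.51.100.7 stands in for an Internet client. One result worth noticing from the ruleset as posted: the `quick` pass for port 22 sits above the reserved-nets block, so a SYN to port 22 from a 10.0.0.0/8 source is passed, while the same source to port 8080 is blocked.

```python
"""Model of pf(4) rule evaluation for the posted ruleset (added example).

Last matching rule wins; a matching 'quick' rule ends evaluation; rdr
is applied before the filter.  State tracking is not modelled.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", relative to the firewall
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


def _in_any(addr: str, nets: Tuple[str, ...]) -> bool:
    """Empty tuple means 'any'; otherwise addr must fall in one block."""
    return not nets or any(ip_address(addr) in ip_network(n) for n in nets)


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" or "block"
    direction: Optional[str] = None     # None matches both directions
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Tuple[str, ...] = ()           # CIDR blocks; empty tuple = any
    dst: Tuple[str, ...] = ()
    dports: Tuple[int, ...] = ()
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and _in_any(p.src, self.src)
                and _in_any(p.dst, self.dst)
                and (not self.dports or p.dport in self.dports))


IF_EXT, IF_INT, IF_DMZ = "fxp0", "bce0", "re0"
INT_NET = "192.168.97.0/24"
DMZ_SERVER = "38.87.5.122"
RESERVED = ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
            "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")  # subset of $reserved

# rdr entries from the post: (iface, proto, port) -> (new dst, new port)
RDR = {
    (IF_EXT, "tcp", 8080): (DMZ_SERVER, 8080),
    (IF_EXT, "tcp", 8081): (DMZ_SERVER, 8081),
}

# The posted filter rules, in their original order (subset, see lead-in)
RULES = [
    Rule("block"),                                                  # block all
    Rule("pass", iface="lo0", quick=True),
    Rule("pass", "in", IF_EXT, "tcp", dports=(22,), quick=True),    # ssh to firewall
    Rule("pass", "in", IF_INT, src=(INT_NET,)),
    Rule("pass", "out", IF_INT, dst=(INT_NET,)),
    Rule("block", "in", IF_EXT, src=RESERVED, quick=True),          # reserved nets
    Rule("pass", "in", IF_EXT, "icmp"),
    Rule("pass", "in", IF_EXT, "tcp", dports=(8080, 8081)),
    Rule("pass", "out", IF_EXT, "tcp"),
    Rule("block", "in", IF_DMZ),
    Rule("pass", "out", IF_DMZ, "tcp", dports=(22, 8080, 8081)),    # $services
    Rule("pass", "out", IF_DMZ, "tcp", dports=(2401,)),             # $internal_services
]


def apply_rdr(p: Packet) -> Packet:
    """Rewrite the destination of an inbound packet that hits an rdr entry."""
    if p.direction != "in":
        return p
    target = RDR.get((p.iface, p.proto, p.dport))
    return p if target is None else replace(p, dst=target[0], dport=target[1])


def decide(rules, p: Packet) -> str:
    """Last matching rule wins; a matching 'quick' rule ends evaluation."""
    verdict = "pass"                    # pf passes if no rule matches at all
    for rule in rules:
        if rule.matches(p):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def filter_packet(p: Packet, rules=RULES):
    """Return (verdict, destination, port) after translation and filtering."""
    translated = apply_rdr(p)
    return decide(rules, translated), translated.dst, translated.dport


if __name__ == "__main__":
    for pkt in (
        Packet("in", IF_EXT, "tcp", "198.51.100.7", "38.87.5.114", 8080),
        Packet("in", IF_EXT, "tcp", "10.0.0.5", "38.87.5.114", 22),
        Packet("out", IF_DMZ, "tcp", "198.51.100.7", DMZ_SERVER, 3306),
    ):
        print(pkt, "->", filter_packet(pkt))
```

The model is deliberately small: the real thing to run against a ruleset is `pfctl -nf /etc/pf.conf` for syntax and `pfctl -vsr` to see the rules as pf actually loaded them, macros expanded, which is also where an unexpanded macro reference such as a missing `$` shows up.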




Unable to reach server in dmz. What's wrong?

2006-01-10 Thread Jonas Lindskog

Hello,

We are using OpenBSD 3.8 as a firewall/router. We have two internal
nets; one with workstations (NAT) and one DMZ with a single server.
And thus we have three network interfaces installed in the router: one
for the NAT, one for the DMZ and one for the external net.

Our ISP has given us a range of IP addresses (the ones below are
obfuscated ;)):

Segment:           38.87.5.112 /28
net address:       38.87.5.112
gateway address:   38.87.5.113
firewall:          38.87.5.114
free static IPs:   38.87.5.115-126
broadcast address: 38.87.5.127
netmask:           255.255.255.240

I have set up the DMZ with
net address: 38.87.5.120
Gateway:     38.87.5.121
Server:      38.87.5.122
netmask:     255.255.255.252

To ensure that routing worked properly I just entered pass (and nat of
course) in the /etc/pf.conf file.

I have no trouble connecting to the server at 38.87.5.122 from the
internal net where NAT addresses are used, but for some reason
I can't connect to the server from the outside. I thought it was a
routing problem but when I entered a port redirect from the gateway
(38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached
the server. I haven't got a clue what's wrong. Can anybody help to
explain this or have an idea of a workaround (I don't want the port
redirect)? Thanks in advance.

/Jonas